Skip to main content
    CONTACT

    This site is protected by hCaptcha and the hCaptcha Privacy Policy and Terms of Service apply.
    Deep Dive into Fuzzing - Dhiraj Mishra & Zubin Devnani - DCTLV2026
    Deep Dive into Fuzzing - Dhiraj Mishra & Zubin Devnani - DCTLV2026
    Deep Dive into Fuzzing - Dhiraj Mishra & Zubin Devnani - DCTLV2026
    Deep Dive into Fuzzing - Dhiraj Mishra & Zubin Devnani - DCTLV2026

    Deep Dive into Fuzzing - Dhiraj Mishra & Zubin Devnani - DCTLV2026

    Las Vegas 2026

    Name of Training: Deep Dive into Fuzzing
    Trainer(s): Dhiraj Mishra & Zubin Devnani
    Dates: August 10-11, 2026
    Time: 8:00 am to 5:00 pm 
    Venue: Las Vegas Convention Center
    Cost: $2,000 (USD)

    Short Summary:

    This course teaches you how to use modern fuzzing techniques to automatically uncover software vulnerabilities and integrate fuzzing effectively into a secure SDLC. You’ll gain hands-on skills in building, running, and scaling fuzzers so you can identify critical flaws early and reduce security risk before software reaches production. 

    Course Description:

    Attendees would be emulating techniques which would provide a comprehensive understanding of "Crash, Detect & Triage" of fuzzed binaries or software. In "Deep dive into fuzzing" we will be covering a detailed overview of fuzzing and how it can be beneficial to professionals in uncovering security vulnerabilities with a hands-on approach through focus on labs.

    Finding vulnerabilities in software requires in-depth knowledge of different technology stacks. Modern day software’s have a huge codebase and may contain vulnerabilities, manually verifying such vulnerabilities is a tedious task and may not be possible in all cases. This training is designed in such a way that it introduces the concept of fuzzing and vulnerability discovery in software’s covering multiple platforms such as Linux & Windows and triage analysis for those vulnerabilities.

    Course Outline: 

    • Fuzzing taxonomies (generation-based vs mutation-based, coverage-guided fuzzing)
    • Threat modeling and choosing high-value fuzzing targets
    • Instrumentation basics (compile-time vs runtime instrumentation)
    • Writing custom harnesses for effective fuzzing
    • Seed selection and seed corpus optimization
    • Code coverage analysis and feedback-driven fuzzing
    • Dictionary creation and protocol grammar hints
    • Handling timeouts, hangs, and flaky crashes
    • Crash triage, deduplication, and root-cause analysis
    • Reproducing crashes reliably
    • Exploitation basics: assessing crash exploitability
    • Integrating fuzzing into CI/CD pipelines
    • Scaling fuzzing with parallelization and distributed setups
    • Fuzzing libraries, file formats, and parsers
    • Hybrid fuzzing (fuzzing + static/dynamic analysis)
    • Performance tuning and optimization for long fuzzing runs
    • Common fuzzing pitfalls and how to avoid them
    • Fuzzing for memory corruption bugs (heap, stack, use-after-free)
    • Fuzzing real-world open-source targets (case studies)
    • Reporting findings and communicating risk to developers and stakeholders

    Difficulty Level:

    Beginner to Intermediate.

    Beginner Definition - The student has an interest in the topic presented and general technology knowledge that a power user or undergraduate student may have acquired.

    Intermediate Definition - The student has education and some experience in the field and familiarity with the topic being presented. The student has foundational knowledge that the course will leverage to provide practical skills on the topic.

    What Students Should Bring:

    Attendees are required to have a system with root/admin privilege with minimum 8GB RAM and 100 GB disk space with VirtualBox or VMware installed.

    What the Trainer Will Provide:

    The trainer will provide comprehensive course materials and detailed runbooks covering all labs and exercises, along with access to a dedicated fuzzing server instance that attendees can use to test and run their fuzzing campaigns for two days after the training. Participants will also receive access to a private Slack workspace where they can ask questions, discuss challenges, and get post-training support from the trainer as they continue applying the techniques learned.

    Trainer(s) Bio:

    Dhiraj Mishra is an active speaker who has discovered multiple zero-days in modern web browsers and an open-source contributor. He is a trainer at DEF CON, BlackHat, BruCON, 44CON and presented in conferences such as Ekoparty, NorthSec, Hacktivity, PHDays, Hack in Paris & HITB. In his free time, he blogs at www.inputzero.io/www.fuzzing.at and tweets on @RandomDhiraj.

    Zubin Devnani is a red teamer by trade, who has identified multiple vulnerabilities in commonly used software. He is a trainer at Blackhat and has delivered multiple workshops, including PHDays and Hacktivity. Utilizes his fuzzing skills in his day to day trade to identify new ways of breaking into enterprises! Blogging at devtty0.io and tweets on @p1ngfl0yd. 

    Proficiency Exam Option:

    This course has the option for a proficiency certificate add-on. As part of the "CTC" capture the crash competition at the end of the course, attendees who successfully demonstrate the fuzzing goal and crash can earn the proficiency certificate. 

    Please reach out to training@defcon.org for any questions related to the proficiency exam and certificate option.

    Registration Terms and Conditions: 

    Trainings are refundable before July 11, 2026, minus a non-refundable processing fee of $250.

    Between July 11, 2026 and August 5, 2026 partial refunds will be granted, equal to 50% of the course fee minus a processing fee of $250.

    All trainings are non-refundable after August 5, 2026.

    Training tickets may be transferred to another student. Please email us at training@defcon.org for specifics.

    If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).

    Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.

    DEF CON Training may share student contact information, including names and emails, with the course instructor(s) to facilitate sharing of pre-work and course instructions. Instructors are required to safeguard this information and provide appropriate protection so that it is kept private. Instructors may not use student information outside the delivery of this course without the permission of the student.

    By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.

    Several breaks will be included throughout the day. Please note that food is not included.

    All courses come with a certificate of completion, contingent upon attendance at all course sessions. Some courses offer an option to upgrade to a certificate of proficiency, which requires an additional purchase and sufficient performance on an end-of-course evaluation.

    $2,000.00