Martin Schneider is Head of the Testing Group in the Quality Engineering business unit at the Fraunhofer Institute FOKUS. He is an expert in quality assurance and security testing for networked software systems. He earned his diploma in Computer Science from TU Berlin in 2012 and has more than 10 years of experience in applied research and teaching, as well as in coordinating, designing, and delivering customer‑specific trainings, including Security Testing Basic. He is co‑author of the technical book “Basiswissen Sicherheitstests” (dpunkt‑Verlag) and co‑author of a fuzzing guideline for the German Federal Office for Information Security (BSI).

Ramon Barakat completed his Master’s degree in Computer Science at Technische Universität Berlin. He works at the Fraunhofer Institute for Open Communication Systems (FOKUS), where he contributes to several industry and research projects in the areas of software quality assurance, security testing, NG112, and artificial intelligence.

What is fuzzing in software testing, and what is it used for?

Fuzzing is an automated testing method in which software is deliberately tested with unusual or faulty inputs.
The goal is to find security vulnerabilities and stability issues that traditional tests often fail to detect. Fuzzing is particularly effective for APIs, parsers, protocols, and complex input formats.

Why do I need fuzzing if I already have unit and integration tests?

Because traditional tests check expected inputs—fuzzing checks unexpected ones.
Fuzzing covers edge cases, faulty payloads, and unusual system states that often lead to crashes, denial‑of‑service issues, or security vulnerabilities. It therefore complements existing test methods in a meaningful way.

Who benefits from a fuzzing training?

Developers, testers, and QA professionals with basic knowledge of software testing.
The training is explicitly designed for people without prior security testing experience who want to apply fuzzing effectively or meet regulatory requirements.

How can I get started with fuzzing if I have no experience?

With a clear test objective, a suitable tool, and defined stopping criteria.
In the training, participants learn step by step how to set up, run, and evaluate fuzzing tests—including common pitfalls and proven best practices from real‑world projects.

Which security vulnerabilities can be found through fuzzing?

Typical findings include memory errors, parser bugs, crashes, and denial‑of‑service issues.
Fuzzing is especially effective in identifying zero‑day vulnerabilities, faulty input validation, and protocol edge cases—even in third‑party and open‑source components.

How do I integrate fuzzing effectively into CI/CD pipelines?

By running automated fuzz tests with defined time and resource budgets.
Short fuzzing jobs can run on every build, deeper tests on a scheduled basis. The training explains how to store, deduplicate, and process results in a reproducible way.

How do I know when I’ve done “enough” fuzzing?

When defined stopping criteria—such as time budget, coverage coverage, or crash stagnation—are reached.
Without clear criteria, fuzzing quickly becomes inefficient. In the training, participants learn when tests should reasonably end and how to prioritize results.

Does fuzzing help meet the requirements of the Cyber Resilience Act (CRA)?

Yes, fuzzing is a key component of demonstrable security testing.
The CRA requires regular security evaluations, including for third‑party and open‑source software. Fuzzing provides reproducible results that can be documented in an audit‑ready manner.

Why should companies care about fuzzing at all?

Because traditional software tests do not reliably uncover security‑relevant weaknesses.
Fuzzing finds issues caused by unusual or faulty inputs—the same kinds of triggers used in real attacks. Companies can reduce security risks before deployment and avoid costly incidents later.

What business risks does fuzzing reduce specifically?

Fuzzing lowers the risk of security incidents, liability issues, and reputational damage.
Undetected vulnerabilities in interfaces, protocols, or open‑source components are among the most common causes of security‑critical incidents. Early fuzzing acts as a measurable and preventative safeguard.

Is fuzzing relevant for regulatory compliance, such as the Cyber Resilience Act?

Yes. Fuzzing is an effective part of verifiable security testing under the CRA.
The Cyber Resilience Act requires regular and documented security tests—even for third‑party and open‑source components. Fuzzing generates reliable results that can be structured into compliant documentation.

Is fuzzing alone sufficient to fulfill regulatory requirements?

No, but it is a central building block of a robust security testing strategy.
Fuzzing enhances existing development and testing processes and increases their effectiveness. The key is to combine fuzzing with other measures—the training covers how to do this efficiently.

How much effort is required to introduce and operate fuzzing?

The initial effort is manageable, and the benefits scale with maturity.
Even time‑limited test runs produce valuable results. With clear stopping criteria and CI/CD integration, the ongoing effort remains predictable and controlled—without large new projects.

Do we need security specialists or additional roles for fuzzing?

No. Fuzzing can be implemented by existing development and testing teams.
After the training, teams can apply fuzzing independently, interpret results, and forward them appropriately. Specialists are only needed for highly specific edge cases.

How quickly will we see measurable benefits from fuzzing?

Very quickly—often during the first test runs.
Fuzzing frequently identifies crashes or weaknesses early on. These findings can be prioritized and fixed immediately, making the return on investment visible early.

What does the training deliver to the company in concrete terms?

It enables a controlled, efficient, and traceable use of fuzzing.
Participants learn how to use fuzzing purposefully, evaluate results correctly, and document them in an audit‑ready way. This reduces risk, improves test quality, and provides regulatory assurance—without unnecessary overhead.