Defensics® Fuzzing is a generative, model-based fuzzer that explores protocol input spaces using formal models and grammar. Unlike mutation-based fuzzers that rely heavily on feedback to guide test case generation, Defensics systematically traverses protocol structures without requiring guidance from the test target. This makes it ideal for black-box testing, where internal system behavior is unknown or inaccessible.

With the introduction of enhanced unlimited mode, Defensics gained the ability to create sophisticated combinations of anomalies, significantly expanding testing coverage. Building on this capability, adding a feedback loop became the next logical step to further improve coverage and efficiency. While generative fuzzing does not depend on feedback to produce valid test cases, using feedback sources allows the engine to prioritize test paths that are more likely to expose new behaviors or vulnerabilities.


Feedback loops

A feedback loop in fuzz testing is a mechanism that uses information from the system under test to guide the generation and selection of future test cases. Instead of randomly sending inputs, the fuzzer observes how the target behaves and uses that data to make smarter decisions.

In Defensics, each test case generation can have hundreds or even tens of thousands of test cases. When no feedback is available, Defensics selects test cases and creates new generations accordingly. Once feedback becomes available, Defensics uses it to build new generations based on promising cases and prioritizes those generations.

Feedback can come from any observable runtime signal or other measurable change that indicates new behavior.

Feedback score

The feedback score in Defensics is a single positive number assigned to a test case that produced interesting signals. When a test case receives a score, the engine creates a new generation of combination anomalies, using that case as the base. The new generation inherits the same feedback score as its parent, ensuring that promising paths stay prioritized.

Figure 1. Feedback score assignment for test generations

For example, if a test case receives a feedback score of 50, Defensics creates a new generation based on it. If a test case from that generation later receives a score of 10, a new generation is created from this second case. The subsequent generation inherits the parent’s score, resulting in a cumulative score of 60. This iterative process helps Defensics focus on areas most likely to expose unseen issues.

Defensics uses a weighted scheduling algorithm to dynamically select test cases for execution. This ensures that:

  • All generations, including those randomly created, get a chance to run
  • Generations with higher feedback scores are prioritized and tend to complete first

If no feedback scores exist, test cases are selected from random generations until feedback appears.
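The score inheritance and weighted selection described above can be sketched as follows. This is an added example, not Defensics code: the weight formula (a base weight plus the cumulative score), the class names, and the generation size are assumptions chosen for illustration.

```python
import random
from dataclasses import dataclass

BASE_WEIGHT = 1.0  # assumption: keeps unscored (random) generations schedulable

@dataclass
class Generation:
    name: str
    score: float      # cumulative feedback score (0 for random generations)
    remaining: int    # test cases not yet executed

class Scheduler:
    def __init__(self, seed=1):
        self.rng = random.Random(seed)
        self.generations = []

    def add_random(self, name, size):
        gen = Generation(name, 0.0, size)
        self.generations.append(gen)
        return gen

    def on_feedback(self, parent, case_score, size):
        """A case from `parent` scored: spawn a child generation that
        inherits the parent's score plus the new case score."""
        child = Generation(f"{parent.name}/child", parent.score + case_score, size)
        self.generations.append(child)
        return child

    def next_generation(self):
        """Weighted random pick among generations that still have cases."""
        live = [g for g in self.generations if g.remaining > 0]
        if not live:
            return None
        weights = [BASE_WEIGHT + g.score for g in live]
        gen = self.rng.choices(live, weights=weights, k=1)[0]
        gen.remaining -= 1
        return gen

def run_demo(size=100):
    sched = Scheduler()
    rand = sched.add_random("random", size)
    first = sched.on_feedback(rand, 50, size)    # score 50
    second = sched.on_feedback(first, 10, size)  # score 50 + 10 = 60
    picks, finished = [], []
    while (gen := sched.next_generation()) is not None:
        picks.append(gen.name)
        if gen.remaining == 0:
            finished.append(gen.name)
    return second.score, picks, finished
```

The unscored generation still runs all of its cases, but it is the last one to complete.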

This scoring system allows Defensics to adaptively focus on promising areas of the input space while supporting the broad exploration benefits of generative fuzzing. Next, we will look at a feedback source that comes built-in and requires no extra setup.

Input message analysis

To support feedback-driven fuzzing in black-box environments, Defensics includes an input message analysis feature. This internal mechanism analyzes responses from the test target to find behavioral changes, new error codes, or protocol state transitions, without requiring source code access or instrumentation.

Figure 1. Input message analysis calculates the feedback score

When Defensics receives a message from the test target, it is read into the internal protocol model to find the correct response and make values from received messages available in sent messages. Input message analysis uses this same mechanism to track responses. If there are interesting changes in the response, the test case causing these changes gets a feedback score accordingly.

Not all changes in the response are considered interesting. For example, timestamps and checksums are typically ignored, while status code changes or the appearance of a new field are considered meaningful. Input message analysis makes a best-effort attempt to detect such interesting changes. As explained earlier, generations with feedback are given higher priority. If no feedback is detected, random combinations are executed instead. This means that input message analysis, like any other feedback source, results in test runs that are more efficient but less random than those without feedback. If fully randomized test cases are desired, all feedback sources can be disabled.
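A minimal sketch of this kind of response comparison, as an added example rather than Defensics' own logic: the field names, the constructed sample responses, and the score values are assumptions. It ignores volatile fields, scores a field path seen for the first time, and scores a new value only for fields designated as tracked (here, the status code).

```python
VOLATILE = {"timestamp", "checksum"}  # ignored, as in the article's example
TRACKED_VALUES = {"status"}           # assumption: fields whose values matter
NEW_FIELD_SCORE = 5                   # assumed score values
NEW_VALUE_SCORE = 10

def flatten(msg, prefix=""):
    """Yield (path, key, value) for every leaf of a parsed response."""
    for key, value in msg.items():
        path = prefix + key
        if isinstance(value, dict):
            yield from flatten(value, path + ".")
        else:
            yield path, key, value

class ResponseAnalyzer:
    def __init__(self, baseline):
        self.seen_fields = set()
        self.seen_values = set()
        self.score(baseline)  # learn the normal response; its score is discarded

    def score(self, response):
        """Return a feedback score for behavior not observed before."""
        total = 0
        for path, key, value in flatten(response):
            if key in VOLATILE:
                continue
            if path not in self.seen_fields:
                self.seen_fields.add(path)
                total += NEW_FIELD_SCORE
            if key in TRACKED_VALUES and (path, value) not in self.seen_values:
                self.seen_values.add((path, value))
                total += NEW_VALUE_SCORE
        return total

# Constructed sample responses (already parsed into dictionaries).
BASELINE = {"status": 200, "timestamp": 1000, "checksum": "ab12", "body": {"len": 4}}
SAMPLES = [
    {"status": 200, "timestamp": 1001, "checksum": "ff00", "body": {"len": 4}},
    {"status": 500, "timestamp": 1002, "checksum": "0c3d", "body": {"len": 4}},
    {"status": 500, "timestamp": 1003, "checksum": "9e41",
     "body": {"len": 4, "error": "parse"}},
    {"status": 500, "timestamp": 1004, "checksum": "77aa", "body": {"len": 4}},
]

def demo_scores():
    analyzer = ResponseAnalyzer(BASELINE)
    return [analyzer.score(sample) for sample in SAMPLES]
```

Only the second and third samples earn a score: the first differs from the baseline only in ignored fields, and the fourth repeats behavior already recorded.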

The performance of input message analysis depends on the protocol, the test sequence, and the behavior of the test target. In our measurements, code coverage on the test target increased by up to 10% during the same time window when using input message analysis, compared to unlimited mode without any feedback source.

Including feedback loops in Defensics

Feedback mode and input message analysis are now part of Defensics, and the test engine is more adaptive and intelligent than ever. The Defensics test engine is embedded in every protocol test suite, and we currently support over 300 protocols. The feedback mechanism will begin appearing in test suites released in 2026. The first ones to include it are the Wireless LAN and the new Bluetooth LE Audio test suites.

In addition to test suites beginning to support the feedback mechanism, we are also making the feedback loop available to users along with new feedback sources. The engine is already capable of receiving feedback from multiple sources, enabling even deeper and faster vulnerability discovery.

Summary

We introduced a more systematic approach to creating sophisticated combinations of anomalies in Defensics. Building on this, we now offer a feedback mode that allows users to guide fuzzing using a feedback source. We also developed an advanced internal feedback mechanism based on input message analysis, which runs automatically and seamlessly within black-box environments.

By combining the strengths of generative fuzzing with intelligent feedback, Defensics now enables deeper and faster vulnerability discovery, without compromising its protocol-valid foundation.

 
