Our Technology

How TestMachine Works

Dynamic code execution + reinforcement learning = zero false positives. We don't guess at vulnerabilities. We prove them.

End-to-end security analysis

From code ingestion to verified proof-of-concept. Every stage automated. Every finding proven.

Stage 01
Protocol Ingestion
Smart contract source code, ABIs, on-chain state, and economic parameters are ingested. The system maps every contract, every function, every external dependency.
Source Code · ABIs · On-chain State · Economic Params
Stage 02 — Azimuth Engine
LLM Analysis
LLMs parse the protocol to understand structure, identify potential attack surfaces, map economic flows, and understand governance mechanics. This is context-building, not vulnerability detection. The LLMs set up the battlefield.
Structure Analysis · Attack Surface Mapping · Economic Flow Tracing · Governance Parsing
Outputs structured context for hypothesis generation
Stage 03
Hypothesis Generation
Based on LLM analysis, the system generates structured attack hypotheses: "What if an attacker flash-loans X and then calls Y?" "What if governance is manipulated to drain the treasury?" Each hypothesis becomes a testable scenario.
Flash Loan Vectors · Governance Attacks · Price Manipulation · Reentrancy Paths
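A structured hypothesis of this kind can be pictured as a small record that the later stages can execute against. The field names below are illustrative only, not TestMachine's actual schema:

```python
from dataclasses import dataclass, field

@dataclass
class AttackHypothesis:
    """One testable attack scenario derived from LLM analysis (hypothetical shape)."""
    category: str                                   # e.g. "flash-loan", "governance"
    entry_point: str                                # first function the attacker calls
    preconditions: list = field(default_factory=list)
    steps: list = field(default_factory=list)       # ordered calls to attempt

h = AttackHypothesis(
    category="flash-loan",
    entry_point="deposit(uint256)",
    preconditions=["pool holds enough liquidity to borrow against"],
    steps=["flashLoan(X)", "deposit(X)", "withdraw(X + fee)"],
)
```

Each record is self-contained, so a hypothesis can be handed to an agent, replayed, or discarded independently of the others.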
Stage 04
RL Agent Deployment
Reinforcement learning agents are deployed in a sandboxed fork of the protocol. Their objective: maximize economic extraction. They explore the state space systematically, probing every entry point, testing every invariant.
Sandboxed Fork · Reward: Max Extraction · State Space Exploration
Agents explore → exploit in simulated environment
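The explore/exploit dynamic can be illustrated with a toy value-estimation loop. This is a deliberately simplified sketch, not Lodestar's training code; the entry points and payouts are invented for the example:

```python
import random

# Toy "protocol": each entry point pays out some hidden amount of value.
# The agent's reward is the value it extracts per call.
PAYOUTS = {"deposit": 0.0, "withdraw": 0.0, "claimRewards": 0.0, "liquidate": 5.0}

def run_agent(episodes=500, eps=0.1, seed=0):
    rng = random.Random(seed)
    q = {a: 0.0 for a in PAYOUTS}           # estimated extraction per action
    for _ in range(episodes):
        if rng.random() < eps:              # explore: try a random entry point
            action = rng.choice(list(q))
        else:                               # exploit: repeat the best known one
            action = max(q, key=q.get)
        reward = PAYOUTS[action]
        q[action] += 0.1 * (reward - q[action])   # incremental value update
    return max(q, key=q.get)
```

Even this crude agent converges on the highest-extraction entry point; the real system does the same kind of search over full transaction sequences and contract state.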
Stage 05
Dynamic Execution
Agents actually execute transactions against forked contracts. Real calls, real state changes, real token flows. This is not simulation — it's execution. Every interaction modifies the forked chain state exactly as it would on mainnet.
Real Transactions · State Changes · Token Flows · Forked Chain
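The key property of a fork is that calls mutate a private copy of chain state while mainnet stays untouched. A toy illustration of that invariant (not TestMachine's executor, and the state fields are invented):

```python
import copy

mainnet_state = {"vault_balance": 1_000, "attacker": 0}

def fork(state):
    # Private deep copy: agents mutate the fork, never the original chain state.
    return copy.deepcopy(state)

def execute(state, call):
    # A "real" call: state actually changes, exactly as it would on mainnet.
    if call == "withdraw_all":
        state["attacker"] += state["vault_balance"]
        state["vault_balance"] = 0
    return state

forked = fork(mainnet_state)
execute(forked, "withdraw_all")
assert mainnet_state["vault_balance"] == 1_000   # mainnet untouched
assert forked["attacker"] == 1_000               # extraction happened on the fork
```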
Stage 06
Verification & PoC
When an agent finds an exploit path, the system generates a proof-of-concept: reproducible exploit code that demonstrates the vulnerability. Zero false positives because every vulnerability was actually exploited.
PoC Generation · Reproducible · Zero False Positives
Every finding backed by working exploit code
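In shape, a generated PoC is a reproducible script: replay the exploit steps from a known starting state and confirm that value was actually extracted. A minimal hypothetical example (the attack path and state fields are invented for illustration):

```python
def poc_exploit(state):
    """Reproducible exploit: same start state yields the same extraction, every run."""
    state = dict(state)
    loan = 100
    state["attacker"] += loan                 # flash-loan in
    state["attacker"] += state["rewards"]     # drain mis-accounted rewards
    state["rewards"] = 0
    state["attacker"] -= loan                 # repay the loan
    return state

start = {"attacker": 0, "rewards": 40}
end = poc_exploit(start)
profit = end["attacker"] - start["attacker"]
assert profit > 0   # the finding counts only if the exploit actually nets value
```

Because the check is "did the attacker end up with more value than they started with", a finding that cannot be replayed profitably never ships.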
Stage 07
Report & Remediation
Findings are compiled with severity scores, proof-of-concept code, recommended fixes, and automated verification that the fix resolves the vulnerability. The loop closes: find, fix, verify.
Severity Scoring · Fix Recommendations · Fix Verification
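Fix verification can be pictured as re-running the same PoC against the patched fork and checking that it no longer profits. An illustrative sketch only, with an invented exploit and state:

```python
def exploit(state, patched=False):
    # Toy exploit: drains rewards unless the fix blocks the path.
    state = dict(state)
    if not patched:
        state["attacker"] += state["rewards"]
        state["rewards"] = 0
    return state

def verify_fix(start):
    before = exploit(start)["attacker"] - start["attacker"]
    after = exploit(start, patched=True)["attacker"] - start["attacker"]
    # The fix is verified when the known exploit no longer extracts value.
    return before > 0 and after == 0

assert verify_fix({"attacker": 0, "rewards": 40})
```

Running the original exploit as a regression test is what lets the loop close automatically: the same code that proved the bug proves the fix.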

LLMs as the intelligence layer

At TestMachine, LLMs aren't used to detect vulnerabilities — they act as the context engine that makes everything else work.

Attack Surface Identification

They identify what to test: structural risks, economic invariants that must hold, access control patterns that could be bypassed, and governance flows that could be manipulated.

Economic Flow Mapping

LLMs trace how value moves through the protocol: token minting, staking rewards, liquidation mechanics, and fee structures. They build the economic model that the RL agents attack.
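One plausible representation of such an economic model is a directed value-flow graph. This is a simplification for illustration, not Azimuth's internal format:

```python
# Edges: (source, sink, mechanism) describing how value moves through the protocol.
flows = [
    ("user", "vault", "deposit"),
    ("vault", "user", "staking rewards"),
    ("vault", "liquidator", "liquidation bonus"),
    ("user", "treasury", "fees"),
]

def sinks(node):
    # Where can value flow to from this node?
    return sorted({dst for src, dst, _ in flows if src == node})
```

A graph like this tells the RL agents where value pools and which paths could move it somewhere it shouldn't go.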

Why This Matters

LLMs are brilliant at understanding code structure, documentation, and intent. But they're fallible — they hallucinate, produce false positives, and they can't execute code. By using LLMs for what they're good at — understanding — and RL agents for what they're good at — exploration and exploitation — TestMachine eliminates the false positive problem entirely.

The Division of Labor
Azimuth LLMs
Intelligence Analysts
Map the terrain. Identify targets. Build the plan.
RL Agents
Special Operators
Execute the mission. Adapt in real-time. Prove the exploit.

RL agents attack your protocol

Lodestar, our RL engine, deploys agents that probe DeFi protocols. They explore every entry point, discover attack paths, and prove exploits by executing them.

Lodestar Analysis Pipeline
Interactive demo: the six pipeline stages (Ingest, LLM Analysis, Validate, Action Space, RL Agents, Exploit PoC) run live against a sample StakingVault.sol contract, exercising deposit, withdraw, claimRewards, liquidate, setOracle, and updateRewardRate while tracking the reward the agents extract in ETH.

The infrastructure moat

This isn't something you can replicate with a prompt. TestMachine's engine requires dedicated infrastructure that runs at scale, continuously.

Forked Environments

Full blockchain fork per protocol analysis. Real state, real balances, real contract code.

Zero False Positives

RL agents don't just find vulnerabilities — they exploit them on forked chains. Every finding is verified with a working proof-of-concept.

Continuous Re-testing

Contracts are re-analyzed as they upgrade. Markets shift, new functions appear — the engine adapts.

All EVM Chains

Ethereum, Base, Arbitrum, Optimism, Polygon, Avalanche, BSC. One engine, full coverage.

Powered by the engine

Product 01

Token Custody

Risk scoring for 9M+ tokens across all EVM chains. Every token analyzed for confiscation, hidden minting, proxy manipulation, and more. Risk scores range from 0 (safe) to 100 (critical).

Product 02

Azimuth

AI agents that actively attack your smart contracts in forked mainnet environments with real transaction execution. Zero false positives — if Azimuth reports a vulnerability, it was actually exploited. Results in minutes, not weeks.

See it in action

Point TestMachine at your protocol. Get confirmed vulnerabilities with proof-of-concept exploits. Zero false positives.

Launch App