Aegis Fuzzer

ICS/SCADA applications require robust components, but too often software is the weakest link.

Aegis is a smart fuzzer for power system protocols that can identify robustness and security issues in communications software before it is deployed in a production system.


High-value Testing

Aegis has proven results but costs a fraction of the price of other ICS fuzzing products. We license Aegis for the following use cases:

  • Vendors seeking to eliminate defects from their products
  • Asset owners auditing their equipment
  • Pentesters or 3rd-party security personnel doing assessments


Aegis is a protocol-aware smart fuzzer and generates malformed messages that are much more likely to identify defects than random fuzzing.

Easy to Use

Since Aegis understands each protocol, little user configuration and experience are required to operate the tool.

Automated Testing

The GUI for Aegis makes user-driven testing easy. However, the same tests are also available from the command line, allowing for full test automation.

Protocol    Server (outstation)    Client (master)
DNP3 (IEEE-1815)
Modbus TCP
IEC 60870-5-104


Aegis™ is licensed on a per-seat subscription basis with a term of typically one year. Enterprise-wide licensing that grants unlimited seats is also available. Discounts are available for trainers, academia, and asset owners.


Learn More About Fuzzing

Browse some of our posts about fuzzing and secure programming.

OpenDNP3: Retrospective

OpenDNP3 was released as open source over 10 years ago. This post describes where I believe the project has succeeded, where it hasn’t, and why Step Function I/O is using a different licensing model for our new libraries going forward. In many ways, OpenDNP3 has been a success. We are constantly learning of new companies that have successfully used the library to add DNP3 functionality to their product or service offering.

CVE-2020-10611 - RCE in a flawed DNP3 Implementation

S4x20 hosted the Pwn2Own Miami hacking competition this year, and one of the more interesting and impactful results was a bug chain leading to remote code execution (RCE) in the Triangle MicroWorks (TMW) SCADA Data Gateway. The Zero Day Initiative, which puts on these competitions, recently released a detailed writeup (and video) of the bugs and the exploit. Achieving code execution on the Triangle MicroWorks SCADA Data Gateway - details (and video!

Binding Rust to other languages safely and productively

When we made the decision to write our next generation of libraries in Rust, we knew we needed a solid approach for binding them to other languages. It may be some time before we have customers purchasing our libraries to use them in a Rust-only codebase. The majority of our customers will want to use the libraries in C/C++, .NET, or Java. Writing the core implementation in Rust means more productivity, fewer errors, and certain safety guarantees compared to writing it in C++.
