I don’t do a lot of self-promotion on this blog, mostly because I’d rather write about range proofs than about my own company. But I get the same email often enough (“hey, we’re shipping some crypto, who do we talk to?”) that I figured I’d just write the answer down once.

So here it is: if you’re building anything that touches cryptography and you want someone to look at it before it goes live, reach out to zkSecurity.

For the newer readers: a few years ago I cofounded zkSecurity, and what started as a “let’s audit ZK circuits” shop has grown into something much broader. We audit advanced cryptography in general now (ZK, sure, but also MPC, FHE, threshold signatures, consensus protocols, post-quantum, and the boring primitives everyone gets wrong), we do formal verification for when “we reviewed it carefully” isn’t good enough, and we do development and design work too. The team is world-class, a mix of researchers, hardcore devs, and CTF people. Most of them are more qualified than me, which is exactly the situation you want when you’re handing off code you care about =)

But the thing I really want to tell you about is zkAO, an AI tool we built that finds bugs in cryptographic codebases.

I want to be careful here, because everyone is slapping “AI” on a landing page right now and most of it is noise. But I’ve been doing this for over a decade, and I’ll just say it plainly: I think zkAO is the best tool on the market right now for finding cryptography bugs in real codebases.

Crypto bugs are nasty in their own particular way. They’re not your average off-by-one — they hide in the gap between what the math says and what the code actually does: a missing range check, a reused nonce, an unvalidated subgroup, a constraint that’s underconstrained in a way that only matters once someone is motivated to make it matter. Off-the-shelf tools just miss these, because they don’t understand the cryptography. zkAO does — that’s the whole point of it.

It doesn’t replace a real audit, and I’d never pitch it as one. But it catches a class of bugs early and cheaply, and it makes a real review go faster. That’s where I think this is all going.

So if you’re shipping crypto: zksecurity.xyz for the audits and the formal verification, zkao.io to throw an AI bug-finder at your codebase and see what falls out. Either way, get it looked at before, not after. I’ve seen how the “after” goes.

Anyway, that’s the pitch.