Definition
Plain language
A system that combines static analysis, AI, and symbolic execution to find security bugs and write working proofs that exploit them.
As stated in the literature
A vulnerability discovery framework that pairs CodeQL-style static analysis with LLM-driven harness synthesis and symbolic execution, validating crashes against AddressSanitizer on unmodified binaries.
Why it matters: Pairing static analysis with LLM-driven harness synthesis closes the loop from "this looks suspicious" to "here's a proof it's exploitable," sharply reducing security-team triage time.
For example, SAILOR might use static analysis to flag a suspicious string-copy function, have an LLM synthesize a test harness around it, and produce a crashing input that AddressSanitizer confirms is a real overflow.
Heard on the show
“And the system has a name — they call it SAILOR.”Episode 014 — Why a Constrained Pipeline Beat a Full Coding Agent at Finding Bugs 30-to-1