Mutation testing for the agentic era

2026-04-01 · Source: The Trail of Bits Blog · Field: Technology & Digital — Software Development & Engineering, Artificial Intelligence & Machine Learning, Blockchain & Distributed Ledger Technology · Depth: Advanced, medium

Summary

Trail of Bits has released MuTON and mewt, two new open-source mutation testing tools optimized for agentic use, alongside a configuration optimization skill for AI agents. MuTON specifically supports TON blockchain languages (FunC, Tolk, Tact), while mewt is a language-agnostic core also supporting Solidity, Rust, and Go. These tools aim to overcome the limitations of earlier regex-based tools like Universalmutator and even Slither-mutate, which suffered from slow runtimes, language-specific coupling, and poor result handling. MuTON and mewt leverage Tree-sitter for robust language comprehension and store results in a SQLite database, enabling persistent sessions, flexible filtering, and SARIF export. The article highlights how AI agents, with specialized skills, can significantly reduce configuration complexity and improve result triage, transforming mutation testing into a more efficient process.

Key takeaway

For Security Engineers developing smart contracts or critical applications, traditional code coverage metrics are insufficient. You should integrate MuTON or mewt into your testing pipeline to uncover hidden vulnerabilities that coverage misses. Utilize the new configuration optimization skill with AI agents to streamline campaign setup and efficiently triage results. This approach ensures more thorough verification, reducing the risk of high-severity exploits in your codebase.

Key insights

Mutation testing tools MuTON and mewt, powered by Tree-sitter and AI agents, enhance software quality by efficiently identifying untested code paths.

Principles

• Code coverage alone is insufficient for verification.
• Prioritize mutants to optimize testing runtime.
• Tree-sitter offers robust multi-language parsing.

Method

MuTON and mewt utilize Tree-sitter for multi-language parsing, generate syntactically valid mutations, and store results in a SQLite database. This enables persistent sessions, flexible filtering, and AI-assisted configuration and triage.

In practice

• Install MuTON for TON blockchain languages.
• Use mewt for Solidity, Rust, and Go projects.
• Employ AI agents for campaign configuration.

Topics

• Mutation Testing
• Blockchain Security
• Smart Contract Testing
• TON Blockchain
• Tree-sitter
• AI Agents

Code references

• trailofbits/publications
• trailofbits/muton
• trailofbits/mewt
• trailofbits/skills
• crytic/slither

Best for: AI Engineer, AI Security Engineer, Machine Learning Engineer, Software Engineer

Related on AIssential

• New benchmark shows AI agents can exploit most smart contract vulnerabilities on their own — AI agents demonstrate significant capability in exploiting and fixing smart contract vulnerabilities, especially with location hints.
• Trailmark turns code into graphs — Code analysis benefits significantly from graph-based reasoning over list-based approaches, especially for security and test quality.
• With $1 Cyberattacks on the Rise, Durable Defenses Pay Off — Generative AI accelerates both cyberattacks and defenses, necessitating a shift to foundational security rather than reactive patching.
• Autoresearch Claude Code Hacker - Can It Breach My Vibecoded Site? — An AI-driven red teaming framework can autonomously test web application security and iteratively refine attack strategies.
• 🗞️ OpenAI teamed up with crypto firm Paradigm to launch EVMBench to test AI agents on smart contract security — AI is rapidly advancing in specialized domains like smart contract security and UI design, while also impacting hardware markets and the future of work.
• Benchmarking Security Risk Detection and Verification in Open Agentic Skill Ecosystems — Open agent skill ecosystems require two-stage security vetting, combining semantic analysis with runtime execution, to detect sophisticated supply-chain attacks.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by The Trail of Bits Blog.