Audit Firms and Communities
This list is for learning from public reports, research, contests, and community
norms. It is not a ranking or endorsement.
Firms and Research Teams
| Organization | Tier | Why follow |
|---|---|---|
| OpenZeppelin | Must learn | Mature EVM security practice and widely used libraries. |
| Trail of Bits | Must learn | Deep program analysis, tooling, and publications. |
| Cyfrin | Use in real audits | Education, tools, audits, CodeHawks, Solodit. |
| OtterSec | Use in real audits | Solana, Move, ZK, and low-level security research. |
| Zellic | Use in real audits | Strong research across EVM, Solana, ZK, and infra. |
| Runtime Verification | Situational / advanced | Formal methods and semantics. |
| Certora | Situational / advanced | Formal verification and audit reports. |
| Spearbit | Use in real audits | Distributed expert network and public portfolio. |
| Pashov Audit Group | Use in real audits | Smart contract security audit firm with public portfolio and reports. |
| Pashov Audits | Use in real audits | Public archive of independent reports and review examples. |
| Pashov Skills | Use in real audits | AI-assisted Solidity auditor and x-ray workflows. |
| TrustSec | Use in real audits | Web3 security boutique with audits, bounties, contests, and research. |
| ChainSecurity | Use in real audits | Protocol audits and research articles. |
| Platform | Tier | Why follow |
|---|---|---|
| Code4rena | Must learn | Large archive of public competitive findings. |
| Sherlock | Must learn | Competitive audits and coverage model. |
| Cantina | Must learn | Competitions, private audits, and bounties. |
| CodeHawks | Use in real audits | Contest practice and Cyfrin ecosystem. |
| Immunefi | Must learn | Bug bounties and disclosure workflows. |
| Hats Finance | Use in real audits | Decentralized bug bounties and vaults. |
Communities
| Community | Tier | Why follow |
|---|---|---|
| Secureum | Must learn | Training, quizzes, and security community signal. |
| Ethereum Foundation ESP | Situational / advanced | Ecosystem support and grants. |
| Security Alliance | Must learn | Crypto security coordination and incident response. |
| 0xPARC | Situational / advanced | ZK research and learning community. |