Rating Methodology
How we evaluate and rank every tool and auditor in our directory. No black boxes, no pay-to-play, no conflicts of interest.
The Rating Scale
Auditors are rated on a 1 to 5 scale based on a weighted evaluation across six criteria. Tools are evaluated qualitatively across five dimensions and ranked within their category.
Auditor Rating Criteria
There is no industry standard for scoring audit firms. This methodology is our own, developed from years of working with auditors and observing real-world outcomes. Each criterion carries a specific weight in the final 1-5 rating.
Portfolio Depth
25%Number and quality of publicly available audit reports. We look at severity depth of findings, quality of remediation guidance, and consistency across engagements.
- How many public audit reports has the firm published?
- Do reports include detailed finding descriptions and fix recommendations?
- Are findings categorized with clear severity ratings?
- Is there consistency in thoroughness across different clients?
Proving-System Coverage & Specialization
15%Breadth of proving-system expertise and depth of specialization in specific ZK stacks.
- Which proving systems (Groth16, PLONK, STARKs, zkVMs) has the firm audited?
- Do they specialize in specific stacks (circom, halo2, Noir, Cairo, gnark)?
- Can they audit both circuits and the surrounding verifier integration?
- Do they have ZK-specific tooling and methodology?
Team Size & Known Personnel
10%The people matter more than the logo. We assess team size, the visibility of lead auditors, and whether the firm relies on known senior researchers or unvetted juniors.
- How many staff can genuinely audit ZK circuits and cryptographic protocols?
- Are lead auditors publicly known with verifiable track records?
- Do they have researchers contributing to the broader security community?
- Can clients request specific auditors for their engagement?
Community Reputation & Track Record
25%What the security community actually thinks, combined with post-audit outcomes. We track soundness bugs surfaced in audited systems and weigh researcher sentiment.
- Have soundness bugs surfaced in systems this firm audited, and how were they handled?
- What do bug bounty hunters and independent researchers say?
- Is the firm recognized by peers in the audit community?
- Have they been involved in any controversy or disputed findings?
Turnaround Reliability
10%How responsive the firm is from initial contact through final report delivery. A great audit that arrives six months late can be worse than a good audit on time.
- What is the typical turnaround time for a standard engagement?
- How responsive are they during the scoping and quoting phase?
- Do they meet stated deadlines consistently?
- Is post-audit support and re-audit available promptly?
Public Transparency
15%Firms that publish their reports, disclose their methodology, and operate openly score higher. Transparency is a quality signal.
- Are audit reports published publicly (with client permission)?
- Does the firm disclose its audit methodology?
- Are team credentials and qualifications verifiable?
- Do they maintain a public portfolio or reports page?
Tool Evaluation Criteria
Tools are evaluated qualitatively and ranked within their category (static analyzers, fuzzers, monitoring, etc.). Since tools don't carry a single numeric rating, we assess them across these five dimensions and present our editorial recommendation.
GitHub Activity & Maintenance
Is the tool actively maintained? We look at commit frequency, issue response times, release cadence, and whether dependencies are kept current.
- Commit frequency in the last 90 days
- Open issue and PR response times
- Release cadence and changelog quality
- Dependency freshness and security patch adoption
Community Adoption
Real-world usage matters more than marketing. We track downloads, GitHub stars, mentions in audit reports, and adoption by recognized security researchers.
- GitHub stars and fork count trends
- Package manager download statistics (npm, pip, cargo)
- Usage in published audit reports and security research
- Adoption by top audit firms in their workflows
Documentation Quality
A powerful tool with terrible docs is a powerful tool nobody uses correctly. We evaluate getting-started guides, API references, and example quality.
- Does it have a clear getting-started guide?
- Are all features and configuration options documented?
- Are there real-world usage examples?
- Is the documentation kept in sync with releases?
Feature Completeness
How well does the tool cover its stated category? A static analyzer should catch the known vulnerability classes. A fuzzer should support property-based testing. We compare against category expectations.
- Coverage of ZK bug classes (under-constrained circuits, unsound gadgets, bad Fiat-Shamir)
- Constraint-bug detection accuracy and false positive rates
- Proving-system and circuit-language support breadth
- Integration with ZK development workflows (circom, halo2, Noir, Cairo)
Active Development Status
Is the project alive, on life support, or abandoned? We distinguish between stable-and-mature (good) and unmaintained-and-stale (bad).
- Last commit date and release date
- Roadmap or public development plans
- Maintainer responsiveness to community issues
- Whether the project is accepting contributions
What "Featured" Means
A tool or auditor marked as "Featured" on our homepage scored highest across these criteria in their category. Featured status is reviewed monthly and is never purchased or influenced by affiliate relationships.
Important Disclaimers
- Editorial opinion. Ratings are editorial assessments based on publicly available information. They are not guarantees of audit quality or tool effectiveness.
- No pay-to-play. No auditor or tool vendor pays for their rating, featured placement, or ranking position. Period.
- Editorial firewall. Some listings include affiliate referral links. Affiliate relationships do not influence editorial ratings, rankings, or featured placement. The editorial process is fully independent of monetization.
- Continuously updated. Ratings are updated as new information becomes available. A firm's rating today may change as they publish new reports, expand to new proving systems, or as post-audit outcomes emerge.
- Known limitations. Post-audit exploit data is incomplete. Newer firms have less data to evaluate. Community sentiment can be influenced by marketing. We disclose these gaps rather than pretend they don't exist.
Think We Got Something Wrong?
If you believe your listing is inaccurate, your rating doesn't reflect current information, or we're missing important data, we want to hear from you. We take corrections seriously.
Contact Us