Stateful network protocols—characterized by memory-dependent behavior—pose significant challenges for fuzz testing, resulting in low vulnerability detection rates. To address this, we propose the first gray-box fuzzing method that jointly models both program code and protocol state space: it employs message sequences as seeds, lightweight infers protocol states from response codes, and drives AFL-based mutation via a dual-coverage guidance mechanism—integrating code coverage with protocol state-transition coverage. Our key innovation is establishing “response codes as state identifiers” as a general design principle, thereby enabling a state-aware, feedback-driven testing paradigm. The open-source implementation has become a foundational tool in protocol fuzzing, garnering hundreds of academic citations, nearly 200 GitHub forks, and over 30 community contributions. It has substantially advanced both research and industrial practice in testing stateful protocols.

Protocol implementations are stateful which makes them difficult to test: Sending the same test input message twice might yield a different response every time. Our proposal to consider a sequence of messages as a seed for coverage-directed greybox fuzzing, to associate each message with the corresponding protocol state, and to maximize the coverage of both the state space and the code was first published in 2020 in a short tool demonstration paper. AFLNet was the first code- and state-coverage-guided protocol fuzzer; it used the response code as an indicator of the current protocol state. Over the past five years, the tool paper has gathered hundreds of citations, the code repository was forked almost 200 times and has seen over thirty pull requests from practitioners and researchers, and our initial proposal has been improved upon in many significant ways. In this paper, we first provide an extended discussion and a full empirical evaluation of the technical contributions of AFLNet and then reflect on the impact that our approach and our tool had in the past five years, on both the research and the practice of protocol fuzzing.