American Fuzzy Lop (software)

For example, in the case of an audio player, American fuzzy lop can be instructed to open a short sound file with it.

Then, the fuzzer attempts to actually execute the specified command and if that succeeds, it tries to reduce the input file to the smallest one that triggers the same behavior.

After this initial phase, AFL begins the actual process of fuzzing by applying various modifications to the input file.

These mutations are any of:[23]

If AFL cycles through the entire queue without generating any input that achieves new code coverage, it begins splicing.

Splicing takes two inputs from the queue, truncates them at arbitrary positions, concatenates them together, and applies the havoc stage to the result.

An input is considered "interesting" and is added to the queue if it produces a (tuple, binned count) pair that is not yet in the global set.

This representation is more fine-grained (distinguishes between more executions) than simple block or statement coverage, but still allows for a linear-time "interestingness" test.
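The splicing step and the (tuple, binned count) coverage test described above, as an added example that is not AFL's own code: the block ids and the sample traces are constructed, the map size is a placeholder, and the hit-count buckets follow the scheme afl-fuzz uses (1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+).

```python
import random
from typing import Dict, Iterable, Set, Tuple

# Hit-count buckets, modelled on afl-fuzz's count-class lookup:
# 1, 2, 3, 4-7, 8-15, 16-31, 32-127 and 128+ each collapse to one bin.
def bin_count(hits: int) -> int:
    if hits <= 3:
        return hits
    for bound, bucket in ((8, 4), (16, 5), (32, 6), (128, 7)):
        if hits < bound:
            return bucket
    return 8

def edge_tuples(trace: Iterable[int], map_size: int = 1 << 16) -> Dict[int, int]:
    """Count branch tuples the way AFL's instrumentation does: the tuple id is
    cur_location ^ prev_location and prev_location then becomes cur >> 1, so
    A->B and B->A land in different map slots. Block ids here are constructed."""
    counts: Dict[int, int] = {}
    prev = 0
    for cur in trace:
        slot = (cur ^ prev) % map_size
        counts[slot] = counts.get(slot, 0) + 1
        prev = cur >> 1
    return counts

class CoverageSet:
    """Global set of (tuple, binned count) pairs seen so far."""
    def __init__(self) -> None:
        self.seen: Set[Tuple[int, int]] = set()

    def is_interesting(self, trace: Iterable[int]) -> bool:
        # Linear in the number of tuples: one set lookup per (tuple, bin) pair.
        pairs = {(t, bin_count(c)) for t, c in edge_tuples(trace).items()}
        new = pairs - self.seen
        self.seen |= new          # an interesting input extends the global set
        return bool(new)

def splice(a: bytes, b: bytes, rng: random.Random) -> bytes:
    """Truncate two queue entries at arbitrary points and concatenate them;
    afl-fuzz would then run its havoc mutations over the result."""
    cut_a = rng.randint(1, len(a) - 1)
    cut_b = rng.randint(1, len(b) - 1)
    return a[:cut_a] + b[cut_b:]

if __name__ == "__main__":
    cov = CoverageSet()
    loop = [0x1000, 0x2000]               # constructed ids for a two-block loop
    print(cov.is_interesting(loop * 5))   # True: first time the 4-7 bin is hit
    print(cov.is_interesting(loop * 6))   # False: six iterations fall in the same bin
```

Five and six loop iterations produce different raw hit counts but the same (tuple, bin) pairs, which is why the second trace is not queued.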

On the assumption that smaller inputs take less time to execute, AFL attempts to minimize or trim the test cases in the queue.

American fuzzy lop features a colorful command line interface that displays real-time statistics about the fuzzing process.

In addition to afl-fuzz and tools that can be used for binary instrumentation, American fuzzy lop features utility programs meant for monitoring the fuzzing process.

Google's OSS-Fuzz initiative, which provides free fuzzing services to open source software, replaced its AFL option with AFL++ in January 2021.

AFL's logo from fuzzed input stitched together as a single animation.[19]