diff --git a/test/fuzz/.gitignore b/test/fuzz/.gitignore
index 7dc7d92a7..04612ce5f 100644
--- a/test/fuzz/.gitignore
+++ b/test/fuzz/.gitignore
@@ -1,7 +1,14 @@
+CMakeCache.txt
+CMakeFiles
+crash-*
+default.profraw
 build
 Makefile
 cmake-build-debug
 cmake_install.cmake
 fuzz_hci
 fuzz_hci_transport_h4
+fuzz_ad_parser
+fuzz_att_db
+fuzz_gatt_client
 libbtstack.a
diff --git a/test/fuzz/debian-fuzz-env.sh b/test/fuzz/debian-fuzz-env.sh
index 2cc60d8b8..dfa45dac2 100755
--- a/test/fuzz/debian-fuzz-env.sh
+++ b/test/fuzz/debian-fuzz-env.sh
@@ -1,5 +1,7 @@
 #!/bin/sh
 DIR=`dirname $0`
-BTSTACK_ROOT=`realpath $DIR/../..`
+BTSTACK_ROOT="/Projects/btstack/"
+# call to build image
+# docker image build -t fuzz .
 docker run --rm -ti -v $BTSTACK_ROOT:/btstack -w /btstack/test/fuzz fuzz
diff --git a/test/fuzz/fuzz_gatt_client.c b/test/fuzz/fuzz_gatt_client.c
new file mode 100644
index 000000000..b59b6d8ac
--- /dev/null
+++ b/test/fuzz/fuzz_gatt_client.c
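Review bot: `BTSTACK_ROOT="/Projects/btstack/"` replaces the path derived from the script's own location with an absolute path that only exists on one developer's machine, so the `-v $BTSTACK_ROOT:/btstack` mount in the `docker run` line points at a missing or unrelated directory for everyone else. Keeping the derived value and allowing an override serves both cases: `BTSTACK_ROOT="${BTSTACK_ROOT:-$(realpath "$DIR/../..")}"`. If the change was motivated by `realpath` being unavailable on the host, `$(cd "$DIR/../.." && pwd)` yields the same path with plain POSIX sh. Quoting the expansion in the mount argument, `-v "$BTSTACK_ROOT":/btstack`, also avoids word-splitting when the checkout path contains spaces.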
@@ -0,0 +1,76 @@
+#include
+#include
+
+#include "ble/gatt_client.h"
+#include "btstack_run_loop_posix.h"
+#include "btstack_memory.h"
+
+static void (*packet_handler)(uint8_t packet_type, uint8_t *packet, uint16_t size);
+
+static int hci_transport_fuzz_set_baudrate(uint32_t baudrate){
+ return 0;
+}
+
+static int hci_transport_fuzz_can_send_now(uint8_t packet_type){
+ return 1;
+}
+
+static int hci_transport_fuzz_send_packet(uint8_t packet_type, uint8_t * packet, int size){
+ return 0;
+}
+
+static void hci_transport_fuzz_init(const void * transport_config){
+}
+
+static int hci_transport_fuzz_open(void){
+ return 0;
+}
+
+static int hci_transport_fuzz_close(void){
+ return 0;
+}
+
+static void hci_transport_fuzz_register_packet_handler(void (*handler)(uint8_t packet_type, uint8_t *packet, uint16_t size)){
+ packet_handler = handler;
+}
+
+static const hci_transport_t hci_transport_fuzz = {
+ /* const char * name; */ "FUZZ",
+ /* void (*init) (const void *transport_config); */ &hci_transport_fuzz_init,
+ /* int (*open)(void); */ &hci_transport_fuzz_open,
+ /* int (*close)(void); */ &hci_transport_fuzz_close,
+ /* void (*register_packet_handler)(void (*handler)(...); */ &hci_transport_fuzz_register_packet_handler,
+ /* int (*can_send_packet_now)(uint8_t packet_type); */ &hci_transport_fuzz_can_send_now,
+ /* int (*send_packet)(...); */ &hci_transport_fuzz_send_packet,
+ /* int (*set_baudrate)(uint32_t baudrate); */ &hci_transport_fuzz_set_baudrate,
+ /* void (*reset_link)(void); */ NULL,
+ /* void (*set_sco_config)(uint16_t voice_setting, int num_connections); */ NULL,
+};
+
+static void gatt_client_packet_handler(uint8_t packet_type, uint16_t handle, uint8_t *packet, uint16_t size){
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+
+ const hci_con_handle_t ble_handle = 0x0005;
+
+ static bool gatt_client_initiated = false;
+ if (!gatt_client_initiated){
+ btstack_memory_init();
+ btstack_run_loop_init(btstack_run_loop_posix_get_instance());
+ // init hci, simulate connection
+ hci_init(&hci_transport_fuzz, NULL);
+ hci_setup_test_connections_fuzz();
+
+ gatt_client_init();
+ gatt_client_initiated = true;
+ }
+
+ // TODO: use first byte of random data to pick gatt_client request / set gatt client state
+ // then, only use dat from second byte as response
+ gatt_client_discover_primary_services(gatt_client_packet_handler, ble_handle);
+
+ // send test response
+ gatt_client_att_packet_handler_fuzz(ATT_DATA_PACKET, ble_handle, (uint8_t *) data, size);
+ return 0;
+}
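Review bot: The return value of `gatt_client_discover_primary_services` in LLVMFuzzerTestOneInput is discarded, so when the previous input's response did not complete the query the client presumably rejects the new request and the fuzz packet is delivered to whatever state the last iteration left behind, which makes a crash depend on input history rather than on the single input libFuzzer reports. Checking it, `uint8_t status = gatt_client_discover_primary_services(gatt_client_packet_handler, ble_handle);` followed by `if (status != 0) return 0;` (or resetting the client state before each request, as the TODO above it anticipates), keeps each input self-contained. The cast `(uint8_t *) data` also drops the const on the fuzzer-owned buffer; if `gatt_client_att_packet_handler_fuzz` ever writes into the packet that is undefined behaviour in the harness rather than a finding in the code under test, so copying into a local buffer is the safer choice unless the handler is known to be read-only. Finally, `size` is narrowed from size_t to what is presumably a uint16_t like the other packet handlers in this file, silently truncating inputs above 65535 bytes; rejecting them up front with `if (size > UINT16_MAX) return 0;` avoids fuzzing a length that no longer matches the buffer.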