Internal ICP & Landscape Brief
Internal. Facts, ICPs, landscape, deal shapes.
The Problem
Every organization runs thousands of compiled binaries — system services and vendor agents on workstations, daemons on Linux servers, firmware images inside the routers and appliances on the network edge, executables shipped by every third-party software vendor. Nobody knows what those binaries actually do.
The people whose job it is to know — SOC analysts, threat-intel researchers, MSSP analysts, IR responders, firmware auditors, sectoral CERTs — all hit the same wall. Understanding a single binary needs IDA or Ghidra and a specialist: 2–5 days of manual RE at $300–600/hr. A SOC analyst's best move on an unknown binary today is a VirusTotal hash check — no behavioral profile, no capability map, no explanation.
On the enterprise side, the same gap blocks every security decision that involves software: vetting a vendor agent before deploying it on 10,000 endpoints, assessing the impact of a macOS or Linux upgrade, auditing the firmware your network edge runs, surveying the supply chain. Security teams fill the gap with hash lookups, reputation scores, and trust. None of those answer what a binary actually does — what it accesses, what it contacts, what it collects.
The Product
openbinary is the programmable binary platform — read any binary or firmware and understand what it does.
Positioning
ICPs:
- Endpoint security teams — MDR, threat intel, IR, RE. Mac-led market today, expanding on Linux and Windows.
- Firmware, IoT, and OT security — appliance vendors, OT/ICS platforms, critical-infrastructure CERTs. Full firmware and Docker/OCI image unpack, SBOM with CVE attribution, CWE findings on every extracted file — both compiled binaries and the interpreted source (JS / Python / …) bundled inside — in one pipeline.
- Developers & CI/CD (DevSecOps) — the team that builds the binary. A pipeline gate on the shipped artifact: CWE/CVE rollup, build-hardening regression, real-vs-declared SBOM drift, embedded-junk and secrets, signing and publisher verification.
- Enterprise app inventory & SBOM (CRA) — product-security, compliance, and procurement teams that must inventory every app they ship or operate and produce a machine-readable, CRA-grade SBOM. Binary and source CWE, CVE attribution, CycloneDX / SPDX export across the estate.
- LLM-native security products and agent frameworks — need structured binary facts to reason over compiled software.
- Developer intelligence — vendor vetting, binary-layer dependency audit, compliance, supply-chain due diligence.
Platform scope. 56 executable formats, 66 ISAs, 5 OS platforms, 91 container unpackers feed the same pipeline (filesystems, archives, compression, firmware carriers, Docker/OCI images). Mach-O / ELF / PE32+ on arm64 / arm64e / x86_64 are first-class with full reconstruction-to-Rust. iOS analyzes through the macOS path. See Architectures.
Unit of analysis is the package, not just the binary. A single binary, a firmware image, a Docker/OCI image, or an entire OS distribution ingests as one package — every binary inside is analyzed, and the package carries its own composition, SBOM, and security rollup. Whole BSD releases (FreeBSD / NetBSD / OpenBSD, ~700–2,600 binaries each) are in the public corpus today. Any two packages diff release-over-release: added / removed / changed binaries, SBOM-component deltas, and hardening regressions, side by side.
Two layers of CWE in one pass. Compiled binaries get binary-level CWE findings — taint, memory safety, the full IL analysis. The interpreted source that ships inside the same package — JavaScript, Python, PHP, Ruby, Go, Java, C#, and more, ubiquitous in firmware and container images — gets source-level SAST CWE findings on the same unpack. One report covers both the binaries an image runs and the scripts it carries; most competitors do one or the other, not both, and never together inside a single firmware or image.
Deployment models
| Model | Shape |
|---|---|
| Cloud / SaaS | Web + REST API from a browser. Teams use it without install. |
| On-prem, fleet scan | One host enumerates a fleet — workstation, server, or firmware image — and builds a searchable local database. Stock macOS: ~2,500 binaries in ~30 minutes, plus ~3,500 frameworks via the dyld shared cache (13 macOS versions in under a day). Linux: every ELF under /usr, /bin, /lib. Firmware: every binary inside an unpacked image across 91 container formats. |
| Air-gapped | Two binaries, no cloud, no network. Deployable in a SCIF or behind any perimeter. |
| OEM / embedded | Pure Rust, ~13 MB, no GUI, no runtime deps. Bolts into an endpoint agent for real-time on-device analysis at under 200 ms per binary. |
Market signal
- macOS threats are surging. Red Canary's 2025 Threat Detection Report observed roughly 400% more macOS threat detections in 2024 than 2023. By 2025, infostealers accounted for ~30% of all macOS malware detections — Atomic, Poseidon (rebranded mid-2025 as Odyssey), Banshee, Cuckoo, MacSync, Phexia, DigitStealer.
- The paste-and-run pivot. After Apple closed a popular Gatekeeper bypass in September 2024 (95% of 2024's stealer infections happened before that patch; 5% after), adversaries moved to paste-and-run lures —
curl | bash, shell + AppleScript. The binary that lands on the endpoint is downloaded on demand and rarely sits in hash-reputation corpora. - Enterprise Mac is growing faster than the PC market. Per IDC, Apple Mac shipments grew ~11% in 2025 against an industry average of ~3.3%; US enterprise Mac share has reached ~23%.
- Supply-chain security adoption. Per Gartner (cited in ReversingLabs' 2025 coverage), 85% of enterprise software-engineering teams will have deployed SSCS tools by 2028, up from 60% in 2025.
- Objective-See's 10th annual Mac Malware roundup (Patrick Wardle, published January 2026 covering 2025) confirms stealers as the dominant new-malware category. Our indicator rules are seeded from the 2025 edition.
- Firmware regulatory floor. EU Cyber Resilience Act applies in full Dec 11, 2027 — every connected product on the EU market needs a machine-readable SBOM and documented vulnerability handling. US EO 14028 imposes parallel SBOM requirements on federal procurement. Public incidents — Zyxel firewall RCE (CVE-2023-28771) chained against 22 Danish energy companies via SektorCERT-tracked attacks late 2023, Cisco IOS XE mass-RCE waves, Volt Typhoon edge-device persistence — keep the appliance-audit market hot.
Buyer archetypes
Quick map
| Archetype | Who | Lead with |
|---|---|---|
| Mac-focused MDR / EDR | Huntress, Red Canary, Jamf Protect, Iru, Mosyle, Sophos, Expel | Behavioral profile in 200 ms + DSL queries + anomaly flag. SaaS or OEM-embed |
| Firmware & IoT vendors | Zyxel, Asus, TP-Link, Netgear, Synology, QNAP, Cisco, Juniper, Fortinet, Palo Alto, Ubiquiti, mid-market OEMs | Pre-ship firmware audit — SBOM with CVE attribution + binary CWE findings, CRA-compliant inventory in one pipeline |
| Developers & CI/CD | Platform / AppSec / release-engineering teams shipping compiled software | Pipeline gate on the built artifact: CWE+CVE, hardening-flag regression, real-vs-declared SBOM drift, secrets, signing — fail the build |
| Container & cloud-native vendors | Docker/OCI publishers, base-image builders, containerized ISVs | Audit every compiled binary inside the image — CWE + SBOM-with-CVE + hardening, at the layer manifest scanners miss |
| Enterprise app inventory & SBOM (CRA) | Product-security, compliance, procurement teams; CRA-regulated manufacturers & operators | Estate-wide app inventory + CRA-grade SBOM (CycloneDX/SPDX), binary and source CWE, CVE attribution, per-release diff |
| OT / ICS security | Claroty, Nozomi Networks, Armis, Dragos, Microsoft Defender for IoT | Firmware unpack + binary analysis as input to their asset-and-risk products. Data-feed or OEM |
| Binary-centric threat intel | Stairwell, ReversingLabs, Intezer | Behavioral depth as upstream data feed; category overlap at the high end |
| Malware research / CTI | Kaspersky GReAT, Mandiant Intel, Microsoft TI, ESET, Talos, Recorded Future, Flashpoint, Intel 471 | DNA similarity, ATT&CK-tagged indicators, JSONL as a licensable feed |
| RE / audit firms | NCC Group, Trail of Bits, Leviathan, Include Security, Atredis, Doyensec, Assetnote, Synack | Rust reconstruction + XPC audit-matrix. Per-seat or per-engagement |
| Endpoint XDR majors (OEM) | CrowdStrike, SentinelOne, Cortex XDR, Defender, Sophos, Jamf Protect, Iru, Mosyle | ~13 MB pure-Rust library, no GUI, no runtime deps. Highest LTV, longest cycle |
| Supply-chain security | JFrog Xray, ReversingLabs Spectra; adjacent SCA (Snyk, Black Duck, GitHub Adv. Sec., Endor) | Binary-level SBOM; library + function recognition across 5 signature tiers (87,828 prologue hashes / 219 open-source libs · ~1.2M PE/MSVC FLARE FLIRT · 34,219 Apple-kernel function sigs) |
| IR firms | Mandiant (Google), Kroll, CrowdStrike Services, Stroz Friedberg, Volexity, Secureworks IR | Air-gap install, scan-cache the victim's system, baseline against known-good. Per-engagement |
| Enterprise CISOs (Mac fleets) | Cross-industry | Reached through MDR / security-vendor channel rather than direct |
| Government, defense, intel | DoD components, CISA, Sandia, Los Alamos, FVEY, three-letter agencies | Two binaries, no cloud, air-gap deployable. Site-license via cleared channel partners |
| Cyber insurance underwriters | Resilience, Coalition, At-Bay, Corvus, Beazley | Experimental — quantified fleet-risk data feed |
Mac-focused MDR / EDR
Names. Huntress, Red Canary, Jamf Protect, Iru (formerly Kandji), Mosyle, Sophos MDR, Expel.
Pain. Their static macOS analysis today is hash reputation + signing state + runtime telemetry. The pre-execution question — what can this specific unknown binary do — is almost universally unanswered.
Lead with. Behavioral profile in under 200 ms, DSL queries over the corpus, per-type anomaly flag. SaaS or OEM-embed.
Firmware & IoT vendors
Names. Networking/edge — Zyxel, Asus, TP-Link, Netgear, D-Link, Ubiquiti. Enterprise — Cisco appliances, Juniper, Fortinet, Palo Alto, Sonicwall, Check Point. Storage/NAS — Synology, QNAP, Asustor. Industrial gateways, SBC OEMs, white-label appliance builders.
Pain. CRA forces a machine-readable SBOM + vulnerability handling on every connected product by Dec 11, 2027. Most OEMs don't have a clean inventory of what's bundled in their own firmware, let alone CVE attribution against it. Internal RE audits by hand and misses things.
Lead with. One pipeline: unpack the firmware, CWE findings on every extracted binary and on the interpreted source bundled alongside (JS/Python/Lua/shell — most firmware ships plenty), SBOM with CVE attribution at the component and firmware layers — and a release-over-release firmware diff (which binaries changed, which SBOM components moved, which hardening flags regressed between two image versions). Curated vendor rules (Zyxel NAS326, VMG, ZyWALL, USG ship today); the table grows with each advisory. Air-gap deployable, pure Rust, ~13 MB. Per-engagement, annual site license, or OEM-embed.
OT / ICS security
Names. Claroty, Nozomi Networks, Armis, Dragos, Microsoft Defender for IoT, Forescout (eyeInspect), Tenable OT.
Pain. Asset-discovery and protocol-anomaly products know what's on the network but not what's inside the firmware running on those assets. Customers increasingly ask the OT vendor for the CVE-and-CWE story on the actual firmware they're operating — not just the asset inventory.
Lead with. Firmware unpack + binary analysis as an upstream data feed. They own asset and network context; we provide firmware truth. Data-feed or OEM-embed.
Developers & CI/CD (DevSecOps)
Names. Platform-engineering, AppSec, and release-engineering teams inside any org that ships compiled software — desktop apps, agents, SDKs, drivers, embedded binaries. Reached through CI integrations (GitHub Actions, GitLab CI, Jenkins, Buildkite) and the REST API, not a sales motion to a named account list.
Pain. Source SCA (Snyk, Dependabot, GitHub Advanced Security) reads manifests and lockfiles — it never inspects the artifact that actually ships. So a build can regress every binary-layer property and nothing in the pipeline catches it: a hardening flag silently flips off (PIE / RELRO / NX stack / Intel CET / FORTIFY_SOURCE / stack canaries / ARM64 BTI / PAC), the shipped binary's real dependency set drifts from the declared SBOM, junk accumulates (unexpected data segments, leftover debug strings, embedded secrets), the version/publisher metadata is wrong, or the artifact ships unsigned. None of it is visible until someone reverse-engineers the release.
Lead with. A CI step that audits the built artifact against policy and diffs it against the previous release in one pass — added / removed / changed binaries, CWE findings and CVE attribution, a build-hardening regression diff with per-flag remediation (-fcf-protection, -D_FORTIFY_SOURCE, …), real-vs-declared SBOM drift with CycloneDX / SPDX export, SBOM-component deltas release-over-release, declared-vs-used consistency flags, secrets scan, signing and publisher verification. The package-diff view that ships today (added/removed/changed counts, SBOM delta, side-by-side identity) is the release-gate report. REST API + JSON, fail-the-build gate, pure Rust at ~13 MB with no runtime deps so it drops into any runner. Self-serve and usage-based at the bottom; expands to a team or org license. This is the producer side of the supply chain — distinct from the consumer-side vendor-vetting in Developer intelligence / Supply-chain security.
Container & cloud-native image vendors
Names. Teams that ship a whole image rather than a single binary — Docker / OCI container publishers, base-image and golden-image builders, ISVs distributing containerized products, internal platform teams. Adjacent to the firmware vendors above: same "audit everything inside the artifact" shape, different carrier.
Pain. Container scanners (Trivy, Grype, Docker Scout, Aqua, Sysdig, Prisma Cloud, Wiz) read OS package databases and language lockfiles inside the image. The compiled binaries the image actually executes — vendored static libraries, custom daemons, downloaded-at-build executables, anything not installed by a package manager — are a blind spot: no CWE findings, no hardening posture, no real SBOM, no signing check at the binary layer.
Lead with. Unpack the docker save / OCI tarball through the same pipeline as firmware — every executable inside gets binary-level CWE findings, SBOM with CVE attribution, hardening posture, and a secrets scan, at the layer the package manifest can't see. One report across the whole image, and an image-to-image diff (tag-to-tag, or against the upstream base) that flags every binary and SBOM-component change. Air-gap deployable, OEM-embeddable, or a CI gate alongside the existing image scanner rather than replacing it.
Enterprise app inventory & SBOM (CRA)
Names. Product-security, compliance, and procurement teams at any enterprise that places connected products on the EU market or must attest to the software it ships and runs — CRA-regulated manufacturers, plus regulated operators (energy, finance, healthcare, public sector) building an authoritative application inventory. Cross-industry; often reached through the same channel as the firmware-vendor and developer motions.
Pain. The CRA applies in full Dec 11, 2027 — every product with digital elements on the EU market needs a machine-readable SBOM and documented vulnerability handling; US EO 14028 imposes parallel SBOM duties on federal procurement. Most enterprises have no authoritative inventory of the compiled apps and embedded components they ship or operate. Source SCA covers the code they wrote — not the binaries they buy, the third-party artifacts they bundle, or the scripts riding inside an image. The result is an SBOM that stops at the manifest and a deadline they can't evidence against.
Lead with. One estate-wide inventory at the artifact layer: every app, firmware image, and container — every compiled binary and bundled script inside — with a CRA-grade SBOM (CycloneDX / SPDX), CVE attribution, binary-and-source CWE findings, and a per-release diff to show the inventory evolving. Scan the portfolio once, diff each release, export the SBOM the regulation asks for. On-prem or SaaS; annual site license, priced by estate size. Distinct from the Mac-fleet CISO motion below (endpoint posture) — this is the software-we-ship-and-operate compliance inventory.
Binary-centric threat intel platforms
Stairwell — 1B+ malware samples, 8.2B file sightings, 2T+ DNS records, ~1M files/day private corpus. GenAI alert triage shipped May 2025.
ReversingLabs — Titanium ~40B files/day; Spectra Assure for supply-chain; named in the 2025 Gartner Market Guide for SSCS.
Intezer — genetic code analysis, SOC automation. $5.3M revenue 2025 — much smaller than Stairwell / RL.
Two live paths:
- Upstream data feed / OEM. Depth their platforms don't carry — macOS entitlements + XPC surface, resolved call-site signatures, capa-aligned indicators with ATT&CK, plus firmware-SBOM-with-CVE. Partner motion.
- Category overlap at the high end. If we expand into fleet retroactive hunt, Stairwell is the closest analog.
Pricing not public for any of the three.
Malware research / CTI
Names: Kaspersky GReAT, Mandiant Intel (Google TI), Microsoft Threat Intelligence, ESET Research, Trend Micro, CrowdStrike Intelligence, Cisco Talos, Recorded Future, Flashpoint, Intel 471.
Pain. Mac malware coverage is thinner than Windows across most incumbents. Senior researchers use IDA / Ghidra / Binary Ninja for deep dives. The gap is triage at scale and ATT&CK coverage roll-ups that feed intel products.
Lead with. DNA similarity search (cluster unknown samples against known families), ~160 capa-aligned indicator rules pre-tagged with ATT&CK, JSONL export as a licensable feed. License to research teams or as a data product.
RE / audit firms
Names: NCC Group, Trail of Bits, Leviathan, Include Security, Atredis, Doyensec, Assetnote, Synack, and boutiques.
Pain. Mechanical triage eats 60–80% of engagement hours at rates the client increasingly resists.
Lead with. Rust reconstruction + confidence scoring + audit-matrix for XPC authorization gap detection. Per-seat or per-engagement licensing.
Endpoint security vendors (OEM-embed)
Names: CrowdStrike Falcon, SentinelOne, Palo Alto Cortex XDR, Microsoft Defender for Endpoint, Sophos, Jamf Protect, Iru, Mosyle.
Pain. Their macOS static analysis is a score, not an explanation.
Lead with. ~13 MB pure-Rust library, no GUI, no runtime deps. Bolts into an agent. Longest sales cycle of any archetype; highest LTV.
Supply-chain security tools
| Bucket | Players | Overlap |
|---|---|---|
| Closest match | JFrog Xray, ReversingLabs Spectra Assure | Both scan compiled artifacts |
| Adjacent (source/manifest SCA) | Snyk, Black Duck / Synopsys, GitHub Advanced Security, Endor Labs | Operate above the binary layer. Partnership plausible if they want to extend down to shipped binaries |
| Different axis (registry detection) | Socket (npm), Phylum (cross-registry) | Watch package registries, not compiled executables. Not direct overlap |
| Not in this category | Chainguard | Hardened Linux container base images, not binary SCA |
Angle. Our library + function recognition spans five signature surfaces — 71 hand-built rules, 87,828 prologue hashes from 219 open-source libraries (OpenSSL, FFmpeg, Boost, SDL2, zstd, harfbuzz, ZeroMQ, …), ~1.2M FLARE FLIRT entries for PE/MSVC (the Windows arm; Mandiant-curated, Apache-2.0), 34,219 Apple-kernel function fingerprints across M1–M5 Silicon, plus an openbinary-generated .pat.gz FLIRT pack for macOS arm64. Bundled libraries are identified in shipped binaries even when stripped, feeding a binary-level SBOM (CycloneDX / SPDX) with CVE attribution — the enterprise CRA-inventory motion turns this into its own ICP.
IR firms
Names: Mandiant (Google), Kroll, CrowdStrike Services, Stroz Friedberg, Volexity, Secureworks IR.
Motion. Per-engagement license. Air-gap install, scan-cache the victim's system, then diff the whole system against a known-good baseline — added / removed / changed binaries surface implants and tampering directly. Low-ACV, high-velocity, repeating.
Enterprise CISOs with Mac fleets
Vendor-agent vetting, macOS upgrade impact, supply-chain audit. Frequently reached through the MDR / security-vendor channel rather than direct.
Government, defense, intel
Names: DoD component teams, CISA, Sandia, Los Alamos, FVEY partners, three-letter agencies.
Motion. Two binaries, no cloud, air-gap deployable. Site-license via cleared channel partners.
Cyber insurance underwriters
Names: Resilience, Coalition, At-Bay, Corvus, Beazley.
Experimental. Quantified fleet-risk data feed as the pitch. One underwriter win → rest follow.
Landscape — who else is in this room
| Category | Players | Our position |
|---|---|---|
| Binary-centric threat intel | Stairwell, ReversingLabs (Spectra / Titanium), Intezer | Partner upstream (data feed) or compete at fleet-hunt if we expand. Treat as both. |
| Interactive RE workbenches | Ghidra, IDA Pro, Binary Ninja, Radare2, Hopper | Complementary. They deep-dive; we batch + index + triage. |
| Dynamic sandboxes | VirusTotal, Joe Sandbox, ANY.RUN, Hatching Triage, Falcon Sandbox | Orthogonal. They execute; we never do. Most buyers use both. |
| Source / manifest SCA | Snyk, Black Duck / Synopsys, GitHub Adv. Sec., Endor Labs, Mend | Adjacent. Partnership plausible if they want to extend down to compiled binaries. |
| Source SAST / code scanning | Semgrep, CodeQL (GitHub), SonarQube, Checkmarx, Snyk Code | They scan a source repo you point them at. We run SAST CWE on the source bundled inside a firmware or container — alongside binary CWE on the same unpack. Overlap only on the source layer; nobody else pairs it with the binary layer. |
| App-inventory / SBOM management | Anchore, Dependency-Track, FOSSA, Manifest, JFrog | They manage and store SBOMs; most ingest a generated SBOM rather than producing one from the shipped artifact. We generate the SBOM from the binary-and-source truth of the package. Feed-in or compete on generation. |
| Artifact / binary-scanning SC | JFrog Xray, ReversingLabs Spectra Assure | Closest direct overlap on compiled-binary scanning. |
| Container image scanning | Trivy, Grype, Docker Scout, Aqua, Sysdig, Prisma Cloud, Wiz | Adjacent — they read OS/lang package manifests inside the image; we analyze the compiled binaries that manifest can't see. Sits alongside, not against. |
| CI/CD binary gates | No direct incumbent — source SCA + container scanners both stop at manifests | Net-new gate at the artifact layer: hardening regression, real-vs-declared SBOM drift, binary CWE/CVE, signing. |
| Firmware SBOM / IoT binary audit | Microsoft (ReFirm Labs / IoT-firmware analysis), Finite State, Netrise, Onekey, Binarly, Fraunhofer FACT (open-source), EMBA (open-source) | Direct overlap on the firmware-unpack + binary-CWE + SBOM-with-CVE surface. Differentiated by air-gap deploy, pure-Rust embeddable, plus the cross-OS binary depth on top. |
| OT / ICS security platforms | Claroty, Nozomi, Armis, Dragos, Microsoft Defender for IoT | Adjacent — they own asset and network telemetry; we feed firmware truth. Data-feed or OEM-embed. |
| Registry malicious-package detection | Socket, Phylum | Different axis — they watch npm / PyPI; we analyze compiled binaries. |
| Hardened container images | Chainguard | Different product, different OS. |
| CTI feeds | Recorded Future, Mandiant Intel (Google TI), Microsoft TI, Flashpoint, Intel 471 | We feed them. Resolved signatures + ATT&CK rollup + DNA are a data product they'd license. |
| Mac MDR / EDR | Huntress, Red Canary, Jamf Protect, Iru, Mosyle, Sophos, Expel | Early conversation targets. Most rely on hash rep + runtime telemetry; we're the behavioral layer they lack. |
| Endpoint XDR majors | CrowdStrike, SentinelOne, Cortex XDR, Defender | OEM-embed opportunity. Long cycle. |
| Mac security community | Objective-See (Patrick Wardle's annual "Mac Malware of YYYY" roundup, 10th year in 2025), Objective by the Sea | Ecosystem allies, not buyers. Our indicator rules are seeded from the Objective-See 2025 roundup. |
Why buyers can't get this elsewhere
- Speed. Under 200 ms for a full behavioral profile. Ghidra / IDA auto-analysis is tens of seconds to minutes; VirusTotal needs execution and is cloud-only.
- Output shape. Compilable Rust crate with typed interfaces, XPC protocol traits, confidence scores. Nothing else ships this — the closest alternative is C pseudocode that doesn't compile.
- Cross-OS depth + unpack at scale. macOS depth nothing else has (entitlements, XPC, resolved call-sites, 12-axis taxonomy,
audit-matrix); same pipeline on ELF / PE32+ / DEX / WASM / SEP64; 91 container unpackers (filesystems, archives, compression, firmware carriers, Docker/OCI images) feed it. Stairwell / ReversingLabs / Intezer have scale. Firmware SBOM tools (Microsoft IoT, Finite State, Netrise, Onekey, Binarly, FACT, EMBA) have unpack. None have all three. - Whole-package scan + release-over-release diff. A binary, a firmware image, a Docker/OCI image, or an entire OS distribution ingests as one package, every binary inside analyzed — then any two versions diff side by side: added / removed / changed binaries, SBOM-component deltas, hardening regressions. Container scanners diff package manifests; we diff the actual compiled artifacts, across firmware, containers, and distros, in one tool.
- Binary and source CWE in one unpack. Compiled binaries get IL-level CWE analysis; the interpreted source bundled inside the same image (JS / Python / PHP / Ruby / Go / Java / C# …) gets SAST CWE findings — both in a single pass over the package. SAST tools read source they're pointed at; binary-CWE tools read compiled artifacts; firmware/SBOM tools inventory components. We do all three on the same unpacked image, so nothing inside an artifact falls through the gap between source and binary tooling.
- Deployment envelope. Air-gap deployable, ~13 MB embeddable, no cloud, no GUI. Closes shapes cloud-only and GUI-only competitors structurally cannot.
- Macro timing. Mac shipments grew ~11% in 2025 vs industry ~3.3%; US enterprise Mac share ~23%. Fleets growing; tooling thin.
Deal shape
By deployment model, not per-seat. Ranges are hypotheses, not observed.
| Model | Prior range | Likely buyer | Prior cycle |
|---|---|---|---|
| Self-serve / usage-based | $0 – $12K, expanding | Developers, CI/CD, container & app teams (bottom-up, lands then grows to a team/org license) | Self-serve to weeks |
| SaaS subscription | $12K – $300K | Endpoint MDR, CTI, RE firms, research groups | 1–3 months |
| On-prem site license | $200K – $500K | Government, defense, regulated enterprise | 6–12 months |
| OEM / embed license | Custom, typically $250K – $2M + royalty | Endpoint vendors, binary-intel platforms | 9–18 months |
| Per-engagement | $5K – $100K | IR firms, legal / IP disputes | Days to weeks, repeating |
| Data feed / API | $50K – $500K | CTI teams, threat-intel platforms | 2–6 months |
Value anchors. Manual RE runs ~$5K–$20K per binary at $300–$600/hr. A 5-person in-house RE team is $1M+/year. Stairwell / RL don't disclose deal sizes.
References
Links verified April 2026.
macOS threat landscape
- Red Canary — 2025 Threat Detection Report (Mac Malware trends)
- Red Canary — Distinguishing Atomic, Odyssey, and Poseidon stealers on macOS
- Objective-See — The Mac Malware of 2025 (Patrick Wardle)
- Palo Alto Unit 42 — Stealers on the Rise: A Closer Look at a Growing macOS Threat
- Malwarebytes — Macs targeted by infostealers in new era of cyberthreats
Competitor / landscape
- Huntress — Managed EDR for macOS
- Huntress — Managed EDR expands to macOS (May 2024)
- Stairwell — Core launch (December 2024)
- Stairwell — Intelligent Analysis / SIA launch (May 2025)
- Stairwell — Hidden Malware Report (September 2025)
- ReversingLabs — Titanium Platform overview
- ReversingLabs — 2025 Gartner Market Guide for SSCS
- Intezer — Genetic Malware Analysis
- Kandji → Iru rebrand (October 2025)
- Endor Labs — Supply Chain Security platform
Enterprise Mac market
- Computerworld / IDC — Macs reach 23% share in US enterprises
- IDC data via MacDailyNews — Apple Mac Q3 2025 13.7% growth
Firmware, IoT, regulatory
- EU — Cyber Resilience Act (Regulation 2024/2847), applies 11 December 2027
- ENISA — Cyber Resilience Act overview
- SektorCERT — The attack against Danish critical infrastructure (Zyxel CVE-2023-28771)
- CISA — Cisco IOS XE web UI vulnerabilities advisory
SBOM, build integrity, CI/CD