Sign in

Internal ICP & Landscape Brief

Internal. Facts, ICPs, landscape, deal shapes.


The Problem

Every organization runs thousands of compiled binaries — system services and vendor agents on workstations, daemons on Linux servers, firmware images inside the routers and appliances on the network edge, executables shipped by every third-party software vendor. Nobody knows what those binaries actually do.

The people whose job it is to know — SOC analysts, threat-intel researchers, MSSP analysts, IR responders, firmware auditors, sectoral CERTs — all hit the same wall. Understanding a single binary needs IDA or Ghidra and a specialist: 2–5 days of manual RE at $300–600/hr. A SOC analyst's best move on an unknown binary today is a VirusTotal hash check — no behavioral profile, no capability map, no explanation.

On the enterprise side, the same gap blocks every security decision that involves software: vetting a vendor agent before deploying it on 10,000 endpoints, assessing the impact of a macOS or Linux upgrade, auditing the firmware your network edge runs, surveying the supply chain. Security teams fill the gap with hash lookups, reputation scores, and trust. None of those answer what a binary actually does — what it accesses, what it contacts, what it collects.


The Product

openbinary is the programmable binary platform — read any binary or firmware and understand what it does.

Positioning

ICPs:

Platform scope. 56 executable formats, 66 ISAs, 5 OS platforms, 91 container unpackers feed the same pipeline (filesystems, archives, compression, firmware carriers, Docker/OCI images). Mach-O / ELF / PE32+ on arm64 / arm64e / x86_64 are first-class with full reconstruction-to-Rust. iOS analyzes through the macOS path. See Architectures.

Unit of analysis is the package, not just the binary. A single binary, a firmware image, a Docker/OCI image, or an entire OS distribution ingests as one package — every binary inside is analyzed, and the package carries its own composition, SBOM, and security rollup. Whole BSD releases (FreeBSD / NetBSD / OpenBSD, ~700–2,600 binaries each) are in the public corpus today. Any two packages diff release-over-release: added / removed / changed binaries, SBOM-component deltas, and hardening regressions, side by side.

Two layers of CWE in one pass. Compiled binaries get binary-level CWE findings — taint, memory safety, the full IL analysis. The interpreted source that ships inside the same package — JavaScript, Python, PHP, Ruby, Go, Java, C#, and more, ubiquitous in firmware and container images — gets source-level SAST CWE findings on the same unpack. One report covers both the binaries an image runs and the scripts it carries; most competitors do one or the other, not both, and never together inside a single firmware or image.

Deployment models

ModelShape
Cloud / SaaSWeb + REST API from a browser. Teams use it without install.
On-prem, fleet scanOne host enumerates a fleet — workstation, server, or firmware image — and builds a searchable local database. Stock macOS: ~2,500 binaries in ~30 minutes, plus ~3,500 frameworks via the dyld shared cache (13 macOS versions in under a day). Linux: every ELF under /usr, /bin, /lib. Firmware: every binary inside an unpacked image across 91 container formats.
Air-gappedTwo binaries, no cloud, no network. Deployable in a SCIF or behind any perimeter.
OEM / embeddedPure Rust, ~13 MB, no GUI, no runtime deps. Bolts into an endpoint agent for real-time on-device analysis at under 200 ms per binary.

Market signal


Buyer archetypes

Quick map

ArchetypeWhoLead with
Mac-focused MDR / EDRHuntress, Red Canary, Jamf Protect, Iru, Mosyle, Sophos, ExpelBehavioral profile in 200 ms + DSL queries + anomaly flag. SaaS or OEM-embed
Firmware & IoT vendorsZyxel, Asus, TP-Link, Netgear, Synology, QNAP, Cisco, Juniper, Fortinet, Palo Alto, Ubiquiti, mid-market OEMsPre-ship firmware audit — SBOM with CVE attribution + binary CWE findings, CRA-compliant inventory in one pipeline
Developers & CI/CDPlatform / AppSec / release-engineering teams shipping compiled softwarePipeline gate on the built artifact: CWE+CVE, hardening-flag regression, real-vs-declared SBOM drift, secrets, signing — fail the build
Container & cloud-native vendorsDocker/OCI publishers, base-image builders, containerized ISVsAudit every compiled binary inside the image — CWE + SBOM-with-CVE + hardening, at the layer manifest scanners miss
Enterprise app inventory & SBOM (CRA)Product-security, compliance, procurement teams; CRA-regulated manufacturers & operatorsEstate-wide app inventory + CRA-grade SBOM (CycloneDX/SPDX), binary and source CWE, CVE attribution, per-release diff
OT / ICS securityClaroty, Nozomi Networks, Armis, Dragos, Microsoft Defender for IoTFirmware unpack + binary analysis as input to their asset-and-risk products. Data-feed or OEM
Binary-centric threat intelStairwell, ReversingLabs, IntezerBehavioral depth as upstream data feed; category overlap at the high end
Malware research / CTIKaspersky GReAT, Mandiant Intel, Microsoft TI, ESET, Talos, Recorded Future, Flashpoint, Intel 471DNA similarity, ATT&CK-tagged indicators, JSONL as a licensable feed
RE / audit firmsNCC Group, Trail of Bits, Leviathan, Include Security, Atredis, Doyensec, Assetnote, SynackRust reconstruction + XPC audit-matrix. Per-seat or per-engagement
Endpoint XDR majors (OEM)CrowdStrike, SentinelOne, Cortex XDR, Defender, Sophos, Jamf Protect, Iru, Mosyle~13 MB pure-Rust library, no GUI, no runtime deps. Highest LTV, longest cycle
Supply-chain securityJFrog Xray, ReversingLabs Spectra; adjacent SCA (Snyk, Black Duck, GitHub Adv. Sec., Endor)Binary-level SBOM; library + function recognition across 5 signature tiers (87,828 prologue hashes / 219 open-source libs · ~1.2M PE/MSVC FLARE FLIRT · 34,219 Apple-kernel function sigs)
IR firmsMandiant (Google), Kroll, CrowdStrike Services, Stroz Friedberg, Volexity, Secureworks IRAir-gap install, scan-cache the victim's system, baseline against known-good. Per-engagement
Enterprise CISOs (Mac fleets)Cross-industryReached through MDR / security-vendor channel rather than direct
Government, defense, intelDoD components, CISA, Sandia, Los Alamos, FVEY, three-letter agenciesTwo binaries, no cloud, air-gap deployable. Site-license via cleared channel partners
Cyber insurance underwritersResilience, Coalition, At-Bay, Corvus, BeazleyExperimental — quantified fleet-risk data feed

Mac-focused MDR / EDR

Names. Huntress, Red Canary, Jamf Protect, Iru (formerly Kandji), Mosyle, Sophos MDR, Expel.

Pain. Their static macOS analysis today is hash reputation + signing state + runtime telemetry. The pre-execution question — what can this specific unknown binary do — is almost universally unanswered.

Lead with. Behavioral profile in under 200 ms, DSL queries over the corpus, per-type anomaly flag. SaaS or OEM-embed.

Firmware & IoT vendors

Names. Networking/edge — Zyxel, Asus, TP-Link, Netgear, D-Link, Ubiquiti. Enterprise — Cisco appliances, Juniper, Fortinet, Palo Alto, Sonicwall, Check Point. Storage/NAS — Synology, QNAP, Asustor. Industrial gateways, SBC OEMs, white-label appliance builders.

Pain. CRA forces a machine-readable SBOM + vulnerability handling on every connected product by Dec 11, 2027. Most OEMs don't have a clean inventory of what's bundled in their own firmware, let alone CVE attribution against it. Internal RE audits by hand and misses things.

Lead with. One pipeline: unpack the firmware, CWE findings on every extracted binary and on the interpreted source bundled alongside (JS/Python/Lua/shell — most firmware ships plenty), SBOM with CVE attribution at the component and firmware layers — and a release-over-release firmware diff (which binaries changed, which SBOM components moved, which hardening flags regressed between two image versions). Curated vendor rules (Zyxel NAS326, VMG, ZyWALL, USG ship today); the table grows with each advisory. Air-gap deployable, pure Rust, ~13 MB. Per-engagement, annual site license, or OEM-embed.

OT / ICS security

Names. Claroty, Nozomi Networks, Armis, Dragos, Microsoft Defender for IoT, Forescout (eyeInspect), Tenable OT.

Pain. Asset-discovery and protocol-anomaly products know what's on the network but not what's inside the firmware running on those assets. Customers increasingly ask the OT vendor for the CVE-and-CWE story on the actual firmware they're operating — not just the asset inventory.

Lead with. Firmware unpack + binary analysis as an upstream data feed. They own asset and network context; we provide firmware truth. Data-feed or OEM-embed.

Developers & CI/CD (DevSecOps)

Names. Platform-engineering, AppSec, and release-engineering teams inside any org that ships compiled software — desktop apps, agents, SDKs, drivers, embedded binaries. Reached through CI integrations (GitHub Actions, GitLab CI, Jenkins, Buildkite) and the REST API, not a sales motion to a named account list.

Pain. Source SCA (Snyk, Dependabot, GitHub Advanced Security) reads manifests and lockfiles — it never inspects the artifact that actually ships. So a build can regress every binary-layer property and nothing in the pipeline catches it: a hardening flag silently flips off (PIE / RELRO / NX stack / Intel CET / FORTIFY_SOURCE / stack canaries / ARM64 BTI / PAC), the shipped binary's real dependency set drifts from the declared SBOM, junk accumulates (unexpected data segments, leftover debug strings, embedded secrets), the version/publisher metadata is wrong, or the artifact ships unsigned. None of it is visible until someone reverse-engineers the release.

Lead with. A CI step that audits the built artifact against policy and diffs it against the previous release in one pass — added / removed / changed binaries, CWE findings and CVE attribution, a build-hardening regression diff with per-flag remediation (-fcf-protection, -D_FORTIFY_SOURCE, …), real-vs-declared SBOM drift with CycloneDX / SPDX export, SBOM-component deltas release-over-release, declared-vs-used consistency flags, secrets scan, signing and publisher verification. The package-diff view that ships today (added/removed/changed counts, SBOM delta, side-by-side identity) is the release-gate report. REST API + JSON, fail-the-build gate, pure Rust at ~13 MB with no runtime deps so it drops into any runner. Self-serve and usage-based at the bottom; expands to a team or org license. This is the producer side of the supply chain — distinct from the consumer-side vendor-vetting in Developer intelligence / Supply-chain security.

Container & cloud-native image vendors

Names. Teams that ship a whole image rather than a single binary — Docker / OCI container publishers, base-image and golden-image builders, ISVs distributing containerized products, internal platform teams. Adjacent to the firmware vendors above: same "audit everything inside the artifact" shape, different carrier.

Pain. Container scanners (Trivy, Grype, Docker Scout, Aqua, Sysdig, Prisma Cloud, Wiz) read OS package databases and language lockfiles inside the image. The compiled binaries the image actually executes — vendored static libraries, custom daemons, downloaded-at-build executables, anything not installed by a package manager — are a blind spot: no CWE findings, no hardening posture, no real SBOM, no signing check at the binary layer.

Lead with. Unpack the docker save / OCI tarball through the same pipeline as firmware — every executable inside gets binary-level CWE findings, SBOM with CVE attribution, hardening posture, and a secrets scan, at the layer the package manifest can't see. One report across the whole image, and an image-to-image diff (tag-to-tag, or against the upstream base) that flags every binary and SBOM-component change. Air-gap deployable, OEM-embeddable, or a CI gate alongside the existing image scanner rather than replacing it.

Enterprise app inventory & SBOM (CRA)

Names. Product-security, compliance, and procurement teams at any enterprise that places connected products on the EU market or must attest to the software it ships and runs — CRA-regulated manufacturers, plus regulated operators (energy, finance, healthcare, public sector) building an authoritative application inventory. Cross-industry; often reached through the same channel as the firmware-vendor and developer motions.

Pain. The CRA applies in full Dec 11, 2027 — every product with digital elements on the EU market needs a machine-readable SBOM and documented vulnerability handling; US EO 14028 imposes parallel SBOM duties on federal procurement. Most enterprises have no authoritative inventory of the compiled apps and embedded components they ship or operate. Source SCA covers the code they wrote — not the binaries they buy, the third-party artifacts they bundle, or the scripts riding inside an image. The result is an SBOM that stops at the manifest and a deadline they can't evidence against.

Lead with. One estate-wide inventory at the artifact layer: every app, firmware image, and container — every compiled binary and bundled script inside — with a CRA-grade SBOM (CycloneDX / SPDX), CVE attribution, binary-and-source CWE findings, and a per-release diff to show the inventory evolving. Scan the portfolio once, diff each release, export the SBOM the regulation asks for. On-prem or SaaS; annual site license, priced by estate size. Distinct from the Mac-fleet CISO motion below (endpoint posture) — this is the software-we-ship-and-operate compliance inventory.

Binary-centric threat intel platforms

Stairwell — 1B+ malware samples, 8.2B file sightings, 2T+ DNS records, ~1M files/day private corpus. GenAI alert triage shipped May 2025.

ReversingLabs — Titanium ~40B files/day; Spectra Assure for supply-chain; named in the 2025 Gartner Market Guide for SSCS.

Intezer — genetic code analysis, SOC automation. $5.3M revenue 2025 — much smaller than Stairwell / RL.

Two live paths:

Pricing not public for any of the three.

Malware research / CTI

Names: Kaspersky GReAT, Mandiant Intel (Google TI), Microsoft Threat Intelligence, ESET Research, Trend Micro, CrowdStrike Intelligence, Cisco Talos, Recorded Future, Flashpoint, Intel 471.

Pain. Mac malware coverage is thinner than Windows across most incumbents. Senior researchers use IDA / Ghidra / Binary Ninja for deep dives. The gap is triage at scale and ATT&CK coverage roll-ups that feed intel products.

Lead with. DNA similarity search (cluster unknown samples against known families), ~160 capa-aligned indicator rules pre-tagged with ATT&CK, JSONL export as a licensable feed. License to research teams or as a data product.

RE / audit firms

Names: NCC Group, Trail of Bits, Leviathan, Include Security, Atredis, Doyensec, Assetnote, Synack, and boutiques.

Pain. Mechanical triage eats 60–80% of engagement hours at rates the client increasingly resists.

Lead with. Rust reconstruction + confidence scoring + audit-matrix for XPC authorization gap detection. Per-seat or per-engagement licensing.

Endpoint security vendors (OEM-embed)

Names: CrowdStrike Falcon, SentinelOne, Palo Alto Cortex XDR, Microsoft Defender for Endpoint, Sophos, Jamf Protect, Iru, Mosyle.

Pain. Their macOS static analysis is a score, not an explanation.

Lead with. ~13 MB pure-Rust library, no GUI, no runtime deps. Bolts into an agent. Longest sales cycle of any archetype; highest LTV.

Supply-chain security tools

BucketPlayersOverlap
Closest matchJFrog Xray, ReversingLabs Spectra AssureBoth scan compiled artifacts
Adjacent (source/manifest SCA)Snyk, Black Duck / Synopsys, GitHub Advanced Security, Endor LabsOperate above the binary layer. Partnership plausible if they want to extend down to shipped binaries
Different axis (registry detection)Socket (npm), Phylum (cross-registry)Watch package registries, not compiled executables. Not direct overlap
Not in this categoryChainguardHardened Linux container base images, not binary SCA

Angle. Our library + function recognition spans five signature surfaces — 71 hand-built rules, 87,828 prologue hashes from 219 open-source libraries (OpenSSL, FFmpeg, Boost, SDL2, zstd, harfbuzz, ZeroMQ, …), ~1.2M FLARE FLIRT entries for PE/MSVC (the Windows arm; Mandiant-curated, Apache-2.0), 34,219 Apple-kernel function fingerprints across M1–M5 Silicon, plus an openbinary-generated .pat.gz FLIRT pack for macOS arm64. Bundled libraries are identified in shipped binaries even when stripped, feeding a binary-level SBOM (CycloneDX / SPDX) with CVE attribution — the enterprise CRA-inventory motion turns this into its own ICP.

IR firms

Names: Mandiant (Google), Kroll, CrowdStrike Services, Stroz Friedberg, Volexity, Secureworks IR.

Motion. Per-engagement license. Air-gap install, scan-cache the victim's system, then diff the whole system against a known-good baseline — added / removed / changed binaries surface implants and tampering directly. Low-ACV, high-velocity, repeating.

Enterprise CISOs with Mac fleets

Vendor-agent vetting, macOS upgrade impact, supply-chain audit. Frequently reached through the MDR / security-vendor channel rather than direct.

Government, defense, intel

Names: DoD component teams, CISA, Sandia, Los Alamos, FVEY partners, three-letter agencies.

Motion. Two binaries, no cloud, air-gap deployable. Site-license via cleared channel partners.

Cyber insurance underwriters

Names: Resilience, Coalition, At-Bay, Corvus, Beazley.

Experimental. Quantified fleet-risk data feed as the pitch. One underwriter win → rest follow.


Landscape — who else is in this room

CategoryPlayersOur position
Binary-centric threat intelStairwell, ReversingLabs (Spectra / Titanium), IntezerPartner upstream (data feed) or compete at fleet-hunt if we expand. Treat as both.
Interactive RE workbenchesGhidra, IDA Pro, Binary Ninja, Radare2, HopperComplementary. They deep-dive; we batch + index + triage.
Dynamic sandboxesVirusTotal, Joe Sandbox, ANY.RUN, Hatching Triage, Falcon SandboxOrthogonal. They execute; we never do. Most buyers use both.
Source / manifest SCASnyk, Black Duck / Synopsys, GitHub Adv. Sec., Endor Labs, MendAdjacent. Partnership plausible if they want to extend down to compiled binaries.
Source SAST / code scanningSemgrep, CodeQL (GitHub), SonarQube, Checkmarx, Snyk CodeThey scan a source repo you point them at. We run SAST CWE on the source bundled inside a firmware or container — alongside binary CWE on the same unpack. Overlap only on the source layer; nobody else pairs it with the binary layer.
App-inventory / SBOM managementAnchore, Dependency-Track, FOSSA, Manifest, JFrogThey manage and store SBOMs; most ingest a generated SBOM rather than producing one from the shipped artifact. We generate the SBOM from the binary-and-source truth of the package. Feed-in or compete on generation.
Artifact / binary-scanning SCJFrog Xray, ReversingLabs Spectra AssureClosest direct overlap on compiled-binary scanning.
Container image scanningTrivy, Grype, Docker Scout, Aqua, Sysdig, Prisma Cloud, WizAdjacent — they read OS/lang package manifests inside the image; we analyze the compiled binaries that manifest can't see. Sits alongside, not against.
CI/CD binary gatesNo direct incumbent — source SCA + container scanners both stop at manifestsNet-new gate at the artifact layer: hardening regression, real-vs-declared SBOM drift, binary CWE/CVE, signing.
Firmware SBOM / IoT binary auditMicrosoft (ReFirm Labs / IoT-firmware analysis), Finite State, Netrise, Onekey, Binarly, Fraunhofer FACT (open-source), EMBA (open-source)Direct overlap on the firmware-unpack + binary-CWE + SBOM-with-CVE surface. Differentiated by air-gap deploy, pure-Rust embeddable, plus the cross-OS binary depth on top.
OT / ICS security platformsClaroty, Nozomi, Armis, Dragos, Microsoft Defender for IoTAdjacent — they own asset and network telemetry; we feed firmware truth. Data-feed or OEM-embed.
Registry malicious-package detectionSocket, PhylumDifferent axis — they watch npm / PyPI; we analyze compiled binaries.
Hardened container imagesChainguardDifferent product, different OS.
CTI feedsRecorded Future, Mandiant Intel (Google TI), Microsoft TI, Flashpoint, Intel 471We feed them. Resolved signatures + ATT&CK rollup + DNA are a data product they'd license.
Mac MDR / EDRHuntress, Red Canary, Jamf Protect, Iru, Mosyle, Sophos, ExpelEarly conversation targets. Most rely on hash rep + runtime telemetry; we're the behavioral layer they lack.
Endpoint XDR majorsCrowdStrike, SentinelOne, Cortex XDR, DefenderOEM-embed opportunity. Long cycle.
Mac security communityObjective-See (Patrick Wardle's annual "Mac Malware of YYYY" roundup, 10th year in 2025), Objective by the SeaEcosystem allies, not buyers. Our indicator rules are seeded from the Objective-See 2025 roundup.

Why buyers can't get this elsewhere


Deal shape

By deployment model, not per-seat. Ranges are hypotheses, not observed.

ModelPrior rangeLikely buyerPrior cycle
Self-serve / usage-based$0 – $12K, expandingDevelopers, CI/CD, container & app teams (bottom-up, lands then grows to a team/org license)Self-serve to weeks
SaaS subscription$12K – $300KEndpoint MDR, CTI, RE firms, research groups1–3 months
On-prem site license$200K – $500KGovernment, defense, regulated enterprise6–12 months
OEM / embed licenseCustom, typically $250K – $2M + royaltyEndpoint vendors, binary-intel platforms9–18 months
Per-engagement$5K – $100KIR firms, legal / IP disputesDays to weeks, repeating
Data feed / API$50K – $500KCTI teams, threat-intel platforms2–6 months

Value anchors. Manual RE runs ~$5K–$20K per binary at $300–$600/hr. A 5-person in-house RE team is $1M+/year. Stairwell / RL don't disclose deal sizes.


References

Links verified April 2026.

macOS threat landscape

Competitor / landscape

Enterprise Mac market

Firmware, IoT, regulatory

SBOM, build integrity, CI/CD