Platform
The corpus, the search surface, the multi-user layer, and the API that turn the engine's output into something teams can query, compare, share, and act on.
80+ HTTP handlers · 50+ indexed query fields · 106-dim DNA similarity with ANN backing · multi-tenant workspaces with role-based access · ML anomaly scoring with per-cohort models.
The engine produces the facts about each binary. The platform indexes those facts into a programmable corpus, hosts the web interface that serves them to analysts, and exposes the REST API that pipelines and OEM consumers integrate against. It does not analyze binaries itself — every analysis row lives behind the engine's pipeline.
What it gives you
| Surface | What it does |
|---|---|
| REST API | 80+ endpoints — upload, search, query, similarity, compare, packages, vulnerabilities, annotations, jobs |
| DSL query language | Boolean compositional queries over 50+ indexed fields with kind-aware operators |
| Full-text search | Tantivy index, BM25 ranked, popularity-boosted |
| DNA similarity | 106-dim behavioral vector + ANN + weighted Jaccard rerank |
| ML layer | Per-cohort anomaly scoring + 128-dim learned embedding + binary-type classifier |
| Workspaces | Multi-tenant with public corpus, role-based access, invites |
| Web app | Search, binary detail, compare, upload, workspaces, vulnerabilities |
| Storage | WAL-backed state + content-addressed analysis blobs + append-only ledgers |
API surface
80+ axum handlers under /api/v1/ (plus token-gated /internal/* ops and /farm/* compute-farm planes). The most-used ones:
| Endpoint | What it does |
|---|---|
POST /upload | Multipart blob upload, returns a job ID |
GET /binary/{sha256} | Binary detail — analysis, signatures, verdict, similar binaries |
GET /search | Full-text + facet-filtered search |
GET /query | DSL query, paginated results with score and rank |
GET /similar/{sha256} | Nearest neighbors by DNA cosine or learned embedding |
GET /compare/{sha1}/{sha2} | Side-by-side diff |
GET /packages/{id} | Curated package detail + member binaries + manifest |
GET /packages/{id}/similar | Package-level neighbors |
GET /vulnerabilities | Fleet CVE rollup |
GET/PUT/DELETE /binary/{sha256}/annotations | Collaborative reverse-engineering annotations |
GET /cluster/{sha256} | Variant-cluster expansion |
GET /jobs/{id} (SSE) | Live job progress with stage labels |
Every endpoint respects the caller's visibility set: public, private (own scope), or workspace. Authentication is session-cookie via WorkOS Magic Auth; ob_key_… API keys are issued per user (optionally scoped to a workspace) for pipeline use.
The DSL query language
Compositional boolean algebra (AND / OR / NOT) over 50+ indexed fields with kind-aware operators.
| Field kind | Operators | Examples |
|---|---|---|
| Single-value facet | ==, != | signing_status == "ad_hoc", binary_type == "daemon" |
| Multi-value facet | ==, !=, ANY, ALL, CONTAINS | indicator_categories ANY "Persistence", attack_techniques ALL ["T1543.001", "T1547.015"] |
| Numeric | ==, !=, >, >=, <, <= | text_entropy > 6.5, indicator_hit_count >= 5 |
| Tokenized text | CONTAINS | frameworks CONTAINS "EndpointSecurity" |
| Exact string | ==, != | sha256_text == "abc123..." |
| Hierarchical | prefix match | package == "macos/macos/26.4", component == "libzstd" |
Compositional examples:
indicator_categories ANY "Persistence" AND action_opens_network == true
text_entropy > 6.5 AND NOT is_apple_signed == true
has_kev == true AND vuln_severity ANY ["critical", "high"]
Search and similarity
Full-text. Tantivy index, BM25 ranked, schema version 8. Field-level boosts so a lowercased filename match takes priority on exact-match. Popularity-weighted via a 30-day rolling tally of uploads and lookups — hits that get attention rank higher.
DNA similarity. Two-phase. The 106-dimensional behavioral vector goes through an arroy ANN index on cosine distance to retrieve the top 500 candidates. A weighted Jaccard rerank over 40+ content sets (entitlements, frameworks, indicators, ATT&CK techniques, syscall wrappers, hardening features, embedded formats, components) gives the final ranking. Default surface is pure Jaccard — the honest content-overlap number — with cosine and blended modes available.
Learned embedding. A 128-dim ONNX-served embedding lives on a shadow arroy index. A runtime config toggle lets the platform A/B the learned ranking against raw DNA without breaking either path.
Behavioral-signature search. Filter the corpus by resolved call-site facts: every binary that opens a path under ~/Library/Keychains/, every binary that execs osascript, every binary that calls SecItemCopyMatching with kSecClassGenericPassword. Paths normalized at index time so matches generalize across the corpus.
ML layer
Three ONNX-served pipelines, all fail-soft — a missing model falls back to a null implementation, so no model never breaks the platform.
- Binary-type classifier. 11 classes (daemon, UI app, CLI tool, kext, framework, …) over the 106-dim DNA vector. Output: a label per binary plus a confidence score.
- Per-cohort anomaly scoring. One isolation-forest model per binary-type cohort. A daemon is anomalous relative to other daemons, not relative to the wider population. Output: raw score, percentile 0–100,
flaggedboolean (≥95th percentile), model version tag. - 128-dim learned embedding. L2-normalized behavioral vector kept on a shadow index for live similarity A/B against raw DNA.
Function rarity is the engine-side counterpart: per-type k-means centroids plus regularized pseudo-inverse covariance, retrained from the platform's corpus. The retrainer requires at least 50 samples per type before it emits a model for that cohort.
Workspaces and visibility
The multi-tenant unit. Each workspace has a UUID, a URL slug, an owner, members with roles (Admin or Member), and its own scope of binaries, packages, and uploads. Invites are token-based with a 7-day TTL and email verification.
Every binary carries one of three visibility tags:
- Public — visible in the public corpus, searchable without auth
- Private — visible only to the uploading user
- Workspace — visible to every member of a specific workspace
A single SHA-256 can carry multiple visibility identities at once. The same binary uploaded into two workspaces lives once on disk with two membership rows; search filters respect the caller's visibility set so a query never returns rows the caller can't see.
Auth is WorkOS Magic Auth + HS256 session JWT (the alg: none attack is explicitly rejected).
Web app
| Route | What's there |
|---|---|
/ | Home and dashboard |
/search | Full-text search + facet filters + DSL query builder |
/query | DSL playground |
/binary/{sha256} | Binary detail — analysis, signatures, call graph, byte-map, on-demand decompile, IOCs, vulnerabilities, similar binaries |
/package/{sha256} | Curated package detail + member binaries + manifest |
/compare | Side-by-side binary comparison |
/upload | Multipart upload with metadata |
/vulnerabilities | Fleet CVE rollup with host tracking |
/term/{kind}/{value} | Taxonomy term page — indicators, ATT&CK techniques, frameworks |
/{workspace} | Workspace overview |
/{workspace}/inventory | Workspace binary inventory |
/{workspace}/security/cves, /security/vulnerabilities | Workspace security rollups |
/{workspace}/hosts | Per-host tracking |
/{workspace}/changes/timeline | Workspace activity timeline |
/login | WorkOS Magic Auth |
/invite/{token} | Workspace invite acceptance |
/settings, /settings/workspace | User and workspace settings |
/briefs/* | This brief set |
The /compare page is the surface behind the OS-baseline use case in the Product Brief — drop two macOS versions in, get the cross-version diff.
Storage
State lives in three places.
- WAL-backed state store carries every job, binary registry row, user, workspace, membership, API key, invite, and curated package. Crash-recovers on boot from the write-ahead log.
- Content-addressed analysis blobs — every analysis output is written to
scopes/{visibility}/results/{sha256}/{decompiler_version}/analysis.json. Versioned by engine version, so an engine upgrade re-analyzes lazily without invalidating older results. - Append-only ledger —
uploads.jsonlrecords every upload with metadata. A grep-able audit trail that survives state wipes.
Three indexes back search and similarity: a Tantivy on-disk index for full-text and facets, an arroy+LMDB index on raw DNA vectors, and a second arroy+LMDB index on learned embeddings. An LRU analysis cache (512 MB budget, 16 MB per entry cap) keeps hot analyses in memory.
Upload, scan, compare
Upload. POST /api/v1/upload accepts a multipart blob. The platform detects the file kind (Mach-O / ELF / PE / script / unknown), stores the blob, creates a job with the requested engine version, and enqueues it. A worker claims the job, spawns the engine, and writes the analysis output to the content-addressed location. Live progress is exposed via Server-Sent Events with stage labels (unpacking, scanning, indexing). Reconstruction is a separate job type the analyst can trigger after the initial analysis completes.
Scan (system or fleet). The engine's openbinary scan and openbinary scan-cache commands discover binaries on a host or in the dyld shared cache, analyze them locally, and POST the results to a platform instance. The platform deduplicates by SHA-256 — the same binary observed on ten hosts lives once on disk with ten host-sighting rows.
Compare. GET /api/v1/compare/{sha1}/{sha2} returns a unified diff: function signatures, call graphs, strings, imports, capabilities, ATT&CK techniques, hardening, telemetry endpoints, network endpoints, code-signature deltas. The web view renders it side-by-side with identical-hash callouts.
What this surface is not
- Not the engine. The platform never analyzes a binary directly — every analysis is the engine's output, indexed and served. See Engine.
- Not a sandbox. The platform never executes user-uploaded content. Static-only end to end.
- Not a malware verdict authority. The four-tier malware verdict is the engine's output; the platform surfaces it but does not override it. See Malware.
- Not an independent vulnerability database. CVE attribution comes from the engine's curated SBOM layer (see CVEs & SBOM); the platform aggregates rollups but does not maintain an external CVE feed.
Where this fits
The platform is the layer that turns binary analysis into a product. The engine produces the facts; the platform indexes them, ranks them, presents them, and lets teams collaborate over them. See Product Brief for the end-to-end view of how the two compose, and Architectures for the cross-format coverage matrix that determines what binaries the engine — and therefore the platform — can ingest.