Product
Open any binary or firmware and see what it does — without running it.
What it does
- Disassembles 66 architectures (arm64, arm64e, x86_64 primary).
- Decompiles to compilable Rust — 99.7% method compile rate.
- Unpacks 91 firmware / archive / compression / disk-image formats (85 with a working extractor).
- Malware verdict — 4 tiers, no false positives on clean binaries.
- CWE findings — 200+ rules across 64 CWE classes (20 in MITRE Top-25).
- Behavioral indicators — ~160 capa-aligned rules → 430 ATT&CK techniques.
- SBOM with CVE attribution from unpacked firmware.
- Library + function recognition — five signature surfaces find bundled libraries even on stripped binaries: 71 hand-built rules (OpenSSL, libcurl, sqlite, zstd, libpng, mbedTLS, xxHash, …), 87,828 prologue hashes from 219 open-source libraries (FFmpeg, Boost, SDL2, harfbuzz, ZeroMQ, …), 34,219 Apple-kernel function fingerprints across M1–M5 Silicon, ~1.2M FLARE FLIRT entries for PE/MSVC (the Windows arm — Mandiant-curated, Apache-2.0), and an openbinary-generated
.pat.gzFLIRT pack covering ~27 macOS arm64 libraries. - Compare binaries — function-level diff + DNA similarity.
- Programmable corpus — REST, JSONL, DSL across 50+ fields, multi-user workspaces.
We don't debug, fuzz, or sandbox. We don't automate "anything" — we automate reverse engineering.
Use cases
- Vet a vendor binary before fleet deploy — capability map, network surface, telemetry, declared-vs-used entitlements, malware verdict — in under 200 ms.
- Diff two OS releases — macOS 26.1 vs 26.2: new entitlements, moved telemetry, regressed mitigations come out as a list. Same mechanism on any versioned build — vendor SDKs, internal builds, firmware lineages.
- Firmware audit — unpack the image, run the full pipeline on every extracted binary, emit SBOM with CVE attribution at the component layer.
- Malware triage — capa indicators, ATT&CK rollup, 4-tier verdict, DNA similarity against the corpus. Static, no sandbox.
- Search a corpus by behavior — every binary that opens a path under
~/Library/Keychains/, every unsigned binary holding a private Apple entitlement.
Coverage
| Surface | Count |
|---|---|
| Executable formats | 56 — 6 measured: Mach-O, ELF, PE32+, DEX, WASM, SEP64 |
| Architectures | 66 |
| OS platforms | 5 — Apple, Linux, BSD, Solaris / illumos, Windows |
| Unpackers | 91 container formats / 85 extracted |
| Apple type library | 3,162 classes / 18,633 fields |
| Library + function recognition | 5 tiers · 87,828 prologue hashes / 219 open-source libs · 34,219 Apple kernel fingerprints · ~1.2M PE/MSVC FLARE FLIRT · 71 hand-built · 27 macOS arm64 FLIRT packs |
| CWE rules / classes | 200+ / 64 |
| Capa indicators → ATT&CK | ~160 → 430 |
| CVE / SBOM rules | 21 / 22 CVEs |
Full matrix: Architectures →.
Deployment
| Model | Shape |
|---|---|
| Cloud / SaaS | Web UI + REST API. |
| On-prem | Local DB and UI. Data stays on the machine. |
| Air-gapped | Two binaries. No network, no cloud. |
| OEM | Pure Rust, ~13 MB, ~200 ms per binary. |
Limitations
- Static only — fuzzers reach paths we don't. Complementary.
- iOS analyzes through the macOS path; IPA handler on the roadmap.
- Decompilation is mechanical — the manifest reports gaps.
- Facts, not verdicts — policy belongs to the consumer.
vs alternatives
- Ghidra / IDA / Binary Ninja — manual workbenches. No batch, no database, no DSL.
- VirusTotal — executes; cloud-only.
- Black Duck / Snyk — source / manifest SCA. They don't read binaries.
- Firmware SBOM tools (Microsoft IoT, Finite State, Netrise, Onekey, Binarly, FACT, EMBA) — unpack and inventory. We add cross-OS binary depth + reconstruction + capability mapping.
- Manual RE — $5K–$20K per binary at $300–$600/hr.