Binary analysis engine

Ghidra for
AI agents.

Load PE, ELF, or Mach-O binaries. Disassemble x86-64, x86-32, and ARM64. Lift to a 42-opcode SSA-form IR. Decompile to typed C with constraint-based type recovery and struct reconstruction. Scan for vulnerabilities across 9 CWE classes with concolic falsification and CVSS scoring. Fuzz with coverage-guided hybrid fuzzing. All through 97 structured MCP tools.

Get Early Access See How It Works
97 MCP tools across 19 categories — structured JSON for every capability
SSA-form decompilation with Cooper-Harvey-Kennedy algorithm
16 Rust crates, 2,800+ tests, 152K lines of Rust — v0.9
aletheia — session: binary-analysis
How It Works

From raw binary to structured intelligence

Traditional RE tools give you a GUI. Aletheia gives your agent 97 JSON APIs to reason with.

Step 01

Load

Parse ELF, PE, and Mach-O binaries. Extract sections, symbols, DWARF debug info, and relocations automatically.

Step 02

Disassemble

Decode x86-64, x86-32, and ARM64 instructions, discover functions via recursive descent, and build control flow graphs with petgraph.

Step 03

Lift & Decompile

Lift to custom IR with 42 opcodes and explicit flag modelling (EFLAGS, NZCV). Construct SSA form via Cytron phi insertion. Decompile to typed C with struct reconstruction.

Step 04

Detect & Verify

Automated vulnerability scanning across 9 CWE classes with CVSS scoring. Concolic falsification with machine-checkable proofs. Hybrid fuzzing with LLM-guided search. MITRE ATT&CK-mapped evasion detection. SARIF 2.1.0 export.

Honest Comparison

Aletheia vs. the tools you already know

Ghidra is powerful. IDA is the standard. Binary Ninja innovates. Aletheia is built for a different user: agents.

Capability Aletheia Ghidra IDA Pro Binary Ninja
AI agent integration (MCP) 97 MCP tools, structured JSON
Structured API output Native JSON, agent-optimised Ghidra Script (Java/Python) IDAPython Python API
SSA-form IR Full SSA, Cooper-Harvey-Kennedy P-Code (not SSA) Microcode (limited SSA) BNIL (SSA variants)
Evasion / anti-analysis detection Built-in, MITRE ATT&CK mapped Plugins only FLARE plugins Plugins only
Crypto signature identification Built-in, structured results FindCrypt plugin FindCrypt plugin Sigkit
Full-text search across binary Tantivy full-text engine Basic string search String / byte search Cross-references
Headless / CLI mode Native CLI + MCP server analyzeHeadless Batch mode Headless
Memory safety Pure Rust, zero unsafe Java / JVM C++ (manual) C++ core
Multi-architecture x86-64, x86-32 & ARM64 Many architectures Many architectures Many architectures
Data flow analysis SSA def-use, taint, slicing P-Code emulation Microcode analysis MLIL SSA slicing
Price Free tier + Pro Free (NSA) $1,879+ / yr $299+

Ghidra and IDA are battle-tested with decades of plugin ecosystem. Binary Ninja's IL design is excellent. Aletheia's advantage is agent ergonomics and structured output — it's complementary for AI-driven workflows.

Engineering

The numbers behind Aletheia

A 16-crate Rust workspace. Clean-room implementation. Every algorithm from published literature.

16
Rust Crates
Modular workspace architecture
2,800+
Tests
Unit, integration & fuzz targets
97
MCP Tools
19 categories, full agent integration
42
IR Opcodes
Custom IR with explicit flag modelling
3
Architectures
x86-64, x86-32 & ARM64
152K
Lines of Rust
Pure Rust, zero unsafe
Capabilities

What Aletheia actually does

Every capability exposed as a structured MCP tool. Built for agents that need to reason about binaries.

Core Architecture

SSA-Form Decompilation Pipeline

A full decompilation pipeline from raw bytes to typed C. Instructions are lifted to a custom intermediate representation with 42 opcodes and explicit flag modelling (EFLAGS for x86, NZCV for ARM64). SSA construction uses the Cooper-Harvey-Kennedy algorithm with Cytron-style phi insertion — the same foundations as production compilers.

42 IR Opcodes
SSA Form IR
3 Binary Formats

Constraint-based type recovery with union-find lattice solving recovers integers, pointers, arrays, structs, unions, enums, and bitfields. Inter-procedural propagation refines types bidirectionally across the call graph. Control flow structuring detects loops, if/else chains, switch statements, and break/continue. Every pipeline stage is independently accessible through MCP tools.

AI-Native

97 MCP Tools

Every capability — loading, disassembly, decompilation, search, detection, data flow tracing, type recovery, concolic analysis, hybrid fuzzing, vulnerability scanning, binary diffing, and library signatures — is exposed as a structured MCP tool across 19 categories. Connect Aletheia to Claude and the agent orchestrates entire analysis workflows autonomously.

stdio + SSE transport • Risk-tiered permissions • Knowledge graph • Audit logging
Threat Intelligence

Evasion & Anti-Analysis Detection

Built-in detection for anti-debugging, anti-VM, packing, obfuscation, and other evasion techniques. Every finding is mapped to MITRE ATT&CK technique IDs for structured threat intelligence integration.

MITRE ATT&CK mapping • Anti-debug • Anti-VM • Packing detection • Obfuscation scoring
Cryptographic Analysis

Crypto Signature Detection

Identifies cryptographic constants, S-boxes, and algorithm signatures embedded in binaries. Detects AES, DES, SHA-256, MD5 constants, and custom implementations through byte-pattern and structural analysis.

AES / DES • SHA-256 / MD5 • S-box detection • Byte-pattern matching
Search Engine

Tantivy Full-Text Search

Blazing-fast full-text search across all analysis artifacts — strings, function names, cross-references, and disassembly output. Powered by Tantivy, the Rust search engine library. Query results are structured JSON.

Full-text indexing • Bidirectional xrefs • petgraph CFG • Sub-millisecond queries
Vulnerability Research

Data Flow & Taint Analysis

Trace how data moves through a binary. Backward slicing computes the minimal instruction set influencing a target variable. Taint tracking follows untrusted input from sources like recv and read to dangerous sinks like system and exec. Both work across function boundaries.

Backward slicing • Forward slicing • Taint propagation • Cross-function • Xref tracking
Concolic Falsification

Security Variant Detection

Combines concrete emulation with sparse symbolic shadow to find machine-checkable security property violations. Detects 9 CWE classes: buffer overflows, command injection, format strings, use-after-free, integer overflow, path traversal, null dereference, double-free, and divide-by-zero. Validated at 100% detection on CTF binaries with 0 false positives on production binaries.

Z3 SMT solver • Parallel constraint solving • UNSAT caching • Attacker model inference • Sandboxed Unicorn emulation
Fuzzing Engine

Hybrid Coverage-Guided Fuzzing

AFL-compatible coverage-guided fuzzing integrated with concolic exploration. Corpus management, validation campaigns, and A/B comparison framework for exploration strategies. Scheduler automatically balances fuzzing with symbolic execution.

64KB edge bitmap • AFL-compatible • Corpus management • Concolic integration • A/B comparison
Pricing

Start free. Scale when you're ready.

No credit card required. Upgrade as your analysis workload grows.

Free
$0/mo
  • 3 binaries per month
  • Core disassembly
  • x86-64 architecture
  • Basic decompilation
  • Community support
Join Waitlist
Most Popular
Pro
$79/mo
  • Unlimited binaries
  • All 97 MCP tools
  • x86-64 + ARM64
  • SSA decompilation
  • Concolic falsification
  • Hybrid fuzzing
  • Evasion detection
  • Priority support
Join Waitlist
Enterprise
Custom
  • Everything in Pro
  • On-prem deployment
  • Custom detection rules
  • CI/CD integration
  • Dedicated support & SLAs
Contact Us

IDA Pro starts at $1,879/yr. Binary Ninja at $299+. Aletheia Pro gives you full agent integration and SSA decompilation at a fraction of the cost.

FAQ

Frequently asked questions

What binary formats does Aletheia support?
ELF, PE, and Mach-O. Both x86-64 and ARM64 architectures. Format detection is automatic — load any supported binary and Aletheia identifies the format and architecture.
How does this differ from using Ghidra with a Python script?
Aletheia is purpose-built for agent consumption. Every capability returns structured JSON. No GUI, no Java runtime, no script glue. 97 MCP tools across 19 categories, with risk-tiered permissions and full audit logging.
Can I use Aletheia for malware analysis?
Yes. Built-in evasion detection identifies anti-debugging, anti-VM, packing, and obfuscation techniques with MITRE ATT&CK mapping. Unicorn-based sandboxed emulation lets you safely test hypotheses about binary behaviour.
What decompilation quality can I expect?
Aletheia uses SSA-form IR with the Cooper-Harvey-Kennedy dominance algorithm and Cytron-style phi insertion. Output is typed C with constraint-based type recovery, struct/union/enum reconstruction, and control flow structuring. Quality is actively improving with each release — currently at v0.9.
How do the MCP tools scale without overwhelming the AI's context window?
Both Aletheia and Arbiter integrate with Forgemax, our open source MCP gateway. Traditional MCP dumps every tool schema into the LLM's context window — at 97 tools, that's ~19,000 tokens of overhead before the agent even starts working. Forgemax collapses all tools into just two: search and execute. The agent discovers capabilities dynamically and writes JavaScript to chain tool calls inside a sandboxed V8 isolate. Context overhead drops to ~1,100 tokens regardless of tool count — a 91% reduction. The sandbox provides full security isolation with AST validation and opaque credential bindings.
Can I use Aletheia without AI agents?
Yes. Aletheia has a full CLI with subcommands for loading, analyzing, disassembling, listing functions, extracting strings, and generating reports. The MCP server is an additional interface — not a requirement.
How does Aletheia handle stripped binaries?
Aletheia uses recursive descent analysis to discover functions from entry points and call targets, assigning confidence scores to each detection. FLIRT-style library function signatures match common library functions by byte patterns even without symbol information. When DWARF debug info is present, it's used to enrich results.
Does Aletheia support taint analysis?
Yes. Aletheia traces data flow from untrusted sources (recv, read, fgets) to dangerous sinks (system, exec, memcpy) across function boundaries. Backward slicing computes the minimal instruction set influencing any target variable. Both are exposed as MCP tools.
Early Access

Aletheia is currently in closed development.

Join the waitlist to get early access when we open the beta. No spam. One email when it's ready.

Questions? Interested in collaborating?

contact@arbitersec.com