Binary analysis engine

Ghidra for
AI agents.

Load PE, ELF, or Mach-O binaries. Disassemble x86-64 and ARM64. Lift to SSA-form IR. Decompile to typed C with inter-procedural type recovery. Find security vulnerabilities with concolic falsification. Fuzz with coverage-guided hybrid fuzzing. All through 62 structured MCP tools.

Get Early Access See How It Works

62 MCP tools — structured JSON input/output for every capability

SSA-form decompilation with Cooper-Harvey-Kennedy algorithm

16 Rust crates, 1,600+ tests, 186K lines of Rust — v0.4.0

aletheia — session: binary-analysis

How It Works

From raw binary to structured intelligence

Traditional RE tools give you a GUI. Aletheia gives your agent 62 JSON APIs to reason with.

Step 01

Load

Parse ELF, PE, and Mach-O binaries. Extract sections, symbols, DWARF debug info, and relocations automatically.

Step 02

Disassemble

Decode x86-64 and ARM64 instructions, discover functions via recursive descent, and build control flow graphs with petgraph.

Step 03

Lift & Decompile

Lift to custom IR with 35 opcodes and explicit EFLAGS. Construct SSA form via Cytron phi insertion. Decompile to typed C.

Step 04

Detect & Verify

Identify evasion techniques with MITRE ATT&CK mapping. Find buffer overflows, command injection, and use-after-free with concolic falsification. Fuzz with coverage-guided hybrid fuzzing.

Honest Comparison

Aletheia vs. the tools you already know

Ghidra is powerful. IDA is the standard. Binary Ninja innovates. Aletheia is built for a different user: agents.

Capability	Aletheia	Ghidra	IDA Pro	Binary Ninja
AI agent integration (MCP)	62 MCP tools, structured JSON
Structured API output	Native JSON, agent-optimised	Ghidra Script (Java/Python)	IDAPython	Python API
SSA-form IR	Full SSA, Cooper-Harvey-Kennedy	P-Code (not SSA)	Microcode (limited SSA)	BNIL (SSA variants)
Evasion / anti-analysis detection	Built-in, MITRE ATT&CK mapped	Plugins only	FLARE plugins	Plugins only
Crypto signature identification	Built-in, structured results	FindCrypt plugin	FindCrypt plugin	Sigkit
Full-text search across binary	Tantivy full-text engine	Basic string search	String / byte search	Cross-references
Headless / CLI mode	Native CLI + MCP server	analyzeHeadless	Batch mode	Headless
Memory safety	Pure Rust, zero unsafe	Java / JVM	C++ (manual)	C++ core
Multi-architecture	x86-64 & ARM64	Many architectures	Many architectures	Many architectures
Data flow analysis	SSA def-use, taint, slicing	P-Code emulation	Microcode analysis	MLIL SSA slicing
Price	Free tier + Pro	Free (NSA)	$1,879+ / yr	$299+

Ghidra and IDA are battle-tested with decades of plugin ecosystem. Binary Ninja's IL design is excellent. Aletheia's advantage is agent ergonomics and structured output — it's complementary for AI-driven workflows.

Engineering

The numbers behind Aletheia

A 16-crate Rust workspace. Clean-room implementation. Every algorithm from published literature.

Rust Crates

Modular workspace architecture

1,600+

Tests

Unit, integration & fuzz targets

MCP Tools

17 categories, full agent integration

IR Opcodes

Custom IR with EFLAGS modelling

Architectures

x86-64 & ARM64

186K

Lines of Rust

Pure Rust, zero unsafe

Capabilities

What Aletheia actually does

Every capability exposed as a structured MCP tool. Built for agents that need to reason about binaries.

Core Architecture

SSA-Form Decompilation Pipeline

A full decompilation pipeline from raw bytes to typed C. Instructions are lifted to a custom intermediate representation with 35 opcodes and explicit EFLAGS modelling. SSA construction uses the Cooper-Harvey-Kennedy algorithm with Cytron-style phi insertion — the same foundations as production compilers.

35 IR Opcodes

SSA Form IR

3 Binary Formats

Five-pass type inference recovers integers, pointers, arrays, and structs. Inter-procedural propagation refines types across the call graph. Control flow structuring detects loops, if/else chains, and switch statements. Every pipeline stage is independently accessible through MCP tools.

AI-Native

62 MCP Tools

Every capability — loading, disassembly, decompilation, search, detection, data flow tracing, type recovery, concolic analysis, and hybrid fuzzing — is exposed as a structured MCP tool across 17 categories. Connect Aletheia to Claude and the agent orchestrates entire analysis workflows autonomously.

stdio + SSE transport • Risk-tiered permissions • Knowledge graph • Audit logging

Threat Intelligence

Evasion & Anti-Analysis Detection

Built-in detection for anti-debugging, anti-VM, packing, obfuscation, and other evasion techniques. Every finding is mapped to MITRE ATT&CK technique IDs for structured threat intelligence integration.

MITRE ATT&CK mapping • Anti-debug • Anti-VM • Packing detection • Obfuscation scoring

Cryptographic Analysis

Crypto Signature Detection

Identifies cryptographic constants, S-boxes, and algorithm signatures embedded in binaries. Detects AES, DES, SHA-256, MD5 constants, and custom implementations through byte-pattern and structural analysis.

AES / DES • SHA-256 / MD5 • S-box detection • Byte-pattern matching

Search Engine

Tantivy Full-Text Search

Blazing-fast full-text search across all analysis artifacts — strings, function names, cross-references, and disassembly output. Powered by Tantivy, the Rust search engine library. Query results are structured JSON.

Full-text indexing • Bidirectional xrefs • petgraph CFG • Sub-millisecond queries

Vulnerability Research

Data Flow & Taint Analysis

Trace how data moves through a binary. Backward slicing computes the minimal instruction set influencing a target variable. Taint tracking follows untrusted input from sources like recv and read to dangerous sinks like system and exec. Both work across function boundaries.

Backward slicing • Forward slicing • Taint propagation • Cross-function • Xref tracking

Concolic Falsification

Security Variant Detection

Combines concrete emulation with sparse symbolic shadow to find machine-checkable security property violations. Detects buffer overflows, command injection, format strings, use-after-free, integer overflow, and path traversal with parallel constraint solving.

Z3 SMT solver • Parallel constraint solving • UNSAT caching • Attacker model inference • Sandboxed Unicorn emulation

Fuzzing Engine

Hybrid Coverage-Guided Fuzzing

AFL-compatible coverage-guided fuzzing integrated with concolic exploration. Corpus management, validation campaigns, and A/B comparison framework for exploration strategies. Scheduler automatically balances fuzzing with symbolic execution.

64KB edge bitmap • AFL-compatible • Corpus management • Concolic integration • A/B comparison

Pricing

Start free. Scale when you're ready.

No credit card required. Upgrade as your analysis workload grows.

Free

$0/mo

3 binaries per month
Core disassembly
x86-64 architecture
Basic decompilation
Community support

Join Waitlist

Frequently asked questions

What binary formats does Aletheia support?

ELF, PE, and Mach-O. Both x86-64 and ARM64 architectures. Format detection is automatic — load any supported binary and Aletheia identifies the format and architecture.

How does this differ from using Ghidra with a Python script?

Aletheia is purpose-built for agent consumption. Every capability returns structured JSON. No GUI, no Java runtime, no script glue. 62 MCP tools across 17 categories, with risk-tiered permissions and full audit logging.

Can I use Aletheia for malware analysis?

Yes. Built-in evasion detection identifies anti-debugging, anti-VM, packing, and obfuscation techniques with MITRE ATT&CK mapping. Unicorn-based sandboxed emulation lets you safely test hypotheses about binary behaviour.

What decompilation quality can I expect?

Aletheia uses SSA-form IR with the Cooper-Harvey-Kennedy dominance algorithm and Cytron-style phi insertion. Output is typed C with variable naming and control flow structuring. Quality is actively improving with each release — currently at v0.4.0.

How do the MCP tools scale without overwhelming the AI's context window?

Both Aletheia and Arbiter integrate with Forgemax, our open source MCP gateway. Traditional MCP dumps every tool schema into the LLM's context window — at 62 tools, that's ~12,000 tokens of overhead before the agent even starts working. Forgemax collapses all tools into just two: search and execute. The agent discovers capabilities dynamically and writes JavaScript to chain tool calls inside a sandboxed V8 isolate. Context overhead drops to ~1,100 tokens regardless of tool count — a 91% reduction. The sandbox provides full security isolation with AST validation and opaque credential bindings.

Can I use Aletheia without AI agents?

Yes. Aletheia has a full CLI with subcommands for loading, analyzing, disassembling, listing functions, extracting strings, and generating reports. The MCP server is an additional interface — not a requirement.

How does Aletheia handle stripped binaries?

Aletheia uses recursive descent analysis to discover functions from entry points and call targets, assigning confidence scores to each detection. FLIRT-style library function signatures match common library functions by byte patterns even without symbol information. When DWARF debug info is present, it's used to enrich results.

Does Aletheia support taint analysis?

Yes. Aletheia traces data flow from untrusted sources (recv, read, fgets) to dangerous sinks (system, exec, memcpy) across function boundaries. Backward slicing computes the minimal instruction set influencing any target variable. Both are exposed as MCP tools.

Early Access

Aletheia is currently in closed development.

Join the waitlist to get early access when we open the beta. No spam. One email when it's ready.

Questions? Interested in collaborating?

[email protected]

Ghidra for AI agents.