From the Worthify research team

An AI analyst for binary work.

ReAgent reads disassembly, runs samples in sandboxes, and answers questions about a binary in plain English — with every claim grounded in a specific address. Built for reverse engineers, AppSec teams, and incident response.

See how it works
~ reagent · firmware-v3.bin · strings · graph · arm64 · 2.4 MB · 4 sections
explain the boot path of this firmware.
REAGENT
Boot starts at 0x0, jumps to setup_clocks, loads a u-boot blob from 0x80000, then chain-loads a Linux kernel.
tool · disassemble(0x0..0x200)
tool · find_strings("u-boot")
anything sketchy in the bootloader?
REAGENT · risk found
Custom XOR decoder at 0x401780 reads .rdata through a length param taken straight from the input — heap overflow when len > 0x40.
→ poc generated · poc.py · 142 bytes
agent stream live
ST · static · decompiled 412 functions · 00:02
DY · dynamic · booting arm-vexpress sandbox · 00:06
AG · agent · found suspicious xor loop · 00:11
FZ · fuzzer · fuzzing target · 1,240 i/s · 00:14
AG · agent · crash · SIGSEGV @ 0x401234 · 00:18
CURRENT FINDING
HIGH · CVE-pending heap overflow in parse_packet()
cvss 8.8 · poc available · 1 of 3 issues
// the thesis

Reverse engineering is bottlenecked by attention, not by talent.

Most security and research teams have one or two people who can read disassembly fluently. Their day is fragmented across tools, samples, and tickets. ReAgent answers the questions those people would have asked next — it follows references, runs the sample, and reports back with citations to the exact bytes that matter. Nothing is invented. Every finding is reproducible.

// what it does

Four capabilities, one workspace.

01
conversational analysis

Conversational analysis, grounded in disassembly.

Ask questions in plain English. Every answer cites a specific virtual address; click any reference to jump to the disassembly. The agent reads xrefs, follows imports, and never invents a function or a byte.

reagent · workspace · firmware-v3.bin
why does main call geteuid at startup?
Privilege check. If geteuid() != 0 the binary forks setuid_helper at 0x4015e0 via execve — which is itself setuid root. Classic local-privesc handle.
0x4012a0 main+0x140 → cmp eax, 0
0x4015e0 setuid_helper · setuid bit set
show me callers of setuid_helper
3 callers · main, handle_signal, .init_array
02
dynamic + fuzz

Sandboxed execution and coverage-guided fuzzing, in one workspace.

Run samples in disposable cross-platform sandboxes. Coverage-guided fuzzing surfaces crashes; the agent triages each crash, narrows the input, and produces a reproducible proof of concept.

sandbox · linux-x64 · fuzzer running
10,402 execs / sec
87% edge coverage
3 unique crashes
edge coverage · 2,448 / 2,820
CRASH · SIGSEGV @ 0x401234 · heap overflow · auto-triaged
03
open platform

An open tool server for the agents and pipelines you already run.

ReAgent is also a tool server. The same capabilities the workspace uses are exposed over a clean, open protocol — callable from any agent or CI pipeline you operate.

reagent platform · 1 endpoint · open protocol
A1 your agent · connected
CI ci pipeline · connected
RA reagent (in-app) · primary
analyze_binary()
get_vulnerabilities()
extract_functions()
search_strings()
run_fuzz()
get_xrefs()
decompile_function()
get_callgraph()
+ 18 more
04
deployment

Air-gapped, on your infrastructure, with a model of your choice.

For classified or destructive samples. The full platform — agent, decompiler, fuzzer, sandbox — deploys to your own hardware. The artifact never leaves your environment.

secure mode · network ✕ · outbound ✕
deployment: on-prem · single binary
model: bring-your-own · local
decompiler: bundled · local
sandbox: isolated · seccomp filters
audit: syslog · 100% commands logged
compliance: SOC2 · FedRAMP-ready · IL5 path
// the loop

Every answer ends in evidence. Every action loops back into the analysis.

  1. upload
    PE / ELF / Mach-O / firmware

    Drop a binary or point at a build artifact. Hash, unpack, fingerprint — all automatic.

  2. ground
    static analysis · symbols

    Sections, functions, strings, xrefs. The agent reads everything the decompiler emits.

  3. ask
    natural language → tool calls

    Talk in English. The agent picks the tools, runs the queries, and grounds every answer in an address.

  4. prove
    sandbox · fuzz · execute

    Detonate in an isolated sandbox. Coverage-guided fuzzing finds the crashes; the agent triages them.

  5. report
    markdown · pdf · STIX 2.1

    Findings export as a writeup, a STIX bundle, or an MR. Every claim still cites the address.

findings feed the next question. ReAgent remembers the whole graph — across artifacts, sessions, teams.
// what's in the box

Specifications.

What ReAgent supports today. Anything not listed here is either on the roadmap or off it — we'd rather you know which.

Architectures
x86 · x86-64 · ARM · AArch64 · MIPS · PowerPC · RISC-V
File formats
PE · ELF · Mach-O · raw / shellcode · common firmware images
Deployment
Hosted SaaS · Self-hosted (Kubernetes) · Air-gapped — bring your own model
Integrations
REST tool API · Command-line client · Python SDK · CI hook (GitHub, GitLab)
Security & compliance
SSO / SAML on Enterprise · Per-action audit log · EU + US data residency · SOC 2 Type I in audit
Provenance
  • Every claim cites a virtual address
  • Every tool call and model output is logged
  • Sessions export as a reproducible bundle
// pricing

Pricing.

Every tier includes the full conversational UI. Tiers differ in scale, deployment surface, and what you can extend.

Free
$0

For solo researchers and CTF players.

  • 1,000 credits / month
  • Up to 50 MB per artifact
  • Static analysis: disassembly, symbols, strings, xrefs
  • Conversational UI (cloud)
  • Standard tool catalog
  • Markdown report export
Enterprise
Custom

Air-gapped deployments for classified work and regulated industries.

  • Everything in Pro, plus —
  • On-prem and air-gapped deployments — bring your own model
  • SSO / SAML, RBAC, per-action audit log
  • Tool authoring SDK and private tool registry
  • Custom analysis workflows, prompts, and runbooks
  • Ingest your own documentation, runbooks, and malware corpus
  • Dedicated solutions engineer · onboarding workshop
// or pay-as-you-go
One binary at a time.

Need to look at one binary? Pay by size, get the full analysis. No subscription, no commitment.

full RE suite per analysis · volume discount at $250+
price per binary, by size
Tiny · ≤1 MB · $0.20
Small · 1–10 MB · $0.60
Medium · 10–100 MB · $2.40
Large · 100 MB–1 GB · $8.00
XL · 1 GB+ · $0.012/MB

all prices in usd · placeholder numbers · contact sales for volume / academic discounts

// get started

See it on one of your samples.

Free analysis on samples up to 50 MB. No card required. Air-gapped install available for restricted work.

SOC 2 Type I in audit · SSO + SAML on Enterprise · EU + US data residency