Built by the Worthify engineering team

Binary analysisthat can be checked.

ReAgent reads disassembly, runs samples in isolated sandboxes, and answers questions about a binary in plain language. Every answer is linked to a specific address so you can verify findings before you take action.

See how it works
~ reagent · firmware-v3.binstringsgrapharm64 · 2.4 MB · 4 sections
explain the boot path of this firmware.
REAGENT
Boot starts at 0x0, jumps to setup_clocks, loads a u-boot blob from 0x80000, then chain-loads a Linux kernel.
tool · disassemble(0x0..0x200)tool · find_strings("u-boot")
anything sketchy in the bootloader?
REAGENT · risk found
Custom XOR decoder at 0x401780 reads .rdata through a length param taken straight from the input — heap overflow when len > 0x40.
→ poc generated · poc.py · 142 bytes
agent stream live
STstaticdecompiled 412 functions00:02
DYdynamicbooting arm-vexpress sandbox00:06
AGagentfound suspicious xor loop00:11
FZfuzzerfuzzing target · 1,240 i/s00:14
AGagentcrash · SIGSEGV @ 0x40123400:18
CURRENT FINDING
HIGHCVE-pending heap overflow in parse_packet()
cvss 8.8 · poc available · 1 of 3 issues
// the thesis

Most reverse engineering is bottlenecked by context, not by talent.

Teams often rely on one or two people who can read assembly and keep the thread together. The work is split across notes, binaries, and task queues. ReAgent keeps the follow-up questions in one place: it follows references, runs targeted checks, and points to the exact bytes behind each conclusion. When you need it, your workflow can stay in your own stack through MCP clients and your own model path.

// what it does

Four capabilities, one workflow.

01
conversational analysis

Ask questions, get answers you can reproduce.

Ask in plain language. Every response includes concrete references so you can jump directly to symbols, xrefs, and bytes in the binary view.

reagent · workspace · firmware-v3.bin
why does main call geteuid at startup?
Privilege check. If geteuid() != 0 the binary forks setuid_helper at 0x4015e0via execve — which is itself setuid root. Classic local-privesc handle.
0x4012a0 main+0x140 → cmp eax, 00x4015e0 setuid_helper · setuid bit set
show me callers of setuid_helper
3 callers · main, handle_signal, .init_array
02
dynamic + fuzz

Static checks plus runtime checks, in one workspace.

Run samples in disposable cross-platform sandboxes. Coverage-guided fuzzing surfaces crashes; the results are captured with repro steps so you can confirm each issue.

sandbox · linux-x64 · fuzzer running
10,402
execs / sec
87%
edge coverage
3
unique crashes
edge coverage · 2,448 / 2,820
CRASHSIGSEGV@ 0x401234· heap overflow · auto-triaged
03
agent workflows

Open protocol. Connect your tools.

ReAgent exposes the same analysis capabilities through MCP. Connect your existing agents, CI bots, and analyst scripts without duplicating tooling or building separate wrappers.

reagent platform · MCP endpoint · /mcp and /mcp-sse
A1 your agent · connected
C1 Claude Code
C2 Codex CLI / Codex agent
C3 internal CI bots
C4 Cursor-style MCP clients
C5 custom in-house agents
RA reagent (in-app) · primary
analyze_binary()
get_vulnerabilities()
extract_functions()
search_strings()
run_fuzz()
get_xrefs()
decompile_function()
get_callgraph()
+ 18 more
04
deployment

Air-gapped deployment with your model.

For sensitive work, deploy on your own hardware with a model you control. The full stack — decompiler, agent, fuzzer, and sandbox — stays inside your environment.

secure mode · network ✕ · outbound ✕
deploymenton-prem · single binary
modelbring-your-own · local
decompilerbundled · local
sandboxisolated · seccomp filters
auditsyslog · 100% commands logged
complianceSOC2 · FedRAMP-ready · IL5 path
// the loop

Every answer gets tested. Every action feeds back into the analysis.

  1. 1
    upload
    PE / ELF / Mach-O / firmware

    Drop a binary or point to a build artifact. Reagent hashes, unpacks, and fingerprints the input automatically.

  2. 2
    ground
    static analysis · symbols

    Sections, functions, strings, and xrefs are prepared first so follow-up questions have a stable base.

  3. 3
    ask
    MCP-aware tools

    Ask through Claude Code, Codex, or your CI agent. Reagent routes that request to the right tool chain and returns address-level evidence.

  4. 4
    prove
    sandbox · fuzz · execute

    Run focused detonation in an isolated environment. Fuzzing shows crash paths and stores reproductions.

  5. 5
    report
    markdown · pdf · STIX 2.1

    Export findings as a report, STIX bundle, or merge request. Each claim points back to the source location.

Findings feed the next question. ReAgent tracks the whole graph — across artifacts, sessions, teams.
// what's in the box

Specifications.

What ReAgent supports today. If a capability is not listed here, treat it as unavailable until it appears in a release note.

Architectures
x86x86-64ARMAArch64MIPSPowerPCRISC-V
File formats
PEELFMach-Oraw / shellcodecommon firmware images
Deployment
Hosted SaaSSelf-hosted (Kubernetes)Air-gapped — bring your own modelCustom model endpoint support (on-prem or private cloud)
Integrations
REST tool APIMCP endpoint: /mcp (streamable) and /mcp-sseClaude Code, Codex CLI, and other MCP clientsPython SDKCI hook (GitHub, GitLab)
Security & compliance
SSO / SAML on EnterprisePer-action audit logEU + US data residencySOC 2 Type I in audit
Provenance
Every claim cites a virtual addressEvery tool call and model output is loggedSessions export as a reproducible bundle
// pricing

Pricing.

Every tier includes the full conversational UI. Tiers differ in scale, deployment surface, and what you can extend.

Free
$0

For independent researchers and smaller teams.

  • 1,000 credits / month
  • Up to 50 MB per artifact
  • Static analysis: disassembly, symbols, strings, xrefs
  • Conversational UI (cloud)
  • Standard tool catalog
  • Markdown report export
Enterprise
Custom

For regulated environments, internal tooling, and air-gapped operations.

  • Everything in Pro, plus —
  • On-prem and air-gapped deployments — bring your own model
  • SSO / SAML, RBAC, per-action audit log
  • Tool authoring SDK and private tool registry
  • Custom analysis workflows, prompts, and runbooks
  • Ingest your own documentation, runbooks, and malware corpus
  • Dedicated solutions engineer · onboarding workshop
// model spend comparison

Public API rates and isolated custom-model economics.

Mythos and GPT-5.5 are public token-model baselines. For cyber teams in restricted environments, the ReAgent custom-model path shifts spend to your infrastructure.

model
input
output
notes
Mythos (public preview access)
$25 / 1M input tokens
$125 / 1M output tokens
Research-preview access model, published token spend
GPT-5.5
$5 / 1M input tokens
$30 / 1M output tokens
Standard API pricing
GPT-5.5 Cyber
Special-access cyber profile (program-specific terms)
Program-specific terms
More permissive cyber workflow policy versus standard
ReAgent custom model
infra + model overhead (your environment)
infra + model overhead (your environment)
No per-token API spend from hosted provider; suitable for isolated cyber labs
Takeaway: Mythos total spend is about 4.3x GPT-5.5 on a 1M in / 1M out basis. Custom models in isolated environments remove token-billing from API usage and keep secrets inside your own boundary.
// or pay-as-you-go
One binary at a time.

Need to check one binary? Pay by size and run a full analysis. No subscription. No commitment.

full RE suite per analysis · volume discount at $250+
price per binary, by size
Tiny≤1 MB$0.20
Small1–10 MB$0.60
Medium10–100 MB$2.40
Large100 MB–1 GB$8.00
XL1 GB+$0.012/MB

public model rates shown in USD for comparison · platform pricing still placeholder until finalized · contact sales for volume / academic discounts

// get started

Try it on one of your own samples.

Free analysis for samples up to 50 MB. No card required. Air-gapped install options for restricted environments.

SOC 2 Type I in audit · SSO + SAML on Enterprise · EU + US data residency