DECODA offers two distinct analysis modes. You can switch between them using the toggle at the top of the chat input.

## Ask Mode
Ask mode is a conversational Q&A interface. You type a question, and the AI responds immediately using its knowledge of your uploaded sample and triage results.
Best for:
- Quick triage questions (“Is this file packed?”, “What do these YARA matches mean?”)
- Conceptual explanations (“How does process injection work?”, “What is a PE import table?”)
- Discussing findings from a previous Agent mode analysis
How it works:
- Uses a fast language model for low-latency responses
- Does not execute any tools or access the sandbox
- Draws on the triage data (hashes, YARA matches, VirusTotal results) already collected for your sample
- Rate limited to 60 requests per minute
Ask mode is great for learning. If the agent produces a technical finding you don’t understand, switch to Ask mode and ask it to explain.

## Agent Mode
Agent mode gives the AI autonomous control over a full analysis toolkit. It decides which tools to run, executes them inside an isolated sandbox, reviews the output, and iterates until it has enough information to answer your question.
Best for:
- Deep static analysis (“Decompile the entry point and trace the execution flow”)
- IOC extraction (“Find all network indicators in this binary”)
- Detection engineering (“Generate a YARA rule for this malware family”)
- Full reports (“Produce a comprehensive threat intelligence report”)
How it works:
- Uses Claude Sonnet for reasoning and tool selection
- Each analysis runs inside a fresh Firecracker microVM with network disabled
- The agent can chain multiple tools together across iterations
- Rate limited to 20 requests per minute
When in Agent mode, the AI has access to the following tools:

### Core Analysis

| Tool | What it does |
|---|---|
| File Info | Full metadata, all hash types (MD5, SHA1, SHA256, ssdeep, imphash), and entropy calculation |
| YARA Scan | Scan with built-in rulesets plus any custom rules you’ve added |
| Strings Analysis | Extract strings with automatic categorisation (URLs, IPs, API calls, registry keys) |
| Terminal Command | Run safe shell commands inside the sandbox (dangerous commands are blocked) |
| Python Code | Execute custom Python scripts with pefile, capstone, lief, PyCryptodome, and more |
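
The File Info row above reports hashes and an entropy calculation, and entropy is also the quickest answer to the Ask-mode question “Is this file packed?”. The script below is an added example of the kind of thing you might run through the Python Code tool; it is not DECODA's own File Info implementation. It computes MD5/SHA1/SHA256 with the standard library, per-section Shannon entropy, and a packing verdict. The 7.2 threshold, the section names and the sample bytes are constructed for illustration; ssdeep and imphash are omitted because they need the ssdeep and pefile libraries.

```python
"""Hash and entropy triage of a sample, the kind of script the Python Code
tool would run. Added example, not DECODA's own File Info code."""
import hashlib
import json
import math
import random
from collections import Counter

# Sections at or above this Shannon entropy (bits per byte) are flagged as
# likely compressed or packed. 7.2 is a rule-of-thumb cut-off, not a DECODA
# setting (assumption).
PACKED_ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_hashes(data: bytes) -> dict:
    """The cryptographic hashes File Info reports. ssdeep and imphash need the
    ssdeep and pefile libraries and are left out so this runs on a bare interpreter."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def triage(sections: dict) -> dict:
    """Per-section entropy plus a whole-file packing verdict.

    `sections` maps section name -> raw bytes; with pefile you would fill it
    from pe.sections. Any section over the threshold yields "likely packed".
    """
    whole = b"".join(sections.values())
    entropy = {name: round(shannon_entropy(blob), 3) for name, blob in sections.items()}
    high = [name for name, h in entropy.items() if h >= PACKED_ENTROPY_THRESHOLD]
    return {
        "size": len(whole),
        "hashes": file_hashes(whole),
        "section_entropy": entropy,
        "high_entropy_sections": high,
        "verdict": "likely packed" if high else "not packed",
    }


# Constructed input, not a real binary: a repetitive code-like .text section
# and a UPX1 section of seeded pseudo-random bytes standing in for a packed
# payload. Seeding keeps the result reproducible.
_rng = random.Random(1)
SAMPLE_SECTIONS = {
    ".text": b"\x55\x8b\xec\x83\xec\x10\x90\x90" * 512,
    "UPX1": bytes(_rng.getrandbits(8) for _ in range(4096)),
}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_SECTIONS), indent=2))
```

Per-section entropy is more informative than whole-file entropy: a packed binary typically keeps a small, low-entropy stub section next to a large section near 8 bits per byte, and that contrast is what the verdict keys on. A high-entropy section can also be legitimate compressed resources or embedded certificates, so treat the verdict as a triage hint to confirm with the packer-identification Ghidra script, not as a conclusion.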

### Reverse Engineering

| Tool | What it does |
|---|---|
| Ghidra Scripts | 16 pre-built scripts covering decompilation, crypto detection, packer identification, cross-references, and call graphs |
| .NET Analysis | Decompile .NET assemblies using ILSpyCMD and monodis |
| Cross References | Map function cross-references across the binary |
| Call Graph | Generate function call graphs |
| Crypto Detection | Identify cryptographic algorithms and constants |
| Python Unpacker | Detect and unpack PyInstaller/py2exe binaries |

### Document Analysis

| Tool | What it does |
|---|---|
| OLE Analysis | Analyse Office documents and OLE files for macros and embedded objects |
| PDF Analysis | Inspect PDF structure for suspicious JavaScript, embedded files, and launch actions |
| JAR Analysis | Analyse Java archive contents and class files |

### Output

| Tool | What it does |
|---|---|
| Generate IOCs | Extract and export indicators of compromise as JSON, CSV, or STIX 2.1 |
| Generate YARA Rule | Create detection rules based on the sample’s characteristics |
| Save Artifact | Save extracted payloads, configs, or other artifacts for download |
| Save Report | Generate a structured analysis report |
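
Strings Analysis categorises extracted strings, and Generate IOCs exports indicators as JSON, CSV or STIX 2.1. The script below is an added example that approximates both steps with the standard library; it is not DECODA's code. It pulls printable runs out of a constructed byte blob, buckets them as URL, IPv4 address, registry key or API call, and wraps the network indicators in a STIX 2.1 Bundle of Indicator objects. The category regexes, the API name list, the minimum string length and the sample blob are assumptions for illustration.

```python
"""Printable-string extraction with categorisation, and export of the
network indicators as a STIX 2.1 bundle. Added example approximating the
Strings Analysis and Generate IOCs tools; not DECODA's code."""
import json
import re
import uuid
from datetime import datetime, timezone
from typing import Optional

MIN_LEN = 6  # minimum run length, as in the classic `strings` tool (assumed default)

# Categorisation patterns. The API and registry lists are short illustrative
# sets, not DECODA's ruleset.
CATEGORY_PATTERNS = {
    "url": re.compile(r"^https?://\S+$", re.I),
    "ipv4": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "registry": re.compile(r"^HK(?:LM|CU|CR|U|CC)\\", re.I),
    "api_call": re.compile(
        r"^(?:VirtualAlloc(?:Ex)?|WriteProcessMemory|CreateRemoteThread|"
        r"LoadLibrary[AW]?|GetProcAddress|WinExec|InternetOpen[AW]?)$"
    ),
}


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """ASCII runs of at least min_len printable characters."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def _is_ipv4(s: str) -> bool:
    # The regex accepts 999.1.1.1; reject octets outside 0-255 here.
    return all(0 <= int(octet) <= 255 for octet in s.split("."))


def categorise(strings: list) -> dict:
    """Bucket each string into the first matching category, else 'other'."""
    out = {name: [] for name in CATEGORY_PATTERNS}
    out["other"] = []
    for s in strings:
        for name, pat in CATEGORY_PATTERNS.items():
            if pat.match(s) and (name != "ipv4" or _is_ipv4(s)):
                out[name].append(s)
                break
        else:
            out["other"].append(s)
    return out


def _escape(value: str) -> str:
    # STIX patterns quote literals with single quotes; escape backslash and quote.
    return value.replace("\\", "\\\\").replace("'", "\\'")


def to_stix_bundle(categories: dict, timestamp: Optional[str] = None) -> dict:
    """Wrap URL and IPv4 strings as STIX 2.1 Indicator objects in a Bundle.

    Registry keys and API names are sample characteristics (useful for a YARA
    rule) rather than network IOCs, so they are not exported here.
    """
    ts = timestamp or datetime.now(timezone.utc).isoformat(
        timespec="milliseconds").replace("+00:00", "Z")
    objects = []
    for kind, ioc_type in (("url", "url"), ("ipv4", "ipv4-addr")):
        for value in categories.get(kind, []):
            objects.append({
                "type": "indicator",
                "spec_version": "2.1",
                "id": f"indicator--{uuid.uuid4()}",
                "created": ts,
                "modified": ts,
                "name": f"{ioc_type} extracted from sample strings",
                "indicator_types": ["malicious-activity"],
                "pattern": f"[{ioc_type}:value = '{_escape(value)}']",
                "pattern_type": "stix",
                "valid_from": ts,
            })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


# Constructed blob, not a real sample: strings separated by NUL bytes plus some
# binary filler, including one bogus IP that must land in "other".
SAMPLE_BLOB = b"\x00".join([
    b"MZ\x90\x00\x03",
    b"http://example.invalid/update.php",
    b"10.0.0.5",
    b"999.1.1.1",
    b"VirtualAlloc",
    b"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    b"short",
    b"\xde\xad\xbe\xef" * 8,
])

if __name__ == "__main__":
    cats = categorise(extract_strings(SAMPLE_BLOB))
    print(json.dumps(cats, indent=2))
    print(json.dumps(to_stix_bundle(cats), indent=2))
```

The octet check matters in practice: version strings, timestamps and float constants frequently match a naive dotted-quad regex, and exporting them as IPv4 indicators pollutes downstream blocklists. The same caution applies to URLs pulled from strings, which may be benign update or documentation links, so review the categorised list before sharing the bundle.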

## Choosing the Right Mode

| Scenario | Recommended Mode |
|---|---|
| “What type of file is this?” | Ask |
| “Explain the YARA match for Emotet” | Ask |
| “Decompile the main function” | Agent |
| “Extract all network IOCs” | Agent |
| “Is this file malicious?” | Start with Ask, switch to Agent for confirmation |
| “Generate a report for my team” | Agent |
| “How does DLL sideloading work?” | Ask |
| “Find any encrypted strings and decrypt them” | Agent |

## Analysis Perspectives
In your settings, you can choose from five analysis perspectives that shape how the AI communicates its findings:
- Executive - High-level summaries focused on business impact and risk
- Professor - Educational explanations that teach concepts alongside findings
- Analyst - Balanced technical detail for SOC workflows
- Reverse Engineer - Deep technical analysis with assembly-level detail
- Threat Hunter - TTPs, detection opportunities, and adversary behaviour focus