DECODA offers two distinct analysis modes. You can switch between them using the toggle at the top of the chat input.
Your default analysis mode and response format are configurable in Settings. See Personalization to set the mode new conversations start in.
Ask Mode
Ask mode is a conversational Q&A interface. You type a question, and the AI responds immediately using its knowledge of your uploaded sample and triage results.
Best for:
- Quick triage questions (“Is this file packed?”, “What do these YARA matches mean?”)
- Conceptual explanations (“How does process injection work?”, “What is a PE import table?”)
- Discussing findings from a previous Agent mode analysis
How it works:
- Uses Kimi K2.6 (served via Fireworks AI) for fast, low-latency responses, with Claude Sonnet 4.6 as fallback
- Does not execute any tools or access the sandbox
- Draws on the triage data (hashes, YARA matches, entropy, binary type, static analysis) already collected for your sample
- Rate limited to 60 requests per minute
Ask mode is great for learning. If the agent produces a technical finding you don’t understand, switch to Ask mode and ask it to explain.
Agent Mode
Agent mode gives the AI autonomous control over a full analysis toolkit. It decides which tools to run, executes them inside an isolated sandbox, reviews the output, and iterates until it has enough information to answer your question.
Best for:
- Deep static analysis (“Decompile the entry point and trace the execution flow”)
- IOC extraction (“Find all network indicators in this binary”)
- Detection engineering (“Generate a YARA rule for this malware family”)
- Full reports (“Produce a comprehensive threat intelligence report”)
How it works:
- Uses Kimi K2.6 (served via Fireworks AI) for reasoning and tool selection (Claude Sonnet 4.6 as fallback)
- Each analysis runs inside a fresh E2B microVM (8 GB RAM, 4 CPU cores) with network disabled
- The agent can chain multiple tools together across iterations
- Ghidra projects persist across messages within the same chat session, so follow-up questions reuse the already-analysed project
- The agent can auto-continue analysis across multiple steps when a single response isn’t enough
- Rate limited to 20 requests per minute
When in Agent mode, the AI has access to the following tools:
Core Analysis
| Tool | What it does |
|---|---|
| File Info | Full metadata, hash types (MD5, SHA1, SHA256, ssdeep), and entropy calculation |
| YARA Scan | Scan with built-in rulesets plus any custom rules you’ve added |
| Strings Analysis | Extract strings with automatic categorisation (URLs, IPs, API calls, registry keys) |
| Terminal Command | Run safe shell commands inside the sandbox (dangerous commands are blocked) |
| Python Code | Execute custom Python scripts with pefile, capstone, lief, PyCryptodome, and more |
Reverse Engineering
| Tool | What it does |
|---|---|
| Ghidra Scripts | 23 pre-built scripts covering decompilation, control flow, crypto detection, packer identification, API chain analysis, cross-references, and call graphs |
| .NET Analysis | Decompile .NET assemblies using ILSpyCMD and monodis |
| Cross References | Map function cross-references across the binary |
| Call Graph | Generate function call graphs |
| Crypto Detection | Identify cryptographic algorithms and constants |
| Python Unpacker | Detect and unpack PyInstaller/py2exe binaries |
Dynamic Analysis
| Tool | What it does |
|---|---|
| Speakeasy | Emulate a Windows PE, DLL, driver, or shellcode blob with Mandiant Speakeasy to capture API call traces, network attempts, file and registry operations, and dropped files |
| strace | Execute an ELF or Linux binary and trace its system calls (file, network, process, memory) |
| runScript | Detonate a script (Python, PowerShell, Bash, or JAR) under strace to capture its behaviour |
| FakeNet-NG | Run a sample with fake DNS, HTTP/HTTPS, and TCP/UDP listeners to capture C2 domains, URLs, and connection attempts without real network access |
| capa | Map a native PE, ELF, or Mach-O binary’s capabilities to MITRE ATT&CK and MBC techniques |
Document Analysis
| Tool | What it does |
|---|---|
| OLE Analysis | Analyse Office documents and OLE files for macros and embedded objects |
| PDF Analysis | Inspect PDF structure for suspicious JavaScript, embedded files, and launch actions |
| JAR Analysis | Analyse Java archive contents and class files |
Threat Intelligence
| Tool | What it does |
|---|---|
| Web Search | Search the web for CVE details, malware family documentation, and campaign context via Perplexity |
| Analysis Skills | Load specialised methodology for specific scenarios (PE deep-dive, Go binaries, packed samples, YARA hunting, etc.) |
Output
| Tool | What it does |
|---|---|
| Generate IOCs | Extract and export indicators of compromise as JSON, CSV, or STIX 2.1 |
| Generate YARA Rule | Create detection rules based on the sample’s characteristics |
| Save Artifact | Save extracted payloads, configs, or other artifacts for download |
| Save Report | Generate a structured analysis report in 8 formats (PDF, DOCX, HTML, Markdown, JSON, CSV, XML, MITRE Navigator) |
Watching an Agent Run
In Agent mode the response streams live so you can follow the agent’s progress:
- Tool status - Each tool the agent runs shows its current state: executing, completed, or error.
- Reasoning - The agent’s reasoning steps stream into a collapsible section as it decides which tools to run and interprets their output.
- Final report - Once the agent has gathered enough information, it assembles the findings into the final report. When the run completes, the reasoning collapses into a pill and the report is shown.
Handling Large Outputs
Some tools can return very large results (for example, archive extraction or verbose syscall traces). To stay within the model’s context window, any tool output larger than roughly 100 KB is capped: the agent receives a truncated preview together with a notice that the output was truncated.
Truncation is expected behaviour, not a failure. The agent can still work from the preview and follow up with more targeted calls.
If you need the full detail from a truncated result, try:
- Narrowing the query (for example, ask about a specific function, offset, or category rather than the whole binary).
- Applying filters so the tool returns only the relevant slice.
- Saving the data as an artifact for download rather than asking the agent to print it inline.
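As an added example (not DECODA's own code), here is a small Python model of the cap-plus-notice behaviour described above and of the "apply a filter" strategy for getting a verbose strace result back under the cap; the function names, the syscall groupings and the sample trace are constructed for illustration.

```python
"""Model of DECODA's large-output handling (added example, not DECODA's code):
tool output over ~100 KB becomes a preview plus a truncation notice, and a
targeted filter is one way to get the relevant slice back under the cap."""
import re
from typing import Tuple

CAP_BYTES = 100 * 1024  # the page's "roughly 100 KB" limit
# Constructed syscall groupings for the filter helper (not DECODA's own list).
SYSCALL_CATEGORIES = {
    "network": {"socket", "connect", "sendto", "recvfrom", "getaddrinfo"},
    "file": {"openat", "read", "write", "close", "unlink"},
}

def cap_tool_output(output: str, limit: int = CAP_BYTES) -> Tuple[str, bool]:
    """Return (text_for_agent, was_truncated): pass-through under the cap;
    otherwise cut at the last full line inside the cap and append a notice."""
    data = output.encode("utf-8")
    if len(data) <= limit:
        return output, False
    cut = data.rfind(b"\n", 0, limit)
    preview = data[: cut if cut > 0 else limit].decode("utf-8", "ignore")
    notice = (f"\n[output truncated: showing {len(preview.encode())} of "
              f"{len(data)} bytes; narrow the query or apply a filter]")
    return preview + notice, True

def filter_strace(trace: str, category: str) -> str:
    """Keep only strace lines whose syscall is in `category` (the 'apply a
    filter' strategy); lines that are not syscall records are dropped."""
    names = SYSCALL_CATEGORIES[category]
    keep = []
    for line in trace.splitlines():
        m = re.match(r"(?:\[pid\s+\d+\]\s*)?(\w+)\(", line)
        if m and m.group(1) in names:
            keep.append(line)
    return "\n".join(keep)

# Constructed sample: a verbose trace padded well past the cap.
NOISE = 'read(3, "\\x7fELF...", 4096) = 4096\n'
SAMPLE_TRACE = (
    NOISE * 3000
    + 'socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4\n'
    + 'connect(4, {sa_family=AF_INET, sin_port=htons(443), '
      'sin_addr=inet_addr("203.0.113.5")}, 16) = 0\n'
    + NOISE * 10
)

if __name__ == "__main__":
    text, truncated = cap_tool_output(SAMPLE_TRACE)
    print(truncated, text[-80:], filter_strace(SAMPLE_TRACE, "network"), sep="\n")
```

The filtered network-only slice fits comfortably under the cap, which is the point of narrowing the request rather than re-running the full trace.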
Choosing the Right Mode
| Scenario | Recommended Mode |
|---|---|
| “What type of file is this?” | Ask |
| “Explain the YARA match for Emotet” | Ask |
| “Decompile the main function” | Agent |
| “Extract all network IOCs” | Agent |
| “Is this file malicious?” | Start with Ask, switch to Agent for confirmation |
| “Generate a report for my team” | Agent |
| “How does DLL sideloading work?” | Ask |
| “Find any encrypted strings and decrypt them” | Agent |
Analysis Perspectives
In your settings, you can choose from four analysis perspectives that shape how the AI communicates its findings:
- Professor - Educational explanations that teach concepts alongside findings
- Analyst - Balanced technical detail for SOC workflows
- Reverse Engineer - Deep technical analysis with assembly-level detail
- Threat Hunter - TTPs, detection opportunities, and adversary behaviour focus