What is the difference between Ask mode and Agent mode?
Ask mode is a fast Q&A interface that responds instantly using the triage data already collected for your sample. It doesn’t run any tools. Agent mode gives the AI full access to the analysis toolkit (Ghidra, YARA, Python, etc.) inside an isolated sandbox. Use Ask for quick questions, Agent for deep analysis. See Analysis Modes for the full breakdown.
DECODA supports 26+ file type categories including Windows PE, .NET, ELF, Mach-O, Office documents, PDFs, scripts, Java JARs, Android APKs, PCAP captures, Windows event logs, registry hives, and more. See Supported File Types for the complete list.
No. DECODA performs static analysis only. Your sample is never executed. Tools like Ghidra decompile the binary, YARA scans for signatures, and Python scripts parse file structures — but the malware code itself never runs.
The sandbox runs inside a Firecracker microVM with no network access, no root privileges, and strict command blocking. Each analysis gets a fresh VM that is destroyed afterwards. There is no persistent state between sessions.
Ghidra scripts are only available on Pro and Max tiers. On the Free tier, the agent uses other tools like strings analysis, YARA, and Python. Additionally, Ghidra is best suited for native code (PE, ELF, Mach-O) — for .NET samples, the agent uses ILSpyCMD instead, and for Java, it uses CFR/JADX.
Agent mode analyses can take up to 13 minutes for complex samples, especially when running Ghidra scripts on large binaries. Each tool has its own timeout (60 seconds for Python, up to 10 minutes for Ghidra), and the agent can auto-continue across multiple steps. If an analysis appears stuck, you can start a new message — the previous tool execution will time out gracefully.
Yes. Go to Settings > Preferences and add your custom YARA rules using the built-in YARA rule editor. These are applied alongside DECODA’s built-in rulesets during triage and are available to the agent for on-demand scanning. Rule limits depend on your tier: 5 (Free), 50 (Pro), Unlimited (Max).
During triage, DECODA checks the sample’s SHA256 hash against VirusTotal and shows the detection ratio, engine-specific labels, and first/last seen dates. By default, DECODA uses a shared platform key. You can add your own VT API key in Settings for higher rate limits.
Samples are deduplicated by SHA256 hash within your account. If you upload the same file twice, the existing triage data is reused rather than re-running the pipeline.
If you’re on the Pro or Max tier, you can continue with credits. Credits are purchased in packs, and one credit is deducted per query once your monthly allocation is exhausted. On the Free tier, you’ll need to wait until the next month or upgrade. See Plans & Billing for details.
Yes. Downgrade from Settings > Billing. The change takes effect at the end of your current billing period — you keep your current tier’s limits until then.
Reports can be downloaded in 8 formats: PDF, DOCX, HTML, Markdown, JSON, CSV, XML, and MITRE ATT&CK Navigator layers. You can also download a ZIP bundle containing all formats. IOCs can be separately exported as JSON, CSV, or STIX 2.1. See Reports for details.