
General

What is the difference between Ask mode and Agent mode?

Ask mode is a fast Q&A interface that responds instantly using the triage data already collected for your sample. It doesn’t run any tools. Agent mode gives the AI full access to the analysis toolkit (Ghidra, YARA, Python, etc.) inside an isolated sandbox. Use Ask for quick questions, Agent for deep analysis. See Analysis Modes for the full breakdown.

What file types can I upload?

DECODA supports 26+ file type categories including Windows PE, .NET, ELF, Mach-O, Office documents, PDFs, scripts, Java JARs, Android APKs, PCAP captures, Windows event logs, registry hives, and more. See Supported File Types for the complete list.

Is my malware sample executed during analysis?

By default, DECODA performs static analysis - tools like Ghidra decompile the binary, YARA scans for signatures, and Python scripts parse file structures without running the sample. Agent mode can also perform isolated dynamic analysis when needed: Speakeasy emulates PE binaries, strace traces ELF syscalls, and FakeNet-NG captures network intent. All dynamic analysis runs inside a network-disabled Firecracker microVM, so the malware can never reach the real internet or escape the sandbox.

Can malware escape the sandbox?

The sandbox runs inside a Firecracker microVM with no network access, no root privileges, and strict command blocking. Each analysis gets a fresh VM that is destroyed afterwards. There is no persistent state between sessions.

Analysis

Why didn’t the agent use Ghidra on my sample?

Ghidra scripts are only available on Pro and Max tiers. On the Free tier, the agent uses other tools like strings analysis, YARA, and Python. Additionally, Ghidra is best suited for native code (PE, ELF, Mach-O) - for .NET samples, the agent uses ILSpyCMD instead, and for Java, it uses CFR/JADX.

The agent seems stuck or is taking a long time

Agent mode analyses can take up to 13 minutes for complex samples, especially when running Ghidra scripts on large binaries. Each tool has its own timeout (60 seconds for Python, up to 10 minutes for Ghidra), and the agent can auto-continue across multiple steps. If an analysis appears stuck, you can start a new message - the previous tool execution will time out gracefully.

Can I use my own YARA rules?

Yes. You can add custom YARA rules to your account. These are applied alongside DECODA’s built-in rulesets during triage and are available to the agent for on-demand scanning. Rule limits depend on your tier: 5 (Free), 50 (Pro), Unlimited (Max).

How are samples deduplicated?

Samples are deduplicated by SHA256 hash within your account. If you upload the same file twice, the existing triage data is reused rather than re-running the pipeline.

Can DECODA open password-protected sample archives?

Yes. For ZIP, 7z, and RAR archives, DECODA tries the passwords commonly used to share malware samples - infected, malware, virus, password, and 123456 - inside the sandbox. If one works, it selects the primary file from the archive and analyses that. Extraction is bounded by size and file-count limits to guard against zip bombs.
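
The password attempts and extraction limits described above, for the ZIP case only, as an added example using Python's standard zipfile module (not DECODA's own code). The limit values and the names extract_bounded, read_members and ArchiveRejected are assumptions; the password list is the one given in the answer.

```python
import io
import zipfile
import zlib

# Passwords listed in the FAQ answer above.
CANDIDATE_PASSWORDS = (b"infected", b"malware", b"virus", b"password", b"123456")
MAX_FILES = 100                 # assumed limit, not DECODA's real value
MAX_TOTAL_BYTES = 64 * 1024**2  # assumed limit, not DECODA's real value


class ArchiveRejected(Exception):
    """Archive exceeds a limit or could not be read."""


def read_members(zf, members, pwd, max_total):
    """Decompress every member, counting real output bytes against max_total."""
    out, budget = {}, max_total
    for info in members:
        with zf.open(info, pwd=pwd) as fh:
            data = fh.read(budget + 1)  # never inflate more than budget + 1 bytes
        if len(data) > budget:
            raise ArchiveRejected("size limit exceeded")
        budget -= len(data)
        out[info.filename] = data
    return out


def extract_bounded(blob, max_files=MAX_FILES, max_total=MAX_TOTAL_BYTES):
    """Return (files, password_used) for a ZIP held in memory as bytes."""
    zf = zipfile.ZipFile(io.BytesIO(blob))
    members = [i for i in zf.infolist() if not i.is_dir()]
    if len(members) > max_files:
        raise ArchiveRejected("file-count limit exceeded")
    # Cheap early reject on declared sizes. The header can lie, so
    # read_members still enforces the limit on actual decompressed bytes.
    if sum(i.file_size for i in members) > max_total:
        raise ArchiveRejected("size limit exceeded")
    encrypted = any(i.flag_bits & 0x1 for i in members)
    for pwd in (CANDIDATE_PASSWORDS if encrypted else (None,)):
        try:
            return read_members(zf, members, pwd, max_total), pwd
        except (RuntimeError, zipfile.BadZipFile, zlib.error):
            continue  # wrong password: bad check byte, CRC or inflate error
    raise ArchiveRejected("archive unreadable or no candidate password worked")
```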

Billing

What happens when I hit my monthly limit?

If you’re on the Pro or Max tier, you can continue with credits. Credits are purchased in packs and deducted one per query when your monthly allocation is exhausted. On the Free tier, you’ll need to wait until the next month or upgrade. See Plans & Billing for details.

Do credits expire?

Yes. Top-up credits expire 6 months (182 days) after purchase, on a rolling per-purchase basis. Each credit is one additional Agent mode analysis beyond your monthly allocation.

Can I downgrade my plan?

Yes. Downgrade from Settings > Billing. The change takes effect at the end of your current billing period - you keep your current tier’s limits until then.

Can I cancel my subscription?

Yes. Cancel from Settings > Billing. Cancellation takes effect at the end of your current billing period, so you keep access to your tier’s features until then. There is no refund for the remainder of the period. If you change your mind before the period ends, a Resume button reactivates the subscription so it continues renewing normally.

When are credits refunded?

Credits are automatically refunded when an Agent mode analysis is cancelled or fails before any meaningful work is done. This covers analyses you cancel yourself (user_cancelled), sandbox failures (sandbox_failed), AI provider errors (provider_error), and runs that finish with no usable output (no_output). You don’t need to request the refund - it happens automatically.

What do the subscription statuses mean?

| Status | Meaning |
| --- | --- |
| active | Your subscription is current and renewing normally. |
| canceled | Cancellation is scheduled; access continues until the end of the current period. |
| past_due | A payment failed. Update your payment method in the billing portal to keep your features. |
| paused | Billing and renewals are temporarily suspended. |

Reports

What formats can I export reports in?

Reports can be downloaded in up to 8 formats: PDF, DOCX, HTML, Markdown, JSON, CSV, XML, and MITRE ATT&CK Navigator layers. The formats available depend on the report type - not every type supports every format - so check the Export formats column for your chosen report. You can also download a ZIP bundle containing all formats. IOCs can be separately exported as JSON, CSV, or STIX 2.1. See Reports for details.

Can I share a report with my team?

Download the report in your preferred format and share it directly. Reports are self-contained documents that don’t require a DECODA account to view.

Privacy & Security

Who can see my samples and analysis results?

Only you. All data is isolated to your account. There is no cross-user data access, and DECODA does not share samples with third parties.

Can I delete all my data?

Yes. Go to Settings > Security and select Delete Account. This permanently removes all your samples, analyses, reports, and settings.

Getting Help

If you can’t find an answer here, reach out to support@decodalabs.com.