Generating a Report
To create a report, simply ask the agent in your chat:

“Generate a threat intelligence report for this sample”

The agent will compile all findings from the current analysis session, including triage data, tool outputs, and its own conclusions, into a structured document.

As an alternative to prompting the agent, DECODA also provides a report-type selector. Report types are grouped into three categories - Full Reports, Summary, and Threat Intelligence - and each card shows the report’s name, a short description, its intended audience, and the export formats it supports, so you can pick the right template at a glance.
Report Types
DECODA offers several report templates tailored to different audiences and use cases:

| Template | Best For | Export formats |
|---|---|---|
| Full Technical Report | Analysts and reverse engineers who need full analysis detail | PDF, DOCX, Markdown, HTML, JSON |
| Executive Summary | Non-technical stakeholders who need risk assessment and business impact | PDF, DOCX, Markdown, HTML |
| Triage Summary | Quick-look assessment for initial incident response prioritisation | PDF, Markdown, JSON |
| IOC Report | Focused list of extracted indicators for threat intel feeds | PDF, Markdown, JSON, CSV |
| MITRE ATT&CK Report | Technique coverage analysis for detection engineering | PDF, Markdown, HTML, JSON, ATT&CK Navigator |
| STIX 2.1 Bundle | Machine-readable threat intelligence package for sharing between organisations | JSON, XML |
| Sample Comparison | Side-by-side comparison of multiple samples | PDF, DOCX, Markdown, HTML, JSON |
Not every report type supports every export format. For example, the STIX bundle is available only as JSON or XML, the Executive Summary cannot be exported as JSON, CSV, or XML, and the ATT&CK Navigator layer is offered only by the MITRE ATT&CK report.
“Generate an executive summary for this sample”
“Create a MITRE ATT&CK mapping report”
How Reports Are Generated
DECODA can produce a report along two paths:

- AI-authored narrative (default). A language model writes the report from your analysis findings and chat transcript, producing a fluent, context-aware narrative tailored to the chosen report type and your perspective. If the primary model hits a retryable error, generation automatically retries once on a fallback model for resilience. If both attempts fail, DECODA surfaces an error so you can retry rather than returning an incomplete report.
- Template-based (deterministic). A programmatic template assembles the report directly from the structured findings, with no language model involved. This path is predictable and repeatable, which is useful when you want consistent output, are generating machine-readable formats such as the STIX bundle, or prefer not to use AI generation.
The AI-authored path is best when you want a readable, stakeholder-ready write-up. The deterministic template is best when you need consistent, reproducible structure or are exporting purely machine-readable data.
Report Structure
The full Technical Analysis report follows a consistent structure:

Executive Summary
A high-level overview of the sample, its classification, and the assessed threat level. Written for non-technical stakeholders who need to understand the risk without diving into technical details.

Technical Analysis
Detailed findings from the analysis, including:

- File metadata and classification
- Code analysis highlights (decompiled functions, suspicious patterns)
- Behavioural indicators (API calls, string artefacts, embedded resources)
- Evasion techniques detected (packing, obfuscation, anti-analysis tricks)
Indicators of Compromise (IOCs)
Extracted indicators organised into three categories:

| Category | Examples |
|---|---|
| Network | Domains, IP addresses, URLs, C2 endpoints |
| File | Hashes (MD5, SHA1, SHA256), file names, file paths, mutexes |
| Host | Registry keys, scheduled tasks, service names, process names |
MITRE ATT&CK Mapping
Techniques and tactics observed in the sample, mapped to the MITRE ATT&CK framework. Each mapping includes:

- Technique ID (e.g., T1055 - Process Injection)
- Tactic category (e.g., Defense Evasion)
- Evidence from the analysis supporting the mapping
Export Formats
Reports can be downloaded in up to 8 formats. The formats available depend on the report type - see the Export formats column in the Report Types table above for which formats each type supports. Use the download menu on any report to choose from the formats it offers.

PDF
Formatted document for stakeholders, incident reports, or archiving.
DOCX
Microsoft Word format for editing, annotation, or integration with existing report templates.
HTML
Self-contained HTML file viewable in any browser or embeddable in internal tools.
Markdown
Clean text format for wikis, tickets, or version-controlled documentation.
JSON
Structured data for SIEM ingestion, automation pipelines, or custom tooling.
CSV
Spreadsheet-compatible format for manual review or bulk import.
XML
Standard markup format for enterprise integrations and legacy systems.
ATT&CK Navigator
MITRE ATT&CK Navigator layer file for visualising technique coverage in the Navigator tool.
ZIP Bundle
You can also download a ZIP bundle containing all report formats and raw analysis data in a single archive - useful for archiving a complete analysis or sharing everything with a team.

Raw Data Exports
Beyond formatted reports, DECODA lets you export the underlying analysis data directly:

| Export | Contents |
|---|---|
| Strings | All extracted strings with categories and cross-references |
| YARA | YARA match results from all scans |
| Functions | Function list with addresses, sizes, and call counts |
| Imports | Import table with cross-references |
| IOCs | Extracted indicators of compromise |
| Crypto | Detected cryptographic constants and algorithms |
| Decompilation | Decompiled source output |
IOC Export
In addition to full reports, you can export just the IOCs in machine-readable formats:

- JSON - Structured data for ingestion into SIEMs or threat intel platforms
- CSV - Spreadsheet-compatible format for manual review or bulk import
- STIX 2.1 - Standard format for sharing threat intelligence between organisations and tools
“Extract all IOCs from this sample and export as STIX”
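
As an added illustration (not DECODA's code or its actual output), the sketch below shows how indicators from the Network, File, and Host categories map onto STIX 2.1 indicator patterns inside a bundle, and why some host indicators need separate handling. The input record shape, the sample values, and the function names are assumptions constructed for this example.

```python
import uuid
from datetime import datetime, timezone

# Constructed sample IOCs. The (category, type, value) record shape is an
# assumption for this example, not DECODA's export schema.
SAMPLE_IOCS = [
    {"category": "Network", "type": "domain", "value": "c2.example.com"},
    {"category": "Network", "type": "ipv4", "value": "198.51.100.7"},
    {"category": "File", "type": "sha256", "value": "a" * 64},
    {"category": "File", "type": "mutex", "value": "Global\\ExampleMutex"},
    {"category": "Host", "type": "registry_key", "value": "HKEY_CURRENT_USER\\Software\\Example"},
    {"category": "Host", "type": "service_name", "value": "ExampleSvc"},
]

# IOC type -> STIX 2.1 cyber-observable object path used in the pattern.
STIX_PATHS = {
    "domain": "domain-name:value",
    "ipv4": "ipv4-addr:value",
    "url": "url:value",
    "sha256": "file:hashes.'SHA-256'",
    "mutex": "mutex:name",
    "registry_key": "windows-registry-key:key",
}

def to_pattern(ioc):
    """Return a STIX pattern string, or None for types with no mapping here."""
    path = STIX_PATHS.get(ioc["type"])
    if path is None:
        return None
    # STIX string literals escape backslash and single quote with a backslash.
    value = ioc["value"].replace("\\", "\\\\").replace("'", "\\'")
    return f"[{path} = '{value}']"

def build_bundle(iocs, now=None):
    """Wrap mappable IOCs as STIX 2.1 indicators; return (bundle, skipped)."""
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects, skipped = [], []
    for ioc in iocs:
        pattern = to_pattern(ioc)
        if pattern is None:
            skipped.append(ioc)  # e.g. service names: no simple observable path
            continue
        objects.append({
            "type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
            "created": ts, "modified": ts, "valid_from": ts,
            "name": f"{ioc['category']} IOC ({ioc['type']})",
            "pattern_type": "stix", "pattern": pattern,
        })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}, skipped
```

Calling `build_bundle(SAMPLE_IOCS)` returns the bundle together with the indicators it could not map, so unmapped host artefacts are reported rather than silently dropped.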
Managing Reports
All generated reports are saved and linked to the sample and chat session that produced them. You access them from the file context panel within that chat, where each report offers download, bundle, and raw export actions - so you can always trace findings back to the original analysis. From here you can list your saved reports, view any of them, and delete the ones you no longer need. Saved reports persist indefinitely - they have no expiry and remain available until you delete them.

Saved reports are distinct from analysis artifacts. Artifacts (such as large tool outputs cached during analysis) expire automatically after 24 hours, whereas reports you generate are kept permanently until you remove them.