After analysing a sample in Agent mode, you can ask DECODA to generate a structured threat intelligence report that captures all findings in a shareable format.

Generating a Report

To create a report, simply ask the agent in your chat:
“Generate a threat intelligence report for this sample”
The agent will compile all findings from the current analysis session, including triage data, tool outputs, and its own conclusions, into a structured document.
For the best reports, run a thorough analysis in Agent mode first. The more tools the agent has run and the more findings it has collected, the richer the report will be.

Report Types

DECODA offers several report templates tailored to different audiences and use cases:
| Template | Best For |
| --- | --- |
| Executive Summary | Non-technical stakeholders who need risk assessment and business impact |
| Technical Analysis | Analysts and engineers who need full analysis detail |
| Triage Report | Quick summary of automated triage findings |
| IOC Report | Focused list of extracted indicators for threat intel feeds |
| MITRE ATT&CK Mapping | Technique coverage analysis for detection engineering |
| Comparison Report | Side-by-side comparison of multiple samples |
| STIX Bundle | Machine-readable threat intelligence package for sharing between organisations |
You can ask the agent for a specific type:
“Generate an executive summary for this sample”
“Create a MITRE ATT&CK mapping report”

Report Structure

The full Technical Analysis report follows a consistent structure:

Executive Summary

A high-level overview of the sample, its classification, and the assessed threat level. Written for non-technical stakeholders who need to understand the risk without diving into technical details.

Technical Analysis

Detailed findings from the analysis, including:
  • File metadata and classification
  • Code analysis highlights (decompiled functions, suspicious patterns)
  • Behavioural indicators (API calls, string artefacts, embedded resources)
  • Evasion techniques detected (packing, obfuscation, anti-analysis tricks)

Indicators of Compromise (IOCs)

Extracted indicators organised into three categories:
| Category | Examples |
| --- | --- |
| Network | Domains, IP addresses, URLs, C2 endpoints |
| File | Hashes (MD5, SHA1, SHA256), file names, file paths, mutexes |
| Host | Registry keys, scheduled tasks, service names, process names |

MITRE ATT&CK Mapping

Techniques and tactics observed in the sample, mapped to the MITRE ATT&CK framework. Each mapping includes:
  • Technique ID (e.g., T1055 - Process Injection)
  • Tactic category (e.g., Defense Evasion)
  • Evidence from the analysis supporting the mapping

Export Formats

Reports can be downloaded in 8 formats. Use the download menu on any report to choose your preferred format.

PDF

Formatted document for stakeholders, incident reports, or archiving.

DOCX

Microsoft Word format for editing, annotation, or integration with existing report templates.

HTML

Self-contained HTML file viewable in any browser or embeddable in internal tools.

Markdown

Clean text format for wikis, tickets, or version-controlled documentation.

JSON

Structured data for SIEM ingestion, automation pipelines, or custom tooling.

CSV

Spreadsheet-compatible format for manual review or bulk import.

XML

Standard markup format for enterprise integrations and legacy systems.

ATT&CK Navigator

MITRE ATT&CK Navigator layer file for visualising technique coverage in the Navigator tool.

ZIP Bundle

You can also download a ZIP bundle containing all report formats and raw analysis data in a single archive — useful for archiving a complete analysis or sharing everything with a team.

Raw Data Exports

Beyond formatted reports, DECODA lets you export the underlying analysis data directly:
| Export | Contents |
| --- | --- |
| Strings | All extracted strings with categories and cross-references |
| YARA | YARA match results from all scans |
| Functions | Function list with addresses, sizes, and call counts |
| Imports | Import table with cross-references |
| IOCs | Extracted indicators of compromise |
| Crypto | Detected cryptographic constants and algorithms |
| Decompilation | Decompiled source output |

IOC Export

In addition to full reports, you can export just the IOCs in machine-readable formats:
  • JSON — Structured data for ingestion into SIEMs or threat intel platforms
  • CSV — Spreadsheet-compatible format for manual review or bulk import
  • STIX 2.1 — Standard format for sharing threat intelligence between organisations and tools
To export IOCs, ask the agent:
“Extract all IOCs from this sample and export as STIX”
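
An added example, not part of DECODA or its documentation: Python that reads a STIX 2.1 bundle and groups the indicator pattern values into the Network, File and Host categories used in the IOC table above, so each group can be routed to the right control. The bundle is constructed and trimmed to the fields the code reads; what DECODA's own export contains is not shown on this page, and the names `categorise`, `SAMPLE_BUNDLE` and the "Uncategorised" bucket are assumptions.

```python
import re
from collections import defaultdict

# STIX 2.1 object types mapped onto the report's three IOC categories.
# Mutexes go under "File" because the report's IOC table lists them there.
CATEGORY_BY_TYPE = {
    "domain-name": "Network", "ipv4-addr": "Network", "ipv6-addr": "Network",
    "url": "Network", "file": "File", "mutex": "File",
    "windows-registry-key": "Host", "process": "Host",
}

# One comparison inside a STIX pattern, e.g. file:hashes.MD5 = 'd41d...'
COMPARISON = re.compile(r"([a-z0-9-]+):([^\s=]+)\s*=\s*'((?:[^'\\]|\\.)*)'")


def categorise(bundle):
    """Group indicator values by report category: {category: [(path, value)]}."""
    grouped = defaultdict(set)
    for obj in bundle.get("objects", []):
        # Only STIX-pattern indicators; skip malware objects, YARA patterns, etc.
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for obj_type, path, raw in COMPARISON.findall(obj.get("pattern", "")):
            value = re.sub(r"\\(.)", r"\1", raw)  # undo STIX \\ and \' escapes
            category = CATEGORY_BY_TYPE.get(obj_type, "Uncategorised")
            grouped[category].add((f"{obj_type}:{path}", value))
    return {cat: sorted(vals) for cat, vals in grouped.items()}


# Constructed sample bundle (trimmed to the fields this example reads).
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "malware", "name": "constructed-sample"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update.example.com']"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7']"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[file:name = 'svc.exe' AND "
                    "file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[windows-registry-key:key = "
                    r"'HKEY_CURRENT_USER\\Software\\Example\\Run']"},
        {"type": "indicator", "pattern_type": "yara", "pattern": "rule x {}"},
    ],
}

if __name__ == "__main__":
    for category, values in categorise(SAMPLE_BUNDLE).items():
        print(category, values)
```

Object types missing from `CATEGORY_BY_TYPE` land in "Uncategorised" rather than being dropped, so unexpected indicator kinds stay visible for review.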

Managing Reports

All generated reports are saved to your account and accessible from the reports page. Each report is linked to the sample and chat session that produced it, so you can always trace findings back to the original analysis.