
1. Create Your Account

Head to decodalabs.com and sign up. DECODA supports OAuth and SAML authentication via WorkOS. Once you’ve signed in, you’ll land on the analysis screen.
The free tier includes 25 Ask queries and 5 Agent Credits per month, so you can try everything without a credit card.
When you first sign up, DECODA sends a welcome email to your address with a link straight to your dashboard.

2. Upload a Sample

From the main screen, you can upload a file in two ways:
  • Drag and drop a file directly onto the input area
  • Click the attach button to browse your filesystem
DECODA supports executables (PE, ELF, Mach-O), scripts, Office documents, PDFs, JAR files, and archives (ZIP, with zip bomb detection).
Each tier enforces a file-size limit when you attach a file. The per-tier size limits are Free 30 MB, Pro 100 MB, and Max 200 MB; see Billing for the full plan comparison. If a file exceeds your limit, an error toast appears and the file is not attached.
DECODA also surfaces informational warning toasts for suspicious files, such as a double extension (for example document.pdf.exe) or an executable. These warnings are advisory only and do not block the upload, since the sandbox provides isolation.
Uploaded files are stored securely. All analysis runs inside isolated sandboxes with no network access.

3. Wait for Triage

As soon as your file uploads, DECODA’s automated triage pipeline kicks in. You’ll see real-time progress as it:
  1. Hashes the file (MD5, SHA1, SHA256; plus imphash for PE files)
  2. Scans with built-in YARA rulesets (malware families, packers, ransomware signatures)
  3. Classifies the binary type and extracts metadata (PE sections, compilation timestamps, security flags)
Triage results appear as a summary card in your chat within seconds.
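
A local pre-upload check covering the hashing and type-classification steps above, plus the double-extension and size-limit checks from the upload step, so the digests on the triage card can be compared with ones computed independently. This is an added example, not DECODA's code; the magic-byte table, extension sets, function names, and the reading of 1 MB as 1,048,576 bytes are assumptions, and imphash and YARA scanning are left out.

```python
import hashlib
from pathlib import Path

# Per-tier upload limits as stated on this page (1 MB = 1024*1024 bytes is an assumption).
TIER_LIMITS_MB = {"free": 30, "pro": 100, "max": 200}

# Leading magic bytes for the file types the page lists (table is illustrative, not exhaustive).
MAGIC = [
    (b"MZ", "PE"),
    (b"\x7fELF", "ELF"),
    (b"\xfe\xed\xfa\xce", "Mach-O"), (b"\xfe\xed\xfa\xcf", "Mach-O"),
    (b"\xce\xfa\xed\xfe", "Mach-O"), (b"\xcf\xfa\xed\xfe", "Mach-O"),
    (b"\xca\xfe\xba\xbe", "Mach-O fat or Java class"),
    (b"PK\x03\x04", "ZIP container (ZIP, JAR, OOXML)"),
    (b"%PDF-", "PDF"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 (legacy Office)"),
]
# Assumed extension sets for the double-extension heuristic.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".jar"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

def classify(head: bytes) -> str:
    """Return a coarse file type from the first bytes of the file."""
    for magic, label in MAGIC:
        if head.startswith(magic):
            return label
    return "unknown"

def has_double_extension(name: str) -> bool:
    """True for names like document.pdf.exe: a document suffix followed by an executable one."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    return (len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS
            and suffixes[-2] in DOCUMENT_EXTS)

def precheck(name: str, data: bytes, tier: str = "free") -> dict:
    """Compute the digests and advisory flags for one file held in memory."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "type": classify(data[:8]),
        "double_extension": has_double_extension(name),
        "within_limit": len(data) <= TIER_LIMITS_MB[tier] * 1024 * 1024,
    }

if __name__ == "__main__":
    sample = b"MZ" + b"\x00" * 62  # constructed bytes, not a real executable
    for key, value in precheck("document.pdf.exe", sample).items():
        print(f"{key}: {value}")
```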

4. Start Analysing

You have two modes to choose from. Toggle between them at the top of the input area.

Ask Mode

Type a question in plain English and get an instant response. Great for:
  • “What type of file is this?”
  • “Does this sample use any known packing techniques?”
  • “Explain what the YARA matches mean”
Ask mode uses a fast LLM and doesn’t run any sandbox tools. It’s ideal for quick triage questions.

Agent Mode

For deeper analysis, switch to Agent mode. The AI will autonomously decide which tools to run, execute them in a sandboxed microVM, and synthesise the results. For example:
  • “Decompile the main function and explain what it does”
  • “Extract all network IOCs from this sample”
  • “Run a full static analysis and generate a report”
You’ll see each tool execution streamed in real time as the agent works.
See the Analysis Modes guide for a full breakdown of both modes and the available tools.

5. Generate a Report

Once you have enough findings, ask the agent to generate a report:
“Generate a threat intelligence report for this sample”
The report includes an executive summary, technical analysis, IOCs (network, file, and host indicators), and MITRE ATT&CK technique mappings. You can download it as Markdown, PDF, or HTML.

Next Steps

Analysis Modes

Deep dive into Ask vs Agent mode and the full tool catalogue.

Triage Pipeline

Learn exactly what the automated triage does and how to read the results.