Security Isn't a Feature.
It's the Foundation.
We built Binary2English with one assumption: you are going to upload live, weaponized malware. Our infrastructure is designed like a digital blast chamber.
Isolation
Three-Layer Protection
Your binary never touches our servers. Not metaphorically — literally.
Memory-Backed Quarantine
When your file uploads, it is written to a tmpfs mount — a filesystem that exists entirely in RAM, with noexec and nosuid flags. Nothing in this filesystem can be executed. The binary sits in volatile memory — if the server loses power, the file vanishes.
gVisor Kernel Isolation
The analysis runs inside a gVisor container — Google’s open-source container runtime that reimplements the Linux kernel in userspace. Unlike standard Docker containers which share the host kernel, gVisor intercepts every system call. If the malware contains a zero-day kernel exploit, it hits gVisor’s userspace implementation — not the real Linux kernel.
Enforced Resource Boundaries
Beyond runtime isolation, strict resource constraints are enforced at the container level. Each analysis session operates within fixed boundaries that prevent resource abuse regardless of what the binary attempts.
- Memory ceiling: Hard cap prevents exhaustion attacks
- CPU core limit: Bounded compute prevents resource DoS
- Process cap: Fork bomb mitigation at the kernel level
- Network isolation: No outbound connectivity permitted
- Read-only filesystem: Immutable except designated workspace
- Privilege lock: No capability escalation after launch
Provenance
Every Conclusion Traces to Source Bytes
When the report says “Format string vulnerability at offset 0x401890,” there is a cryptographic chain connecting that sentence to the specific bytes.
- The specific bytes at offset 0x401890 in your binary
- The disassembly engine that decoded those bytes
- The dataflow engine that traced user input to that offset
- The semantic engine that classified the function
- The NLG engine that wrote the sentence
Each link is hashed with SHA-256 so you can verify that no finding was modified, inserted, or removed after analysis.
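One way such a chain can be built and checked, as an added example that is not Binary2English's own code. The record layout, stage names, sample payloads and the separately stored head hash are assumptions; the head hash goes slightly beyond what the page describes, because a chain alone cannot reveal trailing links that were dropped.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first link

# Constructed sample data: the five links the page lists, with made-up payloads.
SAMPLE_LINKS = [
    ("source_bytes", {"offset": "0x401890", "bytes_hex": "e8cbfeffff"}),
    ("disassembly", {"instruction": "call printf"}),
    ("dataflow", {"source": "argv[1]", "sink_argument": 0}),
    ("semantic", {"classification": "unsafe_format_call"}),
    ("nlg", {"sentence": "Format string vulnerability at offset 0x401890"}),
]


def link_hash(prev_hash, stage, payload):
    """SHA-256 over canonical JSON, so equal content always hashes equally."""
    body = json.dumps({"prev": prev_hash, "stage": stage, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def build_chain(links):
    """Bind every link to the hash of the one before it."""
    chain, prev = [], GENESIS
    for stage, payload in links:
        digest = link_hash(prev, stage, payload)
        chain.append({"stage": stage, "payload": payload,
                      "prev": prev, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain, trusted_head):
    """Return None if intact, else the index where verification fails.

    trusted_head is the final hash kept outside the report (assumption).
    Without it, dropping trailing links or rebuilding the whole chain
    would still produce an internally consistent record.
    """
    prev = GENESIS
    for i, link in enumerate(chain):
        recomputed = link_hash(prev, link["stage"], link["payload"])
        if link["prev"] != prev or link["hash"] != recomputed:
            return i
        prev = link["hash"]
    return None if prev == trusted_head else len(chain)
```

A return value equal to `len(chain)` means every link is internally consistent but the chain does not end at the trusted head, which is what truncation looks like.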
Quality Assurance
8 Mandatory Validation Gates
A phase cannot pass its gate until quality criteria are satisfied. If a gate fails, the pipeline loops back and re-evaluates.
| Gate | Phase | What It Checks |
|---|---|---|
| 1 | Binary Ingest | File format correctly identified, SHA-256 computed, all sections parsed |
| 2 | Instruction Decode | Architecture confirmed, instruction stream valid, no decoder errors |
| 3 | Control Flow | CFG complete and connected, no orphan nodes, all branches resolved |
| 4 | Semantic Analysis | Behavioral profile consistent, function classifications validated |
| 5 | Knowledge Base | Enrichment data verified against source databases, no stale CVE data |
| 6 | Validation | 240 QA checks passed: evidence references valid, narrative matches data |
| 7 | Final QA | Cross-role consistency verified, internal terminology removed |
| 8 | Output | Report structure valid, all sections present, export formats generated |
Unverified claims do not appear in the report. If Gate 6 detects a narrative claim not confirmed by dataflow, the finding is rejected — not included with a lower confidence score.
Data Handling
Zero Data Retention
Your binary is destroyed after analysis. Not archived. Not backed up. Destroyed.
- Container terminated
- tmpfs unmounted (RAM zeroed)
- Temporary directory deleted
- Only the report persists — you control it
For organizations with strict data residency: Enterprise plans include on-premises and air-gapped deployment.
Access Control
Enterprise Authentication
SSO
- SAML 2.0 (Okta, OneLogin)
- OpenID Connect (Microsoft, Google, Auth0)
- GitHub OAuth
MFA
- Authenticator app (TOTP) (Recommended)
- Hardware security key (FIDO2/WebAuthn)
- SMS (fallback only)
RBAC
- Admin — Full access
- Analyst — Analysis + API
- Viewer — Report viewing only
Compliance
SOC 2 Type II
Enterprise-grade compliance with independent audit verification. TLS 1.3 in transit, AES-256 at rest. Quarterly penetration testing.
| Aspect | Policy |
|---|---|
| Binary storage | RAM only (tmpfs). Destroyed after analysis. |
| Report storage | Encrypted at rest (AES-256). User-controlled retention. |
| Data residency | Cloud (default) or on-premises (Enterprise). |
| Network encryption | TLS 1.3 for all connections. |
| Third-party sharing | Never. Your data is yours. |
| GDPR compliance | Right to erasure available. Full data export available. |
| Penetration testing | Quarterly, by independent third party. |
| Incident response | Published IR plan. 24-hour notification SLA. |
What's Hiding in Your Binary?
Right now, compiled software is running on your servers, embedded in your devices, and processing your customers' data. You didn't write it. You can't read the source code. You're trusting it because someone told you to.