Inspiration

Every day, security operations centers are flooded with suspicious files: email attachments, downloaded executables, extracted archives. Analysts must triage them fast. Most open-source tools dump raw output (hex strings, PE headers, YARA hits) and leave the analyst to connect the dots. We asked: what if a triage platform could reason like a junior analyst, linking evidence across multiple tools, mapping findings to ATT&CK techniques, and producing actionable reports for both technical and executive audiences, all without ever executing the sample? Raven was born from the desire to close the gap between raw tool output and analyst-ready conclusions.

What it does

Raven is a malware triage platform that helps security teams quickly understand what a suspicious file does, how risky it is, and what to do next. When a file is uploaded, Raven initializes its own sandbox, searches autonomously for suspicious behavior, and turns that evidence into a clear, actionable report. It gives analysts the technical details, leadership a simple risk summary, and incident responders practical containment and remediation steps.

How we built it

We built Raven as a full-stack platform that combines a Next.js + React front end, a FastAPI backend, and an agentic orchestration layer. That layer accepts a file and passes it through open-source deobfuscation, malware signature matching, and decompiler tooling. We then bring all of those results together into one report, with every finding tied back to the analysis metrics. That gave us a system that is fast, explainable, and useful for blue-team workflows.

Challenges we ran into

One of our biggest challenges was context management. We first tried using Google ADK for an autonomous malware analysis pipeline, but it felt much better suited for chat-style workflows than for handling megabytes of malware data in a long automated process. Keeping the right evidence in context at the right time was extremely difficult, and that became our biggest technical hurdle. We eventually switched to the Claude Agent SDK near the end of the hackathon, and found that giving the agent Python execution inside the sandbox worked much better than limiting it to narrow pre-made wrappers of tools like grep. That gave the agent more flexibility to investigate and make its own discoveries while the sandbox was hardened. Another challenge was validating our results on a sample whose hashes did not appear in public threat-intel sources, so we had to rely on our own open-source analysis pipeline and evidence-backed reporting instead.

Accomplishments that we're proud of

We're proud that we built Raven as a full end-to-end malware triage platform that goes from file upload to an actionable report without ever executing the malware. We also made the scoring transparent and built a dashboard that serves analysts, executives, and responders at the same time, all from static analysis. It can even generate a containment playbook automatically using real indicators extracted from the sample.
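The transparent scoring, ATT&CK mapping and indicator-derived containment playbook described here and in the build section, as an added example that is not Raven's own code: the findings, their weights, the rule name and the 198.51.100.23 address are constructed, and the tool names stand in for whatever the real pipeline reports.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Finding:
    """One piece of static evidence, kept concrete so an analyst can re-check it."""
    tool: str                 # static tool that produced it (yara, pe-headers, strings)
    evidence: str             # the artifact itself, quoted in the report
    weight: int               # contribution to the risk score
    technique: str            # ATT&CK technique ID the evidence maps to
    indicators: List[str] = field(default_factory=list)  # IOCs usable for containment

# Constructed findings shaped like a static pipeline's output; the rule name,
# entropy value and 198.51.100.23 (RFC 5737 documentation range) are made up.
SAMPLE_FINDINGS = [
    Finding("pe-headers", ".text section entropy 7.92 (likely packed)", 25, "T1027.002"),
    Finding("yara", "rule Generic_Packer matched", 15, "T1027.002"),
    Finding("strings", "URL http://198.51.100.23/update.bin", 30, "T1071.001",
            ["198.51.100.23"]),
    Finding("strings", "imports VirtualAllocEx, WriteProcessMemory, CreateRemoteThread",
            30, "T1055"),
]

def score(findings: List[Finding]) -> Dict:
    """Sum the weights (capped at 100) and keep each finding's contribution,
    so the number on the dashboard can be traced back to evidence."""
    total = min(sum(f.weight for f in findings), 100)
    band = ("critical" if total >= 80 else "high" if total >= 50
            else "medium" if total >= 20 else "low")
    contributions = [{"tool": f.tool, "evidence": f.evidence,
                      "technique": f.technique, "weight": f.weight} for f in findings]
    return {"score": total, "band": band, "contributions": contributions}

def by_technique(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group evidence under ATT&CK technique IDs for the technical section."""
    grouped: Dict[str, List[str]] = {}
    for f in findings:
        grouped.setdefault(f.technique, []).append(f"{f.tool}: {f.evidence}")
    return grouped

def containment_playbook(findings: List[Finding]) -> List[str]:
    """Responder steps built only from indicators actually extracted from the sample."""
    steps = []
    for f in findings:
        for ioc in f.indicators:
            steps.append(f"Block outbound connections to {ioc} at the egress proxy/firewall")
            steps.append(f"Search proxy and DNS logs for earlier connections to {ioc}")
    return steps
```

Calling `score(SAMPLE_FINDINGS)` returns the capped total together with every contributing finding, which is what lets the executive summary and the analyst view cite the same evidence.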

What we learned

Building Raven taught us that effective malware analysis is not just about finding threats, but about making the results clear and actionable for defenders. We learned the value of explainable scoring, evidence-based conclusions, and designing for multiple audiences at once. We also learned that static analysis can provide a surprising amount of insight when done well, while also showing us where dynamic analysis could make the platform even stronger in the future.

What's next for Raven

In the future, we want to expand Raven with secure dynamic analysis for samples that evade static detection, add deeper reverse engineering tools like capa, Ghidra, and radare2, and improve scalability with a real database and async job queue. We also plan to broaden support beyond PE files to include ELF and Mach-O binaries.
