We Built a Free Vulnerability Scanner for IDA Pro. Here's Why.

March 26, 2026
If you reverse engineer binaries, you already know how this goes. You open a binary in IDA. You hit F5. You stare at pseudocode. You scroll. You grep mentally for patterns you've seen before - hardcoded keys, unsafe copies, sketchy API calls. You do this for hours.

It's tedious. It's error-prone. And if you're honest with yourself, you miss things.

The Problem

IDA is the best disassembler and decompiler on the market. But it has zero built-in awareness of security patterns. Hex-Rays gives you beautiful pseudocode and then leaves you completely on your own to figure out if that code is dangerous.

Every external SAST tool requires you to export code, run it through a separate pipeline, cross-reference line numbers back to IDA addresses, and context-switch constantly. Nobody actually does this in practice. So most binary analysis is still manual pattern recognition in your head.

That's a problem when you're auditing firmware, hunting 0days, or doing incident response on stripped binaries.

What We Did About It

Anthony Bondu, one of our security researchers, got tired of this and built a plugin. It's called IDA Security Scanner. It's open-source. It's free.

https://github.com/SymbioticSec/ida-security-scanner

Here's what it does: it takes the pseudocode output from Hex-Rays, runs SAST rules against it using Opengrep, and highlights dangerous patterns directly inside IDA. No export. No context-switching. No separate tool.

You press Ctrl+Shift+S to scan a function. Ctrl+Shift+L to scan the entire binary. Vulnerable functions get flagged in the Functions window. You click, you see the finding, you see the severity, you keep working.
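To make the pipeline concrete, here is a small rule file in the Semgrep-compatible YAML syntax that Opengrep runs. It is an added illustration for this post, not the plugin's own rule set, and it assumes the pseudocode is scanned as C and that imported call names (strcpy, system, ...) have been resolved by IDA; the three rules cover the three pattern families mentioned above (unsafe copies, hardcoded keys, sketchy API calls).

```yaml
# Added example: illustrative Opengrep/Semgrep-syntax rules for scanning
# Hex-Rays pseudocode. Not the plugin's shipped rules. Pseudocode is treated
# as C; Hex-Rays identifiers such as v12 or a1 are plain C identifiers, so
# metavariables like $DST bind to them normally.
rules:
  # 1. Unsafe copies: unbounded writes into a destination buffer.
  - id: pseudocode-unbounded-copy
    languages: [c]
    severity: ERROR
    message: >-
      Unbounded copy into $DST. In decompiled output $DST is often a
      fixed-size stack array; compare its declared size with the source.
    pattern-either:
      - pattern: strcpy($DST, $SRC)
      - pattern: strcat($DST, $SRC)
      - pattern: sprintf($DST, ...)
      - pattern: gets($DST)

  # 2. Hardcoded keys: a string literal handed to a key-setup routine.
  #    Only fires when the callee name survives (imports or user-named funcs).
  - id: pseudocode-hardcoded-key-material
    languages: [c]
    severity: WARNING
    message: >-
      String literal passed to $FUNC; looks like embedded key material.
      Confirm in the Strings/xrefs view before reporting.
    patterns:
      - pattern: $FUNC("...", ...)
      - metavariable-regex:
          metavariable: $FUNC
          regex: (?i).*(aes|des|rc4|chacha|hmac|cipher).*(key|init|setup).*

  # 3. Sketchy API calls: system() with a non-constant command string.
  - id: pseudocode-system-non-literal
    languages: [c]
    severity: WARNING
    message: >-
      system() called with a non-constant command ($CMD). Trace how $CMD is
      built; externally controlled data reaching it is a command-injection risk.
    patterns:
      - pattern: system($CMD)
      - pattern-not: system("...")
```

Severity here maps directly onto the ERROR/WARNING grading the scanner surfaces, so the same file also serves as a template for contributed rules.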

What It Catches

Findings are graded by severity so you know what to look at first. It also has an optional AI explanation feature - point it at a finding and get a plain-language breakdown of why it's flagged and what the risk is.

What It Doesn't Do

It doesn't fix anything. It doesn't modify your IDA database. It doesn't phone home. It's a read-only scanner that tells you where to look.

It's also not magic. SAST on decompiled pseudocode has inherent limitations - variable names are gone, types are sometimes wrong, and the code is a reconstruction. But it catches patterns that are tedious to find manually, and it catches them in seconds instead of hours.

Who This Is For

If you use IDA, you should try it. It installs in under a minute and it's one less reason to stare at pseudocode hoping you'll spot the bug.

Get It

  1. GitHub: https://github.com/SymbioticSec/ida-security-scanner
  2. Hex-Rays Plugin Repo: hcli plugin install ida-security-scanner
  3. Works with: IDA 9.1 - 9.2 (more versions to be confirmed)

If you find something interesting with it, we'd love to hear about it. If you want to contribute rules, PRs are open.