May 4, 2026
Company
Product
Introducing Delphos Labs: Securing the Software That Actually Runs
Revealing hidden threats in compiled software without source code.
DDCF
David Dubick, Caleb Fenton
A Binary Backdoor in Plain Sight
In early 2024, we watched a single backdoor slip into XZ Utils, a widely used compression library buried deep in the Linux stack. The malicious code was peer-reviewed, digitally signed, and shipped to millions of servers before anyone caught it. If a core dependency can be hijacked in plain sight, what else is running that defenders can’t see?
From Stuxnet, which crippled Iranian nuclear centrifuges, to Russian cyber operations that disabled parts of Ukraine’s infrastructure hours before physical strikes, to SolarWinds SUNBURST, which breached over 18,000 customers, attackers have proven the same point for more than a decade:
They’re not breaking in. They’re logging in with signed software, and the pace is accelerating.
With AI accelerating both software development and exploitation, defenders need to see inside the code they actually run before attackers weaponize that speed. For enterprise security teams and national security operators alike, that means validating third-party software, vendor updates, and mission-critical binaries for malicious or risky behavior before they introduce risk, without breaking existing workflows or compromising compliance obligations.
Today, we’re unveiling Delphos Labs, the AI-native platform we wish we’d had for years. It empowers security teams to understand compiled software without running it or accessing source code. No symbols, no sandbox, just instant insights. As digital threats evolve, our response must too. The launch marks the first step toward making software understandable at the speed modern systems demand.
AI is Reshaping the Cyber Battlefield
We’ve watched AI collapse the gap between discovery and exploit. It has made software creation and cyberattacks faster, cheaper, and more accessible. What once demanded state-level expertise can now be done in minutes by anyone with a GPU.
We’re already seeing the weaponization of AI in real time:
- LLMs churning out phishing kits in seconds
- Polymorphic payloads that evade signature scanners
- Automated chaining of multiple zero-days into single, coordinated campaigns
This shift forces us to ask a bigger, more critical question: How can we utilize these capabilities to improve cybersecurity and make the world safer?
Attackers Consistently Compromise Critical Compiled Code
AI is accelerating a long-standing reality: advanced and APT-level campaigns targeting supply chains, developers, and high-value systems are faster, stealthier, and more frequent than ever. Signed software is no guarantee of safety. Attackers routinely hide backdoors, logic bombs, and malicious updates where defenders are least likely to look: deep inside the compiled code.
A few examples:
- XZ Utils backdoor (CVE-2024-3094) (2024) - "Jia Tan" spent ~2 years as a trusted maintainer before injecting obfuscated code that could grant root SSH access across Linux distros--caught just days before mass release.
- Kaseya VSA (2021) - REvil exploited a zero-day in the RMM platform, pushing fake updates that ransomware'd 1,000+ downstream firms and demanding $70 million.
- SolarWinds "Sunburst" (2020) - APT modified Orion’s CI pipeline; a signed update planted a C2 backdoor on ~18,000 customers, including multiple U.S. federal agencies.
- CCleaner / ShadowPad (2017) - Compromised build server inserted a signed back-doored DLL, pushing malware to ~2.3 million PCs and later targeting tech giants.
- Juniper ScreenOS backdoor (2015) - Attackers tampered with firewall firmware, adding a hard-coded master password and Dual_EC tweak, exposing ~26,000 devices to admin takeover and VPN decryption.
- Stuxnet (2010) - Nation-state worm signed with stolen Realtek/JMicron certs and four 0-days rewrote PLC logic, physically destroyed ~1,000 Iranian centrifuges.
This is no longer just a software problem; it is a global defense priority. Nation-state actors now rely on trusted, signed software to establish persistent, long-term access to critical systems from financial markets to energy grids to government infrastructure. Many of these threats are already in place, dormant, and waiting to act.
Why Defenders Can’t See Inside the Software They Trust
Most of these attacks succeed because compiled code is a black box. Disassembling a binary into assembly is time-consuming and difficult for humans to read, like trying to understand a forest by inspecting each leaf under a microscope. As a result, most teams don’t condct a deep inspection of code.
The problem is compounded by volume. Modern build pipelines move enormous amounts of compiled artifacts, firmware updates, SaaS releases, third-party libraries, and closed-source components, far more than any team can manually analyze. Attackers exploit this blind spot by embedding backdoors and malicious logic directly into compiled software, where most defenses never look.
Legacy security defenses weren’t built for this challenge:
- Stripped, packed, or obfuscated binaries break most analyzers
- Sandboxes can’t run or fully emulate every environment
- Signature-based detection only flags what’s already known
- Most tools assume source access, leaving defenders blind with legacy OT firmware, vendor-controlled SaaS, or closed-source builds
As a result, most vendor-supplied firmware, SaaS updates, and closed-source components are deployed without ever truly being examined. We’ve repeatedly seen vendors unaware that they’ve been compromised.
The reason isn’t a failure of effort; it’s a failure of scale. Most organizations lack the specialized talent and budget required to reverse-engineer every file entering their networks, and even the best-resourced teams can only analyze a fraction of what they receive. Thus, the vast majority of malware goes unanalyzed, and nearly all commercial software and patches are never inspected. SBOMs help, but they remain just a stopgap.
The solution is automated reverse engineering at scale. Until recently, that simply wasn’t possible without source code. That constraint is now changing. Large language models enable parsing logic, describing behavior, and surfacing vulnerabilities across massive volumes of compiled software. If AI can write polymorphic malware in minutes, it should also be able to help defenders reverse it and understand software just as quickly, without source code.
That’s the gap we’re closing: what runs after the source is gone, what changed, and whether you can trust it before it’s too late. We built Delphos Labs to answer those questions quickly and at scale. We’re only getting started.
Meet the Team and Our Mission
Despite starting on opposite ends of the cyber battlefield, we kept running into the same problem: the most critical software often ran without ever being fully understood or validated. That shared frustration and determination to solve it brought us together to start Delphos Labs.
I (David Dubick), CEO and Co-Founder, cut my teeth as a CIA analyst before joining Palantir as a product manager, then became a successful venture capitalist funding frontier cyber and AI startups.
I (Caleb Fenton), CTO and Co-Founder, have worked in cybersecurity for over 15 years as a software engineer and malware analyst, building several widely used malware analysis and reverse-engineering tools. Before founding Delphos Labs, I led the Innovation team as an AVP at SentinelOne, where my team prototyped AI-powered security products and features.
We’ve since recruited industry-leading AI researchers, security researchers, and reverse engineers from Palo Alto Networks, Google, NASA, Lookout Mobile Security, and the FBI, bringing together the expertise needed to close this blind spot and outpace adversaries on the digital battlefield.
We aim to shift the balance of power in favor of defenders and red teams. We raised a $7.25M seed round backed by people who understand the urgency from enterprise cybersecurity to critical infrastructure and national security: Decibel Partners, In-Q-Tel (the Intelligence Community’s investment arm), SentinelOne Ventures, Matt Ocko of DCVC, Sequoia’s Bill Coughran, and Glenn Chisholm, Co-Founder of Obsidian Security.
What is Delphos Labs?
Instead of relying on static signatures or direct source access, Delphos Labs converts binaries into an intermediate representation that captures control flow, data flow, and key semantic patterns. This allows our models to generalize across architectures and compilers, from ARM firmware to stripped Linux binaries, and to map embedded components and library versions, even in closed-source code.
Delphos Labs reasons over compiled software the way experienced reverse engineers do, combining multiple analysis techniques to understand intent, not just indicators. By applying semantic understanding to compiled code, Delphos Labs detects logic and behaviors while extracting consistent, meaningful insights across architectures. It surfaces logic, components, and risks within obfuscated third-party apps, vendor patches, and packed executables at the same speed and accuracy across artifacts. This enables teams to identify threats, verify software integrity, and remediate risks at scale.
See Delphos Labs in action: Instantly vet any software, even without source code, and spot risks before they land in production. Try Us Now or Request a Demo to experience expert reverse engineering insights in minutes.
How Security Teams Use Delphos Labs
- Triage malware detections in minutes
- Find known and zero-day vulnerabilities more quickly
- Vet third-party software and vendor builds
- Reverse-engineer unknown or suspicious files and prioritize deeper analysis
- Validate software updates and patch integrity at machine speed
Whether you're responding to an incident or reviewing a vendor build, Delphos Labs gives you fast, efficient, and explainable answers about malicious or risky behavior without source code.
Key Capabilities
- Plain-language behavior summaries for SOC triage and executive briefings
- 0-day detection based on understanding the code, not brittle signatures
- Binary diffing that flags stealthy logic changes across builds
- Component identification and embedded library mapping (including versions), even in closed-source binaries
- Security mitigation detection
Workflow Integrations
Delphos Labs is designed to work where you already operate, inside your existing security and reverse engineering workflows.
- IDA Pro & Ghidra Plugins: Analyze binaries directly within your preferred tools using Delphos Labs’s plugins. Bring semantic understanding into your disassembly, surfacing behaviors, risks, and insights alongside the code you’re already analyzing.
- Chat with a Binary: Interact with compiled code via a natural language Q&A interface with Delphos. Quickly receive analyst-grade explanations: understand functions, uncover suspicious logic, and trace execution paths without manual reconstruction or expert reverse engineering skills.
- Ask questions such as:
- Help me understand this binary
- What does this function do?
- Find potential vulnerabilities
- Suggest better names of functions
- Seamless Workflow Integration: Whether triaging malware, analyzing third-party software, or reverse-engineering unknown or suspicious files, Delphos fits into your workflow without sandboxing or source access.
Who Uses Delphos Labs and Where?
Delphos Labs is used wherever organizations need to understand risk across the software they build, buy, and run, especially when blind trust and limited visibility create meaningful risk.
Advanced malware analysis beyond detection: Reveal hidden behavior, evasion techniques, and dormant logic, even in stripped or obfuscated binaries where signatures and sandboxes fail.
Third-party software risk inspection before trust: Vendor applications and closed-source software are examined directly to reveal inserted logic, unexpected behavior, or functionality that diverges from expected or documented behavior.
Software supply chain security inspection: Builds, updates, and dependencies are compared to surface meaningful logic changes, hidden functionality, or signs of tampering before deployment.
Critical-Infrastructure Operators: Validate firmware and OT binaries before deployment to keep the grid, plant, and fleet resilient.
National-Security Analysts: Analyze foreign or hostile software in source-denied or classified environments, at speed and scale.
Understanding Software at Machine Speed
Most systems weren’t built for this speed, scale, or deception. To keep up, defenses must operate at machine speed, delivering context, explainability, and precision in real time.
We built Delphos Labs for that reality with:
- Automated compiled code reasoning and reverse engineering
- Instant natural-language insights and summaries
- Continuous diffing of every build, before deployment
To make this possible, we’ve trained our models on millions of binaries, including malware, open-source, and vendor-supplied samples, to extract behaviorally meaningful patterns across architectures, formats, and obfuscation techniques. We're also building the largest dataset of vulnerabilities, so our models can recognize patterns and associated weaknesses that lead to Zero-day vulnerabilities before they’re exploited.
By converting opcodes into graph representations and learning architecture-agnostic semantics, Delphos Labs delivers analyst-grade insights in minutes, even on stripped or packed executables. By learning from every new file and user-shared insight, the platform continually adapts to keep pace with adversaries’ speed.
We built Delphos Labs to work where you work, without ever putting your code or your speed at risk.
- Privacy‑centric and enterprise-ready: your binaries are never shared externally or used for model training unless you explicitly opt in. Delphos Labs is SOC 2 Type II compliant.
- Deploy anywhere: SaaS cloud, lightweight plugin, or on‑prem.
- The result: deep insight without compromising speed, privacy, or compliance.
If you’re tired of trusting code you can’t verify, let’s talk. Connect with us and experience Delphos Labs in action.