explaingit

jetnoir/metis

Analysis updated 2026-05-18

6PythonAudience · researcher

TLDR

An automated pipeline that screens compiled binaries, narrows down likely vulnerabilities using symbolic execution, and confirms them on a real running binary.

Mindmap

mindmap
  root((Metis))
    What it does
      Binary vulnerability triage
      Symbolic execution
      PoC validation
    Tech stack
      Python
      angr
      Z3
    Use cases
      Call graph screening
      Dataflow matching
      Vulnerability confirmation
    Audience
      Security researchers
      Vulnerability researchers

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Screen a macOS, Linux, or Windows binary for functions with anomalous call patterns.

USE CASE 2

Narrow a large binary down to a handful of functions worth deep symbolic analysis.

USE CASE 3

Generate a proof-of-concept input for a suspected vulnerability automatically.

USE CASE 4

Confirm a candidate bug is real by validating it against the live binary.

What is it built with?

PythonangrZ3

How does it compare?

jetnoir/metisashishdevasia/ha-proton-drive-backupbenchflow-ai/skillsbench-trajectories
Stars666
LanguagePythonPythonPython
Last pushed2026-06-14
MaintenanceMaintained
Setup difficultymoderateeasy
Complexity2/51/5
Audienceresearcherops devopsresearcher

Figures from each repo's GitHub metadata at analysis time.

In plain English

Metis is an automated pipeline for finding security vulnerabilities in compiled binary programs, meaning executable files on macOS, Linux, or Windows, without needing the original source code. It chains four analysis stages that progressively narrow down where a real vulnerability likely exists, then attempts to confirm it by triggering the bug. The first stage, C2, screens the entire call graph, the map of which functions call which, using Random Matrix Theory, a statistical technique, to flag functions whose connection patterns look anomalous. The second stage, C3, takes those flagged functions and runs template based dataflow matching using SSA form, a precise way of representing data flow, to find patterns resembling known vulnerability classes. The third stage, C6, runs symbolic execution on the highest confidence hits. Symbolic execution treats program inputs as unknown variables and uses a constraint solver called Z3 to reason about which inputs would reach a vulnerable path. A path prioritization technique called C1 sits inside C6 and focuses effort on easier to solve paths first, reducing wasted computation by up to 60 percent on mixed difficulty binaries according to the project's own benchmarks. Once C6 finds a potential vulnerability, it synthesizes a proof of concept input. The final stage, C7, validates that proof of concept against the actual running binary using LLDB, DTrace, or a subprocess, confirming whether the finding is real before it gets reported anywhere. Written in Python, Metis depends on the angr binary analysis framework and the Z3 constraint solver. It is aimed at security researchers doing vulnerability research on compiled binaries rather than general application developers.

Copy-paste prompts

Prompt 1
Walk me through running Metis's full pipeline on a sample binary.
Prompt 2
Explain what the C1 backbone-fraction path prioritizer does inside C6.
Prompt 3
What Python and system dependencies does Metis require, and which OS versions work?
Prompt 4
How does Metis's C7 stage validate a proof-of-concept without false positives?

Frequently asked questions

What is metis?

An automated pipeline that screens compiled binaries, narrows down likely vulnerabilities using symbolic execution, and confirms them on a real running binary.

What language is metis written in?

Mainly Python. The stack also includes Python, angr, Z3.

Who is metis for?

Mainly researcher.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.