Find bugs in firmware, fast
Metalware is a binary analysis platform that combines rehosting, fuzz testing, and program analysis to uncover crashable bugs and vulnerabilities in embedded systems.
$ mw run --file firmware.bin --board esp32s3 [upload] firmware.bin (6.2 MB)… ok [target] board=esp32s3 arch=xtensa io=peripherals [init] auto-wiring IO model… ok [fuzz] running… [stat] tests: 0 paths: 0 cov: 0% [crash] heap-buffer-overflow @ io::rx_frame (repro #0) [report] successfully exported: reports/runs/0001/
Who We Serve
Metalware accelerates the teams on the frontlines of embedded systems by delivering reproducible, actionable, and hardware-free analysis.
Product Security
Sweep firmware builds to catch crashable bugs before release.
Metalware outputs replayable repro packages so engineering receives deterministic triggers and traces, not vague alerts.
DevSecOps
Continuously test firmware in CI/CD and compliance workflows.
Every execution produces an auditable trail (config, artifacts, results) you can attach to releases, gates, and regulator-facing reports.
Reverse Engineering & Vulnerability Research
Prioritize findings for researchers.
Accelerate new-target exploration with I/O-aware analysis and trace-rich crashes so teams stay focused on high-impact bug classes.
Firmware Engineers
Test peripherals before hardware arrives.
Validate drivers, protocols, and RTOS glue earlier and turn findings into regression tests that prevent repeat escapes.
Purpose-built for embedded workloads powering the most critical hardware programs.
How It Works
Launch tests from our web interface or integrate Metalware into CI/CD via API for fully automated runs.
- Firmware ELF / ROM
- Device / board profile
- Optional symbols + metadata
Emulation + IO-aware fuzzing + analysis
- Replayable crash + trace
- Coverage + PoC artifact
- CWE mapping + report
-
01
Upload firmware
Provide the firmware file (binary image, update blob, or extracted component).
-
02
Select board
Choose the target board profile so IO/peripheral behavior matches the real device.
-
03
Run
Start fuzzing immediately—no hardware and no harnessing required.
-
04
Repro + report
Every crash is reproducible and shipped with a proof-of-concept and a human-readable report.
Analysis Engine
Embedded targets don’t look like server or desktop software; data transmits over peripherals (UART, SPI, I²C, GPIO, DMA, etc.), not stdin or sockets.
Emulation
Rehost and execute firmware binaries inside a virtual target that models CPU, memory, interrupts, and peripheral I/O. Code boots, initializes, and runs without physical hardware.
- Prebuilt board profiles for embedded ISAs
- Peripheral and bus I/O exercised through realistic models
- No physical targets, probes, or test rigs required
Static Analysis
Analyze structure, memory layout, and input-dependent behavior, mapping control and data flow to guide execution toward security-critical code paths.
- Automatic lifting and memory mapping
- Data-flow, control-flow, symbolic and taint analysis
- Findings correlated to CWEs and execution context
Dynamic Analysis
Coverage-guided fuzzing combined with forced execution and symbolic input generation pushes firmware past initialization logic and deep into drivers, protocols, and edge cases.
- Runs via web UI, CLI, or CI/CD API
- Crashes with full traces, coverage, and proof-of-concept inputs
- Reproducible artifacts engineers can debug and fix
Contact Us
Let's discuss your firmware challenges. Response within 24 hours.