gitwtfhub

wtf is metis?

jetnoir/metis — explained in plain English

Analysis updated 2026-05-18

6PythonAudience · researcher

TL;DR

An automated pipeline that screens compiled binaries, narrows down likely vulnerabilities using symbolic execution, and confirms them on a real running binary.

Mindmap

mindmap
  root((Metis))
    What it does
      Binary vulnerability triage
      Symbolic execution
      PoC validation
    Tech stack
      Python
      angr
      Z3
    Use cases
      Call graph screening
      Dataflow matching
      Vulnerability confirmation
    Audience
      Security researchers
      Vulnerability researchers

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Why would anyone build with this?

REASON 1

Screen a macOS, Linux, or Windows binary for functions with anomalous call patterns.

REASON 2

Narrow a large binary down to a handful of functions worth deep symbolic analysis.

REASON 3

Generate a proof-of-concept input for a suspected vulnerability automatically.

REASON 4

Confirm a candidate bug is real by validating it against the live binary.

What's in the stack?

PythonangrZ3

How it stacks up

jetnoir/metisashishdevasia/ha-proton-drive-backupbenchflow-ai/skillsbench-trajectories
Stars666
LanguagePythonPythonPython
Last pushed2026-06-14
MaintenanceMaintained
Setup difficultymoderateeasy
Complexity2/51/5
Audienceresearcherops devopsresearcher

Figures from each repo's GitHub metadata at analysis time.

Wtf does this do

Metis is an automated pipeline for finding security vulnerabilities in compiled binary programs, meaning executable files on macOS, Linux, or Windows, without needing the original source code. It chains four analysis stages that progressively narrow down where a real vulnerability likely exists, then attempts to confirm it by triggering the bug. The first stage, C2, screens the entire call graph, the map of which functions call which, using Random Matrix Theory, a statistical technique, to flag functions whose connection patterns look anomalous. The second stage, C3, takes those flagged functions and runs template based dataflow matching using SSA form, a precise way of representing data flow, to find patterns resembling known vulnerability classes. The third stage, C6, runs symbolic execution on the highest confidence hits. Symbolic execution treats program inputs as unknown variables and uses a constraint solver called Z3 to reason about which inputs would reach a vulnerable path. A path prioritization technique called C1 sits inside C6 and focuses effort on easier to solve paths first, reducing wasted computation by up to 60 percent on mixed difficulty binaries according to the project's own benchmarks. Once C6 finds a potential vulnerability, it synthesizes a proof of concept input. The final stage, C7, validates that proof of concept against the actual running binary using LLDB, DTrace, or a subprocess, confirming whether the finding is real before it gets reported anywhere. Written in Python, Metis depends on the angr binary analysis framework and the Z3 constraint solver. It is aimed at security researchers doing vulnerability research on compiled binaries rather than general application developers.

Yoink these prompts

Prompt 1
Walk me through running Metis's full pipeline on a sample binary.
Prompt 2
Explain what the C1 backbone-fraction path prioritizer does inside C6.
Prompt 3
What Python and system dependencies does Metis require, and which OS versions work?
Prompt 4
How does Metis's C7 stage validate a proof-of-concept without false positives?

Frequently asked questions

wtf is metis?

An automated pipeline that screens compiled binaries, narrows down likely vulnerabilities using symbolic execution, and confirms them on a real running binary.

What language is metis written in?

Mainly Python. The stack also includes Python, angr, Z3.

Who is metis for?

Mainly researcher.

View the repo → Decode another repo

This repo across BitVibe Labs

Don't trust strangers blindly. Verify against the repo.