A Business Built in the Blind Spot
Here is a fact about your computer that is technically boring and practically alarming: before the operating system you can see wakes up, a smaller, older, less-supervised pile of code called firmware runs first. It decides what to trust. Almost nobody checks it. Binarly is a company whose entire premise is that somebody should.
The standard way to think about software supply chain security is to look at the software - the apps, the libraries, the open-source packages with names and version numbers and, increasingly, a "software bill of materials" listing what's inside. This is good and useful. It is also, if you're an attacker, exactly where the security team is looking. The interesting move, competitively speaking, is to go somewhere else. Binarly went below the operating system, into UEFI firmware, BMC controllers and the binaries that ship on devices, and set up shop in the part of the stack that most tools treat as a sealed box.
The company was founded in 2021 by Alex Matrosov and Claudiu Teodorescu, two reverse engineers who spent their careers on the offensive side of this problem - finding firmware flaws at NVIDIA, Intel, ESET, FireEye and others. Matrosov co-wrote Rootkits and Bootkits, a book about the exact category of threat his company now sells a defense against. This is a common and slightly funny pattern in security: the best way to build a product that finds bad things is to hire the people who are extremely good at making them.
Don't Trust the Manifest
The flagship product is the Binarly Transparency Platform, an enterprise, AI-powered system used by device manufacturers, OEMs, independent BIOS vendors and product-security teams. Its job is to look at a firmware image and answer questions the vendor often can't answer about their own device: what's actually in here, is any of it known to be vulnerable, is any of it vulnerable in a way nobody's catalogued yet, and did somebody slip in something that shouldn't be here at all.
The clever part is the approach to the software bill of materials. A lot of SBOMs are, functionally, a list somebody typed once. Binarly's pitch is what it calls a Zero Trust approach: rather than believe the manifest, it reconstructs the dependency graph from the binary itself - reading the bytes and rebuilding the truth. The uncomfortable finding, over and over, is that the list and the reality don't match.
Transparency Platform
Detects known and unknown firmware vulnerabilities, implants and misconfigurations. Plugs into SDLC and CI/CD pipelines.
Zero Trust SBOM
Reconstructs a dependency graph directly from binaries instead of trusting a supplied manifest or hashes.
Binary Risk Hunt
A free scanner that generates SBOMs and surfaces firmware risk - the on-ramp to the full platform.
Version 3.0, released in 2025, added the sort of features that tell you where the market is going: real-time threat-intelligence prioritization, exploitation maturity scoring, a microcode vulnerability checker, cryptographic artifact discovery and auto-validated secret detection. The recurring theme is triage. A scanner that returns four thousand findings is not a security tool; it is a way to generate alert fatigue at scale. Binarly's argument is that a vulnerability matters when it is reachable and exploitable, not merely present - so it tries to rank the twelve things you should actually panic about above the rest.
The Twelve-Year Key
If you want to understand what Binarly does, look at PKfail. In July 2024 the company disclosed that hundreds of device models were shipping with an insecure Platform Key - the cryptographic root of trust for UEFI Secure Boot. The keys had been generated by a firmware vendor and, it appears, handed around as a reference example with a label that amounted to "do not use in production." They were used in production. Widely.
Tagged CVE-2024-8105, PKfail makes it trivial to defeat Secure Boot on affected machines, which is a polite way of saying an attacker can load firmware-level malware - the BlackLotus class of threat - and have it survive nearly everything you'd normally do to clean an infected computer. The affected devices weren't just laptops. They included ATMs, medical equipment and voting machines.
The detail that lands hardest: the first vulnerable firmware shipped in May 2012, and the latest in June 2024. That's over twelve years of the same shortcut, copied and pasted across an industry, sitting quietly in the layer nobody reads. Supply-chain convenience always wins in the short run. It just sends the invoice later.
The Server in Your Blind Spot
Binarly sells to the companies whose products contain firmware they didn't fully write. Server-market firmware often passes through three sets of hands - an ODM builds it, an IBV licenses the BIOS, an OEM ships it - and visibility drops at every handoff. Binarly inserts a checkpoint. Its research has probed Supermicro BMC firmware, uncovering a signature-verification bypass (CVE-2024-10237) among a year-long chain of flaws, and its customer and partner orbit includes names like Cisco, Meta, Dell, Framework and OnLogic.
The business model is straightforward B2B subscription software, sharpened by a research arm that publishes openly. The free Binary Risk Hunt scanner and a steady drip of CVE-numbered disclosures do the marketing that a slide deck can't: they demonstrate the product works by pointing at real vendors who patched real problems because Binarly told them to.