binautopsy · /opt/research/when-not-to-do-reverse-engineeringtechnical note26 APR 2026~3 min
← /opt/research

0x · technical note

When Reverse Engineering Is the Wrong Tool — and Who Should Look Elsewhere

26 APR 2026~3 min readartefact-first · evidence-led

The Pre-Procurement Binary Autopsy is a $35,000–$90,000, two-week, partner-signed engagement built for the moment a regulated enterprise is about to put third-party software inside its perimeter and cannot defend the decision on a vendor questionnaire alone.

It is the wrong purchase for a long list of situations. This post is about that list. Buying the wrong tool wastes budget that is not coming back, and security teams who lose credibility on one over-engineered engagement do not get a second one funded.

Knowing when not to do reverse engineering is part of the job.

When a Vendor Questionnaire Is Genuinely Sufficient

If the software in question is a low-blast-radius SaaS — a project management tool, a marketing analytics platform, a contract redlining service — and it will never touch regulated data or production systems, a questionnaire and a SOC 2 report are the right artifacts.

A binary autopsy on a SaaS product is also frequently impossible to scope. There is no binary to hand over. The vendor runs the code on their infrastructure. What you would actually want in that case is a penetration test of the deployed instance or a review of the vendor’s security program, not a forensic dissection.

If the conversation starts with we want to reverse engineer our SaaS vendor, the conversation should usually end there.

When the Decision Has Already Been Made

A binary autopsy produces a ship/no-ship/ship-with-conditions verdict. If the contract is signed, the deployment is live, and the goal is to feel better about a decision that is no longer reversible, the deliverable is wasted on the question.

The right tool post-deployment is a penetration test, an attack surface assessment, or a continuous monitoring program. Those answer the question what should we do now. A pre-procurement review answers should we do this at all. They are not interchangeable.

The exception is M&A: if the acquisition has closed and the integration team is inheriting a product they never reviewed, an autopsy of the inherited binary is genuinely useful. That is a different engagement structure than the pre-procurement version.

When the Real Problem Is Source-Side

If you are an ISV trying to improve your own SDLC, fix vulnerabilities in your own codebase, or harden your build pipeline, a binary autopsy is not the right entry point. SAST, DAST, dependency scanning, threat modeling, and source-level review are the tools for that work.

The Pre-Release Self-Autopsy exists for a narrower case: an ISV who has done that source-side work and now needs to see what an adversarial buyer’s TPRM team will find when they tear the shipped binary apart. It is a check on the result, not a substitute for the build-time hygiene that produces the result.

If the build-time hygiene is not there yet, a self-autopsy will tell you what you already suspect, expensively. Fix the pipeline first.

When Headcount and Process Are the Real Gap

Some organizations buy expert engagements to paper over a structural problem. The TPRM team is two people. The vendor intake process is a shared inbox. There is no procurement gate that actually blocks anything.

A partner-signed verdict delivered into that environment will be filed and forgotten. The Verdict Retainer is built for teams who have the process and need the capacity. It is not a fix for teams who do not have the process. Neither is any other deliverable.

If the honest assessment is that no verdict — however well-evidenced — would actually change a procurement outcome at your organization, the prerequisite work is internal, not vendor-facing.

When the Regulator Has Not Actually Asked

The Regulatory Readiness Autopsy is mapped to specific regimes — CRA, FDA premarket cybersecurity, EO 14028, NIS2 — that demand binary-level evidence. If your obligation is generic SOC 2 or ISO 27001, those frameworks do not require binary forensics. Spending six figures preparing for a regulator who has not asked is a budget conversation you will lose.

The right move is to confirm with counsel or compliance which regime actually applies, and what evidence that regime actually accepts. Then buy to that bar. Not above it.

When Reverse Engineering Is the Right Tool

For completeness: it is right when the artifact is real, the decision is reversible, the blast radius is high, and the timeline is short enough that traditional appsec consultancies will miss it. That is a narrower band than most security marketing implies.

Binautopsy works best with buyers who already know they are inside that band. If you are not sure, the cheapest thing we can tell you is that you do not need us yet.

filed under research · binautopsy labs request scoping →