How Project Ire works
Microsoft Defender scans over one billion active devices monthly, and the software those scans flag routinely requires manual review by experts, which leads to errors and alert fatigue. To address this, Project Ire’s architecture allows for reasoning at multiple levels, from low-level binary analysis to control flow reconstruction and high-level interpretation of code behavior.
Project Ire starts by identifying the file type and structure, then reconstructs the software’s control flow graph using tools such as angr and Ghidra. It analyzes key functions through an API, building a detailed “chain of evidence” to show how it reached its verdict. A built-in validator cross-checks findings against expert input to ensure accuracy before the system classifies the software as malicious or benign.
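Project Ire's own code is not public, so the following is an added illustration of the first stage described above (identifying file type and structure before any control flow reconstruction) together with the idea of recording every observation as an entry in a chain of evidence. The `Evidence` and `Triage` names and the constructed ELF64 and PE sample headers are assumptions for the example, not the project's format.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Evidence:
    stage: str          # pipeline stage that produced the observation
    observation: str    # what was seen
    detail: str         # the raw value backing the observation

@dataclass
class Triage:
    file_type: str = "unknown"
    entry_point: Optional[int] = None
    evidence: List[Evidence] = field(default_factory=list)

def identify_structure(data: bytes) -> Triage:
    """Recover the container format and entry point from the file header,
    appending one evidence record per observation so the verdict is traceable."""
    t = Triage()
    if data[:4] == b"\x7fELF":
        t.file_type = "ELF"
        t.evidence.append(Evidence("file_type", "ELF magic at offset 0", data[:4].hex()))
        if len(data) >= 0x20 and data[4] == 2:           # EI_CLASS == ELFCLASS64
            t.entry_point = struct.unpack_from("<Q", data, 0x18)[0]   # e_entry
            t.evidence.append(Evidence("structure", "ELF64 e_entry", hex(t.entry_point)))
    elif data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        t.evidence.append(Evidence("file_type", "MZ header, e_lfanew", hex(e_lfanew)))
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            t.file_type = "PE"
            t.evidence.append(Evidence("file_type", "PE signature at e_lfanew", "PE\\0\\0"))
            opt = e_lfanew + 24                           # optional header after 20-byte COFF header
            if len(data) >= opt + 20:                     # AddressOfEntryPoint sits at +16
                t.entry_point = struct.unpack_from("<I", data, opt + 16)[0]
                t.evidence.append(Evidence("structure", "PE AddressOfEntryPoint", hex(t.entry_point)))
    else:
        t.evidence.append(Evidence("file_type", "no known magic", data[:4].hex()))
    return t

# Constructed sample headers (not real binaries): an ELF64 header with e_entry 0x401000
SAMPLE_ELF = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
              + struct.pack("<HHI", 2, 0x3E, 1) + struct.pack("<Q", 0x401000) + b"\x00" * 32)
# and a PE32+ stub whose optional header carries AddressOfEntryPoint 0x1400
_pe = bytearray(0x40); _pe[:2] = b"MZ"; struct.pack_into("<I", _pe, 0x3C, 0x40)
_pe += b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
_pe += struct.pack("<HBBIIII", 0x20B, 14, 0, 0, 0, 0, 0x1400)
SAMPLE_PE = bytes(_pe)

if __name__ == "__main__":
    for sample in (SAMPLE_ELF, SAMPLE_PE, b"hello world"):
        t = identify_structure(sample)
        print(t.file_type, t.entry_point, [(e.stage, e.observation, e.detail) for e in t.evidence])
```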
“Project Ire, as an autonomous AI prototype, advances beyond existing tools that rely on reverse engineering software to detect threats. Unlike current TDIR tools on the market, which depend on known machine learning or AI models and signatures for identifying known threats and patterns, Project Ire appears to perform deep, independent analysis of a file’s behaviour,” said Charanpal Bhogal, senior director analyst at Gartner. He added, “This enables it to identify new or previously undetected malicious code by using AI agents to examine the attack surface and deliver a clear ‘chain of evidence’ for action. The agentic AI element shifts from human-supported to fully autonomous approaches, while still maintaining a human in the loop.”