The Custom Rule Manager lets you bring your own detection logic to the platform. You can write rules in the Playground, package them as Rulesets, and deploy them to run automatically during image scans.

Workflow

1. Write and test in the Playground

The Playground is an interactive editor where you write rules and run them against images to see matches in real time. Use it to prototype and validate rules before packaging them.

2. Package rules into a Ruleset

A Ruleset is a collection of rules packaged as an OCI artifact and pushed to the Binarly Registry. Rulesets are versioned and can contain a mix of rule types.

3. Deploy the Ruleset

A Deployment attaches a Ruleset to an organization or to a specific product. Once deployed, the Ruleset runs automatically on every new scan within that scope (the whole organization or the selected product), and any matches appear as findings in the platform.

Supported rule types

YARA

YARA is a pattern-matching language widely used in malware research and threat intelligence. A YARA rule defines one or more strings — byte sequences, text patterns, or regular expressions — and a condition that must be true for the rule to fire. Rules can target any binary: executables, firmware images, libraries, or raw file blobs. Use YARA when you need to:
  • Hunt for known malware families or implants by signature
  • Flag binaries containing specific imports, strings, or magic bytes
  • Express complex multi-condition logic (e.g., “PE file AND contains these two strings AND file size under 1 MB”)
See the YARA documentation for the full rule syntax and the YARA GitHub repository for source and issue tracking.
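As an added example (not a rule from this page or from Binarly), the following YARA rule implements the multi-condition case listed above: a PE file under 1 MB that contains two specific strings, plus a byte pattern or URL regex, and imports a named API. The rule names, strings, byte pattern and import are illustrative assumptions chosen to exercise each string type, not indicators from any real threat report.

```yara
import "pe"

// Helper rule: is this a PE file? Checks the MZ stub at offset 0 and the
// "PE\0\0" signature at the offset stored in e_lfanew (0x3C).
// Marked private so it can be reused in other rules' conditions but never
// surfaces as a match on its own.
private rule IsPE
{
    condition:
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550
}

rule Example_Small_PE_Dropper
{
    meta:
        author      = "added example, not a Binarly rule"
        description = "Small PE carrying a command-line dropper string and a Temp path, with a push/call stub or hard-coded IP URL, importing VirtualAlloc"
        severity    = "medium"

    strings:
        // Text patterns (assumed, not from a real sample). 'ascii wide' matches
        // both 8-bit and UTF-16 encodings; 'nocase' makes the match case-insensitive.
        $s1 = "cmd.exe /c" ascii wide nocase
        $s2 = "\\Temp\\" ascii wide

        // A raw byte sequence with wildcards: push imm32 followed by call rel32.
        $op = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? }

        // A regular expression: an http(s) URL whose host is a dotted-quad IP.
        $url = /https?:\/\/[0-9]{1,3}(\.[0-9]{1,3}){3}\// ascii

    condition:
        IsPE and                   // PE file (via the private helper above)
        filesize < 1MB and         // YARA accepts KB/MB size suffixes
        all of ($s*) and           // both $s1 and $s2 must be present
        ($op or $url) and          // at least one of the code/network indicators
        pe.imports("kernel32.dll", "VirtualAlloc")   // pe module import check
}
```

Before packaging, run the rule in the Playground against a known-benign image and a sample you expect to match, and confirm that only `Example_Small_PE_Dropper` is reported; the private helper should never appear as a finding. `filesize` is the size of the object the rule is evaluated against, so verify in the Playground which object that is for your image before relying on a size bound.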

FwHunt

FwHunt is Binarly’s YAML-based rule format for UEFI firmware threat hunting. Rules match on UEFI module GUIDs, code patterns within firmware binaries, and firmware-specific characteristics. Because FwHunt is designed for firmware, it understands UEFI module structure natively — you can scope a rule to a specific module by GUID rather than scanning the entire image. Use FwHunt when you need to:
  • Detect known-bad UEFI implants or SMM callout patterns
  • Match firmware modules by GUID with optional code-level conditions
  • Write firmware-specific detections that would be impractical to express in YARA
See the FwHunt specification for the full rule format and the FwHunt rule repository for example rules.

Roles and permissions

Role          Capabilities
------------  ----------------------------------------------------------------------------
Rule Admin    Create, edit, delete, and deploy Rulesets. Manage permissions for other users.
Rule Editor   Create and edit rules. Cannot deploy Rulesets.
Rule Viewer   Read-only access to rules and Rulesets.
Organization Admins and Product Admins can manage deployments regardless of their rule-specific role. See Roles for the full permissions matrix.