capa is the Mandiant FLARE team’s open-source tool for analyzing malicious programs. It detects capabilities in executable files and provides a framework for the community to encode, recognize, and share behaviors that the team has seen in malware. You run it against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate. Regardless of your background, when you use capa you draw on decades of cumulative reverse engineering experience to figure out what a program does, which speeds up your triage workflow.
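As an added illustration of how such behaviors are encoded (this rule is written here for explanation and is not taken from the capa-rules repository), the following rule expresses the "installs a service" capability mentioned above in capa's rule format; it assumes the v7-style `scopes` key and the `advapi32.*` API names that capa's feature extractors report.

```yaml
# Illustrative capa rule (not from the capa-rules repository).
# A rule is a `meta` block describing the capability plus a `features`
# tree that capa evaluates over a scope (here: one function).
rule:
  meta:
    name: create a Windows service (illustrative example)
    namespace: host-interaction/service/create
    authors:
      - example.author@example.invalid   # placeholder, not a real author
    scopes:
      static: function   # evaluated per function during static analysis
      dynamic: thread    # evaluated per thread when analyzing a sandbox trace
    att&ck:
      - Persistence::Create or Modify System Process::Windows Service [T1543.003]
    description: >
      Matches a function that opens the Service Control Manager and then
      registers a new service, the typical pattern for service-based
      persistence. The `examples` entry required by `capa lint` is omitted
      because no sample hash is available here.
  features:
    # Both calls must appear in the same function for the rule to match;
    # `or` handles the Unicode/ANSI variants, which capa also normalizes.
    - and:
      - or:
        - api: advapi32.OpenSCManagerA
        - api: advapi32.OpenSCManagerW
      - or:
        - api: advapi32.CreateServiceA
        - api: advapi32.CreateServiceW
```

Placing this file in a rules directory and running capa with `-r <rules dir>` against a sample makes the match show up under the "host-interaction/service/create" namespace in capa's report, alongside the ATT&CK mapping.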