Version: Spectra Detect 5.7.2

Spectra Detect

Spectra Detect is a file analysis system available in two deployment configurations:

  • OVA/AMI deployment: traditional virtual machine deployment with Workers, Hubs, and Spectra Detect Manager (SDM).
  • K8s Micro deployment: redesigned architecture where traditional Workers and Hubs are decomposed into specialized microservices.
    • Workers are broken down into individual processing components.
    • Hub functionality is currently supported only for S3 connector integration.
    • SDM is not included in this preview release.

About Spectra Detect

Spectra Detect uses a flexible cluster architecture that scales incrementally to support distributed or centralized file processing across physical and cloud environments. The cluster can incrementally scale file processing capacity from 100K to 100M files per day by adding Worker nodes.

Spectra Detect is an enterprise-scale automated malware detection platform built for organizations that need to inspect millions of files per day across email gateways, file shares, S3 buckets, ICAP proxies, and other ingestion points — without creating bottlenecks or slowing down production workflows. Powered by Spectra Core, it performs deep static analysis on over 400 file formats, identifying malware, suspicious indicators, and embedded threats in seconds per file. Analysis results include full indicator extraction, threat names, risk scores, and mapping to MITRE ATT&CK tactics — all delivered without executing files.

File analysis

The platform scales horizontally by adding Worker nodes. In virtual machine deployments (OVA/AMI), Workers are provisioned manually to match capacity needs. In Kubernetes deployments (K8s Micro), Workers auto-scale based on queue depth. Results feed directly into existing security infrastructure (SIEM, SOAR, EDR, and threat intelligence platforms) through webhooks, S3 output, and REST APIs. In OVA/AMI deployments, YARA rule deployment and synchronization across all Workers is managed centrally through Spectra Detect Manager.

In OVA/AMI deployments, every Worker contains an instance of Spectra Core, a platform for automated static decomposition and analysis of files. In the K8s Micro deployment, the same Spectra Core functionality is distributed across multiple microservice components that work together to analyze each file.

Spectra Core can automatically unpack and extract information from more than 300 PE packers, archives, installation packages, firmware images, documents, and mobile application formats.

The extracted information includes metadata such as strings, format header details, function names, library dependencies, file segments, and capabilities. It is delivered in the Worker analysis report (a JSON file).

Architecture

Spectra Detect uses a three-tier cluster architecture: a central manager for control and configuration, one or more Hubs for ingestion and load distribution, and horizontally scalable Workers that perform the analysis. This layout describes the OVA/AMI deployment; in the K8s Micro preview, SDM is absent and Hub functionality is limited to the S3 connector (see Components below).

Figure: Spectra Detect architecture

Components

Spectra Detect Manager (SDM)

SDM is the central control plane for the cluster. It provides a web UI and REST API for monitoring the health of connected ReversingLabs appliances, managing licenses, deploying software upgrades, configuring authorized appliances, and synchronizing YARA rules across all connected Spectra Detect Workers and Spectra Analyze appliances. SDM connects to Spectra Intelligence for cloud-enriched classifications and automatic update delivery.

SDM functions as a mediator between the ReversingLabs appliances connected to it. When YARA rulesets are uploaded to any connected appliance that supports them, SDM ensures the rulesets are synchronized across all applicable appliances.

SDM provides:

  • Status overview for multiple ReversingLabs product types
  • License management for connected Spectra Analyze and Spectra Detect Worker appliances
  • Control for upgrading Spectra Analyze, Spectra Detect Worker and Hub
  • Centralized YARA rules deployment and synchronization between Spectra Analyze and Spectra Detect Worker
  • Alerts for critical system services
  • Support for sample search across all connected and authorized Spectra Analyze appliances
  • Configuration modules for centralized management of Spectra Analyze, Spectra Detect Worker and Hub
  • Support for configuring the Connectors service on Spectra Analyze and Spectra Detect appliances

info

SDM is available in OVA/AMI deployments, but is not included in the K8s Micro deployment preview (v5.7).

Hub

The Hub is the ingestion and distribution layer between file sources and Workers. It receives files from configured input connectors (S3 buckets, file shares, ICAP proxies, email gateways, and direct API submissions) and distributes them to available Workers for analysis. In high-availability configurations, two Hubs can be deployed for redundancy. In the K8s Micro preview, Hub functionality is limited to the S3 connector integration.

Workers

Workers perform the actual file analysis using Spectra Core. Each Worker unpacks and inspects submitted files, extracts indicators, assigns a risk score, and returns the result to the Hub. Workers scale horizontally: additional Workers are added manually in OVA/AMI deployments, or provisioned automatically by Kubernetes based on queue depth in K8s Micro deployments.

Deployment models

Model     | Description                                  | Scaling
OVA/AMI   | Virtual machines with Workers, Hubs, and SDM | Manual: provision new VMs
K8s Micro | Microservices architecture on Kubernetes     | Automatic: per-component scaling

Multi-region deployment

In multi-region deployments, global load balancers are added in front of each tier to distribute traffic across geographic locations and provide fault tolerance.

A global load balancer sits in front of the SDM cluster, routing management and API traffic to the active SDM instance regardless of which region handles the request. A separate global load balancer sits in front of the Hub cluster, distributing file submission traffic across Hubs. Workers are deployed in two or more independent regional clusters; each region runs its own Hub-and-Worker pool, so file analysis stays local to the region where files are submitted. The SDM cluster spans regions for centralized control, while Worker clusters remain regionally isolated for performance and data residency.

Components added in multi-region deployments:

  • Global Load Balancer (SDM) — routes SDM API and UI traffic to the active SDM node; handles failover between SDM instances across regions
  • Global Load Balancer (Hub) — distributes incoming file submissions across regional Hub clusters; can route by geography to keep analysis traffic local
  • Regional Hub + Worker clusters — each region runs an independent Hub-and-Worker pool; Workers in each region auto-scale independently based on local queue depth
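The queue-depth auto-scaling described for K8s Micro Workers is, in Kubernetes terms, a HorizontalPodAutoscaler driven by an external metric rather than by CPU. The manifest below is an added illustration of that pattern; it is not a manifest shipped with Spectra Detect, and the product's own charts may scale Workers by a different mechanism. The Deployment name `spectra-worker`, the namespace `spectra-detect`, the metric name `queue_depth`, the `queue: file-analysis` label, and the target of about 50 queued files per replica are all assumptions made for the example.

```yaml
# Illustrative HPA for queue-depth scaling of analysis Workers.
# Not part of the Spectra Detect product; all names below are assumed.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: spectra-worker            # assumed name
  namespace: spectra-detect       # assumed namespace
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: spectra-worker          # assumed Worker Deployment
  minReplicas: 2                  # keep a floor so a burst never starts from zero
  maxReplicas: 40                 # hard cap: bounds cost and blast radius of a flood of submissions
  metrics:
    - type: External              # metric comes from a metrics adapter, not from pod CPU
      external:
        metric:
          name: queue_depth       # assumed metric name exposed by the adapter
          selector:
            matchLabels:
              queue: file-analysis   # assumed label identifying the Worker intake queue
        target:
          type: AverageValue
          averageValue: "50"      # aim for ~50 queued files per Worker replica
  behavior:
    scaleUp:
      policies:
        - type: Pods
          value: 4                # add at most 4 Workers per minute
          periodSeconds: 60
    scaleDown:
      stabilizationWindowSeconds: 300   # wait 5 min of low depth before shrinking, to avoid flapping
      policies:
        - type: Percent
          value: 25               # remove at most 25% of replicas per minute
          periodSeconds: 60
```

An External metric only resolves if something serves it on the `external.metrics.k8s.io` API (for example prometheus-adapter or KEDA reading the queue's length); `kubectl get --raw /apis/external.metrics.k8s.io/v1beta1` lists what is available, and `kubectl describe hpa spectra-worker -n spectra-detect` shows whether the HPA is actually reading a value or reporting `FailedGetExternalMetric`. The `maxReplicas` cap matters operationally: without it, an attacker or a misconfigured connector that floods the intake queue can turn the autoscaler into a cost and capacity problem.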

Documentation

Getting started

Deployment

Configuration

Usage

  • Dashboard — monitoring cluster status and analysis results
  • Analysis — understanding analysis results and classifications
  • YARA Rules — managing and deploying YARA rulesets

API

Administration