azoth
Azoth is a small AI model that decides whether a binary, package, or source file is malicious. It reads cleave's output — MITRE ATT&CK techniques and Malware Behavior Catalog behaviors — and returns a label, a confidence, and the capabilities that drove the decision. Whatever cleave can decompose, azoth can classify: ELF, PE, Mach-O, Java .class, Python .pyc, and compiled AppleScript on the binary side; raw source in 20+ languages; and packaged forms like Python wheels, npm modules, and VS Code extensions.
Plenty of open-source classifiers exist for one format at a time — PE, JavaScript, Android, take your pick. Azoth is the first that covers general malware in one model.
Runs locally on the host that calls it. No network, no telemetry. litmus is the reference scanner; the weights, the training pipeline, and the capability schema are Apache 2.0, so any tool can drive the model or retrain it.
Why a small, dedicated model
Cost. Per-token pricing falls apart for continuous scanning. A dependency update, a CI run, an artifact in a registry — each one is another classification, and at fleet scale the bill is real. Azoth runs on CPU. There is no per-call charge.
Footprint. No GPU. No accelerator. The training pipeline distills analyst-labeled corpora, public threat reports, and frontier LLMs into a model small enough for a Raspberry Pi. Same weights on a laptop, a CI runner, an endpoint agent.
Inputs above bytes. Azoth sees ATT&CK techniques and MBC behaviors, not raw bytes or disassembly tokens. Recompiling or shuffling strings does not change the feature vector. What does change it: anything that defeats cleave — packers it doesn't recognize, dynamic loaders it can't follow, control flow it can't reconstruct. The model is exactly as good as cleave's coverage, no better.
Hierarchy-aware. MBC is a tree. Leaf behaviors roll up into objectives; objectives roll up into intent. Azoth doesn't just count leaves — it learns combinations across the tree. A sample whose individual capabilities each look unremarkable can come back hostile when the combination is one real families actually use.
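The two paragraphs above describe the representation: cleave's capability ids rather than bytes, rolled up through the MBC tree so that combinations across objectives become visible. The following is an added illustration of such a hierarchy-aware encoding, not azoth's code or its published capability schema; the objective/behavior tree, the behavior ids, and the feature layout are constructed for the example.

```python
"""Hypothetical hierarchy-aware feature encoding over MBC-style capability output.

Constructed for illustration: the tree below is a toy subset with placeholder
behavior ids, and the layout is not azoth's published schema.
"""
from itertools import combinations

# Constructed toy MBC tree: objective -> set of leaf behavior ids (placeholders).
MBC_TREE = {
    "Anti-Behavioral Analysis": {"B-DEBUGGER-DETECT", "B-SANDBOX-DETECT"},
    "Command and Control": {"B-HTTP-C2", "B-DNS-C2"},
    "Credential Access": {"B-READ-BROWSER-CREDS", "B-KEYLOG"},
    "Exfiltration": {"B-EXFIL-HTTP"},
    "Persistence": {"B-RUN-KEY"},
}
LEAF_TO_OBJECTIVE = {leaf: obj for obj, leaves in MBC_TREE.items() for leaf in leaves}
OBJECTIVES = sorted(MBC_TREE)
LEAVES = sorted(LEAF_TO_OBJECTIVE)
OBJECTIVE_PAIRS = list(combinations(OBJECTIVES, 2))


def encode(capabilities):
    """Map decomposer output (leaf ids in any order, duplicates allowed) to a
    fixed-length vector: leaf presence, per-objective rollup count, and
    objective co-occurrence pairs. Ids outside the tree are ignored."""
    leaves = {c for c in capabilities if c in LEAF_TO_OBJECTIVE}
    objectives = {LEAF_TO_OBJECTIVE[leaf] for leaf in leaves}
    leaf_part = [1 if leaf in leaves else 0 for leaf in LEAVES]
    rollup = [sum(1 for leaf in leaves if LEAF_TO_OBJECTIVE[leaf] == o) for o in OBJECTIVES]
    pairs = [1 if a in objectives and b in objectives else 0 for a, b in OBJECTIVE_PAIRS]
    return leaf_part + rollup + pairs


def feature_names():
    """Column labels matching encode(); the pair columns carry the tree-level signal."""
    return LEAVES + [f"count:{o}" for o in OBJECTIVES] + [f"{a}&{b}" for a, b in OBJECTIVE_PAIRS]


def active_features(capabilities):
    """Non-zero feature names: the capabilities a downstream model would report as drivers."""
    return [name for name, v in zip(feature_names(), encode(capabilities)) if v]


if __name__ == "__main__":
    # Constructed sample: same capabilities reported in two different orders,
    # with one duplicate, as a string shuffle or recompile would leave them.
    run_a = ["B-KEYLOG", "B-EXFIL-HTTP", "B-KEYLOG", "B-RUN-KEY"]
    run_b = ["B-RUN-KEY", "B-EXFIL-HTTP", "B-KEYLOG"]
    assert encode(run_a) == encode(run_b)
    print(active_features(run_a))
```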
License. Apache 2.0. Weights, training pipeline, runtime. Same as the rest of atomdrift.
Status
In active development. Weights, evaluation results, and the training pipeline land on Codeberg with the first release. Until then this page is design intent, not a benchmark. If that distinction matters to you — good.