Interpreter
Maximum introspection
A portable, codegen-free core that executes guest instructions one at a time. Every memory access, register write, and branch is observable.
Xion boots real, unmodified firmware and operating systems, then lets you choose how they run — a fully introspectable interpreter, an impossibly fast LLVM-based JIT, or bare-metal hardware virtualization — without changing your target or your tooling.
$ xion init firmware.qcow2
[+] booting guest · uefi · 2048M · arch=x86_64
[+] guest reached idle · taking checkpoint
[✓] checkpoint written · 41,920 pages
$ xion fuzz firmware.ckpt --backend jit --workers 64
[+] enlightenment: Windows · ntoskrnl + 214 modules
[+] coverage probes armed · snapshot reset @ 0.9M/s
exec/s 1.84M corpus 5,210 blocks 73,118 crashes 3
$ ▋Every emulator forces a trade between speed and visibility. Xion refuses to make it permanent. Because we own the execution layer, the same guest can run under whichever backend the moment calls for — and your plugins, coverage, and crash detection come along unchanged.
Maximum introspection
A portable, codegen-free core that executes guest instructions one at a time. Every memory access, register write, and branch is observable.
Performance at scale
Guest blocks are lifted and compiled through LLVM, then cached as native code — block-level coverage and OS-aware hooks intact, orders of magnitude faster.
Bare-metal speed
Hand the guest to the silicon for near-native throughput — boot fast, reach deep states, then drop back into a slower backend right where it matters.
↺ Switch backends mid-run — boot under virtualization, then drop into the interpreter the instant you hit the code you care about.
Xion is developed by Crystal Peak Security and licensed to vetted research teams. Tell us what you're trying to take apart.