Threatray relies on core entities across both API and UI: sample, analysis, code region, and function. Analyzing a sample yields one or more analyses, with each analysis comprising one or more code regions. Each code region may contain functions for binary files with code. The term code region generically refers to a potential code-containing section within an analysis, such as memory dumps from dynamic analysis or the static analysis of a submitted file.

These base entities are uniquely identifiable:

sample: Identified by Hash (MD5, SHA1, SHA256)
analysis: Identified by UUID
code region: Identified by analysis identifier, hash (MD5, SHA1, SHA256), PID, base address
function: Identified by code region identifier, effective address

API endpoints return adequate information on these entities, enabling subsequent API calls, like fetching an analysis report after searching for analyses.

Certain API actions initiate tasks lasting seconds or minutes, notably file/URL submissions, and YARA ruleset modifications. These actions return a task ID used to track task status as follows:

queued: Awaiting processing
analyzing: Undergoing processing
done: Successfully completed
failed: Unsuccessful due to an error