This page covers runtime limits, execution mode, and debugging controls.
Primary flags:
--timeout: wall-clock timeout in seconds--max-api-count: cap API calls per run--max-instructions: cap executed instructions per run
Use these together to bound long-running or looping samples.
Primary flags:
--raw: emulate target as raw bytes--arch: architecture override (x86,amd64)--raw-offset: raw-mode execution start offset (hex)--emulate-children: emulate spawned child processes--no-mp: run in current process instead of worker process
Example: raw shellcode run with bounded execution
speakeasy -t shellcode.bin \
--raw --arch x86 --raw-offset 0x40 \
--timeout 15 --max-api-count 3000 --max-instructions 500000 \
-o report.jsonPrimary flags:
--verbose: DEBUG logging--gdb: start GDB stub and pause before first instruction--gdb-port: GDB stub port
Notes:
--gdbimplies--no-mpautomatically.- Use
gdborgdb-multiarchto connect tolocalhost:<port>.
Example: debugger-first startup profile
speakeasy -t sample.dll --gdb --gdb-port 1234 --verbosespeakeasy -t sample.exe \
--timeout 20 \
--max-api-count 4000 \
--max-instructions 800000 \
--no-analysis-memory-tracing \
-o report.jsonUse this as a fast triage baseline for samples that often spin in loops.
speakeasy -t sample.exe \
--gdb --gdb-port 2345 \
--no-mp \
--analysis-coverage \
--analysis-memory-tracing \
--verbose \
-o report.jsonUse this when you want step control and richer telemetry during one run.
Speakeasy is Python-based, so runtime is sensitive to telemetry scope and stop conditions.
Practical tuning:
- disable heavy collectors unless needed:
--no-analysis-memory-tracing--no-analysis-coverage--no-snapshot-memory-regions
- set hard stop limits for unstable or looping samples:
--timeout--max-api-count--max-instructions
- run fast triage and deep telemetry as separate profiles