Reverse engineering and binary analysis are essential skills for security researchers, malware analysts, and software developers who need to understand how compiled programs work. Whether you are auditing a third-party library, investigating a suspicious binary, or debugging a legacy system without source code, having the right tools makes all the difference.
In this guide, we compare three leading open-source binary analysis platforms that you can deploy and run on your own infrastructure: Ghidra, Radare2, and Rizin. Each tool takes a different approach to disassembly and decompilation, and each has strengths suited to particular workflows.
Comparison Overview
| Feature | Ghidra | Radare2 | Rizin |
|---|---|---|---|
| Developer | NSA (open-sourced) | pancake (community) | Rizin fork community |
| Language | Java | C | C |
| GUI | Swing-based desktop UI | Terminal (r2) + Cutter (optional) | Terminal (rz) + Cutter (optional) |
| Decompiler | Built-in (Ghidra Decompiler) | rz-ghidra plugin / r2dec | Built-in (Rizin Decompiler) |
| Scripting | Java, Python (via Jython) | Python, JavaScript, Scheme | Python, JavaScript |
| Collaboration | Ghidra Server (multi-user) | No native collaboration | No native collaboration |
| Architecture Support | 80+ processor modules | 50+ processor modules | 50+ processor modules |
| License | Apache 2.0 | LGPL-3.0 | LGPL-3.0 |
| GitHub Stars | ~68,000 | ~23,500 | ~3,500 |
| Docker Support | Community images | Official image (radare/radare2) | Official image (rizin/rizin) |
Ghidra: The Full-Featured Decompiler
Ghidra is a software reverse engineering framework developed by the National Security Agency and open-sourced in 2019. It has rapidly become the most popular open-source alternative to commercial tools like IDA Pro.
Key Strengths
- Built-in decompiler: Ghidra ships with a high-quality decompiler that converts assembly into readable C-like pseudocode for supported architectures. This is arguably its biggest advantage.
- Multi-user collaboration: The Ghidra Server enables teams to work on the same project simultaneously, sharing analysis results and comments.
- Extensive format support: Handles ELF, PE, Mach-O, COFF, raw binaries, and dozens of firmware formats out of the box.
- Plugin ecosystem: The Ghidra Extension Manager provides easy installation of community-developed plugins for additional processors, file formats, and analysis passes.
- Graph viewer: Interactive control flow graphs with cross-references, call graphs, and data flow visualization.
Docker Deployment
While Ghidra does not ship an official Docker image, several community-maintained images make it easy to run headless analysis:
| |
For the full GUI experience, you can use a Docker image with X11 forwarding or VNC:
| |
When to Choose Ghidra
Ghidra excels when you need a full-featured decompiler, collaborative analysis, or deep inspection of complex binaries. It is the best choice for malware analysis, vulnerability research, and binary auditing where understanding high-level program logic matters more than low-level byte manipulation.
Radare2: The Terminal Powerhouse
Radare2 is a Unix-like reverse engineering framework written in C. It provides a comprehensive set of tools for binary analysis, all accessible from the command line.
Key Strengths
- Command-line efficiency: Radare2 is designed for terminal workflows. Once you learn the keybindings, analysis is extremely fast.
- Comprehensive toolchain: Includes
r2(main analysis),rabin2(binary info extraction),rax2(math converter),rasm2(assembler/disassembler), andrafind2(search tool). - Scriptable: Supports Python, JavaScript, and Scheme for automation.
- Wide architecture support: x86, ARM, MIPS, RISC-V, PowerPC, SPARC, WebAssembly, and many more.
- Patch and modify: Radare2 can edit binaries in place, patch bytes, and write shellcode directly into files.
Docker Deployment
Radare2 has an official Docker image on Docker Hub with over 500,000 pulls:
| |
Run it interactively:
| |
Learning Curve
Radare2 has a notoriously steep learning curve. Commands use single-letter abbreviations (pdf = print disassembly function, px = print hex dump, aaa = analyze all). However, once mastered, it is one of the fastest tools for binary inspection.
When to Choose Radare2
Radare2 is ideal for developers and analysts comfortable with terminal environments who need fast, scriptable binary analysis. It excels at quick inspections, automated analysis pipelines, and scenarios where a GUI would slow you down.
Rizin: The Modern Fork
Rizin is a fork of Radare2 created in 2021 by developers who wanted a more maintainable codebase with better API design. It shares Radare2’s core philosophy but with significant architectural improvements.
Key Strengths
- Improved API: Cleaner, more consistent C API that makes plugin development and integration easier.
- Better UX: Improved command completion, better error messages, and a more intuitive command structure.
- Built-in decompiler: Rizin includes its own decompiler based on the Ghidra decompiler engine (via rz-ghidra integration), which Radare2 lacks by default.
- Active development: The Rizin project has a faster release cycle and more responsive issue triage than Radare2.
- Cutter integration: Cutter, the popular Qt-based GUI for reverse engineering, supports both Radare2 and Rizin as backends.
Docker Deployment
Rizin also has an official Docker image:
| |
| |
Rizin vs Radare2: Key Differences
| Aspect | Radare2 | Rizin |
|---|---|---|
| Codebase maturity | Older, larger, more complex | Cleaner refactor |
| Command syntax | r2 prefix | rz prefix |
| Decompiler | Plugin required (rz-ghidra) | Built-in integration |
| Release frequency | Irregular | Regular, predictable |
| Community | Established, large | Growing, enthusiastic |
When to Choose Rizin
Rizin is the right choice if you want the Radare2 experience with a more maintainable codebase, better defaults, and a built-in decompiler. It is also the better option for developers who want to write plugins or integrate binary analysis into their own tools.
Why Self-Host Your Binary Analysis Tools?
Running binary analysis tools on your own infrastructure offers several advantages over cloud-based or commercial alternatives.
Data sovereignty and privacy: When analyzing proprietary or sensitive binaries, keeping the analysis local ensures no data leaves your environment. This is critical for malware samples, confidential code audits, and proprietary firmware inspection.
No licensing costs: All three tools are fully open-source with permissive licenses. Unlike commercial alternatives (IDA Pro starts at several thousand dollars), these tools are free for both personal and commercial use.
Automation and CI/CD integration: Headless deployment via Docker enables automated binary analysis in CI/CD pipelines. You can run vulnerability scans, check for known CVEs, and validate binary integrity as part of your build process.
Custom toolchains: Self-hosted tools can be integrated with your existing security infrastructure, such as connecting Ghidra Server to your team’s vulnerability management platform or piping Radare2 output into your SIEM.
For more on self-hosted security tooling, see our container image scanning guide and server security auditing comparison.
Quick Start: Which Tool Should You Pick?
| Your Need | Recommended Tool |
|---|---|
| Deep decompilation and GUI analysis | Ghidra |
| Fast terminal-based inspection | Radare2 |
| Modern Radare2 with better defaults | Rizin |
| Team collaboration | Ghidra (with Ghidra Server) |
| CI/CD pipeline integration | Radare2 or Rizin (CLI-first) |
| Malware analysis | Ghidra (decompiler + collaboration) |
| CTF competitions | Rizin (speed + built-in decompiler) |
FAQ
Is Ghidra free to use for commercial purposes?
Yes. Ghidra is released under the Apache 2.0 license, which allows free commercial use, modification, and distribution. The NSA open-sourced Ghidra in 2019 specifically to make it available to the broader security research community.
Can I run Ghidra on a headless server without a GUI?
Yes. Ghidra includes a headless analyzer (analyzeHeadless) that can be run from the command line without any graphical interface. It supports importing binaries, running analysis passes, executing scripts, and exporting results. This is ideal for Docker deployments and automated analysis pipelines.
What is the difference between Radare2 and Rizin?
Rizin is a fork of Radare2 created in 2021. The main differences are a cleaner codebase, improved command-line UX, a built-in decompiler (via rz-ghidra), and a more active development cadence. If you are starting fresh, Rizin is generally recommended. If you have existing Radare2 scripts and workflows, Radare2 remains fully maintained.
Do these tools support ARM and RISC-V architectures?
Yes, all three tools support ARM (32-bit and 64-bit) and RISC-V. Ghidra supports over 80 processor architectures, while Radare2 and Rizin each support 50+. Both terminal tools also have strong support for less common architectures like AVR, 6502, and WebAssembly.
Can I use these tools for malware analysis?
All three tools are widely used for malware analysis. Ghidra is particularly popular due to its decompiler, collaboration features, and extensive plugin ecosystem. Many security teams use Ghidra as their primary malware analysis platform, supplemented by Radare2 or Rizin for quick inspections.
How do I deploy these tools in a Docker container?
All three tools have Docker images available. Ghidra uses community images (such as linuxserver/ghidra), while Radare2 and Rizin have official images (radare/radare2 and rizin/rizin respectively). Mount your binary files as volumes and run the tools interactively or in headless mode.
Are there GUI alternatives for Radare2 and Rizin?
Yes. Cutter is a free, open-source Qt-based GUI that uses Radare2 or Rizin as its analysis engine. It provides a visual interface with graphs, hex editors, and decompiler views, making reverse engineering accessible to users who prefer not to work in the terminal.