Lab notes

Questions, answered without the hand-waving.

How Arxam works on real binaries, what it costs at runtime, and how it behaves with antivirus, CI, and air-gapped customers. Still stuck? Our engineers reply directly.

Arxam rewrites your compiled executable into a hardened equivalent. It encrypts strings and resources, flattens and obfuscates control flow, converts the functions you mark into virtual-machine bytecode, and wraps the whole image in continuous integrity checks plus anti-debug and anti-VM defenses. The behavior your users see is identical. The binary an attacker sees is not.
No serious vendor should claim that, and we don't. The honest goal is economic: make breaking a build cost far more time and skill than it's worth, and make each break disposable. Per-build randomization means a crack for one release teaches an attacker almost nothing about the next, so the cost resets every time you ship.
For typical applications, under 3%. Integrity checks and anti-debug logic are cheap and run on a throttle you control. Code virtualization is the expensive part, so you apply it surgically, to license checks, crypto, and trade-secret routines, rather than the whole binary. The dashboard shows a measured overhead estimate for every build profile.
Packers and obfuscation can trigger heuristic false positives, and it's a real concern we engineer against. Arxam preserves valid PE structure, supports your existing Authenticode signing in the pipeline, and we maintain reputation relationships with major AV vendors. Catalyst customers get pre-submission to vendor allowlists. If a build is ever misflagged, support treats it as a priority incident.
Native Windows .exe and .dll targets for x86 and x64, including C, C++, Rust, Delphi, and other native toolchains. Managed .NET assemblies and Electron desktop apps are supported through dedicated paths. Windows 7 through 11 are covered. macOS and Linux are on the roadmap but not yet generally available.
No. Arxam works on the compiled artifact, so the baseline requires zero source changes. If you want to virtualize specific functions, you can mark them with a lightweight annotation or name them in the build profile, but that's an optimization, not a requirement.
It's a single command you add after your build and before signing: arxam build --profile prod app.exe. It runs in GitHub Actions, GitLab CI, Azure Pipelines, Jenkins, or locally. Builds are reproducible given the same profile and seed, and the step is cache-friendly so it won't dominate your pipeline time.
Node-locked, floating, subscription, trial, and feature-gated licenses, issued and revoked from the dashboard or the REST API. You control hardware-binding strictness, grace periods, and offline tolerance per product, so you can be strict with enterprise seats and forgiving with consumer trials.
Yes, on Compound and Catalyst. Air-gapped activation uses a signed challenge-response file pair, so a machine that never touches the internet can still be licensed and periodically re-verified. Catalyst customers can also run the entire activation server on-prem.
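
The signed challenge-response exchange described above, sketched as an added example; it is not Arxam's code or file format. The struct layouts, the choice of Ed25519, and the names `Issue` and `Verify` are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assumed file layouts: Challenge leaves the offline machine, Response returns signed.
type Challenge struct{ MachineID string; Nonce []byte }
type Response struct {
	Challenge Challenge // echoed so the reply is bound to one request
	Expires   int64     // Unix seconds; forces periodic re-verification
	Sig       []byte
}

func signedBytes(r Response) []byte {
	r.Sig = nil // the signature covers every other field
	b, _ := json.Marshal(r)
	return b
}

func Issue(priv ed25519.PrivateKey, c Challenge, expires time.Time) Response {
	r := Response{Challenge: c, Expires: expires.Unix()}
	r.Sig = ed25519.Sign(priv, signedBytes(r))
	return r
}

func Verify(pub ed25519.PublicKey, c Challenge, r Response, now time.Time) error {
	switch {
	case !ed25519.Verify(pub, signedBytes(r), r.Sig):
		return errors.New("bad signature")
	case r.Challenge.MachineID != c.MachineID || !bytes.Equal(r.Challenge.Nonce, c.Nonce):
		return errors.New("response not bound to this challenge")
	case now.Unix() > r.Expires:
		return errors.New("license expired")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	c := Challenge{"HOST-01", make([]byte, 16)} // constructed sample machine ID
	rand.Read(c.Nonce)                          // fresh nonce per request blocks replay
	fmt.Println(Verify(pub, c, Issue(priv, c, time.Now().Add(time.Hour)), time.Now()))
}
```

In a design like this only the public key needs to be present on the offline machine; the signing key stays with whoever issues the response file.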
You choose the response policy per build: terminate immediately, degrade silently into incorrect behavior, or report-and-continue so you gather intelligence without tipping off the attacker. Every detection, whether a debugger attach, a patched byte, or a blocked VM, can stream to your threat telemetry feed in real time.
Hardening can run in our cloud or, on Catalyst, entirely inside your own infrastructure, so your unprotected binary never leaves your network. Telemetry is yours: export it, route it to your SIEM, or keep it in the Arxam dashboard. We're SOC 2 Type II and will sign a DPA.
A first protected build usually takes an afternoon; most teams reach production within two weeks once they've tuned a profile and validated it against their test suite. Compound and Catalyst include engineer support to get you there faster.