IOCX is engineered for predictable, low‑latency static analysis across text, buffers, and Windows PE files. This document defines the performance guarantees that every release must uphold. All guarantees are enforced through automated CI performance tests.
IOCX must remain fast, stable, and deterministic — even under adversarial or malformed inputs.
The table below reflects measured performance on reference hardware under CI‑controlled conditions.
| Subsystem | Input Type | Size | Time | Throughput |
|---|---|---|---|---|
| Raw IOC extraction (domains) | Text | 1 MB | 0.0033 s | ~300 MB/s |
| Raw IOC extraction (crypto) | Text | 1 MB | 0.0037 s | ~270 MB/s |
| Raw IOC extraction (filepaths) | Text | 1 MB | 0.0040 s | ~250 MB/s |
| Raw IOC extraction (IP) | Text | 1 MB | 0.0064 s | ~156 MB/s |
| Pathological IPv6 blob | IPv6‑dense text | 1 MB | 0.0004 s | ~2500 MB/s |
| Pathological ETH‑like blob | Crypto‑dense text | 1 MB | 0.0012 s | ~830 MB/s |
| Typical PE | 39 KB PE | 39 KB | 0.0132 s | ~6–15 MB/s |
| Typical PE (with heuristics) | 39 KB PE | 39 KB | 0.0153 s | ~6–15 MB/s |
| Adversarial dense PE | 1.5 MB PE | 1.5 MB | 0.1977 s | ~7.6 MB/s |
| Malformed PE (“Franken”) | 64 KB PE | 64 KB | 0.0017 s | N/A |
| Full engine (non‑PE) | 1 MB text | 1 MB | 0.0411 s | ~24 MB/s |
Key takeaways:
- Raw IOC extraction: 150–300 MB/s
- Typical PE: ~13–15 ms
- Adversarial PE: ~0.197 s
- Worst‑case text blobs: sub‑millisecond to low‑millisecond
Raw IOC extraction is the fast path (no PE parsing, no heuristics).
- ≤ 10 ms for 1 MB mixed IOC‑rich text
- ≤ 5 ms for crypto‑dense or IPv6‑dense blobs
domains !MB: 0.0033s
crypto 1MB: 0.0037s
filepaths 1MB: 0.0040s
IP 1MB: 0.0064s
IPv6 blob: 0.0004s
ETH blob: 0.0012s
Punycode blob: 0.0125s
- Strict O(n) linear scanning
- No regex backtracking
- No pathological slow paths
- ≤ 15 ms for 1 MB mixed content
- ≤ 50 ms for deeply nested or adversarial paths
filepaths 1MB mixed-content: 0.0040s
pathological deep UNIX path: 0.0248s
- No recursion
- No exponential behaviour
- ≤ 15 ms for 1 MB mixed content
- ≤ 5 ms for IPv6‑dense blobs
IP 1MB mixed-content: 0.0064s
pathological IPv6 blob: 0.0004s
- IPv6 detector remains sub‑millisecond
- No catastrophic parsing behaviour
- ≤ 10 ms for 1 MB mixed crypto text
- ≤ 5 ms for pathological ETH/BTC‑like blobs
crypto 1MB mixed-content: 0.0037s
pathological ETH-like blob: 0.0012s
- Full Base58Check validation remains linear
- No backtracking or exponential behaviour
- ≤ 5 ms for 1 MB mixed domain text
- ≤ 15 ms for pathological punycode-like blobs
domains 1MB mixed-content: 0.0033s
pathological punycode-like blob: 0.0125s
- domains detector remains sub‑millisecond
- No catastrophic parsing behaviour
- ≤ 20 ms for a typical 30–60 KB PE
- Heuristics must not materially degrade performance
typical PE: 0.0132s
typical PE (heuristics): 0.0153s
- Deterministic PE parsing
- Minimal overhead from heuristics
Malformed or adversarial PEs must not degrade performance.
- ≤ 20 ms for malformed PEs
- No hangs, crashes, or exponential fallback behaviour
engine franken PE: 0.0017s
- Deterministic structural heuristics
- No repeated scanning
- No speculative parsing loops
- ≤ 250 ms for 1.5 MB adversarial PEs
dense PE (1.5MB): 0.1977s
- Stable under high‑entropy sections
- Stable under corrupted RVA/section tables
- Stable under adversarial import/TLS structures
IOCX must maintain strictly linear scaling with respect to input size.
300KB → ~0.001s
600KB → ~0.002s
1000KB → ~0.0029–0.0069s
1500KB → ~0.0044–0.0080s
- No superlinear behaviour
- No quadratic or exponential paths
Performance tests enforce:
- Upper‑bound thresholds for each subsystem
- Linear scaling checks
- No regression tolerance beyond jitter
- Hard failure if any guarantee is violated
IOCX is designed to be:
- Fast on normal inputs
- Fast on adversarial inputs
- Fast on malformed inputs
Performance is a core contract, not an optimisation.