Static malware triage presents a tradeoff between detection completeness and operational cost: signature-based systems miss novel threats, while LLM-based analysis of every uploaded sample is economically prohibitive. We present RaspBlue, an evidence-first architecture that combines deterministic AST-based static analysis with on-demand contextual LLM enrichment. The system runs a two-lane queue: a high-concurrency deterministic lane (10 workers) and a gated contextual-reasoning lane (1 worker), connected through a SQLite lease-based FIFO scheduler with priority ordering. Over 2,276 production scan jobs, the platform processed 10,405 findings across 35 detector categories spanning supply-chain compromise, code-level malicious behavior, byte-level anomalies, and build-metadata attacks. A hybrid retrieval pipeline combining BM25 lexical scoring, DeepInfra semantic embeddings, reciprocal rank fusion (RRF), maximal marginal relevance (MMR), and adaptive thresholding reaches 91.2% detection accuracy when contextual enrichment is enabled. At a risk-score threshold of 60, 81.7% of determinations are resolved in the deterministic lane alone, reserving LLM context for the hardest cases. We give a detailed analysis of the architecture, retrieval algorithms, queue scheduling model, and production performance data. The evidence-first approach reduces LLM inference cost by approximately 44% while matching the detection accuracy of full-context analysis.
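The two-lane, lease-based scheduler and the risk-score gate described above, as an added Python example that is not RaspBlue's own code: findings are routed by risk score into a deterministic or a contextual lane (the abstract's threshold of 60; treating the boundary as inclusive is an assumption here), and workers claim jobs under an atomic lease so that a job held by a crashed worker is reassigned once its lease expires. The table schema, the 30-second lease, and the `enqueue`/`claim`/`complete` names are assumptions; the sample findings in the usage are constructed.

```python
"""Two-lane, lease-based FIFO scheduler on SQLite with priority ordering, gating
findings to the single-worker contextual (LLM) lane by risk score. Added
illustration, not RaspBlue's scheduler; schema and lease length are assumptions."""
import sqlite3
import time

RISK_THRESHOLD = 60                                      # abstract: gate to the LLM lane
LEASE_SECONDS = 30.0                                     # assumption
LANE_WORKERS = {"deterministic": 10, "contextual": 1}    # worker counts from the abstract

SCHEMA = """
CREATE TABLE IF NOT EXISTS jobs (
  id          INTEGER PRIMARY KEY AUTOINCREMENT,
  sample      TEXT    NOT NULL,
  lane        TEXT    NOT NULL,
  priority    INTEGER NOT NULL DEFAULT 0,
  status      TEXT    NOT NULL DEFAULT 'pending',  -- pending | leased | done
  lease_owner TEXT,
  lease_until REAL
);
CREATE INDEX IF NOT EXISTS jobs_claim ON jobs (lane, status, priority, id);
"""


def open_queue(path=":memory:"):
    # isolation_level=None: we issue BEGIN/COMMIT ourselves so a claim is one transaction.
    con = sqlite3.connect(path, isolation_level=None)
    con.executescript(SCHEMA)
    return con


def lane_for(risk_score):
    """Gate: only findings at or above the threshold get LLM context (assumption: >=)."""
    return "contextual" if risk_score >= RISK_THRESHOLD else "deterministic"


def enqueue(con, sample, risk_score, priority=0):
    lane = lane_for(risk_score)
    cur = con.execute("INSERT INTO jobs (sample, lane, priority) VALUES (?, ?, ?)",
                      (sample, lane, priority))
    return cur.lastrowid, lane


def claim(con, lane, worker, now=None, lease=LEASE_SECONDS):
    """Atomically lease the highest-priority, oldest claimable job in `lane`.
    Claimable = pending, or leased with an expired lease (crashed/stalled worker)."""
    now = time.time() if now is None else now
    con.execute("BEGIN IMMEDIATE")   # write lock: two workers cannot lease the same row
    try:
        row = con.execute(
            "SELECT id FROM jobs WHERE lane = ? AND (status = 'pending' "
            "OR (status = 'leased' AND lease_until < ?)) "
            "ORDER BY priority DESC, id ASC LIMIT 1",   # priority first, FIFO within it
            (lane, now),
        ).fetchone()
        if row is not None:
            con.execute(
                "UPDATE jobs SET status = 'leased', lease_owner = ?, lease_until = ? WHERE id = ?",
                (worker, now + lease, row[0]),
            )
        con.execute("COMMIT")
    except Exception:
        con.execute("ROLLBACK")
        raise
    return None if row is None else row[0]


def complete(con, job_id, worker):
    """Only the current lease holder may finish the job: a worker whose lease
    expired and was reassigned gets False instead of clobbering the new owner."""
    cur = con.execute(
        "UPDATE jobs SET status = 'done', lease_owner = NULL, lease_until = NULL "
        "WHERE id = ? AND status = 'leased' AND lease_owner = ?",
        (job_id, worker),
    )
    return cur.rowcount == 1


def deterministic_share(con):
    """Fraction of enqueued jobs that never needed the contextual lane."""
    total, det = con.execute(
        "SELECT COUNT(*), SUM(lane = 'deterministic') FROM jobs").fetchone()
    return (det or 0) / total if total else 0.0


if __name__ == "__main__":
    q = open_queue()
    # Constructed findings: (sample, risk score, priority).
    for sample, risk, prio in [("a.tgz", 12, 0), ("b.whl", 75, 0), ("c.tgz", 60, 5)]:
        print(sample, enqueue(q, sample, risk, prio))
    job = claim(q, "contextual", "llm-worker-0")
    print("leased", job, "done:", complete(q, job, "llm-worker-0"))
```

`BEGIN IMMEDIATE` takes SQLite's write lock before the SELECT, so ten deterministic workers polling the same table cannot lease one row twice, and `complete` checks the lease owner so a worker that stalled past its lease cannot overwrite the result of the worker that took the job over. The `ORDER BY priority DESC, id ASC` clause is what makes the queue a priority FIFO: within one priority level, the autoincrement id is the arrival order.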
Publication Date: 2026-06-19
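The retrieval chain named in the abstract, as an added Python example rather than the paper's pipeline: BM25 over a constructed corpus of context notes, cosine similarity over constructed 3-d embeddings standing in for DeepInfra vectors, RRF with k = 60, an adaptive cut at the largest gap in the fused scores, and MMR with λ = 0.5. The corpus, the embeddings, the gap-based threshold rule, the RRF constant, the MMR weight and the order of the last two stages are all assumptions, since the abstract gives only the component names.

```python
"""Hybrid retrieval: BM25 and embedding similarity fused with reciprocal rank
fusion (RRF), cut with an adaptive threshold, then re-ranked with maximal
marginal relevance (MMR). Added illustration, not RaspBlue's own code."""
import math
from collections import Counter

# Constructed corpus: short context notes a triage LLM might be handed.
CORPUS = {
    "c1": "npm postinstall script downloads and executes a remote shell payload",
    "c2": "setup.py install hook spawns curl to fetch a binary from a pastebin url",
    "c3": "base64 encoded blob decoded and passed to eval at import time",
    "c4": "typosquatted package name differs from popular package by one character",
    "c5": "build metadata points to a repository that does not match the tarball",
}
# Constructed 3-d embeddings standing in for DeepInfra vectors (assumption: real
# vectors are far wider). c1 and c2 are deliberately near-duplicates in meaning.
EMBED = {
    "c1": (0.90, 0.40, 0.10),
    "c2": (0.85, 0.45, 0.15),
    "c3": (0.20, 0.90, 0.30),
    "c4": (0.10, 0.20, 0.95),
    "c5": (0.20, 0.10, 0.90),
}

def tokenize(text):
    return text.lower().split()

def bm25_scores(query, corpus=CORPUS, k1=1.5, b=0.75):
    """Lexical lane: classic BM25 over whitespace tokens."""
    docs = {d: tokenize(t) for d, t in corpus.items()}
    n = len(docs)
    avgdl = sum(len(t) for t in docs.values()) / n
    df = Counter()
    for toks in docs.values():
        df.update(set(toks))
    scores = {}
    for d, toks in docs.items():
        tf = Counter(toks)
        s = 0.0
        for q in tokenize(query):
            if q not in tf:
                continue
            idf = math.log(1 + (n - df[q] + 0.5) / (df[q] + 0.5))
            s += idf * tf[q] * (k1 + 1) / (tf[q] + k1 * (1 - b + b * len(toks) / avgdl))
        scores[d] = s
    return scores

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

def semantic_scores(query_vec, embed=EMBED):
    """Semantic lane: cosine similarity of the query embedding to each note."""
    return {d: cosine(query_vec, v) for d, v in embed.items()}

def rrf(*rankings, k=60):
    """Reciprocal rank fusion: each ranking contributes 1/(k + rank) per document.
    k = 60 is the common default and an assumption here."""
    fused = Counter()
    for scores in rankings:
        ordered = sorted(scores, key=scores.get, reverse=True)   # stable on ties
        for rank, d in enumerate(ordered, start=1):
            fused[d] += 1.0 / (k + rank)
    return dict(fused)

def minmax(scores):
    lo, hi = min(scores.values()), max(scores.values())
    span = (hi - lo) or 1.0
    return {d: (s - lo) / span for d, s in scores.items()}

def adaptive_threshold(scores):
    """Data-driven cut: keep everything above the largest gap in the sorted scores.
    The abstract does not state RaspBlue's rule; this knee cut is an assumption."""
    ordered = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    if len(ordered) < 2:
        return dict(ordered)
    gaps = [ordered[i][1] - ordered[i + 1][1] for i in range(len(ordered) - 1)]
    return dict(ordered[: gaps.index(max(gaps)) + 1])

def mmr(candidates, embed=EMBED, n=3, lam=0.5):
    """Maximal marginal relevance: trade relevance against redundancy with notes
    already selected, so a near-duplicate of the top hit is demoted."""
    selected, pool = [], dict(candidates)

    def gain(d):
        redundancy = max((cosine(embed[d], embed[s]) for s in selected), default=0.0)
        return lam * pool[d] - (1 - lam) * redundancy

    while pool and len(selected) < n:
        best = max(pool, key=gain)
        selected.append(best)
        del pool[best]
    return selected

def retrieve(query, query_vec, n=3):
    """Full chain: BM25 + embeddings -> RRF -> normalise -> adaptive cut -> MMR."""
    fused = minmax(rrf(bm25_scores(query), semantic_scores(query_vec)))
    return mmr(adaptive_threshold(fused), n=n)
```

On the constructed data, `retrieve("postinstall script downloads remote payload", (0.9, 0.4, 0.1), n=2)` returns c1 and c3 rather than c1 and c2: c2 is semantically almost identical to c1, and MMR trades its fused relevance against that redundancy once c1 is selected. Min-max normalising the fused scores before MMR matters because raw RRF scores all sit in a narrow band near 1/k and would otherwise be swamped by the cosine redundancy term; the gap cut drops c4 and c5, which neither lane ranked well.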