Release Notes: Decision-Ready SOC Reporting, Elastic Security Integration, and 1400+ Threat Coverage Updates

Security leaders are under growing pressure to reduce the time between threat detection and response without adding more complexity to already overloaded SOC workflows. ANY.RUN’s May updates help teams act on security risks more efficiently, improve consistency across investigations, and maintain stronger protection as attacker tactics continue to evolve.

Discover the updates your team can use to strengthen SOC performance, reduce response delays, and stay ahead of emerging threats. 

Product Updates

In May, ANY.RUN introduced new capabilities to help SOC and MSSP teams reduce investigation delays, improve threat visibility, and make faster response decisions. The updates include decision-ready Tier 1 Reports with AI-powered insights and a new Threat Intelligence Feeds integration with Elastic Security.

Reduce Investigation Delays with Decision-Ready Tier 1 Reports 

SOC teams can now generate structured Tier 1 Reports directly in ANY.RUN’s Interactive Sandbox, turning complex analysis findings into clear, actionable intelligence for faster response decisions.

Tier 1 Reports available in ANY.RUN sandbox

Instead of reviewing raw technical data or rebuilding investigation context during escalations, teams receive a ready-to-use report with a threat verdict, key IOCs, behavioral indicators, and MITRE ATT&CK mapping. Each report also includes an AI Summary with threat classification, a concise overview of the incident, and recommendations for the next response steps.

AI Summary providing a clear, structured overview of the threat

This gives SOC managers, Heads of SOC, and CISOs a clearer view of incident severity, potential business impact, and response priorities while helping teams move cases forward without unnecessary delays.

AI Recommendations generated by ANY.RUN's sandbox

With Tier 1 Reports, your SOC can: 

  • Accelerate alert triage: Help Tier 1 teams validate threats and make faster escalation decisions.
  • Reduce investigation delays: Give Tier 2 and incident response teams structured context without requiring them to reconstruct the case from raw data.
  • Improve SOC efficiency: Reduce repetitive reporting work and free senior teams to focus on high-priority incidents. 
  • Strengthen business-risk visibility: Help decision-makers understand which threats require urgent action and where response efforts should be focused.
  • Standardize incident reporting: Create consistent, easy-to-share reports for faster internal communication and more informed decisions.

Unlimited Tier 1 Report generation, including AI Summary and Recommendations, is available with Enterprise Suite and Hunter plans. Free plan users receive five shared generations.

ANY.RUN Threat Intelligence Feeds Are Now Available in Elastic Security 

SOC and MSSP teams can now integrate ANY.RUN Threat Intelligence Feeds directly into Elastic Security to bring fresh, sandbox-backed IOCs into their existing workflows.

Built from live sandbox investigations across more than 15,000 organizations and a community of 600,000 security professionals, ANY.RUN Threat Intelligence Feeds provide indicators linked to active phishing, malware delivery, and attacker campaigns.

Once configured, the integration ingests IP addresses, domains, URLs, and other IOCs into Elastic Security on a scheduled basis. Each indicator includes additional context and a direct link to the related sandbox report, helping teams quickly understand threat behavior and TTPs.

IOC overview of Threat Intelligence Feeds inside Elastic Security

Here is what your team gains: 

  • Detect threats early: Use fresh indicators from live attacks to identify malicious activity sooner.
  • Validate alerts with real context: Use sandbox-backed evidence instead of relying only on static indicators.
  • Reduce manual work: Eliminate repetitive enrichment steps and tool switching. 
  • Improve detection quality: Use high-confidence indicators in detection rules and correlation logic.
  • Speed up triage and response: Access additional context directly in Elastic Security and make faster decisions.

The plug-and-play integration is available to teams with an active Threat Intelligence Feeds license (Threat Intelligence Live or Complete subscriptions).
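To make the ingestion step concrete, here is an added example (not ANY.RUN's or Elastic's own code) that maps a constructed IOC feed into ECS-style `threat.indicator.*` documents, the field family Elastic Security's indicator match rules query, and then runs a simple indicator match over constructed proxy events while carrying the sandbox report link along as context. The feed's field names and the report URLs are assumptions, not the real feed format.

```python
"""Added example: feed entries -> ECS threat indicator docs -> indicator match.
Feed layout and report URLs are assumed/constructed, not the real feed."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample feed (placeholder values, not real indicators).
FEED = [
    {"type": "ip", "value": "203.0.113.45",
     "report": "https://sandbox.example/report/EXAMPLE-1"},
    {"type": "domain", "value": "login-verify.example",
     "report": "https://sandbox.example/report/EXAMPLE-2"},
    {"type": "url", "value": "http://cdn.example/captcha/verify.js",
     "report": "https://sandbox.example/report/EXAMPLE-3"},
]

# Constructed sample proxy events in ECS field names.
EVENTS = [
    {"source.ip": "10.0.0.7", "destination.ip": "203.0.113.45",
     "url.full": "http://203.0.113.45/gate.php"},
    {"source.ip": "10.0.0.9", "destination.ip": "198.51.100.2",
     "url.full": "http://cdn.example/captcha/verify.js"},
    {"source.ip": "10.0.0.3", "destination.ip": "192.0.2.10",
     "url.full": "https://intranet.example/ok"},
]

ECS_TYPE = {"ip": "ipv4-addr", "domain": "domain-name", "url": "url"}

def to_ecs(entry: dict) -> dict:
    """Build one ECS threat indicator document from a feed entry."""
    doc = {"event.kind": "enrichment", "event.category": "threat",
           "event.type": "indicator", "threat.feed.name": "ANY.RUN TI Feeds",
           "threat.indicator.type": ECS_TYPE[entry["type"]],
           "threat.indicator.reference": entry["report"]}  # sandbox report link
    if entry["type"] == "ip":
        ipaddress.ip_address(entry["value"])  # reject malformed feed lines early
        doc["threat.indicator.ip"] = entry["value"]
    elif entry["type"] == "domain":
        doc["threat.indicator.url.domain"] = entry["value"].lower().rstrip(".")
    else:
        doc["threat.indicator.url.full"] = entry["value"]
    return doc

def indicator_match(events, indicators):
    """Return (event, indicator) pairs where an event field equals an indicator value."""
    hits = []
    for ev in events:
        host = urlsplit(ev["url.full"]).hostname or ""
        for ind in indicators:
            if (ind.get("threat.indicator.ip") == ev["destination.ip"]
                    or ind.get("threat.indicator.url.domain") == host
                    or ind.get("threat.indicator.url.full") == ev["url.full"]):
                hits.append((ev, ind))
    return hits

def matches():
    return indicator_match(EVENTS, [to_ecs(e) for e in FEED])
```

Each hit keeps `threat.indicator.reference`, so an analyst can pivot from the alert straight to the sandbox report instead of re-running enrichment.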

Integrate ANY.RUN Threat Intelligence Feeds with Elastic Security → 

Threat Coverage Updates 

In May, the detection team continued to strengthen ANY.RUN’s threat coverage by adding 120 new behavior signatures, 1,327 new Suricata rules, and 7 new YARA rules. These additions expand detection capabilities across suspicious behaviors, network-level activities, and file-based indicators.

New Behavior Signatures 

The 120 new behavior signatures added in May cover malware-specific activities, mutex indicators, and exploitation-related behavior. These signatures focus on observable actions and artifacts that appear during detonation, helping security teams confirm sample behavior within the sandbox.

Highlighted detections include: 

P3TY ransomware analyzed inside ANY.RUN sandbox 

Tools, RMM & Exploitation: 

New Suricata Rules 

A total of 1,327 new Suricata rules were implemented in May to improve visibility into malicious network activity, including phishing kit communications and C2 check-ins.

  • Generic Fake Captcha HTTP activity (sid: 85007558): Detects fake captcha implementations used in the execution chains of various phishing campaigns.
  • DrimKit related HTTP GET request (sid: 85007566): Identifies activity associated with the emerging phishing kit known as DrimKit.
  • Tycoon2FA related JS file in HTTP response (sid: 84003241): Tracks client-side code loaded by phishing pages related to Tycoon2FA.

New Threat Intelligence Reports 

In May, ANY.RUN released three new Threat Intelligence Reports providing in-depth analysis of recent malware activity and attacker techniques. These reports are available to TI Lookup Premium subscribers to support faster investigations.

Threat Intelligence Reports available for deeper analysis

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps businesses and organizations strengthen security operations with faster threat understanding and clearer evidence for response.

Its solutions include the Interactive Sandbox for enterprise-scale malware and phishing analysis, as well as Threat Intelligence solutions built on investigation data from more than 15,000 organizations. This intelligence helps security teams enrich alerts, detect active threats earlier, and support investigation and response workflows with relevant context.

ANY.RUN is SOC 2 Type II attested, reflecting its strong security controls and commitment to protecting customer data. For SOCs, MSSPs, and enterprise teams, the platform helps reduce investigation uncertainty, improve triage speed, and turn threat analysis into actionable insights for faster, better-informed decisions.

Integrate ANY.RUN into your SOC workflow → 

The post Release Notes: Decision-Ready SOC Reporting, Elastic Security Integration, and 1400+ Threat Coverage Updates appeared first on ANY.RUN’s Cybersecurity Blog.