What happens when a malware analyst decides to build a product he always wished he had? The case of ANY.RUN tells us that ten years later it may turn into an industry-standard solution, adopted by 74 Fortune 100 companies. 

Celebrating a decade of ANY.RUN, CEO Aleksey Lapshin shared his perspective on the evolution of the company, the reality of AI in cybersecurity, and why human expertise remains the most valuable asset in the age of AI. 

Key Takeaways 

• According to Aleksey Lapshin, ANY.RUN was created to solve real problems analysts faced every day: slow investigations, fragmented tools, and inefficient workflows.  

• Lapshin believes that despite rapid AI adoption, human expertise and manual verification are becoming even more valuable in modern SOC operations.  

• One of ANY.RUN’s biggest competitive advantages is its community-driven threat intelligence built from thousands of daily analyst investigations.  

• The company’s long-term vision is to create a faster, less stressful, and more effective environment for cybersecurity teams.  

• The CEO argues that AI will not replace cybersecurity professionals; instead, it will increase the need for skilled analysts capable of validating and responding to complex threats. 

The Foundation of ANY.RUN 

Q: Going back a decade, what was the initial spark that led to the creation of ANY.RUN in 2016? 

Aleksey Lapshin: It started as a very personal mission. I worked as a malware analyst and the tools we had at the time were simply ineffective for the reality of the job. Most antiviruses only gave a simple “yes/no” verdict, while my actual task was to deeply research malware behavior and extract valuable IOCs. Analyzing just one sample and getting meaningful results often took an entire day of manual work.  

I wanted to build a malware sandbox that removed that manual routine of setting up your virtual environment, gave you full interactive control over the VM, and brought the whole process to a unified standard. The main goal was simple: get results fast. I wanted to see what a threat actually does in real time, within seconds of detonating the malware, instead of waiting 10+ minutes for a standard sandbox report.  

Q: How did you go from building a personal project to launching a full product? 

At first, it was just my personal project that I kept using and improving. Then I thought maybe others could use this too. I made a basic landing page, spent $100 on Google Ads, and quickly got more than 100 requests, many from security professionals at large enterprises. The unexpected response inspired me to try to make the sandbox available to the public. But for that, I needed more hands on deck. 

We started with just two people, then grew to three. With this small team, we launched the first public version and even built the very first paid version. For a long time, I personally handled marketing, spoke with potential customers, and closed sales myself. Thanks to that hands-on approach, we reached operational profitability almost from the very beginning. 

We also made a strategic decision to offer a free tier, which was instrumental in building a community around the service early on. Instead of being a solution forced on teams from the top down by management, SOC teams began to adopt us because the analysts themselves found it faster and more effective than anything else they had. This allowed the product to grow naturally within organizations.  

Evolution and the Modern SOC 

Q: How have the company’s goals evolved over these 10 years? 

For a long time, we grew by focusing almost exclusively on the analyst’s technical needs and their individual workspace. Today, we’ve shifted to looking at the landscape from two sides: the analyst and the business.  

Our goal now is to ensure that ANY.RUN’s solutions provide the value businesses and MSSPs need. That means not just helping analysts investigate threats, but helping organizations reduce detection gaps that directly translate into business risk, incident impact, and operational disruption. 

Q: In small versus large SOCs, how does the role of ANY.RUN differ? 

It is hard to speak for every SOC, but I can give you the most common scenarios. In smaller teams where a SOC might not even be fully formed, ANY.RUN’s solutions often become the primary, central workstation. The analysts there are usually handling Tier 1, 2, and 3 duties all at once. They need a “do-it-all” environment where they can perform manual investigations and get immediate results.  

In large-scale enterprise SOCs, where there is a massive and constant flow of alerts, we integrate into a much larger chain of products like SIEM, SOAR, and EDR to provide actionable context. But no matter how advanced the company’s security or how strong their automation is, manual verification is still essential, even more so in the age of AI.  

Attackers now can generate countless sophisticated and convincing phishing variants in seconds. This is exactly why ANY.RUN’s solutions are where SOC teams go to get the real ground truth, remove uncertainty, and make final decisions about risk.  

“No matter how advanced the company’s security or how strong their automation is, manual verification is still essential, even more so in the age of AI.” 

Q: What is the ideal place for ANY.RUN in a modern SOC environment? 

I’ve always wanted it to be a place where people actually feel comfortable and confident working, which is rare in this industry. Most security solutions can be sterile, exhausting, and quite dull. 

I aim for ANY.RUN to be a burnout-free environment SOC teams actually want to return to because it reduces their fatigue and gives them certainty in their findings. We want to be recognized as one of the primary, essential locations in a SOC, and I’m really happy that clients confirm in their reviews that we’re succeeding in this. But we also know that it requires us to keep working hard to maintain that level of trust and responsibility. 

“I aim for ANY.RUN to be a burnout-free environment SOC teams actually want to return to.” 

Philosophy of Growth 

Q: What were the biggest personal milestones and challenges for you during this journey? 

I don’t really view our history through “big bang” milestones or singular moments of triumph. To me, the most important part of the journey has been the constant, incremental improvements we make every single day. 

That said, there is one moment that really stands out to me. Just a couple of months after we released the paid version, the first company reached out and told us they wanted to buy an ANY.RUN subscription for 7 users on a three-year contract. It felt both exciting and overwhelming. I wasn’t sure if we were ready for that level of responsibility, but it made me very proud. It was the real validation that we were solving a genuine pain point for companies.   

As for the biggest challenge, I would say it is always the next step right in front of us, especially since we usually have multiple development streams running at the same time. 

Q: What’s your personal philosophy on growth and success after 10 years of building the company? 

I don’t believe in the traditional cycle of setting a target, reaching it, and then stopping to rest before the next one. What works for me is simply moving forward step by step. I’m always in the middle of achievements, which means less rest but also constant progress. When you look back, you realize how far you’ve come. 

The AI Landscape and ANY.RUN’s Biggest Competitive Advantage 

Q: With AI dramatically lowering the bar for software development, what is ANY.RUN’s biggest competitive advantage today? 

Modern AI can indeed recreate an interface or mimic basic detection logic, but it cannot copy ten years of community trust and human-driven telemetry.   

Our real capital isn’t just the software, it’s the data moat we’ve built over a decade of focusing on the real needs of security professionals. Every day, more than 10,000 companies contribute valuable data to this ecosystem. Their analysts investigate the latest malware and phishing in the sandbox, which generates large volumes of unique telemetry on active threats. 

In theory, AI could build a clone of our sandbox that looks just as good, or even better, but without the community-sourced threat data, it would be like a beautiful car with no gas. 

Our “gas” is over 35,000+ daily human-driven investigations every day, creating a continuous stream of real-world threat intelligence. This data directly translates into faster detection, better context, and earlier understanding of emerging attacks for our paid clients, giving them a clear advantage against attackers. 

That’s why we’ve been investing in and supporting the ANY.RUN community for 10 years, and it continues to be our number one priority. 

“AI could build a clone of our sandbox that looks just as good, or even better, but without the community-sourced threat data, it would be like a beautiful car with no gas.” 

Q: What’s your take on the idea of fully autonomous AI SOCs? 

I see AI as a double-edged sword. It drives rapid innovation on both the attacking and defending sides of the cybersecurity landscape.  

Yet, attackers will always be faster because defense must be massive and cover everything, while an attack only needs one successful vector to succeed. Criminals don’t just target systems; they target people. In a phishing attack, for example, they can leverage AI to craft a message designed to bypass another AI so that a human will eventually click on it. 

Because of this reality, I believe the idea of a fully autonomous SOC where AI simply fights cyber threats without any human involvement is totally unrealistic. That is exactly the reason why, with the rise of AI threats, manual verification of alerts by SOC analysts is actually becoming more valuable than ever before. You need a person to validate what the AI might miss or what the attacker has specifically designed to appear benign to an automated filter. 

Of course, many basic attacks can already be largely handled by AI, especially at the detection and initial triage stages. But as more attackers adopt AI, the volume of attacks grows exponentially, so even with higher automation, the total amount of work requiring human validation is likely to increase rather than decrease. 

“With the rise of AI threats, manual verification of alerts by SOC analysts is becoming more valuable than ever before.” 

Q: What are the main risks for companies that are trying to replace their Tier 1 analysts with AI? 

I would say there are two core risks that companies often overlook.  

First, as I said, if you rely solely on AI, attackers will eventually adapt their methods specifically to bypass those filters, and if you’ve removed the human element, you have no last line of defense.  

Second is the “knowledge erosion” problem. Tier 1 is the essential training ground for future specialists; if you automate it entirely, where do your Tier 2 and Tier 3 analysts come from in a few years? You’ll eventually end up with a workforce that lacks foundational experience and “gut feeling” because they never “grew up” handling those initial, real-world alerts. Over time, this creates a structural risk where organizations lose their ability to investigate, contain, and respond to incidents effectively. 

Q: Would you say the cybersecurity industry in 2026 actually needs more people than ever before? 

Absolutely, and thinking otherwise is a self-delusion. While AI helps us automate certain tasks, it also allows attackers to scale the volume and complexity of their strikes exponentially.  

AI doesn’t reduce the need for people in security. It increases the number of problems only people can solve. We’ve found that with the arrival of AI, the industry actually requires more skilled people to deal with the new categories of problems that AI-driven attacks are creating. 

“AI doesn’t reduce the need for people in security. It increases the number of problems only people can solve.” 

Looking Forward 

Q: As you look forward, what are the key strategic tasks for ANY.RUN in the coming years? 

Our main goal right now is to provide a powerful decision-making layer for SOC and MSSP teams. We want to bring all critical information together so analysts can move from alert to a final decision as quickly and easily as possible. 

We will continue doubling down on our biggest advantage, the unique data we have, while expanding detection capabilities, scaling our infrastructure, and ensuring our solutions deliver real value to both analysts and the business. 

Get Special ANY.RUN Offers Before May 31 

To mark its 10th anniversary, ANY.RUN is offering special conditions for SOCs, MSSPs, and enterprise security teams that want to strengthen phishing analysis, threat intelligence, and response readiness. 

Trusted by security teams worldwide, including 74 Fortune 100 companies, ANY.RUN helps organizations bring earlier threat visibility into the workflows where response decisions happen. 

Until May 31, teams can access anniversary offers across key ANY.RUN solutions, including: 

• Interactive Sandbox‘s Enterprise Suite plan to safely analyze suspicious links, files, emails, and phishing pages with behavior-based visibility, with bonus seats and exclusive pricing available for teams. 

• Threat Intelligence’s Complete plan with extra months to help teams connect single cases to related infrastructure, IOCs, campaigns, and broader threat activity. 

This is a great opportunity to close social engineering blind spots, reduce gray-zone investigations, and give teams clearer evidence before trusted workflows turn into exposure. 

About ANY.RUN 

ANY.RUN delivers cybersecurity solutions designed to support security operations in businesses and organizations. The company’s goals is to help security teams understand threats faster, make informed decisions, and use threat intelligence across detection, investigation, and response workflows in SOCs and MSSPs.  

The company’s solutions include Interactive Sandbox for enterprise-scale malware and phishing analysis, as well as ANY.RUN Threat Intelligence solutions accumulating investigation data from 15,000+ SOCs for instant enrichment and early threat detection. 

ANY.RUN is SOC 2 Type II attested, reflecting strong security controls and a commitment to protecting customer data. For SOCs, MSSPs, and enterprise teams, ANY.RUN helps reduce investigation uncertainty, improve triage speed, and turn threat analysis into clear, actionable evidence.  

The post Inside ANY.RUN’s 10-Year Evolution: An Interview with CEO Aleksey Lapshin appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More