Three cities, three cybersecurity conferences, and plenty of conversations with security professionals across Europe. 

Over the past few weeks, the ANY.RUN team joined Infosecurity Europe in London, CONFidence Conference in Kraków, and C1b3rWall Congress in Ávila. While every event had its own focus, the discussions pointed in the same direction: security teams need faster investigations, clearer evidence, and more confidence in every response decision. 

Infosecurity Europe 2026: From Alerts to Business Outcomes 

Infosecurity Europe was the biggest stop of our conference season. Over three days in London, the ANY.RUN team met with CISOs, SOC leaders, and MSSP teams to discuss the challenges shaping security operations today. 

One thing was hard to miss: the conversation has moved beyond alert volumes and technical metrics. 

Security leaders are under growing pressure to show how SOC performance supports the wider business. Boards do not simply want to know how many alerts were reviewed or how quickly a case was closed. They want to understand whether threats are identified early, whether risks are clearly assessed, and whether the team can act before an incident affects operations. 

Three priorities came up repeatedly during our conversations: 

From Alerts to Outcomes 

MTTR still matters, but the number alone does not tell the full story. Security teams need enough context to understand the impact of a threat, prioritize the right cases, and explain their decisions clearly. 

Behavioral analysis plays an important role here. By investigating suspicious files and URLs inside an interactive environment, teams can see how a threat behaves in real time and gather the evidence needed for a more confident response. 

Intelligence Where the Work Happens 

Security teams are not looking for another disconnected platform that adds extra steps to an already complex process. 

They want fresh threat intelligence and investigation-backed insights inside the tools they already use, including SIEM, SOAR, and EDR platforms. This helps teams move from detection to investigation and response without losing time switching between separate systems. 

Resilience Over Headcount 

Growing alert volumes cannot always be solved by growing the team. 

SOC leaders are looking for ways to make existing workflows more effective: reducing manual work, giving teams clearer evidence, and helping junior specialists handle routine investigations with greater confidence.

The goal is not simply to process more alerts. It is to build a more resilient SOC that can make consistent decisions even when the pressure rises. 

Infosecurity Europe was a valuable opportunity to discuss these priorities directly with the cybersecurity community and explore how behavioral visibility and live threat intelligence can support faster, clearer, and more reliable investigations. 

CONFidence Conference 2026: Practical Conversations with the Security Community 

Our next stop was CONFidence Conference in Kraków, where we joined cybersecurity professionals for two days of technical discussions, live demos, and conversations about the realities of modern threat investigation. 

Many of the challenges were familiar: rising alert volumes, increasingly sophisticated phishing campaigns, and the need to investigate threats faster without adding more pressure to already busy teams. 

At the ANY.RUN stand, visitors explored how behavioral visibility, investigation-backed threat intelligence, and cross-platform detection coverage can help SOCs and MSSPs analyze malware and phishing more consistently. 

But choosing the right security solution is not only about detection capabilities. Teams also need to know how they fit into their wider security environment: how sensitive data is handled, whether it supports controlled workflows, and whether the provider has the experience needed to support critical investigations. 

These questions matter even more for organizations operating in regulated industries, where security tools need to support effective threat response while meeting strict internal compliance requirements. 

This is an area ANY.RUN has continued to strengthen throughout its 10 years in cybersecurity. Today, our malware analysis and threat intelligence solutions are used by more than 15,000 organizations worldwide, including 74 of the Fortune 100 companies. ANY.RUN is also SOC 2 Type II attested, reflecting our commitment to strong security controls and careful handling of customer data. 

C1b3rWall Congress 2026: Exploring Ransomware Analysis in Action 

Our final stop was C1b3rWall Congress in Ávila, where cybersecurity professionals from both the public and private sectors gathered at the National Police School to discuss the threats shaping today’s security landscape. 

The event gave us a chance to look more closely at one of the most pressing challenges for security teams: ransomware. 

During our session, we demonstrated how ransomware can be analyzed inside ANY.RUN’s Interactive Sandbox and showed how interactive analysis helps teams move beyond a basic verdict.

Instead of simply confirming that a file is malicious, teams can observe how the attack unfolds in real time, identify suspicious processes, examine network activity, and understand the sequence of actions behind the threat. 

This kind of visibility is especially valuable when every decision matters. It gives security teams the context they need to assess risk faster, document their findings, and respond with greater confidence. 

C1b3rWall was also a valuable opportunity to connect with professionals working across different sectors and discuss how clearer behavioral evidence can support stronger, more reliable investigations.

 What Comes Next 

These events gave us the opportunity to connect with security professionals across Europe, exchange ideas, and discuss the challenges teams are facing today. 

The message was clear: faster investigations matter, but so do visibility, trust, and control. Security teams need solutions that help them act with confidence, even when the pressure is high. 

These conversations will continue to shape how we develop ANY.RUN and support SOCs and MSSPs worldwide. 

Thank you to everyone who stopped by, shared their experience, and joined the discussion. See you at the next events. 

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps SOC teams, MSSPs, and enterprises investigate threats faster and make more confident security decisions. 

With its cloud-based Interactive Sandbox, security teams can safely analyze suspicious files, URLs, and emails in real time, observe malicious behavior, and collect clear evidence for response without maintaining complex in-house infrastructure.

ANY.RUN’s Threat Intelligence solutions also help organizations uncover deeper threat context, enrich security workflows, and improve visibility into emerging risks. Together, these capabilities support faster triage, stronger threat response, and more efficient security operations at scale.

The post From Infosecurity Europe to CONFidence and C1b3rWall: What Security Teams Are Prioritizing in 2026 appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Talk to any threat hunter long enough, and beneath the polished case studies and conference talks, the same frustrations surface. Hunting is supposed to be proactive. In practice, it often feels reactive. You are chasing whispers of activity through log noise, querying SIEM fields that barely reflect real attacker behavior and writing detections against technique descriptions that were never meant to be operationalized directly. 

The challenge is not that analysts lack skill. Most hunting teams are sharp, methodical, and deeply familiar with attacker playbooks. The real friction is structural: the intelligence feeding hunts is often stale, decontextualized, or missing the behavioral granularity needed to write anything more than a broad, noisy detection. 

The core tension 

Threat hunting is a high-skill, time-intensive activity that justifies itself by finding what automated systems miss. But when the intelligence inputs are low-fidelity, even the most skilled hunters spend the majority of their time generating work rather than reducing risk. 

MITRE ATT&CK tells you a technique exists. It does not tell you how it behaves in a real attack chain against a real target. That gap between abstract TTP and concrete execution behavior is where many hunts quietly die. IOCs arrive stripped of context: you block an IP, a rotated domain from the same campaign lands in your environment three days later, and sails straight through.  

And then there is the false-positive problem. Not a technical inconvenience but a morale and process killer. Every alert that turns out to be Outlook talking to a Microsoft licensing server erodes confidence in the detection pipeline. Over-tuned rules miss real threats; under-tuned rules train analysts to discount the queue. 

In this article, we’ll explore how threat intelligence supports core hunting workflows and how ANY.RUN’s Threat Intelligence solutions help analysts investigate threats with greater speed and confidence. 

Key Takeaways

• Threat hunting fails structurally, not skillfully. The bottleneck is intelligence quality.
• Behavioral context beats indicators. A single IOC blocked solves nothing if the campaign behind it isn’t understood. Pivoting from one artifact — a mutex, a file path, a Suricata tag — into a full attack chain is what separates hunting from blocklisting.
• Hypothesis validation requires real attack data. ATT&CK describes techniques in the abstract. Effective hunting needs to know how a technique behaves in live, active campaigns — which tools operationalize it, what infrastructure it touches, what artifacts it leaves.
• False positives are a strategy problem, not just a noise problem. Every low-fidelity alert that consumes analyst attention is a detection that wasn’t built right. Validating rules against real samples before deployment is the difference between a detection pipeline and a distraction pipeline.
• Intelligence layers serve different operational needs. TI Lookup drives active investigations; TI Feeds keep automated defenses current; TI Reports bridge the gap between raw campaign data and detection engineering or executive briefings.
• AI-assisted triage is a force multiplier, not a replacement. Tier 1 reports, AI summaries, and sandbox recommendations don’t replace analyst judgment — they eliminate the translation work between analysis output and operational action, freeing analysts for work that actually requires them.
• Hunting ROI is measurable — if you instrument it correctly. Earlier detection, defense calibrated to active threats, and analyst time redirected to genuine risk: each is quantifiable. Programs that cannot demonstrate these outcomes don’t lack value — they lack the intelligence infrastructure to produce it consistently.

1. Hypothesis Validation: Device Code Phishing

Scenario: A hunter develops a hypothesis: adversaries may be abusing Microsoft’s Device Code authentication flow to compromise organizational accounts without triggering MFA. The technique is real, but the team needs evidence it is active now and a way to identify the behavioral signatures that distinguish attacks from legitimate device authorization. 
 
The struggle: Generic queries against authentication logs produce enormous volume. Without knowing what a malicious device code flow actually looks like in practice — which referrer domains initiate the redirect, which PhaaS kits are operationalizing the technique, what the email delivery chain looks like — the team is essentially querying blind. 

The solution: TI Lookup allows the hunter to query the Microsoft device auth endpoint directly and immediately retrieve sandboxed sessions where the technique is observed in the wild. 
 
url:”https://login.microsoftonline.com/common/oauth2/deviceauth?code=*” 

Sessions are tagged automatically: Phishing, oauth-ms-phish, and kit-specific tags like Kali365 (a PhaaS platform specializing in Device Code Phishing). 

We can view any of the analyses sessions, for example: https://app.any.run/tasks/fc973b26-7cc8-4253-a313-1b77ff27f04c/  

The hunter can inspect the full referrer chain: 

In live cases, the redirect to Microsoft’s legitimate device auth endpoint originates from external domains, including those with unusual TLDs. 

Subsequent queries can filter by TLD against the device code URL, giving the team a concrete list of suspicious referring domains to feed into SIEM monitoring or block lists. 

url:”https://login.microsoftonline.com/common/oauth2/deviceauth” and domainName:”.de$” 

For more targeted investigation, the hunter can also query by threat name and file path to retrieve the actual phishing emails (.eml files) used to deliver the initial lure, exposing sender patterns, subject line templates, and infrastructure metadata. 

Impact: 

• Hypothesis validated against real, live attack data rather than technique abstractions. 
• Concrete IOCs and behavioral signatures ready for SIEM query development. 
• Email metadata exposed for deeper organizational log correlation. 

2. Behavioral Pivots: Tracking a Stealer Family via Mutex 

Scenario: A suspicious executable is submitted for analysis and identified as a stealer. The analyst notices a mutex with a hardcoded prefix — GlobalEVOLUTION — followed by a randomized suffix. The question is whether this prefix is unique to this malware family and, if so, how widely deployed it is. 
 
The struggle: A mutex with a random suffix has no stable IOC value. Standard threat feeds will not carry it. Searching for the full string is guaranteed to miss variants. The behavioral pattern is clearly significant but there is no obvious path from a single sample to campaign-level coverage. 

The solution: A wildcard query in TI Lookup (syncObjectName:”Global\EVOLUTION*”) immediately surfaces a number of additional samples sharing the same hardcoded prefix with different randomized tails, confirming the pattern is not incidental but a structural artifact of this malware family. 

Cross-referencing the mutex results against file path artifacts reveals that affected systems consistently produce a dump archive at C:UsersadminAppDataLocalTempevo_[random]stolen.zip — a second independent behavioral indicator that definitely looks like a stealer.  

Running OR and AND lookup combinations of both indicators allows the hunter to tune coverage: OR for maximum reach, AND for high-confidence, low-noise detections:

• filePath:”C:UsersadminAppDataLocalTempevo_stolen.zip” OR syncObjectName:”GlobalEVOLUTION”
• filePath:”C:\Users\admin\AppData\Local\Temp\evo_*\stolen.zip” AND syncObjectName:”Global\EVOLUTION*” 

Starting from a single mutex observation, the hunter has now built a multi-indicator behavioral profile of an entire malware family. 

Impact:  

• Single behavioral artifact expands into full campaign coverage. 
• Multi-indicator detection logic developed and validated before touching production systems. 
• No reliance on stable IOCs — detection survives malware updates. 

3. Enrichment: Suspicious Domain in an Inbound Email 

Scenario: An email from an unknown sender arrives containing a link to an unfamiliar domain. Standard policy would flag this for review. The analyst needs to determine quickly whether the domain is genuinely malicious or simply unknown, and if malicious, what the full attack chain looks like. 

The struggle: WHOIS data shows the domain is recently registered. Passive DNS shows limited history. Reputation feeds return no verdict. The analyst has a suspicious domain but no behavioral context — no sense of what the domain delivers, what it steals, or what infrastructure it connects to. 

The solution: The domain search in TI Lookup returns sandbox sessions where the domain has been analyzed. 

domainName:”miracleplayssystems.com” 

The hunter opens one and immediately sees a Microsoft 365 login page clone hosted on the suspicious domain, automatically tagged by ANY.RUN.  

Suricata network threat detections reveal the specific phishing kit — FlowerStorm.

The rule details expose the exfiltration endpoint:  

HTTP tab features a separate domain to which stolen credentials are posted:  

The HTTP traffic view makes the data flow explicit: M365 credentials submitted to the fake login page are forwarded to infrastructure the attacker controls, not to any Microsoft domain.  

This gives the analyst not just a verdict but a full attack chain — delivery domain, phishing kit identity, exfiltration endpoint — all from a single lookup. 

Impact:  

• Unknown domain enriched with full attack chain in minutes. 
• Exfiltration infrastructure identified and added to block lists proactively. 
• Phishing kit attribution enables broader campaign hunting. 

4. Expansion: LOLBin Abuse and Campaign Attribution 

Scenario: An alert fires: MSBuild.exe — a standard Microsoft .NET build component — is establishing a network connection to an unknown IP on a non-standard port. This is a textbook living-off-the-land technique, but the specific context (which campaign, which malware family, how widespread) is unknown. 
 
The struggle: MSBuild.exe connecting outbound is not inherently malicious; it is used legitimately in CI/CD pipelines. The challenge is distinguishing targeted abuse from normal build activity and understanding whether the destination IP is part of a broader campaign or an isolated incident. 

The solution: Combining the destination IP with the MSBuild.exe command-line pattern in a TI Lookup query surfaces sessions where the same combination has been observed. 

destinationIP:”212.34.141.103″ and commandLine:”C:\Windows\Microsoft.NET\Framework64\v*\MSBuild.exe” 

Opening a representative session shows MSBuild.exe establishing a C2 connection and exfiltrating host reconnaissance data — CPU, OS version, running processes:  

The Processes tab in the sandbox shows what user data gets exfiltrated:

A vendor-specific detection tag (rmrlx) links this activity to a named malware family: 

threatName:”rmrlx” 

Pivoting on that tag reveals associated infrastructure across multiple IP addresses and exposes the threat actor group responsible — Colombian Smugglers — which uses SVG smuggling as a delivery mechanism and has evolved from targeting Colombian organizations to targeting US and European companies. The hunter can now see the full threat actor profile: initial delivery technique (SVG smuggling), malware families used (vjw0rm, quasar, remcos, xworm, rmrlx), geographic targeting, and infrastructure overlap with adjacent groups like BlindEagle. 

threatName:”colombian-smugglers” 

Use this TI Lookup request to find sandbox analyses exposing SVG smuggling technique:  

threatName:”colombian-smugglers” and filePath:”.svg$” 

Impact: 

• Single alert pivots into full threat actor profile and campaign map. 
• Infrastructure correlation surfaces additional C2 endpoints for blocking. 
• Geographic and targeting intelligence enables prioritized defensive response. 

5. False Positive Validation: Hunting Rule Noise Reduction 

Scenario: ANY.RUN’s hunting rules include a signature that fires when a Windows PC hostname is observed being transmitted in network traffic — a behavior common to stealers and RATs that use hostname as a victim identifier.  

suricataMessage:”HUNTING [ANY.RUN] Windows PC hostname observed” 

The rule catches real threats, but the analyst needs to verify that every hit is genuinely malicious before adding it to production detection. 

The struggle: Hunting rules cast wide nets by design. A rule targeting hostname exfiltration will fire on legitimate software that also transmits device identifiers. Without behavioral context, distinguishing malicious exfiltration from legitimate telemetry requires manual investigation of every hit. 

The solution: Let’s view one of the found sandbox analyses: https://app.any.run/tasks/56e01444-87a2-4cf4-874a-41e56ce60221/ 

The analyst sees the Suricata alert firing on Outlook.exe, but the destination is licensing.m365.svc.cloud.microsoft, a legitimate Microsoft licensing endpoint.  

The HTTP details confirm the behavior: Outlook is sending device and license metadata as part of a standard Office perpetual license renewal (renewperpetuallicense), and the server responds with a 200 OK confirming the HomeBusiness2021Retail license status. This is unambiguously legitimate. The analyst documents this as a known false-positive pattern and adds an exclusion for Microsoft licensing endpoints — keeping the rule sharp without discarding it. 

Impact:  

• False positive identified and documented before reaching production. 
• Detection logic refined without reducing coverage of genuine threats. 
• Analyst time focused on confirmed malicious activity. 

6. Detection Engineering: YARA Rule Development and Validation 

Scenario: During stealer sample collection, an analyst encounters a .NET executable that drops a zip archive named with a consistent pattern: Unix-[HOSTNAME]-[ID].zip. The behavioral artifact is interesting but the analyst wants to build a durable, validated detection rule, not just add a file path indicator that will break when the malware author changes the naming convention. 

The struggle: Writing YARA rules against behavioral artifacts requires understanding what strings are genuinely hardcoded into the binary versus what is generated at runtime. Testing rules against a small sample set risks both false positives from broad string matches and false negatives from a sample set too small to represent the full malware family. 

The solution: Static analysis of the .NET binary in Detect It Easy reveals human-readable strings embedded in the assembly — a common characteristic of .NET malware.  

Filtering for strings containing “Unix” surfaces several hardcoded identifiers specific for this malware:  

• Unix Stealer Log 
• UnixStealer 
• UnixStealerIV!@# 
• UnixStealer2024Key! 

A YARA rule built around these strings uses wide matching for Unicode-encoded strings and fullword to minimize false positives.  

rule UnixStealer { 

    meta: 

        description = "Detects UnixStealer malware" 

        date = "2025-12-18" 

        author = "ANY.RUN:A.Adhikara" 

    strings: 

        $x1 = "Unix Stealer Log" fullword wide 

        $x2 = "UnixStealer" fullword 

        $x3 = "UnixStealerIV!@#" fullword wide 

        $x4 = "UnixStealer2024Key" fullword wide 

    condition: 

        uint16(0) == 0x5A4D and any of ($x*) 

}

Running the rule through TI Lookup’s YARA Search validates it against millions of real malware samples — returning 17 matching samples with no unrelated hits.  

Noticing that the year is hardcoded in one string, the analyst refines it to a regex pattern (/UnixStealer20d{2}Key/ wide) to ensure the rule covers future builds where the author updates the year.  

Re-validation against the corpus confirms the refined rule catches the same 17 samples and introduces no new noise. 

Impact:  

• YARA rule validated against millions of real samples before deployment. 
• Rule designed to survive malware version updates through regex generalization. 
• Detection shipped with high confidence — no post-deployment tuning required. 

How Threat Intelligence Feeds Support Threat Hunting 

WhileTI  Lookup excels at interactive investigations, Threat Intelligence Feeds help operationalize hunting at scale. 

Threat Intelligence Feeds can be integrated directly into SIEM, EDR, XDR, SOAR, firewalls, and other security platforms, providing continuously updated indicators and threat context. 

For threat hunters, this supports several key workflows: 

• Prioritizing investigations involving known malicious infrastructure. 
• Correlating internal telemetry with active attacker infrastructure. 
• Identifying emerging campaigns before internal detections trigger. 
• Automating enrichment during hunts. 
• Reducing manual IOC collection and maintenance. 

By continuously injecting fresh intelligence into security tooling, feeds allow hunting teams to focus on analysis rather than data gathering. 

Accelerating Hunts with Sandbox Intelligence 

ANY.RUN’s Interactive Sandbox provides additional capabilities that reduce investigation time and improve analyst productivity. 

Tier 1 Reports 

Tier 1 Reports automatically summarize malware behavior in analyst-friendly language, making it easier for junior and mid-level analysts to understand threats without spending significant time reviewing every artifact manually. 

This helps SOC teams rapidly assess suspicious files and decide whether deeper hunting activities are necessary. 

AI Summary 

AI Summary condenses complex malware executions into concise narratives, highlighting the most important findings, suspicious behaviors, and attack stages. Hunters can quickly understand what happened during execution before diving into technical details. 

AI Recommendations 

AI Recommendations suggest potential next steps for investigation, including relevant artifacts, indicators, and behaviors worth examining further. This helps analysts identify additional hunting opportunities and reduces the likelihood of missing important evidence. 

Why Threat Hunting Matters to the Business 

Threat hunting is often discussed as a purely technical discipline, but its ultimate purpose is business protection. Organizations invest in hunting because reactive security alone is no longer sufficient. Modern attackers frequently evade automated detections, abuse legitimate tools, and remain hidden for extended periods. 

However, threat hunting itself introduces operational challenges: 

• Significant analyst time requirements. 
• Skill shortages. 
• Investigation fatigue. 
• High volumes of telemetry. 
• Difficulty prioritizing hunting activities. 
• Challenges demonstrating measurable business value. 

Without proper intelligence support, threat hunting can become expensive and inefficient. Threat intelligence helps address these challenges by reducing investigation time, improving prioritization, increasing analyst productivity, and enabling teams to focus on the threats that matter most to the business. 

The result is faster threat discovery, reduced dwell time, lower incident response costs, and improved resilience against advanced attacks. 

For MSSPs, intelligence-driven hunting also enables more scalable operations, allowing analysts to investigate more environments without proportionally increasing staffing requirements. 

Conclusion 

Threat hunting is no longer about manually searching through massive volumes of logs and hoping to uncover something suspicious. 

Successful hunting depends on context. 

Threat intelligence provides that context by connecting indicators, behaviors, infrastructure, malware families, campaigns, and threat actors into a coherent picture. It transforms hunting from a reactive research exercise into a focused, intelligence-driven process. 

With Threat Intelligence Lookup, Threat Intelligence Feeds, Threat Intelligence Reports, YARA Search, and AI-assisted analysis capabilities, SOC teams can validate hypotheses, enrich investigations, expand discoveries, improve detections, and reduce time spent on manual research. 

The result is a threat hunting program that is faster, more scalable, and more closely aligned with both security and business objectives. 

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps SOC teams, MSSPs, and enterprises investigate threats faster and make more confident security decisions. 

With its cloud-based Interactive Sandbox, security teams can safely analyze suspicious files, links, and emails in real time, observe malicious behavior, and receive clear evidence for response without maintaining complex in-house infrastructure. 

ANY.RUN’s Threat Intelligence solutions also help organizations uncover threat context, enrich security workflows, and improve visibility into emerging risks. Together, these capabilities support faster triage, stronger incident prevention, and more efficient security operations at scale. 

ANY.RUN is SOC 2 Type II attested and committed to strong security control and customer data protection.

Scale your SOC with faster threat validation →

FAQ

The post Intelligence-Driven Threat Hunting: How SOCs Find What Alerts Miss appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Securing a university means defending a highly open environment, where thousands of users, devices, and external connections create constant exposure to risk. We had a unique opportunity to get an inside look at how these operations are run at a powerhouse R1 institution, the University of Massachusetts Boston.   

We sat down with Daniel Mayer, Endpoint Security and Threat Hunting Specialist, and Alison Murray, Senior Information Security Specialist, to discuss how ANY.RUN’s solutions help their team scale triage, prevent incidents, and achieve consistent security risk reduction.

Lean Team, Broad Responsibility  

UMass Boston operates as a premier R1 research university with a digital footprint encompassing a population of over 50,000 students, faculty, and staff.   

The core security operations team tasked with defending this environment is remarkably compact, consisting of only three specialists and the SISO. Because of this lean staffing model, the team utilizes a cross-pollination strategy where each member manages various roles, including endpoint security, threat hunting, and threat management.   

This small group of professionals carries the primary responsibility for the entire institution’s digital safety.   

The Challenge of Balancing Threat Response and Infrastructure Overhead  

Before adopting a cloud-based sandbox, the team was under constant operational pressure to keep up with incoming threats while maintaining speed and accuracy in triage.  

At the time, their setup included an internal detection lab for threat analysis and validation. Yet, managing physical space, equipment, software licensing, and constant updates for an in-house environment pulled limited team resources away from active security operations.   

The recent departure of two team members further increased this strain, making it difficult to balance infrastructure maintenance with the daily requirement to fight incoming threats.

“We had a detection lab that was also used to help teach the students, but you have to maintain it as well as fight the things that are coming in as they’re happening.” 

The university needed more than a safe, secluded environment to test and validate malware without risking the production network. It needed a way to support faster triage, consistent threat validation, and real-time decision-making as part of everyday SOC workflows, without adding operational overhead.  

Introducing ANY.RUN’s Sandbox into the Security Loop  

Integration of the Interactive Sandbox was a necessity driven by the critical goal to support faster and more scalable threat validation. The team also needed to teach students in the SOC, within a safe, secluded environment that would not put the institution’s production network at risk.  

The university integrated ANY.RUN’s solution as a behavioral validation layer within their defense stack alongside Microsoft Defender and Abnormal Security.  

“It’s kind of a big lift to be able to just rely that when I go to ANY.RUN, I know that it’s being maintained.” 

The solution was easy to set up and fit into the team’s existing workflows without disruption.  

Instead of spending time maintaining their own lab, the team now had a ready-to-use, air-gapped environment for analyzing malicious content at scale. This provided immediate operational value, freeing up time, and allowing the SOC to focus on detecting and responding to critical threats more efficiently.   

Scaling Detection and Speeding up Triage with the Same Team  

At UMass Boston, the ANY.RUN sandbox now acts as a central component of the daily triage process for the phishing and abuse of mailboxes.   

By utilizing ANY.RUN’s API integration with Abnormal, the team automatically sends suspicious emails, links, and attachments for analysis at the click of a button, removing manual steps and standardizing the triage process.   

Where previously analysts relied on incomplete signals, they now have a visual confirmation of threats’ behavior.   

“Having ANY.RUN’s API connection with our email security vendor has really increased our performance in detecting and being able to tell whether it’s actually phishing.” 

The automation transformed how quickly detection and verification happen, reducing the time required to analyze and get conclusive verdicts on suspicious submissions.   

“Instead of minutes, [investigations] take seconds.” 

Faster, evidence-based triage reduced uncertainty, stabilized operations, and ensured that real threats are identified and handled without delay.   

As a result, the team can make confident security decisions at speed and scale, allowing them to process higher volumes of alerts without increasing the headcount or sacrificing decision quality.  

Preventing a Phishing Incident Missed by Email Filters  

The effectiveness of the team’s sandbox-based defense was demonstrated during a mass email campaign that occurred just before Christmas in 2025, a holiday period when attack volume increases and users are more likely to engage with incoming emails.   

Despite having established email security controls in place, the attack passed through primary filters undetected. This is exactly where most organizations become exposed, as missed threats can lead to incidents without a sandbox layer in place.  

Instead of relying on the initial verdict, the team escalated the suspicious emails through their sandbox workflow. Using the API integration, they detonated the content and observed its behavior in a controlled environment.  

This analysis revealed that the email was a sophisticated phishing scam hosted through Google.  

“If we didn’t have ANY.RUN, we would have never picked that up.” 

The combination of a proactive team and immediate access to sandbox capabilities allowed UMass Boston to validate the threat, make a confident decision, and contain it before it reached users.  

Without this step, the attack could have resulted in credential theft and unauthorized access to internal systems, putting users, research continuity, and institutional trust at risk.

Reducing Risk in Access Control  

Beyond email security, ANY.RUN’s solution helps the team manage internal requests regarding blocked websites. When students or staff encounter a firewall block, the security team uses the sandbox to determine if a site is truly malicious or merely misclassified.   

“We can take a look at a [potential threat] and see what’s going on and have actual analytics around it.”  

This visual verification allows them to see if a legitimate website has been hijacked to serve malware, providing the analytics needed to make accurate access decisions. The team confidently requests re-categorization from their firewall vendor based on observed behavior.  

With ANY.RUN, access decisions have become faster and more defensible. Analysts have concrete behavioral evidence to support allow or block actions, reducing unnecessary restrictions for users while maintaining security.  

Meeting Compliance and Cyber Insurance Requirements  

UMass Boston operates under frequent state audits that require detailed evidence of security processes. These are directly tied to regulations such as FERPA, which governs the protection of student data, and the Massachusetts Data Security Law, which mandates safeguards around personal information and access control.  

Modern auditors demand documented artifacts and evidence of how the university manages security. ANY.RUN’s sandbox gives the team this proof. Each analysis shows what the threat does, making it easier to explain decisions and demonstrate how incidents are handled.  

Having a dedicated sandbox environment is also a mandatory requirement for many cyber insurance brokers to maintain coverage. Adopting the solution allowed the university to fill a previous gap in their compliance posture and meet these rigorous insurance standards. 

A Practical Model for Teams Facing Similar Challenges

The security model developed at UMass Boston is starting to extend beyond a single campus, particularly among teams operating with similar staffing constraints. The team regularly shares real cases and demos with other SISOs and security teams, including peers at Bridgewater State University.   

“We have shown people demos and told them that we have also had that problem and this is how we fixed it.”  

For teams with limited resources, the sandbox-driven approach provides a way to handle more threats without increasing headcount, while lowering the risk of missed or misclassified incidents.  

Conclusion  

The UMass Boston case highlights how a lean team can successfully defend a massive research institution by relying on a multi-layered “mesh approach” in security and powering it with effective solutions like ANY.RUN’s Interactive Sandbox.  

We would like to thank the University of Massachusetts Boston for allowing us an inside look at their security operations. We are especially grateful to Daniel Mayer, Endpoint Security and Threat Hunting Specialist, and Alison Murray, Senior Information Security Specialist, for sharing their time and professional insights.    

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps SOC teams, MSSPs, and enterprises investigate threats faster and make more confident security decisions. 

With its cloud-based Interactive Sandbox, security teams can safely analyze suspicious files, links, and emails in real time, observe malicious behavior, and receive clear evidence for response without maintaining complex in-house infrastructure. 

ANY.RUN’s Threat Intelligence solutions also help organizations uncover threat context, enrich security workflows, and improve visibility into emerging risks. Together, these capabilities support faster triage, stronger incident prevention, and more efficient security operations at scale. 

Scale your SOC with faster threat validation →

The post Protecting 50,000 Users: How ANY.RUN Drives Incident Prevention at UMass Boston appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

We are proud to announce that ANY.RUN has earned the title of Momentum Leader and ranked #1 in the Relationship Index in the latest G2 Summer Reports. Reflecting real security teams’ actual experience, these rankings once again prove how critical ANY.RUN’s solutions are for daily SOC operations in modern enterprises. 

Why ANY.RUN’s Momentum Leader Title Matters for Your Team 

G2 awards the Momentum Leader spot to companies that show high growth and strong market resonance. They calculate this score by looking at real customer feedback and how quickly teams are adopting the solution. 

Modern SOCs often deal with high alert volumes and evasive attacks that beat traditional defenses. The ranking shows that more security teams are choosing ANY.RUN as a better way to respond to these challenges and detect malware & phishing early.  

When an analyst can clearly see what a suspicious file or link is doing in real-time, they stop guessing and start taking action. This speed directly improves both security metrics like MTTR and overall business security, helping prevent incidents, downtime, and financial losses. 

Building Strong Relationships Through Usability 

G2 also awarded ANY.RUN with the title of a #1 Malware Analysis Vendor in the Relationship Index, demonstrating customers’ high regard for our products’ usability, support, and overall reliability over time. 

As noted by ANY.RUN CEO, we aim to provide “a burnout-free environment SOC teams actually want to return to”. Recognition by G2 shows that we deliver on our vision by creating a consistent experience for everyone on the client’s team: 

• Tier 1 analysts use ANY.RUN’s products to reach accurate threat verdicts faster. 

• Tier 2/3 professionals save time on routine tasks so they can focus on deep, complex investigations. 

• CISOs, Heads of SOC, and other security leaders see more stable performance across different shifts and a significant risk reduction for the company. 

Stronger Results for Modern Security Operations 

When SOC and MSSP teams use ANY.RUN’s malware analysis & threat intelligence solutions, they get full context on files, URLs, IOCs, IOAs, and IOBs for fast and confident decisions. 

The clarity ANY.RUN provides, reduces uncertainty and leads to measurable improvements in security posture: 

• Accelerated Triage and Detection: Direct observation lets teams move from uncertainty to action fast, lowering investigation time and operational costs. 

• Immediate Confirmation of Business Exposure: Instant visibility helps leaders understand threat impact earlier and prevent successful breaches. 

• Enhanced SOC Efficiency and Stability: ANY.RUN supports decision-making across tiers, enabling consistent quality of investigations and reduced operational friction. 

• Comprehensive Multi-Platform Analysis: Broad visibility across Windows, macOS, Linux, and Android environments provides the exact execution context needed for precise, enterprise-scale incident response. 

• Secure and Controlled Investigations: Private analysis, SSO, and team-based access let teams collaborate within shared workflows without compromising investigation security. 

Conclusion 

At the end of the day, a successful SOC needs three things: speed, clarity, and consistency. The recognition from G2 confirms that ANY.RUN empowers teams to achieve those goals.  

We help SOC professionals understand threats earlier and make confident decisions even under pressure. We are excited to keep building solutions that reduce risk and make security operations more efficient. 

About ANY.RUN 

ANY.RUN develops cybersecurity solutions for SOC and MSSP teams that enable stronger operations across threat investigation workflows. The company’s mission is to deliver fast threat understanding and confident incident response. 

Interactive Sandbox for enterprise-scale malware and phishing analysis and ANY.RUN Threat Intelligence solutions aggregate investigation data from more than 15,000 SOCs worldwide to support instant enrichment and early threat detection.  

ANY.RUN is SOC 2 Type II attested and committed to strong security control and customer data protection. 

The post Leader in Malware Analysis: ANY.RUN Named Top Vendor in G2 Summer 2026 Awards appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More