<?xml version="1.0" encoding="UTF-8" standalone="no"?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" version="2.0">

<channel>
	<title>ANY.RUN RSS feed</title>
	<atom:link href="https://any.run/cybersecurity-blog/feed/" rel="self" type="application/rss+xml"/>
	<link/>
	<description>The latest posts and cybersecurity news</description>
	<lastBuildDate>Wed, 01 Jul 2026 11:46:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>

<image>
	<url>https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/cropped-Favicon_WebSite_Rounded-32x32.png</url>
	<title>ANY.RUN's Cybersecurity Blog</title>
	<link/>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Release Notes: In-Browser Data Inspection, Torq Integration, and 1,100+ Threat Coverage Updates</title>
		<link>https://any.run/cybersecurity-blog/release-notes-june-2026/</link>
					<comments>https://any.run/cybersecurity-blog/release-notes-june-2026/#respond</comments>
		
		<dc:creator><![CDATA[ANY.RUN]]></dc:creator>
		<pubDate>Wed, 01 Jul 2026 11:31:25 +0000</pubDate>
				<category><![CDATA[Service Updates]]></category>
		<category><![CDATA[ANYRUN]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[release]]></category>
		<guid isPermaLink="false">https://any.run/cybersecurity-blog/?p=21857</guid>

					<description><![CDATA[<p>Phishing pages don&#8217;t sit still anymore. They redirect, load scripts, harvest credentials through dynamic forms, and rebuild their DOM after the initial load — and most URL analysis workflows still only see the finish line, not the race. This June, ANY.RUN closed that gap directly inside the Interactive Sandbox and extended its automation reach with [&#8230;]</p>
<p>The post <a href="https://any.run/cybersecurity-blog/release-notes-june-2026/">Release Notes: In-Browser Data Inspection, Torq Integration, and 1,100+ Threat Coverage Updates</a> appeared first on <a href="https://any.run/cybersecurity-blog">ANY.RUN&#039;s Cybersecurity Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="wp-block-paragraph">Phishing pages don&#8217;t sit still anymore. They redirect, load scripts, harvest credentials through dynamic forms, and rebuild their DOM after the initial load — and most URL analysis workflows still only see the finish line, not the race. This June, ANY.RUN closed that gap directly inside the Interactive Sandbox and extended its automation reach with a new integration built for scale. </p>



<p class="wp-block-paragraph">Here&#8217;s what your team can put to work this month: full browser-level visibility for every URL analysis, a no-code path to embed ANY.RUN in Torq playbooks, and over 1,100 new detections across behavior signatures, Suricata rules, and YARA rules.&nbsp;</p>



<h2 class="wp-block-heading">Product Updates&nbsp;</h2>



<p class="wp-block-paragraph">June&#8217;s releases focus on closing the visibility gap in phishing investigations and giving SOC and MSSP teams a faster route from alert to automated response. The headline update is in-browser data inspection, a new investigation layer in the Interactive Sandbox, alongside a new integration with the Torq AI SOC Platform.&nbsp;</p>



<h3 class="wp-block-heading">Closing the Phishing Blind Spot with In-Browser Data Inspection</h3>



<p class="wp-block-paragraph">Modern phishing campaigns rarely stop at a malicious URL. They rely on dynamic content, JavaScript, multi-stage redirects, credential harvesting forms, and browser-based tricks that often remain invisible to traditional analysis methods.&nbsp;</p>



<p class="wp-block-paragraph">This month, ANY.RUN <a href="https://any.run/cybersecurity-blog/in-browser-data-inspection/">introduced In-Browser Data Inspection</a>, a new capability that captures browser-rendered content during URL analysis, revealing exactly what users would experience when interacting with a suspicious website. </p>



<p class="wp-block-paragraph">Instead of relying solely on page source or network data, analysts can now inspect:&nbsp;</p>



<ul class="wp-block-list">
<li>Fully rendered web pages and dynamic content; </li>



<li>Phishing forms and credential collection attempts; </li>



<li>Client-side JavaScript execution; </li>



<li>Redirect chains and browser behavior; </li>



<li>Hidden elements designed to evade detection.</li>
</ul>



<figure class="wp-block-image size-large"><img fetchpriority="high" decoding="async" width="831" height="1024" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/07/unfo1-1662x2048-1-831x1024.png" alt="" class="wp-image-21895" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/07/unfo1-1662x2048-1-831x1024.png 831w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/07/unfo1-1662x2048-1-243x300.png 243w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/07/unfo1-1662x2048-1-768x946.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/07/unfo1-1662x2048-1-1247x1536.png 1247w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/07/unfo1-1662x2048-1-370x456.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/07/unfo1-1662x2048-1-270x333.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/07/unfo1-1662x2048-1-740x912.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/07/unfo1-1662x2048-1.png 1662w" sizes="(max-width: 831px) 100vw, 831px" /><figcaption class="wp-element-caption"><em>See all URL details, DOM changes, network requests, and IOCs in one place</em> <br></figcaption></figure>



<p class="wp-block-paragraph">For SOC analysts, this means fewer blind spots during phishing investigations and faster validation of suspicious URLs.&nbsp;</p>



<p class="wp-block-paragraph">For security managers and CISOs, it means higher confidence in phishing detection, quicker incident triage, and better protection against increasingly sophisticated browser-based attacks.&nbsp;</p>



<h3 class="wp-block-heading">Scaling Triage and Response with the ANY.RUN &amp; Torq Integration</h3>



<p class="wp-block-paragraph">Alert volume keeps growing faster than SOC headcount, and every alert that lands without context costs an analyst time they don&#8217;t have. ANY.RUN&#8217;s <a href="https://any.run/cybersecurity-blog/torq-integration/">new integration with the Torq AI SOC Platform</a> puts conclusive malware and phishing verdicts directly into the automated workflows teams already build in Torq: no custom code, no months-long rollout. </p>



<p class="wp-block-paragraph">The integration ships with five ready-to-use <a href="https://torq.io/hyperagents/">Torq HyperAgents</a><img src="https://s.w.org/images/core/emoji/17.0.2/72x72/2122.png" alt="™" class="wp-smiley" style="height: 1em; max-height: 1em;" /> covering two workflow types: case-based templates that pull observables straight from an open Torq case for enrichment, and standalone sandbox workflows that accept a URL or file as input and return a full verdict, IOC list, and report link anywhere in a custom automation chain. Results — reputation data, threat names, tags, and structured JSON — land directly in Torq Case Management, ready to branch on. </p>



<p class="wp-block-paragraph"><strong>Teams integrating ANY.RUN into Torq gain:</strong> </p>



<ul class="wp-block-list">
<li>Faster incident resolution, with an average MTTR reduction of 21 minutes per case. </li>



<li>Operational scaling without added headcount, as HyperAgents absorb routine Tier 1 enrichment work. </li>



<li>Zero development overhead, with a no-code setup that&#8217;s live in minutes rather than months. </li>



<li>Standardized investigation logic, so every alert is checked against the same high-fidelity criteria regardless of analyst experience. </li>



<li>Higher ROI on existing tools, as ANY.RUN enriches the SIEM, EDR, and XDR data already flowing into Torq. </li>
</ul>



<figure class="wp-block-image size-large"><img decoding="async" width="1024" height="427" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/07/image7-2-1024x427.png" alt="" class="wp-image-21898" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/07/image7-2-1024x427.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/07/image7-2-300x125.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/07/image7-2-768x320.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/07/image7-2-370x154.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/07/image7-2-270x112.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/07/image7-2-740x308.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/07/image7-2.png 1318w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">ANY.RUN’s Sandbox provides fast case enrichment in Torq</figcaption></figure>



<p class="wp-block-paragraph">The integration is available on ANY.RUN Threat Intelligence and Interactive Sandbox plans with API access, giving SOC and MSSP teams a direct path to scale triage and response without scaling the team itself.&nbsp;</p>



<p class="wp-block-paragraph"></p>



<!-- Regular Banner START -->
<div class="regular-banner">
<!-- Text Content -->
<p class="regular-banner__text">
Experience the latest ANY.RUN capabilities.<br>
<span class="highlight">Gain deeper browser visibility and accelerate investigations <br></span>with Torq-powered automation.

</p>
<!-- CTA Link -->
<a class="regular-banner__link" id="article-banner-regular" href="https://any.run/enterprise/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-june-2026&amp;utm_term=010726&amp;utm_content=linktoenterprise#contact-sales" rel="noopener" target="_blank">
Integrate in your SOC</a>
</div>
<!-- Regular Banner END -->
<!-- Regular Banner Styles START -->

<style>
.regular-banner {
display: flex;
text-align: center;
flex-direction: column;
align-items: center;
gap: 1.5rem;
width: 100%;
padding: 2rem;
margin: 1.5rem 0;
border-radius: 0.5rem;
font-family: 'Catamaran Bold';
margin-inline: auto;
background: rgba(32, 168, 241, 0.1);
border: 1px solid rgba(75, 174, 227, 0.32);
}

.regular-banner__text {
font-size: 1.5rem;
margin: 0;
}

.highlight {
color: #ea2526;
}

.regular-banner__link {
padding: 0.5rem 1.5rem;
font-weight: 500;
text-decoration: none;
border-radius: 0.5rem;
color: #FFFFFF;
background-color: #1491D4;
text-align: center;
transition: all 0.2s ease-in;
}

.regular-banner__link:hover {
background-color: #68CBFF;
color: white;
}
</style>
<!-- Regular Banner Styles END -->



<h2 class="wp-block-heading">Threat Coverage Updates</h2>



<p class="wp-block-paragraph">Keeping pace with evolving malware remains a core priority for our detection team. During June, we significantly expanded threat coverage with:</p>



<ul class="wp-block-list">
<li>1,055 new Suricata rules,</li>



<li>65 new behavior signatures,</li>



<li>14 new YARA rules.</li>
</ul>



<p class="wp-block-paragraph">These additions improve detection across network traffic, behavioral activity, and malware samples, helping analysts identify emerging threats faster while increasing investigation accuracy. The continuous expansion of detection logic also strengthens the quality of intelligence powering ANY.RUN&#8217;s Interactive Sandbox and Threat Intelligence solutions.</p>



<h2 class="wp-block-heading">New Behavior Signatures</h2>



<p class="wp-block-paragraph">The 65 new behavior signatures added this month target malware-specific activity helping analysts confirm what a sample actually does inside the sandbox, rather than inferring it from static traits alone. Coverage this month spans commodity stealers and loaders, RATs, and ransomware families active across recent phishing and malvertising campaigns.</p>



<p class="wp-block-paragraph">Highlighted&nbsp;detections&nbsp;include:&nbsp;</p>



<div class="wp-block-group is-layout-grid wp-container-core-group-is-layout-9d260ee2 wp-block-group-is-layout-grid">
<ul class="wp-block-list">
<li><a href="https://app.any.run/tasks/24a03e00-b8f1-4557-b1c3-6b473d0990b9/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-june-2026&amp;utm_term=010726&amp;utm_content=linktoservice" target="_blank" rel="noreferrer noopener"><strong>SOLARIS</strong></a> (mutex) </li>
</ul>



<ul class="wp-block-list">
<li><strong><a href="https://app.any.run/tasks/0134f484-cf7b-4446-8375-feca3a52dca8/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-june-2026&amp;utm_term=010726&amp;utm_content=linktoservice" target="_blank" rel="noreferrer noopener">SILENTNET</a> </strong></li>
</ul>



<ul class="wp-block-list">
<li><strong><a href="https://app.any.run/tasks/56d64e4d-7797-4122-8d5c-ae313e4d2a09/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-june-2026&amp;utm_term=010726&amp;utm_content=linktoservice" target="_blank" rel="noreferrer noopener">ORACLESPY (YARA rule)</a> </strong></li>
</ul>



<ul class="wp-block-list">
<li><a href="https://app.any.run/tasks/839c2d61-4169-416a-953e-93f01bc62654?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-may-2026&amp;utm_term=030626&amp;utm_content=linktoservice" target="_blank" rel="noreferrer noopener"><strong>KONG</strong></a>&nbsp;</li>
</ul>



<ul class="wp-block-list">
<li><a href="https://app.any.run/tasks/0024567d-04f2-4265-bddf-73f5a1c3755c/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-june-2026&amp;utm_term=010726&amp;utm_content=linktoservice" target="_blank" rel="noreferrer noopener"><strong>HIDDENTEARS</strong></a> (mutex)</li>
</ul>



<ul class="wp-block-list">
<li><a href="https://app.any.run/tasks/000eb0da-4208-4e07-85a5-d93f906b60c4/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-june-2026&amp;utm_term=010726&amp;utm_content=linktoservice" target="_blank" rel="noreferrer noopener"><strong>GLAMOUR (mutex)</strong></a><strong> </strong></li>
</ul>



<ul class="wp-block-list">
<li><a href="https://app.any.run/tasks/a9d8ecff-7c7d-4a3c-80da-76e70ca8cc26/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-may-2026&amp;utm_term=030626&amp;utm_content=linktoservice" target="_blank" rel="noreferrer noopener"><strong>STEALC</strong></a>&nbsp;</li>
</ul>



<ul class="wp-block-list">
<li><a href="https://app.any.run/tasks/60773dd2-262f-45f5-8a4e-38f7102bfbb2/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-may-2026&amp;utm_term=030626&amp;utm_content=linktoservice" target="_blank" rel="noreferrer noopener"><strong>BLANKGRABBER</strong></a>&nbsp;</li>
</ul>



<ul class="wp-block-list">
<li><a href="https://app.any.run/tasks/692b9855-e96e-4d5b-be41-c3e34cbe0c15/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-june-2026&amp;utm_term=010726&amp;utm_content=linktoservice" target="_blank" rel="noreferrer noopener"><strong>JUNKLOCKER</strong></a> (mutex)</li>
</ul>



<ul class="wp-block-list">
<li><strong><a href="https://app.any.run/tasks/56d64e4d-7797-4122-8d5c-ae313e4d2a09/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-june-2026&amp;utm_term=010726&amp;utm_content=linktoservice" target="_blank" rel="noreferrer noopener">ORACLESPY</a> </strong></li>
</ul>



<ul class="wp-block-list">
<li><a href="https://app.any.run/tasks/16f14270-37fe-4f87-85a6-235dd47020ad?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-may-2026&amp;utm_term=030626&amp;utm_content=linktoservice" target="_blank" rel="noreferrer noopener"><strong>PCLOCKER</strong></a>&nbsp;</li>
</ul>



<ul class="wp-block-list">
<li><a href="https://app.any.run/tasks/706a4e50-1970-4e7a-bcb4-f417f2a5026b?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-may-2026&amp;utm_term=030626&amp;utm_content=linktoservice" target="_blank" rel="noreferrer noopener"><strong>EXITIUM</strong></a>&nbsp;</li>
</ul>



<ul class="wp-block-list">
<li><a href="https://app.any.run/tasks/de9e1fed-538d-4dbc-8bbc-07423f1d81ef/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-june-2026&amp;utm_term=010726&amp;utm_content=linktoservice" target="_blank" rel="noreferrer noopener"><strong>ONYXC2</strong></a> (mutex)</li>
</ul>



<ul class="wp-block-list">
<li><a href="https://app.any.run/tasks/a30ccad6-7ad8-47f6-a3eb-6e4270c7834a/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-june-2026&amp;utm_term=010726&amp;utm_content=linktoservice" target="_blank" rel="noreferrer noopener"><strong>SHAT</strong></a> </li>
</ul>



<ul class="wp-block-list">
<li><a href="https://app.any.run/tasks/f1bc8ea8-78e1-462e-989b-2391f0e1490d?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-may-2026&amp;utm_term=030626&amp;utm_content=linktoservice" target="_blank" rel="noreferrer noopener"><strong>MAKOP</strong></a>&nbsp;</li>
</ul>



<ul class="wp-block-list">
<li><a href="https://app.any.run/tasks/1c13178d-d97a-4150-bd7a-1eb93a476e0d?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-may-2026&amp;utm_term=030626&amp;utm_content=linktoservice" target="_blank" rel="noreferrer noopener"><strong>1BYTE</strong></a>&nbsp;</li>
</ul>



<ul class="wp-block-list">
<li><a href="https://app.any.run/tasks/55514ae6-150d-4cde-90ed-60a26e5d25e9/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-june-2026&amp;utm_term=010726&amp;utm_content=linktoservice" target="_blank" rel="noreferrer noopener"><strong>APEXTRADER</strong></a> </li>
</ul>



<ul class="wp-block-list">
<li><strong><a href="https://app.any.run/tasks/2bba5094-7ee2-4bd1-98f3-f3a9b5af3e91/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-june-2026&amp;utm_term=010726&amp;utm_content=linktoservice" target="_blank" rel="noreferrer noopener">GLAMOUR (YARA rule)</a> </strong></li>
</ul>



<ul class="wp-block-list">
<li><a href="https://app.any.run/tasks/807bf35a-2912-4541-ae11-6bdf901c9ef9?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-may-2026&amp;utm_term=030626&amp;utm_content=linktoservice" target="_blank" rel="noreferrer noopener"><strong>MORPH</strong></a>&nbsp;</li>
</ul>



<ul class="wp-block-list">
<li><a href="https://app.any.run/tasks/b65c1bd1-1983-4b20-8ea5-3ffabe58437e/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-may-2026&amp;utm_term=030626&amp;utm_content=linktoservice" target="_blank" rel="noreferrer noopener"><strong>SMUKX</strong></a>&nbsp;</li>
</ul>
</div>



<p class="wp-block-paragraph"></p>



<!-- Regular Banner START -->
<div class="regular-banner">
<!-- Text Content -->
<p class="regular-banner__text">
Cut response delays before threats become costly incidents.<br>
<span class="highlight">Give your SOC faster, evidence-backed decisions</span>

</p>
<!-- CTA Link -->
<a class="regular-banner__link" id="article-banner-regular" href="https://any.run/enterprise/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-june-2026&#038;utm_term=010726&#038;utm_content=linktoenterprise#contact-sales" rel="noopener" target="_blank">
Integrate in your SOC</a>
</div>
<!-- Regular Banner END -->
<!-- Regular Banner Styles START -->

<style>
.regular-banner {
display: flex;
text-align: center;
flex-direction: column;
align-items: center;
gap: 1.5rem;
width: 100%;
padding: 2rem;
margin: 1.5rem 0;
border-radius: 0.5rem;
font-family: 'Catamaran Bold';
margin-inline: auto;
background: rgba(32, 168, 241, 0.1);
border: 1px solid rgba(75, 174, 227, 0.32);
}

.regular-banner__text {
font-size: 1.5rem;
margin: 0;
}

.highlight {
color: #ea2526;
}

.regular-banner__link {
padding: 0.5rem 1.5rem;
font-weight: 500;
text-decoration: none;
border-radius: 0.5rem;
color: #FFFFFF;
background-color: #1491D4;
text-align: center;
transition: all 0.2s ease-in;
}

.regular-banner__link:hover {
background-color: #68CBFF;
color: white;
}
</style>
<!-- Regular Banner Styles END -->



<h2 class="wp-block-heading">New Suricata Rules</h2>



<p class="wp-block-paragraph">A total of 1,055 new Suricata rules were implemented in June to improve visibility into malicious network activity, including:</p>



<ul class="wp-block-list">
<li><a href="https://app.any.run/tasks/446d373f-2cc3-4455-97d5-64797934f6f1/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-june-2026&amp;utm_term=010726&amp;utm_content=linktoservice"><strong>Phishing Redirect Engine related URL</strong></a> (sid: 89003883) &#8211; Identifies various PhaaS operators&#8217; infrastructure used as routing layer, delivering victim to specific phishkit landing pages.</li>



<li><strong><a href="https://app.any.run/tasks/529a64bf-3465-4e8e-8983-564558ea2915/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-june-2026&amp;utm_term=010726&amp;utm_content=linktoservice">Adobe-themed RMM phishing</a></strong> (sid: 84003399) &#8211; Tracks attempts to lure user into installing remote management tool, disguised as shared secure documents.</li>



<li><strong><a href="https://app.any.run/tasks/8ca6e2fc-b4bb-4691-b295-8a971590c852/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-june-2026&amp;utm_term=010726&amp;utm_content=linktoservice">SilentNet CnC HTTP activity</a></strong> (sid: 84003444) &#8211; Detects SilentNet attempts to communicate with its C2-server.</li>
</ul>



<h2 class="wp-block-heading">About&nbsp;ANY.RUN&nbsp;</h2>



<p class="wp-block-paragraph">ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps businesses and organizations strengthen security operations with faster threat understanding andclearer evidence for response.</p>



<p class="wp-block-paragraph">Its solutions include the <a href="https://any.run/features//?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-june-2026&amp;utm_term=010726&amp;utm_content=linktosandboxlanding" target="_blank" rel="noreferrer noopener">Interactive Sandbox</a> for enterprise-scale malware and phishing analysis, as well as <a href="https://any.run/threat-intelligence-lookup/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-june-2026&amp;utm_term=010726&amp;utm_content=linktotilookuplanding" target="_blank" rel="noreferrer noopener">Threat Intelligence</a> solutions built on investigation data from more than 15,000 organizations. This intelligence helps security teams enrich alerts, detect active threats earlier, and support investigation and response workflows with relevant context.</p>



<p class="wp-block-paragraph">ANY.RUN is <a href="https://any.run/compliance/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-may-2026&amp;utm_term=030626&amp;utm_content=linktocompliance" target="_blank" rel="noreferrer noopener">SOC 2 Type II attested</a>, reflecting its strong security controls and commitment to protecting customer data. For SOCs, MSSPs, and enterprise teams, the platform helps reduce investigationuncertainty, improve triage speed, and turn threat analysis into actionable insights for faster, better-informed decisions.</p>



<p class="wp-block-paragraph"><a href="https://any.run/enterprise/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-june-2026&amp;utm_term=010726&amp;utm_content=linktoenterprise#contact-sales" target="_blank" rel="noreferrer noopener"><strong>Integrate ANY.RUN into your SOC workflow →</strong></a> </p>
<p>The post <a href="https://any.run/cybersecurity-blog/release-notes-june-2026/">Release Notes: In-Browser Data Inspection, Torq Integration, and 1,100+ Threat Coverage Updates</a> appeared first on <a href="https://any.run/cybersecurity-blog">ANY.RUN&#039;s Cybersecurity Blog</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://any.run/cybersecurity-blog/release-notes-june-2026/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Closing the Supplier Security Gap: How a US Manufacturer Cut Third-Party Risk and Doubled SOC Triage Speed</title>
		<link>https://any.run/cybersecurity-blog/us-manufacturer-security-risk/</link>
					<comments>https://any.run/cybersecurity-blog/us-manufacturer-security-risk/#respond</comments>
		
		<dc:creator><![CDATA[ANY.RUN]]></dc:creator>
		<pubDate>Tue, 30 Jun 2026 10:11:20 +0000</pubDate>
				<category><![CDATA[Customer Success Story]]></category>
		<category><![CDATA[ANYRUN]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<guid isPermaLink="false">https://any.run/cybersecurity-blog/?p=21828</guid>

					<description><![CDATA[<p>For a US automotive manufacturer working with more than 200 active vendors, supplier file intake had become a growing security and cost challenge. That pressure is especially high in manufacturing, where SOC teams carry an average workload 18% higher than teams in other industries. By introducing behavioral sandboxing and threat intelligence, the company made triage [&#8230;]</p>
<p>The post <a href="https://any.run/cybersecurity-blog/us-manufacturer-security-risk/">Closing the Supplier Security Gap: How a US Manufacturer Cut Third-Party Risk and Doubled SOC Triage Speed</a> appeared first on <a href="https://any.run/cybersecurity-blog">ANY.RUN&#039;s Cybersecurity Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="wp-block-paragraph">For a US automotive manufacturer working with more than 200 active vendors, supplier file intake had become a growing security and cost challenge. That pressure is especially high in manufacturing, where SOC teams carry an <strong>average workload 18% higher</strong> than teams in other industries.</p>



<p class="wp-block-paragraph">By introducing <a href="https://any.run/features/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=us-manufacturer-security-risk&amp;utm_term=300626&amp;utm_content=linktosandboxlanding" target="_blank" rel="noreferrer noopener">behavioral sandboxing</a> and <a href="https://any.run/threat-intelligence-lookup/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=us-manufacturer-security-risk&amp;utm_term=300626&amp;utm_content=linktotilookuplanding" target="_blank" rel="noreferrer noopener">threat intelligence</a>, the company made triage <strong>2x faster</strong>, achieved an <strong>MTTD of 20 seconds</strong>, <strong>improved MTTR</strong> and detection, and analyzed hundreds of supplier files every week without adding headcount.</p>



<h2 class="wp-block-heading">A US Automotive Manufacturer Built Around a Large Supplier Ecosystem&nbsp;</h2>



<p class="wp-block-paragraph">The company is a US-based automotive manufacturer&nbsp;operating&nbsp;within a highly interconnected supply chain. Its daily operations depend on&nbsp;continuous collaboration with more than 200 active vendors and third-party&nbsp;contractors.&nbsp;</p>



<p class="wp-block-paragraph">These external partners regularly exchange files with the organization to support ongoing manufacturing, technical, and business processes. This makes supplier communication essential to keeping operations moving, but it also creates a large and&nbsp;constantly changing entry point for risk.&nbsp;</p>



<p class="wp-block-paragraph">The SOC&nbsp;is responsible for&nbsp;protecting the company’s environment while ensuring legitimate supplier activity is not delayed. As the volume of incoming files grew, the team needed a way to&nbsp;analyzesubmissions&nbsp;consistently, improve detection and response speed, and reduce third-party exposure without increasing staffing costs.&nbsp;</p>



<h2 class="wp-block-heading">The Challenge: Supplier Files Were Entering Without a&nbsp;Consistent Analysis Process&nbsp;</h2>



<p class="wp-block-paragraph">Before ANY.RUN, the company had&nbsp;no systematic process for&nbsp;analyzing&nbsp;files&nbsp;received from vendors and third-party&nbsp;contractors.&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img decoding="async" width="1024" height="470" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/A-US-Manufacturers-Supplier-Security-Challenge-2-1024x470.png" alt="US Manufacturer’s security challenges " class="wp-image-21829" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/A-US-Manufacturers-Supplier-Security-Challenge-2-1024x470.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/A-US-Manufacturers-Supplier-Security-Challenge-2-300x138.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/A-US-Manufacturers-Supplier-Security-Challenge-2-768x353.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/A-US-Manufacturers-Supplier-Security-Challenge-2-1536x706.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/A-US-Manufacturers-Supplier-Security-Challenge-2-2048x941.png 2048w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/A-US-Manufacturers-Supplier-Security-Challenge-2-370x170.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/A-US-Manufacturers-Supplier-Security-Challenge-2-270x124.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/A-US-Manufacturers-Supplier-Security-Challenge-2-740x340.png 740w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>US Manufacturer’s security challenges&nbsp;</em></figcaption></figure>
</div>


<p class="wp-block-paragraph">Existing security controls could flag a submission as suspicious, but they did not always show what the file would actually do after execution. Without behavioral evidence, analysts were left with incomplete indicators and uncertain verdicts.</p>



<figure class="wp-block-pullquote has-text-align-center"><blockquote><p>“The volume itself was not the only challenge. The bigger issue was that analysts did not have enough&nbsp;context&nbsp;to quickly decide which supplier files were safe and which&nbsp;required&nbsp;further action.”&nbsp;</p><cite><strong><em>Head of SOC, US automotive manufacturer</em></strong>&nbsp;</cite></blockquote></figure>



<p class="wp-block-paragraph">This created several problems for the SOC:</p>



<h3 class="wp-block-heading">A Security Gap in Supplier File Intake&nbsp;</h3>



<p class="wp-block-paragraph">Files could enter the environment without passing through a dedicated behavioral analysis layer.</p>



<p class="wp-block-paragraph">This limited the company’s ability to identify threats that appeared harmless during static inspection but revealed malicious activity only after execution.</p>



<p class="wp-block-paragraph">The risk was especially significant in a large supplier ecosystem. A compromised vendor account or mailbox could turn a trusted communication channel into an indirect route into the organization. With <strong>more than 47%</strong> of attacks on manufacturing companies originating from email, supplier messages and attachments represented a critical part of the company’s third-party attack surface.</p>



<h3 class="wp-block-heading">High Escalation Rates&nbsp;</h3>



<p class="wp-block-paragraph">Tier 1 analysts often lacked enough&nbsp;context&nbsp;to&nbsp;confidently close suspicious submissions.&nbsp;</p>



<p class="wp-block-paragraph">As a result,&nbsp;the majority of&nbsp;these files were escalated to more experienced analysts. Senior team members had to spend time reviewing cases that could have been resolved earlier with clearer evidence.&nbsp;</p>



<h3 class="wp-block-heading">Rising Investigation Costs&nbsp;</h3>



<p class="wp-block-paragraph">The supplier network&nbsp;continued to generate a high volume of files. Handling that growth&nbsp;through manual investigation would have&nbsp;required&nbsp;more analyst hours and, eventually,&nbsp;additional&nbsp;headcount.&nbsp;</p>



<p class="wp-block-paragraph">Without a more scalable process, the company risked paying more just to maintain the same level of protection.</p>



<p class="wp-block-paragraph">This pressure is especially high in manufacturing, where SOC teams carry an average workload <strong>18% higher</strong> than security teams in other industries. For companies managing large supplier ecosystems, that makes manual investigation increasingly difficult to sustain.</p>



<h3 class="wp-block-heading">Longer Exposure to Potential&nbsp;Threats&nbsp;</h3>



<p class="wp-block-paragraph">Every delay in&nbsp;validating&nbsp;a suspicious file extended the period during which the organization could not&nbsp;confidently allow, block, or&nbsp;contain&nbsp;it.&nbsp;</p>



<p class="wp-block-paragraph">In a manufacturing environment, a missed&nbsp;threat&nbsp;can affect more than an individual endpoint. It can disrupt operations, expose sensitive data, and weaken trust across the supplier network.&nbsp;</p>



<h2 class="wp-block-heading">Building a Scalable Supplier File Triage and Analysis Process with ANY.RUN&nbsp;</h2>



<p class="wp-block-paragraph">The manufacturer introduced a&nbsp;consistent process for&nbsp;analyzing&nbsp;files received from vendors and third-party&nbsp;contractors.&nbsp;</p>



<p class="wp-block-paragraph">By combining&nbsp;behavioral&nbsp;analysis with&nbsp;threat&nbsp;intelligence, the SOC gained both the evidence needed to understand what a file&nbsp;does&nbsp;and the&nbsp;context&nbsp;required&nbsp;to assess the wider&nbsp;threat&nbsp;behind it.&nbsp;</p>



<figure class="wp-block-pullquote"><blockquote><p>“We have over 200 active vendors sending files into the environment. ANY.RUN gave us a scalable way to analyze that volume and make triage much faster without adding headcount”</p><cite>Head of SOC, automotive manufacturer</cite></blockquote></figure>



<p class="wp-block-paragraph">Instead of relying on isolated alerts or incomplete indicators, analysts could detect malicious submissions more accurately, reach verdicts faster, resolve more cases at Tier 1, and reduce the amount of senior analyst time spent on routine reviews.&nbsp;</p>



<p class="wp-block-paragraph">This improved detection quality while&nbsp;contributing to lower MTTD and MTTR across supplier-related investigations.&nbsp;</p>



<h3 class="wp-block-heading">Reaching Faster Verdicts with&nbsp;Behavioral&nbsp;Evidence&nbsp;</h3>



<p class="wp-block-paragraph">The SOC reduced triage time by giving analysts direct visibility into what suspicious supplier files did after execution.&nbsp;</p>



<p class="wp-block-paragraph">Files were safely&nbsp;analyzed&nbsp;in ANY.RUN’s cloud-based&nbsp;<a href="https://any.run/features/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=us-manufacturer-security-risk&amp;utm_term=300626&amp;utm_content=linktosandboxlanding" target="_blank" rel="noreferrer noopener">Interactive&nbsp;Sandbox</a>, where the team could review process activity, network&nbsp;connections, system changes, commands, and other&nbsp;behavior&nbsp;without exposing the production environment.&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="570" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-23-at-11.08.07-2048x1139.png-1024x570.webp" alt="" class="wp-image-21830" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-23-at-11.08.07-2048x1139.png-1024x570.webp 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-23-at-11.08.07-2048x1139.png-300x167.webp 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-23-at-11.08.07-2048x1139.png-768x427.webp 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-23-at-11.08.07-2048x1139.png-1536x854.webp 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-23-at-11.08.07-2048x1139.png-370x206.webp 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-23-at-11.08.07-2048x1139.png-270x150.webp 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-23-at-11.08.07-2048x1139.png-740x412.webp 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-23-at-11.08.07-2048x1139.png.webp 2048w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Full chain of a complicated&nbsp;EvilTokens&nbsp;attack on US companies&nbsp;analyzed&nbsp;in&nbsp;just 1 minute</em></figcaption></figure>
</div>


<p class="wp-block-paragraph">This&nbsp;replaced incomplete indicators with&nbsp;clear evidence&nbsp;of whether a submission was malicious and how it could affect the business.&nbsp;</p>



<figure class="wp-block-pullquote"><blockquote><p><em>“We no longer&nbsp;have to&nbsp;spend time piecing together what a supplier file might do. The&nbsp;behavior&nbsp;is visible in one place, which makes decisions faster and easier to defend.”</em>&nbsp;</p><cite><strong><em>Head of SOC, US automotive manufacturer</em></strong>&nbsp;</cite></blockquote></figure>



<p class="wp-block-paragraph">Structured and visual results also helped Tier 1 analysts move from alert to verdict with fewer manual checks. Instead of reconstructing file&nbsp;behavior&nbsp;across disconnected tools, they could&nbsp;validatesuspicious submissions faster and make more&nbsp;confident decisions.&nbsp;</p>



<p class="wp-block-paragraph">The faster path from alert to&nbsp;confirmed verdict&nbsp;contributed to improved MTTD, while clearer evidence and fewer&nbsp;repeated checks helped reduce MTTR.&nbsp;</p>



<!-- Regular Banner START -->
<div class="regular-banner">
<!-- Text Content -->
<p class="regular-banner__text">
<span class="highlight">Cut investigation time</span> with clear behavioral evidence<br>Help analysts reach <span class="highlight">faster decisions. </span>
</p>
<!-- CTA Link -->
<a class="regular-banner__link" id="article-banner-regular" href="https://any.run/enterprise/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=us-manufacturer-security-risk&#038;utm_term=300626&#038;utm_content=linktoenterprise#contact-sales" target="_blank" rel="noopener">
Accelerate triage now &nbsp;
</a>
</div>
<!-- Regular Banner END -->
<!-- Regular Banner Styles START -->

<style>
.regular-banner {
display: flex;
text-align: center;
flex-direction: column;
align-items: center;
gap: 1.5rem;
width: 100%;
padding: 2rem;
margin: 1.5rem 0;
border-radius: 0.5rem;
font-family: 'Catamaran Bold';
margin-inline: auto;
background: rgba(32, 168, 241, 0.1);
border: 1px solid rgba(75, 174, 227, 0.32);
}

.regular-banner__text {
font-size: 1.5rem;
margin: 0;
}

.highlight {
color: #ea2526;
}

.regular-banner__link {
padding: 0.5rem 1.5rem;
font-weight: 500;
text-decoration: none;
border-radius: 0.5rem;
color: #FFFFFF;
background-color: #1491D4;
text-align: center;
transition: all 0.2s ease-in;
}

.regular-banner__link:hover {
background-color: #68CBFF;
color: white;
}
</style>
<!-- Regular Banner Styles END -->



<h3 class="wp-block-heading">Connecting Supplier Files to Wider&nbsp;Threat&nbsp;Activity&nbsp;</h3>



<p class="wp-block-paragraph">Behavioral analysis showed the team what each suspicious file did. <a href="https://any.run/threat-intelligence-lookup/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=us-manufacturer-security-risk&amp;utm_term=300626&amp;utm_content=linktotilookuplanding" target="_blank" rel="noreferrer noopener">Threat intelligence</a> helped reveal whether the submission was connected to a larger risk.</p>



<p class="wp-block-paragraph">Indicators uncovered during analysis could be linked to malicious infrastructure, related samples, known campaigns, and attacker activity. This gave analysts a clearer view of whether they were dealing with an isolated file or broader activity involving the company’s supplier ecosystem.&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="383" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img68.jpg-1024x383.webp" alt="" class="wp-image-21831" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img68.jpg-1024x383.webp 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img68.jpg-300x112.webp 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img68.jpg-768x287.webp 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img68.jpg-370x138.webp 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img68.jpg-270x101.webp 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img68.jpg-740x277.webp 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img68.jpg.webp 1252w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>ANY.RUN’s Threat Intelligence used to explore broader threat context</em></figcaption></figure>
</div>


<p class="wp-block-paragraph">The SOC also used this context to uncover additional indicators and behavioral patterns, strengthening internal detection controls beyond the original submission.</p>



<p class="wp-block-paragraph">As a result, each investigation&nbsp;contributed to wider&nbsp;threat&nbsp;visibility. The team could resolve the immediate case while also&nbsp;identifying&nbsp;related activity that might otherwise remain hidden across the supply chain.&nbsp;</p>



<h3 class="wp-block-heading">Resolving More Supplier Files at Tier 1&nbsp;</h3>



<p class="wp-block-paragraph">Before ANY.RUN, suspicious supplier files often moved up the escalation chain because Tier 1 analysts lacked enough evidence to&nbsp;confidently&nbsp;determine&nbsp;whether they were safe or malicious.&nbsp;</p>



<p class="wp-block-paragraph">With&nbsp;behavioral&nbsp;analysis,&nbsp;threat&nbsp;intelligence, and structured Tier 1 Reports available in the same workflow, first-line analysts received clearer summaries of each case, along with practical recommendations for the next step.&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="685" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-05-12-at-13.53.31.png-1024x685.webp" alt="" class="wp-image-21832" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-05-12-at-13.53.31.png-1024x685.webp 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-05-12-at-13.53.31.png-300x201.webp 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-05-12-at-13.53.31.png-768x514.webp 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-05-12-at-13.53.31.png-1536x1027.webp 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-05-12-at-13.53.31.png-370x247.webp 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-05-12-at-13.53.31.png-270x181.webp 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-05-12-at-13.53.31.png-740x495.webp 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-05-12-at-13.53.31.png.webp 1890w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>AI Summary generated inside ANY.RUN’s&nbsp;sandbox&nbsp;for deeper analysis and faster handoff</em></figcaption></figure>
</div>


<p class="wp-block-paragraph">This reduced the need to interpret every technical detail manually and helped analysts reach decisions faster. The company recorded a significant reduction in Tier 1 escalations, while Tier 2 received fewer low-context cases.&nbsp;</p>



<figure class="wp-block-pullquote"><blockquote><p><em>“Cases that can be resolved at the first level no longer&nbsp;consume Tier 2 time. When escalation is necessary, senior analysts receive the relevant evidence instead of having to restart the investigation.”</em>&nbsp;</p><cite><strong><em>Head of SOC, US automotive manufacturer</em></strong>&nbsp;</cite></blockquote></figure>



<p class="wp-block-paragraph">The change reduced duplicated work and made better use of specialist&nbsp;expertise. Senior analysts spent less time&nbsp;repeating initial validation and more time investigating complex or high-impact&nbsp;threats.&nbsp;</p>



<p class="wp-block-paragraph">More supplier files were resolved at the right level the first time, helping investigation queues move faster and lowering the cost of each case.&nbsp;</p>



<h3 class="wp-block-heading">Analyzing&nbsp;Hundreds of Files Without Adding Headcount&nbsp;</h3>



<p class="wp-block-paragraph">The company now analyzes hundreds of supplier files every week without hiring additional analysts.</p>



<p class="wp-block-paragraph">For the business, this is one of the clearest returns from the new process. The manufacturer increased its triage and analysis capacity while keeping staffing costs stable.&nbsp;</p>



<p class="wp-block-paragraph">Instead of treating headcount growth as the only solution to rising file volumes, the company gave its existing team a faster and more&nbsp;consistent way to detect malicious activity and reach verdicts.&nbsp;</p>



<p class="wp-block-paragraph">The SOC now absorbs more supplier activity without creating the same increase in&nbsp;labor&nbsp;costs or investigation backlogs.&nbsp;</p>



<p class="wp-block-paragraph">This also gives the company a more sustainable foundation for growth. As the vendor network expands or file volume rises, the security team has a triage process that can scale with it.&nbsp;</p>



<!-- Regular Banner START -->
<div class="regular-banner">
<!-- Text Content -->
<p class="regular-banner__text">
<span class="highlight">Reduce</span> third-party exposure before it affects operations.<br>Increase security capacity  <span class="highlight"> without increasing headcount. </span>
</p>
<!-- CTA Link -->
<a class="regular-banner__link" id="article-banner-regular" href="https://any.run/by-industry/manufacturing/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=us-manufacturer-security-risk&#038;utm_term=300626&#038;utm_content=linktomanufacturing#contact-sales" target="_blank" rel="noopener">
Reduce risk now  &nbsp;
</a>
</div>
<!-- Regular Banner END -->
<!-- Regular Banner Styles START -->

<style>
.regular-banner {
display: flex;
text-align: center;
flex-direction: column;
align-items: center;
gap: 1.5rem;
width: 100%;
padding: 2rem;
margin: 1.5rem 0;
border-radius: 0.5rem;
font-family: 'Catamaran Bold';
margin-inline: auto;
background: rgba(32, 168, 241, 0.1);
border: 1px solid rgba(75, 174, 227, 0.32);
}

.regular-banner__text {
font-size: 1.5rem;
margin: 0;
}

.highlight {
color: #ea2526;
}

.regular-banner__link {
padding: 0.5rem 1.5rem;
font-weight: 500;
text-decoration: none;
border-radius: 0.5rem;
color: #FFFFFF;
background-color: #1491D4;
text-align: center;
transition: all 0.2s ease-in;
}

.regular-banner__link:hover {
background-color: #68CBFF;
color: white;
}
</style>
<!-- Regular Banner Styles END -->



<h2 class="wp-block-heading">Improving MTTD and MTTR with 2x Faster Triage&nbsp;</h2>



<p class="wp-block-paragraph">The manufacturer achieved a&nbsp;<strong>2x improvement in alert processing and&nbsp;threat&nbsp;analysis speed</strong>,&nbsp;contributing to lower mean time to detect and mean time to respond.&nbsp;</p>



<p class="wp-block-paragraph">Suspicious supplier files moved through triage twice as fast. Analysts identified malicious behavior sooner, reached confirmed verdicts with less delay, and passed high-risk cases into response with clearer evidence already collected.</p>



<p class="wp-block-paragraph">Legitimate submissions were also cleared faster, reducing the time business teams spent waiting for a security decision.&nbsp;</p>



<figure class="wp-block-pullquote"><blockquote><p><em>“We cut the time it takes to move from a suspicious supplier file to a clear decision in half. That gave the business faster answers and reduced the time potential&nbsp;threats remained unresolved.”</em>&nbsp;</p><cite><strong><em>Head of SOC, US automotive manufacturer</em></strong>&nbsp;</cite></blockquote></figure>



<p class="wp-block-paragraph">This faster process also reduced the company’s exposure window. Analysts reached evidence-backed verdicts sooner without sacrificing investigation depth, helping the SOC protect operations while keeping supplier workflows moving.&nbsp;</p>



<div class="wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper
"
    >
        <table id="wpdtSimpleTable-336"
           style="border-collapse:collapse;
                   border-spacing:0px;"
           class="wpdtSimpleTable wpDataTable"
           data-column="3"
           data-rows="5"
           data-wpID="336"
           data-responsive="0"
           data-has-header="1">

                    <thead>        <tr class="wpdt-cell-row " >
                                <th class="wpdt-cell wpdt-bold"
                                            data-cell-id="A1"
                    data-col-index="0"
                    data-row-index="0"
                    style=" width:33.333333333333%;                    padding:10px;
                    "
                    >
                                        Before ANY.RUN                     </th>
                                                <th class="wpdt-cell wpdt-bold"
                                            data-cell-id="B1"
                    data-col-index="1"
                    data-row-index="0"
                    style=" width:33.333333333333%;                    padding:10px;
                    "
                    >
                                        Result with ANY.RUN                     </th>
                                                <th class="wpdt-cell wpdt-bold"
                                            data-cell-id="C1"
                    data-col-index="2"
                    data-row-index="0"
                    style=" width:33.333333333333%;                    padding:10px;
                    "
                    >
                                        Business Impact                     </th>
                                        </tr>
                    <tbody>        <tr class="wpdt-cell-row " >
                                <td class="wpdt-cell "
                                            data-cell-id="A2"
                    data-col-index="0"
                    data-row-index="1"
                    style="                    padding:10px;
                    "
                    >
                                        No systematic process for analyzing vendor files                     </td>
                                                <td class="wpdt-cell "
                                            data-cell-id="B2"
                    data-col-index="1"
                    data-row-index="1"
                    style="                    padding:10px;
                    "
                    >
                                        Hundreds of supplier files analyzed weekly                     </td>
                                                <td class="wpdt-cell "
                                            data-cell-id="C2"
                    data-col-index="2"
                    data-row-index="1"
                    style="                    padding:10px;
                    "
                    >
                                        Greater triage capacity without additional hiring                     </td>
                                        </tr>
                            <tr class="wpdt-cell-row " >
                                <td class="wpdt-cell "
                                            data-cell-id="A3"
                    data-col-index="0"
                    data-row-index="2"
                    style="                    padding:10px;
                    "
                    >
                                        No behavioral analysis layer in supplier file intake                     </td>
                                                <td class="wpdt-cell "
                                            data-cell-id="B3"
                    data-col-index="1"
                    data-row-index="2"
                    style="                    padding:10px;
                    "
                    >
                                        Malicious behaviordetected through direct execution evidence                     </td>
                                                <td class="wpdt-cell "
                                            data-cell-id="C3"
                    data-col-index="2"
                    data-row-index="2"
                    style="                    padding:10px;
                    "
                    >
                                        Higher detection rate and lower third-party exposure                     </td>
                                        </tr>
                            <tr class="wpdt-cell-row " >
                                <td class="wpdt-cell "
                                            data-cell-id="A4"
                    data-col-index="0"
                    data-row-index="3"
                    style="                    padding:10px;
                    "
                    >
                                        Most suspicious submissions escalated by Tier 1                     </td>
                                                <td class="wpdt-cell "
                                            data-cell-id="B4"
                    data-col-index="1"
                    data-row-index="3"
                    style="                    padding:10px;
                    "
                    >
                                        Significant reduction in Tier 1 escalations                     </td>
                                                <td class="wpdt-cell "
                                            data-cell-id="C4"
                    data-col-index="2"
                    data-row-index="3"
                    style="                    padding:10px;
                    "
                    >
                                        More senior analyst capacity for critical incidents                     </td>
                                        </tr>
                            <tr class="wpdt-cell-row " >
                                <td class="wpdt-cell "
                                            data-cell-id="A5"
                    data-col-index="0"
                    data-row-index="4"
                    style="                    padding:10px;
                    "
                    >
                                        Slow, context-limited investigations                     </td>
                                                <td class="wpdt-cell "
                                            data-cell-id="B5"
                    data-col-index="1"
                    data-row-index="4"
                    style="                    padding:10px;
                    "
                    >
                                        2x faster alert processing and threat analysis                     </td>
                                                <td class="wpdt-cell "
                                            data-cell-id="C5"
                    data-col-index="2"
                    data-row-index="4"
                    style="                    padding:10px;
                    "
                    >
                                        Improved MTTD and MTTR with a shorter exposure window                     </td>
                                        </tr>
                    </table>
</div><style id='wpdt-custom-style-336'>
table#wpdtSimpleTable-336{ table-layout: fixed !important; }
table#wpdtSimpleTable-336 td, table.wpdtSimpleTable336 th { white-space: normal !important; }
</style>




<h2 class="wp-block-heading">A Practical Model for Manufacturing Leaders Managing Third-Party Risk&nbsp;</h2>



<p class="wp-block-paragraph">For manufacturing leaders, supplier security is not only a SOC issue. It affects operational&nbsp;continuity, staffing costs, executive accountability, and the company’s ability to grow without increasing exposure.&nbsp;</p>



<p class="wp-block-paragraph">A scalable approach should combine&nbsp;consistent file validation, broader&nbsp;threat&nbsp;context, and measurable outcomes.&nbsp;</p>



<h3 class="wp-block-heading">Turn Supplier File Intake into a Defined Risk&nbsp;Control&nbsp;</h3>



<p class="wp-block-paragraph">A&nbsp;consistent&nbsp;triage&nbsp;helps the SOC apply the same standard to files received from vendors and&nbsp;contractors.&nbsp;</p>



<p class="wp-block-paragraph">With behavioral evidence from the <a href="https://any.run/features/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=us-manufacturer-security-risk&amp;utm_term=300626&amp;utm_content=linktosandboxlanding" target="_blank" rel="noreferrer noopener">Interactive Sandbox</a> and additional context from <a href="https://any.run/threat-intelligence-lookup/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=us-manufacturer-security-risk&amp;utm_term=300626&amp;utm_content=linktotilookuplanding" target="_blank" rel="noreferrer noopener">Threat Intelligence</a>, teams can replace inconsistent manual checks with a repeatable validation workflow.</p>



<p class="wp-block-paragraph">For leadership, this creates clearer oversight of one of the company’s most exposed third-party risk channels.&nbsp;</p>



<h3 class="wp-block-heading">Increase Capacity Without Matching Growth with Headcount&nbsp;</h3>



<p class="wp-block-paragraph">Faster verdicts and fewer unnecessary escalations allow the existing team to handle more supplier submissions.&nbsp;</p>



<p class="wp-block-paragraph">ANY.RUN reduces duplicated work, protects senior analyst capacity, and helps the SOC process higher file volumes without expanding at the same rate.&nbsp;</p>



<p class="wp-block-paragraph">The result is lower investigation cost and greater value from existing security resources.&nbsp;</p>



<h3 class="wp-block-heading">Protect Operations Without Slowing Supplier Activity&nbsp;</h3>



<p class="wp-block-paragraph">Suspicious files can be&nbsp;analyzed&nbsp;in a&nbsp;controlled environment before they reach internal systems, while legitimate submissions move&nbsp;through review faster.&nbsp;</p>



<p class="wp-block-paragraph">This helps reduce the risk of supplier-borne&nbsp;threats without creating unnecessary delays for manufacturing, procurement, engineering, or other teams that depend on third-party collaboration.&nbsp;</p>



<h3 class="wp-block-heading">Connect Individual Submissions to Wider Exposure&nbsp;</h3>



<p class="wp-block-paragraph">A suspicious file may be only one part of a larger campaign.&nbsp;</p>



<p class="wp-block-paragraph">ANY.RUN’s&nbsp;<a href="https://any.run/threat-intelligence-lookup/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=us-manufacturer-security-risk&amp;utm_term=300626&amp;utm_content=linktotilookuplanding" target="_blank" rel="noreferrer noopener">Threat&nbsp;Intelligence</a>&nbsp;solutions help teams&nbsp;connect indicators to known infrastructure, related samples, active campaigns, and broader attacker activity.&nbsp;</p>



<p class="wp-block-paragraph">This gives leadership a clearer view of whether the company is dealing with an isolated submission or wider exposure involving suppliers and other external partners.&nbsp;</p>



<h3 class="wp-block-heading">Demonstrate Measurable Business Value&nbsp;</h3>



<p class="wp-block-paragraph">The strongest supplier security programs are measured by outcomes, not by the number of files processed.&nbsp;</p>



<p class="wp-block-paragraph">With ANY.RUN, organizations can track improvements such as lower MTTD and MTTR, higher detection rates, fewer Tier 1 escalations, greater analysis capacity, and shorter exposure windows.&nbsp;</p>



<p class="wp-block-paragraph">These results make it easier to show how supplier security investments reduce risk, avoid&nbsp;additional&nbsp;staffing costs, and support business growth.&nbsp;</p>



<!-- Regular Banner START -->
<div class="regular-banner">
<!-- Text Content -->
<p class="regular-banner__text">Reach a<span class="highlight"> 20-second MTTD</span> and shorten the exposure window.
<br><span class="highlight">Reduce supplier-driven risk </span> before it affects operations.  
</p>
<!-- CTA Link -->
<a class="regular-banner__link" id="article-banner-regular" href="https://any.run/by-industry/manufacturing/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=us-manufacturer-security-risk&amp;utm_term=300626&amp;utm_content=linktomanufacturing#contact-sales" target="_blank" rel="noopener">
Strengthen supplier security  &nbsp;
</a>
</div>
<!-- Regular Banner END -->
<!-- Regular Banner Styles START -->

<style>
.regular-banner {
display: flex;
text-align: center;
flex-direction: column;
align-items: center;
gap: 1.5rem;
width: 100%;
padding: 2rem;
margin: 1.5rem 0;
border-radius: 0.5rem;
font-family: 'Catamaran Bold';
margin-inline: auto;
background: rgba(32, 168, 241, 0.1);
border: 1px solid rgba(75, 174, 227, 0.32);
}

.regular-banner__text {
font-size: 1.5rem;
margin: 0;
}

.highlight {
color: #ea2526;
}

.regular-banner__link {
padding: 0.5rem 1.5rem;
font-weight: 500;
text-decoration: none;
border-radius: 0.5rem;
color: #FFFFFF;
background-color: #1491D4;
text-align: center;
transition: all 0.2s ease-in;
}

.regular-banner__link:hover {
background-color: #68CBFF;
color: white;
}
</style>
<!-- Regular Banner Styles END -->



<h2 class="wp-block-heading">Conclusion&nbsp;</h2>



<p class="wp-block-paragraph">For this US automotive manufacturer, supplier file intake had become both a security risk and a growing cost center. More than 200 vendors were sending files into the environment, while analysts lacked a consistent way to validate behavior, add threat context, and reach fast decisions.</p>



<p class="wp-block-paragraph">With ANY.RUN, the company built a scalable triage process that now supports hundreds of supplier files every week without&nbsp;additional&nbsp;headcount.&nbsp;Threat&nbsp;analysis became 2x faster, MTTD and MTTR improved, detection increased, and fewer cases required Tier 2 escalation.&nbsp;</p>



<p class="wp-block-paragraph">The result is a stronger security model for a complex supplier ecosystem: lower third-party exposure, better use of analyst time, and faster decisions that keep business operations moving.&nbsp;</p>



<h2 class="wp-block-heading">About ANY.RUN&nbsp;</h2>



<p class="wp-block-paragraph">ANY.RUN, a leading provider of interactive malware analysis and&nbsp;threat&nbsp;intelligence solutions, helps SOC teams, MSSPs, and enterprises investigate cyber&nbsp;threats faster and make evidence-based security decisions.&nbsp;</p>



<p class="wp-block-paragraph">Its cloud-based <a href="https://any.run/features/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=us-manufacturer-security-risk&amp;utm_term=300626&amp;utm_content=linktosandboxlanding" target="_blank" rel="noreferrer noopener">Interactive Sandbox</a> enables teams to safely analyze suspicious files, URLs, and emails in real time, observe malicious behavior as it unfolds, and collect clear evidence for triage and response.</p>



<p class="wp-block-paragraph">ANY.RUN’s&nbsp;<a href="https://any.run/threat-intelligence-lookup/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=us-manufacturer-security-risk&amp;utm_term=300626&amp;utm_content=linktotilookuplanding" target="_blank" rel="noreferrer noopener">Threat&nbsp;Intelligence</a>&nbsp;solutions provide&nbsp;additional&nbsp;context&nbsp;around indicators, malicious infrastructure, emerging campaigns, and attacker activity. Together, these capabilities help organizations improve&nbsp;threat&nbsp;detection, reduce investigation time, and manage growing security demands without adding unnecessary operational costs.&nbsp;</p>
<p>The post <a href="https://any.run/cybersecurity-blog/us-manufacturer-security-risk/">Closing the Supplier Security Gap: How a US Manufacturer Cut Third-Party Risk and Doubled SOC Triage Speed</a> appeared first on <a href="https://any.run/cybersecurity-blog">ANY.RUN&#039;s Cybersecurity Blog</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://any.run/cybersecurity-blog/us-manufacturer-security-risk/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>ANY.RUN &amp; Torq Integration: Scale Triage &amp; Respond with Confidence</title>
		<link>https://any.run/cybersecurity-blog/torq-integration/</link>
					<comments>https://any.run/cybersecurity-blog/torq-integration/#respond</comments>
		
		<dc:creator><![CDATA[ANY.RUN]]></dc:creator>
		<pubDate>Thu, 25 Jun 2026 11:56:11 +0000</pubDate>
				<category><![CDATA[Integrations & connectors]]></category>
		<category><![CDATA[ANYRUN]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[release]]></category>
		<category><![CDATA[update]]></category>
		<guid isPermaLink="false">https://any.run/cybersecurity-blog/?p=21801</guid>

					<description><![CDATA[<p>Lack of alert context makes it difficult for Security Operations Centers (SOC) to distinguish actual threats from false positives. ANY.RUN’s integration with the Torq AI SOC Platform bridges this gap by delivering conclusive malware &#38; phishing verdicts and actionable intelligence.   The result for your team is faster incident resolution, reduced alert fatigue, and proactive threat detection.&#160; ANY.RUN &#38; Torq [&#8230;]</p>
<p>The post <a href="https://any.run/cybersecurity-blog/torq-integration/">ANY.RUN &amp; Torq Integration: Scale Triage &amp; Respond with Confidence</a> appeared first on <a href="https://any.run/cybersecurity-blog">ANY.RUN&#039;s Cybersecurity Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="wp-block-paragraph"><strong>Lack of alert context</strong> makes it difficult for Security Operations Centers (SOC) to distinguish actual threats from false positives. <a href="https://any.run/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=torq-integration&amp;utm_term=250626&amp;utm_content=linktolanding" target="_blank" rel="noreferrer noopener"><strong>ANY.RUN</strong></a>’s integration with the <a href="https://torq.io/ai-soc-platform/" target="_blank" rel="noreferrer noopener"><strong>Torq AI SOC Platform</strong></a> bridges this gap by delivering conclusive malware &amp; phishing verdicts and actionable intelligence.  </p>



<p class="wp-block-paragraph"><strong>The result for your team is faster incident resolution</strong>, reduced alert fatigue, and proactive threat detection.&nbsp;</p>



<h2 class="wp-block-heading">ANY.RUN &amp; Torq Integration&nbsp;</h2>



<p class="wp-block-paragraph">Unlike legacy SOAR approaches that often require custom code and months of implementation, <strong>Torq</strong> allows <a href="https://any.run/enterprise/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=torq-integration&amp;utm_term=250626&amp;utm_content=linktoenterprise" target="_blank" rel="noreferrer noopener">SOC</a> and <a href="https://any.run/mssp/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=torq-integration&amp;utm_term=250626&amp;utm_content=linktomssp" target="_blank" rel="noreferrer noopener">MSSP teams</a> to build response logic visually. The ANY.RUN integration adds a critical layer of malware analysis, phishing detection, and IOC enrichment to these workflows. </p>



<p class="wp-block-paragraph"><strong>ANY.RUN</strong> users have access to <strong>five ready-to-use </strong><a href="https://torq.io/hyperagents/" target="_blank" rel="noreferrer noopener"><strong>Torq HyperAgents<img src="https://s.w.org/images/core/emoji/17.0.2/72x72/2122.png" alt="™" class="wp-smiley" style="height: 1em; max-height: 1em;" /></strong></a> designed to accelerate time-to-verdict:</p>



<ul class="wp-block-list">
<li><a href="https://kb.torq.io/en/articles/15027756-workflow-template-enrich-case-with-threat-intelligence-data-any-run-ti-lookup" target="_blank" rel="noreferrer noopener"><strong>Threat Intelligence Enrichment with TI Lookup</strong></a>&nbsp;</li>
</ul>



<ul class="wp-block-list">
<li><a href="https://kb.torq.io/en/?q=any.run" target="_blank" rel="noreferrer noopener"><strong>File &amp; URL Analysis with Interactive&nbsp;Sandbox</strong></a>&nbsp;</li>
</ul>



<p class="wp-block-paragraph">Results, including reputation data, threat names, tags, and structured JSON responses, are delivered directly into <a href="https://torq.io/case-management/" target="_blank" rel="noreferrer noopener"><strong>Torq Case Management.</strong></a> Teams can edit the current templates to fit their specific processes, adding actions, changing conditions, or using ANY.RUN as one specific step in a complex, multi-tool automation. </p>



<p class="wp-block-paragraph">Available on&nbsp;<a href="https://any.run/plans-ti/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=torq-integration&amp;utm_term=250626&amp;utm_content=linktotipricing" target="_blank" rel="noreferrer noopener">ANY.RUN Threat&nbsp;Intelligence</a>&nbsp;and&nbsp;<a href="https://any.run/plans/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=torq-integration&amp;utm_term=250626&amp;utm_content=linktosbpricing" target="_blank" rel="noreferrer noopener">Interactive&nbsp;Sandbox&nbsp;plans</a>&nbsp;<strong>with API access</strong>, the integration helps analysts streamline their workflows, gaining full alert or threat context quickly with an average reduction in MTTR of 21 minutes.&nbsp;&nbsp;</p>



<!-- Regular Banner START -->
<div class="regular-banner">
<!-- Text Content -->
<p class="regular-banner__text">
Speed up triage &#038; response inside Torq with ANY.RUN<br>Scale your SOC capability <span class="highlight">without adding headcount</span>
</p>
<!-- CTA Link -->
<a class="regular-banner__link" id="article-banner-regular" href="https://any.run/enterprise/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=torq-integration&#038;utm_term=250626&#038;utm_content=linktoenterprise#contact-sales" target="_blank" rel="noopener">
Contact us&nbsp;
</a>
</div>
<!-- Regular Banner END -->
<!-- Regular Banner Styles START -->

<style>
.regular-banner {
display: flex;
text-align: center;
flex-direction: column;
align-items: center;
gap: 1.5rem;
width: 100%;
padding: 2rem;
margin: 1.5rem 0;
border-radius: 0.5rem;
font-family: 'Catamaran Bold';
margin-inline: auto;
background: rgba(32, 168, 241, 0.1);
border: 1px solid rgba(75, 174, 227, 0.32);
}

.regular-banner__text {
font-size: 1.5rem;
margin: 0;
}

.highlight {
color: #ea2526;
}

.regular-banner__link {
padding: 0.5rem 1.5rem;
font-weight: 500;
text-decoration: none;
border-radius: 0.5rem;
color: #FFFFFF;
background-color: #1491D4;
text-align: center;
transition: all 0.2s ease-in;
}

.regular-banner__link:hover {
background-color: #68CBFF;
color: white;
}
</style>
<!-- Regular Banner Styles END -->



<h2 class="wp-block-heading">Interactive&nbsp;Sandbox&nbsp;Templates in Torq&nbsp;</h2>



<p class="wp-block-paragraph">The&nbsp;<a href="https://any.run/features/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=torq-integration&amp;utm_term=250626&amp;utm_content=linktosblanding" target="_blank" rel="noreferrer noopener">Interactive&nbsp;Sandbox</a>&nbsp;workflows allow analysts to detonate suspicious objects in real-time environments (<a href="https://any.run/cybersecurity-blog/windows-11-malware-sandbox/" target="_blank" rel="noreferrer noopener">Windows</a>,&nbsp;<a href="https://any.run/cybersecurity-blog/linux-malware-analysis-sandbox/" target="_blank" rel="noreferrer noopener">Linux</a>,&nbsp;<a href="https://any.run/cybersecurity-blog/anyrun-macos-sandbox/" target="_blank" rel="noreferrer noopener">macOS</a>&nbsp;or&nbsp;<a href="https://any.run/cybersecurity-blog/android-malware-analysis/" target="_blank" rel="noreferrer noopener">Android</a>) to uncover evasive behaviors. There are&nbsp;<strong>two types of templates</strong>&nbsp;available for&nbsp;sandbox&nbsp;analysis:&nbsp;</p>



<h3 class="wp-block-heading">1. Case-Based Workflows&nbsp;</h3>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="427" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image7-2-1024x427.png" alt="" class="wp-image-21810" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image7-2-1024x427.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image7-2-300x125.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image7-2-768x320.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image7-2-370x154.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image7-2-270x112.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image7-2-740x308.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image7-2.png 1318w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">ANY.RUN&#8217;s Sandbox provides fast case enrichment in Torq </figcaption></figure>
</div>


<p class="wp-block-paragraph">These are triggered directly from a&nbsp;<strong>Torq Case</strong>, where observables and attachments are automatically ingested from sources like EDR, SIEM, XDR, or email security tools.&nbsp;</p>



<ul class="wp-block-list">
<li><strong>Process:</strong>&nbsp;The analyst opens a case and launches the workflow. The system automatically retrieves observables or attachments, filtering for supported objects such as&nbsp;<strong>URLs or files</strong>. Analysts can then select specific objects for detonation.&nbsp;</li>
</ul>



<ul class="wp-block-list">
<li><strong>Result:</strong>&nbsp;Analysis data is added to the case notes in real-time. This includes a brief context, reputation,&nbsp;threat&nbsp;names or tags, and a structured JSON response. Additionally, a direct link is provided, allowing the analyst to jump into the ANY.RUN session to continue a manual, interactive analysis.&nbsp;</li>
</ul>



<p class="wp-block-paragraph">The list of case-based templates:&nbsp;</p>



<ul class="wp-block-list">
<li><a href="https://kb.torq.io/en/articles/15027776-workflow-template-enrich-case-with-url-analysis-in-any-run-sandbox" target="_blank" rel="noreferrer noopener">Enrich Case with URL Analysis in ANY.RUN&nbsp;Sandbox</a>&nbsp;</li>
</ul>



<ul class="wp-block-list">
<li><a href="https://kb.torq.io/en/articles/15027772-workflow-template-enrich-case-with-file-analysis-in-any-run-sandbox" target="_blank" rel="noreferrer noopener">Enrich Case with File Analysis in ANY.RUN&nbsp;Sandbox</a>&nbsp;</li>
</ul>



<h3 class="wp-block-heading">2.&nbsp;Sandbox&nbsp;Analysis Workflows&nbsp;</h3>



<p class="wp-block-paragraph">These templates are designed to be embedded as a specific step within a larger, custom&nbsp;<strong>incident response flow</strong>.&nbsp;</p>



<ul class="wp-block-list">
<li><strong>Process:</strong>&nbsp;Unlike case-based templates, these function independently of a specific case. They accept a&nbsp;<strong>URL or File</strong>&nbsp;as an input parameter and&nbsp;initiate&nbsp;the ANY.RUN&nbsp;Sandbox&nbsp;analysis.&nbsp;</li>
</ul>



<ul class="wp-block-list">
<li><strong>Result:</strong>&nbsp;The workflow waits for the analysis to complete and returns a structured JSON object&nbsp;containing&nbsp;the final verdict,&nbsp;analysis&nbsp;metadata, a list of IOCs, and a link to the full report. This data can then be passed further down the custom automation chain.&nbsp;</li>
</ul>



<p class="wp-block-paragraph">The list of&nbsp;sandbox&nbsp;analysis templates:&nbsp;</p>



<ul class="wp-block-list">
<li><a href="https://kb.torq.io/en/articles/15027767-workflow-template-analyze-urls-with-any-run-sandbox" target="_blank" rel="noreferrer noopener">Analyze URLs with ANY.RUN&nbsp;Sandbox</a>&nbsp;</li>
</ul>



<ul class="wp-block-list">
<li><a href="https://kb.torq.io/en/articles/15027760-workflow-template-analyze-files-with-any-run-sandbox" target="_blank" rel="noreferrer noopener">Analyze Files with ANY.RUN&nbsp;Sandbox</a>&nbsp;</li>
</ul>



<h2 class="wp-block-heading">Threat Intelligence Lookup Templates in Torq&nbsp;</h2>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="636" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image11-1-1024x636.png" alt="" class="wp-image-21812" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image11-1-1024x636.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image11-1-300x186.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image11-1-768x477.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image11-1-1536x953.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image11-1-370x230.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image11-1-270x168.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image11-1-740x459.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image11-1.png 1661w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">TI Lookup adds context to isolated indicators, giving SOC teams the clarity for correct decisions</figcaption></figure>
</div>


<p class="wp-block-paragraph">The&nbsp;<a href="https://any.run/threat-intelligence-lookup/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=torq-integration&amp;utm_term=250626&amp;utm_content=linktolookuplanding" target="_blank" rel="noreferrer noopener"><strong>Threat Intelligence (TI) Lookup</strong></a>&nbsp;integration focuses on rapid enrichment of &#8220;raw&#8221; observables found in alerts, such as IPs, domains, hashes, and URLs.&nbsp;</p>



<ul class="wp-block-list">
<li><strong>Automation at Scale:</strong>&nbsp;When a case&nbsp;contains&nbsp;suspicious indicators, the TI Lookup workflow queries ANY.RUN’s vast database of threat data—continuously updated from millions of&nbsp;sandbox&nbsp;sessions.&nbsp;</li>
</ul>



<ul class="wp-block-list">
<li><strong>Instant Context:</strong>&nbsp;The workflow returns high-fidelity data including the&nbsp;<strong>reputation</strong>&nbsp;of the indicator,&nbsp;<strong>threat names</strong>, and specific&nbsp;<strong>tags</strong>. This allows analysts to&nbsp;immediately&nbsp;understand the nature of a threat and decide whether to block the indicator or escalate the incident.&nbsp;</li>
</ul>



<ul class="wp-block-list">
<li><strong>Enrichment Integration:</strong>&nbsp;Much like the&nbsp;sandbox&nbsp;workflows, TI Lookup results are delivered directly into the Torq interface as JSON data or case notes, ensuring that the analyst never has to leave their primary workspace to gather intelligence.&nbsp;</li>
</ul>



<p class="wp-block-paragraph">Explore&nbsp;<a href="https://kb.torq.io/en/articles/15027756-workflow-template-enrich-case-with-threat-intelligence-data-any-run-ti-lookup" target="_blank" rel="noreferrer noopener">the TI Lookup template</a>.&nbsp;</p>



<h2 class="wp-block-heading">How to Integrate ANY.RUN in Torq&nbsp;</h2>



<p class="wp-block-paragraph">Setting up the integration is straightforward and requires no custom coding:&nbsp;</p>



<ol start="1" class="wp-block-list">
<li>Navigate to&nbsp;<strong>Integrations</strong>&nbsp;within Torq and&nbsp;locate&nbsp;<strong>ANY.RUN</strong>.&nbsp;</li>
</ol>



<ol start="2" class="wp-block-list">
<li>Click&nbsp;<strong>Add</strong>, create a new instance, and enter your&nbsp;<strong>API key</strong>.&nbsp;</li>
</ol>



<ol start="3" class="wp-block-list">
<li>Go to the&nbsp;<strong>Templates</strong>&nbsp;tab and search for ANY.RUN templates.&nbsp;</li>
</ol>



<ol start="4" class="wp-block-list">
<li>Select your previously configured ANY.RUN integration to begin using the workflows.&nbsp;</li>
</ol>



<p class="wp-block-paragraph">By default, these playbooks are configured to be&nbsp;<strong>launched manually</strong>. This is a deliberate design choice to ensure that only&nbsp;appropriate objects&nbsp;are sent for analysis.&nbsp;&nbsp;</p>



<p class="wp-block-paragraph">However, for high-volume environments, these templates can be easily integrated into broader,&nbsp;<strong>fully automated playbooks</strong>.&nbsp;</p>



<h2 class="wp-block-heading">Key SOC &amp; MSSP Benefits of Integrating ANY.RUN in Torq&nbsp;</h2>



<p class="wp-block-paragraph">ANY.RUN’s deep behavioral visibility with Torq’s hyper-automated orchestration levels up the efficiency of modern security operations, moving beyond simple automation toward maximizing security ROI.&nbsp;</p>



<ul class="wp-block-list">
<li><strong>Faster incident resolution (MTTR)</strong>: Automating&nbsp;sandbox&nbsp;analysis and threat intelligence correlation allows you to&nbsp;<strong>cut incident resolution time by tens of percent</strong>.&nbsp;Analysts get clear verdicts in seconds, enabling them to block threats before they spread.&nbsp;</li>
</ul>



<ul class="wp-block-list">
<li><strong>Operational Scaling:</strong> Teams can handle a growing volume of alerts with <strong>Torq HyperAgents<img src="https://s.w.org/images/core/emoji/17.0.2/72x72/2122.png" alt="™" class="wp-smiley" style="height: 1em; max-height: 1em;" /> &amp; handling</strong><strong> routine Tier 1 tasks</strong>, allowing analysts to focus on complex threats without increasing headcount.</li>
</ul>



<ul class="wp-block-list">
<li><strong>Zero development overhead</strong>: Unlike custom integrations that require months of engineering, this no-code setup is ready in minutes. You get a functional automation foundation without the cost of writing or&nbsp;maintaining&nbsp;scripts.&nbsp;</li>
</ul>



<ul class="wp-block-list">
<li><strong>Standardized investigation logic</strong>: Every alert is checked using the same high-fidelity criteria. This ensures consistent results and reduces the risk of human error, regardless of an analyst&#8217;s experience level.&nbsp;</li>
</ul>



<ul class="wp-block-list">
<li><strong>Higher ROI on existing tools</strong>: ANY.RUN works as an enrichment layer inside Torq, making your SIEM, EDR, and other security investments more effective by providing them with immediate, actionable context.&nbsp;</li>
</ul>



<ul class="wp-block-list">
<li><strong>Reduced analyst burnout</strong>: By&nbsp;eliminating&nbsp;manual data entry and constant switching between tools, you allow your team to focus on meaningful security work, which improves overall SOC productivity.&nbsp;</li>
</ul>



<!-- Regular Banner START -->
<div class="regular-banner">
<!-- Text Content -->
<p class="regular-banner__text">
Integrate ANY.RUN&#8217;s solutions in Torq<br><span class="highlight">Close security gaps</span> and reduce MTTR with confidence
</p>
<!-- CTA Link -->
<a class="regular-banner__link" id="article-banner-regular" href="https://any.run/enterprise/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=torq-integration&amp;utm_term=250626&amp;utm_content=linktoenterprise#contact-sales" target="_blank" rel="noopener">
Contact us&nbsp;
</a>
</div>
<!-- Regular Banner END -->
<!-- Regular Banner Styles START -->

<style>
.regular-banner {
display: flex;
text-align: center;
flex-direction: column;
align-items: center;
gap: 1.5rem;
width: 100%;
padding: 2rem;
margin: 1.5rem 0;
border-radius: 0.5rem;
font-family: 'Catamaran Bold';
margin-inline: auto;
background: rgba(32, 168, 241, 0.1);
border: 1px solid rgba(75, 174, 227, 0.32);
}

.regular-banner__text {
font-size: 1.5rem;
margin: 0;
}

.highlight {
color: #ea2526;
}

.regular-banner__link {
padding: 0.5rem 1.5rem;
font-weight: 500;
text-decoration: none;
border-radius: 0.5rem;
color: #FFFFFF;
background-color: #1491D4;
text-align: center;
transition: all 0.2s ease-in;
}

.regular-banner__link:hover {
background-color: #68CBFF;
color: white;
}
</style>
<!-- Regular Banner Styles END -->



<h2 class="wp-block-heading">About ANY.RUN&nbsp;</h2>



<p class="wp-block-paragraph">Trusted by over 600,000 cybersecurity professionals and 15,000+ organizations worldwide,&nbsp;<a href="https://any.run/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=torq-integration&amp;utm_term=250626&amp;utm_content=linktolanding" target="_blank" rel="noreferrer noopener">ANY.RUN</a>&nbsp;helps security teams investigate threats faster and with greater accuracy.&nbsp;</p>



<p class="wp-block-paragraph">Our&nbsp;<a href="https://any.run/features/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=torq-integration&amp;utm_term=250626&amp;utm_content=linktosblanding" target="_blank" rel="noreferrer noopener"><strong>Interactive&nbsp;Sandbox</strong></a>&nbsp;accelerates incident response by allowing you to analyze suspicious files in real time, while our&nbsp;<strong>Threat Intelligence solutions&nbsp;(</strong><a href="https://any.run/threat-intelligence-lookup/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=torq-integration&amp;utm_term=250626&amp;utm_content=linktolookuplanding" target="_blank" rel="noreferrer noopener"><strong>TI Lookup</strong></a><strong>&nbsp;and&nbsp;</strong><a href="https://any.run/threat-intelligence-feeds/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=torq-integration&amp;utm_term=250626&amp;utm_content=linktofeedslanding" target="_blank" rel="noreferrer noopener"><strong>TI Feeds</strong></a><strong>)&nbsp;</strong>provide the necessary context to&nbsp;anticipate&nbsp;and stop today’s most advanced attacks.&nbsp;</p>



<p class="wp-block-paragraph">The integration of&nbsp;<strong>ANY.RUN with Torq</strong>&nbsp;adds a specialized layer of malware analysis, phishing detection, and IOC enrichment to your security operations. By&nbsp;utilizing&nbsp;these automated workflows, SOC teams can seamlessly embed ANY.RUN’s deep visibility into their existing triage and incident response flows.&nbsp;</p>
<p>The post <a href="https://any.run/cybersecurity-blog/torq-integration/">ANY.RUN &amp; Torq Integration: Scale Triage &amp; Respond with Confidence</a> appeared first on <a href="https://any.run/cybersecurity-blog">ANY.RUN&#039;s Cybersecurity Blog</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://any.run/cybersecurity-blog/torq-integration/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>From Alert Enrichment to Confident Response: How ANY.RUN Powers Every SOC Workflow</title>
		<link>https://any.run/cybersecurity-blog/streamline-your-soc/</link>
					<comments>https://any.run/cybersecurity-blog/streamline-your-soc/#respond</comments>
		
		<dc:creator><![CDATA[ANY.RUN]]></dc:creator>
		<pubDate>Thu, 25 Jun 2026 08:46:11 +0000</pubDate>
				<category><![CDATA[Cybersecurity Lifehacks]]></category>
		<category><![CDATA[ANYRUN]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[malware analysis]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<guid isPermaLink="false">/cybersecurity-blog/?p=15688</guid>

					<description><![CDATA[<p>A Security Operations Center rarely struggles because it lacks alerts. It struggles because every alert creates work: validate the indicator, understand the behavior, check whether the threat is known, determine its scope, decide whether to escalate, contain the incident, and make sure the same attack is easier to detect next time. When these steps depend [&#8230;]</p>
<p>The post <a href="https://any.run/cybersecurity-blog/streamline-your-soc/">From Alert Enrichment to Confident Response: How ANY.RUN Powers Every SOC Workflow</a> appeared first on <a href="https://any.run/cybersecurity-blog">ANY.RUN&#039;s Cybersecurity Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="wp-block-paragraph">A Security Operations Center rarely struggles because it lacks alerts.</p>



<p class="wp-block-paragraph">It struggles because every alert creates work: validate the indicator, understand the behavior, check whether the threat is known, determine its scope, decide whether to escalate, contain the incident, and make sure the same attack is easier to detect next time.</p>



<p class="wp-block-paragraph">When these steps depend on disconnected tools, analysts lose time moving between dashboards, manually enriching IOCs, recreating investigations for senior analysts, and searching for context that should already be available. The SOC becomes a relay race in which every handoff drops a few pieces of evidence.</p>



<p class="wp-block-paragraph">This is the hidden cost of fragmented security operations. It increases alert fatigue, slows response, creates unnecessary escalations, and leaves experienced analysts handling routine investigations that could have been resolved earlier.</p>



<h2 class="wp-block-heading">Key Takeaways</h2>



<ul class="wp-block-list">
<li><strong>A SOC needs connected intelligence, not just more alerts.</strong> Fragmented tools force analysts to manually collect context, repeat investigations, and lose evidence during handoffs.</li>



<li><strong><a href="https://any.run/threat-intelligence-feeds/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=streamline-your-soc&amp;utm_term=250626&amp;utm_content=linktotifeedslanding" target="_blank" rel="noreferrer noopener">Threat Intelligence Feeds</a> strengthen monitoring from the start.</strong> Fresh indicators and malicious infrastructure context help teams prioritize alerts and identify active threats faster.</li>



<li><strong><a href="https://any.run/features/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=streamline-your-soc&amp;utm_term=250626&amp;utm_content=linktosandboxlanding" target="_blank" rel="noreferrer noopener">Interactive Sandbox</a> analysis provides behavioral proof. </strong>Analysts can safely investigate suspicious files, URLs, scripts, and archives instead of relying only on static verdicts.</li>



<li><strong>In-browser data inspection helps expose evasive phishing.</strong> SOC teams can observe dynamically loaded content, injected forms, redirects, scripts, and credential collection behavior that static URL scans may miss.</li>



<li><strong><a href="https://any.run/threat-intelligence-lookup/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=streamline-your-soc&amp;utm_term=250626&amp;utm_content=linktotilookuplanding" target="_blank" rel="noreferrer noopener">Threat Intelligence Lookup</a> turns isolated artifacts into investigation pivots.</strong> Analysts can enrich IOCs, IOBs, and IOAs, connect them to related samples and infrastructure, and access the full sandbox analysis behind an indicator.</li>



<li><strong>Structured reporting speeds up response and escalation.</strong> Tier 1 Reports preserve investigation evidence and give Tier 2, Tier 3, and incident response teams a clearer starting point.</li>



<li><strong>Threat hunting and detection engineering improve the entire SOC loop. </strong>Behavioral searches, Threat Intelligence Reports, and YARA Search help teams find activity that alerts miss and convert investigation findings into stronger detections.</li>
</ul>



<h2 class="wp-block-heading">What Changes When Intelligence Is Connected</h2>



<p class="wp-block-paragraph">When detection, triage, response, and hunting instead run as one continuous, intelligence-fed process, every stage strengthens the next:</p>



<ul class="wp-block-list">
<li><strong>Noise gets filtered early.</strong> Live feeds rule out known threats before they consume analyst time.</li>



<li>Investigations move faster. Interactive analysis reveals hidden behavior in real time instead of waiting on static reports.</li>



<li><strong>Decisions are backed by context.</strong> A single indicator connects to millions of past analyses, turning isolated alerts into recognizable patterns.</li>



<li><strong>Escalations carry evidence, not guesswork.</strong> Findings move between tiers as structured, decision-ready intelligence rather than raw technical data.</li>
</ul>



<p class="wp-block-paragraph">This is what it looks like to operationalize threat intelligence across the full SOC workflow — not as a bolt-on lookup tool, but as the connective layer underneath monitoring, triage, response, and detection engineering. Below is how ANY.RUN&#8217;s Threat Intelligence suite — Threat Intelligence Feeds, Threat Intelligence Lookup, and Interactive Sandbox — fuels each stage.</p>



<h2 class="wp-block-heading">1. Monitoring: Prioritize What Matters with Threat Intelligence Feeds&nbsp;</h2>



<p class="wp-block-paragraph">The first challenge in any SOC is deciding which alerts deserve attention at all. With live IOC streams collected from a global analyst community, ANY.RUN&#8217;s <a href="https://any.run/threat-intelligence-feeds/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=streamline-your-soc&amp;utm_term=250626&amp;utm_content=linktotifeedslanding" target="_blank" rel="noreferrer noopener">Threat Intelligence Feeds</a> work as that early filter. Analysts and automated systems see instantly whether an IP, domain, or an URL has already been confirmed malicious, ruling out duplicates before they ever reach a human queue.&nbsp;</p>



<p class="wp-block-paragraph">Every indicator in the feed is actionable and connected back to a sandbox analysis, so monitoring systems aren&#8217;t just receiving a red flag. They&#8217;re inheriting the behavioral evidence behind it. That context is what separates a feed analysts trust from one they learn to ignore.&nbsp;</p>



<p class="wp-block-paragraph">TI Feeds are delivered in multiple formats with straightforward integration paths into SIEM, TIP, and SOAR platforms. The filtering happens automatically, at the point of ingestion — not after an analyst has already spent time on a case that should have been ruled out in milliseconds.&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="1002" height="540" src="https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/ti_feeds.png" alt="" class="wp-image-21765" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/ti_feeds.png 1002w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/ti_feeds-300x162.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/ti_feeds-768x414.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/ti_feeds-370x199.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/ti_feeds-270x146.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/ti_feeds-740x399.png 740w" sizes="auto, (max-width: 1002px) 100vw, 1002px" /><figcaption class="wp-element-caption"><em>ANY.RUN’s TI Feed providing actionable IOCs to SOC teams</em>&nbsp;</figcaption></figure>
</div>


<p class="wp-block-paragraph"><strong>For monitoring specifically, this means:&nbsp;</strong></p>



<ul class="wp-block-list">
<li>Continuously updated indicators feeding directly into existing detection stacks;&nbsp;</li>



<li>Fewer duplicate or already-confirmed alerts reaching the human queue; &nbsp;</li>



<li>A baseline of global telemetry that flags infrastructure before it&#8217;s used against your organization.&nbsp;</li>
</ul>



<p class="wp-block-paragraph"><strong>Threat Intelligence Feeds help teams:&nbsp;</strong></p>



<ul class="wp-block-list">
<li><strong>identify</strong> known malicious infrastructure earlier;&nbsp;</li>



<li><strong>enrich</strong> alerts automatically;&nbsp;</li>



<li><strong>prioritize</strong> events connected to active malware or phishing campaigns;&nbsp;</li>



<li><strong>update</strong> blocklists and detection logic with fresh data;&nbsp;</li>



<li><strong>reduce</strong> time spent manually checking external threat intelligence sources;&nbsp;</li>



<li><strong>improve</strong> correlation between internal telemetry and current attacker activity.&nbsp;</li>
</ul>



<p class="wp-block-paragraph">This gives analysts a better starting point. Instead of beginning every investigation with &#8220;What is this indicator?&#8221;, they can begin with &#8220;How urgent is this, and what attack activity is it connected to?&#8221;&nbsp;</p>



<h2 class="wp-block-heading">2. Triage: Validate Alerts with Behavioral and Historical Context&nbsp;</h2>



<p class="wp-block-paragraph"><a href="https://any.run/cybersecurity-blog/triage-analyst-guide/" target="_blank" rel="noreferrer noopener">Triage</a> is the decision point that determines whether an alert becomes a closed ticket, an escalation, or a full incident. For Tier 1 analysts, the goal is not to perform a complete forensic investigation for every event. It is to quickly determine whether the object is malicious, understand enough of its behavior to assess risk, and provide evidence for the next action.&nbsp;</p>



<p class="wp-block-paragraph"><strong>ANY.RUN supports this process through two connected capabilities:</strong>&nbsp;</p>



<ul class="wp-block-list">
<li>Interactive analysis of suspicious files and URLs in the Sandbox;&nbsp;</li>



<li>Context enrichment through Threat Intelligence Lookup.&nbsp;</li>
</ul>



<p class="wp-block-paragraph">ANY.RUN&#8217;s <a href="https://any.run/features/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=streamline-your-soc&amp;utm_term=250626&amp;utm_content=linktosandboxlanding" target="_blank" rel="noreferrer noopener">Interactive Sandbox</a> allows analysts to detonate suspicious files, scripts, archives, and URLs in an isolated environment and observe their behavior in real time. The Sandbox gives analysts the proof behind the alert. It transforms a suspicious file or URL from an unknown object into an observable attack chain.&nbsp;</p>



<!-- Regular Banner START -->
<div class="regular-banner">
<!-- Text Content -->
<p class="regular-banner__text">
<span class="highlight">Build a faster, more connected SOC </span>with ANY.RUN &nbsp;<br>
Give your team the threat data, malware analysis, and context it needs to move from alert to action with less manual work.
</p>
<!-- CTA Link -->
<a class="regular-banner__link" id="article-banner-regular" href="https://any.run/enterprise/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=unified_threat_detection&amp;utm_term=24062026&amp;utm_content=linktoenterprise" target="_blank" rel="noopener">
Start Here
</a>
</div>
<!-- Regular Banner END -->
<!-- Regular Banner Styles START -->

<style>
.regular-banner {
display: flex;
text-align: center;
flex-direction: column;
align-items: center;
gap: 1.5rem;
width: 100%;
padding: 2rem;
margin: 1.5rem 0;
border-radius: 0.5rem;
font-family: 'Catamaran Bold';
margin-inline: auto;
background: rgba(32, 168, 241, 0.1);
border: 1px solid rgba(75, 174, 227, 0.32);
}

.regular-banner__text {
font-size: 1.5rem;
margin: 0;
}

.highlight {
color: #ea2526;
}

.regular-banner__link {
padding: 0.5rem 1.5rem;
font-weight: 500;
text-decoration: none;
border-radius: 0.5rem;
color: #FFFFFF;
background-color: #1491D4;
text-align: center;
transition: all 0.2s ease-in;
}

.regular-banner__link:hover {
background-color: #68CBFF;
color: white;
}
</style>
<!-- Regular Banner Styles END -->



<p class="wp-block-paragraph">ANY.RUN’s Threat Intelligence Feeds come in multiple formats with simple integration options, making it easy to plug into your existing SIEM, TIP, or SOAR setup.&nbsp;</p>



<h3 class="wp-block-heading">Detect evasive phishing with in-browser data inspection</h3>



<p class="wp-block-paragraph">Phishing analysis creates specific challenge. A suspicious page may look harmless to an automated scanner but reveal credential theft behavior only after a user interacts with it.&nbsp;</p>



<p class="wp-block-paragraph"><a href="https://any.run/cybersecurity-blog/in-browser-data-inspection/" target="_blank" rel="noreferrer noopener">ANY.RUN’s in-browser data inspection</a> helps analysts examine phishing pages from inside the browser session. It provides visibility into dynamically loaded content, injected forms, script execution, redirect chains, and network activity.&nbsp;</p>



<p class="wp-block-paragraph"><strong>This makes it easier to investigate phishing pages that:&nbsp;</strong></p>



<ul class="wp-block-list">
<li>imitate trusted login portals;&nbsp;</li>



<li>load malicious content only after interaction;&nbsp;</li>



<li>use hidden or dynamically injected credential forms;&nbsp;</li>



<li>redirect victims through multiple pages;&nbsp;</li>



<li>send submitted credentials to attacker-controlled infrastructure;&nbsp;</li>



<li>use browser-side scripts to evade static URL analysis.&nbsp;</li>
</ul>



<p class="wp-block-paragraph"><strong>In practice, this gives triage analysts:&nbsp;</strong></p>



<ul class="wp-block-list">
<li><strong>A complete execution tree</strong> from the initial URL to the final rendered page, with detection-triggering stages highlighted.&nbsp;</li>



<li><strong>HTTP request-level visibility </strong>into the full redirect chain, useful for both validation and later detection engineering.&nbsp;</li>



<li><strong>An HTML DOM Changes view</strong> showing exactly what code was injected after the page loaded — revealing what static analysis structurally cannot see.&nbsp;</li>



<li><strong>A dedicated Indicators tab</strong> collecting every URL, domain, IP, and content hash tied to the analyzed page, ready for pivoting.&nbsp;</li>
</ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="831" height="1024" src="https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/unfo1-1662x2048-1-831x1024.png" alt="" class="wp-image-21788" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/unfo1-1662x2048-1-831x1024.png 831w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/unfo1-1662x2048-1-243x300.png 243w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/unfo1-1662x2048-1-768x946.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/unfo1-1662x2048-1-1247x1536.png 1247w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/unfo1-1662x2048-1-370x456.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/unfo1-1662x2048-1-270x333.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/unfo1-1662x2048-1-740x912.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/unfo1-1662x2048-1.png 1662w" sizes="auto, (max-width: 831px) 100vw, 831px" /><figcaption class="wp-element-caption"><em>See all URL details, DOM changes, network requests, and IOCs in one place</em> </figcaption></figure>



<p class="wp-block-paragraph">Because this evidence is collected and correlated within a single workflow, junior analysts can validate suspicious URLs with far more confidence — and far less escalation by default — while still capturing everything a senior analyst or detection engineer would need later.&nbsp;</p>



<h3 class="wp-block-heading">Enrich Indicators with Behavior and Context</h3>



<p class="wp-block-paragraph">A sandbox session explains what one suspicious object does. Threat Intelligence Lookup helps analysts understand whether it is part of something larger.&nbsp;</p>



<p class="wp-block-paragraph">Threat Intelligence Lookup is designed as a searchable repository of indicators and event data extracted from interactive sandbox sessions, with direct access to the related analysis when an indicator is found.&nbsp;</p>



<p class="wp-block-paragraph"><strong>This includes:&nbsp;</strong></p>



<ul class="wp-block-list">
<li>IOCs: hashes, IP addresses, domains, URLs, file names, and registry artifacts;&nbsp;</li>



<li><a href="https://any.run/cybersecurity-blog/iocs-iobs-ioas-explained/" target="_blank" rel="noreferrer noopener">IOBs</a>: mutexes, command lines, process behavior, dropped files, loaded modules, and network patterns;&nbsp;</li>



<li><a href="https://any.run/cybersecurity-blog/iocs-iobs-ioas-explained/" target="_blank" rel="noreferrer noopener">IOAs</a>: attacker techniques and attack chains, including persistence, credential theft, lateral movement-related behavior, and command-and-control activity.&nbsp;</li>
</ul>



<p class="wp-block-paragraph">The distinction matters because attackers can rotate static IOCs quickly. A hash may change after a minor rebuild. A domain may disappear after a few hours. But behavioral patterns, execution logic, mutexes, registry modifications, and process chains can provide more durable clues for investigation.&nbsp;</p>



<p class="wp-block-paragraph">With Threat Intelligence Lookup, an analyst can start with one artifact from an alert and pivot into related activity:&nbsp;</p>



<ul class="wp-block-list">
<li>Search a suspicious <strong>domain</strong> and find associated phishing pages;&nbsp;</li>



<li>Search a <strong>hash</strong> and identify related malware families;&nbsp;</li>



<li>Search a <a href="https://any.run/cybersecurity-blog/mutex-search-in-ti-lookup/" target="_blank" rel="noreferrer noopener"><strong>mutex</strong></a> or command line and discover additional samples using the same behavior;&nbsp;</li>



<li>Search a destination <strong>IP</strong> and identify connected command-and-control infrastructure;&nbsp;</li>



<li>Search <a href="https://any.run/cybersecurity-blog/mitre-ciso-risk-reduction/" target="_blank" rel="noreferrer noopener">MITRE ATT&amp;CK</a> <strong>techniques</strong> to investigate samples exhibiting a particular behavior;&nbsp;</li>



<li>Open linked sandbox sessions to review the full <strong>attack chain</strong> behind an indicator.&nbsp;</li>
</ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="493" src="https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/lookup-1024x493.png" alt="" class="wp-image-21791" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/lookup-1024x493.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/lookup-300x145.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/lookup-768x370.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/lookup-1536x740.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/lookup-370x178.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/lookup-270x130.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/lookup-740x357.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/lookup.png 1623w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Sandbox analyses with the malicious domain found via TI Lookup</figcaption></figure>



<h2 class="wp-block-heading">3. Response: Turn Investigation Evidence into Faster Action</h2>



<p class="wp-block-paragraph">Once an alert is confirmed, the SOC needs to decide what to do next.</p>



<p class="wp-block-paragraph">Containment may involve blocking infrastructure, isolating an endpoint, resetting credentials, removing malicious files, investigating related hosts, or escalating to incident response. These actions depend on understanding more than a single IOC.</p>



<p class="wp-block-paragraph">A domain may be one part of a phishing kit. A file hash may be one stage of a multi-step infection chain. A suspicious process may have created persistence, downloaded another payload, or contacted infrastructure that should also be blocked.</p>



<h3 class="wp-block-heading">Connect Threat Intelligence Lookup to Full Sandbox Analysis</h3>



<p class="wp-block-paragraph">The combination of Threat Intelligence Lookup and Interactive Sandbox creates a direct path from an indicator to the evidence behind it.&nbsp;</p>



<p class="wp-block-paragraph">An analyst can begin with a suspicious hash, URL, domain, IP address, mutex, process name, registry key, or command line in Threat Intelligence Lookup. From there, they can access linked sandbox sessions and inspect the complete behavioral analysis.&nbsp;</p>



<p class="wp-block-paragraph"><strong>This lets response teams determine:&nbsp;</strong></p>



<ul class="wp-block-list">
<li>how the threat <strong>entered</strong> the environment;&nbsp;</li>



<li>what processes and scripts it <strong>launched</strong>;&nbsp;</li>



<li>what <strong>files</strong> it <strong>created</strong> or <strong>modified</strong>;&nbsp;</li>



<li>whether it <strong>established persistence</strong>;&nbsp;</li>



<li>which <strong>infrastructure</strong> it contacted;&nbsp;</li>



<li>whether it attempted <strong>credential theft or data exfiltration</strong>;&nbsp;</li>



<li>what additional <strong>indicators</strong> should be blocked or investigated;&nbsp;</li>



<li>which MITRE ATT&amp;CK techniques are relevant to <strong>containment and remediation</strong>.&nbsp;</li>
</ul>



<p class="wp-block-paragraph">This connection reduces the risk of narrow response actions, such as blocking one visible domain while missing related infrastructure, secondary payloads, or persistence mechanisms.&nbsp;</p>



<h3 class="wp-block-heading">Use Tier 1 Reports for Escalation and Case Handoffs</h3>



<p class="wp-block-paragraph">A SOC investigation often loses momentum at the escalation stage.&nbsp;</p>



<p class="wp-block-paragraph">Tier 1 analysts may identify suspicious behavior, but Tier 2, Tier 3, or incident response teams frequently receive a mixture of screenshots, raw logs, copied IOCs, and incomplete notes. The receiving analyst then has to reconstruct the investigation before taking action.&nbsp;</p>



<p class="wp-block-paragraph"><a href="https://any.run/cybersecurity-blog/soc-ready-reporting/" target="_blank" rel="noreferrer noopener">Tier 1 Reports</a> help standardize this handoff.&nbsp;They package the findings of a sandbox analysis into a structured, decision-ready report that can support triage, escalation, incident response, and communication with stakeholders.&nbsp;</p>



<p class="wp-block-paragraph"><strong>A Tier 1 Report can include:&nbsp;</strong></p>



<ul class="wp-block-list">
<li>a verdict and threat classification;&nbsp;</li>



<li>an executive-friendly summary;&nbsp;</li>



<li>key IOCs;&nbsp;</li>



<li>observed behavior;&nbsp;</li>



<li>MITRE ATT&amp;CK mapping;&nbsp;</li>



<li>process and network evidence;&nbsp;</li>



<li>recommended next steps for the investigation.&nbsp;</li>
</ul>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="817" height="847" src="https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/report.png" alt="" class="wp-image-21795" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/report.png 817w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/report-289x300.png 289w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/report-768x796.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/report-370x384.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/report-270x280.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/report-740x767.png 740w" sizes="auto, (max-width: 817px) 100vw, 817px" /><figcaption class="wp-element-caption">Tier 1 report example</figcaption></figure>



<p class="wp-block-paragraph">This helps Tier 1 analysts explain why a case should be escalated. It also helps senior analysts begin from the evidence already collected instead of repeating routine validation work.&nbsp;</p>



<h2 class="wp-block-heading">4. Threat Hunting &amp; Detection Engineering: Getting Ahead of the Next Alert</h2>



<p class="wp-block-paragraph">Monitoring, triage, and response all start with something that already happened — an alert, a submitted sample, an indicator. Threat hunting and detection engineering exist to get ahead of that: finding what alerts miss, and building detections that hold up against attackers who rotate infrastructure and rename their tools faster than static IOC lists can track.&nbsp;</p>



<p class="wp-block-paragraph">Threat hunters use hypotheses to search for suspicious behavior. Detection engineers turn those findings into rules, queries, signatures, and automated controls that strengthen future monitoring.&nbsp;</p>



<p class="wp-block-paragraph">ANY.RUN supports both workflows by giving analysts access to behavioral intelligence, campaign context, and a large corpus of real-world malware samples.</p>



<h3 class="wp-block-heading">Hunt With Threat Intelligence Lookup&nbsp;</h3>



<p class="wp-block-paragraph"><a href="https://any.run/threat-intelligence-lookup/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=streamline-your-soc&amp;utm_term=250626&amp;utm_content=linktotilookuplanding" target="_blank" rel="noreferrer noopener">Threat Intelligence Lookup</a> supports hunting by allowing analysts to search for behavioral artifacts, not only static indicators.&nbsp;</p>



<p class="wp-block-paragraph">A threat hunter can begin with a suspicious mutex, file path, registry key, command line, destination IP, HTTP response pattern, or MITRE ATT&amp;CK technique. From there, they can identify related malware samples, campaigns, and infrastructure.&nbsp;</p>



<p class="wp-block-paragraph"><strong>This supports key hunting challenges, such as:&nbsp;</strong></p>



<ul class="wp-block-list">
<li><strong>tracking a malware family</strong> through stable behavioral artifacts;&nbsp;</li>



<li><strong>investigating suspicious infrastructure</strong> observed in internal telemetry;&nbsp;</li>



<li><strong>validating whether an alert pattern</strong> is connected to known malicious activity;&nbsp;</li>



<li><strong>expanding one IOC </strong>into a campaign-level investigation;&nbsp;</li>



<li><strong>identifying related indicators</strong> for retrospective searches;&nbsp;</li>



<li><strong>reducing false positives</strong> by comparing an internal event with observed malware behavior.&nbsp;</li>
</ul>



<p class="wp-block-paragraph">We cover this in depth — including hands-on examples of hypothesis validation against live phishing techniques, tracking entire malware families from a single mutex, and turning one alert into a full threat actor profile — in <a href="https://any.run/cybersecurity-blog/threat-hunting-practical-usecases/" target="_blank" rel="noreferrer noopener">Intelligence-Driven Threat Hunting: How SOCs Find What Alerts Miss</a>.&nbsp;</p>



<h3 class="wp-block-heading">Use Threat Intelligence Reports for Campaign-Level Awareness</h3>



<p class="wp-block-paragraph">Threat Intelligence Reports support a broader layer of SOC operations.&nbsp;</p>



<p class="wp-block-paragraph">While Tier 1 Reports focus on one specific suspicious object or incident, <a href="https://any.run/cybersecurity-blog/threat-intelligence-reports/" target="_blank" rel="noreferrer noopener">Threat Intelligence Reports</a> provide analyst-led research into active threats, malware families, phishing campaigns, ransomware operations, threat actors, and emerging techniques.&nbsp;</p>



<p class="wp-block-paragraph"><strong>They can help teams:&nbsp;</strong></p>



<ul class="wp-block-list">
<li>prioritize threats relevant to their industry;&nbsp;</li>



<li>understand malware delivery methods and victimology;&nbsp;</li>



<li>identify likely attacker behaviors;&nbsp;</li>



<li>prepare response playbooks;&nbsp;</li>



<li>improve awareness among security and IT teams;&nbsp;</li>



<li>inform executive risk discussions;&nbsp;</li>



<li>guide detection and hunting priorities.&nbsp;</li>
</ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="563" src="https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/tireport-1024x563.png" alt="" class="wp-image-21798" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/tireport-1024x563.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/tireport-300x165.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/tireport-768x422.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/tireport-370x204.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/tireport-270x149.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/tireport-740x407.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/09/tireport.png 1338w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Threat Intelligence Report examples</figcaption></figure>



<p class="wp-block-paragraph">For example, if a SOC sees a rise in suspicious activity associated with a particular malware family, a Threat Intelligence Report can help analysts understand the family’s common infection chain, persistence techniques, infrastructure patterns, and business impact.&nbsp;</p>



<h3 class="wp-block-heading">Validate Detections with YARA Search</h3>



<p class="wp-block-paragraph">Detection engineering is where investigation findings become long-term defensive value.&nbsp;</p>



<p class="wp-block-paragraph">Detection engineering lives or dies on whether a rule generalizes — whether it catches a malware family&#8217;s future builds, or breaks the moment the author changes a hardcoded string. <a href="https://intelligence.any.run/analysis/yara?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=streamline-your-soc&amp;utm_term=250626&amp;utm_content=linktotilookup" target="_blank" rel="noreferrer noopener">TI Lookup&#8217;s YARA Search</a> is where rules get validated before they ever reach production, run against an enormous corpus of real-world samples rather than a small internal test set.&nbsp;</p>



<p class="wp-block-paragraph"><strong>This implies a practical rule-development cycle:&nbsp;</strong></p>



<ul class="wp-block-list">
<li><strong>Analyze</strong> a suspicious sample in the Sandbox;&nbsp;</li>



<li><strong>Identify</strong> stable strings, code patterns, or structural characteristics;&nbsp;</li>



<li><strong>Create</strong> an initial YARA rule;&nbsp;</li>



<li><strong>Test</strong> the rule against real samples;&nbsp;</li>



<li><strong>Review</strong> matches for accuracy and false positives;&nbsp;</li>



<li><strong>Refine</strong> the rule;&nbsp;</li>



<li><strong>Validate</strong> it again before deployment.&nbsp;</li>
</ul>



<p class="wp-block-paragraph">This makes detection engineering less speculative. Instead of assuming a rule will work in production, teams can test it against real malware samples and identify where it is too narrow, too broad, or vulnerable to superficial attacker changes.&nbsp;</p>



<h2 class="wp-block-heading">Business Impact: A Connected SOC Instead of a Tool Collection</h2>



<p class="wp-block-paragraph">The business value of ANY.RUN is not simply access to more threat data. It is the ability to reduce friction between the workflows that determine whether a SOC can operate efficiently at scale.</p>



<div class="wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper
"
    >
        <table id="wpdtSimpleTable-335"
           style="border-collapse:collapse;
                   border-spacing:0px;"
           class="wpdtSimpleTable wpDataTable"
           data-column="3"
           data-rows="11"
           data-wpID="335"
           data-responsive="0"
           data-has-header="1">

                    <thead>        <tr class="wpdt-cell-row " >
                                <th class="wpdt-cell wpdt-bold wpdt-fs-000015 wpdt-bc-03A9F4"
                                            data-cell-id="A1"
                    data-col-index="0"
                    data-row-index="0"
                    style=" width:20.10101010101%;                    padding:10px;
                    "
                    >
                                        SOC challenge                      </th>
                                                <th class="wpdt-cell wpdt-bold wpdt-fs-000015 wpdt-bc-03A9F4"
                                            data-cell-id="B1"
                    data-col-index="1"
                    data-row-index="0"
                    style=" width:45.050505050505%;                    padding:10px;
                    "
                    >
                                        How ANY.RUN supports the workflow                      </th>
                                                <th class="wpdt-cell wpdt-bold wpdt-fs-000015 wpdt-bc-03A9F4"
                                            data-cell-id="C1"
                    data-col-index="2"
                    data-row-index="0"
                    style=" width:34.848484848485%;                    padding:10px;
                    "
                    >
                                        Business impact                      </th>
                                        </tr>
                    <tbody>        <tr class="wpdt-cell-row odd" >
                                <td class="wpdt-cell wpdt-align-left wpdt-fs-000012 wpdt-bold"
                                            data-cell-id="A2"
                    data-col-index="0"
                    data-row-index="1"
                    style="                    padding:10px;
                    "
                    >
                                        Alert overload                     </td>
                                                <td class="wpdt-cell wpdt-align-left wpdt-fs-000012"
                                            data-cell-id="B2"
                    data-col-index="1"
                    data-row-index="1"
                    style="                    padding:10px;
                    "
                    >
                                        TI Feeds enrich and prioritize suspicious activity                     </td>
                                                <td class="wpdt-cell wpdt-align-left wpdt-fs-000012"
                                            data-cell-id="C2"
                    data-col-index="2"
                    data-row-index="1"
                    style="                    padding:10px;
                    "
                    >
                                        Analysts focus on higher-risk events                     </td>
                                        </tr>
                            <tr class="wpdt-cell-row even" >
                                <td class="wpdt-cell wpdt-align-left wpdt-fs-000012 wpdt-bold"
                                            data-cell-id="A3"
                    data-col-index="0"
                    data-row-index="2"
                    style="                    padding:10px;
                    "
                    >
                                        Slow validation                     </td>
                                                <td class="wpdt-cell wpdt-align-left wpdt-fs-000012"
                                            data-cell-id="B3"
                    data-col-index="1"
                    data-row-index="2"
                    style="                    padding:10px;
                    "
                    >
                                        Interactive Sandbox reveals file, URL, and phishing behavior                     </td>
                                                <td class="wpdt-cell wpdt-align-left wpdt-fs-000012"
                                            data-cell-id="C3"
                    data-col-index="2"
                    data-row-index="2"
                    style="                    padding:10px;
                    "
                    >
                                        Faster triage and lower response time                     </td>
                                        </tr>
                            <tr class="wpdt-cell-row odd" >
                                <td class="wpdt-cell wpdt-align-left wpdt-fs-000012 wpdt-bold"
                                            data-cell-id="A4"
                    data-col-index="0"
                    data-row-index="3"
                    style="                    padding:10px;
                    "
                    >
                                        Evasive phishing                     </td>
                                                <td class="wpdt-cell wpdt-align-left wpdt-fs-000012"
                                            data-cell-id="B4"
                    data-col-index="1"
                    data-row-index="3"
                    style="                    padding:10px;
                    "
                    >
                                        In-browser data inspection exposes browser-side behavior and data flows                     </td>
                                                <td class="wpdt-cell wpdt-align-left wpdt-fs-000012"
                                            data-cell-id="C4"
                    data-col-index="2"
                    data-row-index="3"
                    style="                    padding:10px;
                    "
                    >
                                        Better detection of credential theft attempts                     </td>
                                        </tr>
                            <tr class="wpdt-cell-row even" >
                                <td class="wpdt-cell wpdt-align-left wpdt-fs-000012 wpdt-bold"
                                            data-cell-id="A5"
                    data-col-index="0"
                    data-row-index="4"
                    style="                    padding:10px;
                    "
                    >
                                        Missing context                     </td>
                                                <td class="wpdt-cell wpdt-align-left wpdt-fs-000012"
                                            data-cell-id="B5"
                    data-col-index="1"
                    data-row-index="4"
                    style="                    padding:10px;
                    "
                    >
                                        TI Lookup connects IOCs, IOBs, and IOAs to related analyses                     </td>
                                                <td class="wpdt-cell wpdt-align-left wpdt-fs-000012"
                                            data-cell-id="C5"
                    data-col-index="2"
                    data-row-index="4"
                    style="                    padding:10px;
                    "
                    >
                                        More confident decisions and broader investigations                     </td>
                                        </tr>
                            <tr class="wpdt-cell-row odd" >
                                <td class="wpdt-cell wpdt-align-left wpdt-fs-000012 wpdt-bold"
                                            data-cell-id="A6"
                    data-col-index="0"
                    data-row-index="5"
                    style="                    padding:10px;
                    "
                    >
                                        Repeated investigation work                     </td>
                                                <td class="wpdt-cell wpdt-align-left wpdt-fs-000012"
                                            data-cell-id="B6"
                    data-col-index="1"
                    data-row-index="5"
                    style="                    padding:10px;
                    "
                    >
                                        Linked Lookup and Sandbox data preserve behavioral evidence                     </td>
                                                <td class="wpdt-cell wpdt-align-left wpdt-fs-000012"
                                            data-cell-id="C6"
                    data-col-index="2"
                    data-row-index="5"
                    style="                    padding:10px;
                    "
                    >
                                        Less manual enrichment and duplication                     </td>
                                        </tr>
                            <tr class="wpdt-cell-row even" >
                                <td class="wpdt-cell wpdt-align-left wpdt-fs-000012 wpdt-bold"
                                            data-cell-id="A7"
                    data-col-index="0"
                    data-row-index="6"
                    style="                    padding:10px;
                    "
                    >
                                        Slow escalation                     </td>
                                                <td class="wpdt-cell wpdt-align-left wpdt-fs-000012"
                                            data-cell-id="B7"
                    data-col-index="1"
                    data-row-index="6"
                    style="                    padding:10px;
                    "
                    >
                                        Tier 1 Reports standardize investigation findings                     </td>
                                                <td class="wpdt-cell wpdt-align-left wpdt-fs-000012"
                                            data-cell-id="C7"
                    data-col-index="2"
                    data-row-index="6"
                    style="                    padding:10px;
                    "
                    >
                                        Faster handoffs to senior analysts and incident response                     </td>
                                        </tr>
                            <tr class="wpdt-cell-row odd" >
                                <td class="wpdt-cell wpdt-align-left wpdt-fs-000012 wpdt-bold"
                                            data-cell-id="A8"
                    data-col-index="0"
                    data-row-index="7"
                    style="                    padding:10px;
                    "
                    >
                                        Reactive security posture                     </td>
                                                <td class="wpdt-cell wpdt-align-left wpdt-fs-000012"
                                            data-cell-id="B8"
                    data-col-index="1"
                    data-row-index="7"
                    style="                    padding:10px;
                    "
                    >
                                        Threat hunting capabilities support proactive searches                     </td>
                                                <td class="wpdt-cell wpdt-align-left wpdt-fs-000012"
                                            data-cell-id="C8"
                    data-col-index="2"
                    data-row-index="7"
                    style="                    padding:10px;
                    "
                    >
                                        Earlier discovery of threats that alerts miss                     </td>
                                        </tr>
                            <tr class="wpdt-cell-row even" >
                                <td class="wpdt-cell wpdt-align-left wpdt-fs-000012 wpdt-bold"
                                            data-cell-id="A9"
                    data-col-index="0"
                    data-row-index="8"
                    style="                    padding:10px;
                    "
                    >
                                        Weak or noisy detections                     </td>
                                                <td class="wpdt-cell wpdt-align-left wpdt-fs-000012"
                                            data-cell-id="B9"
                    data-col-index="1"
                    data-row-index="8"
                    style="                    padding:10px;
                    "
                    >
                                        YARA Search validates rules against real samples                     </td>
                                                <td class="wpdt-cell wpdt-align-left wpdt-fs-000012"
                                            data-cell-id="C9"
                    data-col-index="2"
                    data-row-index="8"
                    style="                    padding:10px;
                    "
                    >
                                        Better detection quality and fewer false positives                     </td>
                                        </tr>
                            <tr class="wpdt-cell-row odd" >
                                <td class="wpdt-cell wpdt-align-left wpdt-fs-000012 wpdt-bold"
                                            data-cell-id="A10"
                    data-col-index="0"
                    data-row-index="9"
                    style="                    padding:10px;
                    "
                    >
                                        Limited strategic visibility                     </td>
                                                <td class="wpdt-cell wpdt-align-left wpdt-fs-000012"
                                            data-cell-id="B10"
                    data-col-index="1"
                    data-row-index="9"
                    style="                    padding:10px;
                    "
                    >
                                        Threat Intelligence Reports explain campaigns and threat trends                     </td>
                                                <td class="wpdt-cell wpdt-align-left wpdt-fs-000012"
                                            data-cell-id="C10"
                    data-col-index="2"
                    data-row-index="9"
                    style="                    padding:10px;
                    "
                    >
                                        Better prioritization and risk communication                     </td>
                                        </tr>
                            <tr class="wpdt-cell-row even" >
                                <td class="wpdt-cell wpdt-align-left wpdt-fs-000012 wpdt-bold"
                                            data-cell-id="A11"
                    data-col-index="0"
                    data-row-index="10"
                    style="                    padding:10px;
                    "
                    >
                                        Analyst skill gaps                     </td>
                                                <td class="wpdt-cell wpdt-align-left wpdt-fs-000012"
                                            data-cell-id="B11"
                    data-col-index="1"
                    data-row-index="10"
                    style="                    padding:10px;
                    "
                    >
                                        Real analysis sessions and structured reports support learning                     </td>
                                                <td class="wpdt-cell wpdt-align-left wpdt-fs-000012"
                                            data-cell-id="C11"
                    data-col-index="2"
                    data-row-index="10"
                    style="                    padding:10px;
                    "
                    >
                                        Faster onboarding and stronger analyst capability                     </td>
                                        </tr>
                    </table>
</div><style id='wpdt-custom-style-335'>
table#wpdtSimpleTable-335{ table-layout: fixed !important; }
table#wpdtSimpleTable-335 td, table.wpdtSimpleTable335 th { white-space: normal !important; }
.wpdt-fs-000015 { font-size: 15px !important;}
.wpdt-bc-03A9F4 { background-color: #03A9F4 !important;}
.wpdt-fs-000012 { font-size: 12px !important;}
</style>




<p class="wp-block-paragraph">The pattern across all four stages is the same: intelligence that&#8217;s connected to behavioral evidence, available at the moment a decision needs to be made, in a form the next person in the chain can use without redoing the work. That&#8217;s what turns threat intelligence from a reference lookup into infrastructure the entire SOC — and MSSPs running multiple environments — can scale on without proportionally scaling headcount.</p>



<!-- Regular Banner START -->
<div class="regular-banner">
<!-- Text Content -->
<p class="regular-banner__text">
<span class="highlight">Make every investigation improve the next one</span>&nbsp;<br>
Use ANY.RUN to turn malware analysis and threat intelligence into stronger monitoring, hunting, and detections.
</p>
<!-- CTA Link -->
<a class="regular-banner__link" id="article-banner-regular" href="https://any.run/enterprise/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=streamline-your-soc&#038;utm_term=250626&#038;utm_content=linktoenterprise#contact-sales" target="_blank" rel="noopener">
Request Access
</a>
</div>
<!-- Regular Banner END -->
<!-- Regular Banner Styles START -->

<style>
.regular-banner {
display: flex;
text-align: center;
flex-direction: column;
align-items: center;
gap: 1.5rem;
width: 100%;
padding: 2rem;
margin: 1.5rem 0;
border-radius: 0.5rem;
font-family: 'Catamaran Bold';
margin-inline: auto;
background: rgba(32, 168, 241, 0.1);
border: 1px solid rgba(75, 174, 227, 0.32);
}

.regular-banner__text {
font-size: 1.5rem;
margin: 0;
}

.highlight {
color: #ea2526;
}

.regular-banner__link {
padding: 0.5rem 1.5rem;
font-weight: 500;
text-decoration: none;
border-radius: 0.5rem;
color: #FFFFFF;
background-color: #1491D4;
text-align: center;
transition: all 0.2s ease-in;
}

.regular-banner__link:hover {
background-color: #68CBFF;
color: white;
}
</style>
<!-- Regular Banner Styles END -->



<h2 class="wp-block-heading">Conclusion</h2>



<p class="wp-block-paragraph">A SOC doesn&#8217;t fail because analysts lack skill or because tools lack data. It strains under fragmentation — context lost between monitoring and triage, between triage and response, between a single finding and the durable detection it should have become.</p>



<p class="wp-block-paragraph">ANY.RUN&#8217;s Threat Intelligence — TI Feeds, TI Lookup, and Interactive Sandbox, including in-browser data inspection, Tier 1 Reports, Threat Intelligence Reports, and YARA Search — closes the gaps by fueling every stage of the SOC workflow from the same connected source of evidence. Monitoring filters noise before it reaches a human. Triage turns alerts into verified, contextualized decisions. Response carries that evidence intact through every handoff. Hunting and detection engineering convert what was learned into coverage that holds before the next campaign even starts.</p>



<p class="wp-block-paragraph">Finally, the strongest SOC workflows do not end when a ticket is closed. Every investigation should improve the next one.</p>



<p class="wp-block-paragraph"><a href="https://any.run/threat-intelligence-feeds/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=streamline-your-soc&amp;utm_term=250626&amp;utm_content=linktotifeedslanding" target="_blank" rel="noreferrer noopener">Threat Intelligence Feeds</a> strengthen monitoring. The <a href="https://any.run/features/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=streamline-your-soc&amp;utm_term=250626&amp;utm_content=linktosandboxlanding" target="_blank" rel="noreferrer noopener">Interactive Sandbox</a> provides behavioral proof. In-browser data inspection helps expose evasive phishing. <a href="https://any.run/threat-intelligence-lookup/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=streamline-your-soc&amp;utm_term=250626&amp;utm_content=linktotilookuplanding" target="_blank" rel="noreferrer noopener">Threat Intelligence Lookup</a> adds historical and campaign context. Tier 1 Reports improve escalation and response. Threat Intelligence Reports guide broader prioritization. YARA Search turns analysis into stronger detections.</p>



<p class="wp-block-paragraph">Together, these capabilities create a continuous intelligence loop:</p>



<p class="wp-block-paragraph"><strong>Monitor → prioritize → analyze → enrich → respond → hunt → improve detections → monitor better.</strong></p>



<p class="wp-block-paragraph">The result isn&#8217;t just faster individual investigations — it&#8217;s a SOC that compounds what it learns, case after case, instead of relearning the same threats from scratch every time they reappear under a new IP.</p>



<h2 class="wp-block-heading">About ANY.RUN&nbsp;</h2>



<p class="wp-block-paragraph">ANY.RUN, a leading provider of interactive malware analysis and&nbsp;threat&nbsp;intelligence solutions, helps SOC teams, MSSPs, and enterprises investigate&nbsp;threats faster and make more confident security decisions.&nbsp;</p>



<p class="wp-block-paragraph">Its cloud-based&nbsp;<a href="https://any.run/features/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=streamline-your-soc&amp;utm_term=250626&amp;utm_content=linktosandboxlanding" target="_blank" rel="noreferrer noopener">Interactive&nbsp;Sandbox</a>&nbsp;lets teams safely analyze suspicious files, URLs, and emails in real time,&nbsp;observe&nbsp;malicious behavior as it unfolds, and collect&nbsp;clear evidence&nbsp;for faster response.&nbsp;</p>



<p class="wp-block-paragraph">ANY.RUN’s&nbsp;<a href="https://any.run/threat-intelligence-lookup/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=streamline-your-soc&amp;utm_term=250626&amp;utm_content=linktotilookuplanding" target="_blank" rel="noreferrer noopener">Threat&nbsp;Intelligence</a>&nbsp;solutions add broader context around&nbsp;threats, infrastructure, and attacker activity. Together, these capabilities support faster triage, stronger detection, better-informed response decisions, and more efficient security operations at scale.&nbsp;</p>



<div class="schema-faq wp-block-yoast-faq-block"><div class="schema-faq-section" id="faq-question-1782309388598"><strong class="schema-faq-question"></strong> <p class="schema-faq-answer"></p> </div> </div>



<p class="wp-block-paragraph"></p>
<p>The post <a href="https://any.run/cybersecurity-blog/streamline-your-soc/">From Alert Enrichment to Confident Response: How ANY.RUN Powers Every SOC Workflow</a> appeared first on <a href="https://any.run/cybersecurity-blog">ANY.RUN&#039;s Cybersecurity Blog</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://any.run/cybersecurity-blog/streamline-your-soc/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>EvilTokens: How “Ghost” Code Threatens US and European Businesses</title>
		<link>https://any.run/cybersecurity-blog/eviltokens-ghost-code-analysis/</link>
					<comments>https://any.run/cybersecurity-blog/eviltokens-ghost-code-analysis/#respond</comments>
		
		<dc:creator><![CDATA[GridGuardGhoul]]></dc:creator>
		<pubDate>Tue, 23 Jun 2026 11:46:56 +0000</pubDate>
				<category><![CDATA[Malware Analysis]]></category>
		<category><![CDATA[ANYRUN]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[malware analysis]]></category>
		<guid isPermaLink="false">https://any.run/cybersecurity-blog/?p=21730</guid>

					<description><![CDATA[<p>EvilTokens&#160;can hide serious account takeover risk from your SOC&#160;through “ghost” code that appears only after browser-side decryption.&#160; As a result, static URL analysis may miss the most important part of the attack, leaving teams with incomplete evidence, slower triage, and longer exposure to a potential Microsoft 365 compromise.&#160; Full browser-level inspection&#160;closes this gap by revealing [&#8230;]</p>
<p>The post <a href="https://any.run/cybersecurity-blog/eviltokens-ghost-code-analysis/">EvilTokens: How “Ghost” Code Threatens US and European Businesses</a> appeared first on <a href="https://any.run/cybersecurity-blog">ANY.RUN&#039;s Cybersecurity Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="wp-block-paragraph"><a href="https://any.run/malware-trends/eviltokens/" target="_blank" rel="noreferrer noopener">EvilTokens</a>&nbsp;can hide serious account takeover risk from your SOC&nbsp;through “ghost” code that appears only after browser-side decryption.&nbsp;</p>



<p class="wp-block-paragraph">As a result, static URL analysis may miss the most important part of the attack, leaving teams with incomplete evidence, slower triage, and longer exposure to a potential Microsoft 365 compromise.&nbsp;</p>



<p class="wp-block-paragraph"><a href="https://any.run/cybersecurity-blog/in-browser-data-inspection/" target="_blank" rel="noreferrer noopener">Full browser-level inspection</a>&nbsp;closes this gap by revealing how the page behaves after execution in a dynamic environment. This gives teams the evidence they need to&nbsp;validate&nbsp;the&nbsp;threat&nbsp;and respond faster.&nbsp;</p>



<h2 class="wp-block-heading">Key Takeaways&nbsp;</h2>



<ul class="wp-block-list">
<li>EvilTokens hides key parts of its phishing flow behind browser-side decryption, creating a visibility gap for static URL analysis. </li>



<li>The kit abuses Microsoft’s legitimate device login flow to gain account access without directly stealing the victim’s password. </li>



<li>Browser-level evidence helps SOC teams reduce manual checks, avoid unnecessary escalations, and make faster containment decisions. </li>



<li><a href="https://any.run/threat-intelligence-lookup/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=eviltokens-ghost-code-analysis&amp;utm_term=230626&amp;utm_content=linktotilookuplanding" target="_blank" rel="noreferrer noopener">Threat Intelligence</a> pivots connect one EvilTokens session to related phishing kits, infrastructure, indicators, and wider device-code <a href="https://any.run/phishing/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=eviltokens-ghost-code-analysis&amp;utm_term=230626&amp;utm_content=linktophishing" target="_blank" rel="noreferrer noopener">phishing activity</a>. </li>



<li>Decrypted code and behavioral patterns can also support stronger phishing signatures, threat hunting, and custom detection rules. </li>
</ul>



<h2 class="wp-block-heading">EvilTokens&nbsp;Targeting: Regions and Industries at Risk&nbsp;</h2>



<p class="wp-block-paragraph">According to ANY.RUN&nbsp;Threat&nbsp;Intelligence data, recent&nbsp;EvilTokens&nbsp;activity is concentrated&nbsp;mainly in&nbsp;the United States and Europe.&nbsp;</p>



<p class="wp-block-paragraph"><a href="https://intelligence.any.run/analysis/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=eviltokens-ghost-code-analysis&amp;utm_term=230626&amp;utm_content=linktotilookup#{%22query%22:%22threatName:%5C%22eviltokens%5C%22%22,%22dateRange%22:7}" target="_blank" rel="noreferrer noopener">View recent EvilTokens activity in ANY.RUN&nbsp;Threat&nbsp;Intelligence</a>&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-large is-resized"><img loading="lazy" decoding="async" width="1024" height="576" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/EvilTokens-1-1024x576.png" alt="" class="wp-image-21755" style="width:762px;height:auto" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/EvilTokens-1-1024x576.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/EvilTokens-1-300x169.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/EvilTokens-1-768x432.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/EvilTokens-1-1536x864.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/EvilTokens-1-2048x1152.png 2048w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/EvilTokens-1-370x208.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/EvilTokens-1-270x152.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/EvilTokens-1-740x416.png 740w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>EvilTokens targeting specific industries</em></figcaption></figure>
</div>


<p class="wp-block-paragraph">The kit has been&nbsp;observed&nbsp;targeting organizations in:&nbsp;</p>



<ul class="wp-block-list">
<li>Managed security services </li>



<li>Technology </li>



<li>Manufacturing </li>



<li>Education</li>



<li>Banking</li>



<li>Consulting and financial services </li>
</ul>



<p class="wp-block-paragraph">These findings show that&nbsp;EvilTokens&nbsp;is aimed&nbsp;largely at&nbsp;organizations where access to a single Microsoft 365 account can expose sensitive data, internal communications, and connected business services.&nbsp;</p>



<h2 class="wp-block-heading">Why&nbsp;EvilTokens&nbsp;Creates a Blind Spot for SOC Teams&nbsp;</h2>



<p class="wp-block-paragraph">EvilTokens&nbsp;continues to rank among the most&nbsp;frequently&nbsp;observed&nbsp;phishing&nbsp;kits in ANY.RUN’s weekly&nbsp;threat&nbsp;reports.&nbsp;</p>



<p class="wp-block-paragraph">A recent analysis session showed how the kit uses Microsoft Device Code&nbsp;Phishing&nbsp;to compromise accounts without stealing credentials directly. Instead, it convinces the victim to complete Microsoft’s legitimate device login flow and unknowingly authorize access to their account.&nbsp;</p>



<p class="wp-block-paragraph"><a href="https://app.any.run/tasks/55d3ead7-c07a-4fb1-aa42-8c397d1a0f8a?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=eviltokens-ghost-code-analysis&amp;utm_term=230626&amp;utm_content=linktoservice](https://app.any.run/tasks/55d3ead7-c07a-4fb1-aa42-8c397d1a0f8a?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=eviltokens-ghost-code-analysis&amp;utm_term=230626&amp;utm_content=linktoservice" target="_blank" rel="noreferrer noopener">Check analysis session with recent EvilTokens attack</a>&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="570" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-23-at-11.08.07-1024x570.png" alt="Recent EvilTokens attack analyzed inside ANY.RUN sandbox " class="wp-image-21731" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-23-at-11.08.07-1024x570.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-23-at-11.08.07-300x167.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-23-at-11.08.07-768x427.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-23-at-11.08.07-1536x854.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-23-at-11.08.07-2048x1139.png 2048w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-23-at-11.08.07-370x206.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-23-at-11.08.07-270x150.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-23-at-11.08.07-740x412.png 740w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Recent EvilTokens attack analyzed inside ANY.RUN sandbox</em></figcaption></figure>
</div>


<p class="wp-block-paragraph">What makes the attack difficult to investigate is the way it hides its&nbsp;phishing&nbsp;content. The landing page HTML is encrypted with AES-GCM and becomes visible only after the browser decrypts it and&nbsp;renders&nbsp;it in the DOM.&nbsp;</p>



<p class="wp-block-paragraph">Static URL checks and network-level detection may therefore capture the initial response without showing what the victim actually sees in the browser. This can leave SOC teams with an incomplete verdict, force additional manual checks, trigger unnecessary escalations, and delay containment.</p>



<p class="wp-block-paragraph"><strong>This visibility gap becomes a business risk</strong>. When SOC teams cannot see what a suspicious page does after browser execution, the impact goes beyond a slower investigation. It can lead to:&nbsp;</p>



<ul class="wp-block-list">
<li><strong>Longer exposure</strong> to potential Microsoft 365 account takeover </li>



<li><strong>Delayed containment</strong> and response decisions </li>



<li><strong>More alerts escalated</strong> to senior security staff </li>



<li><strong>Higher investigation workload</strong> and operational costs </li>



<li><strong>Incomplete evidence</strong> for blocking related infrastructure </li>



<li><strong>Greater risk of unauthorized access </strong>to corporate data and services </li>
</ul>



<p class="wp-block-paragraph">To&nbsp;validate&nbsp;the&nbsp;threat&nbsp;quickly, teams need visibility into what happens after the page begins running. In the following walkthrough, we use ANY.RUN’s in-browser data inspection to uncover the decrypted page, trace the requests behind the device-code flow, and collect evidence for response and further detection.&nbsp;</p>



<!-- Regular Banner START -->
<div class="regular-banner">
<!-- Text Content -->
<p class="regular-banner__text">
Uncover phishing activity hidden inside the browser. &nbsp;
<br>
<span class="highlight">Give your SOC the evidence to validate and respond faster.</span>
</p>
<!-- CTA Link -->
<a class="regular-banner__link" id="article-banner-regular" href="https://any.run/enterprise/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=eviltokens-ghost-code-analysis&#038;utm_term=230626&#038;utm_content=linktoenterprise#contact-sales" target="_blank" rel="noopener">
Contact us
</a>
</div>
<!-- Regular Banner END -->
<!-- Regular Banner Styles START -->

<style>
.regular-banner {
display: flex;
text-align: center;
flex-direction: column;
align-items: center;
gap: 1.5rem;
width: 100%;
padding: 2rem;
margin: 1.5rem 0;
border-radius: 0.5rem;
font-family: 'Catamaran Bold';
margin-inline: auto;
background: rgba(32, 168, 241, 0.1);
border: 1px solid rgba(75, 174, 227, 0.32);
}

.regular-banner__text {
font-size: 1.5rem;
margin: 0;
}

.highlight {
color: #ea2526;
}

.regular-banner__link {
padding: 0.5rem 1.5rem;
font-weight: 500;
text-decoration: none;
border-radius: 0.5rem;
color: #FFFFFF;
background-color: #1491D4;
text-align: center;
transition: all 0.2s ease-in;
}

.regular-banner__link:hover {
background-color: #68CBFF;
color: white;
}
</style>
<!-- Regular Banner Styles END -->



<p class="wp-block-paragraph">With in<strong>-browser data inspection inside ANY.RUN’s </strong><a href="https://any.run/features/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=eviltokens-ghost-code-analysis&amp;utm_term=230626&amp;utm_content=linktosandboxlanding" target="_blank" rel="noreferrer noopener"><strong>Interactive Sandbox</strong></a>, investigators can examine cases like this across several layers:</p>



<p class="wp-block-paragraph"><strong>HTML DOM Changes:</strong>&nbsp;Tracks changes to the DOM over time and allows investigators to compare different snapshots of the same page. It highlights byte-level differences from the&nbsp;previous&nbsp;DOM state, making it easier to&nbsp;identify&nbsp;the exact moment when the decrypted&nbsp;phishing&nbsp;page appears.&nbsp;</p>



<p class="wp-block-paragraph"><strong>HTTP Requests:</strong>&nbsp;Provides visibility into browser-level network activity, including requests involving HTML, JavaScript, Fetch/XHR, scripts, static assets, binary files, archives, and other request categories.&nbsp;</p>



<p class="wp-block-paragraph"><strong>URL Details:</strong>&nbsp;Displays the final URL and domain, SSL certificate information, DNS A records, request statistics, and triggered detection signatures.&nbsp;</p>



<p class="wp-block-paragraph"><strong>Indicators:</strong>&nbsp;Collects indicators of compromise associated with the page, including top-level domains, subdomains, URL endpoints, file hashes, IP addresses, and ASN information.&nbsp;</p>



<h2 class="wp-block-heading">Triage Walkthrough Using Browser Data&nbsp;</h2>



<p class="wp-block-paragraph">The network traffic shows that&nbsp;EvilTokens&nbsp;delivers the landing page in an HTTP response encrypted with AES-GCM:&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="635" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img27-1024x635.jpg" alt="" class="wp-image-21732" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img27-1024x635.jpg 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img27-300x186.jpg 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img27-768x476.jpg 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img27-1536x952.jpg 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img27-370x229.jpg 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img27-270x167.jpg 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img27-740x459.jpg 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img27.jpg 1716w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>EvilTokens HTTP response body containing the AES-GCM-encrypted landing page</em></figcaption></figure>
</div>


<p class="wp-block-paragraph">The decrypted HTML DOM of the page can be viewed in the Browser Data panel: </p>


<div class="wp-block-image">
<figure class="aligncenter size-large is-resized"><img loading="lazy" decoding="async" width="1024" height="882" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/1-1-1024x882.png" alt="" class="wp-image-21733" style="aspect-ratio:1.1610319236659206;width:506px;height:auto" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/1-1-1024x882.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/1-1-300x259.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/1-1-768x662.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/1-1-1536x1324.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/1-1-2048x1765.png 2048w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/1-1-370x319.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/1-1-270x233.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/1-1-740x638.png 740w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>In-browser data investigation panel inside the interactive sandbox</em> </figcaption></figure>
</div>


<p class="wp-block-paragraph">Here, you can view snapshots of the DOM structure after the AES-GCM-encrypted code has been decrypted:</p>


<div class="wp-block-image">
<figure class="aligncenter size-large is-resized"><img loading="lazy" decoding="async" width="1024" height="423" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img38-1024x423.jpg" alt="DOM snapshots displayed with decrypted code " class="wp-image-21734" style="aspect-ratio:2.42085828792723;width:656px;height:auto" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img38-1024x423.jpg 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img38-300x124.jpg 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img38-768x317.jpg 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img38-370x153.jpg 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img38-270x111.jpg 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img38-740x305.jpg 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img38.jpg 1352w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>DOM snapshots displayed with decrypted code</em> </figcaption></figure>
</div>


<p class="wp-block-paragraph">The&nbsp;<strong>HTML DOM Changes</strong>&nbsp;fields&nbsp;contain&nbsp;the following information:&nbsp;</p>



<ul class="wp-block-list">
<li><strong>Timeshift: </strong>The time elapsed from the start of the analysis when the DOM snapshot was captured. </li>
</ul>



<ul class="wp-block-list">
<li><strong>Score: </strong>The risk level assigned to that particular state of the page. As shown in the screenshot, the score is 100, which corresponds to the signatures triggered by that DOM state. </li>
</ul>



<ul class="wp-block-list">
<li><strong>Size diff: </strong>The change in DOM size compared with the previous snapshot. </li>
</ul>



<ul class="wp-block-list">
<li><strong>Size: </strong>The size of the current DOM snapshot. </li>
</ul>



<ul class="wp-block-list">
<li><strong>Page: </strong>The domain associated with the snapshot. </li>
</ul>



<p class="wp-block-paragraph">The value that should draw&nbsp;your&nbsp;attention most is the green&nbsp;<strong>+48-byte size diff</strong>. By selecting the fourth snapshot,&nbsp;you&nbsp;can see which line was removed and which line was added compared with the&nbsp;previous&nbsp;snapshot:&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-large is-resized"><img loading="lazy" decoding="async" width="1024" height="607" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img41-1024x607.jpg" alt="" class="wp-image-21735" style="aspect-ratio:1.6870116421376344;width:772px;height:auto" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img41-1024x607.jpg 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img41-300x178.jpg 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img41-768x455.jpg 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img41-370x219.jpg 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img41-270x160.jpg 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img41-740x439.jpg 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img41.jpg 1110w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Check line changes to see the codes added and removed</em> </figcaption></figure>
</div>


<p class="wp-block-paragraph">Looking at the <strong>Render</strong> panel on the left, we can confirm that a user code has appeared on the page. The attackers will later use this code to take over the victim’s Microsoft 365 account: </p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="630" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img44-1024x630.jpg" alt="" class="wp-image-21736" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img44-1024x630.jpg 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img44-300x185.jpg 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img44-768x472.jpg 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img44-370x228.jpg 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img44-270x166.jpg 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img44-740x455.jpg 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img44.jpg 1408w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Render of the page</em></figcaption></figure>
</div>


<p class="wp-block-paragraph">This suggests that the landing page dynamically requested the user code from the backend through a Fetch/XHR request. The request can be examined in the <strong>HTTP Requests</strong> tab: </p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="160" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img45-1024x160.jpg" alt="" class="wp-image-21737" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img45-1024x160.jpg 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img45-300x47.jpg 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img45-768x120.jpg 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img45-1536x240.jpg 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img45-370x58.jpg 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img45-270x42.jpg 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img45-740x116.jpg 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img45.jpg 1550w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>HTTP Requests panel inside the Browser Data </em> </figcaption></figure>
</div>


<p class="wp-block-paragraph">By comparing the <strong>Timeshift</strong> values of the HTTP request and the DOM snapshot, we can conclude that the user code was obtained through a request to the /api/device/start endpoint. Clicking the URL confirms this:</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="227" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/2-1-1024x227.png" alt="" class="wp-image-21738" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/2-1-1024x227.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/2-1-300x67.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/2-1-768x170.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/2-1-1536x340.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/2-1-2048x454.png 2048w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/2-1-370x82.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/2-1-270x60.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/2-1-740x164.png 740w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>HTTP response from EvilTokens</em></figcaption></figure>
</div>


<h2 class="wp-block-heading">Pivoting from One EvilTokens Session to Broader Threat Activity</h2>



<p class="wp-block-paragraph">The findings from a single analysis session can be used to uncover related phishing infrastructure and activity.</p>



<p class="wp-block-paragraph">Start with&nbsp;<strong>URL Details</strong>, where the code exposed in the DOM triggered the&nbsp;<strong>Microsoft OAuth device-code&nbsp;phishing&nbsp;</strong>signature.&nbsp;&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="585" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/3-1-1024x585.png" alt="" class="wp-image-21739" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/3-1-1024x585.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/3-1-300x172.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/3-1-768x439.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/3-1-1536x878.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/3-1-2048x1171.png 2048w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/3-1-370x212.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/3-1-270x154.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/3-1-740x423.png 740w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>URL details displayed inside ANY.RUN sandbox</em> </figcaption></figure>
</div>


<p class="wp-block-paragraph">Searching for this signature in ANY.RUN’s&nbsp;<a href="https://any.run/threat-intelligence-lookup/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=eviltokens-ghost-code-analysis&amp;utm_term=230626&amp;utm_content=linktotilookuplanding" target="_blank" rel="noreferrer noopener">Threat Intelligence</a>&nbsp;reveals other phishing resources that use similar code patterns:&nbsp;&nbsp;</p>



<p class="wp-block-paragraph">TI Query:&nbsp;<a href="https://intelligence.any.run/analysis/lookup#{%22query%22:%22ruleName:%5C%22^Microsoft%20OAuth%20device-code%20phishing%20has%20been%20detected$%5C%22%22,%22dateRange%22:7}" target="_blank" rel="noreferrer noopener">ruleName:&#8221;^Microsoft OAuth device-code phishing has been detected$&#8221;</a></p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="416" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/4-1024x416.png" alt="" class="wp-image-21740" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/4-1024x416.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/4-300x122.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/4-768x312.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/4-1536x623.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/4-2048x831.png 2048w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/4-370x150.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/4-270x110.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/4-740x300.png 740w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Search for analysis sessions that triggered the “Microsoft OAuth device-code phishing has been detected” signature</em></figcaption></figure>
</div>


<p class="wp-block-paragraph">The results show that this behavior is not unique to EvilTokens. Other phishing kits use similar code and techniques, allowing teams to move beyond one isolated case and identify a broader set of related threats.</p>



<!-- Regular Banner START -->
<div class="regular-banner">
<!-- Text Content -->
<p class="regular-banner__text">
Expand one investigation into broader threat context. 
 &nbsp;
<br>
<span class="highlight">Strengthen detection and stop related attacks before they spread.</span>
</p>
<!-- CTA Link -->
<a class="regular-banner__link" id="article-banner-regular" href="https://any.run/enterprise/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=eviltokens-ghost-code-analysis&amp;utm_term=230626&amp;utm_content=linktoenterprise#contact-sales" target="_blank" rel="noopener">
Improve threat detection 
</a>
</div>
<!-- Regular Banner END -->
<!-- Regular Banner Styles START -->

<style>
.regular-banner {
display: flex;
text-align: center;
flex-direction: column;
align-items: center;
gap: 1.5rem;
width: 100%;
padding: 2rem;
margin: 1.5rem 0;
border-radius: 0.5rem;
font-family: 'Catamaran Bold';
margin-inline: auto;
background: rgba(32, 168, 241, 0.1);
border: 1px solid rgba(75, 174, 227, 0.32);
}

.regular-banner__text {
font-size: 1.5rem;
margin: 0;
}

.highlight {
color: #ea2526;
}

.regular-banner__link {
padding: 0.5rem 1.5rem;
font-weight: 500;
text-decoration: none;
border-radius: 0.5rem;
color: #FFFFFF;
background-color: #1491D4;
text-align: center;
transition: all 0.2s ease-in;
}

.regular-banner__link:hover {
background-color: #68CBFF;
color: white;
}
</style>
<!-- Regular Banner Styles END -->



<p class="wp-block-paragraph"> To narrow the search specifically to EvilTokens, use the following query: <a href="https://intelligence.any.run/analysis/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=eviltokens-ghost-code-analysis&amp;utm_term=230626&amp;utm_content=linktotilookup#%7B%22query%22:%22threatName:%5C%22eviltokens%5C%22%22,%22dateRange%22:7%7D" target="_blank" rel="noreferrer noopener">threatName:&#8221;eviltokens&#8221;</a> </p>



<p class="wp-block-paragraph">Threat&nbsp;Intelligence data shows that recent&nbsp;EvilTokens&nbsp;activity is concentrated&nbsp;mainly in&nbsp;the United States and Europe:&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-large is-resized"><img loading="lazy" decoding="async" width="1024" height="717" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/5-1024x717.png" alt="" class="wp-image-21741" style="aspect-ratio:1.428191913288348;width:632px;height:auto" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/5-1024x717.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/5-300x210.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/5-768x538.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/5-1536x1075.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/5-2048x1434.png 2048w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/5-370x259.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/5-270x189.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/5-740x518.png 740w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Threat activity targeting specific regions</em></figcaption></figure>
</div>


<p class="wp-block-paragraph">Teams can also track device code phishing activity more&nbsp;broadly using&nbsp;the&nbsp;oauth-ms-phish&nbsp;threat tag:&nbsp;&nbsp;</p>



<p class="wp-block-paragraph">TI Query:&nbsp;<a href="https://intelligence.any.run/analysis/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=eviltokens-ghost-code-analysis&amp;utm_term=230626&amp;utm_content=linktotilookup#{%22query%22:%22threatName:%5C%22oauth-ms-phish%5C%22%22,%22dateRange%22:7}" target="_blank" rel="noreferrer noopener">threatName:&#8221;oauth-ms-phish&#8221;</a>&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="573" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img67-1024x573.jpg" alt="" class="wp-image-21742" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img67-1024x573.jpg 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img67-300x168.jpg 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img67-768x430.jpg 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img67-370x207.jpg 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img67-270x151.jpg 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img67-740x414.jpg 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img67.jpg 1094w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Indicators displayed for broader analysis</figcaption></figure>
</div>


<p class="wp-block-paragraph">This wider search helps teams identify related campaigns even when they are associated with a different phishing kit or infrastructure.</p>



<p class="wp-block-paragraph">Next, return to&nbsp;<strong>Browser Data</strong>&nbsp;and open the&nbsp;<strong>Indicators</strong>&nbsp;tab:&nbsp;</p>



<p class="wp-block-paragraph">Not every artifact collected during the analysis should be added to detection rules. For example, the observed IP address belongs to the&nbsp;CloudflareNet&nbsp;autonomous system. Blocking or&nbsp;detecting&nbsp;this shared infrastructure could produce false positives and affect legitimate services.&nbsp;</p>



<p class="wp-block-paragraph">More specific indicators from the session, including the domain, URI, and hash, are stronger candidates for further validation and detection:&nbsp;</p>



<p class="wp-block-paragraph">TI Query:&nbsp;<a href="https://intelligence.any.run/analysis/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=eviltokens-ghost-code-analysis&amp;utm_term=230626&amp;utm_content=linktotilookup#{%22query%22:%22url:%5C%22/api/device/start%5C%22%20or%20%20domainName:%5C%22emp01825.workers.dev$%5C%22%20or%20md5:%5C%22fcd1b654a0b3e8f85ca7cfdafe494d4b%5C%22%22,%22dateRange%22:7}" target="_blank" rel="noreferrer noopener">url:&#8221;/api/device/start&#8221;&nbsp;or&nbsp; domainName:&#8221;emp01825.workers.dev$&#8221; or md5:&#8221;fcd1b654a0b3e8f85ca7cfdafe494d4b&#8221;</a>&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="383" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img68-1024x383.jpg" alt="" class="wp-image-21743" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img68-1024x383.jpg 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img68-300x112.jpg 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img68-768x287.jpg 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img68-370x138.jpg 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img68-270x101.jpg 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img68-740x277.jpg 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img68.jpg 1252w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>ANY.RUN Threat Intelligence query using indicators extracted from in-browser data</em> </figcaption></figure>
</div>


<p class="wp-block-paragraph">By&nbsp;pivoting on&nbsp;signatures,&nbsp;threat&nbsp;names, tags, and carefully selected&nbsp;IOCs, teams can connect an individual alert to wider&nbsp;phishing&nbsp;activity, improve detection coverage, and respond proactively to related attacks.&nbsp;</p>



<h2 class="wp-block-heading">Breaking Down the&nbsp;EvilTokens&nbsp;Attack Logic&nbsp;</h2>



<p class="wp-block-paragraph">The&nbsp;<strong>HTML DOM Changes</strong>&nbsp;view is useful not only for triage but also for deeper code analysis. By examining the decrypted page logic, teams can&nbsp;identify&nbsp;recurring patterns that may support low-level&nbsp;phishing&nbsp;detection rules.&nbsp;</p>



<p class="wp-block-paragraph">The following code&nbsp;shows the&nbsp;<strong>Device Code Flow Configuration</strong>:&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-full is-resized"><img loading="lazy" decoding="async" width="910" height="756" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img71.jpg" alt="" class="wp-image-21744" style="aspect-ratio:1.2037078500738883;width:648px;height:auto" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img71.jpg 910w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img71-300x249.jpg 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img71-768x638.jpg 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img71-370x307.jpg 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img71-270x224.jpg 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img71-740x615.jpg 740w" sizes="auto, (max-width: 910px) 100vw, 910px" /><figcaption class="wp-element-caption">Device code flow configuration</figcaption></figure>
</div>


<h3 class="wp-block-heading">Gate Check and Decoy Delivery&nbsp;</h3>



<p class="wp-block-paragraph">The first fragment shows the client sending a gate check request to:&nbsp;</p>



<p class="wp-block-paragraph">/api/device/gate/&lt;PAGE_ID&gt;&nbsp;</p>



<p class="wp-block-paragraph">The backend returns a&nbsp;killed&nbsp;flag that&nbsp;determines&nbsp;what happens next. If the&nbsp;phishing&nbsp;flow&nbsp;remains&nbsp;active, the attack continues. Otherwise, the victim is&nbsp;shown&nbsp;a decoy page designed to resemble a Microsoft error or expired-link message.&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="724" height="502" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img74.jpg" alt="" class="wp-image-21745" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img74.jpg 724w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img74-300x208.jpg 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img74-370x257.jpg 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/img74-270x187.jpg 270w" sizes="auto, (max-width: 724px) 100vw, 724px" /><figcaption class="wp-element-caption"><em>EvilTokens gate check logic</em> </figcaption></figure>
</div>


<p class="wp-block-paragraph">This mechanism allows operators to disable the&nbsp;phishing&nbsp;page or hide its true behavior when certain visitors or conditions are detected.&nbsp;</p>



<h3 class="wp-block-heading">Requesting and Displaying the User Code&nbsp;</h3>



<p class="wp-block-paragraph">The next fragment sends a POST request to&nbsp;_startUrl:&nbsp;</p>



<p class="wp-block-paragraph">/api/device/start&nbsp;</p>



<p class="wp-block-paragraph">The backend returns the&nbsp;userCode,&nbsp;sessionId, and verification URI. The script then stores the session, constructs&nbsp;_verificationUrl, and writes the user code into the DOM for the victim.&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="1024" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/6-1024x1024.png" alt="" class="wp-image-21746" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/6-1024x1024.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/6-300x300.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/6-150x150.png 150w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/6-768x769.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/6-1536x1536.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/6-2046x2048.png 2046w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/6-70x70.png 70w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/6-370x370.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/6-270x270.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/6-740x741.png 740w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Code used to request the user code</em></figcaption></figure>
</div>


<p class="wp-block-paragraph">This is the same activity&nbsp;observed&nbsp;earlier in the&nbsp;<strong>HTTP Requests</strong>&nbsp;view, connecting the browser-side code directly to the network request and the user code displayed on the page.&nbsp;</p>



<h3 class="wp-block-heading">Monitoring the Device-Code Session&nbsp;</h3>



<p class="wp-block-paragraph">The frontend then checks the status of the device-code session&nbsp;through:&nbsp;</p>



<p class="wp-block-paragraph">/api/device/status/{sessionId}&nbsp;</p>



<p class="wp-block-paragraph">It repeatedly sends GET requests&nbsp;containing&nbsp;the current&nbsp;sessionId&nbsp;and receives the latest status from the backend.&nbsp;</p>



<p class="wp-block-paragraph">Once the status changes to&nbsp;completed, the script stops polling, displays a success screen, and redirects the victim to the legitimate OneDrive website.&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="637" height="1024" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/7-2-637x1024.png" alt="" class="wp-image-21747" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/7-2-637x1024.png 637w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/7-2-187x300.png 187w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/7-2-768x1234.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/7-2-956x1536.png 956w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/7-2-1275x2048.png 1275w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/7-2-370x594.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/7-2-270x434.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/7-2-740x1189.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/7-2-scaled.png 1593w" sizes="auto, (max-width: 637px) 100vw, 637px" /><figcaption class="wp-element-caption"><em>Authorization status polling</em></figcaption></figure>
</div>


<p class="wp-block-paragraph">This final redirect helps the attack appear successful and legitimate, while the attackers&nbsp;retain&nbsp;the access authorized&nbsp;through the completed Microsoft device login flow.&nbsp;</p>



<p class="wp-block-paragraph">By connecting the decrypted DOM code with browser requests and visible page changes, teams can reconstruct the full&nbsp;phishing&nbsp;logic and&nbsp;identify&nbsp;code patterns, endpoints, and behaviors that may strengthen future detection.&nbsp;</p>



<h2 class="wp-block-heading">Turning Hidden Browser Activity into Faster SOC Decisions&nbsp;</h2>



<p class="wp-block-paragraph">The&nbsp;EvilTokens&nbsp;investigation shows the practical value of browser-level evidence. Instead of stopping at the encrypted HTTP response, teams can see the decrypted DOM,&nbsp;identify&nbsp;the request that generated the user code, trace the device-code session, and extract artifacts for detection and&nbsp;threat&nbsp;hunting.&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="425" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/soc_decisions_infographic-2-1024x425.png" alt="" class="wp-image-21748" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/soc_decisions_infographic-2-1024x425.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/soc_decisions_infographic-2-300x125.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/soc_decisions_infographic-2-768x319.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/soc_decisions_infographic-2-1536x637.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/soc_decisions_infographic-2-370x154.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/soc_decisions_infographic-2-270x112.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/soc_decisions_infographic-2-740x307.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/soc_decisions_infographic-2.png 1600w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Benefits of browser-level evidence</em></figcaption></figure>
</div>


<p class="wp-block-paragraph">This improves the investigation workflow in several ways:&nbsp;</p>



<p class="wp-block-paragraph"><strong>Faster triage and fewer unnecessary escalations:</strong> Tier 1 analysts can validate suspicious URLs using direct browser-level evidence rather than relying on incomplete indicators. This reduces uncertainty, speeds up verdicts, and keeps more benign cases from reaching senior teams.</p>



<p class="wp-block-paragraph"><strong>Smoother handoff and faster response:</strong>&nbsp;When escalation is necessary, Tier 2 receives the full attack context, including DOM changes, HTTP requests, triggered signatures, rendered content, and relevant indicators. This reduces repeated work and supports faster containment decisions.&nbsp;</p>



<p class="wp-block-paragraph"><strong>Stronger detection engineering:</strong>&nbsp;Decrypted page code, browser requests, endpoints, and behavioral patterns provide useful material for custom&nbsp;phishing&nbsp;signatures, hunting hypotheses, and detection rules based on observed attacker behavior.&nbsp;</p>



<p class="wp-block-paragraph"><strong>More focused threat hunting:</strong>&nbsp;Teams can pivot from one&nbsp;EvilTokens&nbsp;session to related domains, code patterns,&nbsp;phishing&nbsp;kits, and device-code attacks in ANY.RUN’s&nbsp;<a href="https://any.run/threat-intelligence-lookup/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=eviltokens-ghost-code-analysis&amp;utm_term=230626&amp;utm_content=linktotilookuplanding" target="_blank" rel="noreferrer noopener">Threat Intelligence</a>, expanding the investigation beyond a single URL.&nbsp;</p>



<p class="wp-block-paragraph"><strong>Clearer reporting:</strong> Structured investigation results turn complex browser activity into evidence that is easier to use during triage, escalation, incident response, and stakeholder communication.</p>



<p class="wp-block-paragraph">For SOC and MSSP teams, this means less time spent reconstructing browser activity manually, better use of senior resources, and a faster path from a suspicious URL to a confident response decision.&nbsp;</p>



<!-- Regular Banner START -->
<div class="regular-banner">
<!-- Text Content -->
<p class="regular-banner__text">
Turn hidden browser activity into clear response evidence. 
 &nbsp;
<br>
<span class="highlight">Reduce investigation delays and help your SOC act faster.</span>
</p>
<!-- CTA Link -->
<a class="regular-banner__link" id="article-banner-regular" href="https://any.run/enterprise/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=eviltokens-ghost-code-analysis&amp;utm_term=230626&amp;utm_content=linktoenterprise#contact-sales" target="_blank" rel="noopener">
Accelerate response now  
</a>
</div>
<!-- Regular Banner END -->
<!-- Regular Banner Styles START -->

<style>
.regular-banner {
display: flex;
text-align: center;
flex-direction: column;
align-items: center;
gap: 1.5rem;
width: 100%;
padding: 2rem;
margin: 1.5rem 0;
border-radius: 0.5rem;
font-family: 'Catamaran Bold';
margin-inline: auto;
background: rgba(32, 168, 241, 0.1);
border: 1px solid rgba(75, 174, 227, 0.32);
}

.regular-banner__text {
font-size: 1.5rem;
margin: 0;
}

.highlight {
color: #ea2526;
}

.regular-banner__link {
padding: 0.5rem 1.5rem;
font-weight: 500;
text-decoration: none;
border-radius: 0.5rem;
color: #FFFFFF;
background-color: #1491D4;
text-align: center;
transition: all 0.2s ease-in;
}

.regular-banner__link:hover {
background-color: #68CBFF;
color: white;
}
</style>
<!-- Regular Banner Styles END -->



<h2 class="wp-block-heading">About ANY.RUN&nbsp;</h2>



<p class="wp-block-paragraph">ANY.RUN, a leading provider of interactive malware analysis and&nbsp;threat&nbsp;intelligence solutions, helps SOC teams, MSSPs, and enterprises investigate&nbsp;threats faster and make more confident security decisions.&nbsp;</p>



<p class="wp-block-paragraph">Its cloud-based&nbsp;<a href="https://any.run/features/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=eviltokens-ghost-code-analysis&amp;utm_term=230626&amp;utm_content=linktosandboxlanding" target="_blank" rel="noreferrer noopener">Interactive&nbsp;Sandbox</a>&nbsp;lets teams safely analyze suspicious files, URLs, and emails in real time,&nbsp;observe&nbsp;malicious behavior as it unfolds, and collect&nbsp;clear evidence&nbsp;for faster response.&nbsp;</p>



<p class="wp-block-paragraph">ANY.RUN’s&nbsp;<a href="https://any.run/threat-intelligence-lookup/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=eviltokens-ghost-code-analysis&amp;utm_term=230626&amp;utm_content=linktotilookuplanding" target="_blank" rel="noreferrer noopener">Threat&nbsp;Intelligence</a>&nbsp;solutions add broader context around&nbsp;threats, infrastructure, and attacker activity. Together, these capabilities support faster triage, stronger detection, better-informed response decisions, and more efficient security operations at scale.&nbsp;</p>
<p>The post <a href="https://any.run/cybersecurity-blog/eviltokens-ghost-code-analysis/">EvilTokens: How “Ghost” Code Threatens US and European Businesses</a> appeared first on <a href="https://any.run/cybersecurity-blog">ANY.RUN&#039;s Cybersecurity Blog</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://any.run/cybersecurity-blog/eviltokens-ghost-code-analysis/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The Hacker News Recognizes ANY.RUN as the Best Security Investigation Platform 2026 </title>
		<link>https://any.run/cybersecurity-blog/best-security-platform/</link>
					<comments>https://any.run/cybersecurity-blog/best-security-platform/#respond</comments>
		
		<dc:creator><![CDATA[ANY.RUN]]></dc:creator>
		<pubDate>Fri, 19 Jun 2026 09:28:53 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<category><![CDATA[ANYRUN]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[malware analysis]]></category>
		<guid isPermaLink="false">https://any.run/cybersecurity-blog/?p=21722</guid>

					<description><![CDATA[<p>ANY.RUN&#160;has been recognized as the&#160;Best Security Investigation Platform 2026&#160;at the&#160;Cybersecurity Stars Awards&#160;by The Hacker News.&#160; This award reflects our dedication to building solutions that make a real impact on daily security operations.&#160; At&#160;ANY.RUN, we&#160;help&#160;SOC and&#160;MSSP&#160;teams&#160;worldwide&#160;streamline&#160;threat investigation&#160;workflows&#160;through confident decision-making,&#160;full&#160;malware and phishing&#160;visibility,&#160;and actionable insights&#160;thataccelerate&#160;incident&#160;investigations and response.&#160; We&#160;thank&#160;our&#160;global community&#160;of&#160;security professionals&#160;for&#160;continuously&#160;trusting&#160;our solutions&#160;and supporting&#160;our growth!&#160; Reinforcing Our Position as&#160;a Market [&#8230;]</p>
<p>The post <a href="https://any.run/cybersecurity-blog/best-security-platform/">The Hacker News Recognizes ANY.RUN as the Best Security Investigation Platform 2026 </a> appeared first on <a href="https://any.run/cybersecurity-blog">ANY.RUN&#039;s Cybersecurity Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="wp-block-paragraph"><a href="https://any.run/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=best-security-platform&amp;utm_term=190626&amp;utm_content=linktolanding" target="_blank" rel="noreferrer noopener">ANY.RUN</a>&nbsp;has been recognized as the&nbsp;<a href="https://awards.thehackernews.com/winners/2026/anyrun-interactive-malware-sandbox/" target="_blank" rel="noreferrer noopener">Best Security Investigation Platform 2026</a>&nbsp;at the&nbsp;<strong>Cybersecurity Stars Awards&nbsp;</strong>by The Hacker News.&nbsp;</p>



<p class="wp-block-paragraph">This award reflects our dedication to building solutions that make a real impact on daily security operations.&nbsp;</p>



<p class="wp-block-paragraph">At&nbsp;ANY.RUN, we&nbsp;help&nbsp;SOC and&nbsp;<a href="https://any.run/mssp/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=best-security-platform&amp;utm_term=190626&amp;utm_content=linktomssp" target="_blank" rel="noreferrer noopener">MSSP</a>&nbsp;teams&nbsp;worldwide&nbsp;streamline&nbsp;threat investigation&nbsp;workflows&nbsp;through confident decision-making,&nbsp;full&nbsp;malware and phishing&nbsp;visibility,&nbsp;and actionable insights&nbsp;thataccelerate&nbsp;incident&nbsp;investigations and response.&nbsp;</p>



<p class="wp-block-paragraph">We&nbsp;thank&nbsp;our&nbsp;global community&nbsp;of&nbsp;<a href="https://any.run/cybersecurity-blog/soc-business-success-cases-anyrun/" target="_blank" rel="noreferrer noopener">security professionals</a>&nbsp;for&nbsp;continuously&nbsp;trusting&nbsp;our solutions&nbsp;and supporting&nbsp;our growth!&nbsp;</p>



<h2 class="wp-block-heading">Reinforcing Our Position as&nbsp;a Market Leader&nbsp;</h2>



<p class="wp-block-paragraph">The Cybersecurity Stars Awards are organized by&nbsp;The Hacker News, one of the industry&#8217;s leading cybersecurity publications, delivering&nbsp;industry&nbsp;news, threat intelligence insights, and practical security guidance to more than 50 million security professionals annually.&nbsp;</p>



<p class="wp-block-paragraph">The award recognizes companies and individuals who have&nbsp;demonstrated&nbsp;excellence in cybersecurity through innovation, impact, and technical achievement.&nbsp;</p>



<p class="wp-block-paragraph">As the organizers&nbsp;noted:&nbsp;</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p class="wp-block-paragraph">&#8220;[ANY.RUN’s] work helps SOC and MSSP teams move faster in&nbsp;the&nbsp;critical moments when every second counts in threat investigation.&#8221;&nbsp;</p>
</blockquote>



<p class="wp-block-paragraph">This recognition reflects our mission to simplify complex investigations and help security teams&nbsp;in&nbsp;companies&nbsp;and organizations&nbsp;accelerate detection, analysis, and response at scale.&nbsp;</p>



<h2 class="wp-block-heading">Delivering Innovation for Measurable Impact&nbsp;</h2>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="576" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Boost-SOC-Performance-and-Business-Security-1-2048x1152.png-1024x576.webp" alt="boost soc performance" class="wp-image-21509" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Boost-SOC-Performance-and-Business-Security-1-2048x1152.png-1024x576.webp 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Boost-SOC-Performance-and-Business-Security-1-2048x1152.png-300x169.webp 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Boost-SOC-Performance-and-Business-Security-1-2048x1152.png-768x432.webp 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Boost-SOC-Performance-and-Business-Security-1-2048x1152.png-1536x864.webp 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Boost-SOC-Performance-and-Business-Security-1-2048x1152.png-370x208.webp 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Boost-SOC-Performance-and-Business-Security-1-2048x1152.png-270x152.webp 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Boost-SOC-Performance-and-Business-Security-1-2048x1152.png-740x416.webp 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Boost-SOC-Performance-and-Business-Security-1-2048x1152.png.webp 2048w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Insights from ANY.RUN users on their improved metrics </figcaption></figure>



<p class="wp-block-paragraph">Winners were selected by an independent panel of cybersecurity experts based on criteria including innovation, industry impact, and technical excellence. At ANY.RUN,&nbsp;we translate&nbsp;these principles into tangible business outcomes for security teams:&nbsp;</p>



<ul class="wp-block-list">
<li><strong>Faster investigations</strong> through <a href="https://any.run/features/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=best-security-platform&amp;utm_term=190626&amp;utm_content=linktosandboxlanding" target="_blank" rel="noreferrer noopener">interactive, real-time analysis</a> and <a href="https://any.run/threat-intelligence-lookup//?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=in-browser-data-inspection&amp;utm_term=160626&amp;utm_content=linktotilookuplanding" target="_blank" rel="noreferrer noopener">threat hunting workflows</a>. </li>
</ul>



<ul class="wp-block-list">
<li><strong>Greater operational efficiency&nbsp;</strong>with automated enrichment and streamlined investigation processes.&nbsp;</li>
</ul>



<ul class="wp-block-list">
<li><strong>Confident&nbsp;incident response&nbsp;</strong>backed by actionable intelligence&nbsp;from investigations by 15,000+&nbsp;security teams.&nbsp;</li>
</ul>



<!-- Regular Banner START -->
<div class="regular-banner">
<!-- Text Content -->
<p class="regular-banner__text">
Looking to boost your SOC&#8217;s efficiency? 
<br>
Build <span class="highlight">fast, consistent security operations</span> with ANY.RUN.
</p>
<!-- CTA Link -->
<a class="regular-banner__link" id="article-banner-regular" href="https://any.run/enterprise/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=best-security-platform&#038;utm_term=190626&#038;utm_content=linktoenterprise#contact-sales" target="_blank" rel="noopener">
Contact us
</a>
</div>
<!-- Regular Banner END -->
<!-- Regular Banner Styles START -->

<style>
.regular-banner {
display: flex;
text-align: center;
flex-direction: column;
align-items: center;
gap: 1.5rem;
width: 100%;
padding: 2rem;
margin: 1.5rem 0;
border-radius: 0.5rem;
font-family: 'Catamaran Bold';
margin-inline: auto;
background: rgba(32, 168, 241, 0.1);
border: 1px solid rgba(75, 174, 227, 0.32);
}

.regular-banner__text {
font-size: 1.5rem;
margin: 0;
}

.highlight {
color: #ea2526;
}

.regular-banner__link {
padding: 0.5rem 1.5rem;
font-weight: 500;
text-decoration: none;
border-radius: 0.5rem;
color: #FFFFFF;
background-color: #1491D4;
text-align: center;
transition: all 0.2s ease-in;
}

.regular-banner__link:hover {
background-color: #68CBFF;
color: white;
}
</style>
<!-- Regular Banner Styles END -->



<h2 class="wp-block-heading">Recent Releases&nbsp;Driving SOC Investigations Forward&nbsp;</h2>



<p class="wp-block-paragraph">ANY.RUN’s&nbsp;enterprise-ready&nbsp;solutions&nbsp;are designed&nbsp;to meet&nbsp;the needs of modern SOC and MSSP environments. Our recent releases reinforce&nbsp;this mission by&nbsp;delivering:&nbsp;</p>



<ul class="wp-block-list">
<li><strong>Fast, evidence-based decision-making</strong>&nbsp;through&nbsp;<a href="https://any.run/cybersecurity-blog/in-browser-data-inspection/" target="_blank" rel="noreferrer noopener">in-browser data inspection</a>, enabling analysts to perform URL analysis without switching between multiple tools or workflows.&nbsp;</li>
</ul>



<ul class="wp-block-list">
<li><strong>Consistent and efficient investigations&nbsp;</strong>with&nbsp;<a href="https://any.run/cybersecurity-blog/soc-ready-reporting/" target="_blank" rel="noreferrer noopener">SOC-ready reporting</a>&nbsp;that&nbsp;converts&nbsp;analysis outputs into structured, operationally ready documents.&nbsp;</li>
</ul>



<ul class="wp-block-list">
<li><strong>Simplified security operations and faster response&nbsp;</strong>through&nbsp;<a href="https://any.run/cybersecurity-blog/anyrun-macos-sandbox/" target="_blank" rel="noreferrer noopener">cross-platform analysis</a>&nbsp;across&nbsp;<a href="https://any.run/cybersecurity-blog/release-notes-march-2026/" target="_blank" rel="noreferrer noopener">Windows</a>,&nbsp;<a href="https://any.run/cybersecurity-blog/network-traffic-analysis-in-linux/" target="_blank" rel="noreferrer noopener">Linux</a>,&nbsp;<a href="https://any.run/cybersecurity-blog/how-android-malware-targets-businesses/" target="_blank" rel="noreferrer noopener">Android</a>, and&nbsp;<a href="https://any.run/platforms/macOS/" target="_blank" rel="noreferrer noopener">macOS</a>&nbsp;VMs, allowing teams to investigate diverse threats within a single environment and workflow.&nbsp;</li>
</ul>



<h2 class="wp-block-heading">About ANY.RUN&nbsp;</h2>



<p class="wp-block-paragraph"><a href="https://any.run/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=best-security-platform&amp;utm_term=190626&amp;utm_content=linktolanding" target="_blank" rel="noreferrer noopener">ANY.RUN</a>&nbsp;provides cybersecurity solutions for SOC and MSSP teams that enable stronger operations across threat investigation workflows.&nbsp;&nbsp;</p>



<p class="wp-block-paragraph"><a href="https://any.run/features//?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=in-browser-data-inspection&amp;utm_term=160626&amp;utm_content=linktosandboxlanding" target="_blank" rel="noreferrer noopener">Interactive Sandbox</a> for enterprise-scale malware and phishing analysis and <a href="https://any.run/threat-intelligence-lookup/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=best-security-platform&amp;utm_term=190626&amp;utm_content=linktotilookuplanding" target="_blank" rel="noreferrer noopener">ANY.RUN Threat Intelligence</a> solutions aggregate investigation data from more than 15,000 SOCs worldwide to support instant enrichment and early threat detection.   </p>



<p class="wp-block-paragraph">The company’s mission is to&nbsp;deliver&nbsp;fast threat understanding and confident incident&nbsp;response.&nbsp;&nbsp;</p>



<p class="wp-block-paragraph">ANY.RUN is&nbsp;<a href="https://any.run/compliance/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=best-security-platform&amp;utm_term=190626&amp;utm_content=linktocompliance" target="_blank" rel="noreferrer noopener">SOC 2 Type II attested</a>&nbsp;and committed to strong security control and customer data protection.&nbsp;</p>
<p>The post <a href="https://any.run/cybersecurity-blog/best-security-platform/">The Hacker News Recognizes ANY.RUN as the Best Security Investigation Platform 2026 </a> appeared first on <a href="https://any.run/cybersecurity-blog">ANY.RUN&#039;s Cybersecurity Blog</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://any.run/cybersecurity-blog/best-security-platform/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Faster Triage, Clearer Evidence, Lower Risk: A SOC Guide to Better Alert Handling</title>
		<link>https://any.run/cybersecurity-blog/triage-analyst-guide/</link>
					<comments>https://any.run/cybersecurity-blog/triage-analyst-guide/#respond</comments>
		
		<dc:creator><![CDATA[ANY.RUN]]></dc:creator>
		<pubDate>Wed, 17 Jun 2026 11:30:47 +0000</pubDate>
				<category><![CDATA[Cybersecurity Lifehacks]]></category>
		<category><![CDATA[ANYRUN]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[malware analysis]]></category>
		<guid isPermaLink="false">/cybersecurity-blog/?p=16431</guid>

					<description><![CDATA[<p>&#160;A SOC is where every second counts. Amidst a flood of alerts, false positives, and ever-short time, analysts face the daily challenge of identifying what truly matters — before attackers gain ground.&#160; That’s where alert triage comes in: the essential first step in detecting, prioritizing, and responding to threats efficiently. Done right, it defines the [&#8230;]</p>
<p>The post <a href="https://any.run/cybersecurity-blog/triage-analyst-guide/">Faster Triage, Clearer Evidence, Lower Risk: A SOC Guide to Better Alert Handling</a> appeared first on <a href="https://any.run/cybersecurity-blog">ANY.RUN&#039;s Cybersecurity Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="wp-block-paragraph"><br>&nbsp;A SOC is where every second counts. Amidst a flood of alerts, false positives, and ever-short time, analysts face the daily challenge of identifying what truly matters — before attackers gain ground.&nbsp;</p>



<p class="wp-block-paragraph">That’s where alert triage comes in: the essential first step in detecting, prioritizing, and responding to threats efficiently. Done right, it defines the overall effectiveness of a SOC or MSSP and determines how well an organization can defend itself.</p>



<h2 class="wp-block-heading">Spoiler Alert About Alerts&nbsp;</h2>



<p class="wp-block-paragraph">Here’s your spoiler for today: good triage is not just about checking whether an IOC is malicious. It is about understanding what happened, how serious the threat is, and what action should come next.&nbsp;</p>



<p class="wp-block-paragraph">That becomes much easier when analysts have the right environment to safely analyze suspicious files, URLs, and emails, plus the threat intelligence needed to connect each finding to a wider campaign or infrastructure.&nbsp;</p>



<p class="wp-block-paragraph"><a href="https://any.run/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=triage-analyst-guide&amp;utm_term=170626&amp;utm_content=linktolanding" target="_blank" rel="noreferrer noopener">ANY.RUN</a> supports this process from the first alert to the final decision. Analysts can observe real behavior in the interactive sandbox, enrich findings with live threat context, inspect browser-level activity during phishing investigations, and turn the results into clear Tier 1 Reports for faster escalation or closure.&nbsp;</p>



<p class="wp-block-paragraph">The result is a stronger triage workflow where teams do not rely on scattered indicators or guesswork. They can validate threats, understand the bigger picture, and make faster, more confident decisions.&nbsp;</p>



<h2 class="wp-block-heading">Why Triage Is the Heartbeat of the SOC&nbsp;</h2>



<p class="wp-block-paragraph">Behind every <a href="https://any.run/cybersecurity-blog/streamline-your-soc/" target="_blank" rel="noreferrer noopener">successful SOC</a>, there’s a smooth triage flow that keeps chaos under control. It’s not just about filtering alerts. It’s about shaping the SOC’s rhythm and resilience.&nbsp;</p>



<p class="wp-block-paragraph">When analysts perform triage effectively:&nbsp;</p>



<ul class="wp-block-list">
<li>They build the first and strongest defense layer against real attacks.&nbsp;</li>



<li>They ensure human attention is spent where it matters most.&nbsp;</li>



<li>They create a foundation for accurate detection and response metrics like MTTD and MTTR.&nbsp;</li>



<li>They make security predictable and measurable, not reactive and random.&nbsp;</li>
</ul>



<h2 class="wp-block-heading">Why Triage Quality Matters to SOC Leaders&nbsp;</h2>



<p class="wp-block-paragraph">For analysts, poor triage means more manual checks, more uncertainty, and more alerts waiting in the queue. For SOC managers, Heads of SOC, CISOs, and MSSP leaders, the impact is bigger.&nbsp;</p>



<p class="wp-block-paragraph">Slow or inconsistent triage creates higher escalation pressure, longer response times, missed SLA targets, and less visibility into which threats require urgent action. It also makes it harder to measure SOC performance because every investigation depends too much on individual experience and manual interpretation.&nbsp;</p>



<p class="wp-block-paragraph">That is why mature SOCs need more than raw alerts or isolated indicators. They need a repeatable process that helps Tier 1 teams validate threats faster, gives Tier 2 and IR teams cleaner context, and gives leadership a clearer view of incident severity, business risk, and response priorities.&nbsp;</p>



<!-- Regular Banner START -->
<div class="regular-banner">
<!-- Text Content -->
<p class="regular-banner__text">
Make triage faster, clearer, and easier to scale 
&nbsp;<br> <span class="highlight">Help your SOC  reduce delays and improve response quality</span> 
</p>
<!-- CTA Link -->
<a class="regular-banner__link" id="article-banner-regular" href="https://any.run/enterprise/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=triage-analyst-guide&#038;utm_term=170626&#038;utm_content=linktoenterprise#contact-sales" target="_blank" rel="noopener">
Improve Alert Triage&nbsp;
</a>
</div>
<!-- Regular Banner END -->
<!-- Regular Banner Styles START -->

<style>
.regular-banner {
display: flex;
text-align: center;
flex-direction: column;
align-items: center;
gap: 1.5rem;
width: 100%;
padding: 2rem;
margin: 1.5rem 0;
border-radius: 0.5rem;
font-family: 'Catamaran Bold';
margin-inline: auto;
background: rgba(32, 168, 241, 0.1);
border: 1px solid rgba(75, 174, 227, 0.32);
}

.regular-banner__text {
font-size: 1.5rem;
margin: 0;
}

.highlight {
color: #ea2526;
}

.regular-banner__link {
padding: 0.5rem 1.5rem;
font-weight: 500;
text-decoration: none;
border-radius: 0.5rem;
color: #FFFFFF;
background-color: #1491D4;
text-align: center;
transition: all 0.2s ease-in;
}

.regular-banner__link:hover {
background-color: #68CBFF;
color: white;
}
</style>
<!-- Regular Banner Styles END -->



<h2 class="wp-block-heading">The Daily Puzzle: Making Sense of a Thousand Pings&nbsp;</h2>



<p class="wp-block-paragraph">The challenge is not a lack of data — it’s too much of it. The toughest barriers to effective triage include:&nbsp;</p>



<ul class="wp-block-list">
<li><strong>Alert overload</strong>: When every ping demands attention, focus becomes the first casualty.&nbsp;</li>



<li><strong>False positives</strong>: Automation can cry wolf more often than it should.&nbsp;</li>



<li><strong>Threat complexity</strong>: Today&#8217;s attackers employ sophisticated techniques designed to evade detection.&nbsp;</li>



<li><strong>Context gaps</strong>: An IP is just an IP until you know its story.&nbsp;</li>



<li><strong>Time compression</strong>: Analysts often have seconds, not minutes, to make judgment calls.&nbsp;</li>



<li><strong>Data silos</strong>: TI feeds, SIEMs, and sandboxes don’t always talk to each other.&nbsp;</li>
</ul>



<p class="wp-block-paragraph">The result? Valuable threats risk getting buried under a pile of meaningless noise.</p>



<h2 class="wp-block-heading">Speed, Precision, and the Numbers That Matter&nbsp;</h2>



<p class="wp-block-paragraph">In triage, speed without accuracy is chaos, and accuracy without speed is luxury. That’s why SOCs track their efficiency through key metrics. KPIs aren&#8217;t just for bosses—they&#8217;re your triage compass. Track these to benchmark progress and spot bottlenecks:&nbsp;</p>



<div class="wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper
"
    >
        <table id="wpdtSimpleTable-255"
           style="border-collapse:collapse;
                   border-spacing:0px;"
           class="wpdtSimpleTable wpDataTable"
           data-column="4"
           data-rows="7"
           data-wpID="255"
           data-responsive="0"
           data-has-header="1">

                    <thead>        <tr class="wpdt-cell-row " >
                                <th class="wpdt-cell "
                                            data-cell-id="A1"
                    data-col-index="0"
                    data-row-index="0"
                    style=" width:25%;                    padding:10px;
                    "
                    >
                                        KPI                     </th>
                                                <th class="wpdt-cell "
                                            data-cell-id="B1"
                    data-col-index="1"
                    data-row-index="0"
                    style=" width:25%;                    padding:10px;
                    "
                    >
                                        Description                     </th>
                                                <th class="wpdt-cell "
                                            data-cell-id="C1"
                    data-col-index="2"
                    data-row-index="0"
                    style=" width:25%;                    padding:10px;
                    "
                    >
                                        Target Benchmark                     </th>
                                                <th class="wpdt-cell "
                                            data-cell-id="D1"
                    data-col-index="3"
                    data-row-index="0"
                    style=" width:25%;                    padding:10px;
                    "
                    >
                                        Why It Matters for Triage                     </th>
                                        </tr>
                    <tbody>        <tr class="wpdt-cell-row " >
                                <td class="wpdt-cell "
                                            data-cell-id="A2"
                    data-col-index="0"
                    data-row-index="1"
                    style="                    padding:10px;
                    "
                    >
                                        Mean Time to Detect (MTTD)                     </td>
                                                <td class="wpdt-cell "
                                            data-cell-id="B2"
                    data-col-index="1"
                    data-row-index="1"
                    style="                    padding:10px;
                    "
                    >
                                        Average time from threat emergence to alert generation.                     </td>
                                                <td class="wpdt-cell "
                                            data-cell-id="C2"
                    data-col-index="2"
                    data-row-index="1"
                    style="                    padding:10px;
                    "
                    >
                                        <1 hour                     </td>
                                                <td class="wpdt-cell "
                                            data-cell-id="D2"
                    data-col-index="3"
                    data-row-index="1"
                    style="                    padding:10px;
                    "
                    >
                                        Measures triage speed in spotting signals amid noise.                     </td>
                                        </tr>
                            <tr class="wpdt-cell-row " >
                                <td class="wpdt-cell "
                                            data-cell-id="A3"
                    data-col-index="0"
                    data-row-index="2"
                    style="                    padding:10px;
                    "
                    >
                                        Mean Time to Respond (MTTR)                     </td>
                                                <td class="wpdt-cell "
                                            data-cell-id="B3"
                    data-col-index="1"
                    data-row-index="2"
                    style="                    padding:10px;
                    "
                    >
                                        Time from alert to containment/remediation.                     </td>
                                                <td class="wpdt-cell "
                                            data-cell-id="C3"
                    data-col-index="2"
                    data-row-index="2"
                    style="                    padding:10px;
                    "
                    >
                                        <4 hours                     </td>
                                                <td class="wpdt-cell "
                                            data-cell-id="D3"
                    data-col-index="3"
                    data-row-index="2"
                    style="                    padding:10px;
                    "
                    >
                                        Highlights routing efficiency—faster triage feeds faster responses.                     </td>
                                        </tr>
                            <tr class="wpdt-cell-row " >
                                <td class="wpdt-cell "
                                            data-cell-id="A4"
                    data-col-index="0"
                    data-row-index="3"
                    style="                    padding:10px;
                    "
                    >
                                        False Positive Rate                     </td>
                                                <td class="wpdt-cell "
                                            data-cell-id="B4"
                    data-col-index="1"
                    data-row-index="3"
                    style="                    padding:10px;
                    "
                    >
                                        Percentage of alerts dismissed as non-threats.                     </td>
                                                <td class="wpdt-cell "
                                            data-cell-id="C4"
                    data-col-index="2"
                    data-row-index="3"
                    style="                    padding:10px;
                    "
                    >
                                        <20%                     </td>
                                                <td class="wpdt-cell "
                                            data-cell-id="D4"
                    data-col-index="3"
                    data-row-index="3"
                    style="                    padding:10px;
                    "
                    >
                                        Low rates mean better prioritization; high ones signal fatigue.                     </td>
                                        </tr>
                            <tr class="wpdt-cell-row " >
                                <td class="wpdt-cell "
                                            data-cell-id="A5"
                    data-col-index="0"
                    data-row-index="4"
                    style="                    padding:10px;
                    "
                    >
                                        Alert Closure Rate                     </td>
                                                <td class="wpdt-cell "
                                            data-cell-id="B5"
                    data-col-index="1"
                    data-row-index="4"
                    style="                    padding:10px;
                    "
                    >
                                        Alerts triaged per analyst per shift.                     </td>
                                                <td class="wpdt-cell "
                                            data-cell-id="C5"
                    data-col-index="2"
                    data-row-index="4"
                    style="                    padding:10px;
                    "
                    >
                                        50-100                     </td>
                                                <td class="wpdt-cell "
                                            data-cell-id="D5"
                    data-col-index="3"
                    data-row-index="4"
                    style="                    padding:10px;
                    "
                    >
                                        Gauges productivity without burnout.                     </td>
                                        </tr>
                            <tr class="wpdt-cell-row " >
                                <td class="wpdt-cell "
                                            data-cell-id="A6"
                    data-col-index="0"
                    data-row-index="5"
                    style="                    padding:10px;
                    "
                    >
                                        Escalation Rate                     </td>
                                                <td class="wpdt-cell "
                                            data-cell-id="B6"
                    data-col-index="1"
                    data-row-index="5"
                    style="                    padding:10px;
                    "
                    >
                                        % of alerts bumped to higher tiers.                     </td>
                                                <td class="wpdt-cell "
                                            data-cell-id="C6"
                    data-col-index="2"
                    data-row-index="5"
                    style="                    padding:10px;
                    "
                    >
                                        <30%                     </td>
                                                <td class="wpdt-cell "
                                            data-cell-id="D6"
                    data-col-index="3"
                    data-row-index="5"
                    style="                    padding:10px;
                    "
                    >
                                        Reflects triage accuracy—fewer escalations mean empowered Tier 1.                     </td>
                                        </tr>
                            <tr class="wpdt-cell-row " >
                                <td class="wpdt-cell "
                                            data-cell-id="A7"
                    data-col-index="0"
                    data-row-index="6"
                    style="                    padding:10px;
                    "
                    >
                                        Wrong Verdict Rate                     </td>
                                                <td class="wpdt-cell "
                                            data-cell-id="B7"
                    data-col-index="1"
                    data-row-index="6"
                    style="                    padding:10px;
                    "
                    >
                                        Misclassified alerts (internal audit).                     </td>
                                                <td class="wpdt-cell "
                                            data-cell-id="C7"
                    data-col-index="2"
                    data-row-index="6"
                    style="                    padding:10px;
                    "
                    >
                                        <10%                     </td>
                                                <td class="wpdt-cell "
                                            data-cell-id="D7"
                    data-col-index="3"
                    data-row-index="6"
                    style="                    padding:10px;
                    "
                    >
                                        Tracks skill gaps; aim for continuous improvement via training.                     </td>
                                        </tr>
                    </table>
</div><style id='wpdt-custom-style-255'>
table#wpdtSimpleTable-255{ table-layout: fixed !important; }
table#wpdtSimpleTable-255 td, table.wpdtSimpleTable255 th { white-space: normal !important; }
</style>




<p class="wp-block-paragraph">&nbsp;<br>High-performing SOCs balance speed and certainty by using intelligence enrichment to cut decision time without cutting quality. Those KPIs are not just numbers; they’re the story of how well your triage works.&nbsp;</p>



<h2 class="wp-block-heading">From Metrics to Meaning: Why Triage Drives Business Outcomes&nbsp;</h2>



<p class="wp-block-paragraph">Triage KPIs are not just operational numbers. They show how well the SOC turns alerts into decisions, decisions into action, and action into measurable risk reduction.&nbsp;</p>



<p class="wp-block-paragraph">When MTTD goes down, teams identify suspicious activity earlier. When MTTR improves, incidents move toward containment faster. When false positives and unnecessary escalations decrease, analysts have more time for threats that actually matter.&nbsp;</p>



<p class="wp-block-paragraph">For SOCs and MSSPs, stronger triage creates value in several ways:&nbsp;</p>



<ul class="wp-block-list">
<li>Fewer false positives protect analyst focus and reduce wasted investigation time.&nbsp;</li>



<li>Faster validation helps teams meet response expectations and maintain client trust.&nbsp;</li>



<li>Better prioritization keeps high-risk incidents from being delayed by low-value alerts.&nbsp;</li>



<li>Lower escalation volume gives senior specialists more time for complex investigations.&nbsp;</li>



<li>Cleaner triage data makes SOC performance easier to track and improve over time.&nbsp;</li>
</ul>



<p class="wp-block-paragraph">In short, triage is where daily alert handling becomes visible business value. A faster, more structured process helps teams reduce operational waste, improve response quality, and prove that security work is moving risk in the right direction.&nbsp;</p>



<h2 class="wp-block-heading">From Alert to Decision: How ANY.RUN Strengthens the Triage Process&nbsp;</h2>



<p class="wp-block-paragraph">Effective triage is not a single action. It is a sequence of decisions: Is this alert worth attention? What happened? How serious is it? Should the case be closed, escalated, or moved toward response?&nbsp;</p>



<p class="wp-block-paragraph">ANY.RUN helps SOC teams move through this process faster by giving analysts one connected workflow for threat validation, context gathering, and evidence collection.&nbsp;</p>



<h3 class="wp-block-heading">Step 1: Understand What Triggered the Alert&nbsp;</h3>



<p class="wp-block-paragraph">Triage usually starts with an indicator: a suspicious IP, domain, file hash, URL, process, or network connection. On its own, that indicator rarely tells the full story.&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="597" src="https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-from-2026-06-17-13-20-02-1024x597.png" alt="ANY.RUN’s Threat Intelligence providing data from 15k organizations worldwide " class="wp-image-21693" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-from-2026-06-17-13-20-02-1024x597.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-from-2026-06-17-13-20-02-300x175.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-from-2026-06-17-13-20-02-768x448.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-from-2026-06-17-13-20-02-1536x895.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-from-2026-06-17-13-20-02-370x216.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-from-2026-06-17-13-20-02-270x157.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-from-2026-06-17-13-20-02-740x431.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-from-2026-06-17-13-20-02.png 1836w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>ANY.RUN’s Threat Intelligence&nbsp;providing data from 15k organizations worldwide</em></figcaption></figure>
</div>


<p class="wp-block-paragraph">With ANY.RUN’s <a href="https://any.run/threat-intelligence-lookup/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=triage-analyst-guide&amp;utm_term=170626&amp;utm_content=linktotilookuplanding" target="_blank" rel="noreferrer noopener">Threat Intelligence</a>, analysts can quickly check whether the IOC has appeared in&nbsp;previous&nbsp;analyses, what malware families or campaigns it may be connected to, and what&nbsp;behavior&nbsp;was&nbsp;observed&nbsp;around it. This gives teams an immediate starting point instead of forcing them to investigate from zero.&nbsp;</p>



<p class="wp-block-paragraph">At this stage, the goal is not to make a final verdict yet. The goal is to understand whether the alert has enough risk signals to deserve deeper analysis.&nbsp;</p>



<!-- Regular Banner START -->
<div class="regular-banner">
<!-- Text Content -->
<p class="regular-banner__text">
Reduce triage guesswork and escalation delays 
 
&nbsp;<br> <span class="highlight">Give your SOC the context to act faster </span> 
</p>
<!-- CTA Link -->
<a class="regular-banner__link" id="article-banner-regular" href="https://any.run/enterprise/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=triage-analyst-guide&amp;utm_term=170626&amp;utm_content=linktoenterprise#contact-sales" target="_blank" rel="noopener">
Power Your SOC Triage&nbsp;
</a>
</div>
<!-- Regular Banner END -->
<!-- Regular Banner Styles START -->

<style>
.regular-banner {
display: flex;
text-align: center;
flex-direction: column;
align-items: center;
gap: 1.5rem;
width: 100%;
padding: 2rem;
margin: 1.5rem 0;
border-radius: 0.5rem;
font-family: 'Catamaran Bold';
margin-inline: auto;
background: rgba(32, 168, 241, 0.1);
border: 1px solid rgba(75, 174, 227, 0.32);
}

.regular-banner__text {
font-size: 1.5rem;
margin: 0;
}

.highlight {
color: #ea2526;
}

.regular-banner__link {
padding: 0.5rem 1.5rem;
font-weight: 500;
text-decoration: none;
border-radius: 0.5rem;
color: #FFFFFF;
background-color: #1491D4;
text-align: center;
transition: all 0.2s ease-in;
}

.regular-banner__link:hover {
background-color: #68CBFF;
color: white;
}
</style>
<!-- Regular Banner Styles END -->



<h3 class="wp-block-heading">Step 2:&nbsp;Validate&nbsp;the Threat in a Safe Environment&nbsp;</h3>



<p class="wp-block-paragraph">If the alert looks suspicious, the next step is&nbsp;behavior&nbsp;validation. At this stage, analysts need to understand what the threat&nbsp;actually does, not just what one IOC or static scan suggests.&nbsp;</p>



<p class="wp-block-paragraph">ANY.RUN’s <a href="https://any.run/features/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=triage-analyst-guide&amp;utm_term=170626&amp;utm_content=linktosandboxlanding" target="_blank" rel="noreferrer noopener">Interactive Sandbox</a> gives teams a safe environment to open suspicious files, URLs, and emails,&nbsp;observe&nbsp;execution in real time, and collect&nbsp;behavioral&nbsp;evidence without risking internal systems. Instead of relying on partial indicators, analysts can see network connections, dropped files, process activity, persistence attempts, phishing flows, redirects, and other signals that confirm whether the alert is real.&nbsp;</p>



<h4 class="wp-block-heading"><em>Get&nbsp;Behavior&nbsp;Visibility in Seconds</em>&nbsp;</h4>



<p class="wp-block-paragraph">In triage, speed matters. ANY.RUN helps analysts reach meaningful evidence quickly, with most malicious&nbsp;behavior&nbsp;becoming visible within the first 60 seconds of analysis.&nbsp;</p>



<p class="wp-block-paragraph"><a href="https://app.any.run/tasks/a1b85a4f-6985-4b16-b8b4-d802012524af?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=triage-analyst-guide&amp;utm_term=170626&amp;utm_content=linktoservice" target="_blank" rel="noreferrer noopener">View real-world threat analyzed in 60 seconds</a></p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="569" src="https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-06-17-at-12.44.18-1024x569.png" alt="Full phishing attack analyzed inside ANY.RUN Interactive Sandbox in a min " class="wp-image-21694" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-06-17-at-12.44.18-1024x569.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-06-17-at-12.44.18-300x167.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-06-17-at-12.44.18-768x427.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-06-17-at-12.44.18-1536x853.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-06-17-at-12.44.18-2048x1138.png 2048w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-06-17-at-12.44.18-370x206.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-06-17-at-12.44.18-270x150.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-06-17-at-12.44.18-740x411.png 740w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Full&nbsp;phishing&nbsp;attack&nbsp;analyzed&nbsp;inside&nbsp;ANY.RUN Interactive Sandbox&nbsp;in a min</em></figcaption></figure>
</div>


<p class="wp-block-paragraph">This allows Tier 1 teams to&nbsp;validate&nbsp;suspicious activity earlier and avoid spending several minutes manually checking every file, link, or redirect path.&nbsp;</p>



<p class="wp-block-paragraph">For SOCs and MSSPs, this means faster verdicts, shorter queues, and less time lost on alerts that do not need deep investigation.&nbsp;</p>



<h4 class="wp-block-heading"><em>See What Happens Inside the Browser</em>&nbsp;</h4>



<p class="wp-block-paragraph">For phishing and web-based threats, the most important evidence often appears inside the browser. Static analysis may show a URL or HTML code, but it can miss what happens after the page loads.&nbsp;</p>



<p class="wp-block-paragraph">With&nbsp;<a href="https://any.run/cybersecurity-blog/in-browser-data-inspection/" target="_blank" rel="noreferrer noopener">in-browser data inspection</a>, analysts get deeper visibility into browser-level activity during URL analysis. They can review redirects, scripts, DOM changes, forms, screenshots, requests, and other page&nbsp;behavior&nbsp;in one place. This helps teams understand how the phishing flow works, what data the page tries to collect, and which artifacts can support detection or response.&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="570" src="https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-06-15-at-05.40.53-1024x570.png" alt="" class="wp-image-21695" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-06-15-at-05.40.53-1024x570.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-06-15-at-05.40.53-300x167.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-06-15-at-05.40.53-768x427.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-06-15-at-05.40.53-1536x854.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-06-15-at-05.40.53-2048x1139.png 2048w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-06-15-at-05.40.53-370x206.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-06-15-at-05.40.53-270x150.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-06-15-at-05.40.53-740x412.png 740w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>In-browser data giving analysts full visibility into phishing URL attacks</em>&nbsp;</figcaption></figure>
</div>


<h4 class="wp-block-heading"><em>Let Automation Handle Routine Actions</em>&nbsp;</h4>



<p class="wp-block-paragraph">Many modern threats are built to wait for user&nbsp;behavior. They may&nbsp;require&nbsp;clicks, archive opening, button presses, CAPTCHA solving, QR code extraction, or other actions before the malicious part appears.&nbsp;</p>



<p class="wp-block-paragraph">ANY.RUN’s&nbsp;<a href="https://any.run/cybersecurity-blog/automated-interactivity-stage-two/" target="_blank" rel="noreferrer noopener">Automated Interactivity</a>&nbsp;helps reveal these threats by mimicking real user actions inside the sandbox. It can click, type, open files, follow links, extract URLs, and solve CAPTCHA challenges, helping the analysis reach the final payload or phishing page faster.&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="576" src="https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/image4.jpg-1024x576.webp" alt="ANY.RUN solving CAPTCHA automatically" class="wp-image-21696" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/image4.jpg-1024x576.webp 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/image4.jpg-300x169.webp 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/image4.jpg-768x432.webp 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/image4.jpg-370x208.webp 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/image4.jpg-270x152.webp 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/image4.jpg-740x416.webp 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/image4.jpg.webp 1280w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>ANY.RUN solving CAPTCHA automatically</em></figcaption></figure>
</div>


<p class="wp-block-paragraph">This saves time for analysts because they do not need to manually repeat every routine step. It also reduces the chance that an evasive threat stays hidden simply because no one interacted with it.&nbsp;</p>



<h4 class="wp-block-heading"><em>Keep Analysts in Control When Needed</em>&nbsp;</h4>



<p class="wp-block-paragraph">Automation speeds up the routine work, but triage still needs human judgment. ANY.RUN&nbsp;remains&nbsp;fully interactive, so analysts can step in at any moment, click through the sample, change the path of execution, test suspicious&nbsp;behavior, or inspect details more closely.&nbsp;</p>



<p class="wp-block-paragraph">That combination of automation and manual control is what makes the sandbox valuable for real SOC workflows. Teams can move quickly when the case is simple, but still dig deeper when the alert looks complex, evasive, or business-critical.&nbsp;</p>



<p class="wp-block-paragraph">This makes triage more&nbsp;accurate&nbsp;and less dependent on guesswork. Analysts can&nbsp;observe&nbsp;the threat, confirm&nbsp;behavior, collect evidence, and understand what the alert&nbsp;actually means&nbsp;before closing, escalating, or moving it toward response.&nbsp;</p>



<!-- Regular Banner START -->
<div class="regular-banner">
<!-- Text Content -->
<p class="regular-banner__text">
Reduce manual work during early triage 
 
&nbsp;<br> <span class="highlight">Give your team a faster way to confirm real threats </span> 
</p>
<!-- CTA Link -->
<a class="regular-banner__link" id="article-banner-regular" href="https://any.run/enterprise/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=triage-analyst-guide&amp;utm_term=170626&amp;utm_content=linktoenterprise#contact-sales" target="_blank" rel="noopener">
Speed Up Threat Validation&nbsp;
</a>
</div>
<!-- Regular Banner END -->
<!-- Regular Banner Styles START -->

<style>
.regular-banner {
display: flex;
text-align: center;
flex-direction: column;
align-items: center;
gap: 1.5rem;
width: 100%;
padding: 2rem;
margin: 1.5rem 0;
border-radius: 0.5rem;
font-family: 'Catamaran Bold';
margin-inline: auto;
background: rgba(32, 168, 241, 0.1);
border: 1px solid rgba(75, 174, 227, 0.32);
}

.regular-banner__text {
font-size: 1.5rem;
margin: 0;
}

.highlight {
color: #ea2526;
}

.regular-banner__link {
padding: 0.5rem 1.5rem;
font-weight: 500;
text-decoration: none;
border-radius: 0.5rem;
color: #FFFFFF;
background-color: #1491D4;
text-align: center;
transition: all 0.2s ease-in;
}

.regular-banner__link:hover {
background-color: #68CBFF;
color: white;
}
</style>
<!-- Regular Banner Styles END -->



<h4 class="wp-block-heading"><em>Keep Triage Work Visible Across the Team</em>&nbsp;</h4>



<p class="wp-block-paragraph">In larger SOCs and MSSPs, triage is rarely handled by one person from start to finish. ANY.RUN’s Teamwork capabilities help managers keep sandbox activity organized by reviewing shared task history,&nbsp;monitoring&nbsp;analyst activity, supervising active analyses, and controlling task privacy settings.&nbsp;</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="974" height="573" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Frame-213219284-1024x576.png.jpg" alt="" class="wp-image-21713" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Frame-213219284-1024x576.png.jpg 974w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Frame-213219284-1024x576.png-300x176.jpg 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Frame-213219284-1024x576.png-768x452.jpg 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Frame-213219284-1024x576.png-370x218.jpg 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Frame-213219284-1024x576.png-270x159.jpg 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Frame-213219284-1024x576.png-740x435.jpg 740w" sizes="auto, (max-width: 974px) 100vw, 974px" /><figcaption class="wp-element-caption"><em>Team management in ANY.RUN</em></figcaption></figure>



<p class="wp-block-paragraph">This gives teams better visibility into ongoing investigations, reduces duplicated work, and helps keep triage consistent across analysts, shifts, and client cases.&nbsp;</p>



<h3 class="wp-block-heading">Step 3: Connect&nbsp;Behavior&nbsp;to Threat Context&nbsp;</h3>



<p class="wp-block-paragraph">Once analysts&nbsp;validate&nbsp;suspicious&nbsp;behavior&nbsp;in the sandbox, the next question is context. Is this an isolated event, or part of a larger malware campaign, phishing operation, or active infrastructure?&nbsp;</p>



<p class="wp-block-paragraph">This is where threat intelligence becomes part of the triage decision. Instead of treating an IP, domain, hash, or URL as a separate data point, analysts need to understand how it behaves in real attacks, what infrastructure it connects to, which techniques are involved, and whether similar activity has already been observed in the wild.&nbsp;</p>



<p class="wp-block-paragraph">ANY.RUN helps teams connect sandbox findings with live threat intelligence built from millions of real-world malware and phishing investigations. Analysts can move from “what is this indicator?” to “how does this threat operate?” within seconds.&nbsp;</p>



<h4 class="wp-block-heading"><em>Link IOCs to Real&nbsp;Behavior</em>&nbsp;</h4>



<p class="wp-block-paragraph">A single IOC rarely tells the full story. A suspicious domain may be connected to a payload, a C2 server, a phishing kit, or a known malware family.&nbsp;<br>&nbsp;<br><a href="https://intelligence.any.run/analysis/lookup/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=triage_guide&amp;utm_term=221025&amp;utm_content=linktotilookup#%7B%2522query%2522:%2522domainName:%255C%252223.ip.gl.ply.gg%255C%2522%2522,%2522dateRange%2522:60%7D" target="_blank" rel="noreferrer noopener">domainName:&#8221;23.ip.gl.ply.gg&#8221;</a>&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="391" src="/cybersecurity-blog/wp-content/uploads/2025/10/image2-5-1024x391.png" alt="" class="wp-image-16438" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/image2-5-1024x391.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/image2-5-300x115.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/image2-5-768x293.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/image2-5-370x141.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/image2-5-270x103.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/image2-5-740x283.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/image2-5.png 1495w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Domain check: get a verdict, the context, and additional IOCs</em>&nbsp;</figcaption></figure>
</div>


<p class="wp-block-paragraph">With ANY.RUN, analysts can enrich indicators with execution context, infrastructure relationships, related analyses, and associated TTPs. This helps Tier 1 teams understand not only whether an IOC is suspicious, but why it matters in the current investigation.&nbsp;</p>



<h4 class="wp-block-heading"><em>Understand Whether the Threat Is Active</em>&nbsp;</h4>



<p class="wp-block-paragraph">Triage decisions become stronger when teams know whether the threat is current. An indicator connected to recent malware activity or active phishing infrastructure should be prioritized differently from an old or isolated artifact.&nbsp;</p>



<p class="wp-block-paragraph">ANY.RUN’s <a href="https://any.run/threat-intelligence-lookup/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=triage-analyst-guide&amp;utm_term=170626&amp;utm_content=linktotilookuplanding" target="_blank" rel="noreferrer noopener">Threat Intelligence</a> is based on live attack data from daily investigations across 15,000+ organizations and 600,000 analysts. This gives SOC teams fresh context on active threats and helps them prioritize alerts based on real-world activity, not just static severity.&nbsp;</p>



<h4 class="wp-block-heading"><em>Expand the Investigation Without Starting&nbsp;from&nbsp;Zero</em>&nbsp;</h4>



<p class="wp-block-paragraph">After the first suspicious finding, analysts often need to uncover related infrastructure,&nbsp;additional&nbsp;IOCs, connected samples, or similar&nbsp;behavior&nbsp;patterns.&nbsp;</p>



<p class="wp-block-paragraph">ANY.RUN helps teams pivot from one finding to related files, URLs, domains, IPs, malware families, and attack techniques. This turns triage into a more complete investigation and gives teams more useful evidence for detection, hunting, and response.&nbsp;</p>



<h4 class="wp-block-heading"><em>Feed Better Context&nbsp;into&nbsp;SOC Workflows</em>&nbsp;</h4>



<p class="wp-block-paragraph">Threat context should not stay inside one investigation. It should support the rest of the SOC workflow.&nbsp;</p>



<p class="wp-block-paragraph">ANY.RUN&#8217;s <a href="https://any.run/threat-intelligence-feeds/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=triage-analyst-guide&amp;utm_term=170626&amp;utm_content=linktotifeedslanding" target="_blank" rel="noreferrer noopener">TI Feeds</a> can support triage, incident response, threat hunting, detection engineering, and SIEM/SOAR enrichment. Teams can use the context to reduce manual enrichment, improve alert quality, create better detection logic, and pass clearer information to the next stage of response.&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="451" src="https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-06-17-at-13.39.44-1024x451.png" alt="TI Feeds providing fresh, actionable IOCs from the data of 15k organizations worldwide" class="wp-image-21698" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-06-17-at-13.39.44-1024x451.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-06-17-at-13.39.44-300x132.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-06-17-at-13.39.44-768x338.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-06-17-at-13.39.44-1536x677.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-06-17-at-13.39.44-2048x902.png 2048w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-06-17-at-13.39.44-370x163.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-06-17-at-13.39.44-270x119.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-06-17-at-13.39.44-740x326.png 740w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>TI Feeds&nbsp;providing fresh, actionable IOCs from the data of 15k organizations worldwide</em></figcaption></figure>
</div>


<h3 class="wp-block-heading">Step 4: Turn Findings into a Clear Triage Decision&nbsp;</h3>



<p class="wp-block-paragraph">After&nbsp;behavior&nbsp;validation and threat context enrichment, analysts need to make the final triage&nbsp;call:&nbsp;close the alert, continue monitoring, escalate the case, or move it toward response.&nbsp;</p>



<p class="wp-block-paragraph">At this stage, speed still matters, but clarity matters even more. A triage decision should explain what was&nbsp;observed, why it matters, how serious the threat is, and what the next team should do with the case.&nbsp;</p>



<p class="wp-block-paragraph">ANY.RUN helps turn investigation results into clear, structured evidence. Instead of manually collecting screenshots, copying IOCs, and rewriting&nbsp;behavior&nbsp;notes, analysts can use Tier 1 Reports to summarize the key findings from the sandbox analysis.&nbsp;</p>



<h4 class="wp-block-heading"><em>Give Tier 1 Analysts a Clearer Decision Path</em>&nbsp;</h4>



<p class="wp-block-paragraph"><a href="https://any.run/cybersecurity-blog/soc-ready-reporting/" target="_blank" rel="noreferrer noopener">Tier 1 Reports</a>&nbsp;help analysts quickly understand the verdict, malicious activity, IOCs,&nbsp;behavioral&nbsp;indicators, MITRE ATT&amp;CK techniques, and recommended next steps.&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="685" src="https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-05-12-at-13.53.31.png-1024x685.webp" alt="AI Summary inside Tier 1 reports, giving a complete description of the attack" class="wp-image-21699" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-05-12-at-13.53.31.png-1024x685.webp 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-05-12-at-13.53.31.png-300x201.webp 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-05-12-at-13.53.31.png-768x514.webp 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-05-12-at-13.53.31.png-1536x1027.webp 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-05-12-at-13.53.31.png-370x247.webp 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-05-12-at-13.53.31.png-270x181.webp 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-05-12-at-13.53.31.png-740x495.webp 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2025/10/Screenshot-2026-05-12-at-13.53.31.png.webp 1890w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>AI Summary inside Tier 1 reports, giving a complete description of&nbsp;the attack</em></figcaption></figure>
</div>


<p class="wp-block-paragraph">This supports faster and more confident decisions during early triage. Analysts can see whether the alert should be closed as benign, escalated for deeper investigation, or treated as a confirmed threat that needs response.&nbsp;</p>



<h4 class="wp-block-heading"><em>Make Escalation Cleaner</em>&nbsp;</h4>



<p class="wp-block-paragraph">When escalation is needed, the next team should not receive a vague alert with limited context. They need evidence.&nbsp;</p>



<p class="wp-block-paragraph">With structured reporting, Tier 1 teams can pass a clearer case summary to Tier 2, incident response, or detection engineering. The report shows what happened during execution, which indicators were involved, and which&nbsp;behaviors&nbsp;made the case suspicious or malicious.&nbsp;</p>



<p class="wp-block-paragraph">This reduces back-and-forth, saves senior specialists time, and helps the investigation move forward faster.&nbsp;</p>



<!-- Regular Banner START -->
<div class="regular-banner">
<!-- Text Content -->
<p class="regular-banner__text">
Give Tier 1 teams clearer evidence from the first alert 
&nbsp;<br> <span class="highlight">Analyze, enrich, and report threats faster with ANY.RUN</span> 
</p>
<!-- CTA Link -->
<a class="regular-banner__link" id="article-banner-regular" href="https://any.run/enterprise/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=triage-analyst-guide&amp;utm_term=170626&amp;utm_content=linktoenterprise#contact-sales" target="_blank" rel="noopener">
Improve SOC Triage &nbsp;
</a>
</div>
<!-- Regular Banner END -->
<!-- Regular Banner Styles START -->

<style>
.regular-banner {
display: flex;
text-align: center;
flex-direction: column;
align-items: center;
gap: 1.5rem;
width: 100%;
padding: 2rem;
margin: 1.5rem 0;
border-radius: 0.5rem;
font-family: 'Catamaran Bold';
margin-inline: auto;
background: rgba(32, 168, 241, 0.1);
border: 1px solid rgba(75, 174, 227, 0.32);
}

.regular-banner__text {
font-size: 1.5rem;
margin: 0;
}

.highlight {
color: #ea2526;
}

.regular-banner__link {
padding: 0.5rem 1.5rem;
font-weight: 500;
text-decoration: none;
border-radius: 0.5rem;
color: #FFFFFF;
background-color: #1491D4;
text-align: center;
transition: all 0.2s ease-in;
}

.regular-banner__link:hover {
background-color: #68CBFF;
color: white;
}
</style>
<!-- Regular Banner Styles END -->



<h4 class="wp-block-heading"><em>Help Leaders See the Risk Behind the Alert</em>&nbsp;</h4>



<p class="wp-block-paragraph">For SOC leaders and MSSP managers, structured triage output also improves visibility. Clear reports make it easier to understand which threats were&nbsp;validated, how severe they were, what actions were taken, and where the team may need more coverage or support.&nbsp;</p>



<p class="wp-block-paragraph">This turns triage from a fast technical check into a measurable security process. Teams can track outcomes, improve consistency, and show how daily alert handling contributes to risk reduction.&nbsp;</p>



<p class="wp-block-paragraph">In short, this step helps teams move from “we found the evidence” to “we know what decision to make and how to move the case forward.”&nbsp;</p>



<h2 class="wp-block-heading">Building a More Consistent Triage Practice&nbsp;</h2>



<p class="wp-block-paragraph">Expert triage is not only about one strong investigation. It is about making good decisions repeatable across analysts, shifts, and alert types.&nbsp;</p>



<p class="wp-block-paragraph">When every analyst follows a different path, triage becomes hard to measure and harder to improve. One person may escalate too early, another may spend too much time on low-risk alerts, and another may miss useful context before closing a case.&nbsp;</p>



<p class="wp-block-paragraph">A stronger approach is to standardize how alerts are reviewed,&nbsp;validated, documented, and escalated.&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="801" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Key-Triage-Challenges-1-1024x801.png" alt="" class="wp-image-21717" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Key-Triage-Challenges-1-1024x801.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Key-Triage-Challenges-1-300x235.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Key-Triage-Challenges-1-768x601.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Key-Triage-Challenges-1-1536x1202.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Key-Triage-Challenges-1-2048x1603.png 2048w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Key-Triage-Challenges-1-370x290.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Key-Triage-Challenges-1-270x211.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Key-Triage-Challenges-1-385x300.png 385w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Key-Triage-Challenges-1-740x579.png 740w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Faster triage with ANY.RUN&#8217;s solutions</em></figcaption></figure>
</div>


<h3 class="wp-block-heading">Define What “Ready for Escalation” Means&nbsp;</h3>



<p class="wp-block-paragraph">Tier 2 and IR teams should not receive alerts with missing context. Before escalation, analysts should be able to show what triggered the alert, what behavior was confirmed, which indicators were involved, and why the case needs deeper investigation.</p>



<p class="wp-block-paragraph">This helps reduce back-and-forth and keeps senior specialists focused on cases that truly need their attention.&nbsp;</p>



<h3 class="wp-block-heading">Create Clear Rules for Closing Alerts&nbsp;</h3>



<p class="wp-block-paragraph">Closing an alert should be just as structured as escalating one. Teams need clear criteria for when an alert can be marked as benign, suspicious, or confirmed malicious.</p>



<p class="wp-block-paragraph">This protects the SOC from two common problems: wasting time on weak signals and closing risky cases too early.&nbsp;</p>



<h3 class="wp-block-heading">Make Triage Knowledge Reusable&nbsp;</h3>



<p class="wp-block-paragraph">Every completed investigation can help the next one. Useful IOCs,&nbsp;behavior&nbsp;patterns, screenshots, ATT&amp;CK techniques, and verdict reasoning should not stay inside one analyst’s notes.&nbsp;</p>



<p class="wp-block-paragraph">When findings are documented clearly, they can support future triage, detection engineering, threat hunting, and training for newer team members.&nbsp;</p>



<h3 class="wp-block-heading">Review the Process, Not Just the Alert&nbsp;</h3>



<p class="wp-block-paragraph">Improving triage means looking beyond individual cases. SOC leaders should review where analysts spend the most time, which alert types create unnecessary escalations, where false positives come from, and which steps slow the team down.&nbsp;</p>



<p class="wp-block-paragraph">This turns triage into a process that can be measured and improved over time.&nbsp;</p>



<h3 class="wp-block-heading">Keep the Workflow Practical&nbsp;</h3>



<p class="wp-block-paragraph">The best triage process is the one&nbsp;analysts&nbsp;can&nbsp;actually follow&nbsp;during a busy shift. It should reduce manual work, make evidence easier to collect, and help teams move from alert to decision without adding extra complexity.&nbsp;</p>



<p class="wp-block-paragraph">That is how triage becomes more than a daily task. It becomes a repeatable SOC capability that improves speed, accuracy, and confidence across the whole team.&nbsp;</p>



<!-- Regular Banner START -->
<div class="regular-banner">
<!-- Text Content -->
<p class="regular-banner__text">
Help your SOC move faster when risk is real 
&nbsp;<br> <span class="highlight">Validate suspicious alerts with stronger evidence and context</span> 
</p>
<!-- CTA Link -->
<a class="regular-banner__link" id="article-banner-regular" href="https://any.run/enterprise/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=triage-analyst-guide&amp;utm_term=170626&amp;utm_content=linktoenterprise#contact-sales" target="_blank" rel="noopener">
Accelerate Triage Now &nbsp;
</a>
</div>
<!-- Regular Banner END -->
<!-- Regular Banner Styles START -->

<style>
.regular-banner {
display: flex;
text-align: center;
flex-direction: column;
align-items: center;
gap: 1.5rem;
width: 100%;
padding: 2rem;
margin: 1.5rem 0;
border-radius: 0.5rem;
font-family: 'Catamaran Bold';
margin-inline: auto;
background: rgba(32, 168, 241, 0.1);
border: 1px solid rgba(75, 174, 227, 0.32);
}

.regular-banner__text {
font-size: 1.5rem;
margin: 0;
}

.highlight {
color: #ea2526;
}

.regular-banner__link {
padding: 0.5rem 1.5rem;
font-weight: 500;
text-decoration: none;
border-radius: 0.5rem;
color: #FFFFFF;
background-color: #1491D4;
text-align: center;
transition: all 0.2s ease-in;
}

.regular-banner__link:hover {
background-color: #68CBFF;
color: white;
}
</style>
<!-- Regular Banner Styles END -->



<h2 class="wp-block-heading">Conclusion: Turn Alert Triage into Measurable SOC Value&nbsp;</h2>



<p class="wp-block-paragraph">Alert triage is where SOC teams decide what to close, escalate, or move toward response. When that process is slow or inconsistent, teams waste time, senior specialists get overloaded, and real threats can stay unresolved longer.&nbsp;</p>



<p class="wp-block-paragraph">ANY.RUN helps SOCs and MSSPs validate threats faster, reduce manual investigation work, improve escalation quality, and give teams clearer evidence for response.&nbsp;</p>



<p class="wp-block-paragraph">For security leaders, this means better use of analyst capacity, faster incident handling, stronger SLA performance, and clearer visibility into operational risk.&nbsp;</p>



<p class="wp-block-paragraph">With ANY.RUN, triage becomes more than alert handling. It becomes a faster, more consistent process for reducing risk and proving SOC impact.&nbsp;</p>



<h2 class="wp-block-heading">About ANY.RUN&nbsp;&nbsp;</h2>



<p class="wp-block-paragraph"><a href="https://any.run/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=triage-analyst-guide&amp;utm_term=170626&amp;utm_content=linktolanding" target="_blank" rel="noreferrer noopener">ANY.RUN</a> helps SOC teams, MSSPs, and enterprises investigate cyber threats faster through interactive malware analysis and threat intelligence.</p>



<p class="wp-block-paragraph">Its cloud-based <a href="https://any.run/features/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=triage-analyst-guide&amp;utm_term=170626&amp;utm_content=linktosandboxlanding" target="_blank" rel="noreferrer noopener">Interactive Sandbox</a> enables security teams to safely analyze suspicious files, URLs, and emails in real time, observe attack behavior as it unfolds, and collect actionable evidence for rapid response.</p>



<p class="wp-block-paragraph">ANY.RUN’s <a href="https://any.run/threat-intelligence-lookup/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=triage-analyst-guide&amp;utm_term=170626&amp;utm_content=linktotilookuplanding" target="_blank" rel="noreferrer noopener">Threat Intelligence</a> solutions provide additional context around threats, infrastructure, and attacker activity, helping organizations enrich investigations, streamline security workflows, and improve threat detection. Together, these capabilities enable faster triage, more informed decision-making, and more efficient security operations at scale.</p>
<p>The post <a href="https://any.run/cybersecurity-blog/triage-analyst-guide/">Faster Triage, Clearer Evidence, Lower Risk: A SOC Guide to Better Alert Handling</a> appeared first on <a href="https://any.run/cybersecurity-blog">ANY.RUN&#039;s Cybersecurity Blog</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://any.run/cybersecurity-blog/triage-analyst-guide/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The New Standard for URL Analysis: Closing Phishing Blind Spots with In-Browser Data Inspection </title>
		<link>https://any.run/cybersecurity-blog/in-browser-data-inspection/</link>
					<comments>https://any.run/cybersecurity-blog/in-browser-data-inspection/#respond</comments>
		
		<dc:creator><![CDATA[ANY.RUN]]></dc:creator>
		<pubDate>Tue, 16 Jun 2026 10:11:34 +0000</pubDate>
				<category><![CDATA[Service Updates]]></category>
		<category><![CDATA[ANYRUN]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[malware analysis]]></category>
		<guid isPermaLink="false">https://any.run/cybersecurity-blog/?p=21658</guid>

					<description><![CDATA[<p>Modern URL phishing relies on dynamic pages, credential harvesting flows, client-side scripts, and layered redirect chains. But most SOC workflows are still built around static analysis, making them blind to most of these tactics.  ANY.RUN changes this forever with in-browser data inspection.  The&#160;new technology&#160;takes URL analysis to the next level by bringing static and dynamic analysis into one single workflow.&#160;Now, [&#8230;]</p>
<p>The post <a href="https://any.run/cybersecurity-blog/in-browser-data-inspection/">The New Standard for URL Analysis: Closing Phishing Blind Spots with In-Browser Data Inspection </a> appeared first on <a href="https://any.run/cybersecurity-blog">ANY.RUN&#039;s Cybersecurity Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="wp-block-paragraph">Modern URL phishing relies on dynamic pages, credential harvesting flows, client-side scripts, and layered redirect chains. But most SOC workflows are still built around static analysis, making them blind to most of these tactics. </p>



<p class="wp-block-paragraph"><a href="https://any.run/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=in-browser-data-inspection&amp;utm_term=160626&amp;utm_content=linktolanding" target="_blank" rel="noreferrer noopener">ANY.RUN</a> changes this forever with in-browser data inspection. </p>



<p class="wp-block-paragraph">The&nbsp;new technology&nbsp;takes URL analysis to the next level by bringing static and dynamic analysis into one single workflow.&nbsp;Now, every phishing URL’s&nbsp;behavior&nbsp;like script&nbsp;execution&nbsp;and&nbsp;redirects&nbsp;is&nbsp;visible&nbsp;to the analyst&nbsp;in&nbsp;real time,&nbsp;leaving no blind spots for attackers to exploit.&nbsp;&nbsp;</p>



<p class="wp-block-paragraph"><strong>Available to all ANY.RUN users</strong>, this new layer of URL <a href="https://any.run/cybersecurity-blog/phishing-detection-steps-for-cisos/" target="_blank" rel="noreferrer noopener">phishing visibility</a> provides a massive boost for the triage and response speed for SOC &amp; <a href="https://any.run/mssp/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=in-browser-data-inspection&amp;utm_term=160626&amp;utm_content=linktomssp" target="_blank" rel="noreferrer noopener">MSSP</a> teams, enabling them to see and contain critical attacks before they become incidents. </p>



<h2 class="wp-block-heading">Before vs. After:&nbsp;Fixing Slow and Painful URL Triage Process&nbsp;</h2>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="620" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/unfo2-1024x620.png" alt="" class="wp-image-21661" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/unfo2-1024x620.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/unfo2-300x182.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/unfo2-768x465.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/unfo2-1536x929.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/unfo2-2048x1239.png 2048w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/unfo2-370x224.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/unfo2-270x163.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/unfo2-740x448.png 740w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>ANY.RUN delivers complete URL phishing context within seconds</em> </figcaption></figure>
</div>


<p class="wp-block-paragraph">Right now, the&nbsp;<strong>typical URL analysis process for most SOC&nbsp;and MSSP teams&nbsp;looks&nbsp;like this</strong>: A suspicious URL comes in, and the analyst starts assembling context.&nbsp;They scan the URL to get basic info, sandbox it to see what it does, trace redirects, inspect traffic, and still&nbsp;have to&nbsp;piece everything together manually to&nbsp;make&nbsp;a decision.&nbsp;</p>



<p class="wp-block-paragraph"><strong>This turns every alert into a time-consuming task.&nbsp;</strong>Analysts spend extra time validating signals,&nbsp;escalate&nbsp;cases by default, and still risk closing malicious URLs without fully understanding their behavior.&nbsp;&nbsp;</p>



<h3 class="wp-block-heading">URL Analysis with ANY.RUN: Full Static &amp; Dynamic URL Context within Seconds </h3>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="831" height="1024" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/unfo1-831x1024.png" alt="" class="wp-image-21662" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/unfo1-831x1024.png 831w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/unfo1-243x300.png 243w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/unfo1-768x947.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/unfo1-1246x1536.png 1246w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/unfo1-1662x2048.png 1662w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/unfo1-370x456.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/unfo1-270x333.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/unfo1-740x912.png 740w" sizes="auto, (max-width: 831px) 100vw, 831px" /><figcaption class="wp-element-caption"><em>See all URL details, DOM changes, network requests, and IOCs in one place</em> </figcaption></figure>
</div>


<p class="wp-block-paragraph">In-browser data inspection solves this friction by giving&nbsp;<strong>you the full&nbsp;static and dynamic&nbsp;URL context&nbsp;in just one click</strong>. The page executes in a real browser, and everything that matters, redirects, scripts, DOM changes, user-facing content, is captured and presented to you in a single view.&nbsp;No tab switching.&nbsp;</p>



<p class="wp-block-paragraph"><strong>The result is an instant view of the attack in one place</strong>: How the user is redirected, what scripts drive the interaction, where data is collected, and how the phishing flow is constructed end-to-end.&nbsp;&nbsp;</p>



<p class="wp-block-paragraph">The&nbsp;<strong>context</strong>&nbsp;that used to take up to an hour to collect is now<strong>&nbsp;delivered within seconds</strong>, complete with a verdict and ready for confident next-step decisions.&nbsp;</p>



<!-- Regular Banner START -->
<div class="regular-banner">
<!-- Text Content -->
<p class="regular-banner__text">
Analyze <span class="highlight">any suspicious URL</span> with ANY.RUN 
<br>
See how it compares to <span class="highlight">your usual analysis flow</span>
</p>
<!-- CTA Link -->
<a class="regular-banner__link" id="article-banner-regular" href="https://app.any.run/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=in-browser-data-inspection&#038;utm_term=160626&#038;utm_content=linktoservice" rel="noopener" target="_blank">
Launch analysis
</a>
</div>
<!-- Regular Banner END -->
<!-- Regular Banner Styles START -->

<style>
.regular-banner {
display: flex;
text-align: center;
flex-direction: column;
align-items: center;
gap: 1.5rem;
width: 100%;
padding: 2rem;
margin: 1.5rem 0;
border-radius: 0.5rem;
font-family: 'Catamaran Bold';
margin-inline: auto;
background: rgba(32, 168, 241, 0.1);
border: 1px solid rgba(75, 174, 227, 0.32);
}

.regular-banner__text {
font-size: 1.5rem;
margin: 0;
}

.highlight {
color: #ea2526;
}

.regular-banner__link {
padding: 0.5rem 1.5rem;
font-weight: 500;
text-decoration: none;
border-radius: 0.5rem;
color: #FFFFFF;
background-color: #1491D4;
text-align: center;
transition: all 0.2s ease-in;
}

.regular-banner__link:hover {
background-color: #68CBFF;
color: white;
}
</style>
<!-- Regular Banner Styles END -->



<h2 class="wp-block-heading">Why Existing URL&nbsp;Investigation&nbsp;Approaches Fall Short&nbsp;</h2>



<p class="wp-block-paragraph">Many security solutions still lack the&nbsp;<strong>dynamic browser-level visibility&nbsp;</strong>needed to clearly understand how a phishing attack unfolds in real time, resulting in critical gaps:&nbsp;</p>



<ul class="wp-block-list">
<li>Analysts may see a screenshot of the final page, but not the full path that led to it: redirects, scripts, iframe activity, and intermediate page states </li>
</ul>



<ul class="wp-block-list">
<li>Limited visibility into the forms, content, and user-facing elements the victim actually saw and interacted with </li>
</ul>



<ul class="wp-block-list">
<li>Missing context around DOM changes, injected content, and dynamically loaded elements during page execution </li>
</ul>



<ul class="wp-block-list">
<li>Reliance on static page analysis instead of a dynamic, step-by-step view of real browser behavior </li>
</ul>



<ul class="wp-block-list">
<li>Lack of automatically collected DOM history that allows analysts to inspect page changes across different execution stages </li>
</ul>



<ul class="wp-block-list">
<li>No visibility into browser activity preceding WAF alerts or application logs </li>
</ul>



<p class="wp-block-paragraph">Without browser-level inspection, critical evidence can remain hidden from investigators.&nbsp;As a result, analysts often need to combine multiple tools and data sources to fully understand a single URL.&nbsp;</p>



<h2 class="wp-block-heading">The Operational Impact&nbsp;of Visibility Gaps&nbsp;for&nbsp;Security Teams&nbsp;</h2>



<p class="wp-block-paragraph">These visibility gaps create several operational challenges for SOC teams:&nbsp;</p>



<ul class="wp-block-list">
<li><strong>Fragmented Workflow: </strong>Reconstructing webpage behavior across multiple tools and data sources slows investigations, increases manual effort, and delays response. </li>
</ul>



<ul class="wp-block-list">
<li><strong>Inefficient Resource Management:</strong> When analysts lack sufficient evidence to classify a URL confidently, potentially benign links are often escalated to senior team members, consuming valuable resources. </li>
</ul>



<ul class="wp-block-list">
<li><strong>Phishing Analysis Gap: </strong>Solutions focused on file or <a href="https://any.run/cybersecurity-blog/how-to-analyze-malicious-network-traffic/" target="_blank" rel="noreferrer noopener">network activity</a> may miss critical phishing context, leaving analysts without sufficient browser-level evidence. </li>
</ul>



<p class="wp-block-paragraph">As phishing attacks continue to rise, security teams need faster and more reliable ways to investigate suspicious URLs.&nbsp;In-browser&nbsp;data&nbsp;inspection closes this visibility gap by introducing a new layer of&nbsp;webpage-level investigation&nbsp;evidence.&nbsp;</p>



<h2 class="wp-block-heading">Beyond URL Scanning: Full Browser Visibility for Phishing Investigations&nbsp;</h2>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="576" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/In-Browser-Data-Inspection-2-1024x576.png" alt="" class="wp-image-21674" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/In-Browser-Data-Inspection-2-1024x576.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/In-Browser-Data-Inspection-2-300x169.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/In-Browser-Data-Inspection-2-768x432.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/In-Browser-Data-Inspection-2-1536x864.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/In-Browser-Data-Inspection-2-2048x1152.png 2048w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/In-Browser-Data-Inspection-2-370x208.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/In-Browser-Data-Inspection-2-270x152.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/In-Browser-Data-Inspection-2-740x416.png 740w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Functionality and impact delivered by ANY.RUN surpasses what most solutions offer</em>&nbsp;</figcaption></figure>
</div>


<p class="wp-block-paragraph">As phishing and browser-based threats continue to grow in both&nbsp;volume&nbsp;and sophistication,&nbsp;it’s&nbsp;time for&nbsp;SOC and MSSP&nbsp;teams to upgrade their&nbsp;operations to match&nbsp;the reality of modern attacks.&nbsp;</p>



<p class="wp-block-paragraph">Available to all ANY.RUN users, in-browser data inspection introduces an investigation layer missing from many security operations today.&nbsp;Unlike workflows that force analysts to piece together evidence across&nbsp;multiple&nbsp;tools, ANY.RUN provides dynamic, in-depth browser visibility, making URL investigations faster, clearer, and more reliable.&nbsp;</p>



<p class="wp-block-paragraph">This&nbsp;<strong>new investigation&nbsp;layer&nbsp;</strong>enables SOC analysts to:&nbsp;</p>



<ul class="wp-block-list">
<li>Instantly validate, enrich, and prioritize phishing threats using evidence that often remains hidden in conventional URL analysis workflows </li>
</ul>



<ul class="wp-block-list">
<li>Reduce uncertainty during investigations with direct visibility into what happens during execution </li>
</ul>



<ul class="wp-block-list">
<li>Reveal the complete attack chain, including redirects, executed scripts, iframes, and dynamically loaded content </li>
</ul>



<ul class="wp-block-list">
<li>Track browser and DOM changes across every stage of page execution </li>
</ul>



<ul class="wp-block-list">
<li>Gather the evidence required for fast triage, escalation, and response from a single investigation workflow </li>
</ul>



<ul class="wp-block-list">
<li>Access threat intelligence required for detection engineering, <a href="https://any.run/cybersecurity-blog/threat-hunting-for-soc-and-mssp/" target="_blank" rel="noreferrer noopener">hunting</a>, and campaign analysis </li>
</ul>



<p class="wp-block-paragraph">All without leaving the <a href="https://any.run/features/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=in-browser-data-inspection&amp;utm_term=160626&amp;utm_content=linktosandboxlanding" target="_blank" rel="noreferrer noopener">sandboxing</a> interface. </p>



<p class="wp-block-paragraph">Instead of relying solely on network logs or file traces, the&nbsp;new inspection method&nbsp;allows you to&nbsp;see&nbsp;<strong>all&nbsp;browser activity</strong>&nbsp;observed&nbsp;on the webpage, including forms, content, DOM changes, scripts, and&nbsp;redirects.&nbsp;This provides direct access to behavioral insights and&nbsp;evidence&nbsp;that&nbsp;often&nbsp;remain&nbsp;unavailable in&nbsp;URL analysis and&nbsp;sandboxing workflows.&nbsp;</p>



<p class="wp-block-paragraph">Unlike workflows that require analysts to manually reconstruct browser activity from multiple data sources, in-browser data inspection&nbsp;consolidates&nbsp;browser telemetry, page content, behavioral evidence, and threat intelligence into a single investigation experience.&nbsp;</p>



<p class="wp-block-paragraph">This allows teams to move from <a href="https://any.run/cybersecurity-blog/safebrowsing-extension/" target="_blank" rel="noreferrer noopener">URL analysis </a>to confident decisions faster, with less effort and greater visibility. The result is <a href="https://any.run/cybersecurity-blog/triage-analyst-guide/" target="_blank" rel="noreferrer noopener">accelerated triage</a>, more validated escalations, stronger detections, and <a href="https://any.run/cybersecurity-blog/efficient-soc-for-fast-response/" target="_blank" rel="noreferrer noopener">more efficient </a>security operations. </p>



<h2 class="wp-block-heading">Change the Way You Investigate Phishing with In-Browser Data Inspection&nbsp;</h2>



<p class="wp-block-paragraph">In-browser data inspection changes how phishing investigations are performed.&nbsp;By delivering&nbsp;dynamic&nbsp;browser visibility within ANY.RUN&#8217;s Interactive Sandbox, it helps SOC and MSSP teams investigate threats faster, reduce uncertainty, and make more confident incident response&nbsp;decisions.&nbsp;</p>



<p class="wp-block-paragraph">Instead of piecing together screenshots, redirects, page content, browser artifacts, and external intelligence from multiple tools, analysts receive a complete browser-level investigation within a single workflow.&nbsp;</p>



<p class="wp-block-paragraph">To start&nbsp;your investigation<strong>,&nbsp;</strong>simply&nbsp;open the&nbsp;<strong>Browser Data&nbsp;</strong>tab to access a complete, dynamic&nbsp;view of the web&nbsp;page&nbsp;execution.&nbsp;It&#8217;s&nbsp;available within every URL analysis in ANY.RUN&#8217;s Interactive Sandbox.&nbsp;</p>



<p class="wp-block-paragraph"><a href="https://app.any.run/tasks/9ad891af-11b7-4e0d-a600-f3c8b594875b/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=in-browser-data-inspection&amp;utm_term=160626&amp;utm_content=linktoservice" target="_blank" rel="noreferrer noopener">View analysis</a> </p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="485" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-09-at-11.42.23-1024x485.png" alt="" class="wp-image-21665" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-09-at-11.42.23-1024x485.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-09-at-11.42.23-300x142.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-09-at-11.42.23-768x364.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-09-at-11.42.23-1536x727.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-09-at-11.42.23-2048x970.png 2048w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-09-at-11.42.23-370x175.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-09-at-11.42.23-270x128.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-09-at-11.42.23-740x350.png 740w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Phishing analysis inside ANY.RUN’s Interactive Sandbox. Browser Data tab </em> </figcaption></figure>
</div>


<h2 class="wp-block-heading">Understand the Attack Flow&nbsp;</h2>



<p class="wp-block-paragraph">The<strong>&nbsp;Browser Data&nbsp;</strong>within&nbsp;ANY.RUN&#8217;s Interactive&nbsp;Sandbox&nbsp;provides&nbsp;the entire&nbsp;web page execution&nbsp;tree, from&nbsp;initial&nbsp;URL to the final&nbsp;page view,&nbsp;featuring all redirects and activated&nbsp;iframes.&nbsp;Color highlights and tags&nbsp;point to the pages responsible for triggering&nbsp;detections.&nbsp;</p>



<p class="wp-block-paragraph"><strong>Investigation outcome:&nbsp;</strong>Accelerate triage and escalation decisions&nbsp;by gaining an immediate overview of the dynamic attack flow and&nbsp;identifying&nbsp;the most relevant stages for further analysis.&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="366" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image6-1024x366.png" alt="" class="wp-image-21666" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image6-1024x366.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image6-300x107.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image6-768x274.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image6-1536x549.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image6-370x132.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image6-270x96.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image6-740x264.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image6.png 1845w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>HTTP Requests tab within Browser Data section. ANY.RUN’s Interactive Sandbox</em> </figcaption></figure>
</div>


<p class="wp-block-paragraph">Detailed&nbsp;<strong>HTTP&nbsp;Requests</strong>&nbsp;data&nbsp;provides complete visibility into redirects, requests, and responses generated during page execution.&nbsp;&nbsp;</p>



<p class="wp-block-paragraph"><strong>Investigation outcome:&nbsp;</strong>Improve threat validation and detection engineering&nbsp;by reconstructing redirect chains and collecting evidence for IDS detections and network-based hunting rules.&nbsp;</p>



<h3 class="wp-block-heading">Analyze Browser-Level Behavior&nbsp;</h3>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="495" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image2-1024x495.png" alt="" class="wp-image-21667" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image2-1024x495.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image2-300x145.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image2-768x371.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image2-1536x742.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image2-370x179.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image2-270x130.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image2-740x357.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image2.png 1849w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>URL Details displays related context and screenshots. ANY.RUN’s Interactive Sandbox</em> </figcaption></figure>
</div>


<p class="wp-block-paragraph">Explore&nbsp;browser-level telemetry,&nbsp;including triggered signatures, domain, URL, and IP statistics, as well as&nbsp;rendered&nbsp;screenshots of the analyzed page.&nbsp;</p>



<p class="wp-block-paragraph"><strong>Investigation outcome:&nbsp;</strong>Improve threat validation and detection engineering&nbsp;by reconstructing redirect chains and collecting evidence for IDS detections and network-based hunting rules.&nbsp;</p>



<p class="wp-block-paragraph">To see which code fragments were added to the DOM after the page loaded, go to the HTML DOM Changes tab for <a href="https://any.run/cybersecurity-blog/five-common-malware-evasion-techniques/" target="_blank" rel="noreferrer noopener">deobfuscation</a>. It will reveal what static analysis misses: </p>



<p class="wp-block-paragraph"><a href="https://app.any.run/tasks/586505b8-897f-4e2f-b520-e4eecf31d453/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=in-browser-data-inspection&amp;utm_term=160626&amp;utm_content=linktoservice" target="_blank" rel="noreferrer noopener">View analysis</a> </p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="413" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-16-at-09.58.05-1-1024x413.png" alt="" class="wp-image-21669" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-16-at-09.58.05-1-1024x413.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-16-at-09.58.05-1-300x121.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-16-at-09.58.05-1-768x310.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-16-at-09.58.05-1-1536x619.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-16-at-09.58.05-1-2048x826.png 2048w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-16-at-09.58.05-1-370x149.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-16-at-09.58.05-1-270x109.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/Screenshot-2026-06-16-at-09.58.05-1-740x298.png 740w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>The green lines show the new code which was added to the DOM after the page loaded. ANY.RUN’s Interactive Sandbox</em> </figcaption></figure>
</div>


<p class="wp-block-paragraph">In-browser data inspection captures the <a href="https://app.any.run/tasks/586505b8-897f-4e2f-b520-e4eecf31d453?w=6a2b3e90017aef632e2c2b93&amp;t=dom/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=in-browser-data-inspection&amp;utm_term=160626&amp;utm_content=linktoservice" target="_blank" rel="noreferrer noopener">fully rendered and interactive state of the page</a>, allowing the analyst to see the actual behavior, including hidden forms, redirects, and user interaction logic that were impossible to understand statically. </p>



<p class="wp-block-paragraph"><strong>Investigation outcome:&nbsp;</strong>Strengthen threat hunting and detection engineering&nbsp;by&nbsp;identifying&nbsp;phishing elements, reconstructing the loading process, and extracting behavioral artifacts.&nbsp;</p>



<h3 class="wp-block-heading">Expand the Investigation Beyond the Initial Sample&nbsp;</h3>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="366" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image7-1024x366.png" alt="" class="wp-image-21670" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image7-1024x366.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image7-300x107.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image7-768x274.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image7-1536x549.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image7-370x132.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image7-270x96.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image7-740x264.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/image7.png 1845w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Track all related indicators in a dedicated tab. ANY.RUN’s Interactive Sandbox</em> </figcaption></figure>
</div>


<p class="wp-block-paragraph">Collected&nbsp;<strong>Indicators&nbsp;</strong>include URLs, domains, IP addresses, and hashes of web content associated with the analyzed page.&nbsp;</p>



<p class="wp-block-paragraph"><strong>Investigation outcome:&nbsp;</strong>Expand investigations&nbsp;beyond a single sample by developing pivoting hypotheses and uncovering attacker-controlled infrastructure.&nbsp;</p>



<p class="wp-block-paragraph">Content extracted from web page snapshots can&nbsp;also&nbsp;be used to create custom hunting and detection rules backed by ANY.RUN Threat Intelligence.&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="863" height="389" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/imagea.png" alt="" class="wp-image-21671" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/imagea.png 863w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/imagea-300x135.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/imagea-768x346.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/imagea-370x167.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/imagea-270x122.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/imagea-740x334.png 740w" sizes="auto, (max-width: 863px) 100vw, 863px" /><figcaption class="wp-element-caption"><em>YARA rule built based on Browser Data. ANY.RUN’s TI Lookup &amp; YARA Search</em> </figcaption></figure>
</div>


<p class="wp-block-paragraph">In this example, a YARA rule created from a single phishing page identified 145 related samples within <a href="https://any.run/threat-intelligence-lookup/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=in-browser-data-inspection&amp;utm_term=160626&amp;utm_content=linktotilookuplanding" target="_blank" rel="noreferrer noopener">Threat Intelligence Lookup &amp; YARA Search</a>: </p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="540" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/imageb-1024x540.png" alt="" class="wp-image-21672" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/imageb-1024x540.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/imageb-300x158.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/imageb-768x405.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/imageb-1536x810.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/imageb-370x195.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/imageb-270x142.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/imageb-740x390.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/imageb.png 1572w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>YARA rule browsing results. ANY.RUN’s TI Lookup &amp; YARA Search</em> </figcaption></figure>
</div>


<p class="wp-block-paragraph"><strong>Investigation outcomes:</strong>&nbsp;</p>



<ul class="wp-block-list">
<li>Expand visibility beyond a single URL or alert </li>
</ul>



<ul class="wp-block-list">
<li>Validate threat hunting hypotheses with browser-level evidence </li>
</ul>



<ul class="wp-block-list">
<li>Assess the scale of an attack campaign </li>
</ul>



<ul class="wp-block-list">
<li>Develop resilient detections based on attacker tooling and page artifacts </li>
</ul>



<h2 class="wp-block-heading">Turning Powerful Visibility into Stronger Security Outcomes&nbsp;</h2>



<p class="wp-block-paragraph">By combining interactive sandboxing, full browser-level visibility, and threat intelligence sourced from over 15,000 security teams, ANY.RUN transforms URL investigations from fragmented, manual analysis into fast, evidence-based decision-making.&nbsp;</p>



<p class="wp-block-paragraph">Through&nbsp;eliminating&nbsp;visibility gaps and reducing the need for disconnected tools, security teams can improve outcomes across the entire investigation workflow:&nbsp;</p>



<ul class="wp-block-list">
<li><strong>Faster triage and fewer unnecessary escalations:</strong> With immediate access to browser-level evidence, Tier 1 analysts can validate suspicious URLs faster and escalate fewer benign cases, improving productivity and reducing pressure on senior teams. </li>
</ul>



<ul class="wp-block-list">
<li><strong>Smoother handoff and incident response: </strong>When escalation is required, Tier 2 analysts receive a complete evidence package rather than disconnected indicators, accelerating validation and reducing MTTR. </li>
</ul>



<ul class="wp-block-list">
<li><strong>Stronger detection engineering: </strong>Browser telemetry provides a new source of intelligence for building custom detections, hunting hypotheses, and phishing signatures based on real-world attack behavior. </li>
</ul>



<ul class="wp-block-list">
<li><strong>Structured reporting: </strong>Built-in <a href="https://any.run/cybersecurity-blog/soc-ready-reporting/" target="_blank" rel="noreferrer noopener">SOC-ready reports </a>transform complex investigations into decision-ready intelligence, simplifying triage, escalation, response, and stakeholder communication. </li>
</ul>



<p class="wp-block-paragraph">For enterprises and MSSPs, these operational improvements translate into faster investigations, more efficient use of analyst resources, stronger phishing defenses, and the ability to scale security operations without proportionally increasing workload.&nbsp;</p>



<!-- Regular Banner START -->
<div class="regular-banner">
<!-- Text Content -->
<p class="regular-banner__text">
The new <span class="highlight">phishing detection standard</span> in your SOC
<br>
Eliminate phishing blind spots with <span class="highlight">full browser visibility</span>
</p>
<!-- CTA Link -->
<a class="regular-banner__link" id="article-banner-regular" href="https://any.run/enterprise/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=in-browser-data-inspection&#038;utm_term=160626&#038;utm_content=linktoenterprise#contact-sales" rel="noopener" target="_blank">
Contact us
</a>
</div>
<!-- Regular Banner END -->
<!-- Regular Banner Styles START -->

<style>
.regular-banner {
display: flex;
text-align: center;
flex-direction: column;
align-items: center;
gap: 1.5rem;
width: 100%;
padding: 2rem;
margin: 1.5rem 0;
border-radius: 0.5rem;
font-family: 'Catamaran Bold';
margin-inline: auto;
background: rgba(32, 168, 241, 0.1);
border: 1px solid rgba(75, 174, 227, 0.32);
}

.regular-banner__text {
font-size: 1.5rem;
margin: 0;
}

.highlight {
color: #ea2526;
}

.regular-banner__link {
padding: 0.5rem 1.5rem;
font-weight: 500;
text-decoration: none;
border-radius: 0.5rem;
color: #FFFFFF;
background-color: #1491D4;
text-align: center;
transition: all 0.2s ease-in;
}

.regular-banner__link:hover {
background-color: #68CBFF;
color: white;
}
</style>
<!-- Regular Banner Styles END -->



<h2 class="wp-block-heading">Conclusion&nbsp;</h2>



<p class="wp-block-paragraph">In-browser data inspection closes a critical visibility gap in modern phishing investigations.&nbsp;With it,&nbsp;SOC analysts and threat hunters can investigate phishing attacks directly inside ANY.RUN without manually extracting web content from traffic captures, reconstructing redirect chains, or comparing raw page source against the content&nbsp;rendered&nbsp;in the browser.&nbsp;</p>



<p class="wp-block-paragraph">Instead, all browser-level evidence is collected, correlated, and presented within a single investigation environment,&nbsp;helping enterprise security teams investigate threats faster and respond with greater confidence.&nbsp;</p>



<h2 class="wp-block-heading">About ANY.RUN&nbsp;</h2>



<p class="wp-block-paragraph"><a href="https://any.run/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=in-browser-data-inspection&amp;utm_term=160626&amp;utm_content=linktolanding" target="_blank" rel="noreferrer noopener">ANY.RUN</a> helps SOC teams, MSSPs, and enterprises investigate cyber threats faster through interactive malware analysis and threat intelligence. </p>



<p class="wp-block-paragraph">Its cloud-based <a href="https://any.run/features/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=in-browser-data-inspection&amp;utm_term=160626&amp;utm_content=linktosandboxlanding" target="_blank" rel="noreferrer noopener">Interactive Sandbox</a> enables security teams to safely analyze suspicious files, URLs, and emails in real time, observe attack behavior as it unfolds, and collect actionable evidence for rapid response. </p>



<p class="wp-block-paragraph">ANY.RUN&#8217;s <a href="https://any.run/threat-intelligence-lookup/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=in-browser-data-inspection&amp;utm_term=160626&amp;utm_content=linktotilookuplanding" target="_blank" rel="noreferrer noopener">Threat Intelligence</a> solutions provide additional context around threats, infrastructure, and attacker activity, helping organizations enrich investigations, streamline security workflows, and improve threat detection. Together, these capabilities enable faster triage, more informed decision-making, and more efficient security operations at scale. </p>



<h2 class="wp-block-heading">FAQ&nbsp;</h2>



<div class="schema-faq wp-block-yoast-faq-block"><div class="schema-faq-section" id="faq-question-1781601200148"><strong class="schema-faq-question"><strong>What is in-browser data inspection?</strong> </strong> <p class="schema-faq-answer">In-browser data inspection is a new ANY.RUN capability that collects and displays browser-level activity during URL analysis, including page content, forms, scripts, redirects, screenshots, and DOM modifications. </p> </div> <div class="schema-faq-section" id="faq-question-1781601207221"><strong class="schema-faq-question"><strong>How does in-browser data inspection improve phishing analysis?</strong> </strong> <p class="schema-faq-answer">It provides visibility into what actually happens inside the browser, helping analysts identify phishing forms, deceptive content, redirect chains, and other browser-based attack techniques that may not be visible through network or file analysis alone. </p> </div> <div class="schema-faq-section" id="faq-question-1781601213356"><strong class="schema-faq-question"><strong>What browser data can analysts investigate in ANY.RUN?</strong> </strong> <p class="schema-faq-answer">Analysts can examine page content, rendered screenshots, forms, scripts, DOM changes, redirects, URLs, domains, IP addresses, and other browser-level artifacts collected during URL execution. </p> </div> <div class="schema-faq-section" id="faq-question-1781601219442"><strong class="schema-faq-question"><strong>How does in-browser data inspection help SOC teams?</strong> </strong> <p class="schema-faq-answer">By providing immediate access to browser-level evidence, it reduces manual investigation effort, improves triage accuracy, minimizes unnecessary escalations, and accelerates incident response. </p> </div> <div class="schema-faq-section" id="faq-question-1781601234880"><strong class="schema-faq-question"><strong>Can in-browser data inspection be used for threat hunting?</strong> </strong> <p class="schema-faq-answer">Yes. Analysts can use collected indicators, page artifacts, and browser telemetry to pivot across related infrastructure, investigate phishing campaigns, and develop threat hunting hypotheses. </p> </div> <div class="schema-faq-section" id="faq-question-1781601246590"><strong class="schema-faq-question"><strong>How can browser inspection data improve threat detection?</strong> </strong> <p class="schema-faq-answer">Security teams can use content extracted from analyzed web pages to create custom detection rules and hunting signatures, including YARA rules, to identify related threats and phishing campaigns. </p> </div> <div class="schema-faq-section" id="faq-question-1781601252624"><strong class="schema-faq-question"><strong>Is in-browser data inspection available in ANY.RUN Interactive Sandbox?</strong> </strong> <p class="schema-faq-answer">Yes. In-browser data inspection is available within URL analyses in ANY.RUN&#8217;s Interactive Sandbox through the Browser Data tab. </p> </div> </div>



<p class="wp-block-paragraph"></p>



<p class="wp-block-paragraph"></p>



<p class="wp-block-paragraph"></p>
<p>The post <a href="https://any.run/cybersecurity-blog/in-browser-data-inspection/">The New Standard for URL Analysis: Closing Phishing Blind Spots with In-Browser Data Inspection </a> appeared first on <a href="https://any.run/cybersecurity-blog">ANY.RUN&#039;s Cybersecurity Blog</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://any.run/cybersecurity-blog/in-browser-data-inspection/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>From Infosecurity Europe to CONFidence and C1b3rWall: What Security Teams Are Prioritizing in 2026</title>
		<link>https://any.run/cybersecurity-blog/europe-cybersecurity-conferences-2026/</link>
					<comments>https://any.run/cybersecurity-blog/europe-cybersecurity-conferences-2026/#respond</comments>
		
		<dc:creator><![CDATA[ANY.RUN]]></dc:creator>
		<pubDate>Thu, 11 Jun 2026 08:31:24 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<category><![CDATA[ANYRUN]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<guid isPermaLink="false">https://any.run/cybersecurity-blog/?p=21616</guid>

					<description><![CDATA[<p>Three cities, three cybersecurity conferences, and plenty of conversations with security professionals across Europe.&#160; Over the past few weeks, the ANY.RUN team joined Infosecurity Europe in London, CONFidence Conference in Kraków, and C1b3rWall Congress in Ávila. While every event had its own focus, the discussions pointed in the same direction: security teams need faster investigations, [&#8230;]</p>
<p>The post <a href="https://any.run/cybersecurity-blog/europe-cybersecurity-conferences-2026/">From Infosecurity Europe to CONFidence and C1b3rWall: What Security Teams Are Prioritizing in 2026</a> appeared first on <a href="https://any.run/cybersecurity-blog">ANY.RUN&#039;s Cybersecurity Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="wp-block-paragraph">Three cities, three cybersecurity conferences, and plenty of conversations with security professionals across Europe.&nbsp;</p>



<p class="wp-block-paragraph">Over the past few weeks, the <a href="https://any.run/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=europe-cybersecurity-conferences-2026&amp;utm_term=110626&amp;utm_content=linktolanding" target="_blank" rel="noreferrer noopener">ANY.RUN team</a> joined Infosecurity Europe in London, CONFidence Conference in Kraków, and C1b3rWall Congress in Ávila. While every event had its own focus, the discussions pointed in the same direction: security teams need faster investigations, clearer evidence, and more confidence in every response decision.&nbsp;</p>



<h2 class="wp-block-heading">Infosecurity Europe 2026: From Alerts to Business Outcomes&nbsp;</h2>



<p class="wp-block-paragraph"><a href="https://www.infosecurityeurope.com/" target="_blank" rel="noreferrer noopener">Infosecurity Europe</a> was the biggest stop of our conference season. Over three days in London, the ANY.RUN team met with CISOs, SOC leaders, and MSSP teams to discuss the challenges shaping security operations today.&nbsp;</p>



<p class="wp-block-paragraph">One thing was hard to miss: the conversation has moved beyond alert volumes and technical metrics.&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="696" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/1-1024x696.jpeg" alt="" class="wp-image-21624" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/1-1024x696.jpeg 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/1-300x204.jpeg 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/1-768x522.jpeg 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/1-370x251.jpeg 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/1-270x184.jpeg 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/1-740x503.jpeg 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/1.jpeg 1280w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Our team at Infosecurity Europe 2026</em></figcaption></figure>
</div>


<p class="wp-block-paragraph">Security leaders are under growing pressure to show how SOC performance supports the wider business. Boards do not simply want to know how many alerts were reviewed or how quickly a case was closed. They want to understand whether threats are identified early, whether risks are clearly assessed, and whether the team can act before an incident affects operations.&nbsp;</p>



<p class="wp-block-paragraph">Three priorities came up repeatedly during our conversations:&nbsp;</p>



<h3 class="wp-block-heading">From Alerts to Outcomes&nbsp;</h3>



<p class="wp-block-paragraph">MTTR still matters, but the number alone does not tell the full story. Security teams need enough context to understand the impact of a threat, prioritize the right cases, and explain their decisions clearly.&nbsp;</p>



<p class="wp-block-paragraph">Behavioral analysis plays an important role here. By investigating suspicious files and URLs inside an interactive environment, teams can see how a threat behaves in real time and gather the evidence needed for a more confident response.&nbsp;</p>



<!-- Regular Banner START -->
<div class="regular-banner">
<!-- Text Content -->
<p class="regular-banner__text">
<span class="highlight">Give your SOC clearer visibility into every threat.</span><br> Make faster decisions with confidence.
</p>
<!-- CTA Link -->
<a class="regular-banner__link" id="article-banner-regular" href="https://any.run/enterprise/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=europe-cybersecurity-conferences-2026&#038;utm_term=110626&#038;utm_content=linktoenterprise#contact-sales" rel="noopener" target="_blank">
Contact us
</a>
</div>
<!-- Regular Banner END -->
<!-- Regular Banner Styles START -->

<style>
.regular-banner {
display: flex;
text-align: center;
flex-direction: column;
align-items: center;
gap: 1.5rem;
width: 100%;
padding: 2rem;
margin: 1.5rem 0;
border-radius: 0.5rem;
font-family: 'Catamaran Bold';
margin-inline: auto;
background: rgba(32, 168, 241, 0.1);
border: 1px solid rgba(75, 174, 227, 0.32);
}

.regular-banner__text {
font-size: 1.5rem;
margin: 0;
}

.highlight {
color: #ea2526;
}

.regular-banner__link {
padding: 0.5rem 1.5rem;
font-weight: 500;
text-decoration: none;
border-radius: 0.5rem;
color: #FFFFFF;
background-color: #1491D4;
text-align: center;
transition: all 0.2s ease-in;
}

.regular-banner__link:hover {
background-color: #68CBFF;
color: white;
}
</style>
<!-- Regular Banner Styles END -->



<h3 class="wp-block-heading">Intelligence Where the Work Happens&nbsp;</h3>



<p class="wp-block-paragraph">Security teams are not looking for another disconnected platform that adds extra steps to an already complex process.&nbsp;</p>



<p class="wp-block-paragraph">They want fresh threat intelligence and investigation-backed insights inside the tools they already use, including SIEM, SOAR, and EDR platforms. This helps teams move from detection to investigation and response without losing time switching between separate systems.&nbsp;</p>



<h3 class="wp-block-heading">Resilience Over Headcount&nbsp;</h3>



<p class="wp-block-paragraph">Growing alert volumes cannot always be solved by growing the team.&nbsp;</p>



<p class="wp-block-paragraph">SOC leaders are looking for ways to make existing workflows more effective: reducing manual work, giving teams clearer evidence, and helping junior specialists handle routine investigations with greater confidence.</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="682" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/1.2-1024x682.jpeg" alt="We introduced our enterprise-grade solutions for SOC teams " class="wp-image-21625" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/1.2-1024x682.jpeg 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/1.2-300x200.jpeg 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/1.2-768x512.jpeg 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/1.2-370x247.jpeg 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/1.2-270x180.jpeg 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/1.2-740x493.jpeg 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/1.2.jpeg 1280w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>We introduced our enterprise-grade solutions for SOC teams</em></figcaption></figure>
</div>


<p class="wp-block-paragraph">The goal is not simply to process more alerts. It is to build a more resilient SOC that can make consistent decisions even when the pressure rises.&nbsp;</p>



<p class="wp-block-paragraph">Infosecurity&nbsp;Europe was a valuable opportunity to discuss these priorities directly with the cybersecurity community and explore how&nbsp;behavioral&nbsp;visibility and live threat intelligence can support faster, clearer, and more reliable investigations.&nbsp;</p>



<h2 class="wp-block-heading">CONFidence&nbsp;Conference 2026: Practical Conversations with the Security Community&nbsp;</h2>



<p class="wp-block-paragraph">Our next stop was&nbsp;<a href="https://confidence-conference.org/" target="_blank" rel="noreferrer noopener">CONFidence&nbsp;Conference</a>&nbsp;in Kraków, where we joined cybersecurity professionals for two days of technical discussions, live demos, and conversations about the realities of modern threat investigation.&nbsp;</p>



<p class="wp-block-paragraph">Many of the challenges were familiar: rising alert volumes, increasingly sophisticated phishing campaigns, and the need to investigate threats faster without adding more pressure to already busy teams.&nbsp;</p>



<p class="wp-block-paragraph">At the ANY.RUN stand, visitors explored how&nbsp;behavioral&nbsp;visibility, investigation-backed threat intelligence, and cross-platform detection coverage can help SOCs and MSSPs&nbsp;analyze&nbsp;malware and phishing more consistently.&nbsp;</p>



<p class="wp-block-paragraph">But choosing the right security solution is not only about detection capabilities. Teams also need to know how they fit into their wider security environment: how sensitive data is handled, whether it supports controlled workflows, and whether the provider has the experience needed to support critical investigations.&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="576" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/2.2-1024x576.jpeg" alt="" class="wp-image-21627" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/2.2-1024x576.jpeg 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/2.2-300x169.jpeg 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/2.2-768x432.jpeg 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/2.2-370x208.jpeg 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/2.2-270x152.jpeg 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/2.2-740x416.jpeg 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/2.2.jpeg 1200w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>A little behind-the-scenes prep before the conversations began</em></figcaption></figure>
</div>


<p class="wp-block-paragraph">These questions matter even more for organizations&nbsp;operating&nbsp;in regulated industries, where security tools need to support effective threat response while meeting strict internal compliance requirements.&nbsp;</p>



<p class="wp-block-paragraph">This is an area ANY.RUN has continued to strengthen throughout its 10 years in cybersecurity. Today, our&nbsp;<a href="https://any.run/features/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=europe-cybersecurity-conferences-2026&amp;utm_term=110626&amp;utm_content=linktosandboxlanding" target="_blank" rel="noreferrer noopener">malware&nbsp;analysis</a>&nbsp;and&nbsp;<a href="https://any.run/threat-intelligence-lookup/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=europe-cybersecurity-conferences-2026&amp;utm_term=110626&amp;utm_content=linktotilookuplanding" target="_blank" rel="noreferrer noopener">threat intelligence</a>&nbsp;solutions are used by more than 15,000 organizations worldwide, including 74 of the Fortune 100 companies. ANY.RUN is also&nbsp;<a href="https://any.run/compliance/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=europe-cybersecurity-conferences-2026&amp;utm_term=110626&amp;utm_content=linktocompliance" target="_blank" rel="noreferrer noopener">SOC 2 Type II attested</a>, reflecting our commitment to strong security controls and careful handling of customer data.&nbsp;</p>



<!-- Regular Banner START -->
<div class="regular-banner">
<!-- Text Content -->
<p class="regular-banner__text">
Strengthen your SOC with <span class="highlight"> secure, controlled workflows.</span><br> Support faster response without compromising compliance.
</p>
<!-- CTA Link -->
<a class="regular-banner__link" id="article-banner-regular" href="https://any.run/enterprise/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=europe-cybersecurity-conferences-2026&amp;utm_term=110626&amp;utm_content=linktoenterprise#contact-sales" rel="noopener" target="_blank">
Power up your SOC now
</a>
</div>
<!-- Regular Banner END -->
<!-- Regular Banner Styles START -->

<style>
.regular-banner {
display: flex;
text-align: center;
flex-direction: column;
align-items: center;
gap: 1.5rem;
width: 100%;
padding: 2rem;
margin: 1.5rem 0;
border-radius: 0.5rem;
font-family: 'Catamaran Bold';
margin-inline: auto;
background: rgba(32, 168, 241, 0.1);
border: 1px solid rgba(75, 174, 227, 0.32);
}

.regular-banner__text {
font-size: 1.5rem;
margin: 0;
}

.highlight {
color: #ea2526;
}

.regular-banner__link {
padding: 0.5rem 1.5rem;
font-weight: 500;
text-decoration: none;
border-radius: 0.5rem;
color: #FFFFFF;
background-color: #1491D4;
text-align: center;
transition: all 0.2s ease-in;
}

.regular-banner__link:hover {
background-color: #68CBFF;
color: white;
}
</style>
<!-- Regular Banner Styles END -->



<h2 class="wp-block-heading">C1b3rWall Congress 2026: Exploring Ransomware&nbsp;Analysis&nbsp;in Action&nbsp;</h2>



<p class="wp-block-paragraph">Our final stop was&nbsp;<a href="https://c1b3rwall.policia.es/congreso" target="_blank" rel="noreferrer noopener">C1b3rWall Congress</a>&nbsp;in Ávila, where cybersecurity professionals from both the public and private sectors gathered at the National Police School to discuss the threats shaping today’s security landscape.&nbsp;</p>



<p class="wp-block-paragraph">The event gave us a chance to look more closely at one of the most pressing challenges for security teams: ransomware.&nbsp;</p>



<p class="wp-block-paragraph">During our session, we demonstrated how ransomware can be analyzed inside ANY.RUN’s <a href="https://any.run/features/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=europe-cybersecurity-conferences-2026&amp;utm_term=110626&amp;utm_content=linktosandboxlanding" target="_blank" rel="noreferrer noopener">Interactive Sandbox</a> and showed how interactive analysis helps teams move beyond a basic verdict.</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1600" height="724" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/3-1024x463.jpeg" alt="" class="wp-image-21628" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/3-1024x463.jpeg 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/3-300x136.jpeg 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/3-768x348.jpeg 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/3-1536x695.jpeg 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/3-370x167.jpeg 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/3-270x122.jpeg 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/3-740x335.jpeg 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/3.jpeg 1600w" sizes="auto, (max-width: 1600px) 100vw, 1600px" /><figcaption class="wp-element-caption"><em>C1b3rWall Congress 2026 in Ávila, Spain</em></figcaption></figure>
</div>


<p class="wp-block-paragraph">Instead of simply confirming that a file is malicious, teams can&nbsp;observe&nbsp;how the attack unfolds in real time,&nbsp;identify&nbsp;suspicious processes, examine network activity, and understand the sequence of actions behind the threat.&nbsp;</p>



<p class="wp-block-paragraph">This kind of visibility is especially valuable when every decision matters. It gives security teams the context they need to assess risk faster, document their findings, and respond with greater confidence.&nbsp;</p>



<p class="wp-block-paragraph">C1b3rWall was also a valuable opportunity to connect with professionals working across different sectors and discuss how clearer&nbsp;behavioral&nbsp;evidence can support stronger, more reliable investigations.</p>



<!-- Regular Banner START -->
<div class="regular-banner">
<!-- Text Content -->
<p class="regular-banner__text">
<span class="highlight"> Join 74 of the Fortune 100 companies that trust ANY.RUN. 
</span><br> Build a more resilient SOC with stronger threat visibility.
</p>
<!-- CTA Link -->
<a class="regular-banner__link" id="article-banner-regular" href="https://any.run/enterprise/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=europe-cybersecurity-conferences-2026&amp;utm_term=110626&amp;utm_content=linktoenterprise#contact-sales" rel="noopener" target="_blank">
Empower your SOC
</a>
</div>
<!-- Regular Banner END -->
<!-- Regular Banner Styles START -->

<style>
.regular-banner {
display: flex;
text-align: center;
flex-direction: column;
align-items: center;
gap: 1.5rem;
width: 100%;
padding: 2rem;
margin: 1.5rem 0;
border-radius: 0.5rem;
font-family: 'Catamaran Bold';
margin-inline: auto;
background: rgba(32, 168, 241, 0.1);
border: 1px solid rgba(75, 174, 227, 0.32);
}

.regular-banner__text {
font-size: 1.5rem;
margin: 0;
}

.highlight {
color: #ea2526;
}

.regular-banner__link {
padding: 0.5rem 1.5rem;
font-weight: 500;
text-decoration: none;
border-radius: 0.5rem;
color: #FFFFFF;
background-color: #1491D4;
text-align: center;
transition: all 0.2s ease-in;
}

.regular-banner__link:hover {
background-color: #68CBFF;
color: white;
}
</style>
<!-- Regular Banner Styles END -->



<h2 class="wp-block-heading">&nbsp;What Comes Next&nbsp;</h2>



<p class="wp-block-paragraph">These events gave us the opportunity to connect with security professionals across Europe, exchange ideas, and discuss the challenges teams are facing today.&nbsp;</p>



<p class="wp-block-paragraph">The message was clear: faster investigations matter, but so do visibility, trust, and control. Security teams need solutions that help them act with confidence, even when the pressure is high.&nbsp;</p>



<p class="wp-block-paragraph">These conversations will continue to shape how we develop ANY.RUN and support SOCs and MSSPs worldwide.&nbsp;</p>



<p class="wp-block-paragraph">Thank you to everyone who stopped by, shared their experience, and joined the discussion. See you at the next events.&nbsp;</p>



<h2 class="wp-block-heading">About ANY.RUN&nbsp;</h2>



<p class="wp-block-paragraph"><a href="https://any.run/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=europe-cybersecurity-conferences-2026&amp;utm_term=110626&amp;utm_content=linktolanding" target="_blank" rel="noreferrer noopener">ANY.RUN</a>, a leading provider of interactive malware analysis and threat intelligence solutions, helps SOC teams, MSSPs, and enterprises investigate threats faster and make more confident security decisions.&nbsp;</p>



<p class="wp-block-paragraph">With its cloud-based <a href="https://any.run/features/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=europe-cybersecurity-conferences-2026&amp;utm_term=110626&amp;utm_content=linktosandboxlanding" target="_blank" rel="noreferrer noopener">Interactive Sandbox</a>, security teams can safely analyze suspicious files, URLs, and emails in real time, observe malicious behavior, and collect clear evidence for response without maintaining complex in-house infrastructure.</p>



<p class="wp-block-paragraph">ANY.RUN’s <a href="https://any.run/threat-intelligence-lookup/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=europe-cybersecurity-conferences-2026&amp;utm_term=110626&amp;utm_content=linktotilookuplanding" target="_blank" rel="noreferrer noopener">Threat Intelligence</a> solutions also help organizations uncover deeper threat context, enrich security workflows, and improve visibility into emerging risks. Together, these capabilities support faster triage, stronger threat response, and more efficient security operations at scale.</p>
<p>The post <a href="https://any.run/cybersecurity-blog/europe-cybersecurity-conferences-2026/">From Infosecurity Europe to CONFidence and C1b3rWall: What Security Teams Are Prioritizing in 2026</a> appeared first on <a href="https://any.run/cybersecurity-blog">ANY.RUN&#039;s Cybersecurity Blog</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://any.run/cybersecurity-blog/europe-cybersecurity-conferences-2026/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Intelligence-Driven Threat Hunting: How SOCs Find What Alerts Miss</title>
		<link>https://any.run/cybersecurity-blog/threat-hunting-practical-usecases/</link>
					<comments>https://any.run/cybersecurity-blog/threat-hunting-practical-usecases/#respond</comments>
		
		<dc:creator><![CDATA[ANY.RUN]]></dc:creator>
		<pubDate>Wed, 10 Jun 2026 12:49:40 +0000</pubDate>
				<category><![CDATA[Cybersecurity Lifehacks]]></category>
		<category><![CDATA[ANYRUN]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[malware behavior]]></category>
		<category><![CDATA[Threat hunting]]></category>
		<category><![CDATA[YARA rules]]></category>
		<guid isPermaLink="false">https://any.run/cybersecurity-blog/?p=21543</guid>

					<description><![CDATA[<p>Talk to any threat hunter long enough, and beneath the polished case studies and conference talks, the same frustrations surface. Hunting is supposed to be proactive. In practice, it often feels reactive. You are chasing whispers of activity through log noise, querying SIEM fields that barely reflect real attacker&#160;behavior&#160;and writing detections against technique descriptions that [&#8230;]</p>
<p>The post <a href="https://any.run/cybersecurity-blog/threat-hunting-practical-usecases/">Intelligence-Driven Threat Hunting: How SOCs Find What Alerts Miss</a> appeared first on <a href="https://any.run/cybersecurity-blog">ANY.RUN&#039;s Cybersecurity Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="wp-block-paragraph">Talk to any threat hunter long enough, and beneath the polished case studies and conference talks, the same frustrations surface. Hunting is supposed to be proactive. In practice, it often feels reactive. You are chasing whispers of activity through log noise, querying SIEM fields that barely reflect real attacker&nbsp;behavior&nbsp;and writing detections against technique descriptions that were never meant to be operationalized directly.&nbsp;</p>



<p class="wp-block-paragraph">The challenge is not that analysts lack skill. Most hunting teams are sharp, methodical, and deeply familiar with attacker playbooks. The real friction is structural: the intelligence feeding&nbsp;hunts&nbsp;is often stale, decontextualized, or missing the behavioral granularity needed to write anything more than a broad, noisy detection.&nbsp;</p>



<figure class="wp-block-pullquote has-text-align-left"><blockquote><p><strong>The core tension</strong>&nbsp;</p><cite>Threat hunting is a high-skill, time-intensive activity that justifies itself by finding what automated systems miss. But when the intelligence inputs are&nbsp;low-fidelity, even the most skilled hunters spend&nbsp;the majority of&nbsp;their time generating work rather than reducing risk.&nbsp;</cite></blockquote></figure>



<p class="wp-block-paragraph">MITRE ATT&amp;CK tells you a technique exists. It does not tell you how it behaves in a real attack chain against a real target. That gap between abstract TTP and concrete execution behavior is where many hunts quietly die. IOCs arrive stripped of context: you block an IP, a rotated domain from the same campaign lands in your environment three days later, and sails straight through.&nbsp;&nbsp;</p>



<p class="wp-block-paragraph">And then there is&nbsp;the&nbsp;false-positive problem. Not a technical inconvenience but a morale and process killer. Every alert that turns out to be Outlook talking to a Microsoft licensing server erodes confidence in the detection pipeline.&nbsp;Over-tuned rules miss real threats; under-tuned rules train analysts to discount the queue.&nbsp;</p>



<p class="wp-block-paragraph">In this article,&nbsp;we&#8217;ll&nbsp;explore how threat intelligence supports core hunting workflows and how ANY.RUN&#8217;s Threat Intelligence solutions help analysts investigate threats with greater speed and confidence.&nbsp;</p>



<h2 class="wp-block-heading">Key Takeaways</h2>



<ul class="wp-block-list">
<li><strong>Threat hunting fails structurally, not skillfully.</strong> The bottleneck is intelligence quality. </li>



<li><strong>Behavioral context beats indicators.</strong> A single IOC blocked solves nothing if the campaign behind it isn&#8217;t understood. Pivoting from one artifact — a mutex, a file path, a Suricata tag — into a full attack chain is what separates hunting from blocklisting. </li>



<li><strong>Hypothesis validation requires real attack data.</strong> ATT&amp;CK describes techniques in the abstract. Effective hunting needs to know how a technique behaves in live, active campaigns — which tools operationalize it, what infrastructure it touches, what artifacts it leaves. </li>



<li><strong>False positives are a strategy problem, not just a noise problem.</strong> Every low-fidelity alert that consumes analyst attention is a detection that wasn&#8217;t built right. Validating rules against real samples before deployment is the difference between a detection pipeline and a distraction pipeline. </li>



<li><strong>Intelligence layers serve different operational needs.</strong> <a href="https://any.run/threat-intelligence-lookup/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktotilookuplanding" target="_blank" rel="noreferrer noopener">TI Lookup</a> drives active investigations; <a href="https://any.run/threat-intelligence-feeds/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktotifeedslanding" target="_blank" rel="noreferrer noopener">TI Feeds</a> keep automated defenses current; TI Reports bridge the gap between raw campaign data and detection engineering or executive briefings. </li>



<li><strong>AI-assisted triage is a force multiplier, not a replacement.</strong> Tier 1 reports, AI summaries, and <a href="https://any.run/features/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktosandboxlanding" target="_blank" rel="noreferrer noopener">sandbox</a> recommendations don&#8217;t replace analyst judgment — they eliminate the translation work between analysis output and operational action, freeing analysts for work that actually requires them. </li>



<li><strong>Hunting ROI is measurable — if you instrument it correctly.</strong> Earlier detection, defense calibrated to active threats, and analyst time redirected to genuine risk: each is quantifiable. Programs that cannot demonstrate these outcomes don&#8217;t lack value — they lack the intelligence infrastructure to produce it consistently.</li>
</ul>



<h2 class="wp-block-heading">1. Hypothesis Validation: Device Code Phishing</h2>



<p class="wp-block-paragraph"><strong>Scenario</strong>: A hunter develops a hypothesis: adversaries may be abusing Microsoft&#8217;s Device Code authentication flow to compromise organizational accounts without triggering MFA. The technique is real, but the team needs evidence it is active now and a way to&nbsp;identify&nbsp;the behavioral signatures that distinguish attacks from legitimate device authorization.&nbsp;<br>&nbsp;<br><strong>The struggle</strong>: Generic queries against authentication logs&nbsp;produce&nbsp;enormous volume. Without knowing what a malicious device code flow&nbsp;actually looks&nbsp;like in practice — which referrer domains&nbsp;initiate&nbsp;the redirect, which&nbsp;PhaaS&nbsp;kits are operationalizing the technique, what the email delivery chain looks like — the team is&nbsp;essentially querying&nbsp;blind.&nbsp;</p>



<p class="wp-block-paragraph"><strong>The solution</strong>:&nbsp;TI Lookup allows the hunter to query the Microsoft device auth endpoint directly and&nbsp;immediately&nbsp;retrieve sandboxed sessions where the technique is&nbsp;observed&nbsp;in the wild.&nbsp;<br>&nbsp;<br><a href="https://intelligence.any.run/analysis/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktolookup#%7B%2522query%2522:%2522url:%255C%2522https://login.microsoftonline.com/common/oauth2/deviceauth?code=*%255C%2522%2522,%2522dateRange%2522:180%7D" target="_blank" rel="noreferrer noopener">url:&#8221;https://login.microsoftonline.com/common/oauth2/deviceauth?code=*&#8221;</a>&nbsp;</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="411" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_1-1024x411.png" alt="" class="wp-image-21551" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_1-1024x411.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_1-300x120.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_1-768x308.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_1-370x149.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_1-270x108.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_1-740x297.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_1.png 1352w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Sandbox analyses found in TI Lookup</em>&nbsp;</figcaption></figure>



<p class="wp-block-paragraph">Sessions are tagged automatically:&nbsp;<em>Phishing,&nbsp;oauth-ms-phish,&nbsp;</em>and kit-specific tags like<em>&nbsp;Kali365&nbsp;</em>(a&nbsp;PhaaS&nbsp;platform specializing in Device Code Phishing).&nbsp;</p>



<p class="wp-block-paragraph">We can view any of the&nbsp;analyses&nbsp;sessions, for example: <a href="https://app.any.run/tasks/fc973b26-7cc8-4253-a313-1b77ff27f04c/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktoservice" target="_blank" rel="noreferrer noopener">https://app.any.run/tasks/fc973b26-7cc8-4253-a313-1b77ff27f04c/&nbsp;</a>&nbsp;</p>



<p class="wp-block-paragraph">The hunter can inspect the full referrer chain:&nbsp;</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="204" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_2-1024x204.png" alt="" class="wp-image-21552" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_2-1024x204.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_2-300x60.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_2-768x153.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_2-370x74.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_2-270x54.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_2-740x148.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_2.png 1108w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Malware’s HTTP requests</em>&nbsp;</figcaption></figure>



<p class="wp-block-paragraph">In live cases, the redirect to Microsoft&#8217;s legitimate device auth endpoint originates from external domains, including those with unusual TLDs.&nbsp;</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="887" height="1024" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_3-887x1024.png" alt="" class="wp-image-21553" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_3-887x1024.png 887w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_3-260x300.png 260w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_3-768x886.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_3-370x427.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_3-270x312.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_3-740x854.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_3.png 922w" sizes="auto, (max-width: 887px) 100vw, 887px" /><figcaption class="wp-element-caption"><em>Redirect from .de domain</em>&nbsp;</figcaption></figure>



<p class="wp-block-paragraph">Subsequent&nbsp;queries can filter by TLD against the device code URL, giving the team a concrete list of suspicious referring domains to feed into SIEM monitoring or block lists.&nbsp;</p>



<p class="wp-block-paragraph"><a href="https://intelligence.any.run/analysis/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktolookup#%7B%2522query%2522:%2522url:%255C%2522https://login.microsoftonline.com/common/oauth2/deviceauth%255C%2522%2520and%2520domainName:%255C%2522.de$%255C%2522%2522,%2522dateRange%2522:3%7D" target="_blank" rel="noreferrer noopener">url:&#8221;https://login.microsoftonline.com/common/oauth2/deviceauth&#8221; and domainName:&#8221;.de$&#8221;</a>&nbsp;</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="606" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_4-1024x606.png" alt="" class="wp-image-21555" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_4-1024x606.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_4-300x178.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_4-768x455.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_4-370x219.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_4-270x160.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_4-740x438.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_4.png 1056w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Select domains for monitoring in TI Lookup</em>&nbsp;</figcaption></figure>



<p class="wp-block-paragraph">For more targeted investigation, the hunter can also query by threat name and file path to retrieve the actual phishing emails (.eml&nbsp;files) used to deliver the&nbsp;initial&nbsp;lure, exposing sender patterns, subject line templates, and infrastructure metadata.&nbsp;</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="813" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_5-1024x813.png" alt="" class="wp-image-21556" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_5-1024x813.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_5-300x238.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_5-768x610.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_5-370x294.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_5-270x214.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_5-740x587.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_5.png 1318w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Email metadata example</em>&nbsp;</figcaption></figure>



<p class="wp-block-paragraph"><strong>Impact:</strong>&nbsp;</p>



<ul class="wp-block-list">
<li>Hypothesis&nbsp;validated&nbsp;against real, live attack data rather than technique abstractions.&nbsp;</li>



<li>Concrete IOCs and behavioral signatures ready for SIEM query development.&nbsp;</li>



<li>Email metadata exposed for deeper organizational log correlation.&nbsp;</li>
</ul>



<h2 class="wp-block-heading">2. Behavioral Pivots: Tracking a Stealer Family via Mutex&nbsp;</h2>



<p class="wp-block-paragraph"><strong>Scenario</strong>: A suspicious executable is&nbsp;submitted&nbsp;for analysis and identified as a stealer. The analyst notices a mutex with a hardcoded prefix — Global\EVOLUTION — followed by a randomized suffix. The question is whether this prefix is unique to this malware family and, if so, how widely deployed it is.&nbsp;<br>&nbsp;<br><strong>The struggle</strong>: A mutex with a random suffix has no stable IOC value. Standard threat feeds will not carry it. Searching for the full string is guaranteed to miss variants. The behavioral pattern is clearly&nbsp;significant&nbsp;but there is no obvious path from a single sample to campaign-level coverage.&nbsp;</p>



<p class="wp-block-paragraph"><strong>The solution</strong>:&nbsp;A wildcard query in TI Lookup (<a href="https://intelligence.any.run/analysis/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktolookup#%7B%22query%22:%22syncObjectName:%5C%22Global%5C%5C%5C%5CEVOLUTION*%5C%22%22,%22dateRange%22:180%7D" target="_blank" rel="noreferrer noopener">syncObjectName:&#8221;Global\\EVOLUTION*&#8221;</a>)&nbsp;immediately&nbsp;surfaces&nbsp;a number of&nbsp;additional&nbsp;samples sharing the same hardcoded prefix with different randomized tails, confirming the pattern is not incidental but a structural artifact of this malware family.&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="559" height="629" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_6.png" alt="" class="wp-image-21559" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_6.png 559w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_6-267x300.png 267w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_6-370x416.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_6-270x304.png 270w" sizes="auto, (max-width: 559px) 100vw, 559px" /><figcaption class="wp-element-caption"><em>Malware samples with similar mutexes</em>&nbsp;</figcaption></figure>
</div>


<p class="wp-block-paragraph">Cross-referencing the mutex results against file path artifacts reveals that affected systems consistently produce a dump archive at <em>C:\Users\admin\AppData\Local\Temp\evo_[random]\stolen.zip</em> — a second independent behavioral indicator&nbsp;that&nbsp;definitely looks&nbsp;like a stealer.&nbsp;&nbsp;</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="586" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_7-1024x586.png" alt="" class="wp-image-21561" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_7-1024x586.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_7-300x172.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_7-768x439.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_7-1536x879.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_7-2048x1172.png 2048w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_7-370x212.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_7-270x154.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_7-740x423.png 740w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>File dropped in malware execution chain</em>&nbsp;</figcaption></figure>



<p class="wp-block-paragraph">Running OR and&nbsp;AND&nbsp;lookup&nbsp;combinations of both indicators&nbsp;allows&nbsp;the hunter to tune coverage:&nbsp;OR for maximum reach,&nbsp;AND for high-confidence, low-noise detections:</p>



<ul class="wp-block-list">
<li>filePath:&#8221;C:\Users\admin\AppData\Local\Temp\evo_\stolen.zip&#8221; <strong>OR</strong> syncObjectName:&#8221;Global\EVOLUTION&#8221;</li>



<li>filePath:&#8221;C:\\Users\\admin\\AppData\\Local\\Temp\\evo_*\\stolen.zip&#8221;&nbsp;<strong>AND</strong>&nbsp;syncObjectName:&#8221;Global\\EVOLUTION*&#8221;&nbsp;</li>
</ul>



<p class="wp-block-paragraph">Starting from a single mutex observation, the hunter has now built a multi-indicator behavioral profile of an entire malware family.&nbsp;</p>



<p class="wp-block-paragraph"><strong>Impact:&nbsp;</strong>&nbsp;</p>



<ul class="wp-block-list">
<li>Single behavioral artifact expands into full campaign coverage.&nbsp;</li>



<li>Multi-indicator&nbsp;detection logic developed and&nbsp;validated&nbsp;before touching production systems.&nbsp;</li>



<li>No reliance on stable IOCs — detection survives malware updates.&nbsp;</li>
</ul>



<!-- Regular Banner START -->
<div class="regular-banner">
<!-- Text Content -->
<p class="regular-banner__text">
Turn threat hunting into an intelligence-driven process.<br>
Use ANY.RUN&#8217;s Threat Intelligence <span class="highlight">to validate hypotheses, enrich investigations, and uncover threats faster.</span>
</p>
<!-- CTA Link -->
<a class="regular-banner__link" id="article-banner-regular" href="https://any.run/plans-ti/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=threat-hunting-practical-usecases&#038;utm_term=100626&#038;utm_content=linktotiplans#contact-sales" rel="noopener" target="_blank">
Contact us</a>
</div>
<!-- Regular Banner END -->
<!-- Regular Banner Styles START -->

<style>
.regular-banner {
display: flex;
text-align: center;
flex-direction: column;
align-items: center;
gap: 1.5rem;
width: 100%;
padding: 2rem;
margin: 1.5rem 0;
border-radius: 0.5rem;
font-family: 'Catamaran Bold';
margin-inline: auto;
background: rgba(32, 168, 241, 0.1);
border: 1px solid rgba(75, 174, 227, 0.32);
}

.regular-banner__text {
font-size: 1.5rem;
margin: 0;
}

.highlight {
color: #ea2526;
}

.regular-banner__link {
padding: 0.5rem 1.5rem;
font-weight: 500;
text-decoration: none;
border-radius: 0.5rem;
color: #FFFFFF;
background-color: #1491D4;
text-align: center;
transition: all 0.2s ease-in;
}

.regular-banner__link:hover {
background-color: #68CBFF;
color: white;
}
</style>
<!-- Regular Banner Styles END -->



<h2 class="wp-block-heading">3. Enrichment: Suspicious Domain in an Inbound Email&nbsp;</h2>



<p class="wp-block-paragraph"><strong>Scenario</strong>: An email from an unknown sender arrives&nbsp;containing&nbsp;a link to an unfamiliar domain. Standard policy would flag this for review. The analyst needs to&nbsp;determine&nbsp;quickly whether the domain is genuinely malicious or simply unknown, and if malicious, what the full attack chain looks like.&nbsp;</p>



<p class="wp-block-paragraph"><strong>The struggle</strong>: WHOIS data&nbsp;shows&nbsp;the domain is recently registered. Passive DNS shows&nbsp;limited&nbsp;history. Reputation feeds return no verdict. The analyst has a suspicious&nbsp;domain&nbsp;but no behavioral context — no sense of what the domain delivers, what it steals, or what infrastructure it connects to.&nbsp;</p>



<p class="wp-block-paragraph"><strong>The solution</strong>: The domain search in TI Lookup returns sandbox sessions where the domain has been analyzed.&nbsp;</p>



<p class="wp-block-paragraph"><a href="https://intelligence.any.run/analysis/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktolookup#%7B%2522query%2522:%2522domainName:%255C%2522miracleplayssystems.com%255C%2522%2522,%2522dateRange%2522:60%7D" target="_blank" rel="noreferrer noopener">domainName:&#8221;miracleplayssystems.com&#8221;</a>&nbsp;</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="366" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_8-1024x366.png" alt="" class="wp-image-21562" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_8-1024x366.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_8-300x107.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_8-768x274.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_8-370x132.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_8-270x96.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_8-740x264.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_8.png 1246w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Sandbox sessions with the suspicious domain</em>&nbsp;</figcaption></figure>



<p class="wp-block-paragraph">The hunter&nbsp;<a href="https://app.any.run/tasks/35589fe4-bf01-4842-9d7a-2314e981292b/" target="_blank" rel="noreferrer noopener">opens one</a>&nbsp;and&nbsp;immediately&nbsp;sees a Microsoft 365 login page clone hosted on the suspicious domain, automatically tagged by ANY.RUN.&nbsp;&nbsp;</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="484" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_9-1024x484.png" alt="" class="wp-image-21564" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_9-1024x484.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_9-300x142.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_9-768x363.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_9-1536x726.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_9-2048x968.png 2048w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_9-370x175.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_9-270x128.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_9-740x350.png 740w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Malware sample detonated in the sandbox&nbsp;</em>&nbsp;</figcaption></figure>



<p class="wp-block-paragraph">Suricata network threat detections reveal the specific phishing kit —&nbsp;FlowerStorm.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="191" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_10-1024x191.png" alt="" class="wp-image-21565" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_10-1024x191.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_10-300x56.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_10-768x144.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_10-1536x287.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_10-370x69.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_10-270x50.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_10-740x138.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_10.png 1766w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>FlowerStorm&nbsp;phishkit&nbsp;detected</em>&nbsp;</figcaption></figure>



<p class="wp-block-paragraph">The rule details expose the exfiltration endpoint:&nbsp;&nbsp;</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="646" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_11-1024x646.png" alt="" class="wp-image-21566" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_11-1024x646.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_11-300x189.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_11-768x484.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_11-370x233.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_11-270x170.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_11-740x466.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_11.png 1396w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Data exfiltration endpoint</em>&nbsp;</figcaption></figure>



<p class="wp-block-paragraph">HTTP tab features&nbsp;a separate domain to which stolen credentials are posted:&nbsp;&nbsp;</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="374" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_12-1024x374.png" alt="" class="wp-image-21569" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_12-1024x374.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_12-300x110.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_12-768x281.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_12-370x135.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_12-270x99.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_12-740x270.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_12.png 1390w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">The HTTP traffic view makes the data flow explicit: M365 credentials&nbsp;submitted&nbsp;to the fake login page are&nbsp;forwarded&nbsp;to infrastructure the attacker controls, not to any Microsoft domain.&nbsp;&nbsp;</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="242" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_13-1024x242.png" alt="" class="wp-image-21571" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_13-1024x242.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_13-300x71.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_13-768x182.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_13-370x88.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_13-270x64.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_13-740x175.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_13.png 1336w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>User&nbsp;credentials sent to a phishing domain</em>&nbsp;</figcaption></figure>



<p class="wp-block-paragraph">This gives the analyst not just a&nbsp;verdict&nbsp;but a full attack chain — delivery domain, phishing kit identity, exfiltration endpoint — all from a single lookup.&nbsp;</p>



<p class="wp-block-paragraph"><strong>Impact:&nbsp;</strong>&nbsp;</p>



<ul class="wp-block-list">
<li>Unknown domain enriched with full attack chain in minutes.&nbsp;</li>



<li>Exfiltration infrastructure&nbsp;identified&nbsp;and added to block lists proactively.&nbsp;</li>



<li>Phishing kit attribution enables broader campaign hunting.&nbsp;</li>
</ul>



<h2 class="wp-block-heading">4. Expansion:&nbsp;LOLBin&nbsp;Abuse and Campaign Attribution&nbsp;</h2>



<p class="wp-block-paragraph"><strong>Scenario</strong>: An alert&nbsp;fires: MSBuild.exe — a standard Microsoft .NET build&nbsp;component&nbsp;— is&nbsp;establishing&nbsp;a network connection to an unknown IP on a non-standard port.&nbsp;This is a textbook living-off-the-land technique, but the specific context (which campaign, which malware family, how widespread) is unknown.&nbsp;<br>&nbsp;<br><strong>The struggle</strong>: MSBuild.exe connecting outbound is not inherently malicious; it is used legitimately in CI/CD pipelines. The challenge is distinguishing targeted abuse from normal build activity and understanding whether the destination IP is part of a broader campaign or an isolated incident.&nbsp;</p>



<p class="wp-block-paragraph"><strong>The solution</strong>:&nbsp;Combining the destination IP with the MSBuild.exe command-line pattern in a TI Lookup query surfaces sessions where the same combination has been&nbsp;observed.&nbsp;</p>



<p class="wp-block-paragraph"><a href="https://intelligence.any.run/analysis/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktolookup#%7B%2522query%2522:%2522destinationIP:%255C%2522212.34.141.103%255C%2522%2520and%2520commandLine:%255C%2522C:%255C%255C%255C%255CWindows%255C%255C%255C%255CMicrosoft.NET%255C%255C%255C%255CFramework64%255C%255C%255C%255Cv*%255C%255C%255C%255CMSBuild.exe%255C%2522%2522,%2522dateRange%2522:90%7D" target="_blank" rel="noreferrer noopener">destinationIP:&#8221;212.34.141.103&#8243; and commandLine:&#8221;C:\\Windows\\Microsoft.NET\\Framework64\\v*\\MSBuild.exe&#8221;</a>&nbsp;</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="243" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_14-1024x243.png" alt="" class="wp-image-21574" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_14-1024x243.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_14-300x71.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_14-768x182.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_14-1536x365.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_14-2048x486.png 2048w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_14-370x88.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_14-270x64.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_14-740x176.png 740w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Sandbox sessions with suspicious activity</em>&nbsp;</figcaption></figure>



<p class="wp-block-paragraph">Opening a&nbsp;<a href="https://app.any.run/tasks/f1d77751-0c64-4f55-a936-f70042b0b547/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktoservice" target="_blank" rel="noreferrer noopener">representative session</a>&nbsp;shows&nbsp;MSBuild.exe&nbsp;establishing&nbsp;a C2 connection and exfiltrating host reconnaissance data&nbsp;— CPU, OS version, running processes:&nbsp;&nbsp;</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="79" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_15-1024x79.png" alt="" class="wp-image-21575" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_15-1024x79.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_15-300x23.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_15-768x59.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_15-1536x119.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_15-370x29.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_15-270x21.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_15-740x57.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_15.png 1760w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="662" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_16-1024x662.png" alt="" class="wp-image-21576" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_16-1024x662.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_16-300x194.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_16-768x497.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_16-370x239.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_16-270x175.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_16-740x479.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_16.png 1302w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Malicious activity in network stream</em>&nbsp;</figcaption></figure>



<p class="wp-block-paragraph">The Processes tab in the sandbox shows what user data gets exfiltrated:</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="813" height="1024" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_17-813x1024.png" alt="" class="wp-image-21577" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_17-813x1024.png 813w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_17-238x300.png 238w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_17-768x967.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_17-370x466.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_17-270x340.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_17-740x932.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_17.png 1066w" sizes="auto, (max-width: 813px) 100vw, 813px" /><figcaption class="wp-element-caption"><em>Malware stealing user credentials</em>&nbsp;</figcaption></figure>



<p class="wp-block-paragraph">A vendor-specific detection tag (rmrlx) links this activity to a named malware family:&nbsp;</p>



<p class="wp-block-paragraph"><a href="https://intelligence.any.run/analysis/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktolookup#%7B%2522query%2522:%2522threatName:%255C%2522rmrlx%255C%2522%2522,%2522dateRange%2522:90%7D" target="_blank" rel="noreferrer noopener">threatName:&#8221;rmrlx&#8221;</a>&nbsp;</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="814" height="454" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_18.png" alt="" class="wp-image-21578" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_18.png 814w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_18-300x167.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_18-768x428.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_18-370x206.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_18-270x151.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_18-740x413.png 740w" sizes="auto, (max-width: 814px) 100vw, 814px" /><figcaption class="wp-element-caption"><em>Threat description by malware tag lookup</em>&nbsp;</figcaption></figure>



<p class="wp-block-paragraph">Pivoting on that tag reveals associated infrastructure across multiple IP addresses and exposes the threat actor group responsible — Colombian Smugglers — which uses SVG smuggling as a delivery mechanism and&nbsp;<a href="https://www.linkedin.com/feed/update/urn:li:activity:7441841298115989505/" target="_blank" rel="noreferrer noopener">has evolved from targeting Colombian organizations to targeting US and European companies</a>. The hunter can now see the full threat actor profile:&nbsp;initial&nbsp;delivery technique (SVG smuggling), malware families used (vjw0rm, quasar,&nbsp;remcos,&nbsp;xworm,&nbsp;rmrlx), geographic targeting, and infrastructure overlap with adjacent groups like&nbsp;BlindEagle.&nbsp;</p>



<p class="wp-block-paragraph"><a href="https://intelligence.any.run/analysis/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktolookup#%7B%2522query%2522:%2522threatName:%255C%2522colombian-smugglers%255C%2522%2522,%2522dateRange%2522:180%7D" target="_blank" rel="noreferrer noopener">threatName:&#8221;colombian-smugglers&#8221;</a>&nbsp;</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="632" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_19-1024x632.png" alt="" class="wp-image-21579" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_19-1024x632.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_19-300x185.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_19-768x474.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_19-370x228.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_19-270x167.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_19-740x457.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_19.png 1253w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Malware samples tagged as Colombian Smugglers attacks</em>&nbsp;</figcaption></figure>



<p class="wp-block-paragraph">Use this TI Lookup request to find sandbox analyses exposing SVG smuggling technique:&nbsp;&nbsp;</p>



<p class="wp-block-paragraph"><a href="https://intelligence.any.run/analysis/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktolookup#%7B%2522query%2522:%2522threatName:%255C%2522colombian-smugglers%255C%2522%2520and%2520filePath:%255C%2522.svg$%255C%2522%2522,%2522dateRange%2522:180%7D" target="_blank" rel="noreferrer noopener">threatName:&#8221;colombian-smugglers&#8221; and filePath:&#8221;.svg$&#8221;</a>&nbsp;</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="638" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_20-1024x638.png" alt="" class="wp-image-21580" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_20-1024x638.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_20-300x187.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_20-768x479.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_20-370x231.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_20-270x168.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_20-740x461.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_20.png 1251w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Malware samples with SVG smuggling</em>&nbsp;</figcaption></figure>



<p class="wp-block-paragraph"><strong>Impact:</strong>&nbsp;</p>



<ul class="wp-block-list">
<li>Single alert pivots into full threat actor profile and campaign map.&nbsp;</li>



<li>Infrastructure correlation&nbsp;surfaces&nbsp;additional&nbsp;C2 endpoints for blocking.&nbsp;</li>



<li>Geographic and targeting intelligence&nbsp;enables&nbsp;prioritized defensive response.&nbsp;</li>
</ul>



<h2 class="wp-block-heading">5. False Positive Validation: Hunting Rule Noise Reduction&nbsp;</h2>



<p class="wp-block-paragraph"><strong>Scenario</strong>: ANY.RUN&#8217;s&nbsp;hunting rules include a signature that fires when a Windows PC hostname is&nbsp;observed&nbsp;being transmitted in network traffic — a behavior common to stealers and RATs that use hostname as a victim identifier.&nbsp;&nbsp;</p>



<p class="wp-block-paragraph"><a href="https://intelligence.any.run/analysis/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktolookup#%7B%2522query%2522:%2522suricataMessage:%255C%2522HUNTING%2520%5BANY.RUN%5D%2520Windows%2520PC%2520hostname%2520observed%255C%2522%2522,%2522dateRange%2522:7%7D" target="_blank" rel="noreferrer noopener">suricataMessage:&#8221;HUNTING [ANY.RUN] Windows PC hostname observed&#8221;</a>&nbsp;</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="546" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_21-1024x546.png" alt="" class="wp-image-21581" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_21-1024x546.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_21-300x160.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_21-768x409.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_21-370x197.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_21-270x144.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_21-740x394.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_21.png 1259w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Malware samples found by Suricata rule</em>&nbsp;</figcaption></figure>



<p class="wp-block-paragraph">The rule catches real threats, but the analyst needs to verify that every hit is genuinely malicious before adding it to production detection.&nbsp;</p>



<p class="wp-block-paragraph"><strong>The struggle</strong>: Hunting rules cast wide nets by design. A rule targeting hostname exfiltration will fire on legitimate software that also transmits device identifiers. Without behavioral context, distinguishing malicious exfiltration from legitimate telemetry requires manual investigation of every hit.&nbsp;</p>



<p class="wp-block-paragraph">The solution:&nbsp;Let’s&nbsp;view one of the found sandbox analyses:&nbsp;<a href="https://app.any.run/tasks/56e01444-87a2-4cf4-874a-41e56ce60221/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktoservice" target="_blank" rel="noreferrer noopener">https://app.any.run/tasks/56e01444-87a2-4cf4-874a-41e56ce60221/</a>&nbsp;</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="695" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_22-1024x695.png" alt="" class="wp-image-21583" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_22-1024x695.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_22-300x204.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_22-768x521.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_22-1536x1042.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_22-370x251.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_22-270x183.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_22-740x502.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_22.png 1774w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Phishing email in sandbox analysis</em>&nbsp;</figcaption></figure>



<p class="wp-block-paragraph">The analyst sees the Suricata alert firing on Outlook.exe,&nbsp;but the destination is&nbsp;licensing.m365.svc.cloud.microsoft, a legitimate Microsoft licensing endpoint.&nbsp;&nbsp;</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="738" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_23-1024x738.png" alt="" class="wp-image-21585" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_23-1024x738.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_23-300x216.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_23-768x554.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_23-370x267.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_23-270x195.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_23-740x533.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_23.png 1390w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Legitimate Microsoft domain in threat detection</em>&nbsp;</figcaption></figure>



<p class="wp-block-paragraph">The HTTP details confirm the behavior: Outlook is sending device and license metadata as part of a standard Office perpetual license renewal (renewperpetuallicense), and the server responds with a 200 OK confirming the HomeBusiness2021Retail license status. This is unambiguously legitimate. The analyst documents this as a known false-positive pattern and adds an exclusion for Microsoft licensing endpoints — keeping the rule sharp without discarding it.&nbsp;</p>



<p class="wp-block-paragraph"><strong>Impact</strong>:&nbsp;&nbsp;</p>



<ul class="wp-block-list">
<li>False positive identified and documented before reaching production.&nbsp;</li>



<li>Detection logic refined without reducing coverage of genuine threats.&nbsp;</li>



<li>Analyst time focused on confirmed malicious activity.&nbsp;</li>
</ul>



<h2 class="wp-block-heading">6. Detection Engineering: YARA Rule Development and Validation&nbsp;</h2>



<p class="wp-block-paragraph"><strong>Scenario</strong>: During stealer sample collection, an analyst&nbsp;encounters&nbsp;<a href="https://app.any.run/tasks/32872c5b-dc9b-4713-a3fe-f4db113e99e4/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktoservice" target="_blank" rel="noreferrer noopener">a .NET executable</a>&nbsp;that drops a zip archive named with a consistent pattern: Unix-[HOSTNAME]-[ID].zip. The behavioral artifact is&nbsp;interesting&nbsp;but the analyst wants to build a durable, validated detection rule, not just add a file path indicator that will break when the malware author changes the naming convention.&nbsp;</p>



<p class="wp-block-paragraph"><strong>The struggle</strong>: Writing YARA rules against behavioral artifacts requires understanding what strings are genuinely hardcoded into the binary versus what is generated at runtime. Testing rules against a small sample set risks both false positives from broad string matches and false negatives from a sample set too small to&nbsp;represent&nbsp;the full malware family.&nbsp;</p>



<p class="wp-block-paragraph"><strong>The solution</strong>: Static analysis of the .NET binary in Detect It Easy reveals human-readable strings embedded in the assembly — a common characteristic of .NET malware.&nbsp;&nbsp;</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="752" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_24-1024x752.png" alt="" class="wp-image-21587" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_24-1024x752.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_24-300x220.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_24-768x564.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_24-370x272.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_24-270x198.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_24-740x544.png 740w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_24-80x60.png 80w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_24.png 1489w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Static analysis of malware sample</em>&nbsp;</figcaption></figure>



<p class="wp-block-paragraph">Filtering for strings&nbsp;containing&nbsp;“Unix&#8221;&nbsp;surfaces several hardcoded identifiers&nbsp;specific for this malware:&nbsp;&nbsp;</p>



<ul class="wp-block-list">
<li>Unix Stealer Log&nbsp;</li>



<li>UnixStealer&nbsp;</li>



<li>UnixStealerIV!@#&nbsp;</li>



<li>UnixStealer2024Key!&nbsp;</li>
</ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="403" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_25-1024x403.png" alt="" class="wp-image-21589" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_25-1024x403.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_25-300x118.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_25-768x302.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_25-1536x604.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_25-2048x805.png 2048w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_25-370x145.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_25-270x106.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_25-740x291.png 740w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Searching for *unix* strings</em></figcaption></figure>



<p class="wp-block-paragraph">A YARA rule built around these strings uses wide matching for Unicode-encoded strings and&nbsp;fullword&nbsp;to minimize false positives.&nbsp;&nbsp;</p>



<pre class="wp-block-code"><code>rule&nbsp;UnixStealer&nbsp;{&nbsp;

&nbsp;&nbsp;&nbsp;&nbsp;meta:&nbsp;

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;description&nbsp;= "Detects&nbsp;UnixStealer&nbsp;malware"&nbsp;

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;date&nbsp;= "2025-12-18"&nbsp;

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;author&nbsp;= "ANY.RUN:A.Adhikara"&nbsp;

&nbsp;&nbsp;&nbsp;&nbsp;strings:&nbsp;

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $x1 = "Unix&nbsp;Stealer&nbsp;Log"&nbsp;fullword&nbsp;wide&nbsp;

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $x2 = "UnixStealer"&nbsp;fullword&nbsp;

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $x3 = "UnixStealerIV!@#"&nbsp;fullword&nbsp;wide&nbsp;

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $x4 = "UnixStealer2024Key"&nbsp;fullword&nbsp;wide&nbsp;

&nbsp;&nbsp;&nbsp;&nbsp;condition:&nbsp;

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; uint16(0) == 0x5A4D&nbsp;and&nbsp;any&nbsp;of&nbsp;($x*)&nbsp;

}</code></pre>



<p class="wp-block-paragraph">Running the rule through&nbsp;<a href="https://intelligence.any.run/analysis/yara" target="_blank" rel="noreferrer noopener">TI Lookup&#8217;s&nbsp;YARA Search</a>&nbsp;validates&nbsp;it against millions of real malware samples — returning 17 matching samples with no unrelated hits.&nbsp;&nbsp;</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="622" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_26-1024x622.png" alt="" class="wp-image-21593" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_26-1024x622.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_26-300x182.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_26-768x467.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_26-1536x934.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_26-2048x1245.png 2048w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_26-370x225.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_26-270x164.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_26-740x450.png 740w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Malware samples found by the YARA rule</em></figcaption></figure>



<p class="wp-block-paragraph">Noticing that the year is hardcoded in one string, the analyst refines it to a regex pattern (/UnixStealer20\d{2}Key/ wide) to ensure the rule covers future builds where the author updates the year.&nbsp;&nbsp;</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="618" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_27-1024x618.png" alt="" class="wp-image-21594" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_27-1024x618.png 1024w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_27-300x181.png 300w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_27-768x463.png 768w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_27-1536x927.png 1536w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_27-2048x1236.png 2048w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_27-370x223.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_27-270x163.png 270w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_27-740x447.png 740w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Optimized YARA rule</em></figcaption></figure>



<p class="wp-block-paragraph">Re-validation against the corpus confirms the refined rule catches the same 17 samples and introduces no new noise.&nbsp;</p>



<p class="wp-block-paragraph"><strong>Impact:&nbsp;</strong>&nbsp;</p>



<ul class="wp-block-list">
<li>YARA rule&nbsp;validated&nbsp;against millions of real samples before deployment.&nbsp;</li>



<li>Rule designed to survive malware version updates through regex generalization.&nbsp;</li>



<li>Detection shipped with high confidence — no post-deployment tuning&nbsp;required.&nbsp;</li>
</ul>



<h2 class="wp-block-heading">How Threat Intelligence Feeds Support Threat Hunting&nbsp;</h2>



<p class="wp-block-paragraph">WhileTI&nbsp;&nbsp;Lookup excels&nbsp;at&nbsp;interactive&nbsp;investigations,&nbsp;Threat Intelligence Feeds help operationalize hunting at scale.&nbsp;</p>



<p class="wp-block-paragraph">Threat Intelligence Feeds can be integrated directly into SIEM, EDR, XDR, SOAR, firewalls, and other security platforms, providing continuously updated indicators and threat context.&nbsp;</p>



<p class="wp-block-paragraph"><strong>For threat hunters, this supports several key workflows:</strong>&nbsp;</p>



<ul class="wp-block-list">
<li>Prioritizing investigations involving known malicious infrastructure.&nbsp;</li>



<li>Correlating internal telemetry with active attacker infrastructure.&nbsp;</li>



<li>Identifying&nbsp;emerging campaigns before internal detections trigger.&nbsp;</li>



<li>Automating enrichment during hunts.&nbsp;</li>



<li>Reducing manual IOC collection and maintenance.&nbsp;</li>
</ul>



<p class="wp-block-paragraph">By continuously injecting fresh intelligence into security tooling, feeds allow hunting teams to focus on analysis rather than data gathering.&nbsp;</p>



<h2 class="wp-block-heading">Accelerating Hunts with Sandbox Intelligence&nbsp;</h2>



<p class="wp-block-paragraph">ANY.RUN’s Interactive Sandbox&nbsp;provides&nbsp;additional capabilities that reduce investigation time and improve analyst productivity.&nbsp;</p>



<h3 class="wp-block-heading">Tier 1 Reports&nbsp;</h3>



<p class="wp-block-paragraph">Tier 1 Reports automatically summarize malware behavior in analyst-friendly language, making it easier for junior and mid-level analysts to understand threats without spending&nbsp;significant time&nbsp;reviewing every artifact manually.&nbsp;</p>



<p class="wp-block-paragraph">This helps SOC teams rapidly assess suspicious files and decide whether deeper hunting activities are necessary.&nbsp;</p>



<h3 class="wp-block-heading">AI Summary&nbsp;</h3>



<p class="wp-block-paragraph">AI Summary condenses complex malware executions into concise narratives, highlighting the most important findings, suspicious behaviors, and attack stages. Hunters can quickly understand what happened during execution before diving into technical details.&nbsp;</p>



<h3 class="wp-block-heading">AI Recommendations&nbsp;</h3>



<p class="wp-block-paragraph">AI Recommendations suggest potential next steps for investigation, including relevant artifacts, indicators, and behaviors worth examining further.&nbsp;This helps analysts&nbsp;identify&nbsp;additional&nbsp;hunting opportunities and reduces the likelihood of missing important evidence.&nbsp;</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="580" height="893" src="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_28.png" alt="" class="wp-image-21596" srcset="https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_28.png 580w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_28-195x300.png 195w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_28-370x570.png 370w, https://any.run/cybersecurity-blog/wp-content/uploads/2026/06/hunt_28-270x416.png 270w" sizes="auto, (max-width: 580px) 100vw, 580px" /><figcaption class="wp-element-caption"><em>Tier 1 report with AI summary and recommendations</em></figcaption></figure>



<!-- Regular Banner START -->
<div class="regular-banner">
<!-- Text Content -->
<p class="regular-banner__text">
Build a <span class="highlight">faster, more scalable hunting program</span> with <br> ANY.RUN Threat Intelligence.<br>Equip analysts with actionable context and leaders with measurable security outcomes.
</p>
<!-- CTA Link -->
<a class="regular-banner__link" id="article-banner-regular" href="https://any.run/plans-ti/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktotiplans#contact-sales" rel="noopener" target="_blank">
Contact us</a>
</div>
<!-- Regular Banner END -->
<!-- Regular Banner Styles START -->

<style>
.regular-banner {
display: flex;
text-align: center;
flex-direction: column;
align-items: center;
gap: 1.5rem;
width: 100%;
padding: 2rem;
margin: 1.5rem 0;
border-radius: 0.5rem;
font-family: 'Catamaran Bold';
margin-inline: auto;
background: rgba(32, 168, 241, 0.1);
border: 1px solid rgba(75, 174, 227, 0.32);
}

.regular-banner__text {
font-size: 1.5rem;
margin: 0;
}

.highlight {
color: #ea2526;
}

.regular-banner__link {
padding: 0.5rem 1.5rem;
font-weight: 500;
text-decoration: none;
border-radius: 0.5rem;
color: #FFFFFF;
background-color: #1491D4;
text-align: center;
transition: all 0.2s ease-in;
}

.regular-banner__link:hover {
background-color: #68CBFF;
color: white;
}
</style>
<!-- Regular Banner Styles END -->



<h2 class="wp-block-heading">Why Threat Hunting Matters to the Business&nbsp;</h2>



<p class="wp-block-paragraph">Threat hunting is often discussed as a purely technical discipline, but its ultimate purpose is business protection. Organizations invest in hunting because reactive security alone is no longer sufficient. Modern attackers&nbsp;frequently&nbsp;evade automated detections,&nbsp;abuse&nbsp;legitimate tools, and remain hidden for extended periods.&nbsp;</p>



<p class="wp-block-paragraph">However, threat hunting itself introduces operational challenges:&nbsp;</p>



<ul class="wp-block-list">
<li>Significant analyst time requirements.&nbsp;</li>



<li>Skill shortages.&nbsp;</li>



<li>Investigation&nbsp;fatigue.&nbsp;</li>



<li>High volumes of telemetry.&nbsp;</li>



<li>Difficulty prioritizing hunting activities.&nbsp;</li>



<li>Challenges&nbsp;demonstrating&nbsp;measurable business value.&nbsp;</li>
</ul>



<p class="wp-block-paragraph">Without proper intelligence support, threat hunting can become expensive and inefficient. Threat intelligence helps address these challenges by reducing investigation time, improving prioritization, increasing analyst productivity, and enabling teams to focus on the threats that matter most to the business.&nbsp;</p>



<p class="wp-block-paragraph">The result is faster threat discovery, reduced dwell time, lower incident response costs, and improved resilience against advanced attacks.&nbsp;</p>



<p class="wp-block-paragraph">For MSSPs, intelligence-driven hunting also enables more scalable operations, allowing analysts to investigate more environments without proportionally increasing staffing requirements.&nbsp;</p>



<h2 class="wp-block-heading">Conclusion&nbsp;</h2>



<p class="wp-block-paragraph">Threat hunting is no longer about manually searching through massive volumes of logs and hoping to uncover something suspicious.&nbsp;</p>



<p class="wp-block-paragraph">Successful hunting depends on context.&nbsp;</p>



<p class="wp-block-paragraph">Threat intelligence provides that context by connecting indicators, behaviors, infrastructure, malware families, campaigns, and threat actors into a coherent picture. It transforms hunting from a reactive research exercise into a focused,&nbsp;intelligence-driven process.&nbsp;</p>



<p class="wp-block-paragraph">With Threat Intelligence Lookup, Threat Intelligence Feeds, Threat Intelligence Reports, YARA Search, and AI-assisted analysis capabilities, SOC teams can&nbsp;validate&nbsp;hypotheses, enrich investigations, expand discoveries, improve detections, and reduce time spent on manual research.&nbsp;</p>



<p class="wp-block-paragraph">The result is a threat hunting program that is faster, more scalable, and more closely aligned with both security and business&nbsp;objectives.&nbsp;</p>



<h2 class="wp-block-heading">About ANY.RUN&nbsp;</h2>



<p class="wp-block-paragraph"><a href="https://any.run/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktolanding" target="_blank" rel="noreferrer noopener">ANY.RUN</a>, a leading provider of interactive malware analysis and&nbsp;threat intelligence solutions, helps SOC teams, MSSPs, and enterprises investigate threats faster and make more&nbsp;confident security decisions.&nbsp;</p>



<p class="wp-block-paragraph">With its cloud-based&nbsp;<a href="https://any.run/features/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktosandboxlanding" target="_blank" rel="noreferrer noopener">Interactive&nbsp;Sandbox</a>, security teams can safely analyze suspicious files, links, and emails in real time,&nbsp;observe&nbsp;malicious behavior, and receive&nbsp;clear evidence&nbsp;for response without&nbsp;maintaining&nbsp;complex in-house infrastructure.&nbsp;</p>



<p class="wp-block-paragraph">ANY.RUN’s&nbsp;<a href="https://any.run/threat-intelligence-lookup/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktotilookuplanding" target="_blank" rel="noreferrer noopener">Threat Intelligence</a>&nbsp;solutions also help organizations uncover threat&nbsp;context, enrich security workflows, and improve visibility into emerging risks. Together, these capabilities support faster triage, stronger incident prevention, and more efficient security operations at scale.&nbsp;</p>



<p class="wp-block-paragraph">ANY.RUN is SOC 2 Type II attested and committed to strong security control and customer data protection.</p>



<p class="wp-block-paragraph"><a href="https://any.run/enterprise/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat-hunting-practical-usecases&amp;utm_term=100626&amp;utm_content=linktoenterprise#contact-sales" target="_blank" rel="noreferrer noopener">Scale your SOC with faster threat validation →</a></p>



<h2 class="wp-block-heading">FAQ</h2>



<div class="schema-faq wp-block-yoast-faq-block"><div class="schema-faq-section" id="faq-question-1781093239666"><strong class="schema-faq-question">What is threat hunting in a SOC?</strong> <p class="schema-faq-answer">Threat hunting is a proactive security practice where analysts search for hidden threats, attacker activity, or signs of compromise that may not trigger traditional security alerts.</p> </div> <div class="schema-faq-section" id="faq-question-1781093260809"><strong class="schema-faq-question">How is threat hunting different from incident response?</strong> <p class="schema-faq-answer">Incident response starts after a security event is detected. Threat hunting begins before an alert exists and focuses on discovering threats that may otherwise remain unnoticed.</p> </div> <div class="schema-faq-section" id="faq-question-1781093273138"><strong class="schema-faq-question">Why is threat intelligence important for threat hunting?</strong> <p class="schema-faq-answer">Threat intelligence provides context about attackers, malware, infrastructure, and campaigns, helping analysts prioritize investigations and validate findings faster.</p> </div> <div class="schema-faq-section" id="faq-question-1781093284243"><strong class="schema-faq-question">What hunting workflows benefit most from threat intelligence?</strong> <p class="schema-faq-answer">Hypothesis validation, behavioral hunting, threat enrichment, investigation expansion, false-positive analysis, and detection engineering all benefit significantly from threat intelligence.</p> </div> <div class="schema-faq-section" id="faq-question-1781093297322"><strong class="schema-faq-question">How do threat intelligence feeds support hunters?</strong> <p class="schema-faq-answer">Threat intelligence feeds continuously provide fresh indicators and context that can be integrated into SIEM, EDR, SOAR, XDR, and other security platforms for automated enrichment and prioritization.</p> </div> <div class="schema-faq-section" id="faq-question-1781093308730"><strong class="schema-faq-question">Can threat intelligence help reduce false positives?</strong> <p class="schema-faq-answer">Yes. Intelligence provides historical and behavioral context that helps analysts quickly determine whether suspicious activity is malicious or legitimate.</p> </div> <div class="schema-faq-section" id="faq-question-1781093318603"><strong class="schema-faq-question">How do AI-powered investigation features help threat hunters?</strong> <p class="schema-faq-answer">AI summaries, recommendations, and analyst reports help hunters understand threats faster, identify relevant artifacts, and reduce time spent on manual investigation.</p> </div> </div>



<p class="wp-block-paragraph"></p>
<p>The post <a href="https://any.run/cybersecurity-blog/threat-hunting-practical-usecases/">Intelligence-Driven Threat Hunting: How SOCs Find What Alerts Miss</a> appeared first on <a href="https://any.run/cybersecurity-blog">ANY.RUN&#039;s Cybersecurity Blog</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://any.run/cybersecurity-blog/threat-hunting-practical-usecases/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>