ANY.RUN Archives - Cyber Security News
https://cybersecuritynews.com/category/any-run/
World's #1 Premier Cybersecurity and Hacking News Portal. Feed last updated Wed, 19 Nov 2025 18:42:36 +0000.

How to Solve Alert Overload in Your SOC
https://cybersecuritynews.com/how-to-solve-alert-overload-in-your-soc/
Wed, 19 Nov 2025 18:42:30 +0000

Your SOC generates thousands of alerts daily. Many of them are low-priority, repetitive, or false positives. On paper, this looks like a technical problem. In reality, it’s a business problem. 

Every Alert Costs 

When analysts are buried under thousands of notifications, they spend more time triaging noise than responding to real incidents. The result: slower reaction times, missed threats, staff burnout, and ballooning operational costs. 

Every wasted minute translates into a weaker security posture, potential financial loss, and reduced return on your security investments. Alert overload doesn’t just impact your SOC. 

It slows down your entire organization’s ability to respond, recover, and produce revenue.  

What Doesn’t Work 

Organizations often try to tackle alert overload by: 

  • Hiring more analysts — which increases headcount costs but doesn’t reduce the noise. 
  • Relying on strict filtering rules — which risks missing critical alerts. 
  • Adding more tools — which only multiplies data sources and dashboards. 
  • Automating without context — which accelerates the wrong decisions. 

These approaches attack the symptoms, not the cause: the lack of context around alerts. Without understanding what triggered an alert and how relevant it is, teams will always be stuck firefighting instead of investigating. 

What Works: Context Powered by Threat Intelligence 

The sustainable way to overcome alert overload is to improve alert quality through contextual threat intelligence.

When analysts can instantly enrich alerts with reliable, up-to-date data on IOCs, malware families, and infrastructure, they can prioritize faster and make confident decisions. 

This is where ANY.RUN’s Threat Intelligence Lookup comes in — a solution designed to balance the speed of investigation with data completeness, freshness, and accuracy. 

It helps teams quickly understand whether an alert is linked to a known threat, how serious it is, and whether it requires escalation. The outcome: fewer false positives, faster triage, and more efficient use of human and financial resources. 

TI Lookup: click the search bar to choose parameters 

Threat Intelligence Lookup delivers instant context for IOCs, domains, IPs, hashes, and other artifacts. The data is sourced from 15,000+ SOC environments and millions of malware analysis sessions in ANY.RUN’s Interactive Sandbox, constantly refreshed to reflect real-time global threat activity. 

Benefits for analysts: 

  • Immediate access to verified IOC data — no need to switch between platforms. 
  • Clear visual indicators of threat relevance and relationships. 
  • Faster, more accurate triage decisions. 

Benefits for business: 

  • Lower operational costs by reducing wasted analyst hours. 
  • Improved detection-to-response ratio, strengthening security ROI. 
  • More predictable and measurable SOC performance. 

Try TI Lookup and discover how faster triage turns into measurable cost savings -> Contact ANY.RUN to get 50 trial lookups 

How It Works 

Here is an example of how security teams use TI Lookup to streamline their alert workflows and decision-making. 

Suppose analysts receive an alert on a suspicious domain. TI Lookup provides an instant verdict on the potential indicator along with contextual data:  

domainName:"databap.mom"

Domain search results: malicious label, linked IOCs, sandbox analyses 

A quick lookup later, your team understands: 

  • The domain is an indicator of malicious activity; 
  • It is associated with the dangerous Lumma stealer; 
  • Lumma currently targets the US and Europe; 
  • The domain has been detected in recent campaigns; 
  • The lookup helps harvest additional IOCs; 
  • Sandbox analyses of malware samples featuring this domain allow analysts to understand the threat's behavior and TTPs. 

From Overload to Efficiency and Profitability 

When your SOC operates with context-rich data, the entire detection and response cycle accelerates. Analysts stop wasting time on noise. Decision-making becomes data-driven, not reactive. 

That directly translates to measurable business value: 

  • Reduced mean time to detect (MTTD) and respond (MTTR). 
  • Better analyst productivity without expanding the team. 
  • Tangible cost savings from automation that works with — not against — human intelligence. 

In short, eliminating alert overload isn’t just about comfort for the SOC team. It’s a strategic financial decision that strengthens resilience, reduces risk exposure, and safeguards your bottom line. 

Conclusion 

Alert overload can’t be solved by more people or more tools — only by smarter data.

By empowering your SOC with contextual threat intelligence from ANY.RUN’s Threat Intelligence Lookup, you transform chaos into clarity, alerts into insights, and effort into measurable value. 

Accelerate response, control costs, and maximize your team's performance with TI Lookup -> Start your trial today. 

The post How to Solve Alert Overload in Your SOC  appeared first on Cyber Security News.

Why Your Business Needs Live Threat Intel from 15k SOCs
https://cybersecuritynews.com/why-your-business-needs-live-threat-intel-from-15k-socs/
Wed, 12 Nov 2025 15:07:17 +0000

Cybersecurity leaders now face an impossible equation: you need intelligence that’s comprehensive enough to protect your organisation, fresh enough to stop emerging threats, and manageable enough that your team doesn’t drown in false positives.

Most solutions force you to choose. Some prove you don’t have to. 

The Intelligence Paradox: Too Much and Never Enough 

Every CISO knows the struggle. Deploy too few threat feeds, and you’re flying blind, missing critical indicators that could prevent the next breach.

Deploy too many, and your SOC analysts spend their days buried in alerts, chasing false positives, and burning out before they can focus on genuine threats. 

This isn’t just an operational headache. It’s a business risk. When analysts are overwhelmed, response times slow. When threat data arrives too late, attackers have already moved.

When intelligence lacks context, your team wastes hours investigating benign activity while real threats slip through undetected. 

The balance seems impossible: you need data that’s simultaneously comprehensive and curated, real-time and actionable, detailed and digestible.  

Business Resilience Happens When Context Meets Speed 

ANY.RUN's Threat Intelligence Feeds are built with this key principle in mind. Quality feeds don't just add data — they transform how your entire cybersecurity operation functions.

Think of them as your early warning system, your threat hunting compass, and your analyst productivity accelerator rolled into one. 

ANY.RUN's TI Feeds: data sources, features, benefits 

Or imagine combining a microscope with a telegraph. One gives you perfect detail; the other gives you instant transmission. Individually useful, but together? Transformative. 

But enough with metaphors. ANY.RUN’s TI Feeds solve the data paradox.  
 
Powered by data from over 15,000 SOCs and researchers using ANY.RUN’s interactive malware sandbox, the feeds deliver live intelligence on real attacks happening right now. Each record is backed by behavioral analysis and real-world evidence. 

Build resilience with live, contextual intelligence from 15K teams -> Request your TI Feeds trial 

This combination of context and freshness is critical for decision-makers. It means your analysts don't waste time chasing false positives or outdated data. They can prioritize real threats, act early, and protect the organization's assets before risk turns into loss. 

The feeds integrate seamlessly with your SIEM, EDR, firewall, and other security tools, automatically enriching alerts with context and enabling automated response workflows.

They shift your posture from reactive to proactive, allowing you to block threats before they reach your network rather than scrambling after the breach. 

For MSSPs managing security across multiple clients, feeds become even more critical. They enable you to scale protection without scaling headcount proportionally, applying lessons learned from one customer’s threat landscape to protect all others instantly. 

Why Context Matters for Your Bottom Line 

Context transforms raw data into actionable intelligence. When your SIEM flags a suspicious IP address, generic feeds tell you “this is malicious.” 

ANY.RUN’s feeds tell you how it’s malicious, what malware family it’s associated with, which attack techniques it employs, and what IOCs you should look for across your environment. 

For security teams, this means: 

  • Faster triage: Analysts immediately understand threat severity and scope; 
  • Accurate prioritization: Distinguish between critical incidents and low-risk events; 
  • Effective response: Know exactly which containment measures to deploy; 
  • Reduced burnout: Spend time hunting real threats, not chasing shadows. 

For business leaders, context transforms into: 

  • Lower operational costs: Less time wasted on false positives means better ROI on your security investment; 
  • Faster time-to-resolution: Contextual intelligence accelerates incident response from hours to minutes; 
  • Informed decision-making: Understand your actual risk exposure, not just a list of scary-sounding indicators. 

When your intelligence reflects the experience of 15,000 SOCs worldwide, you’re no longer reacting in isolation — you’re part of a collective defense network. 

Why Freshness Is Non-Negotiable 

Threat actors evolve their techniques daily, launching new campaigns, rotating infrastructure, and modifying malware to evade detection. 

ANY.RUN’s TI Feeds deliver intelligence with up-to-the-minute freshness because they’re derived from live analysis happening right now — as security teams worldwide investigate active threats using ANY.RUN’s Interactive Sandbox. 

This real-time advantage means: 

  • Proactive blocking: Stop emerging threats before they become widespread; 
  • Reduced dwell time: Detect active compromises faster with the latest IOCs; 
  • Instant awareness: Gain visibility into novel attack techniques as they emerge; 
  • Competitive protection: Access intelligence that attackers haven’t yet adapted to evade. 

For MSSPs, this freshness is a competitive differentiator. You can promise clients protection against threats that other providers won’t detect for days—because by the time those threats appear in slower feeds, you’ve already blocked them. 

Make your next security decision data-driven and turn live threat data into strategic advantage -> Start your trial of ANY.RUN's TI Feeds 

TI Feeds: Business Objectives Met 

ANY.RUN’s Threat Intelligence Feeds deliver business value across multiple dimensions: 

  • Real-World Threat Visibility: You're receiving data about actual incidents and attacks that are impacting other companies right now: the threats currently being investigated by 15,000 SOCs using ANY.RUN's Interactive Sandbox. 
  • Cost-Effective Scale: ANY.RUN’s Feeds give you enterprise-grade intelligence without enterprise-level overhead.  
  • Regulatory Compliance and Due Diligence: Demonstrate to auditors, board members, and customers that you’re using current, comprehensive threat intelligence.  
  • Improved Detection Rates: Enrich your existing security tools with high-fidelity indicators that dramatically reduce false negatives. Catch threats that generic signature-based detection misses. 
  • Accelerated Incident Response: When a threat is detected, contextual intelligence means your team already knows the attack chain, associated IOCs, and effective countermeasures.  
  • Strategic Planning Support: Aggregate intelligence helps security leaders identify trends, understand your industry’s threat landscape, and make informed decisions about security investments and priorities. 
  • Reduced Analyst Fatigue: Analysts spend time doing interesting, meaningful work instead of drowning in noise. 
  • Interoperability: The feeds integrate seamlessly with your existing security infrastructure: SIEM platforms, threat intelligence platforms, EDR solutions, firewalls, and more.  

Conclusion 

Cyber resilience isn’t about having more data — it’s about having the right data at the right moment. ANY.RUN’s Threat Intelligence Feeds provide exactly that: live, contextual insights from real incidents across the globe.

They help organizations cut through noise, reduce uncertainty, and make every security decision count. 

The post Why Your Business Needs Live Threat Intel from 15k SOCs appeared first on Cyber Security News.

Beat Threats with Context: 5 Actionable Tactics for SOC Analysts
https://cybersecuritynews.com/beat-threats-with-context-5-actionable-tactics-for-soc-analysts/
Wed, 05 Nov 2025 04:35:50 +0000

Security teams drown in alerts but starve for insight. Blocklists catch the obvious. SIEM correlation gives clues. But only context reveals what an alert really means, and what you should do about it. 

Every SOC sees thousands of signals: odd domains, masquerading binaries, strange persistence artifacts. On their own, these indicators mean almost nothing. A suspicious process might be malware or a legitimate update from a vendor you barely know. 

But the moment you add threat context — history, connected IOCs, malware family relations, sandbox behavior — the picture changes completely. 

Meet TI Lookup: The Context Engine 

ANY.RUN Threat Intelligence Lookup is a real-time investigation tool that lets analysts instantly understand what they’re dealing with — from domains and IPs to file hashes and URLs. 

It’s powered by rich data crowdsourced from 15,000+ SOCs and researchers worldwide, continuously enriched by ANY.RUN’s sandbox detections. Instead of wasting time digging through multiple feeds, analysts get actionable context in seconds. 

TI Lookup: query an IOC, get actionable intelligence for quick decision 

 
You achieve:  

  • Instant clarity: Quickly identify whether an IOC is malicious, suspicious, or benign; 
  • Deeper context: View sandbox behavior, relations, and threat actor links in one place; 
  • Smarter triage: Speed up incident response with verified data and fewer false positives. 

Context turns data into decisions. And decisions stop breaches from happening. 

Here are five highly practical ways SOC analysts use context to speed triage, reduce noise, and fight more effectively, all powered by ANY.RUN's Threat Intelligence (TI) Lookup. 

Tactic 1: Domain Intelligence – From Suspicious to Confirmed Threat 

The Alert: 

Domain contacted: logrecovery[.]com 

Without Context: Could be a legitimate cybersecurity resource. Requires manual investigation across multiple platforms. 

With TI Context: 

  • Observed in AsyncRAT and Amadey sandbox executions; 
  • Linked to active command-and-control infrastructure; 
  • Associated with information-stealing campaigns and botnets. 

domainName:"logrecovery.com"

Immediate Action: Block the domain at your proxy/firewall, tag it as a high-confidence IOC in your threat intelligence platform, and hunt retroactively for any historical connections in your network traffic logs. 
 
Why It Matters: Stealer malware exfiltrates credentials, session tokens, and sensitive data. Every minute it remains unblocked is a window for data theft. Context lets you move from “investigate” to “contain” immediately. 

Stop hunting for context, start acting on it. Sign up to trial Threat Intelligence Lookup and see how it works 

Tactic 2: Email Attachment Analysis – Spotting Campaign Patterns 

The Alert:  

Suspicious attachment: Electronic_Receipt 

Without Context: Generic filename. Could be legitimate invoice or phishing. Requires time-consuming manual analysis. 

With TI Context: 

  • Detected in a number of malware analyses; 
  • Part of credential-harvesting campaigns; 
  • Linked to the highly dangerous Tycoon phishing kit. 

filePath:"Electronic_Receipt"

Malware samples featuring file pattern 

Immediate Action: Add the file hash to your SIEM blocklist, check egress logs for any systems that may have already connected to associated C2 domains, and update mail gateway filters to catch variants. 

Why It Matters: Tycoon 2FA can intercept user credentials and session cookies to bypass MFA, enabling unauthorized access to accounts even with additional security measures. Organizations using cloud services are at the most risk.

Recognizing campaign patterns helps you understand the scope: is this a targeted attack or part of a broader spray-and-pray operation? Context answers that question instantly.  

Tactic 3: IP Address Intelligence – Understanding Payload Delivery 

The Alert: 

Outbound connection to: 45.155.205[.]11 
 
Without Context: Could be legitimate software update checks. Requires manual investigation across multiple platforms. 

With TI Context: 

  • Observed in DBatLoader and GuLoader sandbox executions; 
  • Linked to active command-and-control infrastructure; 
  • Associated with information-stealing campaigns. 

destinationIP:"162.241.62.63"

IP context: malware and campaign associations 
 
Immediate Action: Block the IP at your proxy/firewall, tag it as a high-confidence IOC in your threat intelligence platform, and hunt retroactively for any historical connections in your network traffic logs. 

Why It Matters: Stealer malware exfiltrates credentials, session tokens, and sensitive data. Every minute it remains unblocked is a window for data theft. Context lets you move from “investigate” to “contain” immediately. 

Tactic 4: Process Behavior – Detecting Credential Theft 

The Alert: 

Unusual process detected: New Text Document mod.exe 

Without Context: Looks like a carelessly named document, but the .exe extension is suspicious. Manual verification required. 

With TI Context: 

  • Observed in XRed backdoor campaigns; 
  • Associated with session hijacking and credential theft; 
  • Tampers with Windows registry, establishes persistence. 

filePath:"New Text Document mod.exe"

Malware running a similar process 

Immediate Action: Check all endpoints for this process name and file hash, flag any instances for immediate investigation, and monitor for suspicious authentication behavior patterns like impossible travel or unusual access times. 

Malicious process poorly disguised as a document 

Why It Matters: XRed is a backdoor designed for long-term system infiltration, control, and theft of sensitive data. It combines elements of remote access Trojans (RATs), infostealers, and backdoors to execute a range of malicious activities. 

Tactic 5: Registry Key Persistence – Finding the Foothold 

The Alert:  
 
Registry modification: \Software\Microsoft\update 

Without Context: Registry changes happen constantly. Could be legitimate software, Windows updates, or persistence mechanism. Difficult to prioritize without additional information. 

With TI Context: 

  • Appears in known malware persistence mechanisms 
  • Seen in stealer campaigns 
  • Used to maintain access across system reboots 
  • Indicator of established compromise, not initial infection 

RegistryKey:"Software\\Microsoft\\update" and threatLevel:"malicious"

Search for malware that modifies registry 
 
Immediate Action: Escalate immediately to incident response team, scan affected hosts for additional IOCs associated with notorious stealers, and check for lateral movement indicators across your environment. 

Why It Matters: If you’re seeing persistence mechanisms, the attacker has already established a foothold. This isn’t prevention, it’s containment. Context tells you this is a critical escalation requiring full IR protocols, not just endpoint remediation. 

The Context Advantage: From Hours to Minutes 

Each of these scenarios represents a fork in the road for a SOC analyst. Without context, you're stuck in investigation mode: chasing down leads, correlating data points, and hoping you make the right call. With context, you skip directly to response. 

Consider the time savings: 

  • Manual TI gathering: 20-45 minutes per artifact across multiple platforms 
  • TI Lookup with context: Seconds to retrieve comprehensive intelligence 
  • Decision confidence: Immediate clarity on threat severity and appropriate response 

For a SOC analyst triaging 50+ alerts per day, that’s the difference between constantly playing catch-up and staying ahead of threats. 

How Threat Intelligence Delivers Context Automatically 

TI Lookup doesn’t just tell you whether an artifact is malicious, it shows you the full picture: 

  • Sandbox execution history: See how the artifact behaves in real, interactive malware analysis sessions 
  • Associated campaigns: Understand which threat actors and malware families use this indicator 
  • Infrastructure relationships: Map connections between domains, IPs, and file hashes 
  • Temporal context: Know if this is an emerging threat or part of an established campaign 

Instead of piecing together intelligence from multiple sources, you get a unified view that connects artifacts to actual malware behavior.  

Start Making Context-Driven Decisions Today 

Next time an alert hits your queue, ask yourself: do you have the context to act confidently, or are you about to spend the next thirty minutes hunting for it? 

Context isn’t a luxury for SOC analysts. It’s the difference between reactive scrambling and proactive defense. The threats are already using automation and infrastructure at scale. Your intelligence should, too. 

Ready to add context to your threat hunting workflow? Explore ANY.RUN’s TI Lookup and see how instant threat intelligence transforms the way you analyze and respond to security alerts. 

Speed without guessing, confidence without over-triaging. Choose a threat intelligence trial option for your SOC.

The post Beat Threats with Context: 5 Actionable Tactics for SOC Analysts  appeared first on Cyber Security News.

SOCs Have a Quishing Problem: Here's How to Solve It
https://cybersecuritynews.com/socs-have-a-quishing-problem/
Wed, 22 Oct 2025 16:55:22 +0000

QR codes used to be harmless; now they're one of the sneakiest ways attackers slip past defenses. Quishing, or QR code phishing, hides malicious links inside innocent-looking images that filters can't read. 

One scan, and the victim lands on a fake login page designed to steal credentials or trigger a download; often from a mobile device completely outside your SOC’s visibility. 

Why Quishing Is Hard to Catch 

From a detection standpoint, Quishing breaks the usual rules. The phishing payload isn’t in the email body or attachment, it’s embedded inside an image as a QR code. That means: 

  • No clickable links for secure email gateways or URL filters to analyze. 
  • No obvious indicators for content inspection or heuristic engines. 
  • No telemetry once the user scans the code on a mobile device outside the corporate network. 

Analyst’s New Weapon: Expose QR Phishing in Seconds 

For SOC analysts, Quishing is a time sink and a blind spot. Traditional tools can't scan QR codes, and decoding them manually is slow and risky. 

That’s why many teams now rely on interactive sandboxes like ANY.RUN to safely expose what’s hidden behind those codes without leaving the protected environment. 

Instead of extracting images or using external decoders, the sandbox automatically detects and decodes QR codes from emails, PDFs, and screenshots. 

It follows the resulting link in an isolated VM, giving analysts the full attack context, from payload delivery to network activity, in just seconds. 

Real-World Example: Voicemail Scam Exposed in Under 60 Seconds 

An email arrives claiming you’ve missed a voicemail. Instead of a link, it contains a QR code urging the user to “listen to the message.” 

Check how sandbox exposes the hidden QR code 

ANY.RUN sandbox exposing the malicious URL in seconds

Once uploaded to ANY.RUN, the sandbox automatically detects and decodes the QR without manual extraction or third-party tools.  

Reveal complex threats in seconds inside ANY.RUN’s interactive sandbox, cutting investigation time and turning hidden attacks into clear evidence -> Join ANY.RUN now 

The decoded URL is displayed immediately in the Static Discovering section, and automated interactivity triggers a controlled browser session. 

Malicious URL discovered in the Static discovering section inside ANY.RUN sandbox 

In 60 seconds, the sandbox discovered the full attack chain, surfacing relevant TTPs, exportable IOCs, network connections, and a shareable analysis report analysts can use to block, hunt, and write detections. 

Well-structured report generated by ANY.RUN for easy sharing 

Why SOC Analysts Choose ANY.RUN for Quishing Analysis 

Quishing attacks are built to waste analyst time; ANY.RUN gives that time back. With automated QR detection, real-time interaction, and deep visibility, analysts can shift from manual decoding to instant validation. 

  • 90% of attacks exposed in under 60 seconds: The sandbox reveals hidden payloads, redirect chains, and credential-harvesting pages in seconds, cutting average triage time by more than half. 
  • Full visibility in one interface: Analysts see process trees, network traffic, and decoded URLs together; no switching between tools, no risk of missing a step. 
  • Automatic evidence collection: Every session generates IOCs, network indicators, and screenshots that can be exported or shared in a single click. 
  • Faster detection engineering: Verified TTPs and IOCs can be turned into new detection rules directly from the sandbox report. 
  • Safe handling environment: QR codes, phishing pages, and scripts execute only inside the isolated VM, analysts stay fully protected while observing real behavior. 
  • Collaborative workflows: Share sessions across the team or integrate with your SIEM, SOAR, or ticketing system to accelerate incident response. 

Turn QR Phishing from a Blind Spot Into a 60-Second Investigation 

Quishing doesn’t only test your defenses but also your efficiency. Analysts spend hours decoding images, validating links, and correlating telemetry that should already be visible. 

ANY.RUN changes that balance, giving SOCs the kind of context they can act on instantly. 

With automation built into every stage of analysis, SOC teams using ANY.RUN report measurable results: 

  • Up to 58% more threats identified overall, including those that bypass standard filters and static analysis. 
  • 94% of users report faster triage, thanks to automated IOC collection and ready-to-share reports. 
  • 95% of SOC teams speed up investigations, connecting decoded URLs, network traffic, and threat behavior in one workflow. 

Try ANY.RUN to uncover hidden phishing payloads, decode QR attacks safely, and turn every investigation into actionable insight. 

The post SOCs Have a Quishing Problem: Here’s How to Solve It  appeared first on Cyber Security News.

How SOCs Detect More Threats without Alert Overload
https://cybersecuritynews.com/how-socs-detect-more-threats/
Wed, 15 Oct 2025 18:44:11 +0000

When your alert queue seems endless, it might feel like threat intelligence is more of a curse than a blessing. But taking the right approach to it will help increase detection rates without stretching resources thin.

Top-performing SOC analysts don’t necessarily go through more alerts than others; they simply know where to look for reliable data. That’s what allows them to achieve higher results without the need to overwork. They go another way, and so can you.

What Causes Alert Overload in the First Place

It’s a myth that more data equals better efficiency. Thousands of alerts, most of which are false positives, lack of context for prioritization of incidents, and too much manual work: this is a common struggle for many SOCs.

Overwhelmed Tier 1 analysts suffer alert fatigue and make unnecessary escalations. The entire team feels the negative effects: missed alerts, slower MTTR, and burnout across the board. 

To sidestep these challenges, you need a source of intel that works in your favor. It makes all the difference and helps raise detection rates with a lighter load.

What to Look for in Threat Intelligence Sources

Threat intelligence sources that stand out are:

  • Noise-free

They might provide less data, but if this is the result of filtering, it’s a huge pro, not a con. Fewer false positives mean less work and better focus on real threats.

  • Trustworthy

Look for feeds whose indicators come from the very core of malicious configurations rather than from third-party sources. This again ensures you get reliable information, not outdated or irrelevant data.

  • Context-fueled

Not all threat intelligence is made equal. While most feeds provide just a collection of indicators, others add threat context, which accelerates triage by giving deeper visibility into each threat.

  • Timely

Delayed alerts are practically useless. The less time it takes for an indicator to make it to the feed, the better. Solutions with real-time updates should be your go-to if you want to stay on top of things.

Analysts Stay Ahead with ANY.RUN Threat Intelligence Feeds

There aren’t many threat intelligence feeds that fit these requirements. Accurate and fresh data with little to no false positives isn’t easy to obtain: it requires access to unique threat data.

ANY.RUN’s Threat Intelligence Feeds are powered by a global network of 15K SOC teams and 500K malware analysts who continuously provide live attack data, which then gets filtered and delivered to users’ systems. This means that every indicator is backed by an actual threat investigation, giving you confidence and real-world insights.

TI Feeds by ANY.RUN keep your systems up-to-date with exclusive IOCs in real time

Detect more threats with less noise and tap into live malware analysis data -> Try TI Feeds in our SOC

The results TI Feeds users see:

  • Decreased workload: Indicators from TI Feeds enrich your SIEM, EDR/XDR, and other systems for a smoother workflow. As a result, the case load for Tier 1 analysts drops by 20%.
  • Wider coverage: 99% of IOCs in TI Feeds are unique and can’t be found elsewhere, so you automatically extend your monitoring range.
  • Constant updates: No more missed threats and false alerts caused by outdated indicators.
  • Actionability: High-confidence threat intelligence fueled with context gives you a hand in classifying and prioritizing alerts for targeted action.

Conclusion 

Analysts increase their detection rates using validated intelligence that enriches their system in real time, shortly after a threat emerges. TI Feeds with wide coverage and deep context supplied by reliable sources give SOC teams an upper hand in triage and cut their workload for better overall efficiency.

5 Must-Follow Rules of Every Elite SOC: CISO’s Checklist https://cybersecuritynews.com/5-must-follow-rules-of-every-elite-soc/ Wed, 15 Oct 2025 17:13:59 +0000

The post 5 Must-Follow Rules of Every Elite SOC: CISO’s Checklist appeared first on Cyber Security News.

There’s a moment, right after a new alert hits, when the room holds its breath. Everyone waits for context; is it real, is it noise, is it already too late? 

In those seconds, the difference between an average SOC and a great one is obvious. Some scramble for answers; others move in sync, sharing context fast and turning confusion into clarity before the panic begins.

That level of control comes not from luck but from a few simple rules that keep elite SOCs fast, focused, and ahead of the game.

Rule #1: Speed Turns Panic into Precision

Speed changes everything. When threats hit, fast visibility turns chaos into clarity. The faster a team understands what’s happening, the faster it can stop the spread, cut damage, and regain control.

That’s why most modern SOCs rely on cloud-based sandboxes like ANY.RUN to make speed their first line of defense. There’s no need to deploy or maintain virtual machines; analysis launches in seconds, giving teams an immediate look into the full attack chain.

LockBit attack fully analyzed inside ANY.RUN’s cloud sandbox

The verdict of most analyses is ready in under 60 seconds, providing actionable insight long before traditional tools even finish scanning. 

For instance, in one recent analysis, a LockBit attack was fully exposed in just 33 seconds, complete with related IOCs, mapped TTPs, behavior details, and process trees.

View LockBit attack exposed fully in 30 seconds

30 seconds required from ANY.RUN sandbox to show the malicious verdict 

When detection is this fast, panic never has a chance to set in. Teams can shift instantly from reaction to strategy, understanding the threat, planning the response, and staying firmly in control.

Turn speed into strategy; connect with ANY.RUN and see how instant detection powers stronger, faster decisions across your SOC: Talk to ANY.RUN Experts

Rule #2: Threat Detection is a Team Sport

Even the best analysts can’t detect everything alone. When communication breaks down and teams work in silos, critical context slips away; alerts are missed, work gets repeated, and investigations slow to a crawl.

That’s why collaboration has become a core part of modern SOC performance. Inside the ANY.RUN sandbox, the Teamwork feature lets analysts join the same live workspace, share results in real time, and coordinate across roles without switching tools. Team leads can assign tasks, monitor progress, and track productivity; all from a single interface that keeps the team aligned, no matter the time zone.

Team management displayed inside ANY.RUN sandbox

The result is a SOC that thinks and moves as one. Every analyst knows their focus, every lead sees the full picture, and decisions happen without hesitation. That’s what real teamwork looks like, and that’s how strong threat detection actually happens.

Rule #3: Automate What Slows You Down

Every SOC knows the feeling: too many alerts, too many clicks, not enough time. Analysts lose hours on repetitive actions: opening files, running scripts, clicking through pop-ups, or solving CAPTCHAs just to trigger hidden payloads.

With Automated Interactivity inside the ANY.RUN sandbox, all those steps happen automatically. The system opens malicious links hidden behind QR codes, interacts with fake installers, solves CAPTCHAs, and performs other routine actions, with no human input needed. The sandbox handles these interactions on its own, exposing every stage of the attack chain in a fraction of the time.

ANY.RUN sandbox solving CAPTCHA automatically, revealing the full attack chain in 20 seconds

The benefit? Analysts skip the busywork and jump straight to insight. Faster detection, cleaner data, and more time for the investigations that require human judgment. Automation clears the path for cybersecurity professionals to do their best work, saving enormous time.

Rule #4: Go Hands-On to Expose Hidden Threats

Even the best detection tools miss things. False negatives happen all the time: a file marked “safe” can still hide malicious behavior deep in its code or trigger only under specific conditions.

That’s why elite SOCs never rely on automation alone. When something looks suspicious, analysts dig deeper in an interactive environment, where they can open files, click buttons, follow links, and provoke real behavior in real time. 

Interacting with the fake Microsoft page inside ANY.RUN sandbox

Inside the ANY.RUN sandbox, this hands-on control turns static analysis into active discovery, revealing payloads, persistence mechanisms, and hidden network activity that automated scanners overlook.

Automation gives you speed; hands-on gives you certainty. It’s the balance between the two that stops real damage.

Rule #5: Train Analysts Through Real Experience

You can’t train great analysts on theory alone. Real skill comes from seeing how threats behave, testing hypotheses, and learning through direct experience, not static examples or outdated labs.

That’s why modern SOCs use sandboxes to turn real-world incidents into learning opportunities. Inside the ANY.RUN sandbox, junior analysts can safely explore live samples, experiment with behavior, and build intuition that no textbook can teach. 

Meanwhile, through Teamwork Management features, managers can observe progress in real time, tracking how analysts investigate, collaborate, and grow with each session.

Tracking team members’ productivity inside ANY.RUN’s sandbox

The result is faster onboarding, stronger retention, and a team that learns from actual threats instead of simulated ones. It saves both time and training costs while building real, lasting expertise across the SOC.

Build the SOC That Sets the Standard

When these five rules become part of your daily SOC workflow, results follow fast.
Teams that blend automation, collaboration, and hands-on analysis work smarter, with measurable improvements across every tier.

  • Up to 58% more threats identified: Detect attacks that bypass standard defenses with interactive analysis and data from 15K+ global businesses.
  • 88% of attacks visible within 60 seconds: See live behavior instantly, automate detection, and enrich alerts with key indicators.
  • 94% of users report faster triage: Collect IOCs and TTPs, simplify assessments, and act faster with real threat data.
  • 95% of SOC teams speed up investigations: Collaborate in real time, handle more alerts, and track performance in one workspace.
  • Up to 20% lower Tier 1 workload and 30% fewer escalations: Reduce manual effort, remove hardware costs, and eliminate alert fatigue.

Contact ANY.RUN experts to bring these results to your team and build a SOC that truly sets the standard.

3 Steps to Beat Burnout in Your SOC and Solve Cyber Incidents Faster https://cybersecuritynews.com/3-steps-to-beat-burnout-in-your-soc-and-solve-cyber-incidents-faster/ Wed, 08 Oct 2025 17:28:02 +0000

The post 3 Steps to Beat Burnout in Your SOC and Solve Cyber Incidents Faster  appeared first on Cyber Security News.

Security teams are constantly on the move. Alerts never stop coming in, workloads keep piling up, and the pressure to react fast can wear anyone down. Add long investigations and a maze of tools on top of that, and burnout becomes almost inevitable. 

Still, it doesn’t have to be this way. With the right approach, combining interactive sandboxing and smart automation, SOCs can take the pressure off, resolve incidents faster, and keep analysts focused on what matters most: catching threats before they spread. 

Here are three ways to make that happen: 

1. See and Explore the Full Attack Chain in Real Time 

One big reason analysts burn out is the constant waiting. Traditional tools often take hours to confirm whether an alert is real, forcing teams to chase uncertainty while the clock keeps ticking. By the time a threat is verified, it may already be moving through the network, and the workload has doubled. 

Interactive sandboxes, such as ANY.RUN, change that. Instead of relying on static reports, analysts can watch an attack unfold live inside a secure virtual machine. Suspicious files, URLs, or scripts are detonated instantly, revealing every step of the behavior chain, from initial dropper to payload, without risking production systems. 

That visibility turns slow, fragmented investigations into fast, confident decisions. Analysts know exactly what they’re dealing with and how to stop it, often within seconds. 

For instance, this analysis session delivered a final verdict and the full attack chain of a LockBit 5.0 attack in just 33 seconds: 

View real-world attack exposed in 33 secs 

LockBit attack fully exposed inside ANY.RUN sandbox in 33 seconds 

According to recent research by the ANY.RUN team, companies using interactive sandboxing saw the following real-world results: 

  • 88% of attacks become visible within 60 seconds of analysis. 
  • Teams report up to a 36% higher detection rate on average. 

See how your SOC can cut investigation time and handle more threats with less stress.  -> Talk to ANY.RUN Experts 

2. Find Evasive Threats Before They Drain Your Team’s Time 

Some attacks are built to stay hidden. They wait for the right user action, a click, a CAPTCHA, a file download, before revealing their true behavior. Traditional tools can’t always simulate these steps, which means analysts often spend hours trying to manually trigger and analyze the attack chain. 

ANY.RUN’s interactive sandbox changes that. Its Automated Interactivity feature mimics real user behavior inside a secure virtual machine, clicking links, solving CAPTCHAs, opening attachments, and following redirects, to expose even the most evasive threats automatically. 

That means analysts no longer need to repeat the same manual steps for every case. What once took hours, like uncovering a malicious link hidden in a QR code or a payload buried behind multiple redirects, can now be done in seconds. 

Here’s an example of Automated Interactivity inside the ANY.RUN sandbox: 

View analysis session with malicious QR code  

ANY.RUN sandbox solving CAPTCHA automatically 

As shown in the session, the sandbox performs user actions on its own, uncovering the malicious link hidden in a QR code, solving the CAPTCHA, and collecting all behavioral indicators for immediate review. Analysts get a full report, complete with IOCs and TTPs, without spending too much time and effort. 

Well-structured report generated by ANY.RUN sandbox 

Real-world results: 

  • Up to 58% more hidden threats identified compared to traditional tools. 
  • 30% fewer Tier 1 → Tier 2 escalations, as junior analysts can handle more incidents independently. 

By automating the tedious parts of analysis, SOCs find evasive threats faster, cut down investigation time, and free analysts to focus on higher-value work. 

3. Connect Your Tools for a Faster, Smoother Workflow 

Even the most skilled team can lose momentum when tools don’t work together. Jumping between dashboards, copying IOCs, and updating multiple systems manually eats away at valuable investigation time, and adds to analyst frustration. 

With ANY.RUN’s connectors, your sandbox, threat intelligence, and automation tools all work in sync. The platform connects with popular SOC systems like QRadar, Cortex XSOAR, OpenCTI, and Microsoft Sentinel, letting analysts access threat data, behavioral insights, and enrichment directly from their main workspace. 

Instead of switching tabs, the context travels with you. Every alert is enriched with fresh IOCs and real behavioral data, helping teams make faster and more confident response decisions. 

Real-world results: 

  • Up to 3× faster response times thanks to a connected, zero-delay workflow. 
  • Access to 24× more IOCs per case, powered by data from over 15,000 SOCs worldwide. 

By keeping every system in sync, SOCs save time, eliminate repetitive work, and maintain a clear, unified picture of what’s happening, all without adding extra complexity. 

Turn Overload into Faster, Confident Response 

SOC burnout doesn’t happen overnight. It builds up through endless alerts, manual work, and tools that don’t fit together. But when teams gain real-time visibility, automate repetitive tasks, and work within one connected system, the pressure starts to fade, and efficiency takes its place. 

Analysts can focus on meaningful investigations instead of chasing noise. Collaboration improves, and incidents get solved faster, often in a fraction of the time it used to take. 

With interactive sandboxing, automation, and integrations that bring everything together, ANY.RUN helps SOCs cut response time by an average of 21 minutes per case, turning daily overload into fast, confident action. 

Contact the ANY.RUN Enterprise team to see how your SOC can do the same. 

Malicious SVGs in Phishing Campaigns: How to Detect Hidden Redirects and Payloads https://cybersecuritynews.com/malicious-svgs-in-phishing-campaigns-how-to-detect-hidden-redirects-and-payloads/ Wed, 24 Sep 2025 18:17:30 +0000

The post Malicious SVGs in Phishing Campaigns: How to Detect Hidden Redirects and Payloads appeared first on Cyber Security News.

Phishing campaigns are getting harder to spot, sometimes hiding in files you’d never suspect. ANY.RUN’s cybersecurity analysts recently uncovered one such case: a malicious SVG disguised as a PDF, hosted on a legitimate domain and packed with hidden redirects. By mid-September, it scaled into a full spam wave with Microsoft-themed lures.

Let’s look at how it worked, and how analysts can gather the full chain of intel in a safe sandbox environment.

Inside the Recent SVG Attack

Here’s a sandbox session that shows the full behavior. Check the real case to watch the redirects and payload extraction live:

View the sandbox session (SVG attack)

ANY.RUN’s sandbox session revealing malicious SVGs in phishing attack

Delivery & disguise: The file arrives looking like a PDF attachment but is an SVG (XML) file. Because SVG supports scripts, attackers embed active content instead of static pixels.

Malicious SVG file sent using Sharesync

Uncover hidden threats, cut investigation time from hours to minutes, and stay ahead of evolving attack techniques. Try ANY.RUN now

Fake prompt shown: Opening the file in a browser displays a “protected document” message to social-engineer the user into clicking or waiting.

Social engineering employed by attackers

Script execution (XOR decoder): The embedded JavaScript runs an XOR decode routine that reconstructs the true redirect code and then executes it (via eval). 

You can see this directly in ANY.RUN’s static/HEX view: the decoder variables, the hex-escaped bytes (for example '\x65', '\x76', ...), and the reconstructed script are all exposed in the session. That view lets analysts dump the decoded payload and review the exact commands the SVG runs.

ANY.RUN’s static view showing script execution

Layered redirects: The decoded code pushes the browser through multiple intermediary domains, obfuscating the trail. Examples observed in this chain include:

  1. loginmicrosft365[.]powerappsportals[.]com
  2. loginmicr0sft0nlineofy[.]52632651246148569845521065[.]cc

Final phishing page: The user lands on a Microsoft-branded credential page that even uses a Cloudflare Turnstile widget to look legitimate and bypass cursory checks. With ANY.RUN’s automated interactivity, these verifications are handled automatically, so analysts don’t waste time clicking through manually.

Cloudflare Turnstile widget used by attackers, exposed inside ANY.RUN sandbox

Credential collection & persistence: Entered credentials are captured and forwarded to attacker-controlled infrastructure built for scale (PhaaS-like), enabling mass harvesting.

Fake Microsoft page for credentials collection

What the sandbox reveals: The interactive session shows every redirect and HTTP transaction, exposes the decoded JavaScript in HEX/Text, and captures runtime artifacts.

Exportable IOCs and reports can be directly integrated with SIEM, EDR, and threat-intel platforms, so analysts get the data inside the tools they already use, saving time and cutting extra steps.

Well-structured report generated by ANY.RUN sandbox
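The same chain can be checked offline before anything is detonated. The script below is an added example, not ANY.RUN’s code: it parses the SVG as XML, collects script bodies and event handlers, resolves the \xNN escapes that spell out "eval", and brute-forces the single-byte XOR key so the redirect target becomes readable. The sample SVG and its .invalid domain are constructed for the demonstration.

```python
"""Static triage of an SVG attachment for embedded script activity.

Added example, not ANY.RUN code. It parses the SVG as XML, collects
<script> bodies and on* event handlers, resolves \\xNN escape sequences
(the trick that hides the word "eval"), and tries every single-byte XOR
key against integer arrays in the script, keeping any decode that reads
as JavaScript. The sample SVG at the bottom is constructed for the demo.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
# Calls that have no business in a "document" image: evaluation, redirection, decoding.
SUSPICIOUS = re.compile(
    r"\beval\b|location\.(?:href|replace|assign)|window\.open|document\.write"
    r"|\batob\b|\bunescape\b|String\.fromCharCode"
)
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
# A literal array of at least nine small integers: the usual shape of an XOR-encoded body.
INT_ARRAY = re.compile(r"\[((?:\s*\d{1,3}\s*,){8,}\s*\d{1,3}\s*)\]")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def unescape_hex(text):
    """Turn '\\x65\\x76\\x61\\x6c' into 'eval' so string-built tokens become visible."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def extract_scripts(svg_bytes):
    """Return every script body and inline event handler in the SVG document."""
    root = ET.fromstring(svg_bytes)
    scripts = []
    for el in root.iter():
        if el.tag.replace(SVG_NS, "") == "script" and el.text:
            scripts.append(el.text)
        for attr, value in el.attrib.items():
            # onload=, onclick=, ... and javascript: hrefs all execute when the file opens
            if attr.lower().startswith("on") or value.strip().lower().startswith("javascript:"):
                scripts.append(value)
    return scripts


def xor_decode_arrays(script):
    """Brute-force single-byte XOR on each integer array; keep decodes that look like JS."""
    hits = []
    for m in INT_ARRAY.finditer(script):
        values = [int(v) for v in m.group(1).split(",")]
        if max(values) > 255:
            continue
        for key in range(256):
            decoded = "".join(chr(v ^ key) for v in values)
            if decoded.isprintable() and SUSPICIOUS.search(decoded):
                hits.append((key, decoded))
    return hits


def triage_svg(svg_bytes):
    """Summarise script activity: tokens seen, XOR decodes recovered, URLs, verdict."""
    report = {"scripts": 0, "tokens": set(), "decoded": [], "urls": set()}
    for script in extract_scripts(svg_bytes):
        report["scripts"] += 1
        plain = unescape_hex(script)
        texts = [plain]
        for key, decoded in xor_decode_arrays(plain):
            report["decoded"].append((key, decoded))
            texts.append(decoded)  # scan the recovered code as well
        for text in texts:
            report["tokens"].update(SUSPICIOUS.findall(text))
            report["urls"].update(URL_RE.findall(text))
    report["verdict"] = "suspicious" if report["tokens"] or report["decoded"] else "clean"
    return report


def build_sample_svg(payload, key):
    """Constructed fixture mimicking the pattern in the article: a 'protected document'
    text, 'eval' spelled with hex escapes, and an XOR-encoded body run through eval."""
    encoded = ",".join(str(ord(ch) ^ key) for ch in payload)
    script = (
        "var e='\\x65\\x76\\x61\\x6c';"  # resolves to 'eval'
        f"var k={key};var d=[{encoded}];"
        "window[e](d.map(function(c){return String.fromCharCode(c^k);}).join(''));"
    )
    return (
        '<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
        "<text x='10' y='20'>Protected document, please wait</text>"
        f"<script type='text/javascript'><![CDATA[{script}]]></script></svg>"
    ).encode()


# Placeholder redirect target; .invalid is reserved and never resolves.
SAMPLE_PAYLOAD = 'window.location.href="https://login-example.invalid/";'

if __name__ == "__main__":
    result = triage_svg(build_sample_svg(SAMPLE_PAYLOAD, 42))
    for name, value in result.items():
        print(f"{name}: {value}")
```

The recovered redirect URL and the XOR key are what feed a blocklist or a YARA/SIEM rule; the verdict field alone is a triage hint, not a replacement for detonation.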

The Sandbox Advantage: Fast Detection of New Attacks

As you can see, interactive sandboxes are especially valuable for spotting new and evasive attacks. Instead of waiting on static signatures or delayed alerts, they run the file in a live environment and surface malicious behaviors in real time.

With ANY.RUN, analysts can:

  • Get malicious verdicts in under 60 seconds: 88% of threats are detected this quickly.
  • Reveal the full attack chain instantly: every redirect, script, and payload mapped out without guesswork.
  • Accelerate triage and response: teams report up to 94% faster triage and 3× higher SOC performance.
  • Turn findings into action: export IOCs and TTPs directly into SIEM, EDR, or TI platforms to update detections and launch hunts immediately.

By transforming hours of manual work into minutes of automated visibility, sandboxes give analysts the speed, clarity, and context needed to stay ahead of new attack techniques.

Request your 14-day trial and see how fast you can catch new attacks with ANY.RUN’s sandbox.

Want to Validate Alerts Faster? Use Free Threat Intel from 15K SOCs https://cybersecuritynews.com/want-to-validate-alerts-faster-use-free-threat-intel-from-15k-socs/ Tue, 23 Sep 2025 17:24:08 +0000

The post Want to Validate Alerts Faster? Use Free Threat Intel from 15K SOCs  appeared first on Cyber Security News.

Alex sighed at his third energy drink of the night shift, watching another batch of security alerts flood his SIEM dashboard.

As a Level 2 threat analyst at a mid-sized financial firm, he was drowning in false positives and spending precious hours manually investigating each suspicious hash, IP address, and domain.  
 
Then everything changed during one particularly brutal 3 AM investigation. While researching a suspicious executable that had triggered multiple endpoint alerts, Alex stumbled upon a threat intelligence lookup service that connected him to insights from thousands of other security operations centers.

Within seconds, the verdict was clear: sophisticated banking trojan, multiple C2 communications, credential harvesting capabilities. 

What would have taken Alex two hours of painstaking analysis was resolved in under five minutes. More importantly, he had the confidence and evidence needed to escalate immediately to the incident response team. By morning, a potential breach had been contained. 
 

Why Speed is the Key: How Faster Alert Management Transforms Analyst’s World 

In the high-stakes arena of cybersecurity, speed isn’t a luxury. It’s survival. Threat actors evolve in hours, not days, and every delayed response risks escalation. But mastering alerts and artifacts at lightning speed doesn’t just fend off attacks; it supercharges your efficiency, effectiveness, KPIs, and career trajectory while safeguarding the business and nailing SOC/MSSP goals:   

1. Boosts Personal Efficiency: Rapid triage means handling 2-3x more alerts per shift without the mental fog of endless rabbit holes. Solutions that deliver instant context, like Threat Intelligence Lookup, free up brainpower for creative hunting, not rote googling.  
 
See how it works: a domain search returns an instant “Malicious” verdict, a last-seen date to evaluate a threat’s relevance, a list of additional IOCs, and a selection of sandbox analyses of malware samples featuring the domain.  

domainName:"randomuser.me"

Domain lookup results with contextual data 

Try TI Lookup to make quick actionable decisions on possible threats.  
Just sign up to start 

2. Enhances Effectiveness in Threat Hunting: Quick IOC validation uncovers hidden patterns across incidents, turning isolated pings into proactive takedowns. You’ll spot campaigns early, disrupting attackers before they burrow deep. 

3. Skyrockets KPIs Like MTTR and Resolution Rates: Shave minutes off each investigation and watch metrics soar. MTTR drops by up to 10x, resolution rates climb, and alert fatigue plummets. With ANY.RUN’s TI Lookup, 88% of threats are detected within 60 seconds of analysis. Happy metrics mean rave performance reviews. 

4. Accelerates Career Growth: Analysts who resolve threats faster stand out. Faster validations lead to high-impact contributions, mentorship opportunities, and that senior role you’ve eyed. Speed builds reputation as the go-to expert. 

5. Fortifies Business Protection: Swift artifact checks minimize dwell time, reducing breach costs. Early detection prevents data leaks, downtime, and regulatory fines, keeping the C-suite smiling. 

See how it works: a quick lookup shows a strong correlation of an IP with Lumma, one of the most dangerous malware families.  

destinationIP:"195.82.147.188"

IP search results: now we know that it’s a symptom of Lumma stealer in the system 

6. Drives SOC Team Morale and Retention: When alerts aren’t a Sisyphean slog, burnout fades. Teams collaborate better on validated intel, fostering a culture of wins over exhaustion since this is the key for retaining top talent in a field desperate for skilled hands. 

7. Achieves SOC/MSSP KPIs with Ease: Hit SLAs on response times, exceed client expectations, and scale services without ballooning headcount. Faster ops mean more billable hours and glowing testimonials, fueling business growth. 90% of companies report higher threat detection rates after integrating TI Lookup.

See how it works: if your logs contain a suspicious PowerShell command, just submit it to TI Lookup. 

imagePath:"powershell" AND commandLine:"$codigo"

Malware samples with steganography, with sandbox analyses showing attack chains 

These search results expose malware that uses steganography: the practice of hiding malicious code inside images or other benign objects to avoid detection. 

Upgraded to the Premium plan, Threat Intelligence Lookup supports over 40 search parameters, additional search operators, and an assortment of wildcards. Comprehensive queries for deeper research become available. 

Uncover the full potential of TI Lookup for rapid threat detection, escalation, and mitigation: choose your plan. 

 
Speed isn’t about rushing — it’s about precision. When speed meets accuracy, both the analyst and the business win. 
 

ANY.RUN’s Threat Intelligence Lookup: Your Window into 15,000 SOCs 

The breakthrough Alex experienced wasn’t luck; it was the power of community-driven threat intelligence. ANY.RUN’s Threat Intelligence Lookup provides instant access to analysis results from over 15,000 security operations centers worldwide that use ANY.RUN’s Interactive Sandbox for malware analysis. 

Every day, security professionals across the globe upload suspicious files, URLs, and other artifacts to ANY.RUN’s Interactive Sandbox for analysis. These investigations happen in real-time, creating a constantly updated database of threat intelligence from actual security incidents and investigations. 

When you query an IOC through the Threat Intelligence Lookup, you’re not just getting static reputation data. You are accessing fresh insights from recent sandbox sessions where other analysts investigated the same indicators you’re seeing in your environment. When a hash shows up in your alerts, you can instantly see: 

  • Whether other SOCs have recently analyzed this file 
  • What behaviors were observed during sandbox analysis 
  • Network communications and C2 infrastructure 
  • File system modifications and persistence mechanisms 
  • Screenshots and process trees from actual execution 
  • IOCs associated with the same campaign or threat actor 

Interactive sandbox sessions capture the complete attack chain, helping you understand not just what you’re dealing with, but how it operates and what additional IOCs to hunt for in your environment. 
 

Conclusion  

Validating alerts no longer has to be a slow, painful process. With threat intelligence from a global community of SOC analysts, you can turn alert overload into actionable security insights. 
 
For threat analysts striving to excel in an ever-evolving cyber landscape, ANY.RUN’s Threat Intelligence Lookup offers an unparalleled opportunity to transform investigative efficiency and impact.  
 
By integrating it into your workflow, you can significantly reduce mean time to respond (MTTR), enhance detection accuracy, and achieve KPIs with greater consistency, directly bolstering your professional reputation and career trajectory. 

How to Radically Cut Response Time for Each Security Incident https://cybersecuritynews.com/security-incident/ Thu, 18 Sep 2025 19:14:31 +0000

The post How to Radically Cut Response Time for Each Security Incident  appeared first on Cyber Security News.

When an incident happens, there’s no time to waste. SOC teams must react fast to protect their organization, and this requires more than expertise. Strong solutions tailored to the needs of businesses can make all the difference. 

The secret to radically cutting response time for incidents lies in equipping your SOC team with an enterprise-grade solution built for teams, one that delivers fast, efficient results.

In this article, we’ll break down how Interactive Sandbox by ANY.RUN helps teams worldwide significantly reduce MTTR and improve proactive detection. 

What makes interactive malware analysis stand out 

Analysis of a threat sample associated with notorious Lazarus APT in ANY.RUN Sandbox 

ANY.RUN’s hands-on approach promotes a cutting-edge way to achieve improved metrics, including reduced MTTR, and well-informed protection of company infrastructure.

The dual power of interactivity and real-time visibility into threats solves two major challenges SOC teams often face: 

Challenge: Slow reaction to threats. SOC teams waste time on routine manual tasks and unoptimized processes. 
ANY.RUN Solution: Interactive response. Analysts perform in-depth investigation in an easy-to-use interface with instant reports, reducing workload and accelerating triage. 

Challenge: Poor threat visibility. Automated solutions might speed up investigation but deliver only surface-level detection. 
ANY.RUN Solution: Deep research in real time. Every action malware takes can be explored at an instant, enabling fast and well-informed moves. 

That’s what takes interactive sandboxes like ANY.RUN a step beyond traditional automated malware analysis. Analysts see more than the final verdict; they can control the process and interact with malware. All this leads to a better understanding and more efficient conclusions. 

Impact in numbers 

With interactive malware analysis, SOC teams achieve impressive results, such as: 

  • 21 min reduction in MTTR per incident 
  • Up to 58% more threats identified overall 
  • Faster threat investigations in 95% of cases 

Another factor that further accelerates incident response is smart automation. In ANY.RUN sandbox, most repetitive actions can be done automatically, including solving a CAPTCHA or opening a link.

The sandbox performs actions necessary for detonation without increasing the workload of the analyst, allowing them to focus on more pressing tasks. 

Cut response time and boost detection with ANY.RUN’s Interactive Sandbox for enterprises  -> Get a trial for your company 

Breaking down a real-world threat in under a minute 

Most attacks start with phishing. Malicious emails can be very deceptive and lead to company-wide security compromises. But it takes seconds to see the truth in ANY.RUN’s Interactive Sandbox. 

In the analysis below, you can see a PDF file that seems harmless at first glance. Once opened, however, it reaches out to a phishing page hosted on SharePoint, a legitimate domain that again might lead you to believe it is trustworthy.

However, the sandbox flags it as malicious and attributes it to phishing within seconds. 


Suspicious PDF file analyzed in ANY.RUN sandbox 

By browsing through the tabs and observing the threat's behavior, analysts can react as quickly as possible: they can confirm and escalate the high-risk threat, block the malicious domains or IPs related to it, and start remediation before attackers gain a foothold. 

Without a sandbox, this kind of attack would be easy to miss: the file looks like a regular PDF, and the hosting domain is trusted. Yet this threat could lead to stolen credentials through social engineering and invisible redirections.  
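To make the "looks like a regular PDF" point concrete, here is an added example (not ANY.RUN's code and not the analysis discussed above) of a static pre-triage check a SOC might run before sending a file to the sandbox. It scans raw PDF syntax for URI actions, for anything that fires automatically on open, and for URLs on collaboration services whose reputation a lure borrows. The sample PDF bytes, the trusted-hosting list and the `triage_pdf` function are constructed for this example; the SharePoint URL in it is a placeholder.

```python
import re
from urllib.parse import urlparse

# Legitimate collaboration/file-sharing services that lend credibility to a
# phishing landing page. This list is an assumption for the example, not a
# vendor signature.
TRUSTED_HOSTING_SUFFIXES = ("sharepoint.com", "onedrive.live.com",
                            "docs.google.com", "dropbox.com")

# Patterns over raw, uncompressed PDF syntax. Objects inside /FlateDecode
# streams need a real parser (e.g. pdfminer); this check only reports that
# compressed streams exist so the analyst knows the scan is shallow.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
AUTO_ACTION_RE = re.compile(rb"/(OpenAction|AA|Launch|JavaScript|JS)\b")
FLATE_RE = re.compile(rb"/FlateDecode")

# Constructed sample: a one-page PDF whose /OpenAction is a URI action, so the
# viewer reaches out to the link as soon as the file is opened.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [5 0 R] >> endobj
4 0 obj << /S /URI /URI (https://contoso-placeholder.sharepoint.com/sites/x/invoice.html) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [100 100 300 130] /A 4 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign control: same skeleton, no links and no actions.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def _host_is_trusted_hosting(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_HOSTING_SUFFIXES)


def triage_pdf(data: bytes) -> dict:
    """Static pre-triage: which URLs a PDF carries and whether anything fires on open.

    Priority 'high' = at least one URL plus an automatic action (detonate in a
    sandbox first); 'medium' = URLs but no automatic action; 'low' = neither.
    """
    urls = [m.group(1).decode("latin-1", "replace") for m in URI_RE.finditer(data)]
    auto_actions = sorted({m.group(1).decode() for m in AUTO_ACTION_RE.finditer(data)})
    trusted = [u for u in urls if _host_is_trusted_hosting(u)]
    if urls and auto_actions:
        priority = "high"
    elif urls:
        priority = "medium"
    else:
        priority = "low"
    return {
        "urls": urls,
        "auto_actions": auto_actions,
        "trusted_hosting_urls": trusted,
        "has_compressed_streams": bool(FLATE_RE.search(data)),
        "priority": priority,
    }


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(name, triage_pdf(blob))
```

The output for the constructed sample lists the SharePoint URL under `trusted_hosting_urls` and reports `OpenAction`, which is exactly the combination that deserves a sandbox run: the domain's reputation says nothing about the page behind it, and only detonation shows what the link actually loads.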

Empower your SOC with a fast and simple sandbox to gain: 

  • Faster Threat Response: Attacks will be detected early on, reducing the window of exposure. 
  • Lower MTTR: Immediate insights into threat behavior will enable analysts to act with speed and confidence. 
  • Less Routine Workload: The SOC team will be free to focus on high-value tasks and strategic action, while repetitive tasks are handled automatically. 

Conclusion 

By reducing investigation time and eliminating manual setup, ANY.RUN helps SOC teams operate more efficiently, while minimizing exposure to threats.

Faster detection and deeper visibility give analysts the clarity and control needed to protect the company's environment before an incident escalates. 

Reduce MTTR with instant analysis and in-depth threat visibility  -> Streamline SOC workflow with ANY.RUN  

The post How to Radically Cut Response Time for Each Security Incident  appeared first on Cyber Security News.
