Protecting 50,000 Users: How ANY.RUN Drives Incident Prevention at UMass Boston

Securing a university means defending a highly open environment, where thousands of users, devices, and external connections create constant exposure to risk. We had a unique opportunity to get an inside look at how these operations are run at a powerhouse R1 institution, the University of Massachusetts Boston.   

We sat down with Daniel Mayer, Endpoint Security and Threat Hunting Specialist, and Alison Murray, Senior Information Security Specialist, to discuss how ANY.RUN’s solutions help their team scale triage, prevent incidents, and achieve consistent security risk reduction.

Lean Team, Broad Responsibility  

UMass Boston operates as a premier R1 research university with a digital footprint encompassing a population of over 50,000 students, faculty, and staff.   

University of Massachusetts Boston

The core security operations team tasked with defending this environment is remarkably compact, consisting of only three specialists and the SISO. Because of this lean staffing model, the team utilizes a cross-pollination strategy where each member manages various roles, including endpoint security, threat hunting, and threat management.   

This small group of professionals carries the primary responsibility for the entire institution’s digital safety.   

The Challenge of Balancing Threat Response and Infrastructure Overhead  

Before adopting a cloud-based sandbox, the team was under constant operational pressure to keep up with incoming threats while maintaining speed and accuracy in triage.  

At the time, their setup included an internal detection lab for threat analysis and validation. Yet, managing physical space, equipment, software licensing, and constant updates for an in-house environment pulled limited team resources away from active security operations.   

The recent departure of two team members further increased this strain, making it difficult to balance infrastructure maintenance with the daily requirement to fight incoming threats.

“We had a detection lab that was also used to help teach the students, but you have to maintain it as well as fight the things that are coming in as they’re happening.”

The university needed more than a safe, secluded environment to test and validate malware without risking the production network. It needed a way to support faster triage, consistent threat validation, and real-time decision-making as part of everyday SOC workflows, without adding operational overhead.  

Introducing ANY.RUN’s Sandbox into the Security Loop  

The Interactive Sandbox was integrated primarily to support faster, more scalable threat validation. The team also needed to teach students in the SOC within a safe, secluded environment that would not put the institution’s production network at risk.

The university integrated ANY.RUN’s solution as a behavioral validation layer within their defense stack alongside Microsoft Defender and Abnormal Security.  

“It’s kind of a big lift to be able to just rely that when I go to ANY.RUN, I know that it’s being maintained.”

The solution was easy to set up and fit into the team’s existing workflows without disruption.  

Instead of spending time maintaining their own lab, the team now had a ready-to-use, air-gapped environment for analyzing malicious content at scale. This provided immediate operational value, freeing up time and allowing the SOC to focus on detecting and responding to critical threats more efficiently.


Scaling Detection and Speeding up Triage with the Same Team  

At UMass Boston, the ANY.RUN sandbox now acts as a central component of the daily triage process for phishing and mailbox-abuse reports.

By utilizing ANY.RUN’s API integration with Abnormal, the team automatically sends suspicious emails, links, and attachments for analysis at the click of a button, removing manual steps and standardizing the triage process.   

Where analysts previously relied on incomplete signals, they now have visual confirmation of a threat’s behavior.

“Having ANY.RUN’s API connection with our email security vendor has really increased our performance in detecting and being able to tell whether it’s actually phishing.”

The automation transformed how quickly detection and verification happen, reducing the time required to analyze and get conclusive verdicts on suspicious submissions.   

“Instead of minutes, [investigations] take seconds.”

Faster, evidence-based triage reduced uncertainty, stabilized operations, and ensured that real threats are identified and handled without delay.   

As a result, the team can make confident security decisions at speed and scale, allowing them to process higher volumes of alerts without increasing the headcount or sacrificing decision quality.  

Preventing a Phishing Incident Missed by Email Filters  

The effectiveness of the team’s sandbox-based defense was demonstrated during a mass email campaign that occurred just before Christmas in 2025, a holiday period when attack volume increases and users are more likely to engage with incoming emails.   

Despite established email security controls, the attack passed through the primary filters undetected. This is exactly where most organizations become exposed: without a sandbox layer, a missed threat turns into an incident.

Instead of relying on the initial verdict, the team escalated the suspicious emails through their sandbox workflow. Using the API integration, they detonated the content and observed its behavior in a controlled environment.  

This analysis revealed that the email was a sophisticated phishing scam hosted through Google.  

“If we didn’t have ANY.RUN, we would have never picked that up.”

The combination of a proactive team and immediate access to sandbox capabilities allowed UMass Boston to validate the threat, make a confident decision, and contain it before it reached users.  

Without this step, the attack could have resulted in credential theft and unauthorized access to internal systems, putting users, research continuity, and institutional trust at risk.
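The two workflows described above, automated submission of a reported message’s links and attachments for behavioral analysis, and the decision rule that lets an observed verdict override a filter that said “clean”, can be sketched in code. The following is an added example and not the university’s, Abnormal’s or ANY.RUN’s code: it parses a constructed sample message with Python’s standard `email` library, extracts the submittable artifacts (attachments by SHA-256, URLs from text parts), hands each to an injected `submit` callable, and combines the results with the email filter’s verdict. The `fake_sandbox` double stands in for the real API submission, which is assumed rather than reproduced here; the verdict labels are also assumptions.

```python
import email
import hashlib
import re
from email import policy
from typing import Callable, Dict, List

# Constructed sample message (not a real campaign): one link in the body, one HTML attachment.
SAMPLE_EML = """From: helpdesk@example.invalid
To: student@university.invalid
Subject: Action required: mailbox storage full
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your mailbox is full. Verify at https://docs.example.invalid/verify now.
--b1
Content-Type: application/octet-stream; name="invoice.htm"
Content-Disposition: attachment; filename="invoice.htm"
Content-Transfer-Encoding: base64

PGh0bWw+PC9odG1sPg==
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Assumed verdict vocabulary for this example, ranked from most to least severe.
VERDICT_RANK = {"malicious": 2, "suspicious": 1, "no threats": 0}


def extract_artifacts(raw: str) -> List[Dict[str, str]]:
    """Return every submittable artifact: attachments (hashed) and URLs found in text parts."""
    msg = email.message_from_string(raw, policy=policy.default)
    artifacts: List[Dict[str, str]] = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            artifacts.append({
                "type": "file",
                "name": part.get_filename() or "unnamed",
                "sha256": hashlib.sha256(data).hexdigest(),
            })
        elif part.get_content_type() == "text/plain":
            for url in URL_RE.findall(part.get_content()):
                artifacts.append({"type": "url", "name": url, "sha256": ""})
    return artifacts


def decide(filter_verdict: str, sandbox_verdicts: List[str]) -> str:
    """Combine the filter's verdict with behavioral verdicts.

    Observed behavior wins: a filter verdict of 'clean' never overrides a
    malicious sandbox result, which is the case the email filters missed.
    Unknown sandbox labels are treated as suspicious rather than ignored.
    """
    worst = max((VERDICT_RANK.get(v, 1) for v in sandbox_verdicts), default=0)
    if worst == 2:
        return "block_and_purge"
    if worst == 1 or filter_verdict == "suspicious":
        return "escalate_to_analyst"
    return "release"


def triage(raw: str, filter_verdict: str,
           submit: Callable[[Dict[str, str]], str]) -> Dict[str, object]:
    """Run one reported message through extraction, submission and decision."""
    artifacts = extract_artifacts(raw)
    verdicts = [submit(a) for a in artifacts]
    return {
        "artifacts": artifacts,
        "sandbox_verdicts": verdicts,
        "action": decide(filter_verdict, verdicts),
    }


def fake_sandbox(artifact: Dict[str, str]) -> str:
    """Test double for the sandbox submission (an assumption of this example, not a real API).

    Flags HTML attachments as malicious and everything else as clean, so the
    sample reproduces the 'filter said clean, sandbox says malicious' case.
    """
    name = artifact["name"].lower()
    return "malicious" if name.endswith((".htm", ".html")) else "no threats"


if __name__ == "__main__":
    result = triage(SAMPLE_EML, "clean", fake_sandbox)
    for art, verdict in zip(result["artifacts"], result["sandbox_verdicts"]):
        print(f"{art['type']:4} {art['name']:45} -> {verdict}")
    print("action:", result["action"])
```

Replacing `fake_sandbox` with a function that submits the artifact to the real sandbox and returns its verdict is the only change needed to turn the sketch into a working pipeline; the extraction and decision logic do not depend on which sandbox sits behind `submit`.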

Reducing Risk in Access Control  

Beyond email security, ANY.RUN’s solution helps the team manage internal requests regarding blocked websites. When students or staff encounter a firewall block, the security team uses the sandbox to determine if a site is truly malicious or merely misclassified.   

“We can take a look at a [potential threat] and see what’s going on and have actual analytics around it.”

This visual verification allows them to see if a legitimate website has been hijacked to serve malware, providing the analytics needed to make accurate access decisions. The team confidently requests re-categorization from their firewall vendor based on observed behavior.  

With ANY.RUN, access decisions have become faster and more defensible. Analysts have concrete behavioral evidence to support allow or block actions, reducing unnecessary restrictions for users while maintaining security.  

Meeting Compliance and Cyber Insurance Requirements  

UMass Boston operates under frequent state audits that require detailed evidence of security processes. These are directly tied to regulations such as FERPA, which governs the protection of student data, and the Massachusetts Data Security Law, which mandates safeguards around personal information and access control.  

Modern auditors demand documented artifacts and evidence of how the university manages security. ANY.RUN’s sandbox gives the team this proof. Each analysis shows what the threat does, making it easier to explain decisions and demonstrate how incidents are handled.  


Having a dedicated sandbox environment is also a mandatory requirement for many cyber insurance brokers to maintain coverage. Adopting the solution allowed the university to fill a previous gap in their compliance posture and meet these rigorous insurance standards. 

A Practical Model for Teams Facing Similar Challenges

The security model developed at UMass Boston is starting to extend beyond a single campus, particularly among teams operating with similar staffing constraints. The team regularly shares real cases and demos with other SISOs and security teams, including peers at Bridgewater State University.   

“We have shown people demos and told them that we have also had that problem and this is how we fixed it.”

For teams with limited resources, the sandbox-driven approach provides a way to handle more threats without increasing headcount, while lowering the risk of missed or misclassified incidents.  

Conclusion  

The UMass Boston case highlights how a lean team can successfully defend a massive research institution by relying on a multi-layered “mesh approach” in security and powering it with effective solutions like ANY.RUN’s Interactive Sandbox.  

We would like to thank the University of Massachusetts Boston for allowing us an inside look at their security operations. We are especially grateful to Daniel Mayer, Endpoint Security and Threat Hunting Specialist, and Alison Murray, Senior Information Security Specialist, for sharing their time and professional insights.    

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps SOC teams, MSSPs, and enterprises investigate threats faster and make more confident security decisions. 

With its cloud-based Interactive Sandbox, security teams can safely analyze suspicious files, links, and emails in real time, observe malicious behavior, and receive clear evidence for response without maintaining complex in-house infrastructure. 

ANY.RUN’s Threat Intelligence solutions also help organizations uncover threat context, enrich security workflows, and improve visibility into emerging risks. Together, these capabilities support faster triage, stronger incident prevention, and more efficient security operations at scale. 

