The New Standard for URL Analysis: Closing Phishing Blind Spots with In-Browser Data Inspection 

Modern URL phishing relies on dynamic pages, credential harvesting flows, client-side scripts, and layered redirect chains. But most SOC workflows are still built around static analysis, making them blind to most of these tactics. 

ANY.RUN changes this forever with in-browser data inspection. 

The new technology takes URL analysis to the next level by bringing static and dynamic analysis into one single workflow. Now, every phishing URL’s behavior like script execution and redirects is visible to the analyst in real time, leaving no blind spots for attackers to exploit.  

Available to all ANY.RUN users, this new layer of URL phishing visibility provides a massive boost for the triage and response speed for SOC & MSSP teams, enabling them to see and contain critical attacks before they become incidents. 

Before vs. After: Fixing Slow and Painful URL Triage Process 

Right now, the typical URL analysis process for most SOC and MSSP teams looks like this: A suspicious URL comes in, and the analyst starts assembling context. They scan the URL to get basic info, sandbox it to see what it does, trace redirects, inspect traffic, and still have to piece everything together manually to make a decision. 

This turns every alert into a time-consuming task. Analysts spend extra time validating signals, escalate cases by default, and still risk closing malicious URLs without fully understanding their behavior.  

URL Analysis with ANY.RUN: Full Static & Dynamic URL Context within Seconds 

In-browser data inspection solves this friction by giving you the full static and dynamic URL context in just one click. The page executes in a real browser, and everything that matters, redirects, scripts, DOM changes, user-facing content, is captured and presented to you in a single view. No tab switching. 

The result is an instant view of the attack in one place: How the user is redirected, what scripts drive the interaction, where data is collected, and how the phishing flow is constructed end-to-end.  

The context that used to take up to an hour to collect is now delivered within seconds, complete with a verdict and ready for confident next-step decisions. 

Why Existing URL Investigation Approaches Fall Short 

Many security solutions still lack the dynamic browser-level visibility needed to clearly understand how a phishing attack unfolds in real time, resulting in critical gaps: 

• Analysts may see a screenshot of the final page, but not the full path that led to it: redirects, scripts, iframe activity, and intermediate page states 

• Limited visibility into the forms, content, and user-facing elements the victim actually saw and interacted with 

• Missing context around DOM changes, injected content, and dynamically loaded elements during page execution 

• Reliance on static page analysis instead of a dynamic, step-by-step view of real browser behavior 

• Lack of automatically collected DOM history that allows analysts to inspect page changes across different execution stages 

• No visibility into browser activity preceding WAF alerts or application logs 

Without browser-level inspection, critical evidence can remain hidden from investigators. As a result, analysts often need to combine multiple tools and data sources to fully understand a single URL. 

The Operational Impact of Visibility Gaps for Security Teams 

These visibility gaps create several operational challenges for SOC teams: 

• Fragmented Workflow: Reconstructing webpage behavior across multiple tools and data sources slows investigations, increases manual effort, and delays response. 

• Inefficient Resource Management: When analysts lack sufficient evidence to classify a URL confidently, potentially benign links are often escalated to senior team members, consuming valuable resources. 

• Phishing Analysis Gap: Solutions focused on file or network activity may miss critical phishing context, leaving analysts without sufficient browser-level evidence. 

As phishing attacks continue to rise, security teams need faster and more reliable ways to investigate suspicious URLs. In-browser data inspection closes this visibility gap by introducing a new layer of webpage-level investigation evidence. 

Beyond URL Scanning: Full Browser Visibility for Phishing Investigations 

As phishing and browser-based threats continue to grow in both volume and sophistication, it’s time for SOC and MSSP teams to upgrade their operations to match the reality of modern attacks. 

Available to all ANY.RUN users, in-browser data inspection introduces an investigation layer missing from many security operations today. Unlike workflows that force analysts to piece together evidence across multiple tools, ANY.RUN provides dynamic, in-depth browser visibility, making URL investigations faster, clearer, and more reliable. 

This new investigation layer enables SOC analysts to: 

• Instantly validate, enrich, and prioritize phishing threats using evidence that often remains hidden in conventional URL analysis workflows 

• Reduce uncertainty during investigations with direct visibility into what happens during execution 

• Reveal the complete attack chain, including redirects, executed scripts, iframes, and dynamically loaded content 

• Track browser and DOM changes across every stage of page execution 

• Gather the evidence required for fast triage, escalation, and response from a single investigation workflow 

• Access threat intelligence required for detection engineering, hunting, and campaign analysis 

All without leaving the sandboxing interface. 

Instead of relying solely on network logs or file traces, the new inspection method allows you to see all browser activity observed on the webpage, including forms, content, DOM changes, scripts, and redirects. This provides direct access to behavioral insights and evidence that often remain unavailable in URL analysis and sandboxing workflows. 

Unlike workflows that require analysts to manually reconstruct browser activity from multiple data sources, in-browser data inspection consolidates browser telemetry, page content, behavioral evidence, and threat intelligence into a single investigation experience. 

This allows teams to move from URL analysis to confident decisions faster, with less effort and greater visibility. The result is accelerated triage, more validated escalations, stronger detections, and more efficient security operations. 

Change the Way You Investigate Phishing with In-Browser Data Inspection 

In-browser data inspection changes how phishing investigations are performed. By delivering dynamic browser visibility within ANY.RUN’s Interactive Sandbox, it helps SOC and MSSP teams investigate threats faster, reduce uncertainty, and make more confident incident response decisions. 

Instead of piecing together screenshots, redirects, page content, browser artifacts, and external intelligence from multiple tools, analysts receive a complete browser-level investigation within a single workflow. 

To start your investigation, simply open the Browser Data tab to access a complete, dynamic view of the web page execution. It’s available within every URL analysis in ANY.RUN’s Interactive Sandbox. 

View analysis 

Understand the Attack Flow 

The Browser Data within ANY.RUN’s Interactive Sandbox provides the entire web page execution tree, from initial URL to the final page view, featuring all redirects and activated iframes. Color highlights and tags point to the pages responsible for triggering detections. 

Investigation outcome: Accelerate triage and escalation decisions by gaining an immediate overview of the dynamic attack flow and identifying the most relevant stages for further analysis. 

Detailed HTTP Requests data provides complete visibility into redirects, requests, and responses generated during page execution.  

Investigation outcome: Improve threat validation and detection engineering by reconstructing redirect chains and collecting evidence for IDS detections and network-based hunting rules. 

Analyze Browser-Level Behavior 

Explore browser-level telemetry, including triggered signatures, domain, URL, and IP statistics, as well as rendered screenshots of the analyzed page. 

Investigation outcome: Improve threat validation and detection engineering by reconstructing redirect chains and collecting evidence for IDS detections and network-based hunting rules. 

To see which code fragments were added to the DOM after the page loaded, go to the HTML DOM Changes tab for deobfuscation. It will reveal what static analysis misses: 

View analysis 

In-browser data inspection captures the fully rendered and interactive state of the page, allowing the analyst to see the actual behavior, including hidden forms, redirects, and user interaction logic that were impossible to understand statically. 

Investigation outcome: Strengthen threat hunting and detection engineering by identifying phishing elements, reconstructing the loading process, and extracting behavioral artifacts. 

Expand the Investigation Beyond the Initial Sample 

Collected Indicators include URLs, domains, IP addresses, and hashes of web content associated with the analyzed page. 

Investigation outcome: Expand investigations beyond a single sample by developing pivoting hypotheses and uncovering attacker-controlled infrastructure. 

Content extracted from web page snapshots can also be used to create custom hunting and detection rules backed by ANY.RUN Threat Intelligence. 

In this example, a YARA rule created from a single phishing page identified 145 related samples within Threat Intelligence Lookup & YARA Search: 

Investigation outcomes: 

• Expand visibility beyond a single URL or alert 

• Validate threat hunting hypotheses with browser-level evidence 

• Assess the scale of an attack campaign 

• Develop resilient detections based on attacker tooling and page artifacts 

Turning Powerful Visibility into Stronger Security Outcomes 

By combining interactive sandboxing, full browser-level visibility, and threat intelligence sourced from over 15,000 security teams, ANY.RUN transforms URL investigations from fragmented, manual analysis into fast, evidence-based decision-making. 

Through eliminating visibility gaps and reducing the need for disconnected tools, security teams can improve outcomes across the entire investigation workflow: 

• Faster triage and fewer unnecessary escalations: With immediate access to browser-level evidence, Tier 1 analysts can validate suspicious URLs faster and escalate fewer benign cases, improving productivity and reducing pressure on senior teams. 

• Smoother handoff and incident response: When escalation is required, Tier 2 analysts receive a complete evidence package rather than disconnected indicators, accelerating validation and reducing MTTR. 

• Stronger detection engineering: Browser telemetry provides a new source of intelligence for building custom detections, hunting hypotheses, and phishing signatures based on real-world attack behavior. 

• Structured reporting: Built-in SOC-ready reports transform complex investigations into decision-ready intelligence, simplifying triage, escalation, response, and stakeholder communication. 

For enterprises and MSSPs, these operational improvements translate into faster investigations, more efficient use of analyst resources, stronger phishing defenses, and the ability to scale security operations without proportionally increasing workload. 

Conclusion 

In-browser data inspection closes a critical visibility gap in modern phishing investigations. With it, SOC analysts and threat hunters can investigate phishing attacks directly inside ANY.RUN without manually extracting web content from traffic captures, reconstructing redirect chains, or comparing raw page source against the content rendered in the browser. 

Instead, all browser-level evidence is collected, correlated, and presented within a single investigation environment, helping enterprise security teams investigate threats faster and respond with greater confidence. 

About ANY.RUN 

ANY.RUN helps SOC teams, MSSPs, and enterprises investigate cyber threats faster through interactive malware analysis and threat intelligence. 

Its cloud-based Interactive Sandbox enables security teams to safely analyze suspicious files, URLs, and emails in real time, observe attack behavior as it unfolds, and collect actionable evidence for rapid response. 

ANY.RUN’s Threat Intelligence solutions provide additional context around threats, infrastructure, and attacker activity, helping organizations enrich investigations, streamline security workflows, and improve threat detection. Together, these capabilities enable faster triage, more informed decision-making, and more efficient security operations at scale. 

FAQ