Security leaders are under growing pressure to reduce the time between threat detection and response without adding more complexity to already overloaded SOC workflows. ANY.RUN’s May updates help teams act on security risks more efficiently, improve consistency across investigations, and maintain stronger protection as attacker tactics continue to evolve.
Discover the updates your team can use to strengthen SOC performance, reduce response delays, and stay ahead of emerging threats.
Product Updates
In May, ANY.RUN introduced new capabilities to help SOC and MSSP teams reduce investigation delays, improve threat visibility, and make faster response decisions. The updates include decision-ready Tier 1 Reports with AI-powered insights and a new Threat Intelligence Feeds integration with Elastic Security.
Reduce Investigation Delays with Decision-Ready Tier 1 Reports
SOC teams can now generate structured Tier 1 Reports directly in ANY.RUN’s Interactive Sandbox, turning complex analysis findings into clear, actionable intelligence for faster response decisions.

Instead of reviewing raw technical data or rebuilding investigation context during escalations, teams receive a ready-to-use report with a threat verdict, key IOCs, behavioral indicators, and MITRE ATT&CK mapping. Each report also includes an AI Summary with threat classification, a concise overview of the incident, and recommendations for the next response steps.

This gives SOC managers, Heads of SOC, and CISOs a clearer view of incident severity, potential business impact, and response priorities while helping teams move cases forward without unnecessary delays.

With Tier 1 Reports, your SOC can:
- Accelerate alert triage: Help Tier 1 teams validate threats and make faster escalation decisions.
- Reduce investigation delays: Give Tier 2 and incident response teams structured context without requiring them to reconstruct the case from raw data.
- Improve SOC efficiency: Reduce repetitive reporting work and free senior teams to focus on high-priority incidents.
- Strengthen business-risk visibility: Help decision-makers understand which threats require urgent action and where response efforts should be focused.
- Standardize incident reporting: Create consistent, easy-to-share reports for faster internal communication and more informed decisions.
Unlimited Tier 1 Report generation, including AI Summary and Recommendations, is available with Enterprise Suite and Hunter plans. Free plan users receive five shared generations.
ANY.RUN Threat Intelligence Feeds Are Now Available in Elastic Security
SOC and MSSP teams can now integrate ANY.RUN Threat Intelligence Feeds directly into Elastic Security to bring fresh, sandbox-backed IOCs into their existing workflows.
Built from live sandbox investigations across more than 15,000 organizations and a community of 600,000 security professionals, ANY.RUN Threat Intelligence Feeds provide indicators linked to active phishing, malware delivery, and attacker campaigns.
Once configured, the integration ingests IP addresses, domains, URLs, and other IOCs into Elastic Security on a scheduled basis. Each indicator includes additional context and a direct link to the related sandbox report, helping teams quickly understand threat behavior and TTPs.

Here is what your team gains:
- Detect threats early: Use fresh indicators from live attacks to identify malicious activity sooner.
- Validate alerts with real context: Use sandbox-backed evidence instead of relying only on static indicators.
- Reduce manual work: Eliminate repetitive enrichment steps and tool switching.
- Improve detection quality: Use high-confidence indicators in detection rules and correlation logic.
- Speed up triage and response: Access additional context directly in Elastic Security and make faster decisions.
The plug-and-play integration is available to teams with an active Threat Intelligence Feeds license (Threat Intelligence Live or Complete subscriptions).
Integrate ANY.RUN Threat Intelligence Feeds with Elastic Security →
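As an added illustration, not ANY.RUN's or Elastic's own code, the script below shows what a scheduled ingestion and an indicator match rule do with such a feed: each indicator becomes an ECS `threat.indicator` document carrying its type, first-seen time and a reference back to the sandbox report, and events are then compared against those documents field by field, the way Elastic Security's indicator match rule works through its threat mapping. The feed records, report URLs, feed name and event lines are constructed; the input schema is assumed rather than ANY.RUN's documented feed format; only the ECS field names and indicator type values are real.

```python
"""Added example: normalise sandbox-backed IOCs into ECS threat.indicator
documents and replay an indicator-match check over sample events."""
import ipaddress
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

FEED_NAME = "anyrun-ti-feeds"   # assumed feed name for this example
PROVIDER = "ANY.RUN"

# Constructed feed records. Documentation-range IPs and reserved example
# domains only; the schema is an assumption, not the real feed format.
SAMPLE_FEED = [
    {"type": "ip", "value": "203.0.113.45", "first_seen": "2025-05-12T09:14:00Z",
     "report": "https://app.any.run/tasks/00000000-0000-0000-0000-000000000001"},
    {"type": "domain", "value": "Login-Verify.Example.NET.", "first_seen": "2025-05-13T07:02:00Z",
     "report": "https://app.any.run/tasks/00000000-0000-0000-0000-000000000002"},
    {"type": "url", "value": "HTTP://CDN.Example.ORG/captcha/verify.php?id=7",
     "first_seen": "2025-05-14T18:40:00Z",
     "report": "https://app.any.run/tasks/00000000-0000-0000-0000-000000000003"},
    # Hash indicators are deliberately left unmapped here to show the skip path.
    {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e",
     "first_seen": "2025-05-15T11:00:00Z", "report": "https://app.any.run/tasks/0"},
]

def norm_domain(name: str) -> str:
    """Indicator match is an exact term match, so case and a trailing dot matter."""
    return name.strip().rstrip(".").lower()

def norm_url(url: str) -> str:
    """Lowercase scheme and host only; path and query stay case-sensitive. Fragments dropped."""
    p = urlsplit(url.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))

def to_ecs(rec: dict) -> Optional[dict]:
    """Map one feed record to a flat ECS threat.indicator document; None if unmapped."""
    doc = {
        "event.kind": "enrichment", "event.category": "threat", "event.type": "indicator",
        "threat.feed.name": FEED_NAME,
        "threat.indicator.provider": PROVIDER,
        "threat.indicator.first_seen": rec["first_seen"],
        "threat.indicator.reference": rec["report"],  # link back to the sandbox report
    }
    kind, value = rec["type"], rec["value"]
    if kind == "ip":
        addr = ipaddress.ip_address(value.strip())  # ValueError on junk: cheap feed sanity check
        doc.update({"threat.indicator.type": f"ipv{addr.version}-addr", "threat.indicator.ip": str(addr)})
    elif kind == "domain":
        doc.update({"threat.indicator.type": "domain-name", "threat.indicator.url.domain": norm_domain(value)})
    elif kind == "url":
        full = norm_url(value)
        doc.update({"threat.indicator.type": "url", "threat.indicator.url.full": full,
                    "threat.indicator.url.domain": urlsplit(full).hostname})
    else:
        return None
    return doc

def build_indicators(feed: list) -> list:
    return [d for d in (to_ecs(r) for r in feed) if d is not None]

# An indicator match rule is configured with a threat mapping: (event field, indicator field) pairs.
THREAT_MAPPING = [
    ("destination.ip", "threat.indicator.ip"),
    ("source.ip", "threat.indicator.ip"),
    ("dns.question.name", "threat.indicator.url.domain"),
    ("url.full", "threat.indicator.url.full"),
]
# Apply the same normalisation to event values so the exact comparison is fair.
EVENT_NORMALISERS = {"dns.question.name": norm_domain, "url.full": norm_url}

def indicator_match(events: list, indicators: list, mapping=THREAT_MAPPING) -> list:
    """Return (event.id, event field, indicator document) for every hit."""
    index = {}
    for doc in indicators:
        for _, ind_field in mapping:
            if ind_field in doc:
                index.setdefault((ind_field, doc[ind_field]), doc)
    hits = []
    for ev in events:
        for ev_field, ind_field in mapping:
            raw = ev.get(ev_field)
            if raw is None:
                continue
            value = EVENT_NORMALISERS.get(ev_field, str.strip)(raw)
            doc = index.get((ind_field, value))
            if doc is not None:
                hits.append((ev["event.id"], ev_field, doc))
    return hits

# Constructed events: one hit per indicator type, plus one benign event.
SAMPLE_EVENTS = [
    {"event.id": "e1", "source.ip": "10.0.0.8", "destination.ip": "203.0.113.45"},
    {"event.id": "e2", "dns.question.name": "LOGIN-VERIFY.example.net"},
    {"event.id": "e3", "url.full": "http://cdn.example.org/captcha/verify.php?id=7#x"},
    {"event.id": "e4", "destination.ip": "198.51.100.9", "dns.question.name": "www.example.com"},
]

if __name__ == "__main__":
    for event_id, field, doc in indicator_match(SAMPLE_EVENTS, build_indicators(SAMPLE_FEED)):
        print(event_id, field, doc["threat.indicator.type"], doc["threat.indicator.reference"])
```

The point a practitioner should take from it is the normalisation step: Elastic's indicator match compares terms exactly, so a feed indicator stored as `Login-Verify.Example.NET.` never matches a DNS log line that carries `login-verify.example.net`. Do the lowercasing and trailing-dot stripping once at ingest (an ingest pipeline in production) and make sure the event source does the same, and keep the `threat.indicator.reference` field populated so an analyst can pivot from the alert straight to the sandbox report.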
Threat Coverage Updates
In May, the detection team continued to strengthen ANY.RUN’s threat coverage by adding 120 new behavior signatures, 1,327 new Suricata rules, and 7 new YARA rules. These additions expand detection capabilities across suspicious behaviors, network-level activities, and file-based indicators.
New Behavior Signatures
The 120 new behavior signatures added in May cover malware-specific activities, mutex indicators, and exploitation-related behavior. These signatures focus on observable actions and artifacts that appear during detonation, helping security teams confirm sample behavior within the sandbox.
Highlighted detections include:
- ASYNCRAT (mutex)

Tools, RMM & Exploitation:
New Suricata Rules
A total of 1,327 new Suricata rules were implemented in May to improve visibility into malicious network activity, including phishing kit communications and C2 check-ins.
- Generic Fake Captcha HTTP activity (sid: 85007558): Detects fake captcha implementations used in the execution chains of various phishing campaigns.
- DrimKit related HTTP GET request (sid: 85007566): Identifies activity associated with the emerging phishing kit known as DrimKit.
- Tycoon2FA related JS file in HTTP response (sid: 84003241): Tracks client-side code loaded by phishing pages related to Tycoon2FA.
New Threat Intelligence Reports
In May, ANY.RUN released three new Threat Intelligence Reports providing in-depth analysis of recent malware activity and attacker techniques. These reports are available to TI Lookup Premium subscribers to support faster investigations.

- CLIPBANKER, KYCSHADOW, and SLOTAGENT: Analysis focusing on clipboard hijacking and related malicious agents.
- SHEETRAT, LOTUS WIPER, and CLOUDZ: Detailed examination of this RAT and associated wiper/cloud-based threats.
- STEALC, NFCMULTIPAY, and NWHSTEALER: Coverage of these specific stealers and their operational behaviors.
About ANY.RUN
ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps businesses and organizations strengthen security operations with faster threat understanding and clearer evidence for response.
Its solutions include the Interactive Sandbox for enterprise-scale malware and phishing analysis, as well as Threat Intelligence solutions built on investigation data from more than 15,000 organizations. This intelligence helps security teams enrich alerts, detect active threats earlier, and support investigation and response workflows with relevant context.
ANY.RUN is SOC 2 Type II attested, reflecting its strong security controls and commitment to protecting customer data. For SOCs, MSSPs, and enterprise teams, the platform helps reduce investigation uncertainty, improve triage speed, and turn threat analysis into actionable insights for faster, better-informed decisions.