By extracting encryption keys directly from process memory, it increases the detection rate of phishing inside the sandbox<\/strong>, helping every user and SOC team in our community to see critical threats early. <\/p>\n\n\n\n Phishing remains the #1 cyber risk for companies, and its scale is intensifying. Gartner predicts<\/a> that AI agents will cut the time required to exploit exposed accounts by 50 percent by 2027. This means that the window for early detection is shrinking. <\/p>\n\n\n\n A top challenge in identifying modern phishing<\/a> is encrypted HTTPS sessions. Credential harvesting, redirect chains, and token theft often look like normal web traffic. <\/p>\n\n\n For SOC teams, this means more uncertainty. Alerts require deeper validation. Escalations increase. Investigations take longer. The risk of missing credential compromise rises. <\/p>\n\n\n\n Encrypted traffic is typically inspected using man-in-the-middle (MITM) interception. While effective in specific scenarios, MITM is resource-intensive and can disrupt realistic analysis. As encryption becomes the default channel for phishing, this approach is no longer enough. <\/p>\n\n\n\n Detection must work at scale, without slowing confirmation or disrupting execution. <\/p>\n\n\n\n To remove one of the biggest obstacles in phishing detection for every ANY.RUN user<\/strong>, the Interactive Sandbox<\/a> now automatically decrypts HTTPS traffic by default, <\/strong>boosting visibility into the most evasive attacks. <\/p>\n\n\n Here\u2019s how it works: <\/p>\n\n\n\n By allowing Suricata rules and other detection mechanisms to analyze decrypted content immediately, phishing gets confirmed without extra steps<\/strong>, saving tens of minutes of analysts\u2019 time. <\/p>\n\n\n\n Since traffic decryption applies to 100% of sandbox sessions<\/strong>, the phishing detection<\/strong> coverage is now systematically wider and stronger<\/strong> across every investigation. <\/p>\n\n\n Our stats show a\u00a05x increase in SSL-decrypted phishing\u00a0detection <\/strong>after implementing the\u00a0new technology\u00a0in the sandbox.\u00a0This also provided an\u00a0extra 60K confirmed malicious URLs\u00a0<\/strong>to Threat Intelligence Lookup<\/a> monthly.\u00a0<\/p>\n\n\n\n For your SOC, this means: <\/p>\n\n\n\n By raising the sandbox\u2019s capability to catch evasive attacks, ANY.RUN transforms your entire triage & response <\/strong>pipeline to be quicker and more effective<\/strong>. <\/p>\n\n\n\n\nPhishing Pressure Is Rising. Detection Needs to Catch Up <\/h2>\n\n\n\n
![\"Traffic](\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image-1024x576.png\")
Scaling Phishing Detection Across Every Investigation with Automatic SSL Decryption <\/h2>\n\n\n\n
![\"Automatic](\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2-1024x576.png\")
\n
\n
\n
\n
\n
![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/SSL_results-1024x576.png\")
\n
\n
\n