BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
Threat Intelligence Lookup

Identify threats
with linked indicators

  • Searchable database of linked IOCs
  • Lookup by any event, field, or indicator
  • Real-world malware examples
  • Interactive matrix of popular TTPs
  • Real-time map of C2 locations
  • Web interface and RESTful API

What is Threat
Intelligence Lookup?

Threat Intelligence Lookup lets you query IOCs against a large database of tasks processed in ANY.RUN sandbox.

It provides context and actionable insights on events, IP addresses, domains, file hashes, URLs, and more, allowing you to quickly evaluate the risk of IOCs during incident response or threat hunting.

Efficiently find threats with our detailed lookup engine

Perform detailed searches to add context to indicators and find linked threats. Use a range of fields and conditions to refine your results.

  • Query by any specific field, from system-related indicators to network signatures
  • Combine conditions using AND conjunction
  • Type or paste your search criteria or select from a predefined list

Examine connected indicators and malware samples from search results

Use linked data from search results to understand how individual indicators or events tie to known threats. Each TI Lookup search shows linked:

  • Domains
  • URLs
  • Events
  • Files
  • Tasks
  • And more

Look up threats by any indicator or event and perform wildcard searches

Use any suspicious indicator found in your system to find contextual threat information and identify threats. You perform wildcard searches by:

  • Malware names
  • Events
  • Domains
  • IPs
  • URLs
  • TTPs
  • Registry fields 
  • Hashes
  • Files
  • Process fields
  • Suricata/Behaviour rules 
  • And more

Find threats by file contents
with yara search

Run YARA searches against 2TB of threat data collected over the course of a year by 400,000 researchers analyzing real-world attacks.

  • Receive search results in under 5 seconds.
  • Find real-world examples of malware usage.
  • Download matched files for further in-depth analysis.
  • Use your existing ANY.RUN TI Lookup request quota

To get started, reach out to our sales team

Track popular TTPs, malware families and Suricata detections

Get a better understanding of popular Tactics, Techniques, and Procedures.

  • Find TTPs by any field, event or indicator.
  • Better understand TTPs with real malware examples and see the risk level of each TTP.
  • View which malware families are gaining popularity at a glance
  • Get information on the most frequent Suricata rule detections

Look up C2 locations

Geolocate threats using a live map of known C2 origins

  • See malware families connected to known C2s
  • Find examples tasks involving those threats
  • Filter results by country or family

Track popularity of individual malware families

View real-time malware trends to adjust your security measures against likely threats.

  • Monitor how the popularity of specific malware changes over time
  • Extract fresh IOCs for prevalent malware families with ease
  • See which countries report the most instances of each malware family

Learn more about identified malware families

Learn more about individual malware families, track their popularity and easily find the most recent IOCs and samples

  • See the popularity of each threat over time
  • Collect associated hashes, IPs, domains, and URLs
  • Learn about execution patterns and distribution methods for each malware

A rich datasource of new malware samples

The information about recent threats comes from ANY.RUN’s interactive sandbox, trusted by over 400,000 analysts, SOC and DFIR team professionals.

  • 50+ million samples in the database
  • 14k new daily submissions
  • Only pre-processed, cleaned data makes it into our lookup service

Benefits of TI lookup for your business

  • Get a clearer view of adversaries' intent, capabilities, and targets and quickly identify the threat you are dealing with
  • Quickly link objects you are investigating to threats. Improve triage and prioritize alerts that need to be investigated or escalated using linked indicators
  • Learn more about threat behaviour with real-examples by instantly accessing dynamic analysis of identified threats

Interested to learn more?