Aleksey Lapshin, CEO at ANY.RUN, traces the origins of his work in malware analysis to the operational strain analysts face when relying on rigid tools, manual workflows, and fragmented reports during live incidents.
What began as a technical challenge evolved into a scalability problem as alert volumes grew and investigations needed speed, clarity, and context. As a former malware analyst, Lapshin experienced firsthand how repetitive tasks, ineffective sandbox outputs, and manual environment setup slowed response and contributed to analyst fatigue, especially among junior team members.
Lapshin emphasizes that understanding threats without digging through dozens of pages is critical during active incidents. He adds that AI-generated summaries help break down complex malicious behavior into clear insights, making it easier for junior analysts to learn and act more quickly.
Vishwa: Can you share your journey to founding ANY.RUN and what sparked your passion for malware analysis and sandboxing?
Aleksey: I’ve always been into reverse engineering and finding out how malware functions under the hood. In fact, my journey to ANY.RUN started when I worked as a malware analyst and had first-hand experience of struggling with ineffective tools in my day-to-day tasks. My colleagues faced the same challenges.
It was clear that most of the products we used put business interests first and completely ignored the needs of engineers. Often, to find anything useful in an automated sandbox report, you had to already know where to look, which was not exactly helpful during actual incidents.
We also had to do a lot of things by hand, from setting up virtual machines on isolated computers to writing reports. This cost the company a great deal of time and resources and did not provide the results we needed. Basically, there was a problem that had to be fixed.
My initial idea was to improve my team's workflow by removing all the repetitive manual tasks and bringing the process to a unified standard. I wanted analysts to have all the critical information right in front of them, without digging through dozens of pages. And in case they needed to go a step further, all the extra details had to be available with just one click. That was the maximum compromise I was willing to make.
I also wanted to let analysts quickly deploy virtual environments, where they could perform all the investigations and record them for the final report. That’s how I came up with the idea for a fully interactive malware sandbox.
Soon I realized that such a solution could help not only analysts alone, but entire SOC teams and the businesses they protect. By speeding up analysis with real-time visibility into threats’ behavior and hands-on control, companies could save time and resources while catching more threats.
This inspired ANY.RUN’s journey, and I'm glad that my vision is now shared by 15,000 businesses and 500,000 security professionals that use ANY.RUN today.
Vishwa: What allowed you to transform ANY.RUN from a tool for analysts into a service used by numerous companies around the world?
Aleksey: I think there were several factors that led to this, including the unique functionality of the service and our focus on growing the community.
From the very beginning, we focused on supporting security engineers who were swamped with repetitive tasks and feeling burned out. Our solution lets them break free from the ineffective routine by working with threats inside a dynamic and intuitive environment. This means they can spot and understand incidents in seconds, while also learning more about how threats work and growing their expertise with every analysis.
Engineers instantly see the value and have no problem demonstrating it to their managers and leaders. That's why SOC teams and businesses adopt our sandbox naturally, not because it’s imposed from the top down. This makes it easy for teams to integrate it into their workflows.
ANY.RUN’s interactivity stood out against the automated sandboxes available at the time. Analysts could control the virtual environment, triggering threats in real time, which made analysis faster and more effective than waiting for automated runs, which sometimes required several attempts to detonate just a single threat.
No matter how much you automate the process, with the current rate of malicious activity and increasingly sophisticated attacks, some manual work is inevitable.
What we built was a direct response to the businesses' needs. We were the first to prove this approach works, and we’re still pushing it forward. We also offered a free tier from the start to build a community around the service, which drew in users worldwide. As more SOC professionals adopted ANY.RUN, their managers noticed significant improvements in performance and began reaching out to us with requests to accommodate more team members.
To meet the growing demand, we introduced an Enterprise plan with collaboration features and privacy controls, enabling managers to assign tasks and streamline workflows. We also added API support for easy integration of the sandbox with other security solutions of our clients.
Ultimately, this shifted ANY.RUN from a tool for individual analysts to a service for security teams, helping them protect their organizations more effectively.
Vishwa: What do businesses have to say about the product?
Aleksey: There are many reviews on G2 and Gartner that talk about the speed and depth of analysis brought by ANY.RUN. This contributes to our clients’ higher detection rates, less alert fatigue, and more confident decisions at different SOC levels, from triage to incident response and threat hunting.
To give you an example, Expertware, which is a leading IT consultancy in the EU, was able to cut the turnaround time for their malware investigation and IOC extraction processes by over 50%, which significantly accelerated their ability to mitigate incidents and reduce potential damage.
It’s also encouraging to hear clients saying that ANY.RUN helps with training. The analysis of real-world threats inside the sandbox comes with clear explanations and highlights of malicious behaviors. It builds analysts’ expertise and enhances their skills with every new session, letting them speedrun their onboarding.
As a result, companies transform new hires into job-ready professionals in less time, see continuous progress among team members, and spend less money.
Vishwa: How do you manage the balance between meeting business objectives and maintaining a strong, community-focused approach?
Aleksey: At ANY.RUN, we build our business around our community, so they are always in sync and work hand in hand. Many individual researchers and analysts contribute new malware and phishing samples to our public database of sandbox analyses, which is available to everyone for research.
The submissions they share help us expand the sandbox’s ability to detect emerging and evolving threats, which in turn lets the whole community, including commercial clients, SOC teams, and other professionals, spot more attacks and stop them faster.
This community-driven data also fuels our enterprise-oriented threat intelligence solutions, TI Lookup and TI Feeds, which help our clients achieve early threat detection in their infrastructure, reducing risks and response costs.
Vishwa: How do you determine the strategic direction of ANY.RUN's development in the context of a constantly evolving cyberthreat landscape?
Aleksey: ANY.RUN’s development decisions are always based on the current trends in cybersecurity, listening to user feedback, and prioritizing features that deliver measurable business value.
For example, to address the growing threats targeting corporate mobile devices and companies’ server infrastructure, we introduced Android and Linux VMs. This expanded coverage has helped SOCs gain visibility into a wider range of attack scenarios, solve more problems, and boost proactive security, which has improved their overall effectiveness.
Vishwa: What is your stance on the impact of machine learning and artificial intelligence on the future of malware analysis?
Aleksey: Machine learning and artificial intelligence are definitely transforming malware analysis, but they work best when paired with human expertise. We are already seeing plenty of research showing that a fully autonomous SOC is not possible. Companies chasing this goal could face overwhelming pressure on their Tier 2/3 teams by the end of next year. Handing all tasks to AI will still require skilled analysts to double-check its work. Meanwhile, there won’t be enough Tier 1 specialists to fill the gaps.
To address this challenge, we see Augmented Intelligence as the solution, where human analysts remain at the core of decision-making, while acquiring more knowledge and growing skills quicker with the help of AI. This way, Tier 1 tasks do not disappear; they are just performed a lot more efficiently and with a faster collection of critical threat info. We genuinely believe in this approach, and this is what drives our innovations: accelerating how quickly important knowledge is acquired.
One key feature where we utilize machine learning is Automated Interactivity, a sandbox mode that auto-detonates threats, ensuring quick, in-depth, and hands-free analysis of cyber attacks.
Thanks to machine learning, we are able to constantly expand the number of complex attack scenarios supported by our sandbox that cannot be auto-detected by other tools. These include phishing emails with attachments and documents with QR codes. The result for SOCs is hours of saved time, higher detection rate and accuracy, and faster response.
There is also a built-in AI summary tool in the sandbox. It analyzes malicious activities logged during a session and breaks down complex behaviors into easy-to-understand insights. This is especially helpful for training junior analysts, as it speeds up their learning and improves team efficiency.
Vishwa: What advice would you give to aspiring cybersecurity entrepreneurs based on your experience?
Aleksey: Find a real pain point that security teams face and solve it better than anyone else. When I started ANY.RUN, I saw analysts wasting hours on manual virtual machine setups and inconsistent threat analysis, which slowed down response and left companies vulnerable.
Focus on a specific issue like this and build a solution that’s simple and practical. Test your idea with real users early to ensure it hits the mark. Keep iterating based on what users say and deliver value fast to build trust and grow.