Malware analysis, without the compromise.

ThreatLab is an interactive malware analysis sandbox that runs entirely on your machine. No cloud uploads, no per-analysis fees, no session time limits. Just you, an isolated VM, and full control.

Launching Soon
OPEN BETA

We're looking for MSPs and security professionals to try out ThreatLab. Free access during Beta.

Requires Windows 10/11 Pro with Hyper-V enabled
Your Data Stays Yours

No samples uploaded to third-party clouds. No shared infrastructure. Everything runs locally on your own hardware.

No Limits, No Quotas

Run as many sessions as you want, for as long as you want. No daily upload caps, no per-analysis fees, no 5-minute session timeouts.

Built for MSPs

Transparent seat-based pricing that won't destroy your budget. Client-ready PDF reports. Multi-region VPN routing. Designed for your workflow.

One platform, fully loaded.
Everything you need for malware analysis and incident investigation in a single desktop application.
Interactive Sandbox: Isolated Hyper-V VMs with live desktop interaction, video recording, and full keyboard/mouse control.
Deep Visibility: Sysmon-powered monitoring across processes, network, files, registry, DLL injection, and credential access.
AI Threat Analysis: AI-powered threat assessment with risk scoring, behavioral analysis, and MITRE ATT&CK mapping.
PDF Reports: Professional, client-ready analysis reports generated from your session data. Brandable with your own logo.
VPN Routing: WireGuard tunnels across 4 regions with a kill switch. Malware never sees your real IP.
EVTX Analyzer: Built-in event log analyzer with 1,200+ Sigma rules. Timeline view, CSV/JSON export, severity filtering.
Quick Analysis: Instant URL threat assessment without spinning up a VM. Fast triage for suspicious links.
Session History: Recordings, screenshots, EVTX logs, reports, and all collected data preserved for every analysis. Your evidence library, always accessible.
Process Tree Visualization: Interactive process chain viewer with enriched data per node. Trace parent-child relationships, injection paths, and severity scoring across the full execution tree.
Custom Base Images: Create custom VM templates with pre-installed software, EDR tools, or client-specific configurations.

Why ThreatLab over cloud sandboxes?

✓ No per-analysis fees
✓ No file uploads to third parties
✓ No session time limits
✓ No shared infrastructure
✓ Full interactive control
✓ Unlimited sessions
Everything under the hood.
A detailed look at what ThreatLab brings to your security workflow.
Interactive Sandbox

Fully isolated analysis environments powered by Hyper-V

✓ Hyper-V Isolation: Each session runs in a dedicated VM cloned from a clean Windows 11 base image using differencing disks.
✓ Live Desktop Interaction: Full keyboard and mouse control via VNC. Interact with malware exactly as an end user would.
✓ File & URL Analysis: Drop suspicious files or paste URLs. Samples are placed on the VM desktop for manual detonation.
✓ Video Recording: Automatic session recording from the moment you connect. Saved as WebM files for review.
✓ Session Save & Resume: Hibernate sessions and resume later. Pick up exactly where you left off.
✓ Multiple Concurrent Sessions: Run several analysis sessions simultaneously, each with its own isolated VM and monitoring.
✓ Configurable Resources: Adjust VM memory and CPU allocation per session based on your analysis needs.
✓ Network Isolation: One-click network isolation cuts internet access while keeping your VNC connection alive.
✓ Custom Base OS Images: Create modified VM templates with pre-installed software, EDR agents, or client configurations. Each session clones from your chosen image.
✓ Global Exclusions: Exclude known-good processes from monitoring across all sessions.
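The differencing-disk clone that the Hyper-V Isolation item describes, as an added PowerShell example. This is not ThreatLab's own code: the base image path, session directory, VM sizing and the virtual switch name are assumptions, and the script assumes a Private or Internal Hyper-V switch of that name already exists on the host.

```powershell
# Added example (not ThreatLab's code): start a disposable analysis VM as a
# differencing disk over a clean, read-only base image. Paths, names and the
# switch name are assumptions for illustration.
#Requires -RunAsAdministrator
param(
    [string]$BaseVhdx    = 'C:\ThreatLab\Base\Win11-Clean.vhdx',  # assumed: clean golden image
    [string]$SessionDir  = 'C:\ThreatLab\Sessions',
    [string]$SwitchName  = 'ThreatLab-Isolated',                  # assumed: Private/Internal vSwitch
    [int64] $MemoryBytes = 4GB,
    [int]   $CpuCount    = 2
)

$ErrorActionPreference = 'Stop'

# Never let a sample write to the golden image: mark it read-only so the only
# writable surface is the per-session differencing disk.
Set-ItemProperty -Path $BaseVhdx -Name IsReadOnly -Value $true

$sessionId = (Get-Date -Format 'yyyyMMdd-HHmmss') + '-' + [guid]::NewGuid().ToString('N').Substring(0, 8)
$vmName    = "TL-$sessionId"
$diffVhdx  = Join-Path $SessionDir "$vmName.vhdx"
New-Item -ItemType Directory -Path $SessionDir -Force | Out-Null

# Differencing disk: every write the sample makes lands here; the parent stays pristine.
New-VHD -Path $diffVhdx -ParentPath $BaseVhdx -Differencing | Out-Null

# Generation 2 VM attached only to the isolated switch, sized per session.
$vm = New-VM -Name $vmName -Generation 2 -MemoryStartupBytes $MemoryBytes `
             -VHDPath $diffVhdx -SwitchName $SwitchName
Set-VM -VM $vm -ProcessorCount $CpuCount -AutomaticStartAction Nothing -AutomaticStopAction TurnOff

# Guest Service Interface allows host<->guest file copy over VMBus; a sandbox
# does not need that path toward the host, so switch it off.
Disable-VMIntegrationService -VM $vm -Name 'Guest Service Interface'

Start-VM -VM $vm
"Session $vmName started on $diffVhdx"

# Teardown: deleting the differencing disk discards everything the sample did.
# Remove-VM -Name $vmName -Force; Remove-Item -Path $diffVhdx
```

The check worth doing after the script runs is `Get-VHD -Path $diffVhdx`, whose `ParentPath` must point at the golden image and whose `VhdType` must read `Differencing`; if a later step ever merges the child into the parent, the base is no longer clean and every following session inherits the contamination.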
Monitoring & Detection

Deep visibility into everything that happens inside the sandbox

✓ Sysmon Event Monitoring: Process creation, network connections, file system changes, registry modifications - all captured in real time.
✓ DLL Injection Detection: Non-system DLL loads, remote thread creation, and process access monitoring.
✓ Credential Access Monitoring: LSASS access detection distinguishes legitimate OS operations from credential theft attempts.
✓ Real-Time Threat Scoring: Events scored 0–10 in real time based on behavioral indicators, process chains, and known-bad patterns.
✓ Scheduled Task & Service Monitoring: Track persistence mechanisms: task creation, service installation, and startup modifications.
✓ Ransomware Canary Detection: Canary files placed in the VM detect ransomware behavior through continuous integrity checks.
✓ Windows Defender Integration: Choose to run sessions with Defender enabled or disabled. Defender alerts are captured when active.
✓ Privilege Switching: Toggle between Local Admin and Standard User during a live session to test behavior under different privileges.
✓ Certificate Store Monitoring: Detects modifications to Windows root and intermediate CA certificate stores, flagging potential MITM or rogue certificate installation.
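The kind of behavioural scoring that the Sysmon, DLL injection, credential access and threat scoring items describe, as an added example (not ThreatLab's code). It scores constructed Sysmon-style records for LSASS handle opens, remote thread creation, non-system DLL loads and Office-to-shell process chains. The score values, the `PROCESS_VM_READ` (0x10) test on `GrantedAccess` and the LSASS allow-list are illustrative assumptions that a real deployment tunes per base image.

```powershell
# Added example (not ThreatLab's code): score Sysmon-style events 0-10 on
# behavioural indicators. Sample records are constructed, the score table is
# illustrative and the allow-list is an assumption.

# Processes that legitimately open lsass.exe on a clean Windows 11 image (assumed list).
$LsassAllowList = @(
    'C:\Windows\System32\csrss.exe',
    'C:\Windows\System32\wininit.exe',
    'C:\Windows\System32\services.exe',
    'C:\ProgramData\Microsoft\Windows Defender\Platform\*\MsMpEng.exe'
)

function Test-AllowListed([string]$Image, [string[]]$AllowList) {
    foreach ($pattern in $AllowList) { if ($Image -like $pattern) { return $true } }
    return $false
}

function Get-EventScore {
    param([Parameter(Mandatory)] $Record)   # one Sysmon event as a PSCustomObject
    switch ($Record.EventId) {
        10 { # ProcessAccess: who opened a handle to whom, and with which rights
            if ($Record.TargetImage -notlike '*\lsass.exe') { return 1 }
            $mask = [Convert]::ToInt32($Record.GrantedAccess, 16)
            # PROCESS_VM_READ (0x10) or PROCESS_ALL_ACCESS (0x1FFFFF) is what dumpers ask for
            $readsMemory = (($mask -band 0x0010) -ne 0) -or ($mask -eq 0x1FFFFF)
            if (-not $readsMemory) { return 2 }
            if (Test-AllowListed $Record.SourceImage $LsassAllowList) { return 2 }
            return 9
        }
        8  { # CreateRemoteThread into another process
            if ($Record.SourceImage -eq $Record.TargetImage) { return 1 }
            if ($Record.SourceImage -like 'C:\Windows\System32\*') { return 3 }
            return 8
        }
        7  { # ImageLoad: unsigned DLLs or DLLs from user-writable locations
            $userPath = $Record.ImageLoaded -match '\\(Users|Temp|ProgramData)\\'
            if ($Record.Signed -eq 'false' -and $userPath) { return 7 }
            if ($Record.Signed -eq 'false' -or  $userPath) { return 5 }
            return 1
        }
        1  { # ProcessCreate: an Office parent spawning a shell is a classic maldoc chain
            $officeParent = $Record.ParentImage -match '\\(WINWORD|EXCEL|POWERPNT)\.EXE$'
            $shellChild   = $Record.Image -match '\\(powershell|pwsh|cmd|wscript|mshta|rundll32)\.exe$'
            if ($officeParent -and $shellChild) { return 7 }
            return 1
        }
        default { return 0 }
    }
}

function Get-Findings([object[]]$Records, [int]$Threshold = 5) {
    foreach ($r in $Records) {
        $score = Get-EventScore $r
        if ($score -lt $Threshold) { continue }
        [pscustomobject]@{
            Score   = $score
            EventId = $r.EventId
            Source  = if ($r.SourceImage) { $r.SourceImage } else { $r.Image }
            Target  = if ($r.TargetImage) { $r.TargetImage } else { $r.ImageLoaded }
        }
    }
}

# Constructed sample records (not real telemetry); field names mirror Sysmon's.
$Sample = @(
    [pscustomobject]@{ EventId = 1;  Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE' }
    [pscustomobject]@{ EventId = 7;  Image = 'C:\Users\analyst\AppData\Local\Temp\invoice.exe'; ImageLoaded = 'C:\Users\analyst\AppData\Local\Temp\loader.dll'; Signed = 'false' }
    [pscustomobject]@{ EventId = 10; SourceImage = 'C:\Users\analyst\AppData\Local\Temp\invoice.exe'; TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1010' }
    [pscustomobject]@{ EventId = 10; SourceImage = 'C:\Windows\System32\csrss.exe'; TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1FFFFF' }
    [pscustomobject]@{ EventId = 8;  SourceImage = 'C:\Users\analyst\AppData\Local\Temp\invoice.exe'; TargetImage = 'C:\Windows\explorer.exe' }
)

# Four findings survive the threshold; the csrss.exe open of lsass.exe is allow-listed out.
Get-Findings $Sample | Sort-Object Score -Descending | Format-Table -AutoSize
```

The `GrantedAccess` test is the part that separates legitimate OS behaviour from theft: many system components open lsass.exe with query-only rights, so scoring on the target alone floods the analyst, while scoring on read/all-access rights from a non-allow-listed image is what actually singles out a dumper. The allow-list is matched on full image path, not file name, so a sample named csrss.exe in a Temp directory does not inherit the exemption.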
Analysis & Reporting

From raw events to client-ready deliverables

✓ AI-Powered Threat Analysis: Automated threat assessment with risk scoring, behavioral analysis, key findings, and MITRE ATT&CK mapping. Can be toggled on or off in settings.
✓ PDF Report Generation: Professional multi-page reports with executive summary, IOCs, severity distribution, and full technical details.
✓ Custom Report Branding: Replace the ThreatLab logo with your own company branding on generated PDF reports.
✓ EVTX Log Analyzer: Built-in Windows Event Log parser with timeline view, severity filtering, and event statistics.
✓ 1,200+ Sigma Detection Rules: Community-maintained Sigma rules bundled and applied during EVTX analysis for deep detection coverage.
✓ Quick URL Analysis: Instant URL threat assessment - domain age, WHOIS data, TLD reputation - without a VM.
✓ CSV & JSON Export: Export EVTX findings in CSV or JSON format for integration with other tools and workflows.
✓ EVTX File Download: Download raw EVTX files from any session for analysis in external tools or evidence preservation.
✓ Process Tree Visualization: Interactive process chain viewer with per-node enrichment. Network, file, registry, injection, and service activity mapped to each process with severity scoring and chain-aware filtering.
✓ Bring Your Own LLM: Connect your own API key from Anthropic, OpenAI, or Google for AI analysis. Keys encrypted locally with AES-256-CBC. Custom prompt instructions per analysis type.
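How a chain-aware process tree of the kind described under Process Tree Visualization (in the feature cards above and in this section) can be rebuilt from Sysmon Event ID 1 records, as an added example that is not ThreatLab's code. The records, the per-process severities and the `ProcessGuid`/`ParentProcessGuid` linkage are constructed for illustration; in a real session the severities would come from a scorer and the GUIDs from the Sysmon log.

```powershell
# Added example (not ThreatLab's code): link ProcessCreate records into a tree,
# roll the worst descendant severity up each chain, and filter whole chains on it.
# Events and severity values below are constructed.

$Events = @(
    [pscustomobject]@{ ProcessGuid = 'A'; ParentProcessGuid = '';  Image = 'C:\Windows\explorer.exe';                                      Severity = 0 }
    [pscustomobject]@{ ProcessGuid = 'B'; ParentProcessGuid = 'A'; Image = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE';  Severity = 1 }
    [pscustomobject]@{ ProcessGuid = 'C'; ParentProcessGuid = 'B'; Image = 'C:\Windows\System32\cmd.exe';                                  Severity = 4 }
    [pscustomobject]@{ ProcessGuid = 'D'; ParentProcessGuid = 'C'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe';     Severity = 6 }
    [pscustomobject]@{ ProcessGuid = 'E'; ParentProcessGuid = 'D'; Image = 'C:\Users\analyst\AppData\Local\Temp\invoice.exe';              Severity = 9 }
    [pscustomobject]@{ ProcessGuid = 'F'; ParentProcessGuid = 'A'; Image = 'C:\Windows\System32\notepad.exe';                              Severity = 0 }
)

function New-ProcessTree([object[]]$Records) {
    $nodes = @{}
    foreach ($r in $Records) {
        $nodes[$r.ProcessGuid] = [pscustomobject]@{
            Guid = $r.ProcessGuid; Parent = $r.ParentProcessGuid; Image = $r.Image
            Severity = $r.Severity; ChainSeverity = $r.Severity
            Children = [System.Collections.Generic.List[object]]::new()
        }
    }
    $roots = [System.Collections.Generic.List[object]]::new()
    foreach ($n in $nodes.Values) {
        # A parent with no ProcessCreate of its own (started before monitoring) becomes a root.
        if ($n.Parent -and $nodes.ContainsKey($n.Parent)) { $nodes[$n.Parent].Children.Add($n) }
        else { $roots.Add($n) }
    }
    return $roots
}

function Set-ChainSeverity($Node) {
    # Chain-aware score: a process inherits the worst thing any descendant did,
    # so an innocuous-looking explorer.exe -> WINWORD.EXE pair still surfaces.
    $worst = $Node.Severity
    foreach ($c in $Node.Children) { $worst = [Math]::Max($worst, (Set-ChainSeverity $c)) }
    $Node.ChainSeverity = $worst
    return $worst
}

function Write-ProcessTree($Node, [int]$Depth = 0, [int]$MinChainSeverity = 0) {
    if ($Node.ChainSeverity -lt $MinChainSeverity) { return }   # drop whole quiet chains
    $name = Split-Path -Leaf $Node.Image
    '{0}{1}  [self {2} / chain {3}]' -f ('  ' * $Depth), $name, $Node.Severity, $Node.ChainSeverity
    foreach ($c in ($Node.Children | Sort-Object ChainSeverity -Descending)) {
        Write-ProcessTree $c ($Depth + 1) $MinChainSeverity
    }
}

$roots = @(New-ProcessTree $Events)
foreach ($r in $roots) { Set-ChainSeverity $r | Out-Null }

# Keep only chains that reach severity 5: notepad.exe drops out, the
# explorer -> WINWORD -> cmd -> powershell -> invoice.exe chain stays intact.
foreach ($r in $roots) { Write-ProcessTree $r -MinChainSeverity 5 }
```

Filtering on the rolled-up chain severity rather than on each node's own score is what keeps the low-scoring ancestors in view; filtering per node would hide the Office parent that explains how the shell got there.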
Network & Privacy

Anonymous analysis with complete data sovereignty

✓ Multi-Region VPN Routing: WireGuard exit nodes in the US, UK, Germany, and Spain. Malware C2 never sees your real IP.
✓ VPN Kill Switch: Hypervisor-level ACLs block all internet if the tunnel drops. The VM cannot bypass it.
✓ 100% Local Execution: No samples uploaded anywhere. All analysis happens on your hardware. Complete data privacy.
✓ Direct Mode: Run sessions without VPN when anonymity isn't required or for testing internal network scenarios.
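A fail-closed egress policy of the kind the VPN Kill Switch item describes, expressed with Hyper-V extended port ACLs on the sandbox VM's virtual NIC, as an added PowerShell example that is not ThreatLab's code. It assumes the WireGuard client runs inside the guest as its default route, that the guest has a static address on the sandbox switch (DHCP is not let through), and that the analyst's VNC session enters the guest from the host's address on that switch; the VM name, exit node address, port and host address are placeholders.

```powershell
# Added example (not ThreatLab's code): hypervisor-enforced "tunnel or nothing"
# for a sandbox VM. VM name, WireGuard exit node, port and the host's address on
# the sandbox vSwitch are assumptions for illustration.
#Requires -RunAsAdministrator

function Set-SandboxEgressPolicy {
    param(
        [Parameter(Mandatory)] [string]$VMName,
        [string]$WgEndpoint = '203.0.113.10',   # assumed exit node (TEST-NET-3 documentation range)
        [int]   $WgPort     = 51820,
        [string]$HostMgmtIp = '192.168.100.1',  # assumed host address on the sandbox vSwitch (VNC source)
        [switch]$DirectMode                     # Direct Mode: no ACLs, plain egress
    )

    # Clean slate so re-applying the policy is idempotent.
    Get-VMNetworkAdapterExtendedAcl -VMName $VMName | Remove-VMNetworkAdapterExtendedAcl

    if ($DirectMode) { return }

    # Higher weight wins. Catch-all denies at the bottom in both directions
    # (omitting -RemoteIPAddress means "any").
    Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Action Deny -Direction Outbound -Weight 1
    Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Action Deny -Direction Inbound  -Weight 1

    # The only way out: UDP to the WireGuard exit node. Stateful, so the handshake
    # reply comes back without a general inbound allow. No DNS, no plain TCP.
    Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Action Allow -Direction Outbound -Weight 100 `
        -Protocol UDP -RemoteIPAddress "$WgEndpoint/32" -RemotePort $WgPort -Stateful $true

    # Keep the analyst's VNC connection alive, but only from the host side.
    Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Action Allow -Direction Inbound -Weight 100 `
        -Protocol TCP -RemoteIPAddress "$HostMgmtIp/32" -LocalPort 5900 -Stateful $true
}

function Show-SandboxEgressPolicy([string]$VMName) {
    Get-VMNetworkAdapterExtendedAcl -VMName $VMName |
        Sort-Object Weight -Descending |
        Format-Table Weight, Direction, Action, Protocol, RemoteIPAddress, RemotePort, LocalPort -AutoSize
}

# Isolated session: if the WireGuard peer is unreachable the guest has no
# fallback path, which is what "kill switch" means in this design.
Set-SandboxEgressPolicy -VMName 'TL-sandbox-01'
Show-SandboxEgressPolicy -VMName 'TL-sandbox-01'

# Direct Mode for internal-network scenarios:
# Set-SandboxEgressPolicy -VMName 'TL-sandbox-01' -DirectMode
```

The property worth noting is that the switch does not have to notice the tunnel dropping: the ACLs never admitted anything except packets to the exit node, so a dead tunnel simply leaves the guest with an allowed destination that does not answer. Because the rules sit on the vSwitch port rather than inside the guest, stopping the WireGuard service, flushing the guest firewall or adding a route from within the VM changes nothing about what can leave it.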
Platform & Management

Everything that makes ThreatLab production-ready for your team

✓ Web Management Portal: License management, seat allocation, machine tracking, downloads, and documentation.
✓ Built-in Issue Reporting: Report issues directly from the app with optional log attachment. Detailed application logging to disk.