SandGNAT

Automated Malware Sandbox Analysis

Detonate. Enrich. Investigate. Repeat.

The Problem

Suspicious artifacts pile up faster than analysts can detonate them

  • Manual sandbox submission is slow — each artifact is a ticket, a wait, a manual review
  • Results arrive in sandbox vendor formats — another normalization step before they're useful
  • Detonation findings are disconnected from the investigation they were triggered by
  • Repeat detonation of known samples wastes analyst time and sandbox capacity

The enrichment gap

An artifact in an investigation is a question mark until it's detonated. SandGNAT automates the answer — and puts it back in the investigation where the question was asked.

Capabilities

Automated detonation & artifact enrichment

  • Automated submission — GNAT routes suspicious artifacts to SandGNAT without analyst intervention
  • Detonation & behavioral extraction — file behavior, network calls, registry changes, dropped files, C2 indicators
  • STIX enrichment — findings published back to the GNAT investigation graph as structured objects
  • Deduplication — known samples aren't re-detonated; cached findings are returned immediately

Closed loop

An artifact enters the investigation as a question. SandGNAT detonates it, extracts behavioral indicators, and posts the answers back — automatically, without a separate queue or manual correlation step.

Architecture

Triggered by GNAT. Results back to GNAT.

  • Trigger (GNAT Workflow Engine): routes suspicious artifacts when investigation rules match
  • Detonation (SandGNAT): detonates the artifact in an isolated environment and extracts behavioral IOCs
  • Enrichment (Investigation Graph): detonation findings are published as STIX enrichment objects

The detonation pipeline is entirely internal to the ecosystem. No external sandbox vendor required — though connectors to third-party sandboxes are available.

Extraction

From detonation to structured intelligence

Network Indicators

C2 domains, IPs, URLs contacted during execution. Protocols used, ports, connection timing.

File Artifacts

Dropped files, written paths, created processes. Hashes for every artifact observed during detonation.

Registry & System

Registry keys written or modified. Service installations, scheduled tasks, persistence mechanisms observed.

Behavioral Profile

Execution chain, API calls, injection attempts, anti-analysis techniques detected during sandbox run.

MITRE ATT&CK Mapping

Behaviors mapped to ATT&CK techniques where applicable. Surfaces relevant TTPs automatically.

Verdict & Score

Malicious / suspicious / benign verdict with confidence score. Analyst retains final judgment.

Efficiency

Don't detonate the same thing twice

  • Every detonation result is cached by hash
  • When GNAT routes an artifact that was already detonated, cached results are returned immediately
  • Reduces sandbox capacity consumption — saves resources for novel samples
  • Deduplication works across investigations — findings from a previous case can enrich a new one

Cross-investigation value

When a hash recurs across investigations, SandGNAT surfaces its prior detonation history — connecting current activity to past findings automatically.
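To make the hash-keyed deduplication above and the STIX enrichment from the Extraction section concrete, here is an added example written for this page (not SandGNAT's own implementation): a cache that detonates a hash only once, records which investigations have asked about it, and emits the findings as a STIX 2.1 bundle. The `fake_detonate` stand-in, the report field names and all indicator values are constructed assumptions.

```python
import hashlib
import uuid
from datetime import datetime, timezone

def _stix_id(kind: str, seed: str) -> str:
    # Deterministic ids: the same finding maps to the same STIX object across investigations
    return f"{kind}--{uuid.uuid5(uuid.NAMESPACE_URL, f'{kind}:{seed}')}"

def _esc(s: str) -> str:
    return s.replace("\\", "\\\\").replace("'", "\\'")  # STIX pattern literal escaping

def _file(sha256_hex: str) -> dict:
    return {"type": "file", "spec_version": "2.1", "id": _stix_id("file", sha256_hex),
            "hashes": {"SHA-256": sha256_hex}}

def _indicator(pattern: str, name: str, ts: str) -> dict:
    return {"type": "indicator", "spec_version": "2.1", "id": _stix_id("indicator", pattern),
            "created": ts, "modified": ts, "name": name, "pattern": pattern,
            "pattern_type": "stix", "valid_from": ts}

def report_to_stix(sha256_hex: str, report: dict) -> dict:
    # Detonation report (constructed schema) -> STIX 2.1 bundle for the investigation graph
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objs = [_file(sha256_hex)] + [_file(h) for h in report.get("dropped_sha256", [])]
    for d in report.get("domains", []):
        objs.append(_indicator(f"[domain-name:value = '{_esc(d)}']", f"C2 domain {d}", ts))
    for k in report.get("registry_keys", []):
        objs.append(_indicator(f"[windows-registry-key:key = '{_esc(k)}']", "Persistence key", ts))
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objs}

class DetonationCache:  # hash-keyed report cache plus per-hash investigation history
    def __init__(self, detonate):
        self._detonate, self._entries = detonate, {}  # detonate: callable(bytes) -> report dict
    def submit(self, artifact: bytes, investigation_id: str) -> dict:
        h = hashlib.sha256(artifact).hexdigest()
        entry = self._entries.get(h)
        detonated = entry is None  # only a novel hash consumes sandbox capacity
        if detonated:
            entry = self._entries[h] = {"report": self._detonate(artifact), "investigations": []}
        prior = [i for i in entry["investigations"] if i != investigation_id]
        if investigation_id not in entry["investigations"]:
            entry["investigations"].append(investigation_id)
        return {"sha256": h, "detonated": detonated, "prior_investigations": prior,
                "stix": report_to_stix(h, entry["report"])}

def fake_detonate(artifact: bytes) -> dict:
    # Constructed stand-in for the sandbox run; values are sample data, not real indicators
    return {"domains": ["c2.example.test"],
            "registry_keys": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"],
            "dropped_sha256": ["e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"]}
```

A second submission of the same bytes from a different investigation returns the cached bundle without detonating and lists the earlier investigation as prior history.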

Ecosystem Integration

Detonation findings power the wider investigation

SenseGNAT

Network IOCs extracted by SandGNAT feed SenseGNAT's anomaly detection. C2 domains and IPs from detonation become behavioral indicators to watch for in live traffic.

RedGNAT

ATT&CK techniques mapped by SandGNAT seed RedGNAT validation runs. Confirm whether your defenses catch what the sample actually does — not what you assume it does.

A single detonation can simultaneously enrich a network detection rule, validate a detection capability, and close an investigation finding — all from the same artifact.

For Analysts

Every artifact gets an answer. Automatically.

  • Suspicious artifacts are detonated without a separate submission step
  • Detonation results appear in your investigation graph — no context switch to a sandbox console
  • Behavioral indicators from detonation are linked to the artifact and to the broader investigation
  • MITRE ATT&CK mappings surface relevant TTP context immediately
  • Prior detonation history surfaces automatically when a hash recurs

Adoption

Getting started with SandGNAT

  1. Have GNAT core deployed with the workflow engine active
  2. Deploy SandGNAT and configure the GNAT connector
  3. Configure routing rules in GNAT: which artifact types and sources trigger automatic submission
  4. Run a test investigation — submit a known sample and verify detonation results land in the graph
  5. Tune routing rules to match your operational tempo and sandbox capacity
Start narrow: route only files from high-confidence suspicious sources. Expand as you validate the pipeline.