
Know your adversary. Stop breaches.

CrowdStrike Falcon® Counter Adversary Operations


The industry’s only unified intelligence and hunting team built to disrupt adversaries.

CrowdStrike 2025 Global Threat Report:
Discover the latest emerging threats

Download the report
What's new

The Rise of Cross-Domain Attacks

Defend Against FAMOUS CHOLLIMA Insider Threats

Adversary Universe Podcast

Know them. Find them. Stop them.

Get a proactive, intelligence-driven defense

Risk Posture: 80% improvement in risk posture by continuously strengthening security defenses [1]

Research Time: 11k hours less in threat research time with insights from CrowdStrike experts [1]

Annual Savings: $3M average yearly savings in security operations through end-to-end intelligence automation [1]

Threat intelligence and hunting. Powered by CrowdStrike.

CrowdStrike Counter Adversary Operations Overview (3 minute watch)

CrowdStrike Falcon® Adversary OverWatch Overview (2 minute watch)

CrowdStrike Falcon® Adversary Intelligence Premium Overview (4 minute watch)

Unified threat intelligence and hunting

Counter Adversary Operations delivers 24/7 threat hunting across all domains and automated investigation tools to outpace adversaries.

Make every security layer smarter

Integrate threat intelligence across your defenses for better and faster decisions.

All-domain threat hunting

CrowdStrike Falcon® Adversary OverWatch is the industry’s first and only 24/7 managed threat hunting service that proactively hunts adversaries across all attack surfaces. It leverages CrowdStrike first-party endpoint, identity, and cloud data, extended to available third-party Next-Gen SIEM data for a comprehensive picture. Powered by industry-leading threat intelligence and advanced AI, our experts never sleep to stop the breach.

Monitor your brand for fraud

See threats beyond your perimeter with real-time intelligence that uncovers domain impersonations, exposed credentials, and data leakage through customizable monitoring rules. We’re watching for any threat to your brand.

Know your adversary

CrowdStrike Falcon® Adversary Intelligence provides detailed profiles of 255+ adversaries, including nation-states, eCrime groups, and hacktivists. Each profile breaks down their methods, maps their tactics to the MITRE ATT&CK™ framework, and reveals the vulnerabilities they exploit.

Advanced malware and threat analysis

Seamlessly integrated into your security operations, our advanced sandbox automates file, email, and command line analysis within seconds. Triage faster and get essential context for informed next steps.

Industry-leading intelligence reports and analysis

CrowdStrike Falcon® Adversary Intelligence Premium delivers thousands of intelligence reports each year and empowers your team to reduce the attack surface, improve defenses, guide threat hunters and detection engineers, and update leadership on the most relevant threats to your business.

Instantly deploy prebuilt hunting and detection libraries

Reduce the workload of in-house security engineering teams by accessing regularly updated libraries of hunting queries and detection rules created and validated by CrowdStrike experts.

Forrester names CrowdStrike a “Leader” in The Forrester Wave™: External Threat Intelligence Service Providers, Q3 2023

CrowdStrike received the highest ranking of all vendors in the Current Offering category, with the highest score possible in 16 criteria, surpassing all other vendors evaluated in the report.

See why customers trust CrowdStrike

Tabcorp trusts CrowdStrike to outpace adversaries

“CrowdStrike threat intelligence keeps Tabcorp updated on emerging threat actors, their motives, regions, and latest techniques, giving invaluable insights on what to protect against and how to tackle threats.”

Himanshu Anand, Head of Cyber Threat Management, Tabcorp

Customers trust CrowdStrike for threat intelligence (Gartner Peer Insights reviews)

Disrupt adversaries. Stop breaches.

Products and services to outpace threat actors.

Know them. Find them. Stop them.

Learn how the world’s most dangerous adversaries are targeting your industry.

Featured Resources

[1] CrowdStrike BVA: CrowdStrike BVA numbers are projected estimates of average benefits based on recorded metrics provided by customers with 50 security team members and 6 analysts during pre-sale motions that compare the value of CrowdStrike with the customer’s incumbent solution. Actual realized value will depend on the individual customer’s module deployment and environment.

Threat Intelligence FAQs

CrowdStrike Falcon® Sandbox FAQ

CrowdStrike Falcon® Sandbox is an automated malware analysis solution that empowers security teams by overlaying comprehensive threat intelligence with the results of the world’s most powerful sandbox solution. This unique combination provides context, enabling analysts to better understand sophisticated malware attacks and tune their defenses. Falcon Sandbox performs deep analysis of evasive and unknown threats, enriches the results with threat intelligence, and delivers actionable indicators of compromise (IOCs). Falcon Sandbox enables cybersecurity teams of all skill levels to increase their understanding of the threats they face and use that knowledge to defend against future attacks.

Hybrid analysis is a file analysis approach that combines runtime data with memory dump analysis to extract all possible execution pathways even for the most evasive malware. The combination of hybrid analysis and extensive pre- and post-execution analysis delivers a unique capability, resulting in the extraction of more IOCs than any other competing sandbox solution. All data extracted from the hybrid analysis engine is processed automatically and integrated into the malware analysis reports.

Hybrid-Analysis.com is a free online malware analysis community enabling users to submit files for free in-depth analysis. In addition, users can search thousands of existing malware reports or download samples and IOCs via the website and well-documented REST API.

Hybrid-Analysis.com is an independent service, powered by Falcon Sandbox, and is a great way to evaluate the Falcon Sandbox technology. It provides a subset of Falcon Sandbox capabilities. The following chart highlights a few of the differences:

Feature | Hybrid-Analysis.com | Falcon Sandbox

DETONATION ENVIRONMENTS
  Windows 7 (32/64)
  Windows 10
  Ubuntu 16 (64)

FILE SUBMISSIONS
  Max file submissions per month | Up to 30 as Guest | Up to 25,000
  Analyze files/archives
  Analyze URLs
  Submission without reCAPTCHA
  Re-analyze extracted files

DOWNLOADS
  Binary samples/PCAPs
  MAEC, STIX, MISP, OpenIOC
  PDF, JSON, HTML

REPORT FEATURES
  Risk view summary and verdict
  View all malicious/suspicious indicators (IOCs)
  View all network IDS rule triggers
  Full privacy for your reports

INTEGRATION
  CrowdStrike Intel integration (attribution, IOCs, IDS, YARA)
  Falcon MalQuery integration
  REST API for file submissions and search
  Support for SOAR tools (e.g. Phantom, Demisto)

Yes, files submitted to Falcon Sandbox are private. All submitted files and associated reports are stored and maintained in the highly secure Falcon platform.

Authors of modern malware are aware of sandbox technology and have instrumented their malware to stop or hide malicious activity when it detects an external process monitoring it. Traditional, first-generation sandbox monitors run at the application layer (user mode) to intercept system library calls, which is easily detected. Falcon Sandbox implements monitoring at the operating system level (kernel mode), leaving the target process untouched and making the monitor very difficult to detect. The Falcon Sandbox kernel mode monitor has proven robust and extremely effective against “in the wild” and most current malware samples. CrowdStrike’s world-class anti-sandbox and anti-VM detection technology (illustrated by benchmark tools such as Pafish or VMDE) enables analysis of most evasive malware. CrowdStrike constantly updates Falcon Sandbox to stay ahead of new evasion techniques and verifies its performance with in-house benchmark tools and with the public community offering Hybrid-Analysis.com, which is field-tested every day.

Falcon Sandbox scales automatically. You can easily process up to 25,000 files per month with the appropriate license. This level of scalability is provided without any infrastructure costs to you.

Falcon Sandbox supports PE files (.exe, .scr, .pif, .dll, .com, .cpl, etc.), Office documents (.doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub), PDF, APK, executable JAR, Windows Script Component (.sct), Windows Shortcut (.lnk), Windows Help (.chm), HTML Application (.hta), Windows Script File (.wsf), JavaScript (.js), Visual Basic (.vbs, .vbe), Shockwave Flash (.swf), Perl (.pl), PowerShell (.ps1, .psd1, .psm1), Scalable Vector Graphics (.svg), Python (.py) scripts, Linux ELF executables, MIME RFC 822 (.eml) and Outlook (.msg) files.

You can upload archives with or without a password: ace, arj, 7z, bzip2, gzip2, iso, rar, rev, tar, wim, xz and zip. If the archive is password-protected, the conventional password “infected” is required.

Falcon Sandbox enables users to take control by providing the ability to configure settings to determine how malware is detonated. These options include setting the date/time, environmental variables, setting command line options, providing passwords for PDF/Office prompts and more. In addition, you can select from many “action scripts” that will mimic user behavior (such as mouse clicks and movement, keyboard entry, etc.) during detonation to help expose malware attempting to hide from sandbox technology.

Behavioral indicators, similar to indicators of attack (IOAs), define high-risk activity, or a series of activities taken in sequence, that can be considered potentially malicious. Examples include adding an entry to an autostart registry key, changing a firewall setting, writing a known ransomware file to disk or sending data on unusual ports. Behavioral indicators provide a more complete view into the potential risk of a file and are used to identify previously unknown threats. Falcon Sandbox includes more than 700 generic behavioral indicators, which are constantly updated and expanded.
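The paragraph above lists four behavioral indicators by example. The program below is an added illustration, not Falcon Sandbox code, of how such indicators are evaluated over a sandbox event trace: four single-event rules (autostart registry entry, firewall change, ransomware-style file write, connection on an unexpected port) plus one sequence rule that only fires when an executable is dropped and a later autostart value points at it. The event schema, indicator names, severities, weights, verdict thresholds and both sample traces are assumptions constructed for this example.

```python
"""Behavioral-indicator evaluation over a sandbox event trace (added example).

The event schema, rule set, severities and thresholds below are assumptions
made for this illustration; they are not Falcon Sandbox's own.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Constructed reference data for the rules (assumed, not taken from the product).
AUTOSTART_KEYS = (
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
)
RANSOM_EXTENSIONS = (".locked", ".encrypted", ".crypt")
EXPECTED_PORTS = {53, 80, 443}
WEIGHTS = {"low": 1, "medium": 3, "high": 6}


@dataclass
class Event:
    seq: int    # order in which the sandbox observed the event
    kind: str   # registry_set | file_write | process_create | net_connect
    data: dict  # kind-specific fields: key/value, path, cmd, dst/port


@dataclass
class Indicator:
    name: str
    severity: str
    evidence: list = field(default_factory=list)  # seq numbers of matching events


def _is_autostart(e: Event) -> bool:
    return e.kind == "registry_set" and e.data["key"].lower().startswith(AUTOSTART_KEYS)


def autostart_entry(events: list[Event]) -> Optional[Indicator]:
    """Registry write under a Run key: a persistence indicator."""
    hits = [e.seq for e in events if _is_autostart(e)]
    return Indicator("autostart_registry_entry", "medium", hits) if hits else None


def firewall_change(events: list[Event]) -> Optional[Indicator]:
    """A process launched to alter firewall configuration via netsh."""
    hits = [e.seq for e in events if e.kind == "process_create"
            and "netsh" in e.data["cmd"].lower() and "firewall" in e.data["cmd"].lower()]
    return Indicator("firewall_setting_changed", "medium", hits) if hits else None


def ransomware_file(events: list[Event]) -> Optional[Indicator]:
    """A file written with an extension associated with ransomware families."""
    hits = [e.seq for e in events if e.kind == "file_write"
            and e.data["path"].lower().endswith(RANSOM_EXTENSIONS)]
    return Indicator("ransomware_file_written", "high", hits) if hits else None


def unusual_port(events: list[Event]) -> Optional[Indicator]:
    """Outbound connection to a port outside the expected set."""
    hits = [e.seq for e in events if e.kind == "net_connect" and e.data["port"] not in EXPECTED_PORTS]
    return Indicator("unusual_port_connection", "low", hits) if hits else None


def drop_then_persist(events: list[Event]) -> Optional[Indicator]:
    """Sequence rule: an executable is dropped, then a later autostart value points at it."""
    dropped = {e.data["path"].lower(): e.seq for e in events
               if e.kind == "file_write" and e.data["path"].lower().endswith(".exe")}
    for e in events:
        if _is_autostart(e):
            target = e.data["value"].lower().strip('"')
            if target in dropped and dropped[target] < e.seq:
                return Indicator("drop_then_persist", "high", [dropped[target], e.seq])
    return None


RULES = [autostart_entry, firewall_change, ransomware_file, unusual_port, drop_then_persist]


def evaluate(events: list[Event]) -> list[Indicator]:
    """Run every rule over the trace and collect the indicators that fired."""
    return [ind for rule in RULES if (ind := rule(events)) is not None]


def verdict(indicators: list[Indicator]) -> str:
    """Map the weighted indicator total onto a coarse verdict (thresholds assumed)."""
    score = sum(WEIGHTS[i.severity] for i in indicators)
    if score >= 10:
        return "malicious"
    if score >= 3:
        return "suspicious"
    return "no threats detected"


# Constructed traces: one that drops a payload, persists, disables the firewall,
# writes an encrypted document and beacons on an odd port; one that looks benign.
SAMPLE_TRACE = [
    Event(1, "process_create", {"cmd": r"C:\sandbox\sample.exe"}),
    Event(2, "file_write", {"path": r"C:\Users\victim\AppData\Roaming\svc.exe"}),
    Event(3, "registry_set", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                              "name": "svc", "value": r"C:\Users\victim\AppData\Roaming\svc.exe"}),
    Event(4, "process_create", {"cmd": "netsh advfirewall set allprofiles state off"}),
    Event(5, "file_write", {"path": r"C:\Users\victim\Documents\report.docx.locked"}),
    Event(6, "net_connect", {"dst": "203.0.113.10", "port": 4444}),
]
BENIGN_TRACE = [
    Event(1, "process_create", {"cmd": r"C:\sandbox\installer.exe"}),
    Event(2, "file_write", {"path": r"C:\Users\victim\Documents\notes.docx"}),
    Event(3, "net_connect", {"dst": "203.0.113.20", "port": 443}),
]

if __name__ == "__main__":
    for name, trace in (("sample", SAMPLE_TRACE), ("benign", BENIGN_TRACE)):
        found = evaluate(trace)
        print(f"{name}: {verdict(found)}")
        for ind in found:
            print(f"  [{ind.severity}] {ind.name} (events {ind.evidence})")
```

The sequence rule is the part worth studying: neither a dropped executable nor a Run-key write is conclusive on its own, but the ordered pair is a much stronger signal, which is why the paragraph distinguishes single activities from a series taken in sequence. Real engines carry hundreds of such rules and tune the weights against known samples.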

Falcon Sandbox supports Windows Desktop XP, Vista, 7, 8, 10 (32 and 64 bit) and Ubuntu/RHEL Linux (32 and 64 bit). We also support static file analysis for Android APK files.

Falcon Sandbox reports include an incident response summary, links to related sandbox analysis reports, many IOCs, actor attribution, recursive file analysis, file details, screenshots of the detonation, runtime process tree, network traffic analysis, extracted strings and IP/URL reputation lookups. Reports are also enriched with information from AlienVault OTX, VirusTotal and CrowdStrike Intelligence, providing threat actor attribution, related samples and more. You can review CrowdStrike’s Falcon Sandbox reports for examples.

Yes, Falcon Sandbox provides a variety of search options, including the ability to combine search terms. You can search for a virus family name, threat actor, specific file type, hash, #tag and whether a specific behavioral indicator was triggered. You can even find reports that have contacted a specific IP address, country, domain, URL and much more.

Recursive analysis is a unique capability that determines whether the analyzed file is related to a larger campaign, malware family or threat actor. Falcon Sandbox automatically searches the industry’s largest malware search engine for related samples and, within seconds, expands the analysis to include all of them. This gives analysts a deeper understanding of the attack and a larger set of IOCs that can be used to better protect the organization.

Falcon Sandbox is licensed on a subscription basis, based upon the number of files analyzed by Falcon Sandbox per month.

For more information, please contact us.