ANY.RUN Sandbox Reviews & Product Details

ANY.RUN has become one of the most valuable tools in my malware analysis workflow. The interactive sandbox is incredibly fast, intuitive, and gives me real-time visibility into process behavior, network traffic, file system actions, and registry modifications—all in one place. The fact that I can interact with the malware live (click buttons, enter text, browse folders) sets it apart from traditional static sandboxes.

The preconfigured analysis environments save a lot of time, and the ability to pivot into deeper analysis—like unpacking, process tree visualization, and network IOCs—is extremely helpful. Their public submissions database is also a great resource when hunting emerging threats.

What I Like Most:

Real-time interactive analysis

Beautiful and clear process tree visualization

Rich metadata and automatic extraction of IOCs

Easy to use even for junior analysts

Great for SOC, DFIR, and malware research Review collected by and hosted on G2.com.

Would love to see even more OS/Browser versions in interactive mode

Heavy samples sometimes take a bit longer to load—but still faster than many alternatives Review collected by and hosted on G2.com.

We utilize Any.Run Sandbox to analyze email attachments received from users in order to determine their legitimacy and identify potential malicious content. The sandbox environment allows us to safely observe the behavior of files or software in an isolated setting, ensuring our internal systems remain protected from exposure. Its very easy to use and convenient yet very powerful tool. Review collected by and hosted on G2.com.

The product has limitation like file size is very limited, the time is also limited some time the time runs out before the investigation completes. Review collected by and hosted on G2.com.

ANY.RUN sandbox provides a powerful and advanced Threat Analysis Platform, significantly improving and broadening visibility into potential threats that may impact your organization. Giving the opportunity to understand behavior of each sample that we intended to analyze, in addition to an enrichment of every Analysis with the different tools and third party sources that ANY.RUN enables to each Report based on this most important Security and Compliance Frameworks. Easy to understand and making it part of any IT Security Team that is trying to create a Threat Intelligence process on the organization make ease to implement and fit on internal Threat Intelligence Procedures. Review collected by and hosted on G2.com.

I would like to see a direct integration with the Crowdstrike Platform, so that all the intelligence provided by ANY.RUN can be incorporated into the security IT architecture of any organization aiming to address today's threats and adversaries. Review collected by and hosted on G2.com.

ANY.RUN is an easy to use platform that we use regularly to confirm nagging suspicions when something "nearly ok" makes it through email filters. The ability to quickly review all the actions of a nefarious link or file provides a clear visual aid to help new members of the team learn new vectors. Review collected by and hosted on G2.com.

The only problem I can think of isn't even an issue with ANY.RUN, but a testament to threat actors, is that many inspections stop as soon as infection products detect the presence of a VM, thus limiting insights. That being said, any time links don't fully resolve, it's a clear sign that we were right to be concerned. Review collected by and hosted on G2.com.

Clean and functional web interface

Support for multiple operating systems

Tor network support — useful for advanced threat analysis

Automatic TTP and IOC mapping — speeds up investigations

Wide range of options when launching the VM, e.g., define the execution path of the binary

Comprehensive reports — logs, screenshots, video, and full execution details Review collected by and hosted on G2.com.

Session time is very limited — in some cases it prevents completing more complex analyses

Low image quality during simulations — makes it hard to clearly observe visual behavior or interface details Review collected by and hosted on G2.com.

The best thing i like about any run sandboxing tool is that it provides a very accurate results and the GUI is very user friendly and easy to use.

It helps the user for easy implementation of the sandboxing.

I use this sandboxing tool very often and frequently as a part of my daily BAU. It consist of a variety of features which allows the user to analyse on ease.

Also, in case of any queries the customer support is very responsive and supportive.

It also provide various integration features to implement with our day-to-day tools for on the go use. Review collected by and hosted on G2.com.

The only thing i dislike is while entering a base-64 URL it gives an error for incorrect URL. Review collected by and hosted on G2.com.

I use ANY.RUN Sandbox to investigate files and URLs on a daily basis as part of my work as a Security Operations Engineer. Thanks to ANY.RUN Sandbox, we can privately investigate any file or web link for suspicious indicators. I love the ability to pick specific OS versions like Windows 10, 11, or Linux, and specific browsers such as Chrome or Edge. The easy-to-read timelines of events, from processes to network connections, give a good visual indicator of what's happening on the machine after opening a file or link. Being able to run different operating systems helps check for payloads targeting a specific OS. The event viewers for network connections or processes happening live are invaluable, providing a clear image of the machine's events, helping us understand how malware gains persistence and track its connections in a safe environment. The Text Report is another excellent tool that makes reporting easy for showcasing to management. Setting up ANY.RUN was incredibly easy, just creating a free account lets you start checking links or files safely. ANY.RUN is an invaluable part of my toolbox for everyday work. Review collected by and hosted on G2.com.

I would love to see more OS choices, from different Linux distros to even MacOS one day. The Text Report is an excellent tool, but it could use some summary feature that explains in text everything that happened, making it easier for management to understand. Review collected by and hosted on G2.com.

I find ANY.RUN Sandbox incredibly valuable as it allows me to safely detonate suspicious files or URLs and observe real-time behavior, which is essential for my role as a SOC analyst. The real-time interactive analysis is a feature I particularly appreciate, as it provides verdicts, IOCs, and risk scores within seconds, allowing me to make timely decisions and block malicious entities swiftly. The detailed reports offered by ANY.RUN Sandbox give me structured insights like MITRE ATT&CK mappings and behavioral timelines, which are crucial for accurate triage and seamless integration into SIEM/SOAR workflows. Eliminating the need to build a lab from scratch, ANY.RUN Sandbox offers a ready-to-use interactive environment that saves me both time and resources. It simplifies my investigations by eliminating manual VM setups, freeing me up to focus on high-value investigations. The tool's intuitive nature meant I could log in and start using it immediately, making the setup process effortless. The combination of these features significantly accelerates my investigations and enhances detection accuracy, making ANY.RUN Sandbox an indispensable tool in my cybersecurity toolkit. Review collected by and hosted on G2.com.

I find the limited free plan to be a constraint, as it does not allow for deep investigations without immediately needing an upgrade. The short VM timeouts of 60 seconds restrict the ability to fully observe multi-stage attacks that require more time for activities such as delayed payload drops or command and control callbacks. Additionally, the small file size limits of 16 MB hinder the testing of complex samples like bundled archives or installers, which are common in real-world attacks. Review collected by and hosted on G2.com.

I appreciate the ANY.RUN sandbox system because it functions like an online system, similar to a Docker or TryHackMe machine. This provides a valuable platform for IT security research, education, and the safe handling of suspicious and harmful content. One of the outstanding features is the detailed listing of reactions and triggered processes, which allows me to delve deeper into the analysis. The initial setup of ANY.RUN Sandbox was simple, enabling a smooth start with the tool. Overall, I find the service so beneficial that I would give it an unreserved recommendation with the highest rating of 10 out of 10. Review collected by and hosted on G2.com.

I use the free version of ANY.RUN Sandbox, where a 'detonation' is only available for a short time. This limitation means that I cannot always interact in time and may miss some activities that should be observed. Review collected by and hosted on G2.com.

I am able to watch as I safely detonate suspected malware. The report options, even for free users, is amazing, as are the TI Feeds which is critical to my work as a Cybersec Analyst. Any.Run is a tool I use to gather intel about emerging threats which while not affecting me directly, may, and I need to prepare for that. Lastly, the MITRE TTP IOCs are also important so I can perform adversary emulation more quickly. Review collected by and hosted on G2.com.

I wish there were more lower cost paid options, around $50 a month, but I understand why the price is so high given I work in this field and how important this data is. Review collected by and hosted on G2.com.