
Sandbox

An isolated execution environment for safely running and analysing suspicious software without risk to production systems.

What is a Sandbox?

A sandbox is an isolated computing environment in which suspicious software can be safely executed and its behaviour observed without risk to production systems. The sandbox emulates or virtualises the operating system, network and disk resources, creating a controlled laboratory for threat analysis.

In the security context, sandboxes are used in two main scenarios. In malware analysis, researchers run malicious samples in the sandbox to observe what files they create, what registry keys they modify, what servers they communicate with and what detection evasion techniques they employ. In automated detection, security solutions (email gateways, web proxies, EDR) automatically submit suspicious files to the sandbox and decide whether to block them based on behavioural analysis.

Advanced malware can detect that it is running in a sandbox (sandbox evasion) by checking for virtualisation tool artefacts, unusual hardware configuration, lack of user activity or accelerated passage of time. Modern sandboxes employ counter-evasion techniques: simulating user activity, masking virtualisation artefacts and delayed detonation.
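As an added illustration of how an automated detector turns a sandbox's behavioural report into a block/allow decision and a set of IoCs (example code written for this page, not code from the original page or from any real sandbox product), the Python below scores a constructed report against a few behavioural rules, including a long-sleep rule that signals a sample which may need delayed detonation. The report format, rule weights and block threshold are all assumptions.

```python
import json
from dataclasses import dataclass

# Constructed sample reports in an assumed, simplified sandbox format.
MALICIOUS_REPORT = json.dumps({
    "sample": "invoice.exe",
    "files_created": ["C:\\Users\\Public\\svchost32.exe"],
    "registry_set": ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"],
    "network": [{"host": "update-check.example", "port": 443}],
    "api_calls": [{"name": "Sleep", "ms": 600000}, {"name": "CreateProcessW"}],
})
BENIGN_REPORT = json.dumps({
    "sample": "notes.exe",
    "files_created": ["C:\\Users\\Public\\notes.txt"],
    "registry_set": [],
    "network": [],
    "api_calls": [{"name": "WriteFile"}],
})

# Behavioural rules: (description, predicate over the parsed report, weight).
RULES = [
    ("persistence via Run key",
     lambda r: any("\\CurrentVersion\\Run\\" in k for k in r["registry_set"]), 40),
    ("drops an executable into a user-writable path",
     lambda r: any(p.lower().endswith(".exe") and "\\users\\" in p.lower()
                   for p in r["files_created"]), 30),
    ("outbound network connection", lambda r: bool(r["network"]), 20),
    ("sleeps 5+ minutes before acting (possible evasion; delay the detonation window)",
     lambda r: any(c.get("name") == "Sleep" and c.get("ms", 0) >= 300_000
                   for c in r["api_calls"]), 25),
]

@dataclass
class Verdict:
    score: int          # 0..100, sum of matched rule weights, capped
    matched: list       # descriptions of the rules that fired
    iocs: dict          # indicators extracted from the observed behaviour

def analyse(report_json: str) -> Verdict:
    """Score one behavioural report and pull out the IoCs it contains."""
    r = json.loads(report_json)
    matched = [(desc, w) for desc, pred, w in RULES if pred(r)]
    score = min(100, sum(w for _, w in matched))
    iocs = {
        "files": list(r["files_created"]),
        "registry": list(r["registry_set"]),
        "hosts": sorted({n["host"] for n in r["network"]}),
    }
    return Verdict(score, [desc for desc, _ in matched], iocs)

def should_block(v: Verdict, threshold: int = 50) -> bool:
    """Gateway decision: block the file when its behaviour score crosses the threshold."""
    return v.score >= threshold
```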

Why does it matter?

A sandbox is an essential tool for both automated protection (sandbox-based detection) and manual malware analysis. It allows safe examination of malicious software behaviour, generation of indicators of compromise (IoCs) and understanding of attacker techniques - without exposing the organisation’s infrastructure.

Need help in this area?

Our experts will help you assess the risk and plan next steps.

Talk to an expert: +48 22 292 32 23