This repository provides integrations of the OpenCTI threat intelligence platform with three ANY.RUN services: the Interactive Sandbox, Threat Intelligence Lookup, and Threat Intelligence Feeds.
The connectors are Docker-ready, API-driven, and configured through environment variables in the usual OpenCTI connector style. By combining real-time sandbox intelligence with external data sources, they strengthen threat detection, investigation, and response workflows within the OpenCTI environment.
The connector for the Interactive Sandbox enables automated submission of files and URLs from OpenCTI for dynamic malware analysis. It retrieves detailed sandbox reports, including network activity, dropped files, and MITRE ATT&CK techniques, and uses them to enrich the corresponding observables in OpenCTI. These insights help analysts assess threats quickly, raise the detection rate, and shorten the delay between detection and response.
The connector for Threat Intelligence Lookup enriches OpenCTI artifacts with context from live attack data contributed by over 15K SOCs. It shortens investigation time by providing rapid verdicts and context for malicious URLs, IPs, domains, and hashes. This context helps security teams streamline triage, cut mean time to detect (MTTD), improve incident response, and surface hidden malware in high-alert-volume environments.
The connector for Threat Intelligence Feeds ingests high-fidelity indicators of compromise (IPs, domains, URLs) extracted directly from real-time detonations of the latest threats inside ANY.RUN's Interactive Sandbox. The feeds are refreshed every two hours, so SOC teams receive actionable intelligence on attacks that are still active in the wild. This lets SOCs monitor emerging threats and update defenses proactively, minimizing the risk of undetected attacks.
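The two data-producing paths described above, the sandbox report enrichment and the feed IOC ingestion, both end in STIX 2.1 objects that OpenCTI can import. The following is an added example, not code from the ANY.RUN connectors or from OpenCTI, showing how a sandbox report's network activity, dropped files and ATT&CK techniques become observables and relationships, and how a feed IOC becomes a STIX Indicator whose pattern literal is escaped. The report schema, task id, hashes and IOC values are constructed for the example; ANY.RUN's real report and feed formats are not reproduced here.

```python
"""Added example (not ANY.RUN or OpenCTI code): sandbox report and feed IOCs
to STIX 2.1 objects of the kind an OpenCTI connector would push.

The report layout below is an assumption made for the example, not
ANY.RUN's API schema.
"""
import json
import uuid
from datetime import datetime, timezone

# Namespace that STIX 2.1 defines for deterministic cyber-observable ids, so the
# same IP, domain or hash always maps to the same id and OpenCTI deduplicates it.
STIX_SCO_NS = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")

# Constructed sample report; field names and values are made up for the example.
SAMPLE_REPORT = {
    "task_id": "constructed-task-1",
    "verdict": "malicious",
    "sample": {"sha256": "a" * 64, "name": "invoice.exe"},
    "network": {
        "ips": ["203.0.113.10"],
        "domains": ["update.example.net"],
        "urls": ["http://update.example.net/gate.php"],
    },
    "dropped_files": [{"sha256": "b" * 64, "name": "svchost.tmp"}],
    "mitre": ["T1059.001", "T1547.001"],
}

# Report section -> STIX cyber-observable type.
SCO_TYPES = {"ips": "ipv4-addr", "domains": "domain-name", "urls": "url"}


def sco_id(stix_type, *contributing):
    """Deterministic id from the contributing properties (simplified from the
    spec's canonical-JSON form; enough to keep ids stable across runs)."""
    return f"{stix_type}--{uuid.uuid5(STIX_SCO_NS, '|'.join(contributing))}"


def observable(stix_type, value):
    return {"type": stix_type, "spec_version": "2.1",
            "id": sco_id(stix_type, value), "value": value}


def file_observable(sha256, name):
    digest = sha256.lower()
    return {"type": "file", "spec_version": "2.1", "id": sco_id("file", digest),
            "hashes": {"SHA-256": digest}, "name": name}


def attack_pattern(technique_id):
    # The ATT&CK id travels as a mitre-attack external reference, which is how
    # OpenCTI matches it to the technique already imported from the MITRE dataset.
    return {"type": "attack-pattern", "spec_version": "2.1",
            "id": f"attack-pattern--{uuid.uuid5(STIX_SCO_NS, technique_id)}",
            "name": technique_id,
            "external_references": [{"source_name": "mitre-attack",
                                     "external_id": technique_id}]}


def relationship(src, dst, rel_type="related-to"):
    # "related-to" is accepted between any pair of objects in OpenCTI; more
    # specific types (e.g. "drops") are only valid for particular object pairs.
    return {"type": "relationship", "spec_version": "2.1",
            "id": f"relationship--{uuid.uuid5(STIX_SCO_NS, src + rel_type + dst)}",
            "relationship_type": rel_type, "source_ref": src, "target_ref": dst}


def report_to_bundle(report):
    """Sandbox report -> STIX bundle anchored on the submitted file."""
    sample = file_observable(report["sample"]["sha256"], report["sample"]["name"])
    objects = [sample]
    for section, stix_type in SCO_TYPES.items():
        for value in report["network"].get(section, []):
            obs = observable(stix_type, value)
            objects += [obs, relationship(sample["id"], obs["id"])]
    for dropped in report.get("dropped_files", []):
        obs = file_observable(dropped["sha256"], dropped["name"])
        objects += [obs, relationship(sample["id"], obs["id"])]
    for technique in report.get("mitre", []):
        ap = attack_pattern(technique)
        objects += [ap, relationship(sample["id"], ap["id"])]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def escape_pattern_literal(value):
    """Escape a STIX pattern string literal: backslash and single quote."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def ioc_to_indicator(sco_type, value, seen_at):
    """Feed IOC -> STIX Indicator; the pattern is what OpenCTI matches on."""
    prop = "hashes.'SHA-256'" if sco_type == "file" else "value"
    pattern = f"[{sco_type}:{prop} = '{escape_pattern_literal(value)}']"
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid5(STIX_SCO_NS, pattern)}",
            "name": value, "pattern": pattern, "pattern_type": "stix",
            "valid_from": seen_at.strftime("%Y-%m-%dT%H:%M:%S.000Z")}


if __name__ == "__main__":
    print(json.dumps(report_to_bundle(SAMPLE_REPORT), indent=2))
    print(json.dumps(ioc_to_indicator("url", "http://example.net/it's", datetime.now(timezone.utc))))
```

The deterministic ids matter in practice: a connector that re-submits the same sample or re-reads a feed must produce the same observable ids so OpenCTI merges rather than duplicates, and the pattern escaping matters because a URL containing a quote would otherwise yield an indicator that fails pattern validation on import.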
Feel free to reach out to us for help with integration, a quote, or demo via the contact us form.