VMRay Analyzer

VMRay Joins the Microsoft Intelligent Security Association (MISA)

VMRay’s MISA nomination brings advanced threat detection capabilities to Office 365 and enables integration into Azure Sentinel.


Analyzer – The Gold Standard for Threat Detection & Analysis

Catching Threats Other Vendors Miss

Incorporating many industry “firsts” and “bests”, VMRay Analyzer empowers DFIR and SOC teams to

Delivering What Matters Most

Developed for ultimate protection and response, ensuring evasion resistance and providing full visibility

Engineered for evasion resistance

VMRay Analyzer runs solely in the hypervisor layer, an unprecedented engineering feat that allows monitoring to take place from outside the analysis environment. By always remaining invisible, VMRay defeats even the most evasive measures built into advanced threats.

Full visibility into malware behavior

As malware executes in the sandbox, VMRay transparently monitors every interaction with the target machine, logging all control flow mechanisms, calling conventions and privilege levels. With complete and continuous visibility into malicious behavior, the SOC team can quickly and accurately triage the most urgent threats for further investigation or mitigation.

Output that’s all signal, no noise

Noisy results are a daily frustration for SOC analysts and managers. Excessive noise impedes manual investigations, and it discourages efforts to automate the sharing of results—because doing so propagates the weaknesses of those results to other systems.

VMRay’s Intelligent Monitoring generates concise, focused output that only addresses the malware’s core behavior. This eliminates false positives, streamlines analysis, and scales automated detection.

Noise-free output reports for focused visibility into malware behavior and effective SOC response

Analyzer detection sample showing how it detects the undetectable threats and eliminates blind spots

Consistently Put to the Test & Winning

As the saying goes: you can fool some of the people some of the time but you can’t fool Analyzer. With brand new malware entering the cybersphere every second, it is inevitable that some will slip through your EDR defences. Analyzer helps you fill those gaps and address those blind spots: it is the last bastion and your ultimate source of truth. Built by industry pioneers and having stood the test of time for over 10 years, Analyzer catches what others don’t.

Complete coverage of Word, Excel, PowerPoint, Access and Visio file types for Microsoft Office, as well as Executable, System and Sprint files for Windows and macOS, in addition to all Adobe, Internet, Email and Compressed file formats

Complete coverage on Windows (up to Redstone) and macOS (including Catalina)

The Cloud version of VMRay Analyzer includes support for the latest Windows Redstone operating system as well as macOS Catalina. The following file types can be analyzed.

Achieve Complete Malware Visibility

With Analyzer, you get a multitude of ways to see the detection and analysis results:

  • Dashboards with high-level verdict summaries, as well as reports at the lowest level of detail, are available in the Web Interface.
  • Brandable PDF reports can be customized and shared among the team or with management.
  • Complete result sets are available in a single JSON file.
  • The Analysis Archive provides a comprehensive collection of all related IOCs and artifacts, compressed into a single file, which is ideal for sharing and archiving, and for performing the deepest possible analytical dives. Your super-techies will love it!

Reach out with Comprehensive Connectivity

Analyzer will quickly become an essential component in your security ecosystem, and so it needs to talk to all of your other components:

  • Pre-built Connectors make it easy not only to take input from other systems but also to send output to them. We have Connectors to Splunk, MISP, IBM Resilient, Carbon Black, Cybereason, SentinelOne, Rapid7, Swimlane, ThreatConnect and many more.
  • Syslog and other common SIEM and SOAR formats are also supported for easy integration with a SIEM or SOAR system of your choice.
  • For custom-building your own connections, our brand new Analyzer REST API Integration Kit includes pre-defined sample code for the most common operations, so you can be talking to Analyzer within minutes. Comprehensive documentation helps you program it to do anything within days.

VMRay Analyzer Core Capabilities

VMRay automatically generates IOCs with every analysis. Going beyond what a traditional sandbox will do, we apply VMRay Threat Identifier (VTI) rules to flag and score artifacts, filtering out the noise and providing true, actionable IOCs.


The MITRE ATT&CK framework is mapped to VMRay Threat Identifiers (VTIs). This allows security teams to understand the scale and impact of an incident fast, leading to actionable mitigation measures.


Manually interact during the analysis runtime using a built-in VNC viewer.


Detect geo-location evasion techniques. VMRay provides analysts the ability to choose an exit node from a list of over 40 countries when they submit a sample.


VMRay triggers more frequent and more relevant memory dumps to capture a comprehensive view of malware characteristics and behavior. This increases the speed and accuracy of malware analysis and detection.


With our IDA Pro Plugin, analysts can investigate other processes monitored and logged inside the VMRay analysis archive – so files that were downloaded or dropped, then executed afterward, can also be investigated without further effort.


VMRay Analyzer in Action

See how Expel’s security team is using VMRay Analyzer to elevate their game.

Frequently Asked Questions About VMRay Analyzer

A malware sandbox is a cyber security term referring to a specifically prepared monitoring environment that mimics an end-user operating machine. Malware sandboxes represent an important tool in the arsenal of security teams and are used to safely observe the behavior of suspected malware in a controlled environment without risking infection of the host machine.

VMRay offers a unique mix of stealthiness and efficacy that allows it to stand out from the pack. Traditional sandbox solutions either do not produce results at all due to being detected by malware (which then ceases operation) or produce too much data due to poor result filtering or slow performance.

VMRay delivers reliable results without adding the burden of filtering irrelevant data for your analysts. With years of experience and continuous efforts, VMRay is well-equipped both for current malware, as well as for staying ahead of the game when encountering new threats.

VMRay Analyzer Cloud and On-Premises both have the same core functionality and ability to analyze and detect malware. The main difference between Cloud and On-Premises is the level of customization offered.

VMRay Analyzer On-Premises supports extensive customization of:

  • Target VMs: Security teams can analyze files and URLs in fully customized VM images, such as the organization’s own Gold Image.
  • Detection Rules and the Analysis Scoring System: Security teams can add their own detection rules and customize the built-in analysis scoring system (VMRay Threat Identifier or VTI Score as well as YARA rules).
  • Backend Global Settings: This includes the ability to create independent user groups, modify advanced network configuration settings, and change other advanced settings such as the total size and number of memory dumps per analysis.

VMRay Analyzer Cloud and On-Premises are annual subscriptions. Licensing is based on the number of dynamic analyses performed per day. A perpetual license option is available for on-premises customers.

VMRay Analyzer Data Sheet

Learn why leading DFIR teams worldwide see VMRay Analyzer as the gold standard for dynamic analysis.


Defeating Evasive Malware

Learn about the primary methods threat actors use to evade sandbox detection.


How Ransomware Evades Detection

Learn how to build stronger defenses against ransomware.