Malware analysis,
without the compromise.

ThreatLab gives security teams a private, local malware analysis sandbox they fully control. No cloud uploads, no per-analysis fees, no session time limits. Just you, an isolated VM, and full control.

Built for what cloud sandboxes can't do.
Pricing Model
  Generic Cloud Sandbox: Per-analysis fees and submission quotas that scale with your workload.
  ThreatLab: Flat per-seat. Unlimited analyses, every feature included.

Where Samples Go
  Generic Cloud Sandbox: Uploaded to vendor infrastructure, often shared publicly by default.
  ThreatLab: Stays on your machine. No uploads, no sharing, no exceptions.

Session Interactivity
  Generic Cloud Sandbox: Limited or none. No desktop control, no UI navigation.
  ThreatLab: Full keyboard and mouse. Drive the sample like a real user.

Session Duration
  Generic Cloud Sandbox: 2 to 10 minute hard caps. Misses delayed detonation and long sleep cycles.
  ThreatLab: As long as you need. Run it an hour. Hibernate and resume.

Concurrent Sessions
  Generic Cloud Sandbox: Capped by your subscription tier.
  ThreatLab: Limited only by your hardware. Run as many as your machine can handle.

Custom Environments
  Generic Cloud Sandbox: Fixed menu of vendor templates. No client EDR or GPO support.
  ThreatLab: Build your own base images. EDR, GPOs, client configs - all yours.

Reporting
  Generic Cloud Sandbox: Vendor-formatted output, often locked behind higher tiers.
  ThreatLab: AI-powered PDF reports. Executive summary, IOCs, severity breakdown. Branded with your logo.

What that means for you.
🔒

Client data stays in your hands

No compliance gaps, no broken NDAs, no awkward conversations about who else has seen the file. Everything runs on hardware you control.

♾️

Your bill doesn't scale with your workload

Run one sample a week or forty in an afternoon. Either way, your invoice is the same flat per-seat cost. No quotas, no overages, no upgrade nags.

🎯

Reports your clients will actually read

AI-powered analysis with executive summaries, IOCs, MITRE ATT&CK mapping, and severity breakdowns. Branded with your logo. Ready to send.

One platform, fully loaded.
Everything you need for malware analysis and incident investigation in a single desktop application.
🔬 Interactive Sandbox: Isolated Hyper-V VMs with live desktop interaction, video recording, and full keyboard/mouse control.
📡 Deep Visibility: Sysmon-powered monitoring across processes, network, files, registry, DLL injection, and credential access.
📋 AI-Powered Reports: Client-ready PDF reports with AI threat assessment, risk scoring, MITRE ATT&CK mapping, and your branding.
🔎 EVTX Analyzer: Built-in event log analyzer with 2,900+ Sigma rules. Timeline view, CSV/JSON export, severity filtering.
🌐 VPN Routing: WireGuard tunnels across 4 regions with kill switch. Malware never sees your real IP.
🖥️ Custom Base Images: Create custom VM templates with pre-installed software, EDR tools, or client-specific configurations.


Want to try ThreatLab?

Request a free trial and see what ThreatLab can do for your team. No commitment, no credit card required.

Simple, transparent pricing.
One product, one price per seat. Volume discounts reward larger teams. No hidden fees, no per-analysis charges, no surprises.
Billing: Monthly or Annual (save 10% with annual billing)
Starter (1–2 seats): $99 / seat / month
All features included. Unlimited sessions. No per-analysis fees. Full VPN, AI analysis, PDF reports, EVTX analyzer, etc. See Features for a full breakdown.
All plans include the same features. Volume discounts are applied automatically based on seat count.
Need more than 10 seats? Contact us for custom pricing.
Ready to try ThreatLab?

Fill out the form below and we'll set you up with trial access. No credit card required.


Common questions

What is a seat?

A seat is one machine activation. Each machine running ThreatLab requires one seat. Seats can be deactivated and moved to different machines through the management portal.

Can I change my seat count?

Yes. You can add or remove seats at any time from the Stripe billing portal. Adding seats is prorated immediately. Removing seats takes effect at the end of your billing period.

Is there a free trial?

Yes. We offer free trials on request - no credit card required. Use the form above to get started.

What are the system requirements?

Windows 10/11 Pro or Enterprise (64-bit) with Hyper-V enabled. 16 GB RAM minimum, 4+ CPU threads with virtualization support, and 50 GB free disk space.

Can I switch between monthly and annual?

Yes. You can switch billing periods at any time through the Stripe billing portal. Switching to annual applies the 10% discount immediately.

What's your refund policy?

We offer a 7-day refund window on new subscriptions. After 7 days, subscriptions are non-refundable but can be cancelled at any time - access continues until the end of the billing period.

Everything under the hood.
A detailed look at what ThreatLab brings to your security workflow.
🔬

Interactive Sandbox

Fully isolated analysis environments powered by Hyper-V

✓ Hyper-V Isolation: Each session runs in a dedicated VM cloned from a clean Windows 11 base image using differencing disks.
✓ Live Desktop Interaction: Full keyboard and mouse control via VNC. Interact with malware exactly as an end user would.
✓ File & URL Analysis: Drop suspicious files or paste URLs. Samples are placed on the VM desktop for manual detonation.
✓ Video Recording: Automatic session recording from the moment you connect. Saved as WebM files for review.
✓ Session Save & Resume: Hibernate sessions and resume later. Pick up exactly where you left off.
✓ Multiple Concurrent Sessions: Run several analysis sessions simultaneously, each with its own isolated VM and monitoring.
✓ Configurable Resources: Adjust VM memory and CPU allocation per session based on your analysis needs.
✓ Network Isolation: One-click network isolation cuts internet access while keeping your VNC connection alive.
✓ Custom Base OS Images: Create modified VM templates with pre-installed software, EDR agents, or client configurations. Each session clones from your chosen image.
✓ Global Exclusions: Exclude known-good processes from monitoring across all sessions.

📡

Monitoring & Detection

Deep visibility into everything that happens inside the sandbox

✓ Sysmon Event Monitoring: Process creation, network connections, file system changes, registry modifications - all captured in real time.
✓ DLL Injection Detection: Non-system DLL loads, remote thread creation, and process access monitoring.
✓ Credential Access Monitoring: LSASS access detection distinguishes legitimate OS operations from credential theft attempts.
✓ Real-Time Threat Scoring: Events scored 0–10 in real time based on behavioral indicators, process chains, and known-bad patterns.
✓ Scheduled Task & Service Monitoring: Track persistence mechanisms: task creation, service installation, and startup modifications.
✓ Ransomware Canary Detection: Canary files placed in the VM detect ransomware behavior through continuous integrity checks.
✓ Windows Defender Integration: Choose to run sessions with Defender enabled or disabled. Defender alerts are captured when active.
✓ Privilege Switching: Toggle between Local Admin and Standard User during a live session to test behavior under different privileges.
✓ Certificate Store Monitoring: Detects modifications to Windows root and intermediate CA certificate stores, flagging potential MITM or rogue certificate installation.

📋

Analysis & Reporting

From raw events to client-ready deliverables

✓ AI-Powered Threat Analysis: Automated threat assessment with risk scoring, behavioral analysis, key findings, and MITRE ATT&CK mapping. Can be toggled on or off in settings.
✓ PDF Report Generation: Professional multi-page reports with executive summary, IOCs, severity distribution, and full technical details.
✓ Custom Report Branding: Replace the ThreatLab logo with your own company branding on generated PDF reports.
✓ EVTX Log Analyzer: Built-in Windows Event Log parser with timeline view, severity filtering, and event statistics.
✓ 2,900+ Sigma Detection Rules: Community-maintained Sigma rules bundled and applied during EVTX analysis for deep detection coverage.
✓ Quick URL Analysis: Instant URL threat assessment - domain age, WHOIS data, TLD reputation - without a VM.
✓ CSV & JSON Export: Export EVTX findings in CSV or JSON format for integration with other tools and workflows.
✓ EVTX File Download: Download raw EVTX files from any session for analysis in external tools or evidence preservation.
✓ Process Tree Visualization: Interactive process chain viewer with per-node enrichment. Network, file, registry, injection, and service activity mapped to each process with severity scoring and chain-aware filtering.
✓ Bring Your Own LLM: Connect your own API key from Anthropic, OpenAI, or Google for AI analysis. Keys encrypted locally with AES-256-CBC. Custom prompt instructions per analysis type.

🌐

Network & Privacy

Anonymous analysis with complete data sovereignty

✓ Multi-Region VPN Routing: WireGuard exit nodes in the US, UK, Germany, and Spain. Malware C2 never sees your real IP.
✓ VPN Kill Switch: Hypervisor-level ACLs block all internet if the tunnel drops. The VM cannot bypass it.
✓ 100% Local Execution: No samples uploaded anywhere. All analysis happens on your hardware. Complete data privacy.
✓ Direct Mode: Run sessions without VPN when anonymity isn't required or for testing internal network scenarios.

🛡️

Platform & Management

Everything that makes ThreatLab production-ready for your team

✓ Web Management Portal: License management, seat allocation, machine tracking, downloads, and documentation.
✓ Built-in Issue Reporting: Report issues directly from the app with optional log attachment. Detailed application logging to disk.