
Sandboxing

Definition

Sandboxing is a security technique where suspicious code, files or applications are executed in an isolated virtual environment (the sandbox) to analyse whether they are harmful, without risk to the production system. Sandboxing is an essential component of modern malware analysis and email security.

How does sandboxing work?

A sandbox simulates a complete operating system with expected applications, network connections and user activity. When a suspicious file is opened in the sandbox, the system observes its behaviour: does it try to encrypt files, connect to external servers, modify registry keys or escalate privileges? This behaviour is analysed and compared with known malware patterns. The sandbox is completely isolated from the production system.

Applications of sandboxing

Email security analyses attachments in a sandbox before delivery. Browser sandboxing isolates web tabs so a compromised website cannot access the system. Malware analysis uses sandboxes to examine new variants and extract IOCs. Application sandboxing limits application privileges to the minimum required. Notable sandbox tools include Cuckoo Sandbox (open source), Any.run, Joe Sandbox and VMRay.

Sandbox evasion

Advanced malware attempts to detect and evade sandbox environments. Techniques include: detecting virtual machine artefacts, delayed execution to exhaust analysis time, checking for user interaction, environment checks for specific software, and time bombs that activate after a period.
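The behavioural analysis described under "How does sandboxing work?" and the evasion techniques listed above can be shown together on a sandbox behaviour report. The following is an added example, not DEFION's or any sandbox vendor's code: it classifies a constructed list of observed API events into the behaviour families from the text and flags the evasion signals (VM-artefact probes, user-interaction checks, sleeping past the analysis window). The API-to-family mapping, the report shape and the two-minute window are assumptions for illustration.

```python
# Added example, not DEFION's or any sandbox vendor's code: it scores a
# constructed behaviour report of the kind a sandbox records during
# detonation. The API mapping and report shape are assumptions.
# Behaviour families from the text, mapped to Windows APIs that commonly
# implement them (assumed, deliberately small mapping).
MALICIOUS_FAMILIES = {
    "file_encryption": {"CryptEncrypt", "CryptGenKey"},
    "external_connection": {"InternetConnectA", "WSAConnect"},
    "registry_modification": {"RegSetValueExW", "RegCreateKeyExW"},
    "privilege_escalation": {"AdjustTokenPrivileges"},
}
VM_ARTEFACT_MARKERS = ("vmware", "vbox", "virtualbox", "qemu")
SLEEP_APIS = {"Sleep", "NtDelayExecution"}
INTERACTION_APIS = {"GetCursorPos", "GetLastInputInfo"}
ANALYSIS_WINDOW_MS = 120_000  # assumed 2-minute detonation window

def analyse(events, window_ms=ANALYSIS_WINDOW_MS):
    """events: list of {"api": str, "args": dict} in the order observed."""
    behaviours, evasion, slept_ms = set(), set(), 0
    for ev in events:
        api, args = ev["api"], ev.get("args", {})
        for family, apis in MALICIOUS_FAMILIES.items():
            if api in apis:
                behaviours.add(family)
        if api in SLEEP_APIS:
            slept_ms += int(args.get("ms", 0))
        if api in INTERACTION_APIS:
            evasion.add("user_interaction_check")
        # Any argument naming a hypervisor vendor is a VM-artefact probe.
        blob = " ".join(str(a) for a in args.values()).lower()
        if any(m in blob for m in VM_ARTEFACT_MARKERS):
            evasion.add("vm_artefact_check")
    # Sleeping longer than the window means the payload never ran here.
    if slept_ms >= window_ms:
        evasion.add("delayed_execution")
    if behaviours:
        label = "malicious"
    elif evasion:
        label = "suspicious"  # quiet but probing: rerun with a longer window
    else:
        label = "benign"
    return {"label": label, "behaviours": behaviours, "evasion": evasion}

# Constructed report: probes for VMware, then sleeps past the window.
SAMPLE_EVENTS = [
    {"api": "RegOpenKeyExW", "args": {"key": r"HKLM\SOFTWARE\VMware, Inc."}},
    {"api": "GetLastInputInfo", "args": {}},
    {"api": "NtDelayExecution", "args": {"ms": 180_000}},
]
```

A "suspicious" verdict with no observed behaviour is the signal the "Protection" section refers to: the sample should be re-detonated in a second, differently configured sandbox rather than passed as benign.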

Impact on organisations

Sandboxing is a crucial defence-in-depth layer. It catches threats that signature-based detection misses, such as zero-day and polymorphic malware. NIS2 requires adequate detection measures, and sandboxing contributes to meeting this requirement.

Protection

Implement email sandboxing for all incoming attachments. Combine sandboxing with EDR and threat intelligence for a complete detection picture. Use multiple sandbox environments to detect evasion techniques.

How DEFION helps

DEFION integrates sandboxing technology in the Managed Threat Detection service. The SOC team analyses sandbox results and correlates them with broader threat data.

Related terms

Malware
EDR (Endpoint Detection & Response)
Threat Intelligence