Retrace Sandbox

See What Malware
Really Does.

AI-powered malware analysis in fully interactive Windows sandboxes.

Closed Beta

Early access is open

We're onboarding security teams and researchers. Request access to start analysing malware in a fully interactive sandbox.

Request Access

analyst

Recycle Bin

Chrome

Invoice_Feb
2026.pdf.exe

report_Q4.xlsx
.locked

client_data.csv
.locked

budget_2026.docx
.locked

passwords.txt
.locked

README_RESTORE.txt - Notepad

========================================

YOUR FILES HAVE BEEN ENCRYPTED

========================================

All your important files have been encrypted

using AES-256 + RSA-2048 encryption.

Do NOT rename or modify encrypted files.

Do NOT use third-party decryption tools.

2:22 PM2/25/2026

PROCESS

NETWORK

FILE SYS

REGISTRY

Waiting for events...

MALICIOUS

70 procs

explorer.exe

4102

Invoice_Feb2026.exe

9867340

cmd.execmd.exe /c vssadmin delete shadows ...

8027388

vssadmin.exevssadmin.exe delete shadows /all /q...

7527412

cmd.execmd.exe /c bcdedit /set {default} r...

7017440

bcdedit.exebcdedit.exe /set {default} recovery...

7017456

powershell.exepowershell.exe -c "Set-MpPreference...

8837500

conhost.execonhost.exe 0x4

7512

svchost.exesvchost.exe -k netsvcs (injected)

6527580

notepad.exenotepad.exe C:\Users\Admin\Desktop\...

7620

csrss.exe

528

services.exe

720

svchost.exesvchost.exe -k netsvcs -p

1084

spoolsv.exe

1340

lsass.exe

672

dwm.exe

620

SearchHost.exe

4200

10,000+Samples Detonated

500+Malware Families Tracked

< 4 minAvg Verdict Time

7M+Unique Fingerprints

How it
Works.

From suspicious artifact to structured intelligence.

CPUID

i5-1135G7

SMBIOS

Dell OptiPlex 7080

DISK

Samsung 980 PRO

RAM

16 GB

BIOS

2.15.0

HOST

DESKTOP-K8F2N1P

MAC

AA:1B:3C:7F:22:D1

LOCALE

Dallas

Who it's
For.

Real workflows. Real scenarios. Every team gets a different answer.

SITUATION

An analyst receives a phishing alert with a suspicious .docm attachment. They need a verdict in under 5 minutes before the email reaches 200 more inboxes.

OUTCOME

Analyst escalates with full ATT&CK mapping. IOCs pushed to firewall block list in 3 minutes.

EXECUTION SEQUENCE

Upload .docm from quarantine

→ Queued — detonating in 8s

Macro executes, drops payload.exe

→ File captured + hashed

payload.exe → C2 callback detected

→ 185.22.1.4 flagged as Cobalt Strike

Verdict: MALICIOUS — Score 94/100

→ IOCs auto-extracted for blocking

SITUATION

A researcher tracking Emotet receives a new loader variant. They need behavioral traces, C2 infrastructure, and config extraction to update detection signatures.

OUTCOME

New Emotet C2 infrastructure mapped. YARA rule updated, shared to community within the hour.

EXECUTION SEQUENCE

Submit loader DLL via API

→ Session with full desktop interaction

Interact with UAC prompt manually

→ Second-stage payload triggered

Memory scan captures decrypted config

→ 3 C2 IPs + RSA key extracted

Export STIX 2.1 bundle

→ Indicators shared to MISP feed

SITUATION

An MSSP manages 40 client environments. Each client's suspicious files need isolated analysis with separate reporting and retention policies.

OUTCOME

40 clients served from a single Retrace deployment. Mean time-to-verdict: 4 minutes across all tenants.

EXECUTION SEQUENCE

API submission with client_id tag

→ Routed to isolated tenant queue

Batch detonation: 12 samples/hour

→ Parallel VMs, no queue contention

Auto-generate per-client PDF reports

→ White-labeled, compliance-ready

Webhook triggers SOAR playbook

→ Client SOC notified automatically

SITUATION

A university cybersecurity course needs students to analyze real malware without any risk of lab infections or complex VM setup.

OUTCOME

30 students complete a malware analysis lab in 45 minutes. No local VMs, no accidental infections.

EXECUTION SEQUENCE

Instructor shares sample via class link

→ Students access shared session

Live desktop visible to all participants

→ Observe malware behavior together

Students explore process tree & network tab

→ Hands-on analysis, zero risk

Export findings for coursework submission

→ Structured report with ATT&CK mapping

Deploy
Your Way.

From individual researchers to air-gapped defense networks.

DEPLOYMENT TIERS

4 OPTIONS

SHARED

Community

For students, researchers, or those exploring the platform.

Free

Community feed access

Standard execution queue

Web interface

Basic report export

Unlimited public analyses

SAAS

Team

For individual analysts, consultants, and small teams.

Contact

Private submissions

Priority queueing

REST API access

Team management

Audit logging

Get Started

DEDICATED CLOUD

Enterprise

For MSSPs, financial services, and regulated industries.

Custom

Multi-tenant workspace

UK, EU or US data residency on request

Dedicated hardware, no shared services

SSO / SAML

Custom data retention

Contact Sales

SELF-HOSTED

Sovereign

For government, defense, and critical infrastructure.

Custom

Air-gap compatible

Unlimited throughput

Full data sovereignty

Custom hardware support

Dedicated account manager

Contact Sales

See What Malware
Really Does.

Early access is open

How it
Works.

Fresh identity. Every session.

Watch it run. In real time.

AI reads the kill chain.

Who it's
For.

Deploy
Your Way.

See What Malware Really Does.

Early access is open

How it Works.

Fresh identity. Every session.

Watch it run. In real time.

AI reads the kill chain.

Who it's For.

Deploy Your Way.

See What Malware
Really Does.

How it
Works.

Who it's
For.

Deploy
Your Way.