Open-source malware analysis sandbox.
Submit files or URLs, execute them in isolated Docker/QEMU sandboxes, and observe behavior in real time: process trees, network traffic, file drops, MITRE ATT&CK mapping, YARA and Suricata signals, threat-intel enrichment, AI-assisted analysis, and report export.
| Area | Details |
|---|---|
| Static analysis | Hashing, file typing, PE/ELF parsing, strings, entropy, YARA |
| Dynamic analysis | Docker Linux sandbox, QEMU Windows path, process tree, PCAP, filesystem diff, screenshots, VNC |
| Detection | MITRE ATT&CK mapping, Suricata alerts, behavior rules, threat-intel enrichment |
| Outputs | HTML, Markdown, CSV, JSON, STIX 2.1, IOC exports |
| Learning path | Malware reverse engineering masterclass with lab-driven exercises |
Detonate doubles as a hands-on Malware Reverse Engineering Masterclass: a lab-driven curriculum (foundations → static → dynamic → unpacking → anti-analysis → config extraction → capstone) where this sandbox is your lab bench. Start at masterclass/, and read masterclass/SAFETY.md before touching a sample.
```text
+------------------+
| Next.js 16 |
| Frontend |
+--------+---------+
|
+--------+---------+
| FastAPI API | 75 endpoints
| (async) | 12 DB tables
+--+----+----+--+--+
| | | |
+------+ +--+--+ | ++-------+
|Postgres|Redis | |MinIO |Ollama
| 16 | 7 | |(S3) |(LLM)
+--------+-----+ +---------++------+
|
+---------+---------+
| Celery Workers |
+--------+----------+
|
+----------+----------+
| Sandbox Machinery |
+-----+----------+----+
|Docker| |QEMU|
|Linux | |Win |
+------+ +----+
```
- File upload with automatic hashing (SHA256/MD5/SHA1), type detection, MIME identification
- URL submission -- fetches content and creates submission automatically
- PE parsing (imports, exports, sections, resources, digital signatures, suspicious indicators)
- ELF header parsing (class, type, machine, entry point)
- String extraction (ASCII + UTF-16LE) with IOC categorization (URLs, IPs, emails, registry keys, file paths)
- Shannon entropy analysis (overall + per-section)
- YARA scanning with 26 built-in rules (suspicious strings, packers, malware indicators)
- Docker-based Linux sandbox (Ubuntu 22.04 + strace + tcpdump + YARA)
- Process tree with parent-child tracking via strace clone/clone3 syscalls
- Network capture (PCAP) with DNS, TCP/UDP connections, HTTP host extraction
- Filesystem monitoring (created/modified/deleted files via fs diff)
- Real-time WebSocket telemetry streaming
- Suricata IDS alerts on captured PCAP
- Optional screenshots (Xvfb + scrot) and video recording (ffmpeg)
- Interactive VNC sessions via websockify
- Windows sandbox infrastructure (QEMU/KVM + Sysmon guest agent)
- Configurable timeout, network isolation, machine pooling
- 26 behavioral rules mapping syscall patterns to ATT&CK techniques
- Optional LLM-enhanced classification for higher coverage
- Tactic coverage matrix and confidence scoring
- Technique catalog browsing and search
- VirusTotal -- file hash, IP, domain reputation
- AbuseIPDB -- IP abuse confidence scoring
- AlienVault OTX -- multi-indicator pulse intelligence
- URLhaus -- malicious URL/payload database (no API key needed)
- MalwareBazaar -- malware sample intelligence (no API key needed)
- Redis-backed caching (1h TTL) and per-provider rate limiting
- Provider-agnostic: Ollama (local/dev) or Anthropic Claude (production)
- Automated behavioral summarization
- Threat classification with verdict/score/confidence
- Autonomous agent analysis with tool use
- Interactive chat with full analysis context
- AI-powered comprehensive threat reports
- IOC-based similar submission correlation
- Automated extraction of IPs, domains, URLs, hashes, file paths from analysis results
- STIX 2.1 bundle export
- CSV export with type/value/context columns
- JSON structured export
- AI-generated markdown threat reports
- Self-contained HTML reports (no external dependencies)
- CSV IOC reports
- Per-submission downloadable reports
- Full-text search across hashes, filenames, tags
- Advanced filters: verdict, file type, tag, score range, date range, analysis status
- Sortable results with pagination
- Analytics dashboard: submission stats, verdict breakdown, timeline, top file types, top tags, top IOCs
- JWT authentication + API key support
- User registration, login, profile management
- Team/organization management with role-based membership
- Submission comments with edit/delete
- Auto-tagging (16 behavioral rules + file type detection)
- Webhook notifications with HMAC-SHA256 signing
- YARA rule management (upload, validate, edit, delete via API)
- Machine pool management (scale up/down, health checks)
- Feature flags and configuration status endpoint
- Celery task monitoring
```bash
# Clone
git clone https://github.com/allsmog/detonate.git
cd detonate
# Start infrastructure (PostgreSQL, Redis, MinIO, Ollama)
make services
# Install dependencies, run migrations
make setup
# Pull the AI model
make ollama-pull
# Build the sandbox Docker image
make sandbox-build
# Start API + frontend
make dev
```

The app will be available at:
- Frontend: http://localhost:3000
- API: http://localhost:8000
- API Docs: http://localhost:8000/docs
Dynamic analysis requires a Celery worker:
```bash
cd api
PYTHONPATH="$(pwd)/..:$(pwd)" uv run celery -A worker.app:celery_app worker \
  -l info -Q dynamic,static,ai,enrichment -c 2
```

Copy .env.example to .env and configure:

```bash
# Required
POSTGRES_PASSWORD=detonate
REDIS_URL=redis://127.0.0.1:6379/0
# AI (pick one)
LLM_PROVIDER=ollama # or "anthropic"
ANTHROPIC_API_KEY=sk-ant-... # if using Anthropic
# Threat Intelligence (optional, all free tier)
VIRUSTOTAL_API_KEY=...
ABUSEIPDB_API_KEY=...
OTX_API_KEY=...
# Auth (optional)
AUTH_ENABLED=false
JWT_SECRET_KEY=change-me-in-production
# Features (optional)
SCREENSHOTS_ENABLED=false
SURICATA_ENABLED=false
SANDBOX_POOL_ENABLED=false
```

| Component | Tech | Purpose |
|---|---|---|
| API | FastAPI (Python 3.12) | 75 REST endpoints, WebSocket telemetry, SSE streaming |
| Frontend | Next.js 16, React 19, Tailwind 4, shadcn/ui v4 | SPA with real-time updates |
| Database | PostgreSQL 16, SQLAlchemy 2.0 async, Alembic | 12 tables, JSONB for results |
| Storage | MinIO (S3-compatible) | Samples, PCAPs, screenshots, videos |
| Cache/Broker | Redis 7 | Celery broker, threat intel cache, rate limiting, pub/sub |
| Workers | Celery | Dynamic analysis, AI tasks, threat intel enrichment |
| AI | Ollama / Anthropic Claude | Summarization, classification, chat, reports |
| Linux Sandbox | Docker (Ubuntu 22.04) | strace, tcpdump, YARA, Xvfb, scrot, ffmpeg, x11vnc |
| Windows Sandbox | QEMU/KVM + libvirt | Sysmon monitoring, HTTP guest agent |
| IDS | Suricata | Offline PCAP analysis with ET Open rules |
```text
POST /api/v1/submit                                  File upload
POST /api/v1/submit-url                              URL submission
GET  /api/v1/submissions                             List submissions
GET  /api/v1/submissions/{id}                        Get submission
GET  /api/v1/submissions/{id}/static                 Static analysis (PE/ELF/strings/entropy)
POST /api/v1/submissions/{id}/analyze                Start dynamic analysis
GET  /api/v1/submissions/{id}/analyses/{id}          Get analysis results
POST /api/v1/submissions/{id}/analyses/{id}/mitre    MITRE ATT&CK mapping
GET  /api/v1/submissions/{id}/threat-intel           Threat intel enrichment
GET  /api/v1/submissions/{id}/iocs                   Extract IOCs
GET  /api/v1/submissions/{id}/iocs/stix              STIX 2.1 export
POST /api/v1/submissions/{id}/ai/summarize           AI summarization
POST /api/v1/submissions/{id}/ai/report              AI threat report
GET  /api/v1/search?q=...&verdict=...                Advanced search
GET  /api/v1/dashboard/stats                         Analytics dashboard
POST /api/v1/auth/register                           User registration
POST /api/v1/auth/login                              JWT login
```

...and 60+ more endpoints
Full OpenAPI docs available at /docs when running.
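The endpoints above chain into one workflow: upload, start dynamic analysis, poll the analysis until it reaches a terminal state, then export the IOCs as STIX 2.1. The client below is an added example and not part of the Detonate project; the paths come from the table, while the JSON field names (`id`, `status`), the terminal status values and the `Authorization: Bearer` header are assumptions the page does not confirm. The HTTP call is injected so the flow runs offline against a fake.

```python
"""Drive one sample through the Detonate REST API: submit, start dynamic
analysis, poll until it finishes, then pull the STIX 2.1 IOC bundle.
Added example, not Detonate project code; the HTTP call is injected."""
import time
from typing import Callable

# (method, path, kwargs such as headers/json/files) -> decoded JSON body
Request = Callable[[str, str, dict], dict]
TERMINAL = {"completed", "failed"}  # assumed terminal analysis states


class DetonateClient:
    def __init__(self, request: Request, api_key: str, poll_s: float = 2.0):
        self.request = request
        self.poll_s = poll_s
        self.headers = {"Authorization": f"Bearer {api_key}"}  # assumed scheme

    def _call(self, method: str, path: str, **kwargs) -> dict:
        return self.request(method, path, {"headers": self.headers, **kwargs})

    def submit_file(self, name: str, data: bytes) -> str:
        """POST /api/v1/submit; returns the new submission id."""
        return self._call("POST", "/api/v1/submit", files={"file": (name, data)})["id"]

    def start_dynamic(self, sub_id: str, timeout_s: int = 120) -> str:
        """POST .../analyze; returns the analysis id to poll."""
        return self._call("POST", f"/api/v1/submissions/{sub_id}/analyze",
                          json={"timeout": timeout_s})["id"]

    def wait_for_analysis(self, sub_id: str, an_id: str, max_polls: int = 60) -> dict:
        """GET .../analyses/{an_id} until a terminal status or the poll budget is spent."""
        path = f"/api/v1/submissions/{sub_id}/analyses/{an_id}"
        for _ in range(max_polls):
            body = self._call("GET", path)
            if body.get("status") in TERMINAL:
                return body
            time.sleep(self.poll_s)
        raise TimeoutError(f"analysis {an_id} not finished after {max_polls} polls")

    def stix_bundle(self, sub_id: str) -> dict:
        return self._call("GET", f"/api/v1/submissions/{sub_id}/iocs/stix")


def analyze_sample(client: DetonateClient, name: str, data: bytes) -> dict:
    """Whole pipeline; refuses to export IOCs from a failed run."""
    sub_id = client.submit_file(name, data)
    analysis = client.wait_for_analysis(sub_id, client.start_dynamic(sub_id))
    if analysis["status"] != "completed":
        raise RuntimeError(f"analysis ended with status {analysis['status']}")
    return {"submission_id": sub_id, "analysis": analysis, "stix": client.stix_bundle(sub_id)}
```

Against a live instance, `request` would wrap an HTTP library call to `http://localhost:8000` and return the decoded JSON body.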
```bash
make api                          # Start FastAPI dev server (port 8000)
make frontend                     # Start Next.js dev server (port 3000)
make services                     # Start Docker infrastructure
make migrate                      # Run Alembic migrations
make migration msg="description"  # Create new migration
make test-api                     # Run pytest
make lint                         # Ruff + ESLint
make format                       # Ruff format + Prettier
make sandbox-build                # Build Linux sandbox image
make suricata-build               # Build Suricata IDS image
make mitre-pull                   # Download MITRE ATT&CK dataset
make ollama-pull                  # Pull Ollama AI model
```

- Masterclass -- the malware reverse-engineering curriculum.
- masterclass/SAFETY.md -- how to handle samples safely and legally. Read before detonating anything.
- CONTRIBUTING.md -- contribute platform code or curriculum modules.
- SECURITY.md -- report vulnerabilities and sandbox escapes responsibly.
- CODE_OF_CONDUCT.md -- community standards.
MIT
