Threat intelligence should not be limited to expensive commercial feeds.
At RedSide Security, we wanted a way to extract actionable, region-specific threat intelligence from publicly available sources and automatically deliver it into operational threat intelligence platforms.
That idea became AnyStix.
The Problem With Global Threat Feeds
Most threat intelligence feeds generate an overwhelming amount of global data.
While large datasets have value, defenders often face a more practical question:
What threats are actively targeting my region right now?
Organizations operating in a specific country frequently need visibility into:
- Malware actively circulating locally
- Malicious files submitted by regional analysts
- Country-specific phishing campaigns
- Emerging threats observed within their geography
Unfortunately, this signal is often buried beneath massive volumes of global intelligence.
Turning Public Sandbox Data Into Actionable Intelligence
Every day, security researchers and analysts submit suspicious files and URLs to sandbox platforms for analysis.
These submissions represent real-world threats that someone has already identified and investigated.
One of the most valuable public sources is ANY.RUN, where thousands of malicious samples are detonated and analyzed daily.
The challenge is that this information is primarily accessible through a browser interface rather than a traditional API.
AnyStix bridges that gap.
What AnyStix Does
AnyStix automatically collects threat intelligence from ANY.RUN and transforms it into structured intelligence that security teams can operationalize.
Key capabilities include:
Country-Based Threat Collection
Select a country and retrieve malicious submissions observed within that region.
SHA-256 Enrichment
File samples are automatically enriched with:
- SHA-256 hashes
- Malware metadata
- Threat indicators
STIX 2.1 Export
Collected intelligence is converted into clean, standards-compliant STIX 2.1 output:
- STIX 2.1 bundles
- Indicator objects carrying a STIX pattern for each sample
- Observable objects (SCOs) such as file objects with their hashes
OpenCTI Integration
Threat intelligence can be pushed directly into OpenCTI, allowing:
- Centralized intelligence management
- Correlation with existing indicators
- Automated detection workflows
- Threat hunting enrichment
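To make the enrichment, STIX 2.1 export and OpenCTI steps above concrete, here is an added example of how sample records can be turned into a STIX 2.1 bundle. It is not AnyStix's own code: the record field names (`sha256`, `name`, `tags`, `country`) and the sample rows are constructed for the example. The one design choice worth copying is the observable id: STIX 2.1 derives SCO ids as UUIDv5 from the object's ID-contributing properties (for a file, its hashes) under the OASIS namespace `00abedb4-aa42-466c-9c01-fed23315a9b7`, so re-running a scheduled collector produces the same `file--…` id for the same sample and OpenCTI can merge it instead of duplicating it. Malformed hashes are rejected rather than silently emitted as bad patterns.

```python
"""Build a STIX 2.1 bundle from sandbox sample records (added example, not AnyStix code)."""
import json
import re
import uuid
from datetime import datetime, timezone

# Namespace the STIX 2.1 spec assigns for deterministic SCO identifiers.
STIX_SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed sample records; the schema is an assumption for this example.
SAMPLES = [
    {"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "name": "invoice.exe", "tags": ["agenttesla"], "country": "DE"},
    {"sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
     "name": "invoice.exe", "tags": ["agenttesla"], "country": "DE"},      # duplicate, different case
    {"sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
     "name": "update.js", "tags": ["loader"], "country": "DE"},
    {"sha256": "not-a-hash", "name": "broken.bin", "tags": [], "country": "DE"},  # rejected
]


def normalize_sha256(value):
    """Return a lowercase 64-hex-char digest or raise ValueError."""
    digest = str(value).strip().lower()
    if not SHA256_RE.fullmatch(digest):
        raise ValueError(f"not a SHA-256 hex digest: {value!r}")
    return digest


def stix_timestamp(dt):
    """STIX timestamps are UTC, millisecond precision, with a literal Z suffix."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def file_observable(sha256):
    """File SCO whose id is UUIDv5 over the canonical JSON of its ID-contributing properties.

    json.dumps with sorted keys and compact separators matches RFC 8785 canonical JSON
    for plain ASCII string values, which is all a hash dictionary contains.
    """
    hashes = {"SHA-256": sha256}
    contributing = json.dumps({"hashes": hashes}, sort_keys=True, separators=(",", ":"))
    return {
        "type": "file",
        "spec_version": "2.1",
        "id": f"file--{uuid.uuid5(STIX_SCO_NAMESPACE, contributing)}",
        "hashes": hashes,
    }


def indicator_for(sha256, name, labels, stamp):
    """Indicator with a STIX pattern that matches the file by its SHA-256."""
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": stamp,
        "modified": stamp,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": f"[file:hashes.'SHA-256' = '{sha256}']",
        "pattern_type": "stix",
        "pattern_version": "2.1",
        "valid_from": stamp,
        "labels": list(labels),
    }


def based_on(indicator_id, file_id, stamp):
    """'based-on' relationship linking the indicator to the observable it was derived from."""
    return {
        "type": "relationship",
        "spec_version": "2.1",
        "id": f"relationship--{uuid.uuid4()}",
        "created": stamp,
        "modified": stamp,
        "relationship_type": "based-on",
        "source_ref": indicator_id,
        "target_ref": file_id,
    }


def build_bundle(samples, now=None):
    """Convert raw records into one STIX 2.1 bundle; returns (bundle, rejected_reasons).

    Invalid hashes are skipped and reported; duplicate hashes collapse into one
    indicator/observable pair so a scheduled run does not re-emit the same sample.
    """
    stamp = stix_timestamp(now or datetime.now(timezone.utc))
    objects, rejected, seen = [], [], set()
    for rec in samples:
        try:
            digest = normalize_sha256(rec.get("sha256", ""))
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        if digest in seen:
            continue
        seen.add(digest)
        sco = file_observable(digest)
        labels = [f"country:{rec.get('country', '').lower()}"] + list(rec.get("tags", []))
        ind = indicator_for(digest, rec.get("name") or digest, labels, stamp)
        objects += [sco, ind, based_on(ind["id"], sco["id"], stamp)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}, rejected


if __name__ == "__main__":
    bundle, rejected = build_bundle(SAMPLES)
    print(json.dumps(bundle, indent=2))
    print("rejected:", rejected)
```

The resulting JSON is a plain STIX 2.1 bundle, which is the format OpenCTI's STIX importer accepts; because the `file--` ids are stable, correlation with indicators already in the platform works on the id rather than on a string match of the hash.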
Continuous Operation
AnyStix can run as a scheduled service that repeatedly gathers fresh submissions and imports them, so the intelligence platform stays current without anyone running the tool by hand.
The Technical Challenge
The most interesting part of the project was accessing the data itself.
Unlike many intelligence platforms, ANY.RUN does not expose a traditional REST API for this functionality.
Its web interface is a Meteor application, so the data is delivered over DDP (Distributed Data Protocol), Meteor's JSON-over-WebSocket protocol.
Rather than relying on browser automation (Selenium, headless Chrome) or manual scraping, AnyStix speaks that protocol directly.
The result is a lightweight Python implementation that:
- Requires no browser
- Requires no login
- Uses minimal resources
- Operates efficiently at scale
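To show what "speaking DDP directly" looks like on the wire, here is an added example of the client side of a DDP session, driven by a constructed server transcript so it runs offline. It is not AnyStix's code, and the subscription name `publicTasks`, the collection name `tasks` and the document fields are assumptions chosen for the example, not ANY.RUN's real names. The exchange itself follows the DDP spec: the client opens with a `connect` message, the server answers `connected` (Meteor first emits a `{"server_id": ...}` preamble with no `msg` field, which must be ignored), the client sends `sub`, the server streams `added`/`changed`/`removed` for the documents in that publication, signals `ready`, and sends periodic `ping` that must be answered with `pong` or the server drops the session.

```python
"""Minimal DDP client logic replayed against a constructed server transcript (added example)."""
import json


class DdpClient:
    """In-memory DDP session: feed() consumes one server frame and returns frames to send back."""

    def __init__(self):
        self.session = None
        self.collections = {}      # collection name -> {doc id -> fields}
        self.ready_subs = set()
        self._next_id = 0

    def open_frames(self):
        """Version negotiation sent as soon as the WebSocket is open."""
        return [json.dumps({"msg": "connect", "version": "1", "support": ["1"]})]

    def subscribe(self, name, params):
        """Return (sub_id, frame) for a 'sub' request; the id is echoed back in 'ready'/'nosub'."""
        self._next_id += 1
        sub_id = str(self._next_id)
        return sub_id, json.dumps({"msg": "sub", "id": sub_id, "name": name, "params": params})

    def feed(self, raw):
        msg = json.loads(raw)
        kind = msg.get("msg")          # Meteor preamble and unknown frames have no/unknown msg
        out = []
        if kind == "connected":
            self.session = msg["session"]
        elif kind == "failed":
            raise RuntimeError(f"server only supports DDP version {msg.get('version')}")
        elif kind == "ping":
            reply = {"msg": "pong"}
            if "id" in msg:            # pong must carry the ping id when one was given
                reply["id"] = msg["id"]
            out.append(json.dumps(reply))
        elif kind == "added":
            self.collections.setdefault(msg["collection"], {})[msg["id"]] = dict(msg.get("fields", {}))
        elif kind == "changed":
            doc = self.collections.setdefault(msg["collection"], {}).setdefault(msg["id"], {})
            doc.update(msg.get("fields", {}))
            for field in msg.get("cleared", []):
                doc.pop(field, None)
        elif kind == "removed":
            self.collections.get(msg["collection"], {}).pop(msg["id"], None)
        elif kind == "ready":
            self.ready_subs.update(msg["subs"])
        elif kind == "nosub":
            raise RuntimeError(f"subscription {msg['id']} refused: {msg.get('error')}")
        return out


# Constructed server transcript; names and fields are assumptions for this example.
SERVER_TRANSCRIPT = [
    '{"server_id":"0"}',
    '{"msg":"connected","session":"abc123"}',
    '{"msg":"added","collection":"tasks","id":"t1","fields":{"sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","verdict":"malicious","country":"DE"}}',
    '{"msg":"added","collection":"tasks","id":"t2","fields":{"verdict":"suspicious","country":"DE"}}',
    '{"msg":"changed","collection":"tasks","id":"t1","fields":{"tags":["agenttesla"]},"cleared":["country"]}',
    '{"msg":"removed","collection":"tasks","id":"t2"}',
    '{"msg":"ready","subs":["1"]}',
    '{"msg":"ping","id":"p1"}',
]


def replay(server_frames, sub_name="publicTasks", sub_params=None):
    """Drive a client through the handshake, one subscription and the server's frames."""
    client = DdpClient()
    sent = list(client.open_frames())
    _sub_id, sub_frame = client.subscribe(sub_name, sub_params or [])
    sent.append(sub_frame)
    for frame in server_frames:
        sent.extend(client.feed(frame))
    return client, sent


if __name__ == "__main__":
    client, sent = replay(SERVER_TRANSCRIPT)
    print("session:", client.session, "ready:", sorted(client.ready_subs))
    print("sent:", sent)
    print("tasks:", json.dumps(client.collections["tasks"], indent=2))
```

In a live client the same `feed()` loop sits behind a WebSocket library; the only thing the transport adds is timing: the `ready` message is the point at which the initial snapshot of the publication is complete, and anything before it should be treated as partial data. Note that after the `changed` frame the document's `country` field is gone, which is exactly the kind of field-level update a naive "collect `added` messages only" scraper would miss.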
Why This Matters
Public sandboxes remain one of the most underutilized resources in cybersecurity.
Every malicious sample submitted to a sandbox represents:
- An attack already observed
- Infrastructure already identified
- Malware already analyzed
Transforming that information into structured threat intelligence allows defenders to benefit from discoveries made by analysts around the world.
By focusing on geographic filtering, AnyStix helps organizations surface the threats most relevant to their environment.
Use Cases
AnyStix is designed for:
- Security Operations Centers (SOCs)
- Threat intelligence teams
- Threat hunters
- DFIR teams
- OpenCTI operators
- National and regional CERT teams
The tool enables continuous ingestion of region-focused threat intelligence without requiring commercial feeds.
Open Source and Free
AnyStix is released under the MIT License and is available as open source software.
GitHub Repository:
https://github.com/RedSideSecurity/AnyStix
Final Thoughts
Threat intelligence becomes significantly more valuable when it is relevant, timely, and operationalized.
AnyStix helps transform publicly available sandbox data into structured, country-focused threat intelligence that can be automatically delivered into OpenCTI and other security workflows.
Instead of monitoring global noise, defenders can focus on the threats most likely to impact their region and infrastructure.