Threat intelligence should not be limited to expensive commercial feeds.

At RedSide Security, we wanted a way to extract actionable, region-specific threat intelligence from publicly available sources and automatically deliver it into operational threat intelligence platforms.

That idea became AnyStix.

The Problem With Global Threat Feeds

Most threat intelligence feeds generate an overwhelming amount of global data.

While large datasets have value, defenders often face a more practical question:

What threats are actively targeting my region right now?

Organizations operating in a specific country frequently need visibility into:

  • Malware actively circulating locally
  • Malicious files submitted by regional analysts
  • Country-specific phishing campaigns
  • Emerging threats observed within their geography

Unfortunately, this signal is often buried beneath massive volumes of global intelligence.

Turning Public Sandbox Data Into Actionable Intelligence

Every day, security researchers and analysts submit suspicious files and URLs to sandbox platforms for analysis.

These submissions represent real-world threats that someone has already identified and investigated.

One of the most valuable public sources is ANY.RUN, where thousands of malicious samples are detonated and analyzed daily.

The challenge is that this information is primarily accessible through a browser interface rather than a traditional API.

AnyStix bridges that gap.

What AnyStix Does

AnyStix automatically collects threat intelligence from ANY.RUN and transforms it into structured intelligence that security teams can operationalize.

Key capabilities include:

Country-Based Threat Collection

Select a country and retrieve malicious submissions observed within that region.

SHA-256 Enrichment

File samples are automatically enriched with:

  • SHA-256 hashes
  • Malware metadata
  • Threat indicators

STIX 2.1 Export

Collected intelligence is converted into standards-compliant STIX 2.1 output:

  • STIX 2.1 bundles
  • Indicator objects
  • Cyber-observable objects (SCOs) such as file objects carrying the SHA-256

OpenCTI Integration

Threat intelligence can be pushed directly into OpenCTI, allowing:

  • Centralized intelligence management
  • Correlation with existing indicators
  • Automated detection workflows
  • Threat hunting enrichment
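The "STIX 2.1 Export" and "OpenCTI Integration" capabilities above are easiest to understand with the objects in hand. The following is an added example written for this post; it is not AnyStix's own code. The object layouts follow the STIX 2.1 specification (deterministic UUIDv5 identifiers for cyber-observables, millisecond RFC 3339 timestamps, a `stix` pattern on the file hash), the indicator-to-file `based-on` relationship follows OpenCTI's convention for linking an indicator to its observable, and the sample records, the `push_to_opencti` helper and its use of pycti's `import_bundle_from_json` are assumptions, not the project's API.

```python
"""STIX 2.1 bundle for sandbox file samples, plus an optional OpenCTI push.

Added example for this post, not AnyStix's own code. Object layouts follow the
STIX 2.1 specification; the indicator -> file "based-on" relationship is the
convention OpenCTI uses to tie an indicator to its observable.
"""
import hashlib
import json
import re
import uuid
from datetime import datetime, timezone

# Namespace fixed by STIX 2.1 for deterministic SCO identifiers (UUIDv5).
SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DEMO_CREATED = datetime(2024, 1, 2, 3, 4, 5, 678000, tzinfo=timezone.utc)


def stix_timestamp(dt: datetime) -> str:
    """STIX 2.1 timestamp: RFC 3339, UTC, millisecond precision, 'Z' suffix."""
    utc = dt.astimezone(timezone.utc)
    return utc.strftime("%Y-%m-%dT%H:%M:%S.") + f"{utc.microsecond // 1000:03d}Z"


def file_sco(sha256: str) -> dict:
    """File cyber-observable. Its id is UUIDv5 over the canonical JSON of the
    ID-contributing properties (for 'file', the hashes), so the same hash always
    maps to the same id and a TIP such as OpenCTI deduplicates it on import."""
    sha256 = sha256.lower()
    if not SHA256_RE.match(sha256):
        raise ValueError(f"not a SHA-256 hex digest: {sha256!r}")
    canonical = json.dumps({"hashes": {"SHA-256": sha256}},
                           sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return {"type": "file", "spec_version": "2.1",
            "id": f"file--{uuid.uuid5(SCO_NAMESPACE, canonical)}",
            "hashes": {"SHA-256": sha256}}


def indicator_sdo(sha256: str, labels: list, created: datetime) -> dict:
    """Detection-oriented indicator whose STIX pattern matches the file hash."""
    ts = stix_timestamp(created)
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}",
            "created": ts, "modified": ts, "valid_from": ts,
            "name": f"Sandbox sample {sha256[:12]}",
            "indicator_types": ["malicious-activity"],
            "pattern": f"[file:hashes.'SHA-256' = '{sha256.lower()}']",
            "pattern_type": "stix", "labels": labels}


def based_on(indicator: dict, sco: dict, created: datetime) -> dict:
    """indicator --based-on--> file (OpenCTI's indicator/observable link)."""
    ts = stix_timestamp(created)
    return {"type": "relationship", "spec_version": "2.1",
            "id": f"relationship--{uuid.uuid4()}",
            "created": ts, "modified": ts, "relationship_type": "based-on",
            "source_ref": indicator["id"], "target_ref": sco["id"]}


def build_bundle(samples, created=None) -> dict:
    """samples: (sha256, malware_family_or_None, country_code) tuples, the kind
    of record a collector would extract from a sandbox (constructed below).
    Duplicate hashes collapse to one file/indicator pair; bad hashes raise."""
    created = created or datetime.now(timezone.utc)
    objects, seen = [], set()
    for sha256, family, country in samples:
        sha256 = sha256.lower()
        if sha256 in seen:
            continue
        sco = file_sco(sha256)
        seen.add(sha256)
        labels = [f"country:{country.lower()}"]
        if family:
            labels.append(f"malware:{family.lower()}")
        ind = indicator_sdo(sha256, labels, created)
        objects += [sco, ind, based_on(ind, sco, created)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def push_to_opencti(bundle: dict, url: str, token: str):
    """Import the bundle with pycti (assumed installed; not exercised offline)."""
    from pycti import OpenCTIApiClient  # lazy import keeps the rest usable without pycti
    client = OpenCTIApiClient(url, token)
    return client.stix2.import_bundle_from_json(json.dumps(bundle), update=True)


# Constructed input: digests of made-up byte strings, NOT real sandbox samples.
CONSTRUCTED_SAMPLES = [
    (hashlib.sha256(b"constructed sample 1").hexdigest(), "ExampleStealer", "DE"),
    (hashlib.sha256(b"constructed sample 2").hexdigest(), None, "DE"),
    (hashlib.sha256(b"constructed sample 1").hexdigest().upper(), "ExampleStealer", "DE"),
]

if __name__ == "__main__":
    print(json.dumps(build_bundle(CONSTRUCTED_SAMPLES, DEMO_CREATED), indent=2))
```

The deterministic file id matters more than it looks: a collector that runs continuously will see the same sample many times, and with a UUIDv5 id OpenCTI merges those into one observable instead of creating a new one per run. Use `update=True` on import so re-delivered objects refresh rather than error.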

Continuous Operation

AnyStix can run as a long-lived scheduled service that continuously gathers and imports fresh intelligence, so the OpenCTI instance stays current without manual runs.

The Technical Challenge

The most interesting part of the project was accessing the data itself.

Unlike many intelligence platforms, ANY.RUN does not expose a traditional REST API for this functionality.

Instead, the web application is built on Meteor, and the data reaches the browser over DDP (Meteor's Distributed Data Protocol): a JSON message protocol carried over a WebSocket, typically with SockJS framing.

Rather than relying on:

  • Browser automation (Selenium, headless Chrome)
  • Manual scraping

AnyStix speaks the underlying protocol directly.

The result is a lightweight Python implementation that:

  • Requires no browser
  • Requires no login
  • Uses minimal resources
  • Operates efficiently at scale

One caveat that comes with this approach: the DDP publications are an internal interface rather than a supported API, so the collector should be expected to break when the site changes its publications or field names, and it should stay within the site's rate limits and terms of use.
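To make the protocol side concrete, here is an added example of the DDP client core such a collector needs; it is written for this post and is not AnyStix's own code. The message shapes (`connect`/`connected`, `sub`/`ready`, `added`/`changed`/`removed`, `ping`/`pong`) and the SockJS framing (`o`, `h`, `a[...]`, `c[...]`) follow the public DDP and SockJS specifications. The publication name `publicSubmissions`, the `submissions` collection, its field names and the server transcript are constructed assumptions, not ANY.RUN's real ones.

```python
"""Minimal DDP (Meteor Distributed Data Protocol) client core, driven offline.

Added example for this post, not AnyStix's own code. Message shapes follow the
public DDP specification and SockJS framing; the publication name, collection
name and record fields below are assumptions, not ANY.RUN's real ones.
"""
import json
import uuid


class DDPClient:
    """Protocol state machine: feed it server frames, then read the frames it
    wants sent and the collections it assembled from added/changed/removed."""

    def __init__(self, sockjs: bool = True):
        self.sockjs = sockjs        # Meteor's browser transport wraps DDP in SockJS
        self.session = None
        self.collections = {}       # collection name -> {doc id -> fields}
        self.ready_subs = set()
        self.outbox = []            # raw frames to write to the WebSocket

    # outbound -----------------------------------------------------------
    def _send(self, message: dict) -> None:
        payload = json.dumps(message, separators=(",", ":"))
        # SockJS clients send a JSON array of JSON strings; a raw /websocket sends bare DDP.
        self.outbox.append(json.dumps([payload]) if self.sockjs else payload)

    def connect(self) -> None:
        self._send({"msg": "connect", "version": "1", "support": ["1"]})

    def subscribe(self, name: str, params: list) -> str:
        sub_id = uuid.uuid4().hex
        self._send({"msg": "sub", "id": sub_id, "name": name, "params": params})
        return sub_id

    def sent(self) -> list:
        """Outbox decoded back to DDP messages (useful for tests and logging)."""
        return [json.loads(json.loads(f)[0] if self.sockjs else f) for f in self.outbox]

    # inbound ------------------------------------------------------------
    def feed(self, frame: str) -> None:
        """Handle one WebSocket text frame from the server."""
        if self.sockjs:
            if frame in ("o", "h") or frame.startswith("c"):
                return              # open / heartbeat / close: no DDP payload
            if not frame.startswith("a"):
                raise ValueError(f"unexpected SockJS frame {frame[:16]!r}")
            messages = [json.loads(s) for s in json.loads(frame[1:])]
        else:
            messages = [json.loads(frame)]
        for msg in messages:
            self._handle(msg)

    def _handle(self, msg: dict) -> None:
        kind = msg.get("msg")
        if kind == "connected":
            self.session = msg["session"]
        elif kind == "failed":
            raise RuntimeError(f"server only speaks DDP version {msg.get('version')}")
        elif kind == "ping":        # must be answered or the server drops the socket
            self._send({"msg": "pong", **({"id": msg["id"]} if "id" in msg else {})})
        elif kind == "added":
            self.collections.setdefault(msg["collection"], {})[msg["id"]] = dict(msg.get("fields", {}))
        elif kind == "changed":
            doc = self.collections.setdefault(msg["collection"], {}).setdefault(msg["id"], {})
            doc.update(msg.get("fields", {}))
            for field in msg.get("cleared", []):
                doc.pop(field, None)
        elif kind == "removed":
            self.collections.get(msg["collection"], {}).pop(msg["id"], None)
        elif kind == "ready":
            self.ready_subs.update(msg["subs"])
        elif kind == "nosub" and "error" in msg:
            raise RuntimeError(f"subscription {msg['id']} rejected: {msg['error']}")
        # addedBefore/movedBefore/result/updated are not needed by a read-only collector


def sockjs_frame(*messages: dict) -> str:
    """Stand-in for the server side: 'a' + JSON array of JSON-encoded DDP messages."""
    return "a" + json.dumps([json.dumps(m, separators=(",", ":")) for m in messages])


def malicious_hashes(client: DDPClient, collection: str) -> list:
    """Hashes of documents the sandbox marked malicious (field names assumed)."""
    docs = client.collections.get(collection, {}).values()
    return sorted(d["sha256"] for d in docs if d.get("verdict") == "malicious")


def replay_demo():
    """Drive the client with a constructed server transcript (no network)."""
    client = DDPClient()
    client.connect()
    sub = client.subscribe("publicSubmissions", [{"country": "DE"}])  # hypothetical publication
    server_frames = [
        "o",
        sockjs_frame({"msg": "connected", "session": "S1"}),
        sockjs_frame({"msg": "added", "collection": "submissions", "id": "t1",
                      "fields": {"sha256": "a" * 64, "verdict": "malicious", "country": "DE"}},
                     {"msg": "added", "collection": "submissions", "id": "t2",
                      "fields": {"sha256": "b" * 64, "verdict": "pending", "country": "DE"}}),
        sockjs_frame({"msg": "changed", "collection": "submissions", "id": "t2",
                      "fields": {"verdict": "malicious"}, "cleared": ["country"]}),
        sockjs_frame({"msg": "removed", "collection": "submissions", "id": "t1"}),
        sockjs_frame({"msg": "ready", "subs": [sub]}),
        "h",
        sockjs_frame({"msg": "ping", "id": "p1"}),
    ]
    for frame in server_frames:
        client.feed(frame)
    return client, sub
```

In a live collector the `outbox` is drained onto the WebSocket and every received text frame goes through `feed`; the only protocol-level obligations are answering `ping` with `pong` and treating `nosub` with an error as a hard failure rather than an empty result. Everything else is bookkeeping over `added`/`changed`/`removed`, which is why no browser is needed.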

Why This Matters

Public sandboxes remain one of the most underutilized resources in cybersecurity.

Every malicious sample submitted to a sandbox represents:

  • An attack already observed
  • Infrastructure already identified
  • Malware already analyzed

Transforming that information into structured threat intelligence allows defenders to benefit from discoveries made by analysts around the world.

Public submissions are not curated, though: a file uploaded to a sandbox may turn out to be benign, a test artifact, or misattributed, so hashes ingested this way should carry a confidence score and be reviewed before they drive automated blocking.

By focusing on geographic filtering, AnyStix helps organizations surface the threats most relevant to their environment.

Use Cases

AnyStix is designed for:

  • Security Operations Centers (SOCs)
  • Threat intelligence teams
  • Threat hunters
  • DFIR teams
  • OpenCTI operators
  • National and regional CERT teams

The platform enables continuous ingestion of region-focused threat intelligence without requiring commercial feeds.

Open Source and Free

AnyStix is released under the MIT License and is available as open source software.

GitHub Repository:

https://github.com/RedSideSecurity/AnyStix

Final Thoughts

Threat intelligence becomes significantly more valuable when it is relevant, timely, and operationalized.

AnyStix helps transform publicly available sandbox data into structured, country-focused threat intelligence that can be automatically delivered into OpenCTI and other security workflows.

Instead of monitoring global noise, defenders can focus on the threats most likely to impact their region and infrastructure.