greysec/malware-analysis-pipeline
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
malware-analysis-pipeline/PRODUCT-SPEC.md
T
ghstshdw 11b6032fcc Initial commit: malware-analysis-pipeline
2026-05-08 17:45:23 -05:00

9.6 KiB
Raw Permalink Blame History

GreySec MAL — Product Specification

Product: GreySec Malware Analysis Lab Version: 1.0 Status: BUILDING Date: 2026-05-07 Owner: GreySec (COO: Hermes, CEO: Adam)

What the Product Is

GreySec MAL is a self-hosted malware analysis sandbox for red team operators and security teams. You upload a binary payload, detonate it in an isolated Windows 11 VM instrumented with EDR, and receive a structured analysis report — including a Detection Score (0-100) and MITRE ATT&CK kill chain map — in under 5 minutes.

The core promise: Know exactly what your C2 payloads look like to EDR before you deploy them. Client data never leaves your infrastructure.

What the Client Gets

Primary Deliverable: Analysis Report

Each analysis produces:

  1. Detection Score (0-100)

    • 0-20: Clean — deployable in most environments
    • 21-40: Low — minor suspicious activity, review before deployment
    • 41-60: Medium — multiple suspicious syscalls, test in isolation
    • 61-80: High — significant EDR coverage, likely blocked by most EDR
    • 81-100: Critical — extensive offensive tooling, not production-ready

  2. MITRE ATT&CK Kill Chain Map

    • Ordered list of ATT&CK tactics and techniques the payload used
    • Example: T1086 (PowerShell) → T1055 (Process Injection) → T1105 (Ingress Tool Transfer)
    • Each technique linked to GreySec advisory on how to modify the payload to evade detection

  3. Behavioral Analysis Summary

    • File operations (created / modified / deleted)
    • Network operations (outbound connections, DNS queries, C2 indicators)
    • Process operations (child spawn, process injection)
    • Registry operations (modified keys)

  4. Raw Event Log (optional, for manual review)

    • Full Fibratus event stream for the analysis session
    • Requested separately — not included by default

Target Buyer

Primary: Red Team Operator at MSSP or Security Firm

Pain point: They run adversary simulation engagements for clients. Before deploying C2 payloads, they need to know if the payload will be detected. Cloud malware analysis tools (VirusTotal, ANY.RUN) send IOCs to third parties — bad for client confidentiality and for their own operational security.

Current workaround: Manual RE, testing in isolated VMs, or just hoping for the best. Very time-consuming at scale.

What they'd pay: $500-2,000/month for a self-hosted tool that speeds up their validation cycle without leaking IOCs.

Buying trigger: A client engagement where they got burned — payload detected early, red team exercise cut short.

Secondary: Security Team at Healthcare Organization

Pain point: HIPAA BAA obligations. Any cloud-based malware analysis tool that processes client PHI-adjacent files is a potential BAA violation. They cannot send binaries containing PHI-adjacent content to VirusTotal.

Current workaround: Manual analysis only, or no analysis because it's too slow. Risk of deploying undetected malware that exfiltrates PHI.

What they'd pay: $1,000-3,000/month — healthcare organizations pay premiums for compliance-grade tools.

Buying trigger: A HIPAA audit that flags "malware analysis tool usage" as a gap, or a near-miss incident involving suspicious binary.

Tertiary: CISO at Law Firm or Financial Institution

Pain point: Client confidentiality is non-negotiable. They cannot risk binaries containing M&A data, litigation strategy, or financial records being processed by a third-party cloud service.

Current workaround: Complete ban on external malware analysis tools, or only using isolated air-gapped analysis VMs.

What they'd pay: $2,000-5,000/month for a tool that guarantees data never leaves their infra.

Buying trigger: A data incident at a competitor or peer firm that involved malware analysis tools leaking confidential data.

SLA (Target)

Metric Target Notes
Analysis turnaround < 5 minutes for payloads < 10MB TBD — needs benchmarking
Report availability Via API or dashboard within 1 minute of analysis complete
System uptime 99% TBD — needs redundancy planning with Adam
Max payload size 50MB Hard limit — VM memory constraints
Concurrent analyses 3 simultaneous TBD — needs capacity testing

What we do not commit to: Detecting polymorphic packers, hardware implants, or nation-state tooling with novel evasions (0-day complexity). We detect known offensive techniques, not novel bypasses.

Limitations

  • Polymorphic/packed malware: If a binary unpacks at runtime into new code patterns, static analysis and Fibratus kernel events may not see the unpacked payload. Our analysis covers the execution path we observe — not dynamic unpackers that change behavior mid-run.

  • Hardware implants/BIOS rootkits: These operate below the OS layer. Fibratus (kernel-level) does not capture firmware-level activity.

  • Nation-state 0-day: Detection Score will be low for novel techniques with no known syscall patterns. A 0-day syscall that no EDR rule covers will score as clean. We detect known offensive techniques, not novel bypasses.

  • ARM/IoT binaries: Our analysis VM is Windows x86_64. ARM Windows binaries will not run in this environment. Linux ARM analysis is a future roadmap item.

  • macOS binaries: Not supported in V1. Future roadmap.

Competitive Landscape

Tool Model Cost Strengths Weaknesses for Our Buyer
VirusTotal Cloud $0-650/mo Huge IOC database, easy IOCs sent to third party, bad for red team ops, no behavioral analysis
ANY.RUN Cloud $99+/mo Interactive malware analysis IOCs shared with community, expensive for high volume, no self-hosted option
Joe Sandbox Cloud + on-prem Enterprise Full analysis, MITRE mapping Very expensive, complex setup for on-prem, slow turnaround
Hybrid Analysis Cloud Free + paid Good IOC DB, fast IOCs submitted to public DB, no self-hosted, freemium limits
Elastic + Lima Charlie Self-hosted Open source + $ Full SIEM + EDR control Requires significant engineering to build our specific output, not turnkey
GreySec MAL Self-hosted TBD Client data never leaves infra, local AI augmentations, MITRE ATT&CK output, Detection Score V1 is new (May 2026), limited IOC DB, not a massive public dataset

GreySec MAL's positioning:

  • Self-hosted — client data never leaves their infra (the legal and operational differentiator)
  • Local AI-augmented — not just static analysis, AI-assisted behavioral interpretation
  • Turnkey — not a SIEM/EDR tool that requires a team to operate
  • MITRE ATT&CK native — not just IOCs, structured kill chain output

Pricing Framework (Internal Only)

Do not share externally. Adam reviews and approves all client-facing numbers.

Build vs. Buy Analysis

Building this yourself (internal team):

  • Engineering time: 80-120 hours to replicate GreySec MAL feature set
  • Ongoing maintenance: 10-15 hours/month (VM updates, EDR rule updates, model retraining)
  • Infrastructure: $200-400/month (VM hosting, compute, storage)
  • Total first-year cost: $15,000-25,000 + engineering risk

Using GreySec MAL:

  • Setup: TBD (Adam to price)
  • Monthly: TBD (Adam to price based on usage tiers)
  • Value: Zero engineering risk, faster time-to-value, GreySec maintains the stack

Internal Cost Basis

Cost Item Monthly
VM hosting (Windows 11) ~$50
Docker/RabbitMQ compute ~$20
Supabase (storage + API) ~$25
AI compute (local Ollama, amortized) ~$50
Total direct cost ~$145/month

Plus human review time per analysis: ~5-10 minutes of analyst time at $105-135/hr.

Margin Targets

Internal target: minimum 4x direct cost at scale. At 20 analyses/month: ($145 + $35 human time) × 4 = $720/month breakeven on direct costs.

Roadmap (Future Tiers)

V1 (Current Build — MVP)

  • Single binary upload
  • Windows x86_64 analysis only
  • Detection Score + MITRE ATT&CK output
  • Web dashboard
  • Client upload portal (API key auth)

V2 (Next Quarter)

  • DLL analysis support
  • Multi-file upload (.zip with dependencies)
  • Batch analysis (up to 10 binaries per job)
  • Comparative output (compare two payloads side-by-side)
  • API for CI/CD integration (automated testing in build pipeline)

V3 (Future)

  • Linux binary analysis (Ubuntu VM + strace + osquery)
  • macOS binary analysis (if demand warrants)
  • ARM IoT analysis (if demand warrants)
  • Malware family classification (this is Ransomware, this is a Dropper, etc.)
  • YARA rule generation from analysis results
  • Multi-tenant isolation (each client gets their own VM)

What GreySec Gets Out of This

Building MAL accomplishes three things for GreySec:

  1. Internal tooling: We use this ourselves for red team engagements — testing C2 payloads before deployment, validating client malware samples in IR engagements.

  2. Product revenue: First productized internal capability that can be sold as a subscription. Opens a new revenue line beyond consulting.

  3. Proof of AI capability: MAL demonstrates that GreySec's agent infrastructure can build operational security tooling — a differentiator in proposal conversations vs. firms that just sell human hours.

Status: BUILDING — do not share externally until 4 critical bugs are fixed and Detection Score is validated against real payloads.

Next decision needed from Adam: Pricing tiers and setup fee. See pricing framework above — internal only.

Reference in New Issue View Git Blame Copy Permalink