# GreySec MAL — Sales Specification

**Product:** GreySec Malware Analysis Lab

**Status:** Internal — for Adam review

**Date:** 2026-05-07

**Classification:** Internal only — no client-facing numbers

---
## Market Analysis

### The Problem Nobody Talks About

Red team operators, security researchers, and adversarial testing teams have a problem they don't talk about publicly: they need to test their C2 payloads and malware samples before deploying them, but every cloud-based malware analysis tool sends those samples to a third party.

VirusTotal has 80+ anti-virus engines and a massive IOC database. If you upload a C2 payload there, every major AV vendor now has that payload's signature — including the ones your clients are running. You've just burned your own operation.

ANY.RUN, Joe Sandbox, Hybrid Analysis — same problem. Samples go into a community database, get analyzed by third-party engines, and the IOCs propagate.

For offensive security teams, this is an operational security nightmare.

### Who Actually Pays for Self-Hosted Malware Analysis

Not enterprises — they don't run offensive operations. The real buyers:

1. **MSSPs running adversary simulation engagements**
   - They test C2 payloads against client environments
   - They cannot send client malware to VirusTotal — that's a client data breach
   - They can't afford to burn their own IOCs before deployment
   - Willing to pay: $500-2,000/month for a reliable self-hosted solution

2. **Security teams at healthcare organizations**
   - HIPAA BAA obligations mean cloud malware tools are off-limits for anything touching PHI
   - They need to validate that their endpoint controls detect known malware strains
   - They want to test suspected malicious files from email attachments before sandboxing
   - Willing to pay: $1,000-3,000/month (healthcare premium)

3. **Law firms and financial institutions**
   - Client confidentiality is protected by attorney-client privilege or regulatory mandate
   - Malware samples come from M&A due diligence, litigation support, or financial investigations
   - Cannot send those to third parties under any circumstance
   - Willing to pay: $2,000-5,000/month

4. **Red team operators at government/defense contractors**
   - Sensitive operations where cloud submissions are a clearance violation
   - Air-gapped analysis VMs are the norm — they want something that works like VirusTotal but stays local
   - Willing to pay: $1,000-4,000/month

### The Pain Is Real and Growing

The offensive security industry is booming. Red team ops, adversary simulation, purple team testing — all of these require payload analysis before deployment. The more mature teams have figured out the cloud problem. The less mature ones are still burning IOCs and wondering why their C2 keeps getting flagged on day one.

GreySec MAL is positioned for the market that's figured out the problem and wants a turnkey solution, not another custom build.

---
## Competitive Landscape

| Tool | Model | Cost/Month | Self-Hosted | Key Limitation |
|------|-------|------------|-------------|----------------|
| VirusTotal | Cloud | $0-650 | No | IOCs shared with AV vendors |
| ANY.RUN | Cloud | $99-399 | No | IOCs shared with community |
| Joe Sandbox | Cloud + on-prem | Enterprise | Yes | $50K+ setup, slow |
| Hybrid Analysis | Cloud | Free + $50+ | No | Public IOC database |
| Triage | Cloud | $250+ | Yes (enterprise) | Complex setup |
| GreySec MAL | **Self-hosted** | **TBD** | **Yes — fully** | **V1 (new, May 2026)** |

**GreySec MAL's key differentiation:**

- Client data never leaves your infrastructure (legal differentiator)
- MITRE ATT&CK kill chain mapping (structured, not just IOC dumps)
- Detection Score (0-100) — actionable output, not raw event logs
- Local AI augmentation — doesn't rely on cloud AV signatures alone

---
## Buyer Personas

### Persona 1: Marcus, Red Team Lead at Nexus MSSP

**Who:** Marcus runs adversary simulation for 12 enterprise clients. His team deploys C2 infrastructure, tests phishing campaigns, and validates security controls. Every week they build 3-5 custom payloads.

**Pain:** Before deploying any payload, Marcus's team manually spins up an isolated VM and watches what the payload does. It takes 20-30 minutes per payload. They process 15-20 payloads per week. That's 5-10 hours of manual analysis time — every week.

**What he really wants:** Drop the payload, get a report in 5 minutes, move on.

**What he'll pay:** $1,200/month for a tool that eliminates 8 hours of manual analysis per week.

**Buying trigger:** A client engagement where their C2 was flagged on day one — they burned the operation because they didn't test it.

---

### Persona 2: Dr. Sarah Chen, CISO at Pacific Regional Medical Center

**Who:** Sarah oversees security for a 2,000-bed healthcare system with 8 affiliated clinics. HIPAA compliance is her top priority. She has a BAA with a cloud SIEM provider but has told her team: no cloud malware analysis, ever.

**Pain:** Her IR team handles suspicious email attachments from clinical staff. They need to know if a file is malicious before they sandbox it. They've been doing manual RE or just hoping. They've had two near-misses where they deployed a file that turned out to be credential-stealing malware.

**What she really wants:** A locked-down environment where her IR team can drop a file and get a detection verdict in 5 minutes. No cloud. No BAA risk.

**What she'll pay:** $2,500/month for healthcare org pricing.

**Buying trigger:** A HIPAA audit that flags "malware analysis procedures" as inadequate. Or a near-miss where they almost deployed undetected malware.

---

### Persona 3: James Rodriguez, Senior Associate at Morrison & Vale Law

**Who:** James handles cybersecurity for a 200-attorney law firm. They process M&A documents, litigation evidence, and financial records for high-stakes cases. Any malware analysis must be done on-site with zero data leaving the firm.

**Pain:** A suspicious file arrives via secure file transfer from a client. James needs to know if it's malware before his team opens it. He has an isolated VM but no structured way to analyze the file beyond "it looks suspicious."

**What he really wants:** A simple report: is this malware, and what does it do?

**What he'll pay:** $800/month — law firms are price-conscious but security is non-negotiable.

**Buying trigger:** After the Okta breach at a peer firm that involved malware delivered via secure file transfer. He realized his firm had no formal malware analysis process.

---
## Pricing Framework (Internal)

### Direct Cost Basis

| Cost Item | Monthly (at 20 analyses) |
|-----------|--------------------------|
| Windows VM (hosting) | $50 |
| Docker/RabbitMQ compute | $20 |
| Supabase storage + API | $25 |
| AI compute (local Ollama) | $50 |
| Human review (5 min × 20) | $175 (at $105/hr) |
| **Total** | **$320/month** |

At 4x margin: ~$1,280/month. At 5x margin: ~$1,600/month.

### Price Tiers (Internal Planning Only — No Client Numbers)

| Tier | Analyses/Month | Price Target | Buyer |
|------|----------------|--------------|-------|
| Essentials | 20 | ~$1,000-1,200/mo | Small MSSP, solo researcher |
| Professional | 50 | ~$2,000-2,500/mo | MSSP, healthcare org |
| Enterprise | Unlimited | ~$4,000-5,000/mo | Large enterprise, law/finance |

Setup fee: one month's fee (standard SaaS onboarding).

**Adam to finalize all client-facing numbers before external distribution.**

---
## Objection Handling

**"Why not just use VirusTotal? It's free."**

VirusTotal is free for IOC lookups. The cost is your C2 payload signatures being distributed to every AV vendor globally. For offensive security, VirusTotal burns your operation. We give you the same behavioral analysis without sharing your IOCs with anyone.

**"How is this different from just running a VM with Wireshark?"**

Manual analysis takes 20-30 minutes per payload and requires an expert watching the VM. GreySec MAL automates the analysis, produces a structured MITRE ATT&CK kill chain, and gives you a Detection Score you can track over time.

**"Isn't this just for hackers?"**

It's the same technology your blue team uses to build detection rules. We use it for testing our own offensive tools. Healthcare organizations use it to validate that their EDR detects known attack patterns. Law firms use it to screen files before opening them in a client engagement.

**"What if the AI gets it wrong?"**

The Detection Score is based on observed behavior (syscalls, network activity, process behavior), not AI inference. If Fibratus sees a payload call VirtualAllocEx + WriteProcessMemory + CreateRemoteThread, that scores high regardless of what the AI model thinks. The AI augments the analysis; the data is from the actual execution.
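The scoring rule described in this answer, shown as an added illustration that is not GreySec MAL's own code: a behaviour-based Detection Score that fires when a single process performs the VirtualAllocEx + WriteProcessMemory + CreateRemoteThread sequence, while a local model's verdict may only nudge the score, never create one. The event format, the rule weights and the `connect` rule are assumptions, and both traces are constructed, not real Fibratus output.

```python
from collections import defaultdict

# Behaviour rules: (name, API calls that must ALL be seen in ONE process, weight).
# Weights are assumptions; the injection triad is the pattern named in the text.
RULES = [
    ("remote_process_injection",
     frozenset({"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}), 70),
    ("outbound_network_connection", frozenset({"connect"}), 15),
]

def detection_score(events, ai_verdict=None):
    """Return (score 0-100, matched rule names) for a trace of API-call events.

    events: iterable of dicts with 'pid' and 'api' keys (constructed format).
    ai_verdict: optional 0..1 confidence from a local model; it adds at most
    10 points and only when behaviour already matched, so observed execution
    data, not the model, decides the verdict.
    """
    calls_by_pid = defaultdict(set)
    for ev in events:
        calls_by_pid[ev["pid"]].add(ev["api"])
    score, matched = 0, []
    for name, required, weight in RULES:
        # A rule fires only when one process performed the whole set, so a
        # triad split across unrelated processes does not count.
        if any(required <= calls for calls in calls_by_pid.values()):
            score += weight
            matched.append(name)
    if ai_verdict is not None and score > 0:
        score += round(10 * max(0.0, min(1.0, ai_verdict)))
    return min(score, 100), matched

# Constructed sample traces (not real Fibratus output).
INJECTING_TRACE = [
    {"pid": 4242, "api": "OpenProcess"},
    {"pid": 4242, "api": "VirtualAllocEx"},
    {"pid": 4242, "api": "WriteProcessMemory"},
    {"pid": 4242, "api": "CreateRemoteThread"},
    {"pid": 4242, "api": "connect"},
]
# A debugger-like process that allocates and writes but never starts a remote
# thread: the triad is incomplete, so the injection rule stays silent.
BENIGN_TRACE = [
    {"pid": 1337, "api": "VirtualAllocEx"},
    {"pid": 1337, "api": "WriteProcessMemory"},
]

if __name__ == "__main__":
    print(detection_score(INJECTING_TRACE, ai_verdict=0.0))  # high despite the model
    print(detection_score(BENIGN_TRACE, ai_verdict=1.0))     # model alone cannot convict
```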