Abstract: A computer-implemented method of verifying software is provided. The method comprises creating a number of virtual machines that simulate computing environments and running a number of software program on the virtual machines. The software programs have full access to the simulated computing environments, but the source code of the software program is unavailable. A hypervisor performs virtual machine introspection as the software programs run on the virtual machines, wherein the virtual machines and software programs are unaware the virtual machine introspection is being performed. Telemetry data is collected about the software programs, including any identified threats posed by the software programs to the simulated computing environments, and presented to a user via an interface.

Abstract: A method for emulating threats in virtual network computing environment is provided. The method comprises creating a number of virtual machines in the virtual network computing environment. A number of threat actors are emulated, wherein each threat actor comprises a number of threat artifacts that form a sequence of attack steps against the virtual network computing environment. The threat actors are then deployed against the virtual network computing environment. Behavioral data about actions of the threat actors in the virtual network computing environment is collected, as is performance data about the virtual network computing environment in response to the threat actors. The collected behavioral and performance data is then presented to a user via an interface.

Abstract: A computer-implemented method of analyzing malware is provided. The method comprises creating a number of virtual machines that simulate environments and running a number of malware programs on the virtual machines. A hypervisor performs virtual machine introspection as the malware programs run on the virtual machines, wherein the virtual machines and malware programs are unaware the virtual machine introspection is being performed. Behavioral data about the malware programs is collected and presented to a user via an interface.

Abstract: A computer-implemented method of verifying software is provided. The method comprises creating a number of virtual machines that simulate computing environments and running a number of software program on the virtual machines. The software programs have full access to the simulated computing environments, but the source code of the software program is unavailable. A hypervisor performs virtual machine introspection as the software programs run on the virtual machines, wherein the virtual machines and software programs are unaware the virtual machine introspection is being performed. Telemetry data is collected about the software programs, including any identified threats posed by the software programs to the simulated computing environments, and presented to a user via an interface.

Abstract: Embodiments of the invention describe systems and methods for malicious software detection and analysis. A binary executable comprising obfuscated malware on a host device may be received, and incident data indicating a time when the binary executable was received and identifying processes operating on the host device may be recorded. The binary executable is analyzed via a scalable plurality of execution environments, including one or more non-virtual execution environments and one or more virtual execution environments, to generate runtime data and deobfuscation data attributable to the binary executable. At least some of the runtime data and deobfuscation data attributable to the binary executable is stored in a shared database, while at least some of the incident data is stored in a private, non-shared database.