Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
Cisco's cloud and on-prem malware sandbox that detonates suspicious files, scores behavior, and feeds threat intelligence to AMP and Secure tools.
Cisco Threat Grid Definition: Cisco's cloud and on-prem malware sandbox that detonates suspicious files, scores behavior, and feeds threat intelligence to AMP and Secure tools.
Cisco Threat Grid (now part of Cisco Secure Malware Analytics) is a malware analysis and threat intelligence platform that detonates suspicious files in an isolated sandbox, observes their runtime behavior, and produces a threat score plus actionable indicators. Available as a cloud service or on-premises appliance, it helps security teams understand and respond to unknown threats.
It works by executing a submitted sample in instrumented virtual environments and recording behavioral activity: process creation, registry and file-system changes, network callouts, API calls, and persistence attempts. This dynamic analysis is combined with static inspection and correlated against a large corpus of previously analyzed samples and global threat intelligence. The result is a normalized threat score, a list of indicators of compromise (IOCs), and behavioral context that analysts can pivot on.
This matters because signature-based defenses miss novel and polymorphic malware. By analyzing what a file actually does rather than what it looks like, Threat Grid surfaces zero-day and evasive threats, and its intelligence feeds other Cisco products such as Secure Endpoint (AMP), Secure Firewall, Email Security, and Umbrella through APIs. Without sandbox-based analysis, organizations are largely blind to malware engineered to bypass static detection.
For example, a SOC analyst receives an alert about a suspicious email attachment that no antivirus engine flags. They submit the file to Threat Grid, which detonates it and reveals that the document drops a payload, establishes persistence via a scheduled task, and beacons to a command-and-control domain. The platform returns the C2 domain and file hashes as IOCs, which the team then blocks across the firewall and DNS layer and uses to hunt for other infected hosts.
Turn knowledge into credentials with our instructor-led cybersecurity boot camps.
View All Courses →