Runtime analysis

What the dynamic sandbox detects

In short

Extuno runs each extension or package in an ephemeral, network-segmented micro-VM and records what it actually does at runtime - the endpoints it contacts, the exact payloads it sends, the API calls it makes, and the data it tries to steal.

Why run code instead of only reading it?

Static analysis is fast and safe but obfuscation and remotely hosted code can hide behavior from it. Running the artifact reveals what it really does: the destination of an exfiltration request, the payload it carries, the wallet approval it asks for, the miner it starts.

How does Extuno run untrusted code safely?

Every dynamic run happens in an ephemeral micro-VM that is network-segmented and destroyed after the run. Untrusted code never touches the main platform, so the sandbox can observe real malicious behavior without risk.

What behavior does it capture?

Runtime exfiltration with the destination and payload, remote code execution, credential and cookie theft, clipboard wallet swaps, crypto-mining, and command-and-control beaconing - each turned into a finding with the captured evidence.

FAQ

Common questions

Is it safe to run real malware?
Yes, in the right boundary. Extuno executes in an ephemeral, network-segmented micro-VM destroyed after each run, so the analyzed code cannot reach the platform or persist.
What does dynamic analysis catch that static misses?
Behavior that only appears at runtime or behind obfuscation - the actual endpoint contacted, the payload sent, and code fetched and run after install.