See Cyber Threats to Your Industry and Region in Just 2 Seconds


Security teams today struggle with a paradox. Threat volumes keep climbing, but most of what hits SIEMs and inboxes is noise: indicators stripped of meaning, alerts detached from context, and threat data that treats every organization as if it faces the same risks. 

For CISOs, SOC and MSSP leads, this lack of context has a measurable cost. Teams spend too much time qualifying unimportant alerts, incident queues grow, and strategic detection engineering drifts toward generic threats instead of those most likely to hit the business. 

Your analysts see that Agent Tesla or Lumma Stealer appeared in the wild, but they don’t know whether it’s actively targeting financial services firms in Germany or primarily hitting educational institutions in Asia. 

A Contextual Lens for Your Threat Landscape 

ANY.RUN’s Threat Intelligence Lookup now introduces a new layer of clarity with industry and geo threat landscape insights. It is a practical way to see how relevant a threat or indicator is for your specific environment.  

Industries and locations most targeted by banker trojan malware, recently active bankers exposed by TI Lookup. 

It provides risk-based relevance scoring drawn from real sandbox submissions, helping teams understand: 

  • Which industries are recently seeing this threat or IOC most frequently; 
  • Which regions report it most; 
  • Which threat families commonly appear with the queried indicator. 

This transforms raw IOCs into contextual intelligence that directly connects to business priorities and operational focus. 
 
Powered by collaborative data from global sandbox submissions, this focused, actionable view offers a snapshot of associations — not certainties — based on patterns in real-world analyses. 


At its core, the feature delivers three probabilistic context fields to inform risk-based decisions: 

| Context Field | Description | Business Value |
| --- | --- | --- |
| Risk Score by Industry | Percentage likelihood that a queried threat or indicator appears in attacks linked to each sector, drawn from search results. | Quickly gauge if your industry (e.g., finance at 15% risk) warrants escalated defenses, aligning security spend with sector-specific exposures. |
| Threat Names | Percentage frequency of associated threats in current results. | Spotlight the most probable campaigns or families (e.g., Lumma Stealer at 40%), enabling proactive playbook development for high-impact risks. |
| Submission Countries | Percentage of submissions from each country tied to the query. (Analyst locations uploading samples, not confirmed attack origins.) | Identify reporting hotspots (e.g., U.S. at 25%) to hypothesize regional trends and tailor compliance efforts for multinational operations. |

Start acting on the full picture.  Understand the landscape with TI Lookup and protect before threat strikes  

These context fields are powered by analysis from over 15,000 organizations using ANY.RUN’s solutions. The data reflects actual security investigations happening across sectors and regions, providing a real-world lens rather than theoretical attribution. 

Use Cases: From Alert to Action in Daily SOC Workflows 

1. Map a Known Threat 

threatName:"agenttesla" 


Agent Tesla stealer recent activity exposed by TI Lookup 

Searching TI Lookup by a threat name, an analyst can instantly see:  

  • Which industries most often encounter it; 
  • Which regions report it; 
  • Associated IOCs and artifacts. 

If their sector appears high in the breakdown, the threat is treated as high-relevance, helping the analyst focus on meaningful artifacts instead of reviewing everything. 
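The relevance check described above, as an added example that is not ANY.RUN code or TI Lookup output: it ranks alerts by how often their threat family appears for your sector and country. The data layout, percentages, alert IDs, function names, weights and threshold are all assumptions constructed for illustration.

```python
"""Rank alerts by how often their threat family shows up for our sector and country."""

# Constructed sample: percentages shaped like the industry and submission-country
# context fields. Hypothetical values and layout, not real TI Lookup output.
CONTEXT = {
    "agenttesla": {"industry": {"Manufacturing": 9.0, "Finance": 15.0},
                   "country": {"de": 8.0, "us": 25.0}},
    "lumma":      {"industry": {"Education": 40.0, "Finance": 3.0},
                   "country": {"in": 30.0, "us": 12.0}},
    "tycoon":     {"industry": {"Manufacturing": 31.0, "Health": 12.0},
                   "country": {"de": 27.0, "us": 35.0}},
}

# Constructed alerts: (alert id, threat family tagged by the detection).
ALERTS = [("A-1", "lumma"), ("A-2", "tycoon"), ("A-3", "agenttesla"), ("A-4", "newloader")]


def relevance(ctx, industry, country, w_industry=0.7, w_country=0.3):
    """Weighted share (0-100) of results matching our sector and country.

    Country gets the smaller weight because it reflects where analysts
    uploaded samples, not a confirmed attack origin.
    """
    ind = ctx["industry"].get(industry, 0.0)
    geo = ctx["country"].get(country, 0.0)
    return round(w_industry * ind + w_country * geo, 1)


def triage(alerts, context, industry, country, high=15.0):
    """Return (alert_id, threat, score, tier) tuples, most relevant first."""
    ranked = []
    for alert_id, threat in alerts:
        ctx = context.get(threat)
        if ctx is None:
            # No landscape data is not evidence of low risk: keep for review.
            ranked.append((alert_id, threat, None, "unknown"))
            continue
        score = relevance(ctx, industry, country)
        tier = "high" if score >= high else "low" if score == 0 else "normal"
        ranked.append((alert_id, threat, score, tier))
    # Scored alerts first by descending score; unknowns go last but are never dropped.
    return sorted(ranked, key=lambda r: (r[2] is None, -(r[2] or 0.0)))


if __name__ == "__main__":
    for row in triage(ALERTS, CONTEXT, "Manufacturing", "de"):
        print(row)
```

Because the percentages are associations rather than certainties, the "low" tier only reorders the queue; nothing is suppressed.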

2. Diagnose a Local Industry 

Suppose a CISO at a German manufacturing company wants a baseline for sector risks.  

industry:"Manufacturing" AND submissionCountry:"de" 

TI Lookup summary on malware samples analyzed by German users and targeting manufacturing business 

This query surfaces top threats like Tycoon 2FA and EvilProxy, and highlights the interest of Storm-1747, the APT group that operates Tycoon 2FA, in the country’s production sector. 

This becomes an immediate priority list for detection engineering, threat hunting hypotheses, and security awareness training. Analysts access sandbox sessions and real-world IOCs related to those threats.  

3. Deep Dive into a Known Vulnerability 

A US hospital security team registers persistent phishing issues. What campaigns target similar businesses in the region?  

industry:"health" and submissionCountry:"us" and threatName:"phishing" 


Sandbox analyses of phishing samples submitted in the USA, relevant for healthcare organizations 
 
The results reveal the most common threat names — Tycoon2FA, Sneaky 2FA, EvilProxy, and Mamba — along with sandbox analyses showing actual attack chains and indicators from peer organizations. 

This intelligence becomes a targeted backlog for detection engineering and threat hunting, focused on the phishing families that security teams in similar organizations are actually investigating, rather than generic global lists that may not reflect a specific risk environment.

This tactic also directly boosts employee awareness and reduces incident frequency, a key metric for insurance premiums and investor confidence. 

Level up detection and response on incident data from 15k SOCs  Contact ANY.RUN to start using TI Lookup for geo and industry threat context.   

Tangible Benefits: Aligning Security with Business Goals 

For corporate leaders, this feature scales prioritization across client segments or divisions, standardizing rules for consistent quality while providing audit-ready evidence of sector-aware monitoring.

MSSPs can group clients by industry/geo, flag high-risk matches for new threats, and export IOCs for bulk protections, streamlining service delivery and client retention. 

SOC leads gain a quick applicability check: Query your industry/country for ranked threats, then refine detections and training around them.

When a threat emerges, a glance at industry associations raises priority if your sector ranks high, ensuring immediate artifact access for blocking. 

Tier 2-3 analysts benefit from reduced noise: Pivot seamlessly from threats to industries/countries (or vice versa) with rich, real-world artifacts.

This accelerates triage, enriches cases with grounded context, and delivers more accurate recommendations to leadership—empowering analysts to close high-value incidents faster. 
 
Industry & Geo context enhances the entire detection and response lifecycle:  

  • Shorter MTTD: Analysts instantly understand whether a threat is typical for their environment. 
  • Faster MTTR: Every landscape slice includes fresh IOCs, behaviors, and sandbox insights. 
  • Reduced false positives: Indicators that never appear in your sector/region can be deprioritized. 
  • Better detection engineering focus: Teams build rules for threats that impact similar organizations. 
  • Higher analyst efficiency: Fewer meaningless alerts, more meaningful cases closed per shift. 

Getting Started 

Threat Intelligence Lookup uncovers probabilistic industry and geographic patterns in every search, empowering analysts to contextualize IOCs against your unique environment. Narrow the global noise for efficient research, hunting, and response—backed by insights from 15,000 organizations. 
 
Security isn’t about defending against every threat. It’s about defending effectively against the threats most likely to impact your business. Industry and geographic context gives you the intelligence to make that distinction. 

Security teams can prioritize faster, detect sharper, reduce false positives, and improve MTTR, focusing on threats poised to hit hardest. Proactively build defenses that safeguard what matters most: your profits and reputation. 
 
Industry & geo threat context is available now to all ANY.RUN Premium subscribers. 

Gain threat landscape and evolution insights for focused action.  Act on the threats relevant to your business with Threat Intelligence Lookup. 
