February 05 2026

Cohesity launches secure sandbox analysis powered by Google Threat Intelligence

Assess suspicious files and eradicate threats faster within the Cohesity Data Cloud console.


Bad actors are constantly evolving their tactics, techniques, and procedures (TTPs) to evade detection. From zero-day exploits to living-off-the-land (LOTL) methods, these sophisticated threats can slip through traditional defenses. Relying solely on signature-based threat detection is no longer sufficient—it simply can't catch them all, leaving organizations vulnerable to persistent intrusions.

This is where scanning backups emerges as an essential second line of defense. By threat hunting through secondary data with newly available, higher-fidelity signatures and indicators of compromise (IoCs), you can uncover hidden malware that was missed in real-time.

That said, threat hunting often reveals suspicious files that don't match any known signatures. In these cases, a malware sandbox becomes invaluable: it allows safe detonation of the file, observing its behavior to determine if it's malicious or benign, without relying on third-party verification.

We’re excited to announce that Cohesity now offers this capability, helping you to stay one step ahead of evolving threats. Secure sandbox analysis is now available in Cohesity Data Cloud, powered by Google Threat Intelligence (GTI). This feature allows you to assess the danger posed by suspicious files.

(Review documentation – customer login required.)

You can review details of the IoC, then detonate a copy of the file in question inside a secure, isolated sandbox—without exposing production environments or compromising data privacy. It’s the fastest, safest way to assess the danger posed by unknown entities.

Details of an indicator of compromise with a file reputation, powered by GTI.

The challenge: When threat scans produce unclear results

Our platform, Cohesity Data Cloud, includes threat protection capabilities that identify suspicious files using:

Scans result in files being categorized as:

  • Malicious: The file is confirmed to be harmful and poses a security threat. 
    • You can proceed to eliminate the threat.
  • Suspicious: Possible malicious activity detected, requires further investigation.
    • You can investigate further, using a clean room and other forensic methods.
  • Benign: The file is safe and does not show any harmful behavior. 
    • Good news—the file is known to be safe!
  • Undetected: No evidence of malicious intent was found, but the file is not guaranteed to be safe.
    • The file is known to be “not bad.” The risk from this verdict is quite low.
  • Unknown: There is no information available about the file. It has not been analysed before. 

The “unknown” verdict is problematic. Historically, your options to address this situation have been limited. You could choose to:

  • Bring up the infected snapshot to the live environment.
  • Manually export files to third-party sandboxes.

Either option potentially breaks data-governance policies and introduces operational and compliance risk. You also risk spreading the infection and losing both visibility and auditability.

Now, you have a much better way to address “unknown” files—Cohesity’s new secure sandbox analysis feature.

A closer look at the secure sandbox analysis

Cohesity Data Cloud performs behavioral malware detonation directly from backup data, using Google Threat Intelligence Private Scanning.

Infrastructure and security teams can now use this capability to:

  • Validate whether suspicious files behave maliciously.
  • Observe runtime behaviour (processes, registry activity, network calls, system calls, portable executables, etc.).
  • Make confident recovery decisions supported by forensic evidence.
  • Maintain strict privacy and tenant isolation.

All of this can be done from the Cohesity Data Cloud console without leaving the environment. 

How it works

Here’s a quick tutorial on private sandbox scanning.

1. Run a threat scan across your data estate

A threat protection scan is performed over a range of data sources such as:

  • VM snapshots
  • NAS shares
  • Acropolis (AHV)
  • Physical Servers
  • Hyper-V
  • Isilon
  • Cohesity SmartFiles
  • NetApp

If the scan identifies suspicious files, they appear in the Threat Scan Results with IOC context, as shown below.

Threat scan result from Cohesity Data Cloud. Note the “verdict” column on the right.

2. Threat investigation with Google Threat Intelligence

The user then drills into the file hash and sees the “Unknown” result under the GTI Verdict. Because the file is “Unknown,” no further details about it are shown.

3. Secure sandbox submission (with explicit consent)

To better understand the risk posed by this file, the user selects “Detonate in Sandbox / Private Scan.”

A consent pop-up message clearly explains:

  • The file will be securely transmitted via the Cohesity control plane.
  • The analysis is performed in Google’s isolated sandbox in Google Cloud.
  • Sensitive or regulated data must be authorized before submission.

No file submission proceeds without explicit user consent.

Consent window to proceed with file submission.

4. Asynchronous sandbox detonation

Here’s what happens once the file is submitted:

  • The file is detonated in an isolated sandbox running on Google Cloud.
  • Runtime behavior is captured, including:
    • Process creation
    • File system changes
    • Registry keys read, modified, or deleted
    • Network connections
    • Dropped payloads
    • MITRE ATT&CK techniques
    • Screenshots
  • The user sees “Analysis in Progress” in the Cohesity Data Cloud UI, shown below.

5. Automated notification & report availability

When the analysis completes, the user receives:

  • An email notification
  • An in-app alert in the Cohesity Data Cloud console

The full behavioral report becomes available in File Details. No more guesswork!

The Secure Sandbox Analysis report includes:

  • Verdict: Malicious / Suspicious / Benign / Undetected
  • Behavioral Summary: Key runtime actions
  • Network IOCs: Domains, IPs, URLs
  • Dropped Files: Secondary payloads
  • Screenshots & Execution Timeline
  • Detection Severity Breakdown: Critical / High / Medium / Low

All this data is neatly presented in a single screen, shown below. For advanced analysis, users can download the full report as a PDF or compressed archive.
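The verdict categories listed earlier and the report fields listed above together define an analyst's triage loop: route each scan verdict to a next action, hold “unknown” files until consent (and, for regulated data, authorization) exists before any sandbox submission, and then turn the returned report into a restore decision and a network blocklist. The following is an added example of that loop, not Cohesity or Google code; the report schema (`verdict`, `network_iocs`, `dropped_files`, `detections` with a `severity`), the action names, and the sample report itself are all constructed for illustration.

```python
"""Triage helper for backup threat-scan verdicts and sandbox reports.

Added example, not Cohesity or Google code. The report schema used here is
a hypothetical stand-in; a real report would be mapped onto these fields.
"""
from collections import Counter
from enum import Enum
from typing import Dict, Iterable, List, Tuple


class Verdict(str, Enum):
    MALICIOUS = "malicious"
    SUSPICIOUS = "suspicious"
    BENIGN = "benign"
    UNDETECTED = "undetected"
    UNKNOWN = "unknown"


# Next action per scan verdict (hypothetical action names). "unknown" is the
# case the sandbox exists for, and it must never be submitted silently.
NEXT_ACTION = {
    Verdict.MALICIOUS: "eradicate",
    Verdict.SUSPICIOUS: "investigate",
    Verdict.BENIGN: "clear",
    Verdict.UNDETECTED: "accept-low-risk",
    Verdict.UNKNOWN: "sandbox",
}


def triage_scan(results: Iterable[Tuple[str, str, bool]],
                consent_granted: bool,
                regulated_authorized: bool) -> Dict[str, str]:
    """Map (sha256, verdict, is_regulated) rows to a next action per hash.

    Unknown files are queued for the sandbox only with explicit consent;
    regulated data additionally needs authorization. Otherwise the file is
    held with an explicit reason rather than dropped from the queue.
    """
    actions: Dict[str, str] = {}
    for sha256, raw_verdict, is_regulated in results:
        verdict = Verdict(raw_verdict.lower())  # ValueError on an unexpected string
        action = NEXT_ACTION[verdict]
        if action == "sandbox":
            if not consent_granted:
                action = "needs-consent"
            elif is_regulated and not regulated_authorized:
                action = "needs-authorization"
        actions[sha256] = action
    return actions


def severity_breakdown(report: dict) -> Dict[str, int]:
    """Count detections per severity level (Critical / High / Medium / Low)."""
    counts = Counter(d["severity"].lower() for d in report.get("detections", []))
    return {level: counts.get(level, 0) for level in ("critical", "high", "medium", "low")}


def network_iocs(report: dict) -> List[str]:
    """Deduplicated, sorted domains/IPs/URLs from the report, ready for a blocklist."""
    net = report.get("network_iocs", {})
    return sorted(set(net.get("domains", [])) | set(net.get("ips", [])) | set(net.get("urls", [])))


def recovery_decision(report: dict) -> str:
    """Decide whether a snapshot holding this file may be restored.

    A malicious verdict, or any critical/high detection, blocks the restore
    even when the headline verdict is only 'suspicious'. Medium findings or
    dropped payloads route the restore to a clean room for further review.
    """
    verdict = Verdict(report["verdict"].lower())
    sev = severity_breakdown(report)
    if verdict is Verdict.MALICIOUS or sev["critical"] or sev["high"]:
        return "block-restore"
    if verdict is Verdict.SUSPICIOUS or sev["medium"] or report.get("dropped_files"):
        return "restore-to-clean-room"
    return "restore"


# Constructed sample report in the hypothetical schema; indicators use
# reserved example values (example.invalid, TEST-NET 192.0.2.0/24).
SAMPLE_REPORT = {
    "sha256": "0" * 64,  # placeholder hash
    "verdict": "Suspicious",
    "behavioral_summary": ["creates scheduled task", "modifies Run key"],
    "network_iocs": {
        "domains": ["example.invalid"],
        "ips": ["192.0.2.10", "192.0.2.10"],  # duplicate on purpose
        "urls": ["http://example.invalid/stage2"],
    },
    "dropped_files": ["stage2.dll"],
    "detections": [
        {"name": "persistence.registry-run-key", "severity": "High"},
        {"name": "network.http-beacon", "severity": "Medium"},
        {"name": "evasion.sleep", "severity": "Low"},
    ],
}

if __name__ == "__main__":
    print(triage_scan([("a" * 64, "Unknown", False), ("b" * 64, "Malicious", False)],
                      consent_granted=True, regulated_authorized=False))
    print(severity_breakdown(SAMPLE_REPORT), network_iocs(SAMPLE_REPORT),
          recovery_decision(SAMPLE_REPORT))
```

The point of `recovery_decision` is that the headline verdict alone is not enough: the sample report is only “Suspicious”, but its high-severity persistence finding is what blocks the restore, which is exactly the forensic evidence the behavioral report adds over a hash lookup.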
Privacy first: Built-in controls

Cohesity’s secure sandbox analysis is built with privacy-first principles:

  • No customer file content is retained by Cohesity.
  • The submitted file is deleted after the report is made available to the user. 
  • Google does not retain any customer file or sandbox detonation report.
  • Reports are:
    • Private
    • Tenant-isolated
    • Accessible only to authorized users (the user who submitted the file)
  • No samples are shared publicly or reused.

Secure sandbox analysis can be suitable for certain regulated industries such as finance, healthcare, and government.

Private sandbox scanning is an essential tool for cyber resilience

With secure sandbox analysis, you can move beyond threat protection into threat validation—a critical step in modern cyber resilience.

This new practice combines:

  • Backup-native threat detection
  • Behavioral sandbox analysis
  • Privacy-preserving design
  • Seamless operational workflow

Cohesity empowers you to wield a capability in a single workflow that previously required multiple tools and manual interactions. 
