Threat Intel  ·  SOC Platform

Analyze threats.
Decide in seconds.

Mlab.sh is a security investigation platform for SOC analysts and incident responders. Upload files, search IOCs, map findings to MITRE ATT&CK, and coordinate response — all in one place.

50K+ Files Analyzed
100K+ IOCs Searched
20+ Analysis Tools
<5s Avg. Response Time

( Indicators )

One platform, every indicator that matters.

Feed any IOC into Mlab and get enriched, correlated intelligence in seconds. Hashes are pivoted across sandboxes, IPs across passive DNS, domains across WHOIS and reputation feeds.

IP: IPv4 & IPv6 lookups
Domain: DNS / WHOIS / reputation
Hash: MD5 / SHA-1 / SHA-256
URL: Phishing & payload detection

Supported file types  ·  up to 25 MB

EXE DLL SYS PDF DOCX XLSX PPTX PNG JPG ZIP EML JS

( Toolbox )

20+ specialized analysis tools, one workflow.

Stop juggling tabs across CyberChef, VT, AnyRun and grep. Every tool is wired into the same investigation graph so pivots happen automatically.

TOOL / 01  JS Deobfuscator: Unpack obfuscated JavaScript from phishing pages and malicious docs.
TOOL / 02  PE / ELF Inspector: Strings, sections, imports and entropy for Windows and Linux binaries.
TOOL / 03  Macro Extractor: Pull VBA macros out of Office documents, surface IOCs and intent.
TOOL / 04  PDF Analyzer: Object tree, embedded JavaScript, URLs and exploit signatures.
TOOL / 05  YARA Runner: Run public and custom YARA rules against uploaded files.
TOOL / 06  Sandbox Pivots: Cross-reference hashes against multiple sandbox verdicts and IOCs.
TOOL / 07  Passive DNS: Historical IP / domain resolution to spot infrastructure pivots.
TOOL / 08  WHOIS & SSL: Registrant, age, certificate chain and SAN clustering.
TOOL / 09  URL Sandbox: Detonate suspect URLs and capture the redirect chain.
TOOL / 10  Email Analyzer: Header forensics, SPF / DKIM / DMARC checks, attachment triage.
TOOL / 11  Decoder Chain: Base64, hex, URL, ROT, XOR — chain decoders without leaving the case.
TOOL / 12  IOC Extractor: Pull IPs, domains, hashes and URLs out of any blob of text or report.

( MITRE ATT&CK Mapping )

Every finding mapped to a technique.

Mlab automatically classifies behaviors against MITRE ATT&CK tactics and techniques. Compare reports across investigations, spot recurring TTPs, and feed your detection-engineering backlog.

[ATT&CK matrix mockup: coverage on this case across Initial Access, Execution, Persistence and C2. Case summary: Phishing → PowerShell → Scheduled Task → HTTPS C2, 8 / 12 techniques hit, severity HIGH.]

( Mlab IR )

From alert to resolution. On your infrastructure.

Mlab IR is a self-hosted incident response platform. Ingest alerts from any SIEM or EDR via API, triage them into cases, track observables across investigations, and close with a full audit trail.

Alert Ingest

Pipe alerts from SIEMs, EDRs and email gateways through a simple API. Auto-deduplicate and enrich.

Triage Routing

Severity scoring routes each alert to the right analyst: no shared inbox, no lost tickets.

Case Workspace

Escalate alerts into cases with evidence, observables, comments and timeline.

Observable Graph

Track IPs, domains, hashes and emails across cases — recurring indicators link automatically.

Activity Timeline

Every status change, comment and evidence attachment logged with timestamps. Full traceability.

100% Self-Hosted

Your data never leaves your infrastructure. Docker Compose deployment in under 5 minutes.

Two products. One workflow.

Use Mlab.sh for threat intel and analysis. Plug Mlab IR into your stack for end-to-end response.