Collect
Feed Mlab with IPs, domains, hashes, or upload suspicious files (PNG, JPG, PDF, DOCX, XLSX, PPTX, EXE, DLL, SYS, up to 25 MB).
Mlab.sh is a security investigation platform that lets you upload files, search IPs, domains, and hashes, then get structured, actionable intelligence in seconds. Built for SOC analysts, incident responders, blue teams, and security researchers who need fast, reliable threat analysis.
With 20+ specialized analysis tools, MITRE ATT&CK mapping, and a JavaScript deobfuscator built in, Mlab.sh centralizes your investigations so you can reduce manual correlation work and focus on what actually matters.
Mlab runs the data through 20+ specialized tools, including MITRE ATT&CK mapping and JS deobfuscation, to extract deep intelligence.
Indicators are cross-referenced automatically to reveal hidden patterns, relationships, and attack chains.
Get structured, human-readable results with no noise and no clutter. Everything you need to understand the threat at a glance.
Make informed decisions based on reliable intelligence. Integrate findings into your incident response workflow.
Search and enrich IPs, domains, and file hashes instantly. Cross-reference indicators across multiple intelligence sources.
Upload and analyze suspicious files. Supports executables (EXE, DLL, SYS), documents (PDF, DOCX, XLSX, PPTX), and images (PNG, JPG).
Automatically map findings to MITRE ATT&CK techniques and tactics for standardized threat classification.
Decode obfuscated JavaScript found in phishing pages, malicious documents, and web-based attacks.
Self-hosted IR solution to coordinate and manage security incidents from detection to resolution.
Most teams still manage incidents with shared docs, Slack threads and email chains. Mlab IR is a self-hosted incident response platform that turns security alerts into structured investigations, from triage to resolution, without relying on expensive enterprise SOAR solutions.
Collect alerts from SIEMs, EDRs, email gateways, or any security tool via API integration.
Prioritize, deduplicate, and assign alerts with severity routing to the right analyst.
Escalate alerts into cases. Attach evidence, track observables, and build investigation timelines.
Document findings, close cases, generate reports, and capture lessons learned for future incidents.
Ingest alerts from any source via API. Auto-deduplicate, enrich with context, assign severity, and route to the right analyst.
Structure investigations with analyst assignment, priority tracking, and full audit trails from creation through closure.
Track IPs, domains, hashes, and emails across investigations. Identify recurring indicators and link related cases automatically.
Every action is logged with a timestamp, giving complete traceability of status changes, comments, and evidence attachments.
Role-based access control with granular permissions for admins, analysts, and read-only viewers.
Your data never leaves your infrastructure. No SaaS dependency, no vendor lock-in. Deploy in under 5 minutes.