Malware Lab

Real malware, safely captured.

The Replay Malware Lab provides a fully isolated and instrumented environment where real malicious code can be executed, observed, and captured without any risk to production systems.

Each detonation generates a complete, time-accurate record of system behavior across SentinelOne, ArmorX, Sysmon, and network sensors. After each run, the environment is destroyed and rebuilt, ensuring a clean and controlled workspace for every scenario.

How the Lab Works

Replay uses a sealed virtual environment positioned behind a containment firewall. No outbound communication is allowed except for the security agents that report telemetry.

This guarantees safe execution while capturing every observable action of the malware.

Instrumented Virtual Machine

A fully instrumented VM is prepared for each run, equipped with SentinelOne, ArmorX, Sysmon, and internal network taps. All components are synchronized to record precise timing and behavior across the system.

Supervised Malware Execution

Malicious code is introduced and executed under strict supervision. Containment checks, approval workflows, and execution controls ensure that the malware cannot escape the environment.

Full Spectrum Telemetry Capture

Every action generated by the malware is recorded. This includes endpoint telemetry, host-level artifacts, EDR analytics, network traces, and system events. Replay collects and aligns these signals through the Fluency event pipeline.

Automated Sanitization and Packaging

Once execution is complete, the VM is destroyed. Captured telemetry is sanitized, masked, and packaged into a portable Replay scenario that can be replayed as often as needed.

What Malware Lab Scenarios Provide

Replay users gain access to authentic malicious behavior that reflects how real infections unfold.

These scenarios provide:

Realistic infection chains across multiple data sources
Correlated behaviors from endpoint, host, and network layers
A clear view of how different agents detect and interpret the same event
High-quality training content for SOC onboarding and workshops
Demonstration material for partners and customer presentations
Reliable datasets for evaluating AI-driven analysis tools

These captures produce more accurate learning and testing environments than synthetic samples or vendor-provided demonstrations.

Correlation Inside Fluency

After packaging, each malware run behaves like a real incident inside Fluency.

Dashboards show aligned behavior across:

SentinelOne: Endpoint detection and response activity
Sysmon: System-level process, registry, and file operations
ArmorX: Advanced threat analysis and enrichment
Network Indicators: Flow data, connection attempts, and unusual traffic patterns

This correlation gives students and analysts a complete view of how a threat progresses and how each tool contributes to detection and response.

Growing Scenario Library

Every detonation becomes a new scenario available in Replay.

As the lab expands, the scenario library provides broader coverage of threat families and behaviors, including:

Ransomware
Credential theft
Persistence mechanisms
Lateral movement
Command and control communication

The library continues to grow as new samples and techniques are detonated, offering ever-increasing depth and variety.

Replay Integration

All Malware Lab captures feed directly into Replay.

Each scenario preserves the timing, sequencing, and behavior of the original run. Instructors and analysts can use it to demonstrate how Fluency correlates multi-source telemetry, replay attacks exactly as they occurred, build instructor-led exercises and workbook sessions, and test new rules, detections, or AI workflows against consistent inputs.
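As an added illustration of the capture, sanitization, correlation and timed-replay steps described above (this is not code from Replay or Fluency; the record shapes, field names, hostname, user name and IP address are constructed assumptions), the following Python example normalizes sensor records arriving in three different formats onto one clock, masks the hostname and user name with a deterministic pseudonym so cross-source joins still work, groups events by host and process, and re-emits them with the original inter-event gaps preserved:

```python
import hashlib, re, time
from datetime import datetime, timezone

# Constructed sample records from three sensors, each in its own shape; field names are illustrative assumptions.
RAW_EVENTS = [
    {"src": "sysmon", "t": "2024-05-01T10:00:01.250Z", "host": "LAB-WS01", "pid": 4120,
     "msg": "ProcessCreate C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.exe"},
    {"src": "netflow", "start": "2024-05-01T10:00:03Z", "src_host": "LAB-WS01", "pid": 4120,
     "msg": "TCP to 203.0.113.10:443, 18422 bytes out"},
    {"src": "edr", "ts": 1714557601.9, "agentHost": "LAB-WS01", "processId": 4120,
     "msg": "Suspicious: unsigned binary launched from user Temp"},
]
MASK_SALT = "lab-run-0001"  # per-run salt: tokens are stable within one scenario, not across runs

# source -> (timestamp extractor, host field, pid field); every sensor reports time differently
PARSERS = {
    "sysmon": (lambda r: datetime.fromisoformat(r["t"].replace("Z", "+00:00")), "host", "pid"),
    "edr": (lambda r: datetime.fromtimestamp(r["ts"], tz=timezone.utc), "agentHost", "processId"),
    "netflow": (lambda r: datetime.fromisoformat(r["start"].replace("Z", "+00:00")), "src_host", "pid"),
}

def pseudonym(kind, value):
    """Deterministic mask: the same real value always yields the same token, so joins survive."""
    return f"{kind}-{hashlib.sha256(f'{MASK_SALT}:{value}'.encode()).hexdigest()[:8]}"

def normalize(rec):
    """Map a native record onto one schema with a UTC timestamp and masked host/user names."""
    get_ts, host_field, pid_field = PARSERS[rec["src"]]
    msg = re.sub(r"C:\\Users\\([^\\]+)", lambda m: "C:\\Users\\" + pseudonym("user", m.group(1)), rec["msg"])
    return {"ts": get_ts(rec), "source": rec["src"], "host": pseudonym("host", rec[host_field]),
            "pid": rec[pid_field], "msg": msg}

def build_scenario(raw):
    """Sort all sensors onto one clock, store offsets from the first event, and group by entity."""
    events = sorted((normalize(r) for r in raw), key=lambda e: e["ts"])
    t0, chains = events[0]["ts"], {}
    for e in events:
        e["offset_s"] = round((e["ts"] - t0).total_seconds(), 3)
        e["entity"] = f'{e["host"]}/{e["pid"]}'  # host+pid is the cross-sensor correlation key
        chains.setdefault(e["entity"], []).append(e["source"])
    return {"t0": t0.isoformat(), "events": events, "chains": chains}

def replay(scenario, emit, sleep=time.sleep, speed=1.0):
    """Re-emit events with the original inter-event gaps preserved (divided by speed)."""
    prev = 0.0
    for e in scenario["events"]:
        sleep((e["offset_s"] - prev) / speed)
        prev = e["offset_s"]
        emit(e)
    return len(scenario["events"])
```

Pass `sleep` and `emit` callables of your own to drive a dashboard or a test harness instead of wall-clock sleeping; the raw records are deliberately out of time order so that the sort step is visible.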

Replay transforms each lab execution into a practical, reusable asset.


Coming Enhancements

Future updates will include visualization of the containment architecture, screenshots and environment views from inside the lab, request forms for custom malware runs, and curated scenario bundles organized by threat category.