True Bare Metal (TBMTM) Cloud Sandbox

Many automated malware analysis sandboxes exist on the market today, but they all suffer from the fundamental flaw of being based on virtualization or emulation. Because they differ from ordinary computers, malware can detect their presence and change their behavior. Some solutions go to great lengths to attempt to hide the fact that they are not real computers, but they cannot be perfect and are often playing a game of catch-up to keep up with the latest evasion techniques. With Binary Guard's TBMTM Sandboxes, there is nothing to hide because our sandboxes are real computers.

It only takes one sophisticated malware to sneak past your defenses to wreak havoc. Don't settle for false negatives. Add TBMTM Cloud Sandbox to your malware analysis arsenal.

Ease of use

TBMTM Cloud Sandbox is very easy to use. Simply log in to our web portal and upload your sample to be analyzed. A report will be ready within minutes.

Need to automate? We've got you covered. Our REST API allows you to submit samples for processing and retrieve the same data seen in the interactive reports (see below) in easily parsed JSON.


  • Absolute immunity to all known and unknown anti-VM and anti-emulation techniques
  • Easy to use: Just upload a sample via the web portal or REST API
  • Fast: Reports are available within minutes
  • Efficient: bare-metal analysis without rebuilding your sandbox between each analysis
  • Support for numerous file types:
    • Windows executables
    • Microsoft Office (Word, Excel, PowerPoint, Access, Outlook, etc...)
    • PDFs
    • JARs
    • VBEs
    • Media files (images, audio, videos)
    • HTML
    • JScript
    • URLs
    • and more!
  • Advanced options let you fine-tune your analysis session (session duration, applications launched, etc...)
  • Custom Windows sandbox images to match your target environment
  • Interactive web reports (see below for more details)
  • Survives system reboots

Interactive Reports

TBMTM Cloud Sandbox's comprehensive, interactive reports provide the most important information up front so you don't have to dig through pages of data to find the data you are looking for. But detail is important too, so we made very detailed data easily accessible through interactive expansions and searches. Here are some highlights from our reports.


Our large and growing database of indicators contains signatures of suspicious and malicious behaviors that we automatically detect, score, and categorize into a single view for quick triage. We add new indicators almost daily.

API Hooks

Zero in on API hooks down to the trampoline and detour. You can even download the injected code and load it right into your favorite disassembler.


We include process information based on both dynamic and static analysis. Interactive process trees allow you to navigate through all processes that ran during the analysis session. See threads created, registry accesses, DLLs loaded, and files accessed without having to jump into another view.


See a list of every file accessed during the session. Files can be downloaded and viewed. For PEs created by the sample, we also provide YARA and static analyses.


View and search all registry accesses and modifications.


We take screenshots so you can see if the malware did anything visible to the user.


A high-level network activity report includes a list of URLs visited, hosts/domains contacted, and a list of all connections and open ports. Network indicators highlight especially suspicious activity like downloads of executables and use of Domain Generation Algorithms (DGAs). If you want even more detail, download a PCAP file of the analysis session.


Each report also includes static analysis to provide a well-rounded analysis of the sample.

File Explorer

View or download every file created or deleted by the sample. Download other ancillary files such as PCAPs.


See all device drivers loaded in one view.

A Version for Every Use Case

Whether you are a hobbyist researcher, a Managed Security Service Provider (MSSP), or something in between, there is a version of TBM Cloud Sandbox for you.
Feature TBM Basic BETA TBM Pro TBM Corporate
Analyze files (executables, documents, etc.) Yes Yes Yes
Support for compressed/passworded files Yes Yes Yes
Analyze URLs for drive-by attacks Yes Yes Yes
Easy-to-understand Indicators Limited Yes Yes
Video of session Yes Yes Yes
Screenshots Yes Yes Yes
Interactive tree of sample-related processes Yes Yes Yes
Static analysis on the sample analyzed Yes Yes Yes
Network activity report Yes Yes Yes
Machine-learning maliciousness score - Yes Yes
Private submissions - Yes Yes
Configurable analysis duration - Yes Yes
Download/view dropped/deleted files - Yes Yes
Static analysis on dropped/deleted files - Yes Yes
List of running processes - Yes Yes
Process injection report - Yes Yes
Mutant report - Yes Yes
Network ports opened - Yes Yes
Downloadable PCAP - Yes Yes
Searchable/sortable list of all registry actions - Yes Yes
Searchable/sortable list of all filesystem actions - Yes Yes
Device driver report - Yes Yes
Change or disable Internet connectivity - Yes Yes
REST API - - Yes
Custom OS images - - Yes
Multiple user accounts - - Yes
Customizable interface branding - - Yes
Terms of Service Non-commercial use only Conditional commercial use1 Unlimited commercial use
Support Email Email Priority Phone/Email
Pricing Free (register now) Contact us or
request free trial
Contact us or
request free trial
1 Requires that you visibly indicate that your service/product/project is powered by TBMTM. Monthly volumes are limited. Contact us for more details.

Get started!

Register for a free TBM Basic account now or request a trial of TBM Pro or TBM Corporate.