Cuckoo Sandbox

What is Cuckoo Sandbox?

In three words, Cuckoo Sandbox is a malware analysis system.

What does that mean? It simply means that you can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.

Why should you use it?

Malware is the swiss-army knife of cybercriminals and any other adversary to your corporation or organization.

In these evolving times, detecting and removing malware artifacts is not enough: it's vitally important to understand how they work and what they would do/did on your systems when deployed and understand the context, the motivations and the goals of a breach.

In this way you are able to more effectively understand the incident, respond to it and protect yourself for the future.

There are infinite other contexts where you might need to deploy a sandbox internally, from analyzing an internal breach to proactively scouting wildly distributed threats, collect actionable data and analyzing the ones actively targeting your infrastructure or products.

In any of these cases you'll find Cuckoo to be perfectly suitable, incredibly customizable and well... free!

What does it produce?

Cuckoo generates a handful of different raw data which include:

  • Native functions and Windows API calls traces
  • Copies of files created and deleted from the filesystem
  • Dump of the memory of the selected process
  • Full memory dump of the analysis machine
  • Screenshots of the desktop during the execution of the malware analysis
  • Network dump generated by the machine used for the analysis

In order to make such results more consumable to the end users, Cuckoo is able to process them and generate different type of reports, which could include:

  • JSON report
  • HTML report
  • MAEC report
  • MongoDB interface
  • HPFeeds interface

Even more interestingly, thanks to Cuckoo's extensive modular design, you are able to customize both the processing and the reporting stages. Cuckoo provides you all the requirements to easily integrate the sandbox into your existing frameworks and storages with the data you want, in the way you want, with the format you want.

Following are a few videos exhibiting example executions of Cuckoo Sandbox for the different versions released so far.

The Cuckoo Sandbox Developers Team is an elite squad of selected hackers spending their nights drinking caffeine derivates, hacking the Gibson and committing code. For press purposes, a group picture is available here.

Claudio nex Guarnieri

Creator & Lead Developer

Claudio is our Willy Wonka, the undisputed dictator of the project. He writes code that doesn't work and he expects others to fix it. He also pretends to be doing something as a core member of The Honeynet Project and to be saving the world with The Shadowserver Foundation. He likes long walks on the beach, reading a good book and messing with cybercrooks.

Alessandro jekil Tanasi

Core Developer

Alessandro is our grumpy old master craftsman. He sleeps with a paper roll printout of our issue tracker and he's determined to keep our code decent. He created HostMap, contributes to sqlmap and runs SecDocs. He firmly believes that his death will be caused by an overdose of exception handling.

Jurriaan skier Bremer

Core Developer

Jurriaan is the youngest conscript of the group. He develops Cuckoo's Windows analysis core, dreams of JMPs and PUSH RETs and blogs about new ways of subverting systems. He can occasionally be found spreading terror with the rest of the De Eindbazen team. Rumours abound that he may have a girlfriend.

Mark rep Schloesser

Core Developer

Mark is our German coding machine. He sees the Matrix, he thinks it sucks and he's probably gonna re-implement it in Python. On his way to rewrite the world, he still fights for German hackers' supremacy with his team 0ldEur0pe. Also a core member of Honeynet. His motto is "less talk, more code".

Following are the experiences of companies and organizations actively adopting Cuckoo Sandbox. If you want to appear on this list please contact us!

Ever since VirusToal was created we wanted to have our own sandbox, we made a couple of attempts at this, including the creation of an in-house technology. When we heard about Cuckoo Sandbox we tried it out and we were delighted with the results, we no longer had to worry about API hooking, virtualization issues, sample queuing, report formatting, etc. It was time to focus on what really mattered, mining the behavioural information. Cuckoo is an amazingly polished solution, its code is clear and easy to follow and its analysis packages are awesome for customizing the dissection of certain malware families. We recommend Cuckoo to anyone intending to deploy their own sandboxing environment, there is no need to reinvent the wheel.

Emiliano Martinez, VirusTotal

THREAT STREAM provides cyber threat intelligence to large enterprise and government organizations. We have used many open source and commercial sandbox technologies and Cuckoo Sandbox with its active community and rapid development is simply the gold standard in dynamic malware analysis. We now use it exclusively for our sandbox farm, it's fast and very easy to add your own features.

Greg Martin, Threat Stream


In2sec is responsible for the security of thousands of companies, and malware is a reality in the day-by-day basis of our customers. Looking for a trust and solid platform to use as malware analysis sandbox, we've met Cuckoo. For sure it is the most interesting and complete interface to generate a quick and secure malware analysis and help us to understand better how to fight back, and improve security research in this field.

Anderson Tamborin, In2sec

A major part of the ITES Project includes the research of new system monitors to be used in a distributed environment to protect virtualized systems against malware attacks. Cuckoo Sandbox enables us to run thousands of malware samples each day to test our theories. This will finally lead us to a system where risky processes will run in virtual containers. Isolated from valuable data and closely monitored.

Thorsten Sick, ITES Project