Cybersecurity Researchers Set New Standards for Malware Sandbox Analysis to Boost Threat Intelligence Efficiency

Cybersecurity researchers find that 90% of threat intelligence is captured in the first 180 seconds of sandbox execution, optimizing resource use.

By: AXL Media

Published: Apr 25, 2026, 6:51 AM EDT

Source: Information for this report was sourced from EurekAlert!


The Pursuit of Optimal Malware Analysis Windows

Understanding the behavioral dynamics of cyber threats is essential for maintaining robust digital defenses in an increasingly complex landscape. For years, malware analysts have used sandbox environments (isolated virtual machines) to observe the execution of suspicious programs. However, the industry has historically relied on arbitrary, fixed execution times, which lead to one of two problems: critical adversarial behaviors are cut off before they appear, or resources are wasted on analyses that run far longer than necessary. Researchers from Nanjing University, Jiangsu University of Science and Technology, and Southeast University have now addressed this issue by quantifying the relationship between execution time and the quality of cyber threat intelligence (CTI).

Applying Extreme Value Theory to Threat Detection

To move beyond arbitrary thresholds, the research team introduced a novel empirical framework based on Extreme Value Theory (EVT). This statistical approach is typically used to understand rare but impactful events, making it a perfect fit for identifying the critical moments when malware reveals its most significant adversarial behaviors. By modeling the intelligence acquisition process through EVT, the team could dynamically predict the likelihood of gathering additional useful data as execution continues. This shift from preset intervals to a data-driven model provides a scientific foundation for the next generation of adaptive sandbox platforms.

Statistical Evidence for the Three-Minute Rule

The scale of the study provided a massive data foundation: 111,747 individual malware samples were analyzed. The researchers tracked a variety of metrics, including system calls, code execution blocks, and data entry access patterns, and mapped these behavioral traces onto the standardized MITRE ATT&CK framework. The results were remarkably consistent: over 90% of all useful intelligence is extracted within the first three minutes of a sample's execution. This finding challenges the need for extended sandbox runs, because the probability of acquiring new, unique threat intelligence diminishes rapidly after this initial window.
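The coverage curve the article describes can be computed directly from sandbox behavior traces. The following is an added example, not the study's code or data: it uses a handful of constructed traces (seconds since start, ATT&CK technique id) and measures what fraction of unique observations a run of a given length captures, how long a run must be to reach 90%, and how the yield of new observations falls off per minute.

```python
import math
from collections import Counter

# Constructed sandbox traces (not data from the study): for each sample, a list of
# (seconds since execution start, ATT&CK technique id) behavioural observations.
SAMPLE_TRACES = {
    "sample-A": [(2, "T1055"), (5, "T1082"), (9, "T1082"), (40, "T1071"),
                 (130, "T1486"), (400, "T1071")],
    "sample-B": [(1, "T1082"), (12, "T1547"), (60, "T1071"), (170, "T1105"),
                 (500, "T1027")],
    "sample-C": [(3, "T1082"), (8, "T1059"), (25, "T1071"), (95, "T1070"),
                 (240, "T1497")],
    "sample-D": [(4, "T1082"), (6, "T1059"), (20, "T1055"), (77, "T1071"),
                 (150, "T1486"), (175, "T1105")],
}


def first_seen(trace):
    """Map each technique to the first time it was observed; repeats add no intelligence."""
    seen = {}
    for t, tech in sorted(trace):
        seen.setdefault(tech, t)
    return seen


def first_seen_times(traces):
    """All first-observation times across samples; each is one unit of unique intelligence."""
    return sorted(t for trace in traces.values() for t in first_seen(trace).values())


def coverage_at(traces, horizon):
    """Fraction of unique intelligence already captured when the run is cut at `horizon` seconds."""
    times = first_seen_times(traces)
    return sum(1 for t in times if t <= horizon) / len(times)


def time_to_coverage(traces, target=0.9):
    """Shortest run length that captures at least `target` of the unique intelligence."""
    times = first_seen_times(traces)
    needed = math.ceil(target * len(times))
    return times[needed - 1]


def marginal_yield(traces, window=60, max_time=600):
    """New observations per `window`-second slice: the diminishing-returns curve."""
    counts = Counter(t // window for t in first_seen_times(traces) if t < max_time)
    return [counts.get(i, 0) for i in range(max_time // window)]


if __name__ == "__main__":
    print(f"coverage at 180 s: {coverage_at(SAMPLE_TRACES, 180):.2f}")
    print(f"seconds to 90% coverage: {time_to_coverage(SAMPLE_TRACES)}")
    print(f"new observations per minute: {marginal_yield(SAMPLE_TRACES)}")
```

On real sandbox output the same functions give an empirical basis for choosing a cut-off per malware family rather than a single fixed timer.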
