Everything you need to hunt threats, understand what they do, build living detection, and put your security tools to the test — together.
I've spent years living in the world of malware analysis, endpoint defence, and the endless back-and-forth of "is this thing actually dangerous?" And along the way I kept running into the same wall: the tools were scattered, the answers were noisy, and the whole thing felt like a solo grind. You'd paste a hash into one site, a URL into another, squint at fifty conflicting labels, and still not have a clear answer — let alone a way to act on it or share it with the people next to you.
I built Aerie to fix that. I wanted a place where you drop in a file, a link, or a hash and get one clear, plain-English answer — is it a threat, what does it do, and do you need to look closer. I wanted the behavioural side, the "what does this actually do on a machine," to be front and centre and readable, not buried in a wall of JSON. And I wanted testing your security products to feel like a team sport instead of a lonely spreadsheet.
Most of all, I wanted threat hunting and AV testing to be three things they rarely are: easier, more collaborative, and honestly — more fun. That's the whole idea behind Hawk Eye. If Aerie saves you time, sharpens a verdict, or makes a hunt feel a little more like the craft it should be, then it's doing its job.
So welcome. You're part of the family now. Go hunt something.
Aerie runs entirely in your browser — there's nothing to install. Everything works on desktop and mobile.
Aerie has a consistent layout on every page: a top bar, a navigation rail, and the main workspace.
| Page | What it's for |
|---|---|
| Deck | Your landing page and quick jumping-off point. |
| Phishing | A live, continuously-updated feed of phishing URLs. |
| Malware | Recent confirmed malware samples and malicious URLs, filterable by file type. |
| Checks | The heart of Aerie — analyse any indicator and see the full report. |
| Watchlist | Indicators you've pinned for automatic re-checking. |
| Rules | The Helios behavioural rule database (HNP:BS signatures). |
| Solutions | The catalog of security products you can line up for testing. |
| Testing | Collaborative AV-testing campaigns. |
| Settings | Your access key, password, and account. |
To unlock the deepest analysis — full multi-engine detections and the behavioural report — Aerie uses a personal analysis key that you provide. It's the one piece of setup worth doing first.
This is the core of Aerie. Head to Checks, and you can analyse any of:
Aerie auto-detects what you've pasted and shows the type. Press Analyse and it runs everything at once.
The single Analyse action replaces the old "check it" and "detonate it" split. When you analyse a hash or a URL, Aerie simultaneously:
Detonation and deep analysis take a little time. Aerie shows a live progress ring right in the report with the current stage ("Detonating in sandbox", "Analysing"), elapsed time, and your position in the queue. It never sits frozen, and if the connection blips it reconnects automatically. If you close the view mid-run, the analysis keeps going — you'll find it in your Scans popover and in Recent checks, and reopening it resumes the live view.
Every report opens with a threat ring — a 0-to-100 score — and a headline verdict. Here's what each verdict means:
| Verdict | Meaning |
|---|---|
| Malicious | The evidence is strong. When it's marked final, no further checks are needed. |
| Suspicious | Something's off, but it isn't conclusive on its own. Worth a closer look or a detonation. |
| PUA | Potentially unwanted — adware, bundlers, and grey-area software rather than outright malware. |
| No threat | Nothing malicious found across the sources consulted. |
| Unknown | Too little information to decide — often a brand-new or never-seen indicator. |
| Analysing… | A detonation or deep scan is still in flight; the verdict will firm up when it lands. |
Alongside the verdict you'll see a confidence percentage — how sure Aerie is — and, where known, the malware family.
This is what sets Aerie apart. Rather than dumping raw detections on you, Aerie reasons about them and explains itself in plain language.
Aerie treats sources with the nuance they deserve. A wall of low-quality detections doesn't move it much; a couple of top-tier engines, or unmistakable behavioural tradecraft, does. Some highlights of its judgement:
Under the verdict, each source card shows one opinion. Green means it flagged something, grey means clean or not seen, and an animated pulse means it's still working. Here's who's in the room:
| Source | What it contributes |
|---|---|
| Multi-engine reputation | Verdicts from a large panel of reputable security engines, with per-engine detail and family names. |
| Detonation sandbox | Runs the sample or URL in an isolated environment and reports how it behaves. The "Open full report" link takes you to the sandbox's own detailed page. |
| Second sandbox | An independent behavioural verdict and threat score, used as corroboration. |
| Community malware repository | Whether a matching sample has been shared by the wider community — a real signal, treated cautiously. |
| Curated threat-intel feeds | Whether the indicator appears in vetted lists of known-malicious URLs, domains, and IPs. |
| Helios Behavioural Rules | Whether the indicator matches a signature Aerie built from your own past analyses. (More in section 12.) |
A source card may also say unavailable (that source doesn't apply to this indicator type) or error (it couldn't be reached this time) — Aerie always tells you which, rather than silently pretending everything's clean.
When a sample has been detonated, Aerie renders a full behavioural report — the story of what it did — split into clear, scrollable sections.
Below the raw activity, Aerie lists the behavioural signatures the sandbox matched (e.g. "executes direct syscalls to evade security tooling") and maps the sample's techniques onto the MITRE ATT&CK framework. Each technique shows its official name and tactic and links straight to the ATT&CK page, so you can go from "what it did" to "what that's called" in one click.
At the top of every report sits a toolbar. The buttons that appear depend on what the report contains.
When a report has behavioural data, three more buttons appear — turning analysis into something you can deploy.
One click each generates a ready-to-tune Sigma detection rule (built from the network, file, and registry indicators) and a YARA rule (built from strings and infrastructure). Both open in a copyable, downloadable panel.
For a malicious sample, Aerie generates a remediation script that removes what the malware did on a machine:
Paths are automatically made portable — sandbox environment variables and user placeholders are resolved to their live equivalents, so the script works on a real machine and against any user account rather than only the one the sample happened to run under.
Some verdicts aren't final — a fresh sample might be clean today and flagged next week. The Watchlist turns Aerie from a lookup tool into a monitoring one.
This is Aerie's living memory. Whenever you analyse something and its behaviour is judged malicious, Aerie automatically distils it into a permanent behavioural signature and stores it. Each one gets a stable identifier:
HNP:BS!000123
Helios Nano Power · Behavioural System · sequential ID
Each signature records the threat's C2 domains and IPs, dropped and written files, registry persistence, mutexes and services, MITRE techniques, and the file's metadata — along with the interpreter's plain-English summary of why it's malicious. Everyday benign infrastructure is filtered out, so a rule only contains signal, never noise.
The Rules page lists every signature, searchable and filterable by severity. Open one to see all its indicators grouped, its MITRE techniques with links, hit count, and provenance. From there you can export it as JSON or a Sigma rule, disable it (keeps it but stops it matching), or delete it.
Aerie keeps continuously-updated feeds so you're always hunting today's threats. All three support search, sorting, and source/type filters, and every entry is one click from a full analysis.
A live, de-duplicated stream of phishing URLs pulled from several reputable sources and merged so no single source dominates — the freshest indicators surface at the top.
Malicious URLs split into Phishing and Malware-distribution divisions, sorted newest-first.
Recent confirmed malware, filterable by file type: Executables, Documents, Scripts, Archives, Linux, Android, macOS, and Web/email. Choosing a category pulls real, current samples of that type — so "Documents" gives you genuine document-borne malware, not whatever happened to be in the last batch. Each sample can be looked up, detonated, downloaded, or added to a test basket.
This is where Aerie turns testing your security products into a team sport. A campaign lets you line up a set of samples and record, side by side, exactly what each product caught.
As you browse the malware feed or analyse samples, add the interesting ones to your test basket with "I will use this for the test." When you're ready, start a campaign from the basket in one step.
As lead you can manage participants, remove samples, and open or close the campaign. It's the difference between a lonely spreadsheet and a shared, living scoreboard.
The Solutions page is a catalog of security products — the contenders you can line up in a campaign. Browse and filter the built-in list, and add your own products if something you test isn't there yet. It keeps your testing consistent: everyone's comparing the same named solutions.
Everything you analyse is saved to your account and stays there across sessions, on the Checks page. Search it, sort it (newest, highest threat, name), and filter by verdict. A still-running detonation shows as Analysing… — click it and the live view resumes exactly where it left off, even after a page reload.
Use Share link on any report for a clean, read-only page anyone can open without an account. It shows the full report — verdict, sources, and behaviour — with the interactive controls stripped, and expires automatically. Perfect for "look at this" without exporting a file.
| Term | Meaning |
|---|---|
| Indicator (IOC) | A piece of evidence you can check: a URL, domain, IP, file, or hash. |
| Hash | A fixed-length fingerprint of a file (SHA-256, SHA-1, or MD5). Two identical files share a hash. |
| Detonation | Running a sample in an isolated sandbox to observe its behaviour safely. |
| Behavioural report | The record of what a sample did when detonated — network, files, registry, and more. |
| C2 | Command-and-control — the infrastructure malware calls home to. |
| Persistence | How malware survives a reboot — commonly Run keys, scheduled tasks, or services. |
| MITRE ATT&CK | A standard framework naming adversary techniques (e.g. T1055 Process Injection). |
| Family | The named malware strain a sample belongs to. |
| PUA | Potentially unwanted application — adware and grey-area software. |
| Sigma / YARA | Rule formats for detecting threats in logs (Sigma) and files (YARA). |
| HNP:BS | Helios Nano Power · Behavioural System — Aerie's auto-generated behavioural rule namespace. |