AERIE
threat hunting from Hawk Eye
The Complete User Manual

Welcome to the Hawk Eye Family

Everything you need to hunt threats, understand what they do, build living detection, and put your security tools to the test — together.

A word from the creator

Why I built Aerie

I've spent years living in the world of malware analysis, endpoint defence, and the endless back-and-forth of "is this thing actually dangerous?" And along the way I kept running into the same wall: the tools were scattered, the answers were noisy, and the whole thing felt like a solo grind. You'd paste a hash into one site, a URL into another, squint at fifty conflicting labels, and still not have a clear answer — let alone a way to act on it or share it with the people next to you.

I built Aerie to fix that. I wanted a place where you drop in a file, a link, or a hash and get one clear, plain-English answer — is it a threat, what does it do, and do you need to look closer. I wanted the behavioural side, the "what does this actually do on a machine," to be front and centre and readable, not buried in a wall of JSON. And I wanted testing your security products to feel like a team sport instead of a lonely spreadsheet.

Most of all, I wanted threat hunting and AV testing to be three things they rarely are: easier, more collaborative, and honestly — more fun. That's the whole idea behind Hawk Eye. If Aerie saves you time, sharpens a verdict, or makes a hunt feel a little more like the craft it should be, then it's doing its job.

So welcome. You're part of the family now. Go hunt something.

Boris Vasilev signature
Boris Vasilev
Founder & builder, Hawk Eye Analysis

01Getting started

Aerie runs entirely in your browser — there's nothing to install. Everything works on desktop and mobile.

Create your account

  1. Open the Aerie login page and choose Create account.
  2. Pick a display name and a password. Your password is stored only as an irreversible cryptographic hash — it can never be read back, even by us.
  3. The very first account created on a fresh instance becomes the administrator. Everyone after that is a standard hunter with full access to analysis, feeds, watchlists, rules, and testing.
  4. You'll land on your Deck — your home base.
Tip: Sessions stay signed in for a week. Use the Sign out button in the top bar when you're on a shared machine.

02The interface at a glance

Aerie has a consistent layout on every page: a top bar, a navigation rail, and the main workspace.

Top barYour hawk brand (click it to return to the Deck), a live Scans icon, your role and name, and Sign out.
The Scans iconTop-right. Shows a badge count and a spinning ring whenever an analysis is running. Click it for a popover tracking every scan with live progress — even across page changes.
Navigation railDeck · Phishing · Malware · Checks · Watchlist · Rules · Solutions · Testing · Settings. Each has its own animated icon.
WorkspaceWhere reports, feeds, and tools render. Most lists have a search box, a sort dropdown, and filter chips.
PageWhat it's for
DeckYour landing page and quick jumping-off point.
PhishingA live, continuously-updated feed of phishing URLs.
MalwareRecent confirmed malware samples and malicious URLs, filterable by file type.
ChecksThe heart of Aerie — analyse any indicator and see the full report.
WatchlistIndicators you've pinned for automatic re-checking.
RulesThe Helios behavioural rule database (HNP:BS signatures).
SolutionsThe catalog of security products you can line up for testing.
TestingCollaborative AV-testing campaigns.
SettingsYour access key, password, and account.

03Settings & your access key

To unlock the deepest analysis — full multi-engine detections and the behavioural report — Aerie uses a personal analysis key that you provide. It's the one piece of setup worth doing first.

Adding your analysis key

  1. Get a free VirusTotal API key by registering at virustotal.com and copying the key from your profile.
  2. In Aerie, open Settings and paste your key into the analysis-key field, then save.
  3. That's it. Your key lives only in your own browser and is sent along transiently, only on the requests that need it — it is never stored on our side.
🔑
What the key unlocks: engine-by-engine detections, family identification, and the rich behavioural report. Without it, Aerie still works — you'll get feed data, community and curated matches, and sandbox detonation — but the engine detail will be limited.

Account management

04Analysing an indicator

This is the core of Aerie. Head to Checks, and you can analyse any of:

A URL A domain An IP address A file (upload) A hash (SHA-256 / SHA-1 / MD5)

Aerie auto-detects what you've pasted and shows the type. Press Analyse and it runs everything at once.

One button, the whole picture

The single Analyse action replaces the old "check it" and "detonate it" split. When you analyse a hash or a URL, Aerie simultaneously:

Shortcut: On the Phishing and Malware feeds, every row has a Check button and clicking a row opens its details — you never have to copy-paste an indicator out of a feed.

Live progress

Detonation and deep analysis take a little time. Aerie shows a live progress ring right in the report with the current stage ("Detonating in sandbox", "Analysing"), elapsed time, and your position in the queue. It never sits frozen, and if the connection blips it reconnects automatically. If you close the view mid-run, the analysis keeps going — you'll find it in your Scans popover and in Recent checks, and reopening it resumes the live view.

05Reading the verdict

Every report opens with a threat ring — a 0-to-100 score — and a headline verdict. Here's what each verdict means:

Malicious Suspicious PUA No threat Unknown Analysing…
VerdictMeaning
MaliciousThe evidence is strong. When it's marked final, no further checks are needed.
SuspiciousSomething's off, but it isn't conclusive on its own. Worth a closer look or a detonation.
PUAPotentially unwanted — adware, bundlers, and grey-area software rather than outright malware.
No threatNothing malicious found across the sources consulted.
UnknownToo little information to decide — often a brand-new or never-seen indicator.
Analysing…A detonation or deep scan is still in flight; the verdict will firm up when it lands.

Alongside the verdict you'll see a confidence percentage — how sure Aerie is — and, where known, the malware family.

06The Aerie interpretation

This is what sets Aerie apart. Rather than dumping raw detections on you, Aerie reasons about them and explains itself in plain language.

The panel gives you:

  • A verdict and confidence — weighed across every source, not a raw count.
  • A plain-English summary — what this thing appears to be and why.
  • A recommendation — whether it's settled or worth confirming.
  • The reasons — the specific evidence, spelled out: which reputable engines named a family, whether the behaviour itself is damning, whether independent sandboxes agree, and any disagreements worth knowing about.

How it weighs the evidence

Aerie treats sources with the nuance they deserve. A wall of low-quality detections doesn't move it much; a couple of top-tier engines, or unmistakable behavioural tradecraft, does. Some highlights of its judgement:

The "why" is the point. If you only read one part of a report, read the interpretation. It's designed so you can act with confidence in seconds.

07Understanding the sources

Under the verdict, each source card shows one opinion. Green means it flagged something, grey means clean or not seen, and an animated pulse means it's still working. Here's who's in the room:

SourceWhat it contributes
Multi-engine reputationVerdicts from a large panel of reputable security engines, with per-engine detail and family names.
Detonation sandboxRuns the sample or URL in an isolated environment and reports how it behaves. The "Open full report" link takes you to the sandbox's own detailed page.
Second sandboxAn independent behavioural verdict and threat score, used as corroboration.
Community malware repositoryWhether a matching sample has been shared by the wider community — a real signal, treated cautiously.
Curated threat-intel feedsWhether the indicator appears in vetted lists of known-malicious URLs, domains, and IPs.
Helios Behavioural RulesWhether the indicator matches a signature Aerie built from your own past analyses. (More in section 12.)

A source card may also say unavailable (that source doesn't apply to this indicator type) or error (it couldn't be reached this time) — Aerie always tells you which, rather than silently pretending everything's clean.

08The behavioural report

When a sample has been detonated, Aerie renders a full behavioural report — the story of what it did — split into clear, scrollable sections.

Network activity

Host activity

Sandbox signatures & MITRE ATT&CK

Below the raw activity, Aerie lists the behavioural signatures the sandbox matched (e.g. "executes direct syscalls to evade security tooling") and maps the sample's techniques onto the MITRE ATT&CK framework. Each technique shows its official name and tactic and links straight to the ATT&CK page, so you can go from "what it did" to "what that's called" in one click.

Every box scrolls. Long lists — dozens of dropped files, hundreds of registry keys — stay tidy inside their own scrollable panels with a branded scrollbar, so the report never becomes an endless wall.

09Report actions toolbar

At the top of every report sits a toolbar. The buttons that appear depend on what the report contains.

Export JSONThe complete report as a data file — perfect for feeding into your own tooling or sending to me to interpret.
Export PDFA clean, printable report with the verdict, sources, detections, and behavioural report — great for records or handing to a colleague.
Share linkCreates a read-only link to the report and copies it to your clipboard. Anyone with the link can view it — no account needed — and it expires after 90 days.
WatchAdds the indicator to your Watchlist for automatic re-checking (section 11).
EnrichFor URLs, domains, and IPs: pulls registration age, registrar, hosting/ASN, and certificate history. A domain registered in the last month is a loud phishing signal — and Aerie flags it.
PivotTakes the observed infrastructure and searches the threat feeds for related campaigns. Each related indicator is one click away from its own analysis — one sample becomes a cluster.
Enrich for triage: when you're staring at a suspected phishing domain, Enrich first. Domain age alone often settles it.

10Detection & removal generation

When a report has behavioural data, three more buttons appear — turning analysis into something you can deploy.

Sigma & YARA rules

One click each generates a ready-to-tune Sigma detection rule (built from the network, file, and registry indicators) and a YARA rule (built from strings and infrastructure). Both open in a copyable, downloadable panel.

Always review generated rules before deploying them to production. They're an excellent starting point, not a finished detection — validate against known-good data to avoid false positives.

PowerShell removal script

For a malicious sample, Aerie generates a remediation script that removes what the malware did on a machine:

Paths are automatically made portable — sandbox environment variables and user placeholders are resolved to their live equivalents, so the script works on a real machine and against any user account rather than only the one the sample happened to run under.

Read every line first. The script is built to require administrator rights and is meant for an isolated incident-response context. Understand what each command does before you run it — remediation scripts are powerful by design.

11The Watchlist

Some verdicts aren't final — a fresh sample might be clean today and flagged next week. The Watchlist turns Aerie from a lookup tool into a monitoring one.

  1. Hit Watch on any report, or add an indicator directly from the Watchlist page.
  2. Aerie re-checks watched items automatically on a schedule, keeping a full history of every verdict over time.
  3. When a verdict changes, the item is flagged — it floats to the top with a "changed" badge, so you never have to keep looking.
  4. Open a flagged item to see the latest report, Acknowledge the change to clear the flag, or Stop watching to remove it.
The natural home for "check again later." Any time a report says a verdict is borderline, Watch it — Aerie will do the re-checking for you and shout when something moves.

12Behavioural Rules — the Helios ruleset

This is Aerie's living memory. Whenever you analyse something and its behaviour is judged malicious, Aerie automatically distils it into a permanent behavioural signature and stores it. Each one gets a stable identifier:

HNP:BS!000123

Helios Nano Power · Behavioural System · sequential ID

What a rule captures

Each signature records the threat's C2 domains and IPs, dropped and written files, registry persistence, mutexes and services, MITRE techniques, and the file's metadata — along with the interpreter's plain-English summary of why it's malicious. Everyday benign infrastructure is filtered out, so a rule only contains signal, never noise.

It gets smarter with every hunt

Managing the ruleset

The Rules page lists every signature, searchable and filterable by severity. Open one to see all its indicators grouped, its MITRE techniques with links, hit count, and provenance. From there you can export it as JSON or a Sigma rule, disable it (keeps it but stops it matching), or delete it.

13Live threat feeds

Aerie keeps continuously-updated feeds so you're always hunting today's threats. All three support search, sorting, and source/type filters, and every entry is one click from a full analysis.

Phishing

A live, de-duplicated stream of phishing URLs pulled from several reputable sources and merged so no single source dominates — the freshest indicators surface at the top.

Malware URLs

Malicious URLs split into Phishing and Malware-distribution divisions, sorted newest-first.

Malware samples

Recent confirmed malware, filterable by file type: Executables, Documents, Scripts, Archives, Linux, Android, macOS, and Web/email. Choosing a category pulls real, current samples of that type — so "Documents" gives you genuine document-borne malware, not whatever happened to be in the last batch. Each sample can be looked up, detonated, downloaded, or added to a test basket.

Live malware is live. Downloaded samples are real and dangerous. Only handle them in an isolated, non-production environment, and treat every file with the appropriate caution.

14AV testing & campaigns

This is where Aerie turns testing your security products into a team sport. A campaign lets you line up a set of samples and record, side by side, exactly what each product caught.

Building a test set — the basket

As you browse the malware feed or analyse samples, add the interesting ones to your test basket with "I will use this for the test." When you're ready, start a campaign from the basket in one step.

Running a campaign

  1. Create the campaign and give it a name. You become its lead.
  2. Add samples — from your basket or by pasting hashes.
  3. Invite the team. Other hunters can join; as lead you approve who participates. (Leads and admins are auto-approved, and can test alongside everyone.)
  4. Everyone records their verdicts — each participant marks, for each sample, whether their product detected it.
  5. Read the matrix. Aerie lays out a side-by-side comparison so you can see at a glance which product caught what.

As lead you can manage participants, remove samples, and open or close the campaign. It's the difference between a lonely spreadsheet and a shared, living scoreboard.

15The solutions catalog

The Solutions page is a catalog of security products — the contenders you can line up in a campaign. Browse and filter the built-in list, and add your own products if something you test isn't there yet. It keeps your testing consistent: everyone's comparing the same named solutions.

16History & sharing

Recent checks

Everything you analyse is saved to your account and stays there across sessions, on the Checks page. Search it, sort it (newest, highest threat, name), and filter by verdict. A still-running detonation shows as Analysing… — click it and the live view resumes exactly where it left off, even after a page reload.

Sharing a finding

Use Share link on any report for a clean, read-only page anyone can open without an account. It shows the full report — verdict, sources, and behaviour — with the interactive controls stripped, and expires automatically. Perfect for "look at this" without exporting a file.

17Best practices & safety

  • Add your analysis key first. It unlocks the detections and behaviour that make everything else sing.
  • Read the interpretation before the raw data. It's the fastest path to a confident decision.
  • Trust behaviour over a thin verdict. Injection, evasion, and persistence are hard to fake — a clean sandbox next to that pattern usually means the sample dodged analysis.
  • Enrich suspected phishing early. Domain age is one of the strongest quick signals there is.
  • Watch the borderline ones. Let Aerie do the re-checking instead of setting a reminder.
  • Handle live samples only in isolation. Downloaded malware is real; treat it that way.
  • Review generated rules and scripts before deploying. They're a strong head start, not a finished artefact.

18Glossary

TermMeaning
Indicator (IOC)A piece of evidence you can check: a URL, domain, IP, file, or hash.
HashA fixed-length fingerprint of a file (SHA-256, SHA-1, or MD5). Two identical files share a hash.
DetonationRunning a sample in an isolated sandbox to observe its behaviour safely.
Behavioural reportThe record of what a sample did when detonated — network, files, registry, and more.
C2Command-and-control — the infrastructure malware calls home to.
PersistenceHow malware survives a reboot — commonly Run keys, scheduled tasks, or services.
MITRE ATT&CKA standard framework naming adversary techniques (e.g. T1055 Process Injection).
FamilyThe named malware strain a sample belongs to.
PUAPotentially unwanted application — adware and grey-area software.
Sigma / YARARule formats for detecting threats in logs (Sigma) and files (YARA).
HNP:BSHelios Nano Power · Behavioural System — Aerie's auto-generated behavioural rule namespace.