The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

PolySwarm engine spotlight: researcher-driven engines detecting new and emergent malware

Mar 30, 2020 1:18:27 PM / by PolySwarm Tech Team


To put it simply, there are some really cool threat detection technologies on the PolySwarm marketplace. As a recap, here at PolySwarm, we aggregate research-driven threat detection engines---both from AV companies and individual, specialized security experts---that compete in real-time to detect threats. Enterprises and individuals using PolySwarm benefit from deeper coverage of the malware landscape and unique threat intelligence from this aggregated network of engines. 

In addition to engaging with large, established anti-malware brands and products, we’ve made it easy for security experts and small teams to protect enterprises by codifying novel detection techniques as a PolySwarm engine. 

When engaging with the research community, we look for engines that are: 

  • Specialized, offering unique insight to particular malware types or families, for example by detecting malware on less-covered platforms like Android or macOS or detecting fast-moving target families like Emotet. 
  • R&D focused, nimble & quick to adapt to changes in the threat landscape.
  • First to detect previously unknown malware.

Today, there are nearly 40 microengines operating in PolySwarm. Below are a handful of PolySwarm engines that are employing novel detection techniques to identify malware early (and in some cases first) and that operate on the edge of what is traditionally detected by anti-malware solutions.

Concinnity Risks


Engine Name: Concinnity

Country: UK

Specialty: any file

Why it’s cool: Concinnity produces risk metrics for cyber insurance and underwriter companies in an innovative way--by tracking cryptocurrency addresses used for collecting illegally obtained funds, e.g. ransomware payment addresses.

What it’s doing on PolySwarm: The appearance of a cryptocurrency address used for illegal gain in a suspect artifact is a strong signal that the artifact is malicious. It’s likely that the artifact in question is ransomware, a phish or something similar. No engine on VirusTotal is focused on detecting malintent via this insight.



Engine Name: IRIS-H

Country: Ireland

Specialty: Microsoft Office, Open Office and PDF files

Why it’s cool: IRIS-H employs custom file format parsers that break supported files (Office, PDF) down into component parts and then conducts innovative constrained dynamic analysis over executable code found in those parts.

IRIS-H detected previously unknown malware inside of a Microsoft Excel file. They were the first to detect it on PolySwarm and it took about a week before any engines detected it on VirusTotal.

(Android) Judge


Engine Name: Judge

Country: US

Specialty: Android apps

Why it’s cool: Android Judge uses machine learning and advanced feature extraction including compiler fingerprinting to identify Android malware. 

Founder: Caleb Fenton, Head of Innovation at SentinelOne

(This engine is part of polyX, a free community that gives members the ability to collaborate, access malware samples and test new detection techniques. Join at


Ready to start consuming threat intel from the research-driven engines in PolySwarm?

Contact us here to start a free trial or get set up with a demo. 


Topics: PolySwarm, Product, Research, Partner

PolySwarm Tech Team

Written by PolySwarm Tech Team

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts