The Return of MCAP: Malware Analysis Built for SLTT Members

Malware remains one of the most persistent threats facing U.S. State, Local, Tribal, and Territorial (SLTT) government organizations. Security teams are routinely asked to assess suspicious files and URLs and determine whether they pose real risk to their environments — often under time pressure and with limited resources.

At the same time, malware analysis can be difficult to perform safely in public sector settings. Manual workflows, specialized expertise requirements, and strict data handling considerations can slow investigations and complicate response efforts.

For many members of the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), the Malicious Code Analysis Platform, or MCAP, helped address those challenges. Based on continued member feedback and operational need, the Center for Internet Security® (CIS®) has reintroduced MCAP as a CIS‑delivered capability designed specifically to support U.S. SLTT organizations today.

Addressing Malware Analysis Challenges in the Public Sector

Traditional malware analysis often requires analysts to manually execute files in isolated environments, gather indicators from multiple tools, and correlate activity to understand what occurred. These steps take time and can introduce risk if processes are rushed or incomplete.

Public sector teams must do this work while maintaining control over sensitive data and meeting governance and compliance requirements. For many organizations, that balance between speed, insight, and data protection is one of the hardest parts of malware analysis.

MCAP was designed to support that balance.

What MCAP Is and How It Supports SLTT Teams

MCAP is a web‑based sandbox that allows MS‑ISAC members to submit suspicious files and URLs for analysis in a controlled environment. Using Cisco Secure Malware Analytics, the platform observes how a sample behaves during execution and captures key activity that helps teams understand potential impact.

The analysis is automated, but the output is designed for practical use. Reports focus on observable behavior and indicators that support triage and response decisions without requiring teams to manually piece together context across multiple tools.

Learn more about MCAP’s capabilities and availability on the MCAP service page.

Clear Insight Without Giving Up Control

One of the most important aspects of MCAP is that members remain in control of their own data.

Organizations retain ownership of their submissions and can delete samples at any time. Using MCAP does not require sharing sensitive files beyond what members choose to submit, and it does not remove visibility into how data is handled. This approach allows teams to gain meaningful insight into suspicious files and URLs while maintaining governance, privacy, and trust.

Additional information about data handling, submission control, and privacy protections is addressed in the MCAP FAQs.

What Teams Gain From Using MCAP

In practice, MCAP provides teams with a secure and efficient way to investigate potential malware and support faster triage decisions.

Members can submit suspicious files and URLs and receive reports that highlight activity such as:

  • Process execution and behavior
  • File modifications and dropped artifacts
  • Registry and persistence activity
  • Network connections and traffic

These insights help teams validate incidents, determine whether escalation is needed, and prioritize response actions with greater confidence.

Curious to see how? Take a look at our sample MCAP report below.

[Image: sample MCAP report]

Supporting Shared Defense Without Exposing Sensitive Data

While members retain control over their own submissions, MCAP also supports Collective Cyber Defense across the MS‑ISAC community.

Anonymized intelligence derived from file and URL analysis contributes to broader cyber threat awareness without exposing member data. This approach strengthens detection and response capabilities across the community while preserving privacy and trust at the individual organization level.

This balance reflects CIS’s mission to support collaboration while respecting the operational realities of public sector environments.

Backed by CIS Operational Expertise

MCAP is supported by experts from the Cyber Threat Intelligence (CTI) team and the Cyber Incident Response Team (CIRT). In addition to automated analysis, members can request assistance interpreting reports or conducting deeper analysis when needed.

This combination of automation and human expertise helps ensure teams are not left to navigate complex findings on their own, particularly during active incidents.

Who MCAP Is Designed to Support

MCAP is intended for security operations teams, IT staff, incident responders, and analysts responsible for investigating suspicious activity and supporting response efforts.

Common use cases include analyzing phishing attachments, investigating suspicious URLs, validating alerts, and confirming whether an incident requires escalation. MCAP fits naturally into workflows where teams need timely insight without compromising control or trust.

A Community‑Driven Capability

MCAP’s return reflects continued collaboration between CIS and the MS‑ISAC community, with member input playing a key role in bringing this capability back in a form aligned to current U.S. SLTT needs.

MCAP is available now to U.S. SLTT MS‑ISAC members.

Interested in requesting access?

As of June 23, 2025, the MS-ISAC has introduced a fee-based membership. Any potential reference to no-cost MS-ISAC services no longer applies.