What technique involves running untrusted code in an isolated environment to observe behavior safely?


Multiple Choice

What technique involves running untrusted code in an isolated environment to observe behavior safely?

Explanation:
Sandboxing is the technique of running untrusted code in an isolated environment to observe its behavior safely. By placing the code inside a containment boundary, the sandbox restricts what it can access—filesystem, network, processes, and system calls—so it can run and be watched without risking the host system. This setup lets analysts observe exactly what the code tries to do, such as which files it touches, which network destinations it contacts, or what external resources it attempts to use, while ensuring any potentially harmful actions are contained. In security operations, this approach is ideal for safely analyzing suspicious binaries or scripts, or testing untrusted software.

Emulation focuses on mimicking a system or hardware to run code; it recreates a broader environment rather than providing strict isolation. Dynamic analysis involves observing behavior during execution, which can occur inside a sandbox but isn’t limited to isolation. Static analysis, by contrast, examines code without running it.
