Variants & Sightings

Variants and sightings are two foundational concepts in Stairwell. Variants reveal what else looks like this file, and sightings reveal where and when this file appeared. Together, they give analysts the context needed to move from a single indicator to a complete understanding of scope.

What Are Variants

A variant is another file that Stairwell has determined to be closely related to a given object. Relationships are identified through shared signatures, import table similarity, code reuse, and other proprietary heuristics powered by Stairwell's Mal-Eval technology.

Stairwell compares every ingested file -- good, bad, or unknown -- against a global repository of over 630 million objects. This analysis runs entirely out of band, benefiting from unlimited compute and storage rather than being constrained by endpoint resources.

How Variant Discovery Works

Malware authors regularly modify their tools through versioning, obfuscation, encryption, packing, polymorphic code, and junk insertion to evade signature-based detection. Traditional analysis requires skilled reverse engineers to manually unpack and compare samples -- an approach that does not scale.

Stairwell automates this process by applying findings from static and dynamic analysis, file attributes, behavioral signals, detonation data, source code analysis, and over a million unique data points per object. The result is high-confidence variant relationships that would otherwise require extensive manual effort.

Why variant discovery matters for defenders:

  1. Out-of-band analysis -- Files are analyzed in Stairwell's cloud, not on the endpoint, so there are no resource trade-offs affecting detection depth.
  2. Proactive detection -- New files are compared against hundreds of millions of known objects, often identifying threats before public disclosure.
  3. Retroactive hunting -- When a new threat is published, Stairwell can retroactively identify variants that may have already been present in your environment.

API access:

GET /v1/objects/{SHA256}/variants

What Are Sightings

A sighting records a specific instance where an object was observed in a customer environment. Sightings are categorized as:

  • Actual sightings -- Files collected directly from an asset, typically via a forwarder or the Swell CLI.
  • Virtual sightings -- Files that Stairwell identifies by unpacking objects collected from client machines. For example, if an asset contains a zip file with a malicious executable inside, the zip is an actual sighting and the executable is a virtual sighting from the same asset.

Sightings provide rapid visibility into where and when a file appeared -- critical context during threat triage and incident response.

Note: Sighting counts do not equal asset counts. A single object may have multiple sightings across different assets and time windows.

API access:

GET /v1/objects/{SHA256}/sightings

Using Variants and Sightings in Investigations

In practice, analysts combine variants and sightings to answer key investigation questions:

  • Is this file part of a known family? Check the variants tab to see if the object is related to previously classified malware or grayware.
  • Where did this file land? Review sightings to identify every asset and environment where the object (or its variants) appeared.
  • What else came with it? Use Run-to-Ground to find other uncommon objects that arrived within 24 hours of any variant sighting.
  • Has this threat been here before? When new threat intelligence is published, search for variants of the reported hashes to check for historical presence in your environment.

Starting from a single hash, an analyst can follow variant chains and sighting timelines to map the full blast radius of an incident without writing a single YARA rule or manually correlating logs.
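The workflow above as an added example, not Stairwell's own client code. It stands in for the two endpoints with constructed in-memory data, and the response field names (`sha256`, `asset_id`, `kind`, `observed_at`) are assumptions; the page does not document the response shape.

```python
# Added example: walk from one hash to its variants, gather every sighting,
# and summarise scope per asset. Field names below are assumed, not from the page.
from datetime import datetime
from typing import Dict, List

# Constructed sample data: object "aaa" has two variants; host-1 sees "aaa"
# twice, host-2 sees variant "bbb" once (unpacked, so a virtual sighting).
VARIANTS = {"aaa": [{"sha256": "bbb"}, {"sha256": "ccc"}]}
SIGHTINGS = {
    "aaa": [
        {"asset_id": "host-1", "kind": "actual", "observed_at": "2024-03-01T10:00:00Z"},
        {"asset_id": "host-1", "kind": "actual", "observed_at": "2024-03-02T08:00:00Z"},
    ],
    "bbb": [{"asset_id": "host-2", "kind": "virtual", "observed_at": "2024-02-20T12:00:00Z"}],
    "ccc": [],
}

def fetch_variants(sha256: str) -> List[dict]:
    """Stand-in for GET /v1/objects/{SHA256}/variants (returns constructed data)."""
    return VARIANTS.get(sha256, [])

def fetch_sightings(sha256: str) -> List[dict]:
    """Stand-in for GET /v1/objects/{SHA256}/sightings (returns constructed data)."""
    return SIGHTINGS.get(sha256, [])

def scope_from_hash(seed: str, variants=fetch_variants, sightings=fetch_sightings) -> dict:
    """Seed hash + variants -> all sightings -> per-asset first/last seen.
    Keeps sighting count and asset count separate, since they differ."""
    hashes = [seed] + [v["sha256"] for v in variants(seed)]
    assets: Dict[str, dict] = {}
    total = 0
    for h in hashes:
        for s in sightings(h):
            total += 1
            ts = datetime.fromisoformat(s["observed_at"].replace("Z", "+00:00"))
            entry = assets.setdefault(
                s["asset_id"], {"first_seen": ts, "last_seen": ts, "hashes": set(), "kinds": set()}
            )
            entry["first_seen"] = min(entry["first_seen"], ts)
            entry["last_seen"] = max(entry["last_seen"], ts)
            entry["hashes"].add(h)
            entry["kinds"].add(s["kind"])
    # Earliest observation across the whole variant set answers "has it been here before?"
    earliest = min((a["first_seen"] for a in assets.values()), default=None)
    return {"hashes": hashes, "sighting_count": total, "asset_count": len(assets),
            "first_seen": earliest, "assets": assets}
```

Swap the two fetch functions for real HTTP calls to run it against a live tenant; the summary logic is unchanged.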