Here is a suggestion for the sandbox. Sorry if it has already been suggested.
The sandbox would be much more interesting if it generated a log file listing all the blocked/virtualized operations the process made.
Even better: at the end (when the sandboxed process terminates), CIS could automatically generate a security strategy sheet in Defense+, with all operations listed as rules. So we know everything a process tried to do, and can decide what we will accept or block in the future.
The goal is not to limit the sandbox to a simple, uninformative trial, but to see what a process really does.