Stairwell Variant Discovery is a malware analysis tool that expands a single file hash into full visibility of an entire malware family. It analyzes file structure, behavior, and content to identify related malware variants that share code-level similarity, even when surface-level attributes such as hashes, packers, or signatures have been changed by attackers. All files — executables, scripts, and artifacts — are stored in a private, encrypted vault specific to each organization. This vault is not a public crowdsourced pool, meaning files, analyses, and verdicts are not exposed externally. Every file ingested remains searchable indefinitely and is not subject to log pipeline expiration. Rather than relying on hash-based detection, Variant Discovery examines underlying file structure, code sections, imports, and relationships to group files that share common DNA. This approach surfaces clusters of variants tied to a single campaign or toolset. The tool maps the malware family tree within an organization's environment, showing how variants evolved over time, which hosts and users were affected, and across which time windows. From a single IOC, analysts can pivot to the full spread of related artifacts and infrastructure. As new threat intelligence, YARA rules, and IOCs become available, Variant Discovery reanalyzes the entire historical file corpus against the updated intel, surfacing previously hidden variants. No YARA authoring is required by the analyst to initiate discovery. Variant Discovery integrates into Stairwell's broader investigation workflow, supporting containment verification by identifying where variants did and did not land across the environment.