Binalyze AIR v5.18

AIR v5.18 focuses on faster investigation workflows, stronger large-environment scalability, improved responder communication, expanded MITRE ATT&CK database management, and more flexible isolation controls. This release helps cybersecurity and investigation teams work across large asset estates with greater confidence, while giving administrators more control over authentication, evidence repositories, policies, and operational visibility.

What’s New?

  • Redesigned Visit Architecture: AIR now reduces the amount of repeated responder data exchanged with the Console by using change detection for configuration and state. Analysts benefit from more reliable task delivery and asset status updates in large environments, while administrators gain better platform stability during high-volume operations.

  • Controlled MITRE Analyzer Database Update Management: AIR now supports versioned MITRE ATT&CK database delivery, release notes, manual version selection per asset, automatic update settings, and responder-side update tasks. This helps analysts keep Hunt/Triage activity aligned with known rule versions and improves consistency across investigations.

  • More flexible and operationally safe isolation policies: Isolation policy controls now support broader real-world allow-listing scenarios, including FQDNs, CIDR ranges, optional ports, process matching improvements, DNS and DHCP controls, and bulk allow-list entry handling. These improvements help teams isolate assets while preserving required investigation and security operations connectivity.

  • SSO (Single Sign-On) Infrastructure Overhaul: Multi-Provider Support with OIDC & SAML 2.0: AIR introduces a more flexible SSO provider model with OIDC and SAML 2.0 support, claim mapping, dynamic login buttons, and improved administrator workflows such as Personal Access Token management and faster 2FA reset access.

  • Console Performance & Stability at Scale Optimizations: Asset, task, case, audit log, statistics, and cache-heavy workflows have been optimized to reduce memory pressure and unnecessary background work. This improves daily usability for customers managing large numbers of assets.

  • Investigation Toolbox: A floating, draggable, resizable toolbox widget accessible from within Investigation Hub. It contains 8 purpose-built analysis tools, auto-detects the type of input, and routes the user to the most relevant tool.

New Features & Improvements

Asset & Task Management

Redesigned Visit Architecture

AIR now includes a lightweight heartbeat flow for responders. Instead of sending full state and configuration data on every high-frequency check-in, responders can use change indicators to determine whether a full update is required.

This improves responder–Console communication at scale. For analysts, asset availability and pending task delivery remain responsive even in large environments. For administrators, the platform performs less repeated work during routine responder polling.

The new state and configuration flows support separate update paths for asset identity, hardware, network, operating system, security capabilities, and configuration data. Responders only send or request full data when the relevant change indicator differs.

A dedicated metrics flow also allows responders to report frequently changing operational data, such as CPU, memory, and disk availability, without increasing the size of regular heartbeat traffic. This keeps asset telemetry available while reducing the load on high-frequency communication paths.
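The following is an added illustration of the change-indicator idea described above; it is not AIR's responder or Console code. The per-category digest scheme, the class names and the message shapes are assumptions chosen for the example. The responder sends one short digest per state category on every heartbeat, the Console asks for full data only for categories whose digest differs from what it stored, and metrics travel on their own path so they never inflate the heartbeat.

```python
import hashlib
import json

# State categories that get independent change indicators (from the release notes).
CATEGORIES = ("identity", "hardware", "network", "os", "security", "config")


def fingerprint(section: dict) -> str:
    """Change indicator for one state section: digest of its canonical JSON (assumed scheme)."""
    canonical = json.dumps(section, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def over_the_wire(message: dict) -> dict:
    """Simulate serialization so the Console and responder never share objects."""
    return json.loads(json.dumps(message))


class Responder:
    """Responder side: owns the full state, sends only indicators on each heartbeat."""

    def __init__(self, asset_id: str, state: dict):
        self.asset_id = asset_id
        self.state = {c: dict(state.get(c, {})) for c in CATEGORIES}

    def heartbeat(self) -> dict:
        # Lightweight check-in: one short digest per category, no full payload.
        return over_the_wire({
            "asset": self.asset_id,
            "indicators": {c: fingerprint(self.state[c]) for c in CATEGORIES},
        })

    def full_update(self, categories) -> dict:
        # Full data only for the categories the Console flagged as changed.
        return over_the_wire({
            "asset": self.asset_id,
            "sections": {c: self.state[c] for c in categories},
        })

    def metrics(self) -> dict:
        # Frequently changing values travel on their own flow (constructed sample values).
        return over_the_wire({"asset": self.asset_id, "cpu_pct": 12.5,
                              "mem_free_mb": 2048, "disk_free_gb": 80})


class Console:
    """Console side: remembers the last indicator and full section per asset."""

    def __init__(self):
        self.known = {}    # asset_id -> {category: indicator}
        self.state = {}    # asset_id -> {category: section}
        self.metrics = {}  # asset_id -> latest metrics sample

    def on_heartbeat(self, hb: dict) -> list:
        """Return the categories whose indicator differs from what we last stored."""
        known = self.known.setdefault(hb["asset"], {})
        return [c for c in CATEGORIES if known.get(c) != hb["indicators"][c]]

    def on_full_update(self, upd: dict) -> None:
        asset = upd["asset"]
        sections = self.state.setdefault(asset, {})
        known = self.known.setdefault(asset, {})
        for c, section in upd["sections"].items():
            sections[c] = section
            known[c] = fingerprint(section)

    def on_metrics(self, sample: dict) -> None:
        self.metrics[sample["asset"]] = sample


def checkin(responder: Responder, console: Console) -> list:
    """One polling round; returns the categories that needed a full resend."""
    stale = console.on_heartbeat(responder.heartbeat())
    if stale:
        console.on_full_update(responder.full_update(stale))
    console.on_metrics(responder.metrics())
    return stale
```

On the first check-in every category is unknown, so the Console requests all of them; a second identical check-in transfers nothing beyond the digests; after a network change only the network section is resent.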

Console Performance & Stability at Scale Optimizations

Task assignment and delivery have been optimized for large asset groups. AIR now handles multi-asset assignment using batch-oriented processing, reducing repeated work when a task is assigned to many assets.

This is especially valuable during incident response operations where analysts may need to run acquisition, Hunt/Triage, or isolation tasks across large numbers of assets. AIR now reduces duplicate task data handling and improves task queue reliability under large assignments.

Task assignment counting and duplicate prevention have also been improved. AIR now reduces repeated counting work during large task fan-out operations and prevents duplicate assignment records for the same task and asset combination.

Responders now sort received tasks by assignment time. This protects expected execution order when multiple tasks are waiting for the same asset and improves consistency after platform-side task delivery optimizations.

Controlled MITRE ATT&CK Analyzer Database Update Management

AIR now provides expanded MITRE ATT&CK database version management for Hunt/Triage workflows. Administrators can configure whether assets automatically use the latest available MITRE ATT&CK version or whether versions are managed manually across assets.

When manual management is enabled, users can select specific MITRE ATT&CK database versions for individual assets or asset groups. The asset list can show installed and demanded versions, allowing analysts to confirm which version is active on each responder before running investigation tasks.

AIR can now create MITRE ATT&CK database update tasks when responders check in. This helps align responders with the requested database version without requiring analysts to manually coordinate every update cycle.

Responders can download MITRE ATT&CK database artifacts through a CDN-first workflow when available, with fallback behavior controlled by the Console. This improves download reliability and reduces Console bandwidth usage in SaaS environments.

Responders also keep two local MITRE ATT&CK database versions to avoid unnecessary re-downloads when versions change quickly or when configuration changes cause a version switch. This improves resilience in environments with frequent update testing or staged rollouts.

AIR now displays release notes for MITRE ATT&CK database versions. Users can view release details from system settings and from notifications when new versions are available.

This helps analysts understand what changed before applying a new database version to assets. It also gives administrators clearer context when deciding whether to use automatic updates or manage versions manually.

Asset Network Interface Visibility

The asset list now supports richer network visibility. Optional columns can expose IPv4 addresses, IPv6 addresses, MAC addresses, and interface names from all network interfaces reported by the asset.

This improves investigation correlation with firewall logs, network captures, SIEM records, and asset inventory data. Analysts can inspect values in compact or expanded form and access full interface details when needed.

Dedicated filtering by IPv4 address, IPv6 address, MAC address, and interface name helps teams narrow asset lists during investigations without relying on a single resolved IP address.

Bulk Responder Log Collection

AIR now supports more efficient responder log collection across multiple assets. Administrators and support teams can collect logs from several assets at once instead of repeating the action per asset.

This is useful when multiple assets experience similar task failures or connectivity issues. Bulk collection reduces troubleshooting time and helps teams gather diagnostic data during large-scale response operations.

Auto-Refresh Control for Data Grids

Data grids can now expose an optional auto-refresh control. When enabled for a screen, users can turn live data refresh on or off based on their workflow.

This gives analysts more control during active investigations. They can pause automatic refresh while reviewing selected rows, copying values, or comparing evidence, then re-enable it when they want the latest data.

Investigation Hub & Cases

Investigation Toolbox

Investigation Hub now includes an in-hub toolbox for common analysis tasks. Analysts can open selected values in a floating toolbox without leaving the investigation context.

The toolbox supports string analysis, Base64 decoding and encoding, URL decoding and encoding, hexadecimal and ASCII conversion, timestamp conversion, hash and IOC lookup links, defang and refang operations, and Windows registry key reference.

AIR can automatically detect common value types, such as hashes, IP addresses, domains, timestamps, registry paths, encoded strings, and defanged indicators. This helps analysts move from evidence review to enrichment or conversion faster.
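The value-type detection and defang/refang operations mentioned above, as an added, self-contained illustration rather than the toolbox's own code. The patterns, the order in which they are tried (more specific shapes such as hashes before the looser Base64 test) and the output labels are assumptions; the sample values in the usage are constructed.

```python
import base64
import re
from datetime import datetime, timezone

HEX = r"[0-9a-fA-F]"
# Ordered list: more specific shapes first so a hex hash is not mistaken for Base64.
PATTERNS = [
    ("md5", re.compile(rf"^{HEX}{{32}}$")),
    ("sha1", re.compile(rf"^{HEX}{{40}}$")),
    ("sha256", re.compile(rf"^{HEX}{{64}}$")),
    ("ipv4", re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")),
    ("registry_path", re.compile(r"^(?:HKLM|HKCU|HKCR|HKU|HKCC|HKEY_[A-Z_]+)\\", re.I)),
    ("url", re.compile(r"^https?://", re.I)),
    ("domain", re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)),
    ("epoch", re.compile(r"^\d{10}(?:\d{3})?$")),
    ("iso8601", re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")),
]
# Common defanging conventions: hxxp scheme, bracketed or parenthesised dots, bracketed colon.
DEFANGED = re.compile(r"hxxps?://|\[\.\]|\(\.\)|\[:\]", re.I)


def refang(value: str) -> str:
    """Restore a defanged indicator so it can be parsed or looked up."""
    out = re.sub(r"hxxp", "http", value, flags=re.I)
    return out.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def defang(value: str) -> str:
    """Make an indicator non-clickable for reports (every dot is bracketed)."""
    out = re.sub(r"^http", "hxxp", value, flags=re.I)
    return out.replace(".", "[.]")


def _looks_base64(value: str) -> bool:
    # Strict alphabet, correct length, and a printable-ASCII result are all required.
    if len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return False
    return bool(raw) and all(32 <= b < 127 for b in raw)


def detect(value: str) -> str:
    """Classify a selected value; 'string' means no specific tool applies."""
    v = value.strip()
    if DEFANGED.search(v):
        return "defanged"
    for name, pattern in PATTERNS:
        if pattern.match(v):
            return name
    if _looks_base64(v):
        return "base64"
    return "string"


def epoch_to_iso(value: str) -> str:
    """Convert a 10-digit (seconds) or 13-digit (milliseconds) epoch to ISO 8601 UTC."""
    ts = int(value)
    return datetime.fromtimestamp(ts / 1000 if len(value) == 13 else ts, tz=timezone.utc).isoformat()


def decode_base64(value: str) -> str:
    return base64.b64decode(value, validate=True).decode("ascii")
```

Ordering matters for this kind of router: a 32-character hex string is also a syntactically valid Base64 string, so the hash checks run first and the Base64 test additionally requires a printable decoded result.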

Bulk Notes for Findings and Evidence

Investigation Hub now supports applying the same note to multiple selected flagged findings or evidence items in a single action.

This reduces repetitive work during reporting and review. Analysts can annotate groups of related findings consistently, improving investigation documentation quality and speeding up case preparation.

Bulk Send to Case

AIR now supports bulk workflows for sending multiple task assignments or task results into a case. Instead of sending each result individually, analysts can select multiple items and add them to the relevant case in a single operation.

This improves investigation consolidation after broad Hunt/Triage or acquisition activity. Teams can quickly bring evidence from many assets into the correct case and continue analysis in Investigation Hub.

User-Specific Date and Time Preferences

Users can now configure how dates and times are displayed and exported. Preferences include display mode, date pattern, time pattern, and timezone.

CSV export workflows can provide UTC, formatted output with timezone, or formatted output without timezone. This gives analysts more readable exports while preserving the existing UTC format for integrations that depend on it.

Investigation Hub exports continue to respect the investigation timezone while applying the user’s preferred date and time pattern. This preserves investigation context while improving readability.

Isolation & Response

Expanded Isolation Policy Controls

Isolation policies now support more flexible allow-listing for real customer environments. Policy configuration can include FQDN allow lists, system DNS selection, custom DNS servers, CIDR ranges, optional ports, and process matching improvements.

These controls help investigation teams isolate assets while preserving required connectivity for approved tools, responder communication, and essential security visibility.

FQDN handling has also been extended across supported platforms, including platform-specific handling for host and resolver files. When the Console address is a hostname, AIR can include it in the relevant allow list so responder communication remains available during isolation.
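As an added example of how an allow list with CIDR ranges, optional ports, process matching, FQDN entries and an automatically allowed Console hostname can be evaluated, here is a small policy evaluator. It is illustrative code, not AIR's isolation engine: the rule model, the one-line-per-entry bulk format and the injectable resolver (used so the example runs offline) are assumptions, and all addresses and names are constructed.

```python
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional


@dataclass(frozen=True)
class AllowRule:
    network: str                          # CIDR or single address, e.g. "10.0.5.0/24"
    ports: FrozenSet[int] = frozenset()   # empty set = any port
    process: Optional[str] = None         # image name, compared case-insensitively; None = any

    def matches(self, ip: str, port: int, process: str) -> bool:
        net = ipaddress.ip_network(self.network, strict=False)
        if ipaddress.ip_address(ip) not in net:
            return False
        if self.ports and port not in self.ports:
            return False
        if self.process and self.process.lower() != process.lower():
            return False
        return True


class IsolationPolicy:
    """Allow-list evaluator for an isolated asset (assumed model). Anything unmatched is blocked."""

    def __init__(self, console_address: str, console_port: int = 443,
                 resolver: Optional[Callable[[str], List[str]]] = None):
        self.rules: List[AllowRule] = []
        # Real deployments resolve on the host; tests pass a resolver to stay offline.
        self.resolver = resolver or (lambda name: socket.gethostbyname_ex(name)[2])
        # The Console address may be a hostname: allow it automatically so the
        # responder channel survives isolation.
        self.allow_fqdn(console_address, {console_port})

    def allow_cidr(self, cidr: str, ports=(), process: Optional[str] = None) -> None:
        self.rules.append(AllowRule(cidr, frozenset(ports), process))

    def allow_fqdn(self, name: str, ports=(), process: Optional[str] = None) -> None:
        try:
            addresses = [str(ipaddress.ip_address(name))]   # already an IP literal
        except ValueError:
            addresses = self.resolver(name)
        for address in addresses:
            self.allow_cidr(address, ports, process)

    def allow_dns(self, servers) -> None:
        """Custom DNS servers: permit port 53 to each one."""
        for server in servers:
            self.allow_cidr(server, {53})

    def bulk_import(self, text: str) -> int:
        """One entry per line: '<cidr> [ports|-] [process]' (assumed format); returns entries added."""
        added = 0
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            tokens = line.split()
            ports_token = tokens[1] if len(tokens) > 1 else "-"
            ports = () if ports_token == "-" else tuple(int(p) for p in ports_token.split(","))
            process = tokens[2] if len(tokens) > 2 else None
            self.allow_cidr(tokens[0], ports, process)
            added += 1
        return added

    def permits(self, ip: str, port: int, process: str) -> bool:
        return any(rule.matches(ip, port, process) for rule in self.rules)
```

The evaluator is deny-by-default: a jump-host range allowed on port 22 does not permit port 443 to the same range, and a log forwarder allowed only for one process rejects the same destination from any other process.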

Bulk Import for Isolation Allow Lists

Isolation policy configuration now supports bulk entry handling for IP, port, and process allow lists.

Administrators can add many allow-list entries more efficiently instead of creating each row one at a time. This is useful when policies must include jump hosts, investigation tools, log collection systems, or approved response utilities.

Improved Isolation Failure Visibility

AIR now surfaces clearer notification and event information when isolation restart or unisolation-related activity fails.

This helps analysts understand whether an asset is still isolated, whether a transition was attempted, and why a response action did not complete as expected.

Per-Policy Enable and Disable Control

Policies can now be temporarily disabled without deleting their configuration.

This helps administrators suspend a policy during an investigation or configuration change while preserving filters, allow lists, compression settings, and other policy details for later reuse.

Authentication, Access & Administration

Multi-Provider SSO with OIDC and SAML 2.0

AIR now introduces a more flexible SSO provider architecture. Administrators can configure multiple identity providers and protocols, including OIDC and SAML 2.0, through a unified provider management experience.

The SSO configuration supports Microsoft Entra ID, Microsoft ADFS, Okta, FortiAuthenticator, Google Workspace, and custom providers depending on protocol compatibility.

Administrators can define claim mappings for email, first name, last name, and groups. This improves compatibility with identity providers that use custom attribute names and reduces the need for environment-specific changes.
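To show what claim mapping has to handle in practice, here is an added example that is not AIR's SSO code: a per-provider mapping from platform user fields to provider claim names, applied to claims from an OIDC provider and from a SAML assertion. The OIDC claim names are placeholders chosen for the example; the SAML entries use the standard claim URIs that ADFS emits by default. Treating the email as a required field and lower-casing it as the matching key are assumptions of this example.

```python
from typing import Any, Dict, List

# Hypothetical per-provider mappings: platform user field -> claim name at the IdP.
OIDC_MAPPING = {
    "email": "preferred_username",   # some tenants do not expose an "email" claim at all
    "first_name": "given_name",
    "last_name": "family_name",
    "groups": "groups",
}
# Standard claim URIs emitted by ADFS for the same fields.
SAML_MAPPING = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
}

REQUIRED = ("email",)   # fields without which no account may be matched or created


class ClaimMappingError(ValueError):
    """Raised when a claim the platform needs is missing or empty."""


def _scalar(value: Any) -> Any:
    # SAML attributes arrive as lists even when single-valued; unwrap those.
    if isinstance(value, list):
        return value[0] if len(value) == 1 else None
    return value


def missing_fields(mapping: Dict[str, str], claims: Dict[str, Any]) -> List[str]:
    """Which required user fields cannot be filled from these claims."""
    out = []
    for field in REQUIRED:
        value = _scalar(claims.get(mapping[field]))
        if not isinstance(value, str) or not value.strip():
            out.append(field)
    return out


def map_claims(mapping: Dict[str, str], claims: Dict[str, Any]) -> Dict[str, Any]:
    """Build the platform's user record from provider claims; refuse incomplete identities."""
    missing = missing_fields(mapping, claims)
    if missing:
        raise ClaimMappingError("claims missing required field(s): " + ", ".join(missing))
    groups = claims.get(mapping["groups"], [])
    if isinstance(groups, str):
        groups = [groups]   # a single group may arrive unwrapped
    return {
        # Lower-cased so one person cannot end up with two accounts differing only in case.
        "email": _scalar(claims[mapping["email"]]).strip().lower(),
        "first_name": (_scalar(claims.get(mapping["first_name"])) or "").strip(),
        "last_name": (_scalar(claims.get(mapping["last_name"])) or "").strip(),
        "groups": sorted(set(groups)),   # deduplicated, order-independent
    }
```

Rejecting an assertion whose mapped email claim is absent or blank is the important branch: a mapping that silently yields an empty identifier would let the login succeed against a wrong or new account.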

The login page now displays SSO buttons dynamically based on enabled providers. Provider audit events are also generated when SSO providers are created, updated, enabled, disabled, or deleted.

Personal Access Token Management

AIR now includes management screens and APIs for Personal Access Tokens.

This gives administrators a clearer way to manage token-based access for integrations and automation while improving visibility into token lifecycle operations.

Reset 2FA from the Users List

Administrators can now reset a user’s 2FA directly from the Users list actions menu when 2FA is enabled for that user.

This reduces operational friction when a user loses access to their authenticator device, especially in environments where 2FA enforcement is enabled.

Evidence Repository Flexibility

Evidence Repository configuration can now be saved without successful Console-side verification when the environment intentionally blocks Console-to-repository connectivity.

This supports architectures where responders upload evidence directly to repositories such as SFTP, FTPS, SMB, Azure Storage, or Amazon S3 while the Console is not permitted to connect to the repository directly.

Performance, Scale & Operational Reliability

Large Asset Estate Optimizations

AIR v5.18 includes multiple improvements for environments with very large asset counts. Asset statistics, asset list rendering, deployment state checks, offline status processing, and background calculations have been optimized to avoid loading unnecessary data into application memory.

These changes improve stability for tenants with large numbers of assets and reduce the risk of slow page loads or memory pressure when multiple users open asset-heavy pages.

Audit Log Search Improvements

Audit log filtering and indexing behavior has been improved for large environments.

This helps administrators search operational history more reliably when the platform contains a high number of assets and events.

Responder Resource Usage Controls

Responder-launched child processes now run with a lower scheduling priority where supported. This helps reduce the likelihood that acquisition, analysis, or query operations interfere with other processes running on the asset.

The default CPU limit for new deployments and default policies is now 50%. Administrators can still configure values above or below this threshold based on their environment and investigation requirements.

Note: Existing customer environments will automatically receive the new 50% default CPU limit configuration. Customers who want to use a different CPU limit value can update the relevant policy settings after the upgrade.

Bug Fixes

  • interACT connection experience improved. AIR now provides clearer connection progress states, elapsed time information, and better expectation setting when a session is waiting for a responder check-in. This reduces confusion in environments without a real-time responder connection.

  • interACT terminal focus behavior fixed. Returning to an interACT terminal now restores focus more reliably, including after navigating away, switching sessions, or reopening the terminal view.

  • interACT copy behavior fixed. Pressing Ctrl+C with selected terminal output now allows the browser copy action instead of always treating the shortcut as an interrupt command.

  • interACT session limit behavior made consistent. Starting interACT from the asset page now aligns more closely with the expected multi-session behavior available through Quick Start.

  • Investigation Hub findings filtering corrected. Finding detail views now apply the same finding type context as dashboard selections, reducing mismatches between summary counts and listed rows.

  • Investigation Hub live activity hiding fixed. Hiding live activities now dismisses visible activity notifications and avoids immediately showing another confirmation notification that could make the action appear unsuccessful.

  • Case import recovery improved. AIR improves recovery behavior for task assignment imports that are interrupted by service restarts, reducing the chance that imports remain indefinitely pending.

  • Findings CSV export performance improved. Large Investigation Hub exports now avoid several repeated processing bottlenecks that could cause exports to take minutes or fail.

  • DRONE cancellation data preservation improved. DRONE logs and finding detail metadata are now persisted more incrementally so cancelled or force-stopped analysis is less likely to produce reports with missing context.

  • Acquisition failure messaging clarified. Acquisition tasks that cannot produce partial results now provide clearer failure details, reducing confusion when disk space or compression conditions prevent a partially completed result.

  • License refresh behavior improved. SaaS license refresh actions now use the correct refresh path and improve how licensing changes propagate to the UI and registration workflows.

  • Failed registration notification details improved. The Notifications page now includes asset name context for failed registration notifications where available.

  • Evidence repository save workflow improved. Repository configurations can be saved in restricted network environments even when Console-side verification is not possible, with appropriate user awareness.

  • Backup workflow reliability improved. AIR backup handling has been improved for large backup scenarios where the Console backup process could appear stalled or fail to complete.

  • Responder task data delivery corrected. AIR fixed cases where task data for multiple assignments could be sent incorrectly or where top-priority tasks were not delivered as expected during update-related states.

  • Responder and Console state compatibility fixed. AIR corrected MITRE ATT&CK database version field handling between responder state updates and Console persistence.

  • Duplicate assignment risk reduced. AIR now enforces stronger uniqueness for task assignments by task and asset, reducing duplicate records during retries or large assignments.

  • UI performance issues investigated and improved. AIR includes fixes and optimizations addressing intermittent Console UI slowness reported in customer environments.