DRONE analysis on previously or newly collected evidence files — Analysts can now initiate DRONE analysis directly from the Investigation Hub on any existing evidence file, whether or not it was previously analyzed by a responder. This enables rapid reassessment after rule updates and supports first-time analysis of evidence returned without prior DRONE processing, streamlining forensic validation and re-evaluation workflows.
RelayPro — A major milestone introducing the new secure, authenticated HTTPS relay server that replaces the legacy relay implementation. RelayPro enhances secure responder-to-console communication with JWT-based two-step authentication, independent deployment, manual administrative control, and improved reliability. RelayPro provides stronger assurance of data integrity and traceable asset communications within restrictive or segmented environments.
Bulk User Import via Email List or CSV Upload — Simplifies large-scale onboarding by allowing administrators to import users in bulk with role and group metadata. This improvement accelerates enterprise deployments and ensures consistent privilege configurations for security operations teams.
macOS Evidence Expansion — The responder now supports the collection of previously missing raw evidence sets from macOS systems, including SSH and Launchd configuration, /etc system files, crash logs, Apple System Logs, Gatekeeper data, and others, offering deeper asset visibility during Apple ecosystem investigations.
The module renaming improves concept alignment with forensic workflows, emphasizing proactive hunting and triage analysis capabilities from within the same interface. It helps analysts better associate the feature with rule-based anomaly detection and evidence interrogation.
A new mandatory name field has been added to Hunt/Triage rules, improving identification and readability across detection configurations. Analysts can now assign descriptive titles in addition to detailed descriptions, with character limits introduced for better data management.
Support for rule tagging during creation or update has been implemented, making it easier to categorize and organize triage logic based on tactics, data sources, or operational context. Deleting tags is also now fully supported, empowering analysts to maintain a focused and updated ruleset with minimal clutter.
Hunt/Triage tags can now be easily deleted, making management of categorization structures more flexible. Analysts can reorganize or clean up unused rule tags efficiently, helping maintain clarity within growing rule repositories.
Users can conduct bulk deletions for several feature sets—hunt/triage rules, acquisition profiles, auto asset tags, interACT command snippets, search profiles, tokens, and subscriptions. This feature removes redundant configuration data en masse, simplifying maintenance of forensic configurations and automation objects.
This enhancement introduces the ability to import multiple users simultaneously by uploading a CSV file or a list of email addresses. Optional metadata, such as organization, role, or group, can be included in the data for automatic assignment. A preview step allows validation before applying changes. For large enterprise security operations teams, this feature expedites onboarding, reduces human error, and maintains consistent access structures across operational environments.
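The import-with-preview flow described above, as an added example that is not the console's own code: it accepts either a CSV with an email header or a bare email list, validates each row against a set of allowed roles and groups (the role and group names, the email pattern and the sample rows are all constructed for this illustration), and produces a dry-run report of what would be created and what would be rejected before anything is applied.

```python
import csv
import io
import re
from dataclasses import dataclass, field

# Roles and groups the hypothetical console accepts; constructed for this example.
ALLOWED_ROLES = {"admin", "analyst", "viewer"}
ALLOWED_GROUPS = {"soc-tier1", "soc-tier2", "dfir"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class ImportPreview:
    accepted: list = field(default_factory=list)   # rows ready to be created
    rejected: list = field(default_factory=list)   # (row_number, reason)


def parse_user_list(text: str) -> list:
    """Accept a CSV with an 'email' header column, or a bare email list separated
    by newlines, commas or semicolons. Returns one dict per row."""
    text = text.strip()
    if not text:
        return []
    header = [c.strip().lower() for c in text.splitlines()[0].split(",")]
    if "email" in header:
        reader = csv.DictReader(io.StringIO(text))
        return [{k.strip().lower(): (v or "").strip() for k, v in row.items() if k}
                for row in reader]
    emails = [e.strip() for e in re.split(r"[\n,;]+", text) if e.strip()]
    return [{"email": e} for e in emails]


def preview_import(text: str, existing_emails: set, default_role: str = "viewer") -> ImportPreview:
    """Dry run: validate every row and report what would happen, without applying changes."""
    preview = ImportPreview()
    seen = set()
    for row_no, row in enumerate(parse_user_list(text), start=1):
        email = row.get("email", "").lower()
        role = (row.get("role") or default_role).lower()
        group = (row.get("group") or "").lower()
        if not EMAIL_RE.match(email):
            preview.rejected.append((row_no, f"invalid email {email!r}"))
        elif email in existing_emails:
            preview.rejected.append((row_no, f"{email} already exists"))
        elif email in seen:
            preview.rejected.append((row_no, f"{email} duplicated in upload"))
        elif role not in ALLOWED_ROLES:
            preview.rejected.append((row_no, f"unknown role {role!r}"))
        elif group and group not in ALLOWED_GROUPS:
            preview.rejected.append((row_no, f"unknown group {group!r}"))
        else:
            seen.add(email)
            preview.accepted.append({"email": email, "role": role, "group": group or None})
    return preview


# Constructed sample uploads: one CSV with metadata, one bare email list.
SAMPLE_CSV = """email,role,group
alice@example.com,analyst,dfir
bob@example.com,admin,
carol@example,analyst,dfir
alice@example.com,viewer,soc-tier1
dave@example.com,superuser,dfir
"""
SAMPLE_EMAILS = "erin@example.com, frank@example.com\nerin@example.com"

if __name__ == "__main__":
    for label, text in (("csv", SAMPLE_CSV), ("list", SAMPLE_EMAILS)):
        p = preview_import(text, existing_emails={"bob@example.com"})
        print(label, "accepted:", p.accepted)
        print(label, "rejected:", p.rejected)
```

Running the preview against a list of already-provisioned addresses is what keeps the bulk path from silently re-creating or overwriting accounts; the rejected list is the artefact an administrator reviews before confirming the import.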
Backup management now incorporates version tagging directly into .abf file names, allowing teams to easily identify the AIR version linked to each backup. This improvement minimizes confusion during recovery and helps investigators quickly restore environments corresponding to specific builds for testing or audit verification.
Complementing the re-analysis capability, the Investigation Hub interface now includes a DRONE Analysis progress section under task details. Security operations teams can monitor DRONE analysis states, view running or completed analyses, and access outcomes within the same case environment. This improvement reduces the need for separate logs or external monitoring and ensures transparency during longer-running forensic evaluations.
New evidence collectors have been introduced for macOS systems, covering areas previously unavailable for collection. Analysts can now acquire SSH configuration files, Launchd and Cron job definitions, /etc system files, Installed Applications, Apple System and Crash logs, Chromium extensions, Gatekeeper configurations, and Startup Hook artifacts such as Re-Opened Apps and Login/Logout Hooks. Each data source enhances visibility into execution persistence and system-level behaviors associated with macOS adversary techniques, enabling more complete cross-platform forensic baselines.
A full, OS-specific listing is available in the Knowledge Base, showing which evidence and artifact items appear in the Investigation Hub, whether their source files are collected, and which artifacts provide parsed data or raw file collections.
A new collector has been introduced to capture Chrome Quick Assist artifacts, providing visibility into remote support session activity.
This evidence will help investigators trace legitimate remote help sessions and identify instances where adversaries may leverage trusted remote access tools for persistence or lateral movement.
RelayPro represents a fundamental architectural evolution in secure relay operations. It implements a fully authenticated HTTPS proxy with JWT-based two-step verification for responders connecting through constrained networks. Unlike the previous SOCKS5 relays, RelayPro separates its deployment from endpoint agents, reducing attack surface and aligning with best security practices. Configuration is registered via the AIR Console to ensure only validated relays can relay traffic.
Each connection between a responder and RelayPro is authenticated, logged, and validated, providing end-to-end integrity and accountability for every command or evidence transfer. Logging has been modernized with JSON formatting accessible only from local administration, removing remote exposure risks. For DFIR specialists, RelayPro ensures traceable network intermediary communication and hardens AIR deployments in heavily segmented infrastructures or zero-trust environments.
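To make the authenticated-relay idea concrete, here is an added example that is not RelayPro's code and does not describe its actual token format: it models the two steps as (1) the console minting a short-lived HS256 JWT for a responder, scoped to one registered relay, and (2) the relay verifying signature, algorithm, audience and expiry before forwarding anything, emitting one JSON log line per connection attempt. The relay identifier, signing key, claim names and sample responder name are all constructed assumptions for the illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed for this example: the key the console shares with the relay when the relay
# is registered, and the relay's registered identifier.
RELAY_SIGNING_KEY = b"example-only-relay-signing-key"
RELAY_ID = "relay-01"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_responder_token(responder_id: str, key: bytes, now: int, ttl: int = 300) -> str:
    """Step 1 (console side, assumed): mint a short-lived HS256 JWT naming the relay as audience."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": responder_id, "aud": RELAY_ID, "iat": now, "exp": now + ttl}
    compact = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_responder_token(token: str, key: bytes, now: int) -> Optional[dict]:
    """Step 2 (relay side, assumed): check algorithm, signature, audience and expiry.
    Returns the claims on success, None on any failure."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        if header.get("alg") != "HS256":          # reject 'none' and algorithm confusion
            return None
        expected = hmac.new(key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
            return None
        claims = json.loads(_b64url_decode(c_b64))
    except (ValueError, TypeError):
        return None
    if claims.get("aud") != RELAY_ID or int(claims.get("exp", 0)) <= now:
        return None
    return claims


def relay_log_entry(responder_id: str, decision: str, now: int, reason: str = "") -> str:
    """One JSON line per connection attempt, intended for the relay's local log only."""
    return json.dumps({"ts": now, "relay": RELAY_ID, "responder": responder_id,
                       "decision": decision, "reason": reason}, sort_keys=True)


def handle_connection(token: str, key: bytes, now: int) -> Tuple[bool, str]:
    """Gate a responder connection; return (allowed, json_log_line)."""
    claims = verify_responder_token(token, key, now)
    if claims is None:
        return False, relay_log_entry("unknown", "reject", now, "invalid or expired token")
    return True, relay_log_entry(claims["sub"], "accept", now)


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_responder_token("responder-A", RELAY_SIGNING_KEY, t0)
    print(handle_connection(tok, RELAY_SIGNING_KEY, t0 + 10))
    print(handle_connection(tok, RELAY_SIGNING_KEY, t0 + 600))   # expired
```

The points a reviewer would check in any relay of this kind are visible here: the algorithm is pinned rather than read from the token, signature comparison is constant-time, the audience binds the token to one relay, and the log line records the decision without ever containing the token itself.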
The new DRONE Analysis Task introduces the capability to execute re-analysis on previously collected evidence directly on the AIR Console. Analysts can initiate this task on any case assignment, asset, or task detail page via the Run DRONE Analysis action. The feature operates entirely on the server side, leveraging existing DRONE processors to analyze already collected evidence without requiring endpoint connectivity. This advancement is crucial for post-incident investigations where analysts must validate updated threat intelligence or rule sets against archived evidence.
For responders working offline, analysis can also be triggered on evidence missing DRONE packages, ensuring full diagnostic coverage. Re-analysis results are written seamlessly into existing cases, preserving investigative continuity. DRONE-based re-analysis significantly enhances investigation agility by enabling rapid re-correlations and retrospective detection within both online and air-gapped scenarios.
DRONE analysis on existing evidence files
The new DRONE Analysis task introduces the ability to run or re-run analysis on any previously or newly collected evidence directly from the AIR Console. Analysts can initiate this task from any case, asset, or task detail page using the Run DRONE Analysis action.
This process runs entirely on the server side, using existing DRONE processors to analyze evidence without requiring asset connectivity. It is particularly valuable for post-incident investigations where analysts need to validate updated threat intelligence or newly added detection rules against previously collected evidence.
It is important to note that not all DRONE analyses can be performed server-side. Certain analysis modules — such as MITRE ATT&CK mapping and other context-aware detections — rely on the live asset for responder-side execution. When DRONE is run on collected evidence, these responder-dependent analyses are unavailable, but all compatible server-side rules and detections will execute as normal.
For responders working in offline or air-gapped environments, DRONE analysis can also be triggered on evidence that was collected without an embedded DRONE package, ensuring complete diagnostic coverage. Results are written directly into the originating case, maintaining full investigative continuity.
By allowing retrospective analysis and re-correlation within both connected and isolated environments, DRONE analysis enhances investigation agility and supports forensic-level validation across all collected evidence.
Investigation Hub – MITRE Tactic Interaction: Fixed an issue where only the first tactic or technique link was clickable when multiple MITRE mappings were shown. All mapped tactics now open correctly, supporting complete navigation for threat correlation.
SMB Event Parsing: Addressed a decoding issue where SMB hex-formatted address strings appeared incorrectly escaped or truncated in DRONE databases. The updated converter preserves valid hexadecimal strings precisely.
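The defect class behind this fix is worth seeing in code. The following is an added example, not the product's converter: a naive converter that round-trips a hex address string through an integer silently drops leading zeros and original case, while the preserving version validates the string as hexadecimal (optionally colon- or dash-separated, optionally `0x`-prefixed) and stores it byte-for-byte, escaping only genuinely non-hex text so nothing is truncated. The sample strings are constructed.

```python
import re

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
SEPARATED_HEX_RE = re.compile(r"^[0-9A-Fa-f]{2}([:\-][0-9A-Fa-f]{2})+$")


def naive_convert(value: str) -> str:
    """The defect to avoid: converting through int() loses leading zeros and case,
    so '00A1B2' comes back as 'a1b2'. Shown only to contrast with the preserving path."""
    return format(int(value.replace(":", "").replace("-", ""), 16), "x")


def preserve_hex_address(value: str) -> str:
    """Validate the string as a hex address (with or without 0x prefix or separators)
    and return it exactly as given; raise instead of guessing for anything else."""
    compact = value[2:] if value.lower().startswith("0x") else value
    if not (HEX_RE.match(compact) or SEPARATED_HEX_RE.match(compact)):
        raise ValueError(f"not a hex address string: {value!r}")
    return value


def classify_and_store(value: str):
    """Return (kind, stored_value). Hex strings pass through untouched; other text is
    escaped reversibly (backslashes and control characters) rather than dropped."""
    try:
        return "hex", preserve_hex_address(value)
    except ValueError:
        return "text", value.encode("unicode_escape").decode("ascii")


# Constructed sample address fields as they might appear in parsed SMB events.
SAMPLE_ADDRESSES = ["00A1B2", "0xDEADBEEF", "00:0c:29:3a:1f:9e", "abc", "host\x01name"]

if __name__ == "__main__":
    for a in SAMPLE_ADDRESSES:
        print(repr(a), "->", classify_and_store(a))
```

Odd-length strings such as `abc` are deliberately kept as-is rather than padded or rejected, since the goal of the converter is fidelity to the source record; whether a value is a valid *address* is a question for the analyzer, not the storage layer.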
Search in Sigma Hunt/Triage Event Records: Resolved a blocker where no results appeared for searches within Sigma Hunt/Triage records. Filtering and search now operate consistently across all evidence tables, improving investigative efficiency.
The Dynamo Analyzer has been upgraded with more comprehensive detection coverage across Windows, macOS, and Linux. It now identifies hacking tools and remote monitoring tools, suspicious commands, and relevant MITRE ATT&CK associations across numerous data types, including PowerShell logs, registry artifacts, scheduled tasks, and browser data. A new Browser Downloads Analyzer extends behavioral insight into potential malware delivery mechanisms through download patterns and referrers. The Amcache module has been retitled “Amcache Program Analyzer” to clarify its operational focus.
Additional refinements improve matching accuracy, introduce SRUM data enrichment, and enhance temporal context tracking for process analysis—significantly improving clarity and forensic reconstruction of attacker actions.
YARA-based detections have gained multiple new signatures identifying RATs, backdoors, and malicious utilities such as PipeMagic, Veeamp, Cloudflare Tunnel (cloudflared), Kazuar, and credential dumpers leveraging the WerfaultSecure binary. Extended rules also improve recognition of encoded PowerShell execution, credential access attempts, and exploitation of vulnerable drivers for privilege escalation. These updates deliver sharper threat visibility aligned with evolving ATT&CK techniques.
The DRONE integration now includes the newest Sigma rule sets from both SigmaHQ and Hayabusa repositories. This ensures ongoing alignment with community threat intelligence and expands pattern coverage for Windows and Sysmon event sources while maintaining backward compatibility with prior Sigma rule definitions.
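To illustrate what "Sigma rule coverage" means at the matching level for both the detection updates above (encoded PowerShell execution) and the Sigma integration, here is an added example that is not DRONE's engine and not a rule copied from SigmaHQ or Hayabusa: a minimal evaluator for the Sigma detection structure (field selections with `contains`/`endswith`/`startswith` modifiers, case-insensitive as Sigma specifies, and a condition of `and`/`or`/`not` terms) run over constructed process-creation events. The rule text, field names and sample events are constructed for this illustration.

```python
import base64

# Constructed Sigma-style rule (same structure as a Sigma rule, not a published one):
# PowerShell started with an encoded command, excluding a hypothetical approved launcher.
ENCODED_PS_RULE = {
    "title": "Encoded PowerShell Command Line",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection_img": {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
        "selection_arg": {"CommandLine|contains": ["-enc", "-EncodedCommand", "-e "]},
        "filter_parent": {"ParentImage|endswith": "\\scripts\\approved\\deploy.exe"},
        "condition": "selection_img and selection_arg and not filter_parent",
    },
    "tags": ["attack.execution", "attack.t1059.001"],
}


def match_selection(selection: dict, event: dict) -> bool:
    """All field/modifier pairs in a selection must match; list values are OR-ed.
    Matching is case-insensitive, following Sigma's default string semantics."""
    for key, wanted in selection.items():
        field, _, modifier = key.partition("|")
        actual = str(event.get(field, "")).lower()
        candidates = [str(w).lower() for w in (wanted if isinstance(wanted, list) else [wanted])]
        if modifier == "contains":
            ok = any(c in actual for c in candidates)
        elif modifier == "endswith":
            ok = any(actual.endswith(c) for c in candidates)
        elif modifier == "startswith":
            ok = any(actual.startswith(c) for c in candidates)
        else:                                   # no modifier: exact match
            ok = any(actual == c for c in candidates)
        if not ok:
            return False
    return True


def evaluate_condition(cond: str, results: dict) -> bool:
    """Evaluate 'a and b and not c' / 'a or b' over already-computed selection results.
    Supports only and/or/not without parentheses, which covers most simple rules."""
    for or_part in cond.split(" or "):
        and_ok = True
        for term in or_part.split(" and "):
            term = term.strip()
            negate = term.startswith("not ")
            name = term[4:].strip() if negate else term
            value = results[name]
            and_ok = and_ok and ((not value) if negate else value)
        if and_ok:
            return True
    return False


def evaluate_rule(rule: dict, event: dict) -> bool:
    detection = rule["detection"]
    results = {name: match_selection(sel, event)
               for name, sel in detection.items() if name != "condition"}
    return evaluate_condition(detection["condition"], results)


def run_rules(rules: list, events: list) -> list:
    """Return (event_index, rule_title) for every rule that fires on every event."""
    return [(i, r["title"]) for i, ev in enumerate(events) for r in rules if evaluate_rule(r, ev)]


# Constructed process-creation events; the encoded payload is a harmless Write-Host.
_ENCODED = base64.b64encode("Write-Host 'hello'".encode("utf-16-le")).decode()
_PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": _PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": f"powershell.exe -NoProfile -EncodedCommand {_ENCODED}"},
    {"Image": _PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe /c echo -enc"},
    {"Image": _PS, "ParentImage": "C:\\scripts\\approved\\deploy.exe",
     "CommandLine": f"powershell.exe -enc {_ENCODED}"},
]

if __name__ == "__main__":
    for idx, title in run_rules([ENCODED_PS_RULE], SAMPLE_EVENTS):
        print(f"event {idx}: {title} {ENCODED_PS_RULE['tags']}")
```

Event 3 shows why filter selections matter for tuning: the same encoded invocation from the approved launcher is suppressed by the `not filter_parent` clause, so a retrospective DRONE run over archived evidence would not re-raise it as a finding.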