Release Notes - AIR

Binalyze AIR v5.0

Written by Elif Kurt | Thu, Aug 21, '25

What’s New?

  • Redesigned Timeline in Investigation Hub: The Timeline has been rebuilt for speed, precision, and interactivity. Analysts can now run high-performance attribute-based searches, apply advanced evidence-specific filters, and visualize events, findings, and flags in zoomable charts. Infinite-scroll tables with enriched metadata enable direct flagging, note-taking, and pivoting between timeline and evidence views. Exports to CSV (with optional detailed evidence context) streamline reporting, compliance, and collaborative workflows.
    The new Timeline applies only to cases created after the 5.0 release. The previous timeline views remain available temporarily for historical cases, but they will be deprecated with the 5.2 release.

  • Enhanced Case Management with Insights & Customization: The Cases module now includes visual task and disk usage metrics, member highlights, and a case overview panel for instant situational awareness. A redesigned Kanban board supports fully customizable tags and categories, allowing teams to organize, prioritize, and triage cases by type, severity, or workflow with greater flexibility.

  • Fleet AI – Multi-Agent DFIR Assistance with BYOAI Support: Fleet AI transforms natural language into expert-level technical outputs, enabling DFIR teams to generate threat hunting rules, scripts, and answers to investigative questions instantly. New in 5.0, BYOAI support allows connection to OpenAI GPT, Anthropic Claude, Google Gemini, and self-hosted Ollama models—empowering teams with customizable, privacy-focused AI capabilities.

 

New Features & Improvements

Investigation Hub

New Interactive Timeline

The Timeline feature has been completely overhauled and integrated directly into the Investigation Hub. This lets analysts gain insights into events, flags, and findings across investigations with fine-grained temporal resolution. The timeline supports multiple time granularities (hour/day/month/year), interactive zooming, and a cursor with contextual highlights. Users can scroll, filter, and annotate time-ranged events, making it a powerful visual starting point for time-based forensic analysis.

Timeline Table Enhancements

A redesigned Timeline table now lists all timeline events. Analysts can use it to inspect metadata, assign flags, create notes, or promote timeline events to confirmed findings. All changes to flags and notes are fully synchronized across the platform. The interface supports infinite scrolling, detailed expandable panels, and a high level of visual fidelity in representing time-correlated data. It complements the event bars to streamline root cause identification during incidents.

Evidence Category Specific Filters for Timeline

The Advanced Filters interface has been enhanced to allow filtering not only on standard investigation fields, but also using evidence-category specific attributes. You can now apply filters based on IP addresses, paths, user IDs and other fields unique to different types of forensic artifacts (e.g., unified audit logs, process lists, file systems). Highlighted fields explain why certain events were captured, with options to add these filters on click. This brings precision and depth to timeline data searches without visual clutter.

Functionally Enriched Timeline Bar

The timeline header view supports interactive zoom (keyboard/mouse), cursor locking, indicators for time slots outside the current view, flag and finding overlays, and state persistence. Toggle switches show or hide flagged or finding-related events. Navigation works from the UI or via keyboard shortcuts, giving the forensic analyst a fluid way to move across time scales during an investigation.

Flagging and Finding Integration with Timeline

Flagging and finding operations have been extended across all views. Actions taken on timeline events are reflected in the evidence and findings views as well, ensuring consistent views regardless of where the action originates. This bi-directional synchronization keeps analytical steps traceable and consistent across modules.

Timeline Mini Map & Zoom Range Indicator

A mini-map below the timeline shows the full activity distribution across your investigation. Users can select viewports, scroll horizontally, or apply zoom ranges directly from the mini-map. This gives immediate awareness of data density over time and helps analysts explore large ranges without visual fatigue.

Filter-Aware Timeline View

Global filters—such as dates, assets, finding types, and evidence categories—are now persistent and actively constrain visible ranges on the timeline. Disabled range regions visually communicate current filters. Additionally, if views are out of bounds, informative warnings ensure analysts are never misled by partial evidence renders.

Timeline Preferences Panel

The timeline bar supports multiple layout and display options. Users can switch between bar or line chart views, choose to display or hide empty ranges for compact timelines, and toggle cursor visibility. These preferences let analysts adapt views for complex investigations or high-volume triage needs.

Timeline Evidence Synchronization & Visualization

Each evidence item can now optionally show where and how its data appears on the Timeline. Analysts can click a timestamp in the evidence detail panel to jump directly to that timeline segment, or use context filters to see only timeline events from a particular artifact. This cross-linking streamlines correlation and root cause analysis.

Display Flags / Findings Toggle Controls

New toggle controls allow selective viewing of flags and finding indicators across the Timeline. This improves clarity during large or long-running investigations and supports focused drill-down during follow-ups or collaborative analysis.

Export Timeline Table with Evidence

Users can now export Timeline event tables to CSV, with timestamps in either UTC (Z suffix) or local time. A toggle includes the associated evidence metadata as JSON. Exports are useful when timeline artifacts must be imported into an external case system, shared across organizations, or retained for audit. Prefer the UTC option when the export will be correlated with evidence from other time zones or consumed by another tool; local-time timestamps are ambiguous across DST transitions and whenever the consumer's time zone differs from the exporter's.
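As an added example (not AIR's own code, and not its export format, whose column names are unknown here), the following Python script loads such a CSV export, normalizes every row to UTC, decodes the JSON evidence column and orders the rows chronologically. The sample export is constructed for this example and its column names (timestamp, evidence_category, asset, summary, evidence) are assumptions; check the header of a real export and adjust the keys. A timestamp without an offset is flagged rather than silently trusted.

```python
import csv
import io
import json
from datetime import datetime, timezone

# Constructed sample export. Column names are an assumption for this example,
# not AIR's actual export layout.
SAMPLE_CSV = """timestamp,evidence_category,asset,summary,evidence
2025-08-21T10:15:30Z,process_list,WS-042,powershell.exe spawned by winword.exe,"{""pid"": 4120, ""ppid"": 2210, ""flagged"": true}"
2025-08-21T13:16:02+03:00,unified_audit_log,M365,MailItemsAccessed by svc-backup,"{""user_id"": ""svc-backup"", ""client_ip"": ""203.0.113.7""}"
2025-08-21 10:17:45,file_system,WS-042,update.vbs created under C:\\Users\\Public,"{""size"": 1337, ""sha256_prefix"": ""9f86d0""}"
"""


def parse_timestamp(value):
    """Return (UTC datetime, ambiguous). A local-time value without an offset
    cannot be placed on the UTC axis with certainty, so it is flagged."""
    text = value.strip()
    if text.endswith("Z"):                      # fromisoformat() rejects "Z" before Python 3.11
        text = text[:-1] + "+00:00"
    stamp = datetime.fromisoformat(text)
    if stamp.tzinfo is None:
        return stamp.replace(tzinfo=timezone.utc), True
    return stamp.astimezone(timezone.utc), False


def load_timeline(csv_text):
    """Parse the export, normalize each row to UTC, decode the evidence JSON
    and return the rows in true chronological order."""
    rows = []
    for record in csv.DictReader(io.StringIO(csv_text)):
        utc, ambiguous = parse_timestamp(record["timestamp"])
        evidence = json.loads(record["evidence"]) if record.get("evidence") else {}
        rows.append({
            "utc": utc,
            "ambiguous_tz": ambiguous,
            "category": record["evidence_category"],
            "asset": record["asset"],
            "summary": record["summary"],
            "evidence": evidence,
        })
    rows.sort(key=lambda r: r["utc"])
    return rows


if __name__ == "__main__":
    for row in load_timeline(SAMPLE_CSV):
        warn = " (no offset: assumed UTC)" if row["ambiguous_tz"] else ""
        print(row["utc"].isoformat(), row["asset"], row["category"], row["summary"] + warn)
```

The second row, exported in local time with a +03:00 offset, sorts correctly between the other two only after conversion; the third row, exported without any offset, is the case the UTC export option exists to avoid.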

Timeline Table and Bar Chart Synchronization

A toggle synchronizes focus between the timeline bar chart and the corresponding data table. When enabled, any zoom, pan, or date range selection in the chart is reflected in the table below. Enabled by default, this synchronization keeps investigators on the relevant time-bound events with no manual switching between context layers.

Flag-Based Sorting for Findings

Findings and evidence tables can now be sorted by Flag status. This enhancement is crucial for post-incident reviews, allowing analysts to immediately focus on findings previously marked during investigations. Analysts can leverage this to return to prioritized artifacts without re-filtering large datasets.

 

Case Management

Case Overview & Metrics

The case overview page has been revitalized to present key investigation metrics such as total assets, task distribution by type and status, team members, disk usage, and case notes. A new metrics overview panel offers aggregated views of case counts by status, asset volumes, disk usage, and task types over time, helping coordinators monitor throughput and resource allocation. A fixed insights pane provides a persistent at-a-glance summary of case activity, asset counts, and disk usage directly from the Cases page.

Detailed Case View

Clicking on a case now opens an expanded view or details drawer containing complete metadata, including tasks, assigned members, tags, notes, and disk usage. Ownership can be assigned directly, and collaborative note-taking with tagging and mentions is supported. Visual task breakdowns make it easy for managers to assess the scope, progress, and contributions of each team member.

Kanban Board Redesign

The Kanban interface has been modernized with full drag-and-drop support for case cards and dynamic column updates. Cards display enriched metadata, including tags, categories, and assignments, for quick identification of high-priority cases. User-specific layout preferences for grouping by status, tag, or category are saved for a seamless experience.

Tags & Categories for Flexible Organization

A new tag and category model enables analysts to classify cases with visual labels such as Malware or Phishing, and workflow categories such as For Review or Escalated. Cases can be grouped dynamically by status, tag, or category to reflect organizational priorities, with grouping logic respecting organizational scope for real-time workload segmentation.

Insight-Driven Case Management

The case insights panel aggregates investigation statistics and timelines into a single view for DFIR leads, integrating task metrics, disk usage tracking, and asset counts to support data-driven prioritization and escalation decisions.

Asset and Task Management

Enhanced Evidence Upload Strategy

Downloading task data from repositories now detects and handles interrupted or incomplete archive writes. A partial evidence archive is no longer accepted silently, which prevents it from corrupting post-processing and improves forensic traceability.

Improved interACT Shell Session Handling

Terminating an interACT remote shell session using the UI close action now ensures task status is correctly marked as completed. Additionally, controls for minimizing and exiting fullscreen are now fully visible, even after layout changes—addressing analyst UX complaints in remote operations.

One-Click DRONE Configuration

Initiating acquisition tasks with DRONE analyzers now uses a simpler flow: selecting a single option enables all related analysis logic. This accelerates task creation, especially in time-sensitive breach scenarios.

 

Fleet AI

Fleet AI is Binalyze’s next-generation multi-agent intelligence platform built to provide SOC and response teams with on-demand, expert-level assistance. It transforms natural language prompts into actionable, technical outputs—removing complexity and speeding up every stage of the investigative workflow.

Multi-Agent Intelligence for Investigations

Fleet AI hosts specialized agents capable of handling different DFIR-related tasks:

  • Detection Engineer Agent: Converts investigative objectives into professional-grade threat hunting rules.

  • Scripting Agent: Translates plain English into interACT commands.

These agents operate collaboratively to produce contextual, precise outputs that are ready for immediate use.

Natural Language to Actionable Results

  • Analysts can describe investigative needs in everyday language—Fleet AI handles the translation into technical rules, queries, and commands.

  • Eliminates the need to memorize syntax, consult documentation, or wait for specialist input.

  • Supports complex multi-step requests by breaking them down and generating results for each stage.

BYOAI – Bring Your Own AI (New in 5.0)

Fleet AI now allows customers to connect their own AI models or accounts for enhanced flexibility and privacy:

  • OpenAI GPT

  • Anthropic Claude

  • Google Gemini

  • Ollama

With a self-hosted Ollama model, prompts and the investigative context they carry stay inside the customer-controlled environment. With OpenAI, Anthropic, or Google, that data is sent to the provider under the customer's own account and terms, so review the provider's data retention and training settings before enabling Fleet AI on sensitive cases.

AWS Bedrock integration is planned for a future release.

Enterprise-Ready Design

  • Authentication & Security: JWT-based authentication supports secure integration with enterprise identity systems.

  • Speech-to-Text: Converts verbal queries into Fleet AI prompts, enabling faster hands-free interactions.

  • Deployment Options: Embedded directly in the Binalyze AIR UI for a seamless investigative environment.

Modern Architecture

  • Backend: FastAPI for high-performance, scalable processing.

  • Frontend: Next.js chat interface for smooth, real-time interaction.

  • Modes: Iframe-embedded deployments without additional dependencies.

  • Optimized for responsiveness and low-latency communication with AI models.

Integration with the DFIR Workflow

Fleet AI is designed to integrate directly into investigation workflows inside AIR:

  • Suggests relevant interACT commands while reviewing evidence.

  • Generates threat hunting rules based on findings.

  • Produces technical documentation and investigation reports without manual drafting.

By embedding expertise directly into the platform, Fleet AI reduces time-to-insight and helps standardize investigative output quality.

 

Integrations

Improved Role Handling for API Users

The update user API now supports both role IDs and role tags (e.g., "l1_l2_analyst") to simplify automation workflows, especially when integrating with external identity and provisioning systems.

Support for Acquisition Profile Metadata

Case task query APIs now include metadata about acquisition profiles and custom task types. This allows sorting, filtering, and reporting based on which methodology was used per task—critical for consolidating analytical evidence and profiling collection behaviors.

Settings

SSL Certificate Identifier Algorithm Update

Serial numbers for internal SSL certificates are now generated with higher cryptographic entropy, improving uniqueness guarantees and compatibility with key management tools.
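As an added example (not AIR's implementation, whose details the notes do not give), here is what a hardened serial generator and the check a key-management tool applies look like in Python. The constraints are RFC 5280 section 4.1.2.2 (a positive integer, at most 20 octets in DER) and the CA/Browser Forum baseline of at least 64 bits of CSPRNG output; the sequential generator shown alongside is the pattern such a change replaces.

```python
import secrets

SERIAL_MAX_OCTETS = 20   # RFC 5280 4.1.2.2: serials longer than 20 octets are non-conforming
SERIAL_MIN_BITS = 64     # CA/Browser Forum baseline: at least 64 bits of CSPRNG output


def der_octets(serial):
    """Length of the DER INTEGER content for a positive serial. One extra
    octet is needed when the top bit of the first byte would otherwise be
    set, because DER would read that as a negative number."""
    return (serial.bit_length() + 8) // 8


def serial_to_der(serial):
    """DER content bytes of a positive serial (big-endian, sign bit clear)."""
    return serial.to_bytes(der_octets(serial), "big")


def new_serial_number():
    """159 random bits: fits in 20 octets even after DER sign padding."""
    while True:
        serial = secrets.randbits(SERIAL_MAX_OCTETS * 8 - 1)
        if serial > 0:                       # zero is not a valid serial
            return serial


def weak_sequential_serial(counter):
    """The pattern being replaced: predictable, collides across reinstalls,
    and leaks how many certificates the instance has issued."""
    return counter + 1


def check_serial(serial):
    """Return the problems a CA or key-management tool would raise."""
    problems = []
    if serial <= 0:
        problems.append("serial must be a positive integer")
    elif der_octets(serial) > SERIAL_MAX_OCTETS:
        problems.append("DER encoding exceeds %d octets" % SERIAL_MAX_OCTETS)
    if serial.bit_length() < SERIAL_MIN_BITS:
        problems.append("fewer than %d bits: looks sequential or low-entropy"
                        % SERIAL_MIN_BITS)
    return problems


if __name__ == "__main__":
    good = new_serial_number()
    print(hex(good), der_octets(good), "octets", check_serial(good))
    print("sequential:", check_serial(weak_sequential_serial(41)))
    print("too long:", check_serial(1 << 160))
```

Generating 160 random bits instead of 159 is a common mistake: whenever the top bit is set, DER sign padding pushes the encoding to 21 octets, and strict validators reject the certificate.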

Improved Role Update Flexibility

User update endpoints now accept role names as well as role IDs, improving human readability and automation compatibility across identity tooling pipelines.

 

Bug Fixes

  • Repository Explorer – Processor Not Found Error: Addressed a production-level UI/backend inconsistency in which users received a "Processor Not Found" error in repository contexts. This prevented effective file browsing and slowed case loading during live investigations.

  • SSO User Group Persistence: Resolved an issue in which SSO-linked users were being unintentionally removed from user groups. This bug mostly affected teams operating large-scale environments with regulated access control schemes.

  • Improved IIS Autotag Rule Logic: Updated the auto asset tagging heuristic to avoid falsely identifying Windows 11 endpoints as IIS servers due to the presence of the default /inetpub directory. This misclassification could otherwise affect triage flows and policy assignments.

  • Case Import Stability: Fixed an issue in which SaaS users experienced incomplete task data within Investigation Hub due to intermittent failures in temporary file downloads during import. This was caused by unflushed disk writes that rendered archives unreadable. The fix improves reliability for case-based evidence visibility when operating in S3-backed environments.

  • Export Accuracy Fixes for Asset Lists: Resolved a reported bug in which the “Managed” status field displayed incorrect values in exported asset data.

  • UI Improvements for interACT: interACT task windows now close correctly when terminated via the 'x' button, resolving an issue where tasks were stuck in “processing” state. Additionally, window sessions and maximize/close UI controls are now rendered correctly in all resolution settings.
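The IIS auto-tag fix above is a good illustration of why presence of a well-known directory is weak evidence. As an added example (not AIR's tagging code, whose exact rule is not given in the notes), the Python below runs the over-broad rule and a hardened one over three constructed assets. The asset dictionaries and their field names are assumptions for this example; the hardened rule relies on two facts about Windows: installing the Web Server role registers the World Wide Web Publishing Service (W3SVC) and creates the HKLM\SOFTWARE\Microsoft\InetStp key, whereas C:\inetpub alone can exist on a Windows 11 client.

```python
# Constructed assets. Field names are assumptions for this example, not AIR's schema.
ASSETS = [
    {"hostname": "WS-11-042", "os": "Windows 11 Pro",
     "directories": [r"C:\inetpub", r"C:\Users\Public"],
     "services": ["WinDefend", "Spooler"], "registry_keys": []},
    {"hostname": "WEB-01", "os": "Windows Server 2022",
     "directories": [r"C:\inetpub", r"C:\inetpub\wwwroot"],
     "services": ["W3SVC", "WAS"],
     "registry_keys": [r"HKLM\SOFTWARE\Microsoft\InetStp"]},
    {"hostname": "FS-03", "os": "Windows Server 2019",
     "directories": [r"D:\Shares"], "services": ["LanmanServer"], "registry_keys": []},
]


def has_inetpub(asset):
    # The over-broad rule: C:\inetpub also appears on Windows 11 endpoints.
    return any(d.lower() == r"c:\inetpub" for d in asset.get("directories", []))


def has_iis_components(asset):
    # Installing the Web Server role registers the W3SVC service and creates
    # HKLM\SOFTWARE\Microsoft\InetStp. Either is evidence of IIS; the directory
    # by itself is not.
    services = {s.lower() for s in asset.get("services", [])}
    keys = {k.lower() for k in asset.get("registry_keys", [])}
    return "w3svc" in services or r"hklm\software\microsoft\inetstp" in keys


RULES_BEFORE = {"iis-server": has_inetpub}
RULES_AFTER = {"iis-server": has_iis_components}


def auto_tag(asset, rules):
    """Tags whose predicate matches this asset, sorted for stable output."""
    return sorted(tag for tag, matches in rules.items() if matches(asset))


def tag_fleet(assets, rules):
    """Hostname -> tags for every asset, under the given rule set."""
    return {a["hostname"]: auto_tag(a, rules) for a in assets}


if __name__ == "__main__":
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        print(label, tag_fleet(ASSETS, rules))
```

The same structure, a dictionary of tag to predicate, makes it easy to review every auto-tag rule for the same weakness: any predicate that tests only a path is a candidate for the same false positive once an OS update starts shipping that path by default.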

 

Binalyze MITRE ATT&CK Analyzer is now at version 10.3.2

MITRE ATT&CK Analyzer / YARA

A wave of crucial updates enhances detection capabilities across multiple malware categories. New signatures now identify RustyClaw, a Rust-based downloader; SnipBot (RomCom 5.0), which exhibits data exfiltration and post-exploitation capabilities; and Mythic C2-based malware leveraging recent WinRAR vulnerabilities. Detection also covers obfuscated VBScript, heartCrypt packers, and variants used by threat groups such as UAT-5647 and UAT-7237. Improvements were also made in identifying Cobalt Strike strings and LNK file padding exploits targeting known CVEs.

Dynamo Analyzer

Detection logic now identifies high-frequency scheduled tasks, which are often a sign of automated persistence or malware propagation. Name-based detection of known attacker tools across evidence further helps DFIR analysts quickly determine adversarial toolkit usage during triage and deeper investigations.
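As an added example of the high-frequency scheduled task check (not Dynamo's code, and the 10-minute threshold is an assumption, since the notes do not state the analyzer's threshold), the Python below parses Task Scheduler XML definitions, the format found under C:\Windows\System32\Tasks and returned by "schtasks /query /xml", reads each trigger's ISO 8601 repetition interval, and reports tasks that repeat at or below the threshold together with the command they run. The three task definitions are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# ISO 8601 durations as Task Scheduler writes them: P1D, PT4H, PT5M, P1DT30M
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Constructed task definitions in Task Scheduler XML layout (XML declaration omitted).
TASK_IMPLANT = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\OneDrive Sync</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-08-20T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>powershell.exe</Command><Arguments>-w hidden -ep bypass -f C:\Users\Public\sync.ps1</Arguments></Exec>
  </Actions>
</Task>"""

TASK_VENDOR = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Vendor\Update Check</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-01-01T12:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Vendor\updater.exe</Command></Exec>
  </Actions>
</Task>"""

TASK_BACKUP = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Backup\Snapshot</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT4H</Interval></Repetition>
      <StartBoundary>2025-01-01T00:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Tools\snapshot.exe</Command><Arguments>--quiet</Arguments></Exec>
  </Actions>
</Task>"""

SAMPLE_TASKS = [TASK_IMPLANT, TASK_VENDOR, TASK_BACKUP]


def iso_duration_seconds(text):
    """Convert a Task Scheduler duration such as PT5M into seconds."""
    match = DURATION_RE.match(text.strip())
    if not match:
        raise ValueError("unsupported duration: %r" % text)
    days, hours, minutes, seconds = (int(x) if x else 0 for x in match.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def parse_task(xml_text):
    """Extract the task name, every repetition interval and the executed command.
    For XML collected from a compromised host, parse it with defusedxml instead."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", default="(unnamed)", namespaces=NS)
    intervals = [iso_duration_seconds(el.text)
                 for el in root.findall("t:Triggers/*/t:Repetition/t:Interval", NS)]
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS)
    args = root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=NS)
    return {"name": name, "intervals": intervals, "command": (command + " " + args).strip()}


def high_frequency_tasks(task_xmls, max_interval_seconds=600):
    """Return (name, shortest interval, command) for tasks repeating at or
    below the threshold. Tasks without a Repetition element never qualify."""
    hits = []
    for xml_text in task_xmls:
        task = parse_task(xml_text)
        fast = [i for i in task["intervals"] if 0 < i <= max_interval_seconds]
        if fast:
            hits.append((task["name"], min(fast), task["command"]))
    return hits


if __name__ == "__main__":
    for name, interval, command in high_frequency_tasks(SAMPLE_TASKS):
        print("%s repeats every %ds: %s" % (name, interval, command))
```

Interval alone is the trigger for the finding; pairing it with the command line is what lets an analyst separate the one-minute PowerShell loop from a legitimate monitoring agent during triage.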

Sigma

The embedded Sigma engine has been updated to include advanced detections for PowerShell-based data collection and newly contributed rules from Hayabusa and SigmaHQ, increasing its efficacy in recognizing attacker behavior patterns across logs and endpoint activities.

Upcoming Events

Alongside your regular check-ins with your Customer Account Director, we have two upcoming opportunities to connect and learn:

Public Launch Webinar, September 10, 2025
Join Lee Sult, Binalyze’s Chief Investigator, for a high-level overview of AIR and its latest capabilities, including the redesigned Timeline feature. While aimed at those less familiar with AIR, customers are very welcome to attend.

Quarterly Customer Webinar, September 17, 2025
Our first customer-only session, hosted by the Binalyze CERT team, will dive into workflow best practices — starting with how to leverage AIR 5.0’s API for supercharged workflow automation.
Save the date and bring your questions!

Best regards,
Binalyze Team