Burak Kaan Ozbek
Bringing Forensic-Driven Insights to Every Stage of the Investigation Workflow
In cybersecurity today, you can’t move without bumping into an “AI-powered” product. The problem? Too often, it’s little more than marketing a generic chatbot bolted onto a security platform.
At Binalyze, we believe AI for cybersecurity and incident response should make investigations faster, but also make them more accurate, more comprehensive, and easier to act on. We recently introduced Fleet AI – our multi-agent system designed to turn analyst intent into concrete investigative action, orchestrated by Blacklight, and grounded in AIR’s forensic data.
We’re building on our unique forensic-driven investigation capabilities to bring the depth and precision of DFIR into every investigation, early in the workflow. This approach doesn’t just accelerate the process, it raises the quality of decisions and outcomes. And it’s why we’ve taken a deliberate, considered path to AI: one that delivers value today, lays the groundwork for tomorrow, and avoids burning resources on the wrong things.
Principles That Shape Our AI Strategy
-
Context is King
A raw LLM, no matter how large, won’t produce relevant investigative answers without trusted, domain-specific context.
In AIR, every AI-driven action is:
-
Contextualized with evidence from our forensic-driven incident response platform
-
Enriched through proprietary detection engineering prompts and custom tools
-
Validated against investigative rules to reduce irrelevant noise
The result: answers you can act on confidently.
2. Leverage, Don’t Reinvent
Training a proprietary large language model from scratch isn’t just expensive, it’s inefficient and a distraction from where progress really happens. The best LLMs are already being built and improved by teams with that dedicated mission, and the model landscape changes too quickly to justify locking into one approach.
Our strategy is to focus investment where it drives outcomes: the forensic data platform, the enrichment and routing layers, the safety guardrails, and the integration logic that make AI reliable in investigations. By engineering these layers, we ensure that any suitable model can operate effectively in our environment.
This approach avoids the opportunity cost of maintaining base models — regression testing, patch cadence, inference scaling — and instead channels energy into what improves real outcomes: better evidence, stronger tools, and resilient workflows.
3. Choice Matters
AI strategy is never one-size-fits-all. Some organizations prefer cloud models, while others require on-premises deployments due to policy or security constraints. That’s why our architecture is deliberately model-agnostic — giving flexibility to customers and to us.
Customers can:
-
Use the LLM provided by Binalyze (today this is GPT-4o), or
-
Integrate their own API keys for models like Gemini, Claude, or a self-hosted Ollama deployment.
Either way, the outcome is the same: forensic integration, guardrails, and reliability.
But choice isn’t just a customer feature — it’s also a strategic principle for Binalyze. By avoiding lock-in, we can always adopt the best engine for speed, cost, or accuracy. This keeps our architecture future-proof in a fast-moving ecosystem and ensures our energy stays focused where it matters most: trusted context, resilient workflows, and reliable outcomes.
4. Own the Foundation, Engineer for Resilience
We control the unglamorous but critical parts that make AI reliable:
- Our own data platform to ensure trustworthy inputs
- Guardrails, observability, and fallback mechanisms to keep investigations moving even if a model call falters.
- Feedback loops to improve prompt strategies, tool usage, and output relevance over time
This is what separates a resilient AI product from a demo. We’re not just consuming AI, we're implementing it with ownership of the parts that matter.
A Multi-Agent System for Real Investigations
We’re building a multi-agent architecture where each AI agent is designed for a specific investigative role. At the center is Blacklight, an orchestrator that routes analyst prompts to the best-fit agent and manages execution. At the time of writing, AIR’s Fleet AI includes two production agents rule creation and detection engineering capabilities (YARA, Sigma, osquery) directly in AIR via the Detection Engineer, and the Scripting Agent, which converts human-readable instructions (“collect all processes from host X”) into InterACT/OS commands to execute in AIR. This will abstract away complex, OS-specific syntax so analysts can work faster and with fewer errors.
Next, we’ll introduce Report Writer, a reporting agent that assembles executive-level summaries from case findings and artifacts; highlighting scope, timeline, affected assets, key IOCs/artifacts, and recommended actions with evidence-linked citations back to AIR and export-ready outputs (e.g., PDF/Docx).
Each agent combines two capabilities that set us apart:
-
Proprietary prompt engineering tuned for DFIR workflows.
-
Custom tools that allow the LLM to act directly inside Binalyze AIR - pulling evidence, running tasks, and enriching cases - rather than relying on generic web search.
No-Code Orchestration for the SOC of the Future
AI agents won’t just act inside AIR, they’ll orchestrate across your security stack. That’s why we’re integrating with n8n, the open-source workflow automation platform.
AIR’s extensive open API already means that 70% of a SOC’s everyday tasks — acquiring evidence, running investigations, searching for IOCs, executing commands, remediating assets, creating and closing cases, assigning cases — are now available for any workflow.
That means you can:
-
Trigger an AIR node and receive its output directly into almost any of 1000+ other products, apps and services including n8n’s built-in AI features.
-
Chain forensic tasks with ticketing, threat intel, communication, and remediation tools — all in one visual workflow
-
Inject forensic visibility into any investigation, whether inside the Investigation Hub, through API, or via webhooks
With this integration, you can visually build workflows like:
-
Pull evidence from AIR
-
Run the Scripting Agent to perform targeted tasks
-
Store results in Google Drive
-
Send an automated Slack alert to the incident team
No code. No lock-in. Just flexibility — automation on your terms, powered by an open, extensible platform and a native multi-agent AI system.
Where This Differs From Other Vendors
AIR versus “AI-washing” vendors:Many slap GPT into a product, providing impressive summarization but lacking deep integration or meaningful forensic workflows.
AIR versus native AI companies: They may build sleek generalist models, but they lack deep hooks into enterprise DFIR workflows and the trusted forensic evidence that real investigations demand.
Our differentiator: Purpose-built forensic context + interoperability + future-proof architecture
Context is the fuel of AI agents, and Fleet AI runs on the most comprehensive DFIR evidence base in the industry: AIR. Unlike “connector” or “consolidation” tools that patch together fragmented external sources, our intelligence is rooted directly in AIR — ensuring accuracy, timeliness, and trust at every step. This forensic-first foundation means Fleet AI isn’t propped up by borrowed data; it’s powered by the same platform that countless other tools already depend on, making our approach uniquely reliable and effective.
Closing the Gap Between AI Hype and Investigation Reality
The promise of AI for investigation workflows is huge but only if it’s built with forensic context, operational relevance, and technical credibility.
That’s the path we’re on at Binalyze: delivering AI that works today, evolves rapidly, and is grounded in the realities of modern incident response.
