AIR

#291 most-used

Forensic evidence collected, triaged, and cased — automatically

Analytics · Support · Developer · Security · Automation

Binalyze AIR is an enterprise Digital Forensics & Incident Response platform that lets security teams collect evidence from remote endpoints, run triage scans, manage investigation cases, and execute live forensic commands — all without physical access. Connect AIR to Actionist and your agent can trigger acquisitions the moment an alert fires, pull triage results into your SOC dashboard, create and populate cases automatically, and run YARA hunts across your entire fleet while your analysts focus on decisions, not logistics.

Average time saved
10 hours
per person · per month
≈ 1 workday back

Eliminates manual work. AIR automation eliminates the manual steps of logging into the console to trigger acquisitions, polling for completion, downloading evidence files, and creating case records — each of which previously required an analyst's direct attention for every incident.

Schedule

What your AIR agent runs on autopilot

A week of scheduled jobs your Actionist agent will execute on your behalf.

28 scheduled jobs
7 agents at work
24/7 always on
Multi-app workflows

AIR × every other app you use

End-to-end automations that span multiple apps — each one a real business outcome.

6 workflows
9 apps spanned
~23 hrs saved / week
6 personas served
For customer success
Featured · 4 apps

Breach alert to contained endpoint in 5 minutes

When a customer's security operations team emails the IR hotline about a suspected compromise, the agent reads the email, queries AIR for the named endpoint, triggers an immediate triage scan, and posts the first findings to Slack before the analyst has finished their coffee — then blocks the Google Calendar of the IR team for a two-hour response window so no conflicting meetings interrupt containment. By the time a human joins the Slack thread, the agent has already identified the highest-severity finding and flagged it for priority action.

~6 hrs

Time saved for your team — every week, on autopilot

The flow
Trigger: When a new email arrives in the IR hotline Gmail inbox reporting a suspected endpoint compromise
Result:
  • Get triage results once scan completes
  • Post triage findings summary to #incident-response channel
  • Block 2-hour response window for IR team
The win
Saved per run
45 min
Runs / week
~8×
First findings in 5 minutes, not 45
Driven by: Customer Support Agent
ROI

Savings

What your team gets back — two angles: what you stop doing manually, and what that's worth.

Without Actionist

What you do manually today

With Actionist

What your agent runs for you

  • Sales
    18 min / week
    Manual case metrics pull

    Sales engineers export AIR case stats by hand each week to build proof-of-value reports for prospects.

    Sales Agent
    0 min
    Agent delivers case metrics on demand

    Agent queries AIR for closed cases, extracts MTTC and evidence counts, and formats a proof-of-value summary for each prospect meeting.

  • Marketing
    13 min / week
    Threat-data blog research

    Content team manually requests anonymised incident data from the IR team each month to write data-backed blog posts.

    Marketing Agent
    0 min
    Agent mines cases for content

    Agent pulls anonymised triage findings from AIR, extracts threat-pattern stats, and drafts a data-backed article draft without involving the IR team.

  • Customer Support
    18 min / week
    Incident intake and routing

    Support analysts manually read security incident emails, log them in AIR, and assign the case to the right IR engineer.

    Customer Support Agent
    0 min
    Agent triages and routes instantly

    Agent reads the incoming email, opens an AIR case, triggers a triage scan on the named endpoint, and pings the IR lead in Slack — all within 90 seconds.

  • Human Resources
    7 min / week
    Offboarding endpoint check

    HR manually coordinates with IT to trigger an AIR triage scan on a departing employee's laptop before it is wiped.

    Human Resources Agent
    0 min
    Agent runs offboarding scan automatically

    Agent detects the offboarding flag in the HR system, triggers an AIR triage scan on the endpoint, and logs the result to the departing employee's record before IT wipes the device.

  • Finance
    13 min / week
    Incident cost data gathering

    Finance team manually asks the IR team for acquisition counts and response hours after each incident to calculate cyber-insurance loss costs.

    Finance Agent
    0 min
    Agent extracts IR cost data from cases

    Agent reads closed AIR case data — acquisition count, evidence volume, timeline — and populates the incident cost model automatically after each case is closed.

  • Operations
    25 min / week
    Asset-to-policy reconciliation

    Operations engineer manually compares the CMDB asset list against AIR-registered endpoints each quarter and applies missing policies one by one.

    Operations Agent
    0 min
    Agent reconciles and applies policies

    Agent compares the asset sheet against AIR registrations, applies the correct department policy to each new endpoint, and logs any gap to a Notion remediation backlog.

  • Legal
    6 min / week
    Evidence chain-of-custody prep

    Legal team manually requests acquisition hashes and timestamps from the IR team before each litigation hold or regulatory submission.

    Legal Agent
    0 min
    Agent builds chain-of-custody records

    Agent reads completed acquisitions from the AIR case, computes evidence hashes, and outputs a formatted chain-of-custody document ready for legal review.

+ 100s of other AIR automations
Average monthly
10 hrs / person / month
Calculator

Calculate what your team saves

Team size
10 people
Hourly rate
$20 / hr
Hours saved / week
25
Hours saved / year
1,250
Annual ROI
$25,000

Based on AIR's typical team usage — the visible tasks plus a few other automations the agent runs: ~2.5 hrs / person / week of admin work automated.

Connect

How to plug AIR into Actionist

Pick the connection method that suits your environment.

The fastest path to your AIR estate. Actionist installs the Binalyze AIR MCP server and authenticates via your organisation's API token in a single flow — no manual credential rotation, and every AIR action the agent needs is immediately available.

1
Open the Apps tab

Find AIR in the Apps library and click Connect. MCP is selected by default.

2
Enter your AIR API token

In Binalyze AIR, navigate to Settings → API Tokens, generate a token with 'Read Cases', 'Write Acquisitions', and 'Manage Assets' scopes, and paste it into the Actionist prompt.

3
Test the connection

Actionist runs a read-only call to verify the handshake. You're ready.

Actions

15 actions your agent can call

Read and write operations available to your Actionist agent.

Triggers

7 events your agent can react to

Events your agent watches for, and the actions it kicks off in response.

Skills

Skills that pair with AIR

Reusable agent skills that work well alongside this app.

AI Persona OS

Gives the AIR-connected agent a configurable security analyst persona — useful for tuning how the agent communicates triage findings to different audiences from SOC analysts to executives.

QVeris Official

Discovers and calls real-time threat-intelligence APIs at runtime, letting the agent enrich AIR findings with live reputation data without hard-coding tool integrations.

Decision Trees

Structures the agent's containment and escalation decisions — for example, choosing between a triage scan and a full acquisition based on finding severity and endpoint criticality.

MCP servers

MCP servers that work with AIR

Connect Actionist to MCP servers built for or around this app.

UK Air Quality MCP Server from MCPBundles
Official

Provides real-time UK air quality sensor data — unrelated to Binalyze AIR but included as a name-collision disambiguation for teams building environmental monitoring workflows alongside their DFIR tooling.

air
Official

Compresses and optimises tool output from read, grep, diff, and bash commands — useful for reducing token overhead when the AIR agent processes large forensic text outputs.

airblackbox/air-blackbox-mcp
Official

Scans Python AI agent code against EU AI Act compliance requirements across 6 articles — helps security teams validate that their Actionist workflows meet regulatory obligations before deployment.

FAQs

Questions about AIR + Actionist

What credentials does Actionist need to connect to Binalyze AIR?
Actionist connects using a Binalyze AIR API token generated under Settings → API Tokens in your AIR console. Grant only the scopes your workflows require — for example 'cases:read' and 'acquisitions:write' for a triage-and-case workflow. The token is stored encrypted in Actionist's credential vault and is never logged.
Can the agent trigger acquisitions on any endpoint, or only ones I specify?
The agent triggers acquisitions only on endpoints you explicitly name in the workflow, either by hostname or asset ID pulled from your AIR asset list. It does not enumerate and sweep your entire estate unless you configure a step that reads the full asset list and iterates it — that decision stays with you, not the agent.
How do I avoid accidentally triggering duplicate acquisitions on the same endpoint?
Check for an existing 'running' acquisition on the target endpoint using the List acquisitions action before triggering a new one. If the agent finds an active job, it can wait for completion rather than stacking a second collection — add a conditional step that skips the trigger if any acquisition for that endpoint has status 'running' or 'queued'.
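The conditional step described in this answer, written out as a small idempotency guard. This is an added example, not Actionist or Binalyze code: it assumes the List acquisitions action returns a list of records with `id`, `endpoint` and `status` fields (that shape is an assumption, not the product's documented schema), and the sample records are constructed.

```python
"""Idempotency guard for AIR acquisition triggers.

Added example, not Actionist or Binalyze code. It assumes the 'List
acquisitions' action returns a list of dicts with at least 'id', 'endpoint'
and 'status' keys; that record shape is an assumption.
"""
from typing import Iterable

# Statuses that mean a collection is already in flight on the endpoint,
# as named in the FAQ answer above.
ACTIVE_STATUSES = frozenset({"running", "queued"})


def active_acquisitions(acquisitions: Iterable[dict], endpoint: str) -> list:
    """Return the acquisitions for `endpoint` that are still running or queued.

    Hostname and status comparisons are case-insensitive so that 'srv-db-02'
    and 'SRV-DB-02', or 'Queued' and 'queued', are treated as the same thing.
    """
    target = endpoint.strip().lower()
    return [
        a for a in acquisitions
        if str(a.get("endpoint", "")).strip().lower() == target
        and str(a.get("status", "")).strip().lower() in ACTIVE_STATUSES
    ]


def should_trigger(acquisitions: Iterable[dict], endpoint: str) -> tuple:
    """Decide whether a new acquisition may be started on `endpoint`.

    Returns (True, reason) when it is safe to trigger and (False, reason)
    when an active job exists and the workflow should wait for it instead.
    """
    active = active_acquisitions(list(acquisitions), endpoint)
    if active:
        ids = ", ".join(str(a.get("id", "?")) for a in active)
        return False, f"skip: {len(active)} active acquisition(s) on {endpoint} ({ids})"
    return True, f"trigger: no running or queued acquisition on {endpoint}"


# Constructed sample response, modelled on what a List acquisitions call
# might return; the ids, hostnames and statuses are made up for this example.
SAMPLE_ACQUISITIONS = [
    {"id": "acq-101", "endpoint": "WS-FINANCE-07", "status": "completed"},
    {"id": "acq-102", "endpoint": "WS-FINANCE-07", "status": "running"},
    {"id": "acq-103", "endpoint": "SRV-DB-02", "status": "failed"},
    {"id": "acq-104", "endpoint": "srv-db-02", "status": "Queued"},
    {"id": "acq-105", "endpoint": "LT-HR-11", "status": "completed"},
]

if __name__ == "__main__":
    for host in ("WS-FINANCE-07", "SRV-DB-02", "LT-HR-11"):
        ok, why = should_trigger(SAMPLE_ACQUISITIONS, host)
        print(host, "->", why)
```

In a workflow, `should_trigger` runs between the List acquisitions step and the Start acquisition step; only when it returns `True` does the trigger fire, otherwise the agent polls for completion of the job it found.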
What evidence artefacts can the Download evidence file action retrieve?
Binalyze AIR can collect memory dumps, full or partial disk images, volatile-data packages (running processes, network connections, open files), event logs, browser artefacts, and custom acquisition profiles. The Download evidence file action retrieves whichever artefact type the acquisition profile captured — the available files are listed in the acquisition result before you call the download step.
Does running a triage scan affect endpoint performance?
Binalyze AIR is designed for low-impact remote collection and triage. The agent that runs on the endpoint uses a throttled I/O mode to avoid disrupting production workloads. That said, for memory-intensive acquisitions on database servers, schedule the collection during a maintenance window or use AIR's throttle-level setting — set it via the acquisition profile before the agent triggers the job.
Can I scope triage scans to a specific department or network segment?
Yes — use the Tag asset action to label endpoints by department or VLAN, then scope your triage scan to assets carrying that tag. The Start triage scan action accepts asset-filter parameters including tags, OS type, and last-seen window, so the agent never sweeps beyond the intended scope.
How are YARA rules managed when running a YARA scan via the agent?
YARA rules are stored and versioned in Binalyze AIR's rule library under the Threat Hunting section. When the agent calls Run YARA scan, it references a rule set by ID — create and test the rule in the AIR console first, then use its ID in the Actionist workflow. This keeps rule governance in the hands of your threat-intel team while the agent handles the execution and result routing.
What happens if an endpoint goes offline while the agent is waiting for an acquisition to complete?
If the endpoint disconnects mid-acquisition, AIR fires the 'Endpoint went offline mid-acquisition' trigger. Configure a handler workflow that downloads whatever evidence was already collected, hashes it, and flags the case with a 'partial collection' label. The agent can also alert the SOC channel with the percentage of evidence captured before the disconnect, helping the team decide whether to re-acquire or proceed with partial data.
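The handler described in this answer, and the chain-of-custody record mentioned under the Legal persona above, as one added example that is not Binalyze or Actionist code. It assumes the Download evidence file step has already written the collected artefacts to a local directory; the expected-artefact list, the SHA-256 hashing, the record layout and the 'partial collection' label are the hypothetical handler logic, and the evidence files are constructed in a temporary directory.

```python
"""Chain-of-custody record for a complete or partial evidence set.

Added example, not Binalyze or Actionist code. It assumes the downloaded
evidence already sits in a local directory and that the acquisition profile
tells us which artefact files to expect; both are assumptions.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so a large image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_custody_record(case_id, endpoint, evidence_dir, expected_files, collected_by):
    """Hash every file present, compare against the expected artefact list and
    label the record 'partial collection' when anything is missing."""
    entries = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if os.path.isfile(path):
            entries.append({
                "file": name,
                "size_bytes": os.path.getsize(path),
                "sha256": sha256_file(path),
            })
    present = {e["file"] for e in entries}
    missing = sorted(set(expected_files) - present)
    expected = len(expected_files)
    # Percentage of expected artefacts captured before the disconnect.
    pct = round(100 * (expected - len(missing)) / expected) if expected else 100
    return {
        "case_id": case_id,
        "endpoint": endpoint,
        "collected_by": collected_by,
        "recorded_at": datetime.now(timezone.utc).isoformat(),
        "label": "partial collection" if missing else "complete collection",
        "percent_captured": pct,
        "missing_files": missing,
        "evidence": entries,
    }


def demo():
    """Constructed scenario: three artefacts expected, two downloaded before
    the endpoint went offline. Case id and hostname are made up."""
    expected = ["memory.raw", "eventlogs.zip", "volatile.json"]
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "memory.raw"), "wb") as f:
            f.write(b"\x00" * 4096)
        with open(os.path.join(d, "eventlogs.zip"), "wb") as f:
            f.write(b"PK\x03\x04 sample")
        return build_custody_record(
            "CASE-EXAMPLE-1", "WS-FINANCE-07", d, expected, "Actionist agent"
        )


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `percent_captured` value is what the handler would post to the SOC channel, and the `label` is what it would attach to the case; keeping the hashes in the record at download time means the values can later be compared against the hashes AIR reports for the acquisition.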