A brief overview of AIR terminology

Acquisition Profile

A group of evidence types, application artifacts, and custom content items. There are acquisition profiles provided 'out-of-box' but you can also create additional ones by visiting "Integrations" in the Main Menu.

AIR Console

Web-based management interface which lets you manage your assets and assign tasks.


In Binalyze AIR, an asset is defined as any entity, whether a device or system, physical or virtual, that operates on a supported operating system such as Windows, macOS, Linux, Chrome, IBM AIX, and ESXi. Assets are the foundational elements on which Binalyze AIR performs various actions, including evidence collection and task execution, crucial for responding to and hunting cyber threats. Examples of assets encompass computers, servers, hosts, cloud accounts, and disk images.

An Asset can be either one of 2 states:

  1. Managed: The asset's responder has been successfully deployed to the device and is ready to collect tasking assignments from the console.

  2. Unmanaged: The asset is discovered by enumerating Active Directory but does not have the AIR responder deployed.

The Assets Summary window on the home page can also report the asset as:

  1. Off-Network: The Asset has supplied data to the console via an Off-Network Acquisition or Triage task.

  2. Unreachable: The asset's responder is currently unreachable.

  3. Update Required: The responder on the asset requires an update to function correctly.

  4. Update Advised: The responder is still functional but for full functionality, an update is recommended.

  5. Isolated: The asset is currently isolated from the network apart from communication with the AIR console only.

Evidence Item or Artifact?

Evidence Item:

In the context of Binalyze AIR and cybersecurity generally, an evidence item refers to data extracted from various components of a computer operating system and associated system areas crucial for recording, managing, or operating the system. These items often produce digital evidence that can be analyzed to uncover details of user activity and potential security incidents or anomalies.


On the other hand, in Binalyze AIR, artifacts are files produced by applications during their execution. These files contain valuable information about the activities performed by the application, including logs, configuration files, temporary files, and other artifacts of potential interest for forensic analysis and investigation.

Evidence Repository

A remote location for saving evidence collected as the result of an AIR tasking. These include:

  1. SMB

  2. SFTP

  3. FTPS

  4. Amazon S3

  5. Azure Blob

  6. Network Shares

To create a New Repository go to Settings in the Main Menu and select Evidence Repositories from the secondary Menu. From the window 'New Repository' complete the mandatory fields and select the type of repository you wish to add.

Read more details about Evidence Repositories here.


The AIR responder is a streamlined 40MB standalone package that brings the expertise of level 3 and 4 analysts directly to your digital assets.

Unlike 'agents' that constantly monitor systems and consume significant resources, AIR responders only activate to perform precise, user-defined DFIR tasks on demand. This approach allows for deploying thousands of virtual responders across your IT ecosystem, ready to execute proactive and reactive incident response activities such as evidence collection, threat hunting, and forensic-level analysis as needed. Binalyze's approach prioritizes efficient security enhancement, marrying minimal asset impact with maximum readiness and incident response capability.


Operations that are assigned to the assets by the AIR console either manually or automatically via a trigger.

Tasks could be either:

  1. Manual: Assigned manually by users,

  2. Scheduled: Created by users to start in the future. Scheduled tasks could either be one-time or recurring (daily/weekly/monthly).

  3. Triggered: Assigned to as the assets as a response to a trigger request which is sent by a SIEM/SOAR/EDR solution.

Triggers (Webhooks)

Triggers are the main extensibility mechanism for AIR to receive alerts from other security suites such as SIEM/SOAR/EDRs.

A trigger is the combination of a parser, an acquisition profile, and a destination for saving the collected evidence (either local or remote).

Binalyze AIR takes this to the next level by allowing the trigger to further automate the post-acquisition analysis by leveraging DRONE and MITRE&CK scanners. So in effect, the alert from your security tools can launch AIR into the collection of relevant forensic data, the analysis of that data, and the delivery of any DFIR findings into the Intelligence Hub with no analyst intervention whatsoever.


Searching for pieces of evidence such as a file hash, process, or malicious domain at scale. AIR provides you with 'out-of-box' examples for YARA, Sigma, and osquery, making it fast and easy to start sweeping your environment.

Last updated