# FAQs

## General

### What is Fleet?

Fleet is an AI-powered SOC Analyst developed by Binalyze. It assists security professionals with threat hunting, detection engineering, digital forensics, incident response, malware analysis, and threat intelligence. Fleet provides a conversational interface where you can upload evidence, ask questions, and receive structured analysis results.
### Who is Fleet designed for?

Fleet is built for SOC analysts, incident responders, threat hunters, detection engineers, and forensic investigators. Anyone who works with security operations and has a Fleet license can use it.
### What AI model does Fleet use?

Fleet uses advanced large language models to power its conversational interface and analytical reasoning. The specific model may be updated over time to provide the best results. Binalyze manages the AI infrastructure, and all communication is routed through Binalyze-managed secure endpoints.
### How does Fleet differ from a general-purpose AI chatbot?

Fleet is a specialized security analyst, not a general-purpose chatbot. It runs real DFIR tools, produces verifiable outputs (detection rules that compile, analysis reports with hashes and timestamps, STIX bundles that conform to the standard), and integrates directly with AIR for endpoint operations. When Fleet analyzes a binary, it performs actual static analysis with industry-standard tools. When it generates a YARA rule, it validates that the rule compiles and can scan files with it.
## Security and Privacy

### Is my data sent to third parties?

No. Customer evidence data is not stored persistently or shared with third parties. All analysis runs in an isolated environment managed by Binalyze, and AI communication is routed through Binalyze-managed secure endpoints. No customer data is used to train AI models.
### Are my API keys safe?

Yes. API keys and credentials configured for AIR integration are encrypted at rest and in transit. They are handled by a secure gateway that is architecturally separate from the AI agent. The AI agent never sees, handles, or has access to your actual API keys. See Security for full details.
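The separation described above is a general pattern: the model side only ever emits a structured tool request, and a gateway that holds the secret decides whether the request is allowed, attaches the credential, and scrubs the credential from anything it hands back. The following is an added illustration of that pattern, not Fleet's implementation; the tool names, the fake AIR transport, the base URL and the demo key are all constructed for the example.

```python
"""Credential-isolating tool gateway (pattern illustration, not Fleet's code)."""
import json
import re

# Constructed demo credential; in a real deployment this lives only in the gateway's secret store.
DEMO_API_KEY = "demo-key-0123456789abcdef"

# Allowlist of tools the agent may request: name -> (HTTP method, path template).
# Anything not listed is refused regardless of what the model asks for. (Constructed names.)
TOOL_ALLOWLIST = {
    "air.endpoints.list": ("GET", "/api/endpoints"),
    "air.endpoints.isolate": ("POST", "/api/endpoints/{endpoint_id}/isolate"),
}

PATH_PARAM_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def _path_param(value):
    """Only plain identifiers may be interpolated into a URL path (blocks ../, ?, #, etc.)."""
    if not isinstance(value, str) or not PATH_PARAM_RE.fullmatch(value):
        raise ValueError(f"invalid path parameter: {value!r}")
    return value


class CredentialGateway:
    def __init__(self, base_url, api_key, transport):
        self._base_url = base_url
        self._api_key = api_key        # the secret never crosses to the agent side
        self._transport = transport    # callable(method, url, headers, body) -> (status, text)

    def _scrub(self, text):
        # Defensive: if an upstream error body ever echoes the credential,
        # the agent still must not see it.
        return text.replace(self._api_key, "[REDACTED]")

    def call(self, request):
        """Handle one agent tool request of the form {"tool": name, "args": {...}}."""
        name = request.get("tool")
        if name not in TOOL_ALLOWLIST:
            return {"ok": False, "error": f"tool not permitted: {name}"}
        method, path_template = TOOL_ALLOWLIST[name]
        args = request.get("args", {})
        try:
            # Extra args are ignored by str.format; missing ones raise KeyError.
            path = path_template.format(**{k: _path_param(v) for k, v in args.items()})
        except (KeyError, ValueError) as exc:
            return {"ok": False, "error": self._scrub(f"bad arguments: {exc}")}
        headers = {"Authorization": f"Bearer {self._api_key}", "Accept": "application/json"}
        status, body = self._transport(method, self._base_url + path, headers, None)
        return {"ok": 200 <= status < 300, "status": status, "body": self._scrub(body)}


def fake_air_transport(method, url, headers, body):
    """Constructed stand-in for the AIR API so the example runs offline."""
    if headers.get("Authorization") != f"Bearer {DEMO_API_KEY}":
        return 401, json.dumps({"error": "unauthorized"})
    if url.endswith("/api/endpoints"):
        return 200, json.dumps({"endpoints": [{"id": "ep-1", "hostname": "ws01"}]})
    # Simulates a badly behaved upstream that echoes request headers in an error body.
    return 500, json.dumps({"error": "internal", "echo": headers["Authorization"]})


def run_demo():
    """Exercise the gateway; returns exactly what the agent side would receive."""
    gw = CredentialGateway("https://air.example.invalid", DEMO_API_KEY, fake_air_transport)
    return {
        "list": gw.call({"tool": "air.endpoints.list", "args": {}}),
        "isolate": gw.call({"tool": "air.endpoints.isolate", "args": {"endpoint_id": "ep-1"}}),
        "denied": gw.call({"tool": "air.endpoints.reboot", "args": {}}),
        "bad_arg": gw.call({"tool": "air.endpoints.isolate", "args": {"endpoint_id": "../admin"}}),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The check worth keeping from this is the last one: serialize everything that flows back toward the model and assert the secret is absent, because the echoing-upstream case is how keys usually leak in practice, not through the happy path.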
### Can Fleet access my production systems?

Fleet operates in an isolated environment and cannot directly access your network, endpoints, or internal systems. It can interact with AIR endpoints only through the authenticated API integration you configure. All endpoint operations go through AIR’s standard API with your configured permissions.
### Does Fleet retain data between sessions?

No. All data (files, analysis results, conversation history) exists only for the duration of the session. Fleet does not retain memory across separate conversations and does not store customer data persistently.
## Capabilities

### What file types can I upload to Fleet?

Fleet accepts any file type. Common formats include:
- Executables: PE (.exe, .dll), ELF, .NET assemblies, shellcode
- Documents: PDF, Word (.doc, .docx, .docm), Excel, PowerPoint, RTF, OLE
- Archives: ZIP, 7z, RAR, TAR, GZ (including password-protected)
- Network captures: PCAP, PCAPNG
- Event logs: EVTX, JSON, JSONL
- Detection rules: YARA (.yar), Sigma (.yml), osquery (.sql), Suricata (.rules)
- Images: PNG, JPG, GIF, BMP
- Text: TXT, CSV, MD, JSON, XML, HTML
- Disk images: RAW, E01, VMDK, VHD/VHDX
- Memory dumps: Raw memory dump files
### What detection rule formats does Fleet support?

Fleet supports four detection rule formats:

| Format | Capabilities |
|---|---|
| YARA | Generate, validate, fix, scan files |
| Sigma | Generate, validate, convert to Splunk SPL and Microsoft Sentinel KQL, test against EVTX and JSONL logs |
| osquery | Generate, validate syntax and column references |
| Suricata | Validate rule syntax |
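To make concrete what "test against EVTX and JSONL logs" means for a Sigma rule, here is an added example (not Fleet's code) of a minimal Sigma-style matcher run over JSONL events. It covers the common subset of the Sigma detection model: selection maps where every field must match, list values that match if any element does, the `|contains`, `|startswith` and `|endswith` modifiers, case-insensitive string comparison, and conditions built from selection names with `and`, `or`, `not` and parentheses. Aggregations and `1 of selection*` quantifiers are not handled. The rule and the process-creation events are constructed for the example.

```python
"""Minimal Sigma-style matcher over JSONL events (added example, not Fleet's code)."""
import json

# Constructed rule in Sigma's dict structure (a real rule would be loaded from YAML).
RULE = {
    "title": "PowerShell with encoded command, not launched from Explorer",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        "filter_explorer": {"ParentImage|endswith": "\\explorer.exe"},
        "condition": "selection and not filter_explorer",
    },
}

# Constructed events, serialized as JSONL (one JSON object per line).
EVENTS_JSONL = "\n".join(json.dumps(e) for e in [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -enc SQBFAFgA", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -EncodedCommand SQBFAFgA", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe Get-Process", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\alice\\notes-enc.txt", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\PowerShell.EXE",
     "CommandLine": "PowerShell -Enc SQBFAFgA",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
])


def _match_value(actual, expected, modifiers):
    """Compare one event field with one expected value; Sigma string matching is case-insensitive."""
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    if "contains" in modifiers:
        return e in a
    if "startswith" in modifiers:
        return a.startswith(e)
    if "endswith" in modifiers:
        return a.endswith(e)
    return a == e


def _match_selection(event, selection):
    """Every key of a selection map must match (AND); a list value matches if any element does (OR)."""
    for key, expected in selection.items():
        field, *modifiers = key.split("|")
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event.get(field), c, candidates and modifiers) for c in candidates):
            return False
    return True


def eval_condition(condition, results):
    """Evaluate a condition over {selection_name: bool}; precedence is not > and > or."""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def parse_or():
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            value = parse_and() or value  # right side is parsed first so its tokens are consumed
        return value

    def parse_and():
        nonlocal pos
        value = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            right = parse_not()
            value = value and right
        return value

    def parse_not():
        nonlocal pos
        token = tokens[pos]
        pos += 1
        if token == "not":
            return not parse_not()
        if token == "(":
            value = parse_or()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses in condition")
            pos += 1
            return value
        if token not in results:
            raise ValueError(f"unknown selection in condition: {token}")
        return results[token]

    value = parse_or()
    if pos != len(tokens):
        raise ValueError(f"unexpected tokens in condition: {tokens[pos:]}")
    return value


def match_rule(rule, event):
    detection = rule["detection"]
    results = {name: _match_selection(event, sel)
               for name, sel in detection.items() if name != "condition"}
    return eval_condition(detection["condition"], results)


def run_rule_over_jsonl(rule, jsonl_text):
    """Return (line_number, event) for every JSONL line the rule matches; blank lines are skipped."""
    hits = []
    for lineno, line in enumerate(jsonl_text.splitlines(), start=1):
        if line.strip():
            event = json.loads(line)
            if match_rule(rule, event):
                hits.append((lineno, event))
    return hits


if __name__ == "__main__":
    for lineno, event in run_rule_over_jsonl(RULE, EVENTS_JSONL):
        print(f"line {lineno}: {event['CommandLine']}")
```

Lines 1 and 5 match; line 2 is removed by the filter, line 3 has no encoded command, and line 4 shows why the `Image` constraint matters: `-enc` appears in an innocuous file name. Line 5 also checks that `PowerShell.EXE` and `-Enc` still match, which is the behaviour a backend must preserve when the rule is converted to SPL or KQL.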
### Can Fleet deploy detection rules to my endpoints?

Yes, when connected to AIR through the API integration. Fleet can deploy YARA, Sigma, and osquery rules to managed endpoints via AIR’s triage feature. See AIR Integration for details.
### What operating systems can Fleet analyze artifacts from?

Fleet can analyze artifacts from Windows, macOS, Linux, ChromeOS, and ESXi. The analysis environment itself runs Linux, but it includes tools capable of analyzing artifacts from all these platforms (PE analysis for Windows, plist parsing for macOS, ELF analysis for Linux, etc.).
### Can Fleet analyze password-protected archives?

Yes. Fleet automatically tries common malware analysis passwords (infected, malware, virus) when encountering password-protected archives. You can also provide the password in your prompt, or Fleet will ask you for it if the common passwords do not work.
### What threat intelligence outputs does Fleet produce?

Fleet produces threat intelligence in multiple formats:
- Markdown reports — human-readable reports with observables organized by type, enrichment results, and risk scores
- Text reports — flat lists sorted by risk score for quick triage
- STIX 2.1 bundles — machine-readable structured intelligence with full enrichment data, importable into SIEM and TIP platforms
- YARA rules — detection rules generated directly from enriched observables
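As an added example of what the STIX 2.1 and text outputs look like when built from enriched observables (this is illustrative code, not Fleet's), the block below turns a constructed list of observables with risk scores into a STIX 2.1 bundle of indicator objects, runs the structural checks a TIP import would trip over, and prints the flat risk-sorted triage list. The observables, risk scores and the UUID namespace used for deterministic indicator ids are constructed; the object layout and pattern syntax follow the STIX 2.1 specification.

```python
"""STIX 2.1 bundle and risk-sorted text report from observables (added example, not Fleet's code)."""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed enrichment results: kind, value, risk score (0-100), STIX indicator type.
OBSERVABLES = [
    {"kind": "ipv4", "value": "203.0.113.7", "risk": 85, "indicator_type": "malicious-activity"},
    {"kind": "domain", "value": "update-check.example", "risk": 60, "indicator_type": "anomalous-activity"},
    {"kind": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "risk": 95, "indicator_type": "malicious-activity"},
    {"kind": "url", "value": "http://update-check.example/it's/payload.bin", "risk": 70,
     "indicator_type": "malicious-activity"},
]

# STIX pattern templates keyed by observable kind (STIX Cyber Observable object paths).
PATTERN_TEMPLATES = {
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "url": "[url:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}

# Constructed namespace: the same pattern always yields the same indicator id,
# so a TIP can deduplicate when the same report is imported twice.
INDICATOR_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_URL, "example-fleet-faq-namespace")
FIXED_TIME = datetime(2024, 5, 1, 12, 0, 0, 123456, tzinfo=timezone.utc)  # for reproducible output


def stix_timestamp(dt):
    """RFC 3339 UTC with millisecond precision and a trailing Z, as STIX 2.1 requires."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def escape_literal(value):
    """Escape a STIX pattern string literal: backslash first, then single quote."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def make_indicator(obs, now):
    pattern = PATTERN_TEMPLATES[obs["kind"]].format(v=escape_literal(obs["value"]))
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid5(INDICATOR_NAMESPACE, pattern)}",
        "created": now,
        "modified": now,
        "name": f"{obs['kind']} {obs['value']}",
        "indicator_types": [obs["indicator_type"]],
        "pattern": pattern,
        "pattern_type": "stix",
        "pattern_version": "2.1",
        "valid_from": now,
        "x_risk_score": obs["risk"],  # custom properties must carry the x_ prefix
    }


def make_bundle(observables, now=None):
    ts = stix_timestamp(now or datetime.now(timezone.utc))
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [make_indicator(o, ts) for o in observables]}


ID_RE = re.compile(r"^([a-z0-9-]+)--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
REQUIRED_INDICATOR = ("spec_version", "created", "modified", "pattern", "pattern_type", "valid_from")


def validate_bundle(bundle):
    """Cheap structural checks before import into a SIEM or TIP; returns a list of problems."""
    problems = []
    if bundle.get("type") != "bundle" or not ID_RE.match(bundle.get("id", "")):
        problems.append("bundle type/id malformed")
    for obj in bundle.get("objects", []):
        m = ID_RE.match(obj.get("id", ""))
        if not m or m.group(1) != obj.get("type"):
            problems.append(f"id/type mismatch: {obj.get('id')}")
            continue
        if obj["type"] == "indicator":
            missing = [k for k in REQUIRED_INDICATOR if k not in obj]
            if missing:
                problems.append(f"{obj['id']} missing {missing}")
            if obj.get("spec_version") != "2.1":
                problems.append(f"{obj['id']} wrong spec_version")
    return problems


def text_report(observables):
    """Flat triage list, highest risk first."""
    ranked = sorted(observables, key=lambda o: o["risk"], reverse=True)
    return "\n".join(f"{o['risk']:3d}  {o['kind']:<6}  {o['value']}" for o in ranked)


if __name__ == "__main__":
    bundle = make_bundle(OBSERVABLES, FIXED_TIME)
    print(json.dumps(bundle, indent=2))
    print(text_report(OBSERVABLES))
    print("problems:", validate_bundle(bundle))
```

The escaping step is the part most often skipped in hand-rolled exporters: a URL or file path containing a single quote produces a pattern that fails to parse on import, which is exactly the kind of error the page's "STIX bundles that conform to the standard" claim is about.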
## AIR Integration

### How do I connect Fleet to my AIR deployment?

In Fleet’s settings, locate the AIR integration section and provide your AIR API key. Fleet validates the connection and confirms access. Once configured, Fleet can perform endpoint management, evidence acquisition, triage, interACT, and investigation operations.
### What AIR operations can Fleet perform?

Fleet can perform the following operations through AIR:
- Endpoint management — list, search, isolate, remove isolation, tag, reboot
- Case management — create, update, close cases
- Evidence acquisition — trigger collection using built-in or custom acquisition profiles
- Triage — deploy YARA, Sigma, and osquery rules to endpoints
- interACT — execute remote commands, transfer files
- Investigation — browse evidence, view DRONE findings, access Investigation Hub data
### Does Fleet respect AIR’s role-based access control?

Yes. Fleet inherits the user’s AIR session authentication and respects role-based access control. Users can only perform AIR operations that their assigned role permits.
### Can I use Fleet offline?

No. Fleet requires an active internet connection and is available only in online mode.
### Is there a usage limit?

Usage is subject to monthly token limits that can be configured by your organization administrator. When the limit is reached, Fleet becomes unavailable until the next billing cycle or until the administrator increases the limit.
### What AIR version is required?

Fleet requires AIR version 4.41 or later.
### Do I need a separate license for Fleet?

Fleet is licensed separately. Contact Binalyze sales or your account representative for licensing details.
### How do I access Fleet?

Fleet is a standalone web application. Log in at your organization’s Fleet URL with your credentials. No additional software installation is required.
### Can multiple users use Fleet simultaneously?

Yes. Each user gets their own isolated Fleet session. Multiple users can use Fleet concurrently without interfering with each other’s work.