Architecture
Overview
Fleet is designed around three core architectural principles: isolation, security, and integration. Every analysis Fleet performs runs in a secure, isolated environment that is completely separate from your AIR deployment, your network, and your endpoints. This ensures that evidence analysis cannot affect production systems, and that sensitive data remains protected throughout the process.
How Fleet Processes Requests
When you send a request to Fleet, the following sequence occurs:
- Request routing — your message and any attached files are sent from Fleet’s web interface to the secure analysis environment through an encrypted channel.
- Analysis execution — Fleet selects the appropriate tools and techniques, then performs the analysis entirely within its isolated environment. This environment includes a full suite of industry-standard DFIR tools for forensics, reverse engineering, detection engineering, and threat intelligence.
- Result streaming — as Fleet works, results stream back to your browser in real time. You can observe Fleet’s reasoning process, see tool outputs, and review findings as they are produced.
- Output persistence — all generated files (reports, detection rules, IOC tables, STIX bundles) are saved to your workspace for download and further use.
Isolation Model
Fleet’s analysis environment is fully isolated:
- No direct network access — Fleet cannot reach your internal network, production systems, or endpoints. It operates exclusively within its own secure boundary.
- AIR API access only — when you configure AIR integration, Fleet communicates with your AIR deployment through authenticated, encrypted API channels. This is the only path through which Fleet can interact with your infrastructure.
- Ephemeral sessions — each Fleet session runs in its own environment. Session data does not persist after the session ends, and no customer data is retained between sessions.
- Separate from AIR — Fleet’s analysis environment is architecturally separate from your AIR deployment. A compromise of the analysis environment cannot affect AIR, and vice versa.
Credential Protection
Fleet implements a strict credential separation model:
- Encrypted credential storage — API keys and credentials you configure for AIR integration are encrypted at rest and in transit. They are never exposed to the AI agent in plaintext.
- Secure gateway — all external API calls (threat intelligence lookups, web searches, AIR operations) are routed through a secure gateway that handles authentication independently. The AI agent sends requests through the gateway, which attaches the appropriate credentials on the other side. This means the AI never sees, handles, or has access to your actual API keys.
- No credential leakage — even if the AI agent were to attempt to extract credentials (which it is designed not to do), the architecture prevents it. Credentials exist only within the secure gateway layer, outside the AI’s execution boundary.
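The gateway pattern described above, reduced to its essentials as an added illustration (hypothetical Python, not Binalyze’s implementation): the agent side only builds a request naming a service and a path; the gateway side holds the credentials, enforces a service allowlist, attaches the credential itself, and redacts any echo of it before the response crosses back into the agent’s boundary. Service names, key values and the `fake_upstream` function are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed secret store: exists only on the gateway side of the boundary.
_CREDENTIALS = {"threat-intel": "ti-key-EXAMPLE", "air": "air-key-EXAMPLE"}

# Only services with a configured credential may be reached through the gateway.
_ALLOWED_SERVICES = frozenset(_CREDENTIALS)


@dataclass
class AgentRequest:
    """What the agent is allowed to express: a service name, a path and a body.
    There is deliberately no field for headers or credentials."""
    service: str
    path: str
    body: dict


def redact(obj):
    """Recursively mask any credential value that appears in an upstream response,
    so a misbehaving or compromised upstream cannot leak the key back to the agent."""
    if isinstance(obj, dict):
        return {k: redact(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    if isinstance(obj, str):
        for secret in _CREDENTIALS.values():
            obj = obj.replace(secret, "[REDACTED]")
    return obj


def forward(req: AgentRequest, upstream: Callable[[str, dict, dict], dict]) -> dict:
    """Gateway side: reject unknown services, attach the credential, call upstream.
    `upstream` stands in for the real HTTP client (assumption)."""
    if req.service not in _ALLOWED_SERVICES:
        return {"error": f"service not allowed: {req.service}"}
    # The gateway alone decides the Authorization header; nothing agent-supplied is used.
    headers = {"Authorization": f"Bearer {_CREDENTIALS[req.service]}"}
    return redact(upstream(req.path, headers, req.body))


def fake_upstream(path: str, headers: dict, body: dict) -> dict:
    """Constructed upstream that echoes what it received, standing in for a real API."""
    return {"path": path, "auth": headers.get("Authorization"), "body": body}


def agent_side_lookup(indicator: str) -> dict:
    """Agent side: builds a reputation lookup and hands it to the gateway."""
    req = AgentRequest("threat-intel", f"/reputation/{indicator}", {"indicator": indicator})
    return forward(req, fake_upstream)
```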
External Service Access
Fleet can access external services for threat intelligence enrichment and web research. All external access is mediated:
- Threat intelligence — reputation lookups, domain popularity checks, known-good software identification, and vulnerability databases are accessed through the secure gateway.
- Web search — Fleet can search the internet for threat advisories, CVE details, and security research. All web requests route through the secure gateway.
- Browser automation — Fleet can control a remote browser for interacting with web content. The browser runs in its own isolated environment, separate from both Fleet’s analysis environment and your network.
AIR Integration
Fleet connects to AIR through a secure, authenticated API:
- Authentication — Fleet uses its own authentication system. Users log in with their organization credentials.
- API integration — to enable Fleet to perform operations on your AIR deployment (endpoint management, evidence acquisition, triage, interACT), you configure an API key in Fleet’s settings. This key is encrypted and handled exclusively by the secure gateway.
- Supported operations — endpoint listing and search, asset isolation, case management, evidence acquisition, triage rule deployment, interACT command execution, and investigation result browsing.
AI Model
Fleet uses advanced large language models to power its conversational interface and analytical reasoning. The specific model may be updated over time to provide the best results. All AI communication is routed through Binalyze-managed secure endpoints. No customer data is sent to third-party AI providers outside of the secure processing pipeline.
Availability
Fleet requires an active internet connection and is available only in online mode. It is included in the AIR subscription for licensed environments running version 4.41 or later.