Binalyze AIR MCP Server
A Node.js server implementing Model Context Protocol (MCP) for Binalyze AIR, enabling natural language interaction with AIR's digital forensics and incident response capabilities.
✨ Features
- Asset Management - List assets in your organization.
- Acquisition Profiles - List acquisition profiles.
- Organization Management - List organizations.
- Case Management - List cases in your organization.
- Policy Management - See security policies across your organization.
- Task Management - Track forensic collection tasks and their statuses.
- Triage Rules - View YARA, osquery and Sigma rules for threat detection.
- User Management - List users in your organization.
- Drone Analyzers - View available drone analyzers with supported operating systems.
Overview
This MCP server creates a bridge between Large Language Models (LLMs) and Binalyze AIR, allowing interaction through natural language. Retrieve information about your digital forensics environment without writing code or learning the underlying API.
🔑 API Token Requirement
Important: An API token is required for authentication. Set it using the AIR_API_TOKEN environment variable. The token gives the MCP client (and therefore the LLM driving it) access to your forensics environment, so treat it as a credential: keep it out of version control and out of shared client config files, and scope it to the least privilege AIR allows.
📦 Installation
Local Development
Usage with Claude Desktop
Add the following configuration to your Claude Desktop config file:
Usage with Cursor
- Navigate to Cursor Settings > MCP
- Add a new MCP server with the following configuration:
🧩 Usage with Smithery
Note: Don't forget to activate Agent mode in your editor.
One-Line Installation Commands
Claude
Cursor
Windsurf
VSCode
Or use the Magic Link option in VSCode.
How to Use
In Claude Desktop or any other MCP client, you can use natural language commands:
| Command | Description |
|---|---|
| List all assets in the system | Shows all managed/unmanaged endpoints with OS and platform info |
| List all acquisition profiles | Displays available acquisition profiles |
| List all organizations | Shows all organizations in the environment |
| List all cases | Displays cases with status and creation time |
| List all policies | Shows security and collection policies |
| List all tasks | Lists all tasks with their statuses |
| List all triage rules | Shows YARA, osquery and Sigma rules for threat detection |
| List all users | Shows all users in the system with their details |
| List all drone analyzers | Shows available drone analyzers with supported operating systems |
Filtering by Organization
You can filter results by organization ID:
Response Example
```
Found 3 triage rules:
corewebshell_detection: core.webshell_detection (Engine: yara, Search In: both)
fireeye-sunburst-countermeasures: FireEye Sunburst Countermeasures (Engine: yara, Search In: both)
fireeye-red-team-tools-countermeasures: FireEye Red Team Tools Countermeasures (Engine: yara, Search In: both)
```

```
Found 20 drone analyzers:
bha: Browser History Analyzer (Supported OS: Windows, Default Enabled: Yes)
wsa: Generic WebShell Analyzer (Supported OS: Windows, Linux, macOS, Default Enabled: Yes)
```
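The following is an added example, not code from the Binalyze AIR MCP Server project, showing how a tool handler behind the "List all triage rules" command could be written: it fails closed when AIR_API_TOKEN is unset (the token requirement above), applies the optional organization-ID filter, and renders the "Found N triage rules:" summary in the shape of the response example. The field names (id, name, engine, searchIn, organizationId), the Bearer authorization header and the sample rules are assumptions made for illustration, not AIR's documented schema.

```javascript
// Added illustration, not code from the Binalyze AIR MCP Server project.
// Assumptions (not from the page): rule objects carry id, name, engine,
// searchIn and organizationId fields, and AIR accepts the token as a
// Bearer header. The output format follows the "Found N triage rules:"
// response shown above.

// Constructed sample data modelled on the page's response example.
const SAMPLE_TRIAGE_RULES = [
  { id: "corewebshell_detection", name: "core.webshell_detection",
    engine: "yara", searchIn: "both", organizationId: 0 },
  { id: "fireeye-sunburst-countermeasures", name: "FireEye Sunburst Countermeasures",
    engine: "yara", searchIn: "both", organizationId: 0 },
  { id: "fireeye-red-team-tools-countermeasures", name: "FireEye Red Team Tools Countermeasures",
    engine: "yara", searchIn: "both", organizationId: 1 },
];

// Read the token from the environment and fail closed if it is missing.
// Never fall back to an empty string: an unauthenticated call would either
// fail noisily later or, worse, silently return nothing.
function buildAuthHeaders(env = process.env) {
  const token = env.AIR_API_TOKEN;
  if (typeof token !== "string" || token.trim() === "") {
    throw new Error("AIR_API_TOKEN is not set; refusing to call the AIR API without credentials");
  }
  return { Authorization: `Bearer ${token.trim()}`, Accept: "application/json" };
}

// Optional organization filter. An undefined ID means "all organizations";
// anything that is not a non-negative integer is rejected rather than
// coerced, so an LLM-supplied value cannot widen the query by accident.
function filterByOrganization(items, organizationId) {
  if (organizationId === undefined || organizationId === null) return items;
  const wanted = Number(organizationId);
  if (!Number.isInteger(wanted) || wanted < 0) {
    throw new Error(`invalid organization ID: ${String(organizationId)}`);
  }
  return items.filter((item) => item.organizationId === wanted);
}

// Render the summary the page shows: a header line, then one rule per line.
function formatTriageRules(rules) {
  const noun = rules.length === 1 ? "triage rule" : "triage rules";
  if (rules.length === 0) return `Found 0 ${noun}.`;
  const lines = rules.map(
    (r) => `${r.id}: ${r.name} (Engine: ${r.engine}, Search In: ${r.searchIn})`
  );
  return `Found ${rules.length} ${noun}:\n${lines.join("\n")}`;
}

// Tool handler as the MCP layer would invoke it. `fetchRules` is injectable
// so the example runs offline against the constructed sample; a real
// implementation would perform the HTTP request with the returned headers.
function listTriageRules(args = {}, fetchRules = () => SAMPLE_TRIAGE_RULES, env = process.env) {
  const headers = buildAuthHeaders(env);          // throws before any network call
  const rules = fetchRules(headers);
  return formatTriageRules(filterByOrganization(rules, args.organizationId));
}

// Stand-alone run: prints the two rules belonging to organization 0.
if (typeof require !== "undefined" && require.main === module) {
  console.log(listTriageRules({ organizationId: 0 }, undefined, { AIR_API_TOKEN: "example-token" }));
}
```

The token check runs before anything touches the network, and the organization ID is validated rather than coerced, because in an MCP deployment both the filter value and the wording of the request originate from the model, not from a trusted operator.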