Industry: Cybersecurity Incident Response

Streamlined Investigations

Company Overview

Blackpanda is Asia’s leading cybersecurity incident response firm, dedicated to making digital forensic and incident response (DFIR) expertise accessible to organizations across the region. It offers a subscription-based IR service, IR-1, that provides unlimited incident response support to businesses of all sizes, making high-quality cybersecurity accessible and affordable.

Founded in 2015, the company’s mission is to democratize cybersecurity resilience by providing affordable, high-quality incident response services tailored to the Asian market. This commitment to set a high-water mark in effective incident response has led the company to implement Binalyze’s Automated Investigation and Response (AIR) platform.

Challenges in Scaling Incident Response

As Blackpanda rapidly grew, it faced challenges in scaling its incident response operations to manage the increasing volume of ransomware cases, which represented the majority of the cases impacting their customers.

This was because traditional methods were proving too time-consuming and resource-intensive. The manual nature of evidence collection and analysis, often involving multiple tools and disparate systems, became a significant bottleneck. Investigations were time-consuming, and limited the number of cases the team could handle concurrently.

George Trikoilis, Director of Incident Response at Blackpanda, explains: “We were looking for a solution that would allow us to scale our operations irrespective of the number of systems we had to investigate. We needed to respond in a timely manner, no matter how large the scope of the incident.”

The team recognized the need for a solution that would enable them to scale their operations without sacrificing speed, and more importantly, quality. They wanted a platform that could streamline evidence acquisition and analysis, foster collaboration, and address the unique regulatory challenges of operating across different countries in Asia. Aligned with Blackpanda’s mission, the solution needed to be cost-effective and scalable to support their diverse client base, from small businesses to large enterprises. It also needed to be user-friendly, easy to learn and manage, so it did not only cater to the high-level technical experts within the organization.

George further emphasized the importance of finding a technological solution rather than merely expanding the workforce: “We started looking for solutions that did not just involve throwing more people at it. The right platform would facilitate incident response, because it does so many things for you. It highlights what you should look at and investigate first, significantly helping less experienced users to effectively support their organization.”

Adopting Binalyze AIR for Efficiency and Collaboration

Blackpanda turned to Binalyze AIR, an automated investigation and response platform powered by digital forensics, to address their scaling challenges. The team initially heard about AIR from an ex-employee who recommended the solution. They conducted a free trial and found AIR to be highly efficient in accelerating investigations.

In 2023, with the launch of its IR-1 model, Blackpanda evaluated Binalyze AIR along with two other solutions. The team conducted competitive analysis and proofs of concept (POCs) before deciding on Binalyze AIR, highlighting its comprehensive features across acquisition, processing, analysis, and collaboration as key factors in their decision.

AIR’s unified platform provided Blackpanda with a single pane of glass for evidence acquisition, analysis, and collaboration, streamlining their entire incident response investigation workflow.

Guo Yan, DFIR Specialist at Blackpanda, highlights the impact: Binalyze AIR’s automated evidence collection and analysis tools significantly accelerated investigations. Its collaboration features enhanced team communication and knowledge sharing, boosting overall efficiency.

“When it comes to collaborating or sharing findings, you need to hand over the work efficiently. Before having a solution that centralizes everything, you had to figure out how to transfer data between colleagues in different locations, like from Singapore to Hong Kong. With Binalyze AIR, everyone can access the same data without screen shares or waiting for colleagues to be available.” explained George Trikoilis.

The platform’s automation features further enhanced Blackpanda’s efficiency. By automating time-consuming tasks such as evidence collection and preliminary analysis, AIR freed up the team’s valuable time to focus on higher-level tasks, such as threat hunting and strategic decision-making.

The BlackPanda team can now quickly complete evidence collection directly rather than waiting for the client’s IT team, making for a faster and smoother process. Additionally, AIR’s ability to acquire a wider range of artifacts in a single pass significantly reduced the time and effort required for evidence gathering.

Most notably, AIR’s comprehensive coverage across Windows, Linux, and Mac OS platforms enabled Blackpanda to streamline their incident response processes, ensuring efficient and thorough investigations regardless of the operating system involved.

“When conducting our competitive analysis, we found that Binalyze AIR offered a more complete solution by providing support across Windows, Linux, and Mac OS platforms. This comprehensive coverage allowed us to tackle acquisition, processing, and analysis in a unified manner, unlike other tools that focused solely on Windows for example. The broad support ensured we could efficiently handle investigations across various operating systems, which was crucial for our diverse needs.” said George Trikoilis.

The solution also proved instrumental in meeting stringent cross-border data residency requirements, a crucial factor for Blackpanda’s operations in Asia. The platform’s flexible deployment options allowed them to comply with local regulations while maintaining the speed and efficiency of their investigations.

This alignment with regulatory requirements, combined with the platform’s scalability and cost-effectiveness, directly supported Blackpanda’s mission to democratize cybersecurity by making high- quality incident response services accessible to businesses of all sizes.

Conclusion


“The support and speed of action on feedback from the Binalyze team have been stellar.” says George. “The immediate support we get is exceptional, and the rapid implementation of our feedback into new releases has made a significant difference. These prompt responses have deepened our relationship, making Binalyze AIR an invaluable asset for our team.”

Blackpanda’s success with Binalyze AIR exemplifies how the platform can empower incident response teams to overcome scaling challenges, improve efficiency, and deliver high-quality cybersecurity services to a broader range of organizations.

Reduce Your Incident Response Time

Reduce Your Incident Response Time

From Alerts to Answers

Company Overview

SecureCyber is a U.S. based Managed Security Service Provider delivering managed detection and response, incident response, and proactive security services to small and mid market organizations across a range of industries. The company focuses on helping customers who lack dedicated in-house security teams improve visibility, respond to incidents quickly, and build long term cyber resilience.

This case study is based on an interview with Joe Tinney, Vice President of Cyber Operations at SecureCyber. Joe leads SecureCyber’s security operations and incident response services, bringing deep hands-on experience in digital forensics, threat investigation, and SOC enablement. He works directly with customers during high impact incidents and is responsible for designing scalable security services that work in real world environments.

The Challenges

Investigating complex incident in restricted and damaged environments

SecureCyber is often brought in to support organizations after a compromise has already occurred. In many cases, the environment is already heavily restricted to contain the threat.

In one investigation, the customer had fully isolated their systems from each other and from the internet. The domain controller was corrupted and could not reliably boot, new user accounts could not be created, and traditional live response methods were unavailable.

This created a situation where deploying tools remotely was impossible and continuing the investigation risked becoming slow, manual, and fragmented.

For an MSSP, these conditions pose serious challenges. Investigations stall, analyst effort increases, and confidence in findings can suffer at the exact moment clarity is most needed.

The Solution

Offline evidence collection and flexible investigation with Binalyze

To overcome these constraints, SecureCyber used Binalyze’s offline collection capabilities to continue the investigation without network connectivity.

Rather than relying on live access, evidence was collected by connecting directly to VMware virtual hosts and passing removable media through to the affected systems. In some cases, systems were booted using an alternative operating system to allow access to data where Windows could not be started.

Once collected, the evidence was transferred back into Binalyze and analyzed using the same investigation workflows used in live environments. This allowed the team to regain visibility, identify attacker activity, and understand the full scope of compromise despite the severely constrained conditions.

“The offline acquisition capability was critical. Without it, I would have been doing largely manual forensics.”

How Binalyze Is Used Today

A core platform for both reactive and proactive MSSP services.

Binalyze is now the primary forensic and investigation platform used across SecureCyber’s services.

During incident response, it is used when alerts from EDR or XDR tools are insufficient or inconclusive. Binalyze enables deeper investigation, validation of alerts, and forensic level visibility that complements existing detection tools.

Beyond reactive response, SecureCyber also offers a proactive compromise assessment service powered by Binalyze. Customers are scanned on a recurring basis, critical findings are reviewed monthly, and risks are systematically reduced over time.

Binalyze is also used internally to support analyst development. SOC analysts are trained using real investigation data, helping them understand what genuine malicious behavior looks like on an endpoint rather than relying only on alerts.

“They are blown away when they see what real malicious activity actually looks like on an endpoint.”

The Result

Faster investigations, higher confidence, and stronger service differentiation.

By standardizing on Binalyze, SecureCyber has significantly improved both operational efficiency and service quality. Investigations can continue even in disconnected or damaged environments. Analysts reach conclusions faster and with greater confidence. The team can handle more complex cases without relying on multiple forensic tools.

From a commercial perspective, Binalyze enables SecureCyber to offer higher tier services, extend engagements beyond incident response, and differentiate their MSSP offering in a competitive market.

‘We can investigate as far as EDR allows, but it does not pick up the same things that Binalyze does.’

Broader Impact

Turning investigations into education and long term value.

Binalyze has also helped how SecureCyber communicates with customers. Instead of presenting findings as abstract alerts or reports, investigations become collaborative and educational. Customers gain a clearer understanding of attacker behavior and why certain security policies matter.

This approach helps customers improve their own security practices and strengthens long term trust between the MSSP and the organization.

“When you show customers what attacker behavior actually looks like, the security controls suddenly make sense.”

Why Binalyze

Binalyze AIR has become a cornerstone of Blackpanda’s incident response operations. The platform’s efficiency gains, streamlined workflows, and collaborative features have enabled them to scale their operations effectively. Incidents now typically require just one responder each, enabling the team to handle a larger volume of cases while also delivering timely and comprehensive support to their clients.

The solution also proved instrumental in meeting stringent cross-border data residency requirements, a crucial factor for Blackpanda’s operations in Asia. The platform’s flexible deployment options allowed them to comply with local regulations while maintaining the speed and efficiency of their investigations. This alignment with regulatory requirements, combined with the platform’s scalability and cost-effectiveness, directly supported Blackpanda’s mission to democratize cybersecurity by making high-quality incident response services accessible to businesses of all sizes.

Recommendation

For security teams and MSSPs, real world investigations rarely happen in ideal conditions. Systems may be isolated, access may be limited, and time pressure is often high. In these moments, investigation capabilities need to remain effective even when traditional detection and live response tools fall short. SecureCyber’s experience reinforces the importance of flexibility, offline readiness, and deeper endpoint visibility to reach confident conclusions during complex incidents.

As Joe Tinney, Vice President of Cyber Operations at SecureCyber, puts it: ‘You’ve got to remain flexible in the face of adversity and use the tools that you have.’ This mindset underpins SecureCyber’s approach to incident response and long term investigation readiness.

Reduce Your Incident Response Time

Reduce Your Incident Response Time

Collaborative Speed

Company Overview


DigiFors is a respected German cybersecurity, digital forensics & incident response service provider that offers specially tailored services for public prosecutors, courts and other authorities, law firms and commercial organisations to increase data security or simplify the handling of data in connection with criminal or investigative proceedings.

Whilst delivering their services it is critical that DigiFors is able to investigate an incident, identify the nature of the breach, produce a professional and detailed report and communicate their findings to the customer as quickly and efficiently as possible.

“If it is a small case, just one computer, you call your client and ask them to send the computer for further investigations. But if the case is large, in some cases more than 1000 computers have been involved in a case, it is challenging to do the investigations and solve the case in a timely manner. This is one of the many reasons why we have implemented Binalyze AIR in the heart of our incident response activities.

Binalyze AIR provides us the speed and the granularity that we need in our day-to-day incident response activities at enterprise scale” states Christian Klaus, Head of Threat Detection and Response at DigiFors. Prior to partnering with Binalyze, DigiFors analysts and consultants had to travel to the client’s location to collect forensic disk images and extract data. Using legacy forensic solutions this was an extremely time-consuming, expensive and laborious task. Working in this way slowed down individual investigations and limited the case capacity of the business as a whole.

With Binalyze AIR this process has been streamlined and forensic data can be collected in just a few minutes, remotely from the DigiFors lab in most cases. Another pain point that DigiFors were experiencing was an inability to quickly identify which assets on the customers network have been affected by the breach being investigated. DigiFors ability to provide granular answers about suspicious activity or an active attack to an anxious customer was also being impacted by a lack of fast tools.

Solution

Collecting evidence from a high volume of endpoints and finding the footsteps in thousands of artifacts is a challenging task for incident response service providers like Digifors. Thanks to remote evidence acquisition and triage, the Digifors team collected and analyzed more than 260 evidence types quickly and did the necessary triage to eliminate false positives and deep dive into the cases needing further investigation.

Triage at scale


Binalyze AIR also performs triage at scale using YARA, Sigma and OSQuery directly on the endpoint asset. This has allowed DigiFors to easily widen the scope of an investigation and quickly perform compromise assessment to understand which assets are included in a breach, which require a deeper investigation or can be eliminated as a false positive. The remote triage at scale with Binalyze AIR has delivered increased efficiency and allows DigiFors to quickly take control of the investigation and put the customers mind at ease.

Improved Efficiency with Automation and Collaboration

During a case, the most important pressure on incident response teams is time. That is why Digifors is using automation to eliminate repetitive activities. Some cases need collaboration or escalation to more experienced team members. With Binalyze AIR, the Digifors team can work in harmony on the same case to investigate and come to a conclusion much faster than before. With Binalyze AIR’s automation and collaboration capabilities, the Digifors team is now able to investigate and cover cases 30% faster.

Decreased Education and Onboarding Times

Binalyze AIR has an easy-to-use interface that allows incident responders to quickly implement, configure and start using it for forensic and incident response needs in minutes. “I can say that onboarding and learning how to use Binalzye AIR takes less than 30 minutes, which is very important for us, because spending a lot of time learning and configuring a tool, instead of using it for what it is purchased for, is time-consuming and that is something we want to avoid. Our goal is to deliver high-quality service to our clients on time.”

Reduce Your Incident Response Time

Reduce Your Incident Response Time