Region: US

From Alerts to Answers

Company Overview

SecureCyber is a U.S. based Managed Security Service Provider delivering managed detection and response, incident response, and proactive security services to small and mid market organizations across a range of industries. The company focuses on helping customers who lack dedicated in-house security teams improve visibility, respond to incidents quickly, and build long term cyber resilience.

This case study is based on an interview with Joe Tinney, Vice President of Cyber Operations at SecureCyber. Joe leads SecureCyber’s security operations and incident response services, bringing deep hands-on experience in digital forensics, threat investigation, and SOC enablement. He works directly with customers during high impact incidents and is responsible for designing scalable security services that work in real world environments.

The Challenges

Investigating complex incident in restricted and damaged environments

SecureCyber is often brought in to support organizations after a compromise has already occurred. In many cases, the environment is already heavily restricted to contain the threat.

In one investigation, the customer had fully isolated their systems from each other and from the internet. The domain controller was corrupted and could not reliably boot, new user accounts could not be created, and traditional live response methods were unavailable.

This created a situation where deploying tools remotely was impossible and continuing the investigation risked becoming slow, manual, and fragmented.

For an MSSP, these conditions pose serious challenges. Investigations stall, analyst effort increases, and confidence in findings can suffer at the exact moment clarity is most needed.

The Solution

Offline evidence collection and flexible investigation with Binalyze

To overcome these constraints, SecureCyber used Binalyze’s offline collection capabilities to continue the investigation without network connectivity.

Rather than relying on live access, evidence was collected by connecting directly to VMware virtual hosts and passing removable media through to the affected systems. In some cases, systems were booted using an alternative operating system to allow access to data where Windows could not be started.

Once collected, the evidence was transferred back into Binalyze and analyzed using the same investigation workflows used in live environments. This allowed the team to regain visibility, identify attacker activity, and understand the full scope of compromise despite the severely constrained conditions.

“The offline acquisition capability was critical. Without it, I would have been doing largely manual forensics.”

How Binalyze Is Used Today

A core platform for both reactive and proactive MSSP services.

Binalyze is now the primary forensic and investigation platform used across SecureCyber’s services.

During incident response, it is used when alerts from EDR or XDR tools are insufficient or inconclusive. Binalyze enables deeper investigation, validation of alerts, and forensic level visibility that complements existing detection tools.

Beyond reactive response, SecureCyber also offers a proactive compromise assessment service powered by Binalyze. Customers are scanned on a recurring basis, critical findings are reviewed monthly, and risks are systematically reduced over time.

Binalyze is also used internally to support analyst development. SOC analysts are trained using real investigation data, helping them understand what genuine malicious behavior looks like on an endpoint rather than relying only on alerts.

“They are blown away when they see what real malicious activity actually looks like on an endpoint.”

The Result

Faster investigations, higher confidence, and stronger service differentiation.

By standardizing on Binalyze, SecureCyber has significantly improved both operational efficiency and service quality. Investigations can continue even in disconnected or damaged environments. Analysts reach conclusions faster and with greater confidence. The team can handle more complex cases without relying on multiple forensic tools.

From a commercial perspective, Binalyze enables SecureCyber to offer higher tier services, extend engagements beyond incident response, and differentiate their MSSP offering in a competitive market.

‘We can investigate as far as EDR allows, but it does not pick up the same things that Binalyze does.’

Broader Impact

Turning investigations into education and long term value.

Binalyze has also helped how SecureCyber communicates with customers. Instead of presenting findings as abstract alerts or reports, investigations become collaborative and educational. Customers gain a clearer understanding of attacker behavior and why certain security policies matter.

This approach helps customers improve their own security practices and strengthens long term trust between the MSSP and the organization.

“When you show customers what attacker behavior actually looks like, the security controls suddenly make sense.”

Why Binalyze

Binalyze AIR has become a cornerstone of Blackpanda’s incident response operations. The platform’s efficiency gains, streamlined workflows, and collaborative features have enabled them to scale their operations effectively. Incidents now typically require just one responder each, enabling the team to handle a larger volume of cases while also delivering timely and comprehensive support to their clients.

The solution also proved instrumental in meeting stringent cross-border data residency requirements, a crucial factor for Blackpanda’s operations in Asia. The platform’s flexible deployment options allowed them to comply with local regulations while maintaining the speed and efficiency of their investigations. This alignment with regulatory requirements, combined with the platform’s scalability and cost-effectiveness, directly supported Blackpanda’s mission to democratize cybersecurity by making high-quality incident response services accessible to businesses of all sizes.

Recommendation

For security teams and MSSPs, real world investigations rarely happen in ideal conditions. Systems may be isolated, access may be limited, and time pressure is often high. In these moments, investigation capabilities need to remain effective even when traditional detection and live response tools fall short. SecureCyber’s experience reinforces the importance of flexibility, offline readiness, and deeper endpoint visibility to reach confident conclusions during complex incidents.

As Joe Tinney, Vice President of Cyber Operations at SecureCyber, puts it: ‘You’ve got to remain flexible in the face of adversity and use the tools that you have.’ This mindset underpins SecureCyber’s approach to incident response and long term investigation readiness.

Reduce Your Incident Response Time

Reduce Your Incident Response Time

Consolidated Clarity

Company Overview


Novawatch is a U.S.-based Managed Detection and Response (MDR) provider offering 24/7/365 monitoring, investigation, and threat detection services through a vendor-flexible approach.

Their MXDR model is built to extend the reach of security operations across networks, endpoints, and cloud infrastructure—supporting organizations that may not have large internal security teams but still expect high-touch support and rapid response.

Scaling investigations, not complexity

As Novawatch’s client base expanded and incident volumes surged, the pressure on their investigation workflow mounted. The team needed to go beyond alerting and detection—to deliver fast, forensic-backed answers, consistently and at scale.

While EDR and SIEM tools remained central to detection and correlation, they weren’t built for investigations. “We’d know a command ran—but not whether it completed successfully, what else was happening on the host, or who else was logged in at the time,” says Andrew Haslett, Director of Security Services. “It raised more questions than it answered.”

This lack of context beyond the alert made it difficult to confidently advise customers on what to do next. “We’d escalate and they’d ask, ‘Should we activate our IR retainer?’ Sometimes we couldn’t say for sure. We just didn’t have the depth of visibility.”

Attempting to close those gaps manually was both time-consuming and unsustainable. Analysts had to run one-off scripts, collect logs, and piece together fragments of information across systems. “It could take four to six hours per endpoint just to gather the right data—and that was before we even started the analysis. It became exponentially time-consuming with every new system,” Andrew recalls.

Compounding the issue was internal capacity. As customer numbers grew, the number of escalations followed. When a significant incident required deep investigation, it tied up senior analysts for days, leaving the team stretched and unable to fully support additional cases that came in during that time.

Junior analysts, while capable, didn’t have the tools or experience to independently support those investigations. The result: more pressure on the top tier, slower turnaround, and the constant risk of bottlenecks.

With growing scale, increasing investigation volume, and the expectation of quick, conclusive answers, Novawatch needed to rethink how they approached investigations.

The solution: AIR in Action


To overcome these challenges, Novawatch deployed Binalyze AIR—bringing structure, scale, and speed to their investigation workflow.

“With AIR, when an incident happens, we get the answers.
It’s as simple as that,” says Andrew Haslett.”

For each client, Novawatch can either pre-deploy or rapidly activate AIR’s lightweight Responder, a standalone package that acts like a virtual incident responder.

The Responder connects to the AIR platform to execute targeted forensic collection and investigative tasks including triage and analysis, providing wide coverage with minimal resource use.

Once active, AIR enables rapid, targeted and remote collection of forensic data across an organization’s assets.

Investigations typically begin with AIR’s automated Compromise Assessment capability— powered by DRONE and supported by built-in evidence analyzers.

This feature helps Novawatch quickly surface indicators of suspicious activity and automatically prioritizes findings, guiding analysts to the most relevant investigative leads.

If deeper analysis is required, Novawatch can also initiate full disk and memory imaging remotely, with evidence uploaded directly to their S3 bucket.

This eliminates the need to walk clients through downloading tools, managing large file transfers, or handling forensic maging manually.

“Before, you’d spend hours just figuring out what to collect and where to look,” says Andrew. “Now, with AIR’s acquisition capabilities and Investigation Hub, we have everything we need in a single case view— organized, timestamped, and accessible.”

AIR’s timeline analysis gives analysts a clear, navigable view of host activity, with tagging, filtering, and bookmarking that accelerates both triage and reporting.

“Being able to pull all that data and look through a specific time frame of what actually happened, tag and save the results—that’s been huge.”

Advanced features like InterACT, AIR’s live command line interface, and integrated osquery and YARA scanning give Novawatch even more control and context during investigations.

“Among other endpoint tools we’ve worked with, AIR offers a uniquely comprehensive level of investigative functionality,” Andrew says. “I’m a big fan of the osquery and YARA rule integration.”

Critically, AIR has enabled junior analysts to play a larger role in early-stage investigations. This relieves pressure on senior staff and improves overall capacity. “Instead of having to explain every step, we just say, ‘Use AIR.’

It gets us what we need, quickly and accurately.” For Novawatch, AIR has transformed investigations from a bottleneck into a business enabler—one that scales with them.

Use case: Investigating a Zero-Day

When an admin account at a client’s satellite office logged in from the Netherlands, Novawatch flagged the activity.

The client confirmed it was unexpected. A zero-day affecting their VPN, combined with shared AD credentials, left the door open—and visibility at that location was minimal.

Novawatch used AIR to gather forensic evidence and quickly assess for malicious activity. A full disk and memory acquisition followed, enabling the team to piece together what happened, what was accessed, and whether the attacker was still present.

“We used AIR to figure out what happened, what was taken, and whether the attacker was still active,” says Andrew. “We were able to answer all the key questions—fast.”

Raising the bar for MDR

Since adopting Binalyze AIR, Novawatch has significantly enhanced the quality and responsiveness of its investigations.

Novawatch now delivers same-day answers at scale, thanks to up to 70% time savings on data collection and 40% time-saving on time to insights, without compromising on depth or accuracy.

What started as alerting and escalation has evolved into a more responsive service. “AIR gives us the ability to dive much deeper into the forensic artifacts, pull them at scale, and investigate our clients’ environments faster,” Andrew explains.

Previously fragmented and manual, the investigation workflow is now structured, repeatable, and ready to scale.

Analysts can focus on the most relevant leads, deliver faster answers, and provide clear next steps—elevating Novawatch’s role from alert triage to trusted investigation partner.

In high-stakes moments, AIR helps validate threats and guide action. “We’ve used it many times to either prove or disprove that something is in our clients’ environment—and we’ve needed to act fast,” says Andrew.

The impact goes beyond the SOC. “We’re not just throwing alerts over the fence. AIR lets us deliver clarity. That’s powerful in sales conversations—and even more powerful in incidents.”

Conclusion

With AIR, Novawatch has strengthened both the substance and perception of its MDR service. The ability to deliver fast, forensic backed answers—along with clear, actionable recommendations— has become a meaningful differentiator and a driver of lasting client relationships.

Reduce Your Incident Response Time

Reduce Your Incident Response Time