Cybersecurity News and Blog | BitLyft

BitLyft AIR® v1.28: From Detection to Decision With Case Investigations

Written by Hannah Bennett | Jun 30, 2026 1:00:08 PM

BitLyft AIR® v1.28 is the biggest release we've ever shipped. For years, security teams have been working toward the same goal: spend less time figuring out what an alert means, and more time deciding what to do about it. Detection has never really been the hard part. Everything after detection is. Pulling logs, building context, retracing the user's day, deciding whether activity is normal or something to act on. Every case starts as a blank page.

As our AI SOC platform continues to evolve, AIR® now investigates every new case the moment it's created, delivers a clear verdict, and shows you exactly how it got there. Cases no longer start as a blank page. They start as a conclusion you can verify.

Building on the foundation of Ask Noah and Behavior Insights, Case Investigations (Beta) is the next step in our agent-driven approach to security operations. v1.28 also expands the BitLyft AIR® ecosystem with 12 new integrations, extending Custom Policies, Ask Noah, and Case Investigations across even more of your environment.

Case Investigations: Every Case Starts With a Verdict

BitLyft AIR® already centralizes detection, context, and response in cases. With v1.28, AIR® takes the next step. The moment a case is created, Case Investigations automatically reviews it, builds the behavioral context your team would normally have to gather by hand, and delivers a verdict backed by evidence.

For every investigated case, AIR® will:

  • Investigate the case automatically, with no analyst action required
  • Deliver a clear verdict: Benign, Malicious, or Inconclusive
  • Assign a confidence level to every verdict
  • Surface the behavioral context, evidence, and step-by-step reasoning behind each conclusion
  • Display verdicts and confidence directly in the Case Management list for at-a-glance triage

A New Behavioral Insights View

Investigated cases now open on a new Behavioral Insights view. Instead of leading with raw logs, AIR® leads with what happened and whether it's normal for the user, device, or IP involved.

Behavioral Insights organize context into clear signals:

  • Actor behavior: is this activity expected for this user or account?
  • Source behavior: is this IP or source consistent with known patterns?
  • Temporal behavior: does the timing look like automated or human activity?
  • Cross-case patterns: has AIR® seen and resolved similar cases before?

Each signal includes a plain-English finding and a "why it matters" explanation, followed by the key findings that drove the verdict. Context is built on demand and scoped to the case, so investigations stay fast and easy to explain.

Verdicts With Confidence

Every investigated case gets a verdict and a confidence level. AIR® also shows why it is confident, what raises confidence, what it could not confirm from the available data, and suggested steps to validate before closing.

Severity doesn't change how deeply a case is investigated. Every investigated case gets the same consistent, documented review.

Evidence and Investigation Steps

Two new tabs make every conclusion transparent and auditable:

  • Evidence shows every item AIR® collected to reach its verdict: related cases, event references, and query results, each tagged as AI-Investigated and linkable to the case timeline.
  • Investigation Steps shows the full, ordered trail of what AIR® did, including behavioral baselines, source and identity footprints, escalation checks, and cross-case lookups. Every step is timestamped and linked to supporting evidence.

Nothing is asserted without something an analyst can inspect.

Insights vs. Full Report

A simple toggle switches between Insights, the structured and scannable view of the investigation, and a Full Report, a complete narrative write-up. Use Insights for triage. Use the Full Report for documentation, escalation, or sharing with a customer.

You Stay in Control

Case Investigations is decision support, not an execution engine. In this release, AIR® does not run remediation actions and does not close cases on its own. Analysts review the evidence, agree or disagree with the verdict, and add their own notes. Disagreement is fully supported and never blocks an investigation. Analyst feedback during the Beta directly shapes the full release.

And Ask Noah is still right there in the case for any follow-up questions.

Twelve New Integrations

v1.28 also expands the BitLyft AIR® ecosystem with twelve new integrations. Once connected, each one brings its activity into AIR®, where your team can:

  • Create Custom Policies that detect the security-relevant activity that matters most for that source
  • Use Ask Noah to search its logs in plain English
  • Have new cases automatically investigated by Case Investigations during the Beta

The new integrations:

  • 1Password
  • Admin By Request
  • Automox
  • AWS CloudTrail
  • AWS GuardDuty
  • AWS Load Balancer
  • Bitdefender
  • Claude
  • Constellix
  • Kandji
  • Medrio
  • OpenAI

About the Beta

Case Investigations is launching as a Beta so we can refine it using real-world cases and customer feedback before the full release.

  • Beta period: June 30, 2026 through August 25, 2026
  • Scope: the first 10 cases created per day, per tenant, are automatically investigated. Cases beyond the daily limit will not receive an automatic investigation during the Beta.
  • After the Beta: Case Investigations will be turned off at the end of the Beta period. Everything we learn will be applied to the full release, and the capability will return as part of a future version of BitLyft AIR®.

This is early access to an evolving feature, so expect it to keep getting better throughout the Beta. Want to join the Beta?

From Detection to Decision

v1.28 is the biggest release we've ever shipped. It moves BitLyft AIR® from a platform that helps your team investigate cases faster to a platform that does the first investigation for them, with full transparency and the analyst always in control.

Combined with twelve new integrations, the result is broader coverage, faster decisions, and less manual investigation work on every case.

BitLyft AIR® v1.28 is our biggest step yet from detection to decision.

Availability

Case Investigations (Beta) is available to participating tenants beginning June 30, 2026 for users with the appropriate permissions, and runs through August 25, 2026.

Learn More

To see Case Investigations in action and explore the new integrations in your environment, book a 15-minute walkthrough.
