A single-tenant DFIR platform. Self-hosted on a private appliance you control. Collect, ingest, process, analyse, and report. The whole investigation lifecycle, on evidence that never leaves your network.
Stand up M-Engine on a single VM in your environment. Generate a per-case collection agent. Run it as administrator on the host you are investigating. The engine ingests, processes, analyses, and writes the report.
Nothing leaves your network unless you choose to enrich with external threat intelligence using your own keys.
Most AI-driven investigation tools ask the model to do the forensics. That is the wrong shape. A registry hive does not need an opinion. It needs a parser the court will accept.
M-Engine inverts the relationship. Field-tested DFIR parsers do the forensics, deterministically. AI is layered on top: drafting reports, surfacing patterns across hundreds of artefacts, attributing tooling to known threat actors. Reproducibility where it matters. Intelligence where it adds value.
M-Engine processes the live memory of the host as a first-class artefact. That is the most recent activity on the box, the data that will be lost on reboot, the in-memory C2, the injection, the credential cache, the runtime configuration that has never touched the disk.
Most AI-led DFIR products quietly omit this. We do not. Volatility 3, custom YARA rules, and our own runbooks run automatically as part of every case.
Windows and Linux endpoints, end to end. Manual artefacts welcome.
Windows: Live memory. MFT and journal. Event logs. Registry hives. Prefetch, Shimcache, Amcache. Scheduled tasks. WMI persistence. Recycle Bin. Jump lists, LNK files. Browser artefacts (Chrome, Edge, Firefox, Brave, Vivaldi, Opera, Tor). SRUM, Thumbcache, RDP cache, OneDrive sync logs, Windows Error Reporting, Windows Timeline.
Linux: Live memory. Identity files. Auth logs, syslog, journald exports. Audit logs. Bash history. Cron and systemd units. SSH artefacts. Logon history (utmp / wtmp / btmp). Per-user browser profiles (Chrome, Chromium, Firefox, Brave, Vivaldi), including snap and flatpak variants.
Drop a single hive, an EVTX, or a memory dump into a case for ad-hoc analysis. Same parsers. Same workbench.
Generate a signed, per-case collection binary. Run it as administrator on the target host. It captures volatile state and at-rest artefacts in minutes, with full chain-of-custody hashing.
Windows agent and Linux agent. Same workflow.
The Linux agent acquires memory via AVML, walks the standard auth and journal paths, captures cron and systemd persistence, and bundles it all with chain-of-custody hashes. Snap and flatpak browser variants included.
Drop the collection zip into the case. Field-tested parsers extract structured evidence from every artefact category in parallel. Memory imaging runs in triage mode by default, deep mode when you need it.
Findings populate automatically as processing completes. Suspicious scheduled tasks, deleted executables in the Recycle Bin, persistence bindings, unusual logons, anti-forensic markers. The investigator opens the case to a starting position, not an empty page.
Ask questions of the parsed evidence in plain English. The AI reads the structured outputs, cites the specific files and line ranges it draws from, and records significant findings to the case as it goes.
Context survives across queries, sessions, and the final report.
Optional threat intelligence enrichment using your own keys. Reputation services queried on demand, not speculatively. The AI calls them when it needs context, then cites the result.
Two structured AI analyses per case, manually triggered. Each walks the evidence, reasons about timeline and tooling, and returns a confident assessment with citations, or an explicit "insufficient evidence" verdict. No manufactured narrative.
A formatted investigative document. Executive summary, methodology, findings, technical appendices, and a full citation chain back to source artefacts. The audit chain validates from collection through final report.
Mounts onto your own storage. Runs on a single VM. Auto-starts on boot. Discoverable on your LAN by hostname.
Nothing leaves your network unless you choose to enrich. Threat intelligence keys are yours.
Every action recorded. You can prove what happened, when, and by whom. End to end.
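The chain-of-custody hashing described for the collection agent and the audit chain that validates from collection through final report rest on one mechanism: a manifest of artefact hashes, then a hash-linked log in which every entry commits to the previous one, so any edit after the fact breaks verification. The Python below is an added illustration of that mechanism, not M-Engine's own code or record format; the field names, the genesis sentinel and the sample artefacts are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed sentinel used as the "previous hash" of the first audit entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(artefacts: dict) -> dict:
    """Map each collected artefact path to the SHA-256 of its bytes (the collection manifest)."""
    return {path: sha256_hex(data) for path, data in sorted(artefacts.items())}

def canonical(body: dict) -> bytes:
    """Stable JSON encoding so the same entry always hashes the same way."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def append_event(chain: list, actor: str, action: str, detail: dict) -> dict:
    """Append an audit entry whose hash covers its own fields and the previous entry's hash."""
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    body = {"seq": len(chain), "actor": actor, "action": action, "detail": detail, "prev_hash": prev}
    entry = dict(body, entry_hash=sha256_hex(canonical(body)))
    chain.append(entry)
    return entry

def verify_chain(chain: list):
    """Recompute every link; return (True, None) or (False, index of the first broken entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body.get("seq") != i or body.get("prev_hash") != prev or sha256_hex(canonical(body)) != entry["entry_hash"]:
            return False, i
        prev = entry["entry_hash"]
    return True, None

def demo():
    # Constructed stand-ins for collected artefacts; a real run would hash the files in the collection zip.
    artefacts = {"Windows/Prefetch/CMD.EXE-ABC123.pf": b"constructed prefetch bytes",
                 "Windows/System32/config/SYSTEM": b"constructed hive bytes"}
    chain = []
    append_event(chain, "agent", "collect", {"manifest_sha256": sha256_hex(canonical(build_manifest(artefacts)))})
    append_event(chain, "engine", "process", {"parsers": ["prefetch", "registry"]})
    append_event(chain, "analyst", "report", {"format": "docx"})
    tampered = [dict(e) for e in chain]
    tampered[1]["detail"] = {"parsers": ["prefetch"]}  # silently edit a processing record after the fact
    return verify_chain(chain), verify_chain(tampered)
```

Running `demo()` returns `((True, None), (False, 1))`: the untouched chain validates end to end, while the edited copy fails at the exact entry that was altered.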
Single-tenant appliance. Mounts your storage. Starts on boot. No multi-tenant cloud.
M-Engine is for analysts who want AI that earns its place, not AI that replaces the workflow. The forensic foundation is rigorous because forensics demands rigour. The intelligence layer is AI-driven because synthesis at scale is what AI does well.
Use M-Engine when you need to produce a defensible investigation. Quickly. With your own analysts in the loop. On evidence that never leaves your control.
Demo against representative artefacts. We show you the pipeline, the workbench, and the audit chain.