Introducing Live Endpoint Explorer in Magnet Nexus: triage in minutes, collect data with precision
WHAT’S NEW
- Endpoint triage without early visibility into what’s actually on a device leads to over-collection, missed insights, and wasted time during the critical early moments of an investigation.
- Live Endpoint Explorer in Magnet Nexus gives DFIR (digital forensics and incident response) and investigative teams fast visibility into endpoint file and folder trees — enabling precise data collection without switching between tools.
- Previewing the file system before collection reduces re-collection, unnecessary storage, and investigation delays.
- Additional compliance, auditability, and data processing capabilities strengthen the defensibility and governance of investigations, ensuring critical actions are documented and aligned with regulatory and internal audit requirements.
Every investigation starts with a decision
What artifacts do I collect? Where does the data reside? Do I have enough context to scope this incident?
In real-world DFIR investigations, incidents move fast, and teams are often piecing together answers from multiple, disparate tools. That fragmentation has a cost. Analysts spend time extracting, correlating, and context-switching instead of advancing the investigation, containing the threat, and restoring operations.
One of the most common bottlenecks arises at the outset of an escalated incident — when investigators lack quick visibility into the endpoint’s file system.
Without knowing what’s actually there before data collection, teams often:
- Over-collect data, increasing review time and storage costs
- Miss critical files and have to re‑collect
- Rely on multiple scripts, remote shells, or commercial tools to establish context
Live Endpoint Explorer in Nexus removes that friction
Live Endpoint Explorer gives analysts immediate visibility into an endpoint’s file structure right inside Nexus. Analysts can determine which endpoints are in scope and prioritize collection all in one workflow, saving time and reducing storage costs.
Live Endpoint Explorer allows analysts to:
- View the file and folder structure of a live Windows endpoint from within Nexus (Linux and macOS support coming soon).
- Select one or many files and folders for collection in a single workflow (in-product processing of data collected via Live Endpoint Explorer is coming soon).
- Combine this method of precise file collection with other collection methods already in Nexus, like artifact categories or memory collection.
- Maintain forensic integrity by preserving original metadata (including timestamps).
Triage use cases with more context
Live Endpoint Explorer lets analysts triage faster by giving them context in minutes and simplifying workflows: no scripts, tool switching, or legacy Enterprise DFIR solution expertise required. Junior analysts ramp up faster. Senior analysts stay focused on critical decisions and deep-dive analysis.
Here are a few ways this new capability can support you during triage:
- Persistence artifacts: confirm suspicious files exist in autorun paths that could indicate malware (Startup, AppData\Roaming, scheduled task XML) to guide deeper investigation.
- Exfil staging: spot large archives in unusual locations (C:\Users\Public\, temp, recycle bin) with suspicious names/timestamps, which can be insightful even without the ability to preview the files.
- Tool drop confirmation: validate IOCs (indicators of compromise) from filenames alone (mimikatz.exe, psexec.exe, nc.exe, SharpHound).
- DLP (data loss prevention)/HSD (highly sensitive document) alert verification: A DLP platform alert showed that a user sent a potentially sensitive file outside of the organization. Using the explorer, you can navigate directly to that folder and file to collect it and validate whether it is in fact the document in question, or search within the filename column to locate it within the drive.
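The name, location and size checks from the first three items above, applied to a file listing, as an added example that is not Magnet's code and does not use a Nexus API. The row format (path, size), the extension sets and the 500 MiB threshold are assumptions, and the sample rows are constructed.

```python
from pathlib import PureWindowsPath

# Constructed sample rows (path, size in bytes); the listing format is assumed.
LISTING = [
    (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe", 184_320),
    (r"C:\Users\Public\backup_q2.7z", 2_400_000_000),
    (r"C:\Windows\Temp\nc.exe", 61_440),
    (r"C:\Users\bob\Downloads\SharpHound.exe", 1_050_000),
    (r"C:\Users\alice\Documents\report.docx", 48_000),
    (r"C:\Users\alice\AppData\Roaming\app\settings.json", 2_048),
    (r"C:\Users\alice\Documents\photos.zip", 900_000_000),
]

AUTORUN_MARKERS = ("\\startup\\", "\\appdata\\roaming\\", "\\system32\\tasks\\")
# Task definitions under System32\Tasks are XML files without an extension.
RUNNABLE_EXT = {".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".lnk", ".xml", ""}
STAGING_MARKERS = ("c:\\users\\public\\", "\\temp\\", "\\$recycle.bin\\")
ARCHIVE_EXT = {".zip", ".7z", ".rar"}
LARGE_BYTES = 500 * 1024 * 1024  # hypothetical threshold: 500 MiB
TOOL_STEMS = {"mimikatz", "psexec", "nc", "sharphound"}  # names from the list above


def tags_for(path, size):
    """Return triage tags for one row, using only name, location and size."""
    p = PureWindowsPath(path)
    low = path.lower()
    ext = p.suffix.lower()
    tags = []
    if ext in RUNNABLE_EXT and any(m in low for m in AUTORUN_MARKERS):
        tags.append("persistence")
    if ext in ARCHIVE_EXT and size >= LARGE_BYTES and any(m in low for m in STAGING_MARKERS):
        tags.append("exfil-staging")
    if p.stem.lower() in TOOL_STEMS:
        tags.append("tool-drop")
    return tags


def triage(listing):
    """Return {path: tags} for rows that matched at least one heuristic."""
    hits = {}
    for path, size in listing:
        tags = tags_for(path, size)
        if tags:
            hits[path] = tags
    return hits


if __name__ == "__main__":
    for path, tags in triage(LISTING).items():
        print(", ".join(tags), "->", path)
```

A match only prioritizes a path for targeted collection; a filename or location alone does not confirm what the file is.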
Combine with Magnet Axiom Cyber for deep dive analysis
Many teams already rely on Magnet Axiom Cyber for deep dive/root cause analysis and reporting.
Nexus complements Axiom Cyber by handling triage and targeted collection at scale. Collected data can then be exported for analysis in Axiom Cyber, and combined with all other data sources, when needed.
Together, teams get:
- Cloud‑based triage and data collection (targeted logical or full disk) with Nexus
- Powerful on‑prem analysis with Axiom Cyber, combining multiple data sources into one case for a complete view of an incident
- Flexibility to choose the right tool at each stage of the investigation, without redeploying agents
For teams coming from legacy Enterprise DFIR tools, Live Endpoint Explorer brings a familiar capability into a modern, SaaS‑based workflow. Exploring the file system before deciding what data to collect has long been part of effective digital investigations. Nexus now delivers that experience in a way that’s faster and easier to use, without the overhead of complex, legacy tooling or pivoting between several solutions.
More recent updates to Magnet Nexus
Auditability and compliance are critical for maintaining control, accountability, and defensibility when handling sensitive data in Nexus. To strengthen this, we’ve introduced:
- New user role “service account” — the new “service account” role in Nexus enables access to manage users and audit account activity in Nexus. An IT Manager could fulfill this role.
- New user audit report — Organization administrators can now generate a user audit report for a selected date range. This report provides visibility into user actions, including added users, roles changed, cases created, and endpoints collected.
- New AWS region – United Kingdom (UK): From the Region drop-down list in Nexus, the United Kingdom is now included as a supported AWS region.
Also, we’ve added the ability to process data in Nexus for pre-set targeted location collections, and the ability to queue up a collection of an offline endpoint. Set up the collection and as soon as the endpoint reconnects to a network, the collection starts.
See Magnet Nexus in action
Live Endpoint Explorer is available to all Nexus users now.
Learn more about this new capability and all of the benefits Nexus delivers in our upcoming webinar, Inside Magnet Nexus for scalable remote endpoint investigations, or talk to your Magnet sales representative to get a demo or free trial of Nexus today.