DFIR Catalog
Every routable page in the DFIR / security-toolkit area - 130 pages across 20 hubs. Search by name, route, or keyword, or filter by category. New pages are added to the home page and the sidebar automatically.
Overview - 2
Catalog and entry points for the DFIR / security toolkit area.

IOC Triage - 6
Check, extract, and track indicators across 24+ sources - IP, domain, URL, hash pivots with cross-source consensus.

IOC Investigator
Cross-source investigation hub — paste any indicator type and pivot across all sources.
/dfir/ioc-investigate

IOC Extractor
Pull IOCs from any text blob — refang-aware.
/dfir/extract

IOC Lifecycle
Track an IOC from collection to enrichment to retirement.
/dfir/ioc-lifecycle

Certificate Transparency Monitor
Watch CT logs for new certificates matching your watchlist.
/dfir/ct-monitor

Abuse Reputation
Cross-source reputation: AbuseIPDB, Spamhaus, OTX, URLhaus.
/dfir/abuse-rep

X-VERDIKT Multi-Source Verdict (new)
Streaming verdicts from X (Twitter) intelligence feeds.
/dfir/x-verdikt

Malware Analysis - 3
Triage, parse, and deobfuscate samples - stealer logs, packed binaries, malicious documents, and PCAPs.

Malware Analyzer
PE / ELF / Mach-O static analysis with import hashing + section entropy.
/dfir/malware-analyzer

Infostealer Log Parser
Parse RedLine / Raccoon / Vidar / LummaC stealer logs — credentials, system, browser data.
/dfir/stealer-parser

Bloom Filter Lookup
Membership-test against a corpus of known-bad indicators.
/dfir/bloom

File & Binary Analysis - 10
Decode, hash, and inspect binaries, encoded payloads, and document formats - runs entirely in the browser.

Decoder
base64 — hex — url — rot13 — zlib — gzip — chained auto-detection.
/dfir/decode

Encoder
Reverse of Decoder — encode any text to any of the supported formats.
/dfir/encoder

Hash Calculator
MD5 — SHA1 — SHA256 — SHA512 — SSDEEP — TLSH — drag a file in.
/dfir/hash-calc

Timestamp Converter
Epoch — Windows FILETIME — Unix — human — bidirectional.
/dfir/timestamp

PE Static Analyzer Lite
Sections, imports, exports, version info — 0x12 lite profile.
/dfir/pe

APK Analyzer
Manifest + permissions + signing certs + native libs.
/dfir/apk-analyzer

EXIF / Metadata Parser
EXIF — IPTC — XMP — MakerNotes — camera, GPS, software fingerprints.
/dfir/exif

Plist & Protobuf Decoder
Apple binary plist + protobuf human-readable view.
/dfir/plist-protobuf

Punycode / Homoglyph Viewer
Visualise IDN homograph attacks — Cyrillic vs Latin lookalikes.
/dfir/punycode

PowerShell Deobfuscator
Unroll encoded / base64 / invoke-expression chains — step by step.
/dfir/powershell-deobf

Artifact Parsers - 8
Endpoint forensic artifacts - PCAP, registry, EVTX, SQLite, browser, mobile, and web logs.

PCAP Triage
Protocol breakdown — top talkers — DNS / HTTP / TLS summaries.
/dfir/pcap-triage

Registry Hive Explorer
Browse — search — diff Windows registry hives offline.
/dfir/registry-hive

EVTX Parser Lite
Parse Windows Event Log files — event IDs, channels, time-range filter.
/dfir/evtx

SQLite Artifact Explorer
Browser profile — chat history — mobile backups — query in-browser via WASM.
/dfir/sqlite

iOS Backup Explorer
Manifest.db — plists — SQLite artifacts from a local iTunes backup.
/dfir/ios-backup

Web Server Log Analyzer
Apache — nginx — IIS access logs — anomaly detection + pivots.
/dfir/web-log

Prefetch Analyzer Lite
Parse Windows Prefetch files — execution evidence, run count, last run time.
/dfir/prefetch

REGSCOPE Registry Analyzer (new)
Multi-hive registry scope: persistence, autoruns, services, scheduled tasks.
/dfir/regscope

Domain & Network - 10
WHOIS, DNS, reputation, certificates, and infrastructure pivots - passive reconnaissance, no active scanning.

Domain Investigator
Cross-source domain investigation hub — 6 aliases route here (domain-rep, webcheck, etc.).
/dfir/domain-investigator

WHOIS History Explorer
Historical WHOIS pivots — registrant, nameserver, status changes.
/dfir/whois-history

ASN Lookup
ASN details — prefix ranges — peer relationships.
/dfir/asn

Certificate Search
crt.sh-style CT log search for a domain — subdomains — cert chain.
/dfir/cert-search

Subdomain Takeover
Detect dangling DNS records vulnerable to subdomain takeover.
/dfir/takeover

DNSCOPE Infrastructure Map (new)
Graph view of a domain's nameservers, mail servers, and cross-delegations.
/dfir/dnscope

Host Graph
Graph of related domains, IPs, and ASNs for a target.
/dfir/host-graph

Wayback Machine
Search historical snapshots for a URL — changes over time.
/dfir/wayback

IP Geolocation
IP — country / city / ASN / org / hosting type.
/dfir/ip-geo

Passive DNS (new)
Historical DNS resolution data for infrastructure tracking — migrations + fast-flux detection.
/dfir/passive-dns

Asset & Attack Surface - 4
Exposed-host analysis, asset intelligence, and web vulnerability scanning - see what an attacker would see.

Asset Intelligence
Aggregate asset inventory — domains, subdomains, services, certificates.
/dfir/asset-intel

Exposed Host
Per-host exposure score and evidence — services, versions, CVEs.
/dfir/exposed-host

Open Directory Scanner
Detect misconfigured web servers exposing file listings.
/dfir/open-directory

URL Preview
Safe, sandboxed preview of a URL — headers, redirects, screenshot.
/dfir/url-preview

Email Security - 9
Phishing analysis, BEC defense, and email authentication audits - SPF / DKIM / DMARC / BIMI without sending data off-host.

Email Defense
SPF / DKIM / DMARC / BIMI audit with failure modes called out.
/dfir/email-defense

Phishing Analyzer
URL + sender + header analysis with risk score.
/dfir/phishing

DMARC Analyzer
Parse a DMARC aggregate report (RUA) — alignment, volume, failures.
/dfir/dmarc-analyzer

EML Extractor
Headers — body — attachments — URL / hash extraction from a .eml file.
/dfir/eml

Email Deliverability Tester
Paste or upload a raw .eml to get spam score, SPF/DKIM/DMARC alignment, and inbox-placement suggestions.
/dfir/email-deliverability

Email Reputation
Sender domain + IP reputation with deliverability signals.
/dfir/email-rep

PhishBook
Curated playbook of phishing patterns, lures, and IOCs.
/dfir/phishbook

PHISHOPS
Phishing-as-a-service operator catalog and tracking.
/dfir/phishops

URL Reputation
Cross-source URL reputation — PhishTank, OpenPhish, Google Safe Browsing.
/dfir/url-rep

Identity & OSINT - 10
Username, email, phone, image, and social reconnaissance - cross-platform pivots for a single subject.

Username Investigator (alias)
Alias of /dfir/username — the canonical page.
/dfir/username-investigator

Phone OSINT
Phone number — carrier, country, line type, breach presence.
/dfir/phone-osint

Weather OSINT
Reverse geocoding + historical weather for a timestamp + coordinates.
/dfir/weather-osint

SOCMINT
Social-media intelligence — X / Reddit / Telegram / Mastodon pivots.
/dfir/socmint

OSINT Mapper
Build a mind-map of an investigation — nodes are entities, edges are pivots.
/dfir/osint-mapper

Breach Lookup
Email / username / domain — cross-correlate public breach corpora.
/dfir/breach

Reverse Image Search
Multi-engine reverse image — Google, Yandex, TinEye, Bing.
/dfir/reverse-image

Brand Impersonation
Detect typosquats / look-alike domains targeting your brand.
/dfir/brand-impersonation

Image Fingerprint
Perceptual hash (pHash, dHash) for image clustering & de-duplication.
/dfir/image-fingerprint

Screenshot Intel
Extract text + URLs + indicators from a screenshot — OCR pipeline.
/dfir/screenshot-intel

Vulnerabilities - 4
CVE lookup, prioritisation, exploit intel, and dependency scanning - know what to patch first.

CVE Lookup
Single-CVE detail — NVD, KEV, EPSS, exploit availability.
/dfir/cve

CVE Prioritizer
CVSS + EPSS + KEV + ransomware-use — single patch-priority call.
/dfir/cve-prioritizer

CVE Resources Catalog
Curated list of CVE databases, exploit trackers, vendor PSIRTs.
/dfir/vuln-toolkit

OSV Dependency Scan
Paste a manifest.json / package-lock / requirements.txt — known vulns.
/dfir/osv-scan

Detection Engineering - 10
Author, convert, and test detection rules - Sigma, KQL, SPL, YARA, ATT&CK mapping, hunting queries.

Rule Converter
Sigma — KQL — SPL — YARA via one canonical IR.
/dfir/rule-converter

YARA Workbench
Collaborative YARA editor with malware test corpus.
/dfir/yara-workbench

Threat Graph
Indicator — relationship graph — visual pivot from any node.
/dfir/threat-graph

ATTMAP-AI (new)
AI-assisted mapping of detection rules to ATT&CK techniques.
/dfir/attmap-ai

Hunting Query Generator
AI-assisted KQL / SPL / Lucene generation from a hypothesis.
/dfir/hunting-query-generator

AI Rule Generator
Generate a Sigma/YARA rule from a natural-language description.
/dfir/ai-rule-generator

FP Lens
False-positive analyst — score a detection against historical FPs.
/dfir/fp-lens

IR Playbooks
Step-by-step playbooks for common incident types.
/dfir/ir-playbooks

Tools About
About the DFIR toolkit — principles, design, and feature flags.
/dfir/tools/about

TRACERULES (new)
Trace a rule back to its source intel — coverage and lineage.
/dfir/tracerules

STIX / TAXII - 1
STIX 2.1 bundle builder, TAXII server, and viewable graph - interoperable CTI artefacts.

Cloud Security - 9
IAM, network, secrets, and configuration analysis for AWS, GCP, Azure, and Kubernetes.

AWS IAM Analyzer
Parse a downloaded IAM policy — find privilege escalation paths.
/dfir/iam-analyzer

GCP IAM Analyzer
GCP IAM policy + role analyzer.
/dfir/gcp-iam

Azure RBAC Analyzer
Azure RBAC role assignments — least-privilege check.
/dfir/azure-rbac

Security Group Analyzer
AWS security group visualizer — 0.0.0.0/0 + port exposure heatmap.
/dfir/sg-analyzer

CloudTrail Triage
Filter CloudTrail logs for an incident timeframe — IAM, EC2, S3, KMS.
/dfir/cloudtrail-triage

K8s RBAC Analyzer
Kubernetes Role/ClusterRole analyzer — risky verbs, secrets access.
/dfir/k8s-rbac

Terraform Scanner
Static analysis of HCL — misconfigurations + drift.
/dfir/terraform-scan

Non-Human Identity (NHI)
Catalogue service accounts, API keys, OAuth grants.
/dfir/nhi

Zero-Trust AI Agents
Verify identity + intent for autonomous agent actions.
/dfir/zero-trust-ai-agents

AI Security - 9
LLM red-teaming, prompt-injection defense, MCP audit, and agent attack-surface analysis.

Prompt Injection
Test a prompt against a curated set of injection payloads.
/dfir/prompt-injection

MCP Audit
Audit a Model Context Protocol server for tool-poisoning vectors.
/dfir/mcp-audit

Agent Investigator
Investigate an autonomous agent — tool calls, prompt history, exfil.
/dfir/agent

Agent Map
Visualise an agent's reachable tools and data sources.
/dfir/agent-map

INSIGHT-AI
AI-assisted incident summarisation and pattern detection.
/dfir/insight-ai

QUERYCRAFT-AI
AI-assisted KQL / SPL / Lucene generation.
/dfir/querycraft-ai

CHRONO-AI
AI-assisted timeline reconstruction from logs + reports.
/dfir/chrono-ai

MALBRIEF-AI
AI-assisted malware family briefing from sample + sandbox output.
/dfir/malbrief-ai

VERDIKT-AI
AI-assisted IOC verdict — explain cross-source disagreement.
/dfir/verdikt-ai

API & Application Security - 8
OpenAPI, GraphQL, JWT, secrets, and headers - application-layer security analysis.

OpenAPI Auditor
Lint an OpenAPI spec — missing auth, schema issues, PII exposure.
/dfir/openapi-audit

GraphQL Auditor
Introspection + query depth/complexity + authz analysis.
/dfir/graphql-audit

JWT Inspector
Decode — verify — alg-confusion check — claim analysis.
/dfir/jwt

Security Headers Analyzer
CORS — CSP — HSTS — X-Frame-Options — graded report.
/dfir/sec-headers

Live Security Headers
Third-party live HSTS/CSP/X-Frame-Options scan via IntoDNS.ai with ready-to-paste Nginx/Apache/Caddy/Cloudflare configs.
/dfir/sec-headers-live

Secret Scanner
Scan a text blob / repo for API keys, tokens, private keys.
/dfir/secret-scan

Google Dorks Builder
Compose a Google dork for a target — site:, inurl:, filetype:.
/dfir/google-dorks

Log Parser
Generic log parser — pattern detection + anomaly highlighting.
/dfir/log-parser

AI Copilot & Investigation - 6
Conversational copilots and AI-assisted investigation workbenches - natural-language pivots.

DFIR Copilot
Conversational copilot — ask in plain English, get a runbook.
/dfir/copilot

Multi-Search
Query 30+ intel sources in parallel — paste an IOC or entity.
/dfir/multi-search

TRACER
Cross-chain transaction tracer for AML and ransomware investigations.
/dfir/tracer

TRACEPULSE
Real-time crypto flow monitor — alerts on suspicious wallet activity.
/dfir/tracepulse

QUICKTRACE
Quick lookup for a crypto address or transaction hash.
/dfir/quicktrace

PIVEX
Pivot explorer — graph-style pivots from any entity.
/dfir/pivex

Reports & Export - 4
Draft investigation reports, ingest external reports, and export IOCs to any standard format.

Report Analyzer
AI summary — IOC extraction — MITRE TTP mapping — STIX bundle.
/dfir/report-analyzer

Report Composer
Cover — summary — findings — IOCs — sources — TLP — export to PDF/DOCX.
/dfir/report-composer

Export Hub
Export IOCs to STIX 2.1, MISP, Sigma, YARA, Snort, Suricata, CSV.
/dfir/export-hub

Blocklist Export
Generate network blocklists (pfSense, MikroTik, Cisco) from IOCs.
/dfir/blocklists

Dark Web & Privacy - 3
PGP, Tor, and dark-web workbench - the on-ramp and off-ramp tooling for sensitive investigations.

GRC & Posture - 7
Compliance, maturity, tabletop exercises, and reference frameworks - policy and posture.

GRC Toolkit
Control mapping — risk register — vendor assessment.
/dfir/grc

LOLBins
Living-off-the-land binaries — search by binary or behaviour.
/dfir/lolbins

Data Classification
Tag data with sensitivity + handling requirements.
/dfir/data-classification

Privacy Hub
GDPR / CCPA references, DPIA templates, privacy notice generator.
/dfir/privacy-hub

Personal Security
OPSEC checklist — threat-modelling for individuals.
/dfir/personal-security

DLP Scan
Data-loss-prevention scan for files + clipboard + screenshots.
/dfir/dlp-scan

Linux IR Triage
Bash one-liners for live Linux incident response.
/dfir/linux-triage

Frameworks & Models - 7
Reference frameworks, attack models, and visual matrices analysts use to structure intrusions and security programs.

ATT&CK Navigator
Layered ATT&CK matrix — coverage heatmap, gap analysis.
/dfir/attack-navigator

Attack Chain
Visualise a multi-stage attack as a connected kill-chain.
/dfir/attack-chain

Cyber Kill Chain
Lockheed Martin 7-phase kill chain with ATT&CK cross-links.
/dfir/kill-chain

Diamond Model
Adversary — capability — infrastructure — victim — reference.
/dfir/diamond

OWASP Top 10
Web 2021 — API 2023 — LLM 2025 reference + checklist.
/dfir/owasp

MITRE Matrix
Static reference view of the MITRE ATT&CK matrix with tactic/technique lookup.
/dfir/mitre-matrix

Tabletop Exercises
Scenario-driven tabletop exercises — pick a scenario, run it.
/dfir/tabletop