Ready to investigate smarter?
AI eyes on your evidence. Open source. On your machine. Your conclusions.
AI that investigates with you — turning screenshots and artifacts into a forensic timeline, findings, IOCs, attacker path, and reports. First responder speed, on your machine.
The "so what" layer — not another detection engine.
Your detection tools (Velociraptor, Security Onion, Chainsaw, Hayabusa, THOR, EDR/SIEM) already find the hits. DFIR Companion ingests their verdicts, correlates them across tools into one forensic timeline, and synthesizes the findings, attacker path, IOCs, and report. The value is in the correlation and narrative, not re-deriving alerts.
For each case the AI constructs and maintains a complete investigation state from your evidence.
Real incident events with true timestamps from artifacts — process creation, logons, network connections, file MAC times. Not the capture log.
cross-source correlationPer-technique analytic conclusions with severity, MITRE mapping, and AI confidence score (0–100). Color-coded badges: green ≥80, yellow 50–79, red <50. Filter by min confidence.
confidence-scoredIndicators with enrichment verdicts (VirusTotal, MISP, YETI, AbuseIPDB, CrowdStrike, Hunting.ch). Push IOCs + MITRE to MISP. Full kill-chain narrative.
enriched + MISP exportInteractive graph showing which indicators touched each compromised host, account, or service. Drag nodes to reposition. Zoom, fullscreen, multiple layouts.
interactive + dragCausal attack graph: process trees + lateral movement + file lineage + network flows. Trace the full path end to end — spawned, lateral-move, ran-on, wrote-file, executed-file, network edges with confidence levels.
deterministic — no AIFree-form Q&A grounded in the evidence: "was data exfiltrated?", "was a USB connected?". If unknown, tells you what to collect next.
evidence-groundedFull incident report following the AnttiKurittu template. Executive summary, BIA, timelines, conclusions. One-click PDF. Push to DFIR-IRIS, Timesketch, and MISP.
exportableFrom any event or IOC, generate ready-to-run queries: Velociraptor VQL, KQL, SPL, Sigma, YARA, Suricata, Elastic ES|QL. Zero AI cost — deterministic templates.
7 platformsCheck victim org domains & emails against LeakCheck, HIBP, DeHashed, and Shodan. Strict customer boundary — adversary IOCs never queried. No raw passwords stored.
v0.11 — credential leak checkHand-label any entity with triage tags (confirmed-malicious, false-positive, key-evidence…). Star important events. Multi-select bulk actions. Tags survive re-synthesis.
v0.11 — analyst-drivenMV3 extension: timer + event-driven (navigation, tab switch, click). Ctrl+Shift+S hotkey. Offline queue. Per-case attach. Evidence-first persistence.
lossless PNGReversibly tokenizes internal IPs, usernames, hostnames before the LLM sees them. Adversary IOCs preserved. Per-case toggle. Default on.
OPSEC-firstGroups timeline events into bursts by time gaps — initial access, persistence, lateral movement, exfil. Each phase labeled with dominant ATT&CK tactic. No AI, purely algorithmic.
v0.14 — temporal clusteringAll configuration in one place: investigator name, AI provider/model/keys, enrichment & exposure provider keys, integrations (IRIS, Timesketch, Velociraptor, MISP), and section visibility — drag-reorderable.
v0.14Per-case scratchpad for hypotheses, notes, and open questions. Typed entries (hypothesis/note/question) with colored badges. Survives re-synthesis. Included in reports.
v0.14 — AI-awareProse story-mode view of the incident for management and non-technical stakeholders. AI-generated, editable, included in reports §3.2.
v0.14 — story modeStart new cases pre-loaded with investigation questions: Ransomware, BEC, Insider Threat, Web App Intrusion, General Malware. Custom templates supported.
v0.14 — workflowRename, add, or suppress assets and manually link assets to IOCs. Overrides persist per case, survive re-synthesis. Full audit trail in the asset graph.
v0.14 — graph editingAI-generated checklist from Critical/High findings + next steps. Optional IR-template expansion. Push to DFIR-IRIS or ClickUp. Tasks get stable short IDs (T001, T002…).
v0.16 — IR workflowGenerate VQL hunts from findings with rationale — one-click deploy across all endpoints. Dedicated AI model for VQL. Collection results pulled inline.
v0.19 — AI-suggested huntsPer playbook task, suggest a Velociraptor hunt. Endpoint-tied tasks deploy as single-client collections; others as fleet hunts. Suggestions persist, only new/changed tasks re-generated.
v0.19 — per-task VQLInstallable read-only PWA — case status, worst findings, recent timeline, IOC verdicts. Quick glances during IR from your phone. Navigate to /mobile.
v0.19 — on-the-goVolatility 3 + Rekall importer: process trees, network connections, injected code (T1055), services, modules. Zero AI — pure parsing.
v0.19 — memory analysisauditd, journald JSON, sysdig/Falco alerts + events — auto-detected by Import button. Full Linux IR alongside Windows.
v0.19 — Linux IRPhishing & BEC triage: SPF/DKIM/DMARC checks, spoof heuristics, IOC harvesting. MITRE T1566 mapping.
v0.18 — phishing triageKnown ATT&CK groups ranked by technique overlap — sub-technique-aware scoring. Not attribution, but narrows the landscape. Dashboard panel + report.
v0.18 — sub-technique awareExport STIX bundles to any TIP. Navigator layer JSON — techniques colored by severity. MISP push + Notion export.
v0.18 — multi-format exportShareable ZIP for external parties: IPs/hosts/users tokenized to ANON_*, secrets redacted, screenshot EXIF stripped + PII blurred. No AI keys included.
v0.19 — safe sharingExport/import one JSON — timeline, findings, IOCs, graph, analyst decisions. Restore on another machine. No AI keys or machine config.
v0.19 — cross-machineFull-coverage theme toggle. Follows OS preference by default, manual choice persists. Every panel, graph, canvas themed. Night-mode DFIR.
v0.19 — theme persistenceSlack / MS Teams webhooks + SMTP email for findings, playbook updates, milestones. Per-channel severity thresholds. Opt-in.
v0.19 — Slack/Teams/EmailAuto-mark matching events + IOCs legitimate on import. Flat hash set or direct query the full ~160GB NSRL RDS SQLite DB — never loaded into memory.
v0.19 — false positive reductionBranded layouts — accent colour, cover, running header/footer with placeholder interpolation. Built-ins editable in place, selected per case.
v0.19 — branded reportsInteractive asset/time chart with selection, scope-to-view, and PNG/SVG export. See which host was active when — at a glance.
v0.17 — visual timelineDrop any file. The server sniffs the structure and routes it to the right importer. Most are deterministic — zero AI calls, zero cost.
Cheap vision extraction per screenshot batch → forensic timeline. One strong text-only synthesis → findings, attacker path, conclusions.
Browser extension screenshots your investigation. Import any artifact file — auto-detected, zero config.
→Deterministic parsers + cheap AI vision extract forensic events. Cross-source deduplication. Evidence stays on disk.
→One strong model call: findings, IOCs, MITRE, attacker path, key questions. Markdown + HTML + PDF + push to IRIS/Timesketch.
Every design decision favors local-first, evidence-stays-on-box, your-AI-your-choice.
Binds 127.0.0.1. Evidence on disk. AI provider is yours to choose — OpenAI, Ollama, local LiteLLM, Gemini. Nothing phone-home.
Internal IPs, usernames, hostnames reversibly tokenized before the LLM. Adversary IOCs preserved. Per-case toggle, default on.
Local sources (your MISP/YETI) by default. External (VirusTotal, AbuseIPDB) opt-in with confirm. Reachability gate — down servers skip, not fail.
No install. Unzip, double-click, dashboard opens. Built with Node SEA — single portable binary with dashboard assets embedded.
One command: docker compose up. Localhost-only by design (Compose maps port back to 127.0.0.1). Evidence persists on volume.
Capture-only mode by default. Turn AI on when ready — it backfills everything captured while off. Deterministic imports still populate timeline.
Share findings externally safely — internal IPs/hosts tokenized, secrets redacted, screenshot EXIF stripped + PII blurred. No AI keys in the ZIP.
Full theme coverage — every panel, graph, swimlane canvas. Follows OS preference, persists per-session. Night-shift DFIR without eye strain.
Export the full case state (no AI keys, no machine config) as one JSON. Import on another machine and continue. Cross-team collaboration without credentials leakage.
AI eyes on your evidence. Open source. On your machine. Your conclusions.