TOOL FAMILY

Cybersecurity and DFIR.

Defensive instruments for incident evidence, telemetry, resilience, threat hypotheses and blast-radius analysis.

INSTRUMENTS

Purpose-built tools in this family.

Each instrument has a method, assumptions, limitations, example output and exportable artifact.

DFIR Evidence Map Builder

Builds an evidence source matrix and investigation sequence for a selected incident scenario.

Best for: DFIR evidence timeline and matrix
Input: 5 categorical evidence fields
Output: DFIR evidence timeline and matrix
Method: incident timeline
Maturity: Beta · v2.9
Limits: Does not perform forensics.
Exports: copy, Markdown, JSON, CSV
Tags: Cybersecurity, DFIR

KEV Exposure Triage Tool

Prioritizes review of a known-exploited vulnerability using user-entered exposure, asset criticality and compensating controls.

Best for: Known-exploited vulnerability review note
Input: 7 categorical evidence fields
Output: Known-exploited vulnerability review note
Method: heatmap
Maturity: Beta · v3.1
Limits: Does not scan assets.
Exports: copy, Markdown, JSON
Tags: Cybersecurity, DFIR

Cyber Resilience Control Mapper

Maps a disruption scenario to controls, telemetry, recovery evidence and test cadence.

Best for: Cyber resilience control map
Input: 7 categorical evidence fields
Output: Cyber resilience control map
Method: evidence matrix
Maturity: Beta · v1.1
Limits: Does not execute failover.
Exports: copy, Markdown, JSON
Tags: Cybersecurity, DFIR, Operational Resilience

Cyber/AI Convergence Risk Mapper

Maps where an AI system changes cyber dependencies, identities, data flows and incident-response paths.

Best for: AI-cyber dependency map
Input: 6 categorical evidence fields
Output: AI-cyber dependency map
Method: permission graph
Maturity: Prototype · v1.2
Limits: Does not enumerate live systems.
Exports: copy, Markdown, JSON
Tags: Cybersecurity, DFIR

DFIR Timeline Consistency Checker

Checks whether incident timestamps, evidence sources and time-zone assumptions are internally consistent.

Best for: DFIR timeline consistency note
Input: 5 categorical evidence fields
Output: DFIR timeline consistency note
Method: incident timeline
Maturity: Research interface · v1.3
Limits: Does not parse logs.
Exports: copy, Markdown, JSON
Tags: Cybersecurity, DFIR

Threat Hunting Hypothesis Builder

Turns a defensive suspicion into a hunt hypothesis with telemetry, expected observations and falsification criteria.

Best for: Threat-hunting hypothesis card
Input: 5 categorical evidence fields
Output: Threat-hunting hypothesis card
Method: falsification matrix
Maturity: Research interface · v1.5
Limits: Does not provide offensive procedures.
Exports: copy, Markdown, JSON
Tags: Cybersecurity, DFIR

Incident Blast Radius Estimator

Estimates likely blast-radius pressure from identity scope, lateral movement potential, data reach and dependency concentration.

Best for: Incident blast-radius review note
Input: 5 categorical evidence fields
Output: Incident blast-radius review note
Method: heatmap
Maturity: Research interface · v1.7
Limits: Does not confirm compromise scope.
Exports: copy, Markdown, JSON
Tags: Cybersecurity, DFIR

Cyber Telemetry Coverage Map

Maps telemetry coverage across identity, endpoint, cloud, network, email, application and data layers.

Best for: Cyber telemetry coverage map
Input: 7 categorical evidence fields
Output: Cyber telemetry coverage map
Method: heatmap
Maturity: Research interface · v1.9
Limits: Does not connect to logging systems.
Exports: copy, Markdown, JSON
Tags: Cybersecurity, DFIR

FAMILY METHOD

Cyber/DFIR Tool Methodology.
