PURPOSE
What this family supports.
Defensive instruments for incident evidence, telemetry, resilience, threat hypotheses and blast-radius analysis.
TOOL METHODOLOGY
Cyber/DFIR Tool Methodology.
Additional page sections
Defensive instruments for incident evidence, telemetry, resilience, threat hypotheses and blast-radius analysis.
INPUT ASSUMPTIONS
How inputs are treated.
Inputs are user-entered assumptions or evidence states. The tools do not verify live systems, datasets, vendors, clinical claims, vulnerabilities or scientific measurements.
OUTPUT POLICY
Artifact boundaries.
Outputs are preliminary orientation artifacts for human review. They are not certification, legal advice, medical advice, engineering sign-off or compliance approval.
OUTPUT ARTIFACTS
Artifacts produced.
- DFIR evidence timeline and matrix
- Known-exploited vulnerability review note
- Cyber resilience control map
- AI-cyber dependency map
- DFIR timeline consistency note
- Threat-hunting hypothesis card
- Incident blast-radius review note
- Cyber telemetry coverage map
SOURCE FAMILIES
Reference families.
AI system securityCISA KEV source familyDFIR evidence handlingDFIR telemetry readinessDFIR timeline constructionMITRE ATT&CK source familyNVD source familybusiness continuitycloud audit logscyber recovery testingdetection engineeringevidence provenanceidentity securityincident response integrationincident response practiceincident scoping
INSTRUMENTS
Tools using this methodology.
Cybersecurity and DFIR
Additional section
DFIR Evidence Map Builder
Builds an evidence source matrix and investigation sequence for a selected incident scenario.
- Best for
- DFIR evidence timeline and matrix
- Input
- 5 categorical evidence fields
- Output
- DFIR evidence timeline and matrix
- Method
- incident timeline
- Maturity
- Beta · v2.9
- Limits
- Does not perform forensics.
- Exports
- copy, Markdown, JSON, CSV
CybersecurityDFIR
open instrument →
Cybersecurity and DFIR
KEV Exposure Triage Tool
Prioritizes review of a known-exploited vulnerability using user-entered exposure, asset criticality and compensating controls.
- Best for
- Known-exploited vulnerability review note
- Input
- 7 categorical evidence fields
- Output
- Known-exploited vulnerability review note
- Method
- heatmap
- Maturity
- Beta · v3.1
- Limits
- Does not scan assets.
- Exports
- copy, Markdown, JSON
CybersecurityDFIR
open instrument →
Cybersecurity and DFIR
Cyber Resilience Control Mapper
Maps a disruption scenario to controls, telemetry, recovery evidence and test cadence.
- Best for
- Cyber resilience control map
- Input
- 7 categorical evidence fields
- Output
- Cyber resilience control map
- Method
- evidence matrix
- Maturity
- Beta · v1.1
- Limits
- Does not execute failover.
- Exports
- copy, Markdown, JSON
CybersecurityDFIROperational Resilience
open instrument →
Cybersecurity and DFIR
Cyber/AI Convergence Risk Mapper
Maps where an AI system changes cyber dependencies, identities, data flows and incident-response paths.
- Best for
- AI-cyber dependency map
- Input
- 6 categorical evidence fields
- Output
- AI-cyber dependency map
- Method
- permission graph
- Maturity
- Prototype · v1.2
- Limits
- Does not enumerate live systems.
- Exports
- copy, Markdown, JSON
CybersecurityDFIR
open instrument →
Cybersecurity and DFIR
DFIR Timeline Consistency Checker
Checks whether incident timestamps, evidence sources and time-zone assumptions are internally consistent.
- Best for
- DFIR timeline consistency note
- Input
- 5 categorical evidence fields
- Output
- DFIR timeline consistency note
- Method
- incident timeline
- Maturity
- Research interface · v1.3
- Limits
- Does not parse logs.
- Exports
- copy, Markdown, JSON
CybersecurityDFIR
open instrument →
Cybersecurity and DFIR
Threat Hunting Hypothesis Builder
Turns a defensive suspicion into a hunt hypothesis with telemetry, expected observations and falsification criteria.
- Best for
- Threat-hunting hypothesis card
- Input
- 5 categorical evidence fields
- Output
- Threat-hunting hypothesis card
- Method
- falsification matrix
- Maturity
- Research interface · v1.5
- Limits
- Does not provide offensive procedures.
- Exports
- copy, Markdown, JSON
CybersecurityDFIR
open instrument →
Cybersecurity and DFIR
Incident Blast Radius Estimator
Estimates likely blast-radius pressure from identity scope, lateral movement potential, data reach and dependency concentration.
- Best for
- Incident blast-radius review note
- Input
- 5 categorical evidence fields
- Output
- Incident blast-radius review note
- Method
- heatmap
- Maturity
- Research interface · v1.7
- Limits
- Does not confirm compromise scope.
- Exports
- copy, Markdown, JSON
CybersecurityDFIR
open instrument →
Cybersecurity and DFIR
Cyber Telemetry Coverage Map
Maps telemetry coverage across identity, endpoint, cloud, network, email, application and data layers.
- Best for
- Cyber telemetry coverage map
- Input
- 7 categorical evidence fields
- Output
- Cyber telemetry coverage map
- Method
- heatmap
- Maturity
- Research interface · v1.9
- Limits
- Does not connect to logging systems.
- Exports
- copy, Markdown, JSON
CybersecurityDFIR
open instrument →
Version policy: each instrument has a version, maturity state, assumptions, limitations, example input, example output and export formats. Method notes should be updated when scoring logic, input taxonomy or source families change.