Free, no account
Free DFIR Tools and References
Interactive tools and working references for the people doing SOC triage and incident response. Built by practitioners who still do the job. Nothing gated, nothing uploaded, use them in the browser.
Start here
The two tools worth bookmarking. Paste your own data or load a built-in sample.
Analyzer
Event Log Triage Analyzer
Paste EvtxECmd CSV and it flags the suspicious events, log clears, off-hours logons, service installs, PowerShell cradles, with the reasoning and next step for each. Runs in your browser.
Open the tool →
Scorecard
Incident Triage Scorecard
Classify any security alert in under five minutes. Eight questions that produce a defensible severity call you can hand off with confidence.
Open the tool →
Interactive tools
Searchable command and artifact references. Filter, copy, adapt.
Searchable
PowerShell for Security Operations
31 investigation commands across 9 ATT&CK tactics, each with syntax, what it reveals, and what to look for. Search and filter live.
Open the tool →
Searchable
KQL Query Reference
Production KQL for Microsoft Sentinel and Defender XDR, organized by ATT&CK tactic. Copy, adapt, run.
Open the tool →
Searchable
Windows Event ID Reference
The Windows Security, Sysmon, PowerShell, and Defender event IDs that matter in an investigation, with what each one tells you.
Open the tool →
Searchable
Windows Forensic Artifacts Reference
Where the evidence lives on a Windows host: execution, filesystem, registry, and user-activity artifacts with their forensic value.
Open the tool →
Command Reference
Native Windows Forensic Commands
Volatile-data capture with cmd and PowerShell when KAPE and EZ Tools can't be deployed: processes, connections, persistence, and the wevtutil bridge to full-tool analysis.
Read the reference →
Runbooks
DFIR Investigation Runbooks
Seven structured investigation runbooks, identity compromise, endpoint, email, and more, from first signal to containment.
Open the tool →
Searchable
ASR Rules Quick Reference
Every Microsoft Defender Attack Surface Reduction rule with deployment category, false-positive risk, and rollout guidance.
Open the tool →
Cheatsheets and guides
Command references and walkthroughs to keep open while you work.
Cheatsheet
KAPE & EZ Tools Cheatsheet
The full collect-parse-analyze Windows DFIR workflow: KAPE targets and modules, custom .tkape/.mkape, every EZ Tools parser with the output columns that matter and worked examples.
Read the cheatsheet →
Reference
Linux Forensic Artifacts Reference
Where the evidence lives on a compromised Linux host: filesystem timestamps, auth logs, persistence, process evidence, and anti-forensics tells, for RHEL and Ubuntu.
Read the reference →
Cheatsheet
M365 SOC Alert Triage
Triage a Microsoft 365 alert: classify it, pull the right table, decide containment, and know what survives a token revoke.
Read the cheatsheet →
Cheatsheet
M365 Threat Hunting
Hypothesis-driven hunting: the method, the advanced KQL detections don't use, and real hunts by objective for Sentinel and Defender XDR.
Read the cheatsheet →
Cheatsheet
Entra ID Security
Identity-plane attack detection and hardening: sign-in forensics, token theft, PIM, app and workload identity, with real KQL.
Read the cheatsheet →
Cheatsheet
Identity & Access Management
Access governance and design for Entra: groups and roles, conditional access, consent, service principals, privileged access, and reviews.
Read the cheatsheet →
Cheatsheet
M365 Security Architecture
The whole-tenant hardening baseline: the secure-by-design decisions across identity, CA, data, endpoint, email, Sentinel, and posture.
Read the cheatsheet →
Cheatsheet
Detection Engineering
Engineering detections as a discipline: rule anatomy, coverage, real detections by tactic, testing and tuning, and detection-as-code.
Read the cheatsheet →
Cheatsheet
Network Forensics
PCAP and traffic investigation: capture, Wireshark/tshark filters, protocol indicators, Suricata rules, and C2 beacon detection.
Read the cheatsheet →
Cheatsheet
Memory Forensics
Volatility 3 by investigation type: process injection, credential theft, fileless malware, persistence, kernel rootkits, and Linux memory.
Read the cheatsheet →
Cheatsheet
Incident Response
The IR lifecycle end to end: preparation, analysis, evidence handling, containment, eradication, playbooks, and post-incident metrics.
Read the cheatsheet →
Cheatsheet
Purple Teaming
Emulate the attack, validate the detection: the purple loop and attack-to-detection pairings across the ATT&CK kill chain.
Read the cheatsheet →
Cheatsheet
Offensive Security for Defenders
Think like the attacker, defend better: the offensive lifecycle seen from the blue side, each phase paired with what you detect.
Read the cheatsheet →
Guide
Build Your Security Operations Home Lab
Step-by-step build for a working SOC home lab: virtualization, Windows and Linux targets, logging, and a SIEM to practice against.
Read the guide →
From the tools to the method
These run the commands and flag the evidence. Windows Endpoint Investigation teaches the method behind them: correlating what they return into a defensible account of what happened, and proving it.
Explore the course