Incident Response

A simple, self-contained modular host-based IOC scanner for incident responders.

JIMI is a flow-based orchestration automation platform that combines low-code and no-code capabilities for multi-team collaboration across IT, security, and development operations.

A deprecated digital forensics tool by Netflix that helped investigators scope compromises across AWS cloud instances by identifying behavioral differences and outliers during security incidents.

Docker Explorer is a forensic tool that enables investigators to explore and analyze offline Docker container filesystems by reconstructing layered filesystem structures.

COPS is a YAML-based schema standard for creating collaborative DFIR playbooks that provide structured guidance for incident response processes.

A comprehensive guide to investigating security incidents in popular cloud platforms, covering essential tools, logs, and techniques for cloud investigation and incident response.

Halogen automates the creation of YARA rules based on image files embedded in malicious documents to assist in threat detection and identification.

A Go-based honeypot server for detecting and logging attacker activity

Using Apache mod_rewrite rules to rewrite incident responder or security appliance requests to an innocuous website or the target's real website.

The Cybersecurity and Infrastructure Security Agency (CISA) is a government agency that provides alerts, advisories, and resources to help protect the United States' critical infrastructure from cyber threats.

A comprehensive guide for system administrators to detect and identify potential security threats on Windows 2000 systems.

A comprehensive guide to developing an incident response capability through intelligence-based threat hunting, covering theoretical concepts and real-life scenarios.

A condensed field guide for cyber security incident responders, covering incident response processes, attacker tactics, and practical techniques for handling incidents.

Incident Response Documentation tool for tracking findings and tasks.

A serverless SOAR framework for AWS GuardDuty that automatically executes configurable response actions based on security findings and threat severity.

A cybersecurity challenge where you play the role of an incident response consultant investigating an intrusion at Precision Widgets of North Dakota.

A PHP based web application for managing postmortems with pluggable features.

Template-based incident response runbooks for AWS environments following NIST guidelines to help organizations handle common cloud security incidents.

A set of scripts for collecting forensic data from Windows and Unix systems respecting the order of volatility.

View physical memory as files in a virtual file system for easy memory analysis and artifact access.

Pulsedive is a threat intelligence platform that provides frictionless threat intelligence for growing teams, offering features such as indicator enrichment, threat research, and API integration.

Tools to export data from MISP MySQL database for post-incident analysis and correlation.

Generate comprehensive reports about Windows systems with detailed system, security, networking, and USB information.

msticpy is a Python library for InfoSec investigation and threat hunting in Jupyter Notebooks, providing data querying, threat intelligence enrichment, analysis capabilities, and interactive visualizations.