Services

API-First DFIR Toolkit

Digital forensics and incident response capabilities delivered as clean REST endpoints. From phishing analysis to automated reporting, integrate security operations directly into your workflows.

AI-powered email threat analysis

Phishing Email Checker

Submit suspicious emails for automated analysis. The engine parses RFC 5322 headers to detect spoofing indicators (SPF, DKIM, DMARC alignment failures), extracts and detonates URLs in a sandboxed environment, identifies obfuscated payloads in attachments, and maps findings to the MITRE ATT&CK framework. Results include a confidence-scored verdict, extracted Indicators of Compromise (IOCs), and actionable remediation steps.

POST /api/v1/phishing/analyze

Key Capabilities

  • Header authentication analysis (SPF, DKIM, DMARC)
  • URL extraction with redirect chain resolution
  • Attachment scanning and payload detection
  • MITRE ATT&CK technique mapping
  • IOC extraction (IPs, domains, hashes, email addresses)
  • Confidence-scored phishing verdict
  • AI-enhanced analysis with natural language summary

Credential leak and dark web monitoring

Exposure Scanner

Searches across known breach datasets, paste sites, dark web marketplaces, and underground forums for credentials and sensitive data tied to your domains and email addresses. Identifies exposed passwords, session tokens, API keys, and personally identifiable information (PII) that could be leveraged for account takeover, credential stuffing, or targeted social engineering attacks.

POST /api/v1/exposure/scan

Key Capabilities

  • Breach database search across known data dumps
  • Dark web and underground forum monitoring
  • Exposed credential detection (passwords, tokens, API keys)
  • PII leak identification
  • Domain-wide exposure assessment
  • Historical breach timeline

Multi-source threat intelligence aggregation

IOC Enrichment (Coming Soon)

Enrich Indicators of Compromise -- IP addresses, domain names, file hashes (MD5, SHA-1, SHA-256), and URLs -- with threat intelligence from industry-leading sources including VirusTotal, Shodan, AbuseIPDB, URLhaus, and more. Returns reputation scores, geolocation data, WHOIS records, passive DNS history, associated malware families, and known threat actor attributions. Supports both single-IOC lookups and batch enrichment for large-scale investigations.

POST /api/v1/enrichment/lookup

Key Capabilities

  • Multi-source aggregation (VirusTotal, Shodan, AbuseIPDB, URLhaus, and many more)
  • IP reputation scoring and geolocation
  • Domain WHOIS and passive DNS history
  • File hash reputation and malware family identification
  • URL categorization and threat classification
  • Batch enrichment for bulk IOC processing

Intelligent alert prioritization and threat profiling

AI Triage & Analysis (Coming Soon)

Leverages large language models fine-tuned on cybersecurity data to automate alert triage, perform deep-dive analysis of security incidents, generate threat actor profiles based on observed TTPs (Tactics, Techniques, and Procedures), and produce detection rules in formats like YARA, Sigma, and Snort/Suricata. Reduces mean time to respond (MTTR) by surfacing high-priority incidents and providing analyst-ready context.

POST /api/v1/ai/triage

Key Capabilities

  • Automated alert triage with severity classification
  • Deep analysis of security events and incidents
  • Threat actor profiling from observed TTPs
  • Detection rule generation (YARA, Sigma, Snort/Suricata)
  • Natural language incident summaries
  • MITRE ATT&CK technique correlation

Standalone desktop app for DFIR case management

Investigation Management

DFIR Investigation is a standalone desktop application built for digital forensics and incident response professionals. Manage cases with structured metadata, build visual timelines from evidence artifacts, track IOCs with interactive graph views, map findings to the MITRE ATT&CK matrix, and coordinate tasks across your team. Connects to the DFIR Platform via API key for cloud-based IOC enrichment and plan-based feature access.

Desktop Application

Key Capabilities

  • Case creation with structured metadata and tagging
  • Visual and interactive investigation timelines
  • IOC management with relationship graph views
  • MITRE ATT&CK matrix mapping
  • Task tracking and team collaboration
  • Cloud IOC enrichment via DFIR Platform API key
  • Activity feed and investigation notes
  • OSINT integration and lateral movement tracking

Export forensic reports from the desktop app

Report Generation (Coming Soon)

Generate comprehensive DFIR reports directly from your investigations in the desktop app. The app currently supports STIX 2.1 bundle export for threat intelligence sharing, MITRE ATT&CK Navigator layer export, full case JSON export and import, CSV exports per table, and MISP event push. Full report generation with PDF export, executive summaries, and formatted technical reports is coming soon.

Desktop Application

Key Capabilities

  • STIX 2.1 bundle export for threat intelligence sharing
  • MITRE ATT&CK Navigator layer export
  • CSV export for any investigation table
  • Case merge across .dfir files
  • PDF report generation (Soon)
  • Executive summary and technical detail reports (Soon)
  • Formatted timeline visualization in reports (Soon)

Why DFIR Platform

Built for Security Teams

Every design decision is driven by the needs of SOC analysts, incident responders, and forensic investigators working real cases.

API-First Architecture

Every service is a documented REST endpoint. Integrate DFIR capabilities directly into your SOAR playbooks, SIEM workflows, or custom tooling with straightforward API calls.

Credit-Based Pricing

Pay only for what you use. Each API operation has a transparent credit cost -- from 1 credit for a basic lookup to 25 credits for a full report generation. No hidden fees.

Security by Design

Built by security practitioners for security practitioners. Encryption at rest and in transit, scoped API keys, audit logging, and role-based access controls — because DFIR tools handle sensitive data.

Start Investigating Today

Create a free account with 50 monthly credits. No credit card required. Upgrade when you need more capacity.