API-First DFIR Toolkit
Digital forensics and incident response capabilities delivered as clean REST endpoints. From phishing analysis to automated reporting, integrate security operations directly into your workflows.
Phishing Email Checker
Submit suspicious emails for automated analysis. The engine parses RFC 5322 headers to detect spoofing indicators (SPF, DKIM, DMARC alignment failures), extracts URLs and detects link text mismatches, inspects attachment metadata for risky file patterns, and identifies social engineering tactics through heuristic analysis. Results include a confidence-scored verdict, extracted Indicators of Compromise (IOCs), and actionable remediation steps. A separate AI-enhanced endpoint provides deeper analysis powered by Claude.
POST /api/v1/phishing/analyze
Key Capabilities
- Header authentication analysis (SPF, DKIM, DMARC, ARC)
- URL and IOC extraction (IPs, domains, hashes, emails, URLs)
- Link mismatch detection and homoglyph/typosquatting checks
- Attachment metadata inspection and risky pattern detection
- Social engineering and phishing template pattern matching
- QR code decoding, HTML analysis, and thread hijack detection
- Confidence-scored phishing verdict with recommended actions
- AI-enhanced analysis via separate premium endpoint (10 credits)
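As an added illustration of two of the checks described above (SPF/DKIM/DMARC alignment against the visible From domain, and visible link text naming a different host than the real href), here is a small standalone analyzer written for this page; it is not the product's own code, and the sample message and the finding strings it returns are constructed for the example.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the page): From domain differs from the SPF/DKIM domains, DMARC fails,
# and the anchor's visible text names a different host than its href.
SAMPLE = """From: "IT Support" <helpdesk@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bulk.example.net; dkim=pass header.d=bulk.example.net; dmarc=fail header.from=example.com
Content-Type: text/html

<p>Reset at <a href="http://login.example.org/reset">https://portal.example.com/reset</a></p>
"""
class _Anchors(HTMLParser):  # collect (href, visible text) pairs from the HTML body
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyze(raw):  # returns a list of spoofing / link-mismatch findings for one RFC 5322 message
    msg = message_from_string(raw, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain.lower()
    auth = str(msg.get("Authentication-Results", ""))
    findings, results = [], dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    for mech in ("spf", "dkim", "dmarc"):
        if results.get(mech) != "pass":
            findings.append(f"{mech}={results.get(mech, 'missing')}")
    # A DKIM d= or SPF envelope domain unrelated to the From domain is a spoofing indicator
    for pattern, label in ((r"header\.d=([\w.-]+)", "dkim"), (r"smtp\.mailfrom=([\w.-]+)", "spf")):
        m = re.search(pattern, auth)
        d = m.group(1).lower() if m else from_domain  # no domain recorded: nothing to compare
        if d != from_domain and not d.endswith("." + from_domain):  # relaxed alignment
            findings.append(f"{label} domain {d} not aligned with From domain {from_domain}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _Anchors()
        parser.feed(body.get_content())
        for href, text in parser.pairs:  # visible URL text vs. the host the href really targets
            text_host, href_host = urlparse(text).netloc.lower(), urlparse(href).netloc.lower()
            if text_host and href_host and text_host != href_host:
                findings.append(f"link text {text_host} points to {href_host}")
    return findings
```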
Exposure Scanner
Maps the external attack surface of a domain or IP address. The scanner queries 11 intelligence providers in parallel to enumerate subdomains via Certificate Transparency logs and passive DNS, discover open ports and running services, grade SSL/TLS configurations, retrieve DNS records and WHOIS registration data, identify network ownership (ASN, CIDR), and match discovered services against known vulnerabilities. Results include a risk score (0--100) and are cached for 24 hours.
POST /api/v1/exposure/scan
Key Capabilities
- Subdomain enumeration via CT logs and passive DNS
- Open port and service detection (Shodan, Criminal IP, Netlas)
- SSL/TLS certificate grading and analysis (SSL Labs)
- DNS record enumeration and WHOIS registration data
- Network ownership mapping (ASN, CIDR, geolocation)
- Vulnerability matching against discovered services
- Risk scoring (0--100) with severity classification
IOC Enrichment
Enrich Indicators of Compromise -- IP addresses, domain names, file hashes (MD5, SHA-1, SHA-256), and URLs -- with threat intelligence from industry-leading sources including VirusTotal, Shodan, AbuseIPDB, URLhaus, and more. Returns reputation scores, geolocation data, WHOIS records, passive DNS history, associated malware families, and known threat actor attributions. Supports both single-IOC lookups and batch enrichment for large-scale investigations.
POST /api/v1/enrichment/lookup
Key Capabilities
- Multi-source aggregation (VirusTotal, Shodan, AbuseIPDB, URLhaus, and many more)
- IP reputation scoring and geolocation
- Domain WHOIS and passive DNS history
- File hash reputation and malware family identification
- URL categorization and threat classification
- Batch enrichment for bulk IOC processing
AI DFIR Assistant
An interactive AI assistant specialized in digital forensics and incident response, available via the CLI. Ask questions about forensic artifacts, pipe in logs or tool output for interpretation, get help with MITRE ATT&CK mapping, and receive structured incident response guidance. Powered by Claude with a domain-restricted system prompt engineered for DFIR workflows. Supports streaming responses optimized for terminal output.
POST /api/v1/ai/chat
Key Capabilities
- Forensic artifact analysis and interpretation
- Log file and tool output analysis (pipe stdin)
- MITRE ATT&CK tactic and technique mapping
- Incident response playbook guidance
- Detection rule suggestions (YARA, Sigma)
- DFIR-scoped topic guardrails
- Streaming terminal-optimized responses
- Dynamic credit pricing based on token usage
AI Triage & Analysis
Leverages large language models fine-tuned on cybersecurity data to automate alert triage, perform deep-dive analysis of security incidents, generate threat actor profiles based on observed TTPs (Tactics, Techniques, and Procedures), and produce detection rules in formats like YARA, Sigma, and Snort/Suricata. Reduces mean time to respond (MTTR) by surfacing high-priority incidents and providing analyst-ready context.
POST /api/v1/ai/triage
Key Capabilities
- Automated alert triage with severity classification
- Deep analysis of security events and incidents
- Threat actor profiling from observed TTPs
- Detection rule generation (YARA, Sigma, Snort/Suricata)
- Natural language incident summaries
- MITRE ATT&CK technique correlation
Investigation Management
DFIR Investigation is a standalone desktop application built for digital forensics and incident response professionals. Manage cases with structured metadata, build visual timelines from evidence artifacts, track IOCs with interactive graph views, map findings to the MITRE ATT&CK matrix, and coordinate tasks across your team. Connects to the DFIR Platform via API key for cloud-based IOC enrichment and plan-based feature access.
Key Capabilities
- Case creation with structured metadata and tagging
- Visual and interactive investigation timelines
- IOC management with relationship graph views
- MITRE ATT&CK matrix mapping
- Task tracking and team collaboration
- Cloud IOC enrichment via DFIR Platform API key
- Activity feed and investigation notes
- OSINT integration and lateral movement tracking
Report Generation (Coming Soon)
Generate comprehensive DFIR reports directly from your investigations in the desktop app. The app currently supports STIX 2.1 bundle export for threat intelligence sharing, MITRE ATT&CK Navigator layer export, full case JSON export and import, CSV exports per table, and MISP event push. Full report generation with PDF export, executive summaries, and formatted technical reports is coming soon.
Key Capabilities
- STIX 2.1 bundle export for threat intelligence sharing
- MITRE ATT&CK Navigator layer export
- CSV export for any investigation table
- Case merge across .dfir files
- PDF report generation (Soon)
- Executive summary and technical detail reports (Soon)
- Formatted timeline visualization in reports (Soon)
Built for Security Teams
Every design decision is driven by the needs of SOC analysts, incident responders, and forensic investigators working real cases.
API-First Architecture
Every service is a documented REST endpoint. Integrate DFIR capabilities directly into your SOAR playbooks, SIEM workflows, or custom tooling with straightforward API calls.
Credit-Based Pricing
Pay only for what you use. Each API operation has a transparent credit cost -- from 1 credit for a basic lookup to 25 credits for a full report generation. No hidden fees.
Security by Design
Built by security practitioners for security practitioners. Encryption at rest and in transit, scoped API keys, audit logging, and role-based access controls — because DFIR tools handle sensitive data.
Start Investigating Today
Create a free account with 100 monthly credits. No credit card required. Upgrade when you need more capacity.