Security Analysis From Your Terminal
dfir-cli is a cross-platform command-line toolkit for digital forensics and incident response. Analyze phishing emails, enrich IOCs, investigate Microsoft 365 email compromise, and generate court-ready reports — all from your terminal, in a single binary with zero external dependencies.
Install in Seconds
Available on macOS, Linux, and Windows. Choose your preferred method. The Linux and Windows one-liners execute whatever the URL serves; on a host you care about, download the script first and read it before running it.
macOS
Homebrew
brew install dfir-lab/tap/dfir-cli
Linux
Install Script
curl -fsSL https://raw.githubusercontent.com/dfir-lab/dfir-cli-releases/main/install.sh | sh
Windows
PowerShell
iwr https://raw.githubusercontent.com/dfir-lab/dfir-cli-releases/main/install.ps1 | iex
Built for Security Professionals
Phishing Analysis
Analyze suspicious emails with header authentication checks, IOC extraction, and AI-enhanced verdicts. Supports .eml files, raw headers, and stdin piping.
IOC Enrichment
Enrich IPs, domains, URLs, hashes, and emails against multiple threat intelligence providers. Batch processing from files for large-scale investigations.
Exposure Scanning
Scan domains for external attack surface exposure. SSL grading, DNS analysis, and risk scoring with results from 11 intelligence providers.
AI DFIR Assistant
Ask questions about forensic artifacts, pipe in tool output for AI analysis, and get MITRE ATT&CK mapping. Specialized for digital forensics and incident response.
AI Triage & Analysis
Triage SIEM alerts with AI severity classification, deep-dive incident analysis, threat actor profiling from TTPs, and detection rule generation in YARA, Sigma, and Snort formats.
BEC Investigation
Complete Microsoft 365 email fraud investigation toolkit. 11 commands to detect compromised accounts, trace attacker activity, and generate court-ready reports — no PowerShell, no Azure CLI, no external dependencies.
Multiple Output Formats
Table output for humans, JSON and JSONL for automation. Pipe results to jq, feed into SIEM, or integrate with your SOAR playbooks.
Cross-Platform
Native binaries for macOS (Intel + Apple Silicon), Linux (amd64 + arm64), and Windows. Zero runtime dependencies.
Intelligent Output
Color-coded verdicts, score bars, and severity badges in your terminal. Auto-detects non-TTY environments and switches to JSON.
Powerful Commands, Simple Interface
Analyze a Phishing Email
$ dfir-cli phishing analyze --file suspicious.eml
Phishing Analysis
Verdict: MALICIOUS
Score: [████████████████████░░░░] 87/100
Summary: Spoofed sender with credential harvesting link
Authentication Results:
SPF: FAIL
DKIM: FAIL
DMARC: FAIL
Enrich an IOC
$ dfir-cli enrichment lookup --ip 185.220.101.34
IOC Enrichment: 185.220.101.34
Verdict: MALICIOUS
Score: [██████████████████░░░░░░] 76/100
| Provider | Verdict | Score | Details |
|---|---|---|---|
| VirusTotal | Malicious | 89 | 14/90 engines flagged |
| AbuseIPDB | Malicious | 95 | 847 reports, ISP: Tor Exit |
| Shodan | Suspicious | 65 | 8 open ports, 3 CVEs |
Scan for Exposure
$ dfir-cli exposure scan --domain example.com
Exposure Scan: example.com
Risk Level: LOW
Risk Score: [████░░░░░░░░░░░░░░░░░░░] 18/100
SSL Grade: A+
Duration: 12.4s
Ask the AI Assistant
$ dfir-cli ai "What artifacts indicate lateral movement on Windows?"
AI Assistant
## Key Artifacts
- Prefetch: PSEXESVC.EXE, WMIC.EXE
- Event Logs: Security 4624 (Type 3/10), 4648
- Registry: Terminal Server Client\Servers
- ShimCache / AmCache execution entries
## MITRE ATT&CK
- T1021.002 — SMB/Windows Admin Shares
- T1021.001 — Remote Desktop Protocol
- T1047 — Windows Management Instrumentation
[sonnet | 1,842 input + 387 output tokens | 3 credits]
Triage a SIEM Alert
$ dfir-cli ai triage --file splunk-alert.json --source splunk
AI Triage
Severity: CRITICAL
Confidence: [████████████████████████] 94/100
Classification: brute_force
Summary: Sustained brute-force attack targeting the domain admin account on DC01 via RDP. 847 failed logons from Tor exit node 185.220.101.34.
Indicators:
| Type | Value | Role |
|---|---|---|
| ip | 185.220.101.34 | source |
| domain | dc01.corp.acme.com | destination |
ATT&CK Mapping:
| Technique | Name | Tactic |
|---|---|---|
| T1110.001 | Password Guessing | Credential Access |
| T1021.001 | Remote Desktop Protocol | Lateral Movement |
| T1078 | Valid Accounts | Persistence |
Recommendations:
• Block IP 185.220.101.34 at perimeter firewall
• Force password reset for admin account on dc01
• Enable account lockout policy (5 attempts / 15 min)
[10 credits used | 40 remaining]
Investigate a Business Email Compromise
$ dfir-cli bec forwarding-audit --user cfo@contoso.com
Forwarding Audit
Type: mailbox_forwarding
User: cfo@contoso.com
Dest: attacker@gmail.com
Status: enabled
Risk: CRITICAL
Score: [████████████████████░░░░] 85/100
Risk Factors:
- [external_forwarding] Forwards to external domain (+70)
- [freemail] Destination is a free email provider (+15)
$ dfir-cli bec report --case-id BEC-2026-001 --input-dir ./evidence/
BEC Investigation Report
Case ID: BEC-2026-001
Generated: 2026-04-07T12:00:00Z
Data Summary:
Timeline: 47 events
Accounts: 2 compromised
Forwarding: 3 rules
MITRE: 5 techniques
Evidence: 6 files hashed
Generated Files:
| Format | File | Size |
|---|---|---|
| FULL | BEC-2026-001_full.json | 24.3 KB |
| FULL | BEC-2026-001_full.html | 18.7 KB |
| IC3 | BEC-2026-001_ic3.json | 8.2 KB |
| INSURANCE | BEC-2026-001_insurance.json | 12.1 KB |
Generate a Detection Rule
$ dfir-cli ai detect --format sigma --description "Detect brute force RDP"
Detection Rule
Name: Brute Force RDP Login Attempts
Format: sigma
Severity: high
Rule:
title: Brute Force RDP Login Attempts
status: experimental
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4625
        LogonType: 10
    condition: selection | count() by SourceIP > 50
    timeframe: 1h
level: high
ATT&CK: T1110.001, T1021.001
[15 credits used | 25 remaining]
Treat a generated rule as a draft: check its field names against your log source before deploying it (Windows Security event 4625 records the client address as IpAddress, for example), and confirm that your Sigma backend still accepts the legacy count() aggregation, which current Sigma specifications express as a separate correlation rule.
Quick Setup
Get started with one command.
$ dfir-cli config init
DFIR Lab CLI Configuration
Enter your API key: sk-dfir-****************************
API key validated successfully.
Configuration saved to ~/.config/dfir-cli/config.yaml
You're ready to go! Try:
dfir-cli phishing analyze --file email.eml
dfir-cli enrichment lookup --ip 8.8.8.8
dfir-cli exposure scan --domain example.com
Get your API key from the DFIR Platform dashboard.
CI/CD Friendly
Meaningful exit codes for automation and scripting.
| Exit Code | Meaning |
|---|---|
| 0 | Clean / Success |
| 1 | Error |
| 2 | Malicious / High risk |
| 3 | Suspicious / Medium risk |
| 4 | Insufficient credits |
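As an added example (not part of dfir-cli or its documentation), here is a POSIX shell wrapper that turns the exit-code table above into a CI decision and, because stdout is redirected, relies on the non-TTY JSON switch described under Intelligent Output to keep the machine-readable result. It assumes only the five exit codes listed here; the DFIR_CLI, DFIR_OUT and DFIR_BLOCK_SUSPICIOUS variables and the gate logic are the example's own, and dfir-cli must be installed (or DFIR_CLI pointed at another binary) for it to produce a real verdict.

```shell
#!/bin/sh
# ci-gate.sh: turn dfir-cli's exit codes into a CI decision.
# Added example, not dfir-cli's own code. It relies only on the exit-code
# table on this page (0 clean, 1 error, 2 malicious, 3 suspicious,
# 4 insufficient credits) and on the tool emitting JSON when stdout is not
# a TTY. DFIR_CLI, DFIR_OUT and DFIR_BLOCK_SUSPICIOUS are this script's own.

# dfir_gate <dfir-cli subcommand and flags>
# Runs the command, saves its JSON to $DFIR_OUT (default dfir-result.json),
# prints one word (pass, warn, fail, credits, error) and returns 0 when the
# job may proceed or 1 when it must stop.
dfir_gate() {
  out="${DFIR_OUT:-dfir-result.json}"
  # Capture the status instead of letting `set -e` kill the script: exit
  # codes 2 and 3 are verdicts to act on, not failures of this script.
  rc=0
  "${DFIR_CLI:-dfir-cli}" "$@" > "$out" || rc=$?
  case "$rc" in
    0) echo pass;    return 0 ;;
    3) # Suspicious / medium risk: surface it; block only if the job asks for it.
       if [ "${DFIR_BLOCK_SUSPICIOUS:-0}" = 1 ]; then echo fail; return 1; fi
       echo warn; return 0 ;;
    2) echo fail;    return 1 ;;   # malicious / high risk: stop the pipeline
    4) echo credits; return 1 ;;   # no credits means no verdict; never treat as clean
    *) echo error;   return 1 ;;   # 1 (tool error) or 127 (binary not found)
  esac
}

# Usage: sh ci-gate.sh exposure scan --domain example.com
if [ "$#" -gt 0 ]; then
  verdict=$(dfir_gate "$@") || {
    echo "gate: $verdict blocked the job; see ${DFIR_OUT:-dfir-result.json}" >&2
    exit 1
  }
  echo "gate: $verdict"
fi
```

Two details are worth copying into your own pipeline: the `|| rc=$?` capture, since under `set -e` a verdict of 2 or 3 would otherwise abort the script before it records anything, and the handling of exit code 4, because running out of credits yields no verdict at all and a gate that only checks for 2 would wave unscanned changes through. The JSON written to DFIR_OUT is what you hand to jq or ship to the SIEM.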
Start Analyzing From Your Terminal
Install dfir-cli in seconds. 100 free credits every month, no credit card required.