Kanvas for Incident Response

A DF/IR case management tool that provides a unified workspace for investigators enabling key workflows to be completed without switching between multiple applications.

Works with SOD (Spreadsheet of Doom) and similar spreadsheet formats.

Features

UI & Key Workspace Features

Some of the key features and workflows are shown below. To view full details, please visit the GitHub page.

Incident Timeline

Building timelines from Excel manually? Nah, I’d rather wrestle a raccoon. At least that’s over faster.

  • Making it all automatic, not manual.
  • Only picking the interesting parts from the sheet (not everything).
  • Segmenting the timeline based on days (like Day 1, Day 2, etc.).
  • Quickly export to PNG or CSV for reporting / presentation.

Lateral Movement

Trying to explain what’s going on without a visual? It's like describing a movie scene using just smoke signals. A timeline chart just makes life so much easier.

  • Automatically whip up the visualization.
  • Pick icons that match your system type.
  • Export the visualization in a snap.

MITRE D3FEND Mapping

Correlate MITRE ATT&CK detections with the D3FEND Matrix to mitigate threats identified during an investigation

  • Containment: Quickly isolate tactics to check how well you’re containing threats based on attacker actions.
  • Post-Incident Improvement: Use D3FEND to review how the response went and get better for next time.

MITRE Flow Builder

Flow Builder lets you visualize and share sequences of adversary actions. You can populate flows with attacker actions and context, then link them to map the sequence of techniques seen during an incident.

  • Add info about adversary TTPs, then draw connections to show the sequence of techniques used in an incident.
  • Embed interactive, pan-and-zoom flows in web pages, which makes sharing CTI way easier.
  • Copy a selection as an image and paste it into Word or PowerPoint to quickly build reports and slides.

LLM Assistance

You’ve probably guessed it, this taps into LLM APIs like OpenAI / Anthropic. Sure, you could use an LLM’s web UI, but here you can save your own predefined prompts.

  • User-defined prompts are stored in a YAML file, and you can edit or add new ones to guide investigations with an LLM.
  • A quick and easy way to interface with the LLM via API during investigations.
  • Switch between multiple LLM providers and models.

V.E.R.I.S. Summary

VERIS is basically a way to keep track of cybersecurity incidents in a simple, consistent way. It helps teams share info about what happened, how it happened, and the damage done so everyone can learn and improve security.

  • Standardized data collection for breach and security incidents.
  • Supports clear breach reporting with structured categories.
  • Helps collaboration with external entities, such as Verizon data breach reporting.

Markdown Files

Markdown files are simple text files where you write using easy formatting. They’re great for quickly making notes or writing how-to playbooks.

  • Take notes during the investigation, internally or with customers.
  • Supports creating / loading “how-to investigate” type of documents during the investigation.

External Lookups

The external lookup helps the investigator quickly search various threat intel feeds while responding to an incident.

  • IP / Domain / Email / File Reputation: Info on IP location, open ports, vulnerabilities, WHOIS, DNS data and binary file details.
  • Entra ID Reference: Searchable list of malicious Microsoft Entra AppIDs for BEC cases.
  • Ransomware Victim: Checks if data is leaked after ransomware attacks.
  • CVE Insights: Known exploits from vulnerability databases.

Bookmarks

Bookmark known sources that will be useful during the investigation.

  • List the updated, well-maintained open-source free projects useful for DF/IR.
  • Create personal bookmarks instead of adding them to the usual web browser.

Quick References

It's hard to keep everything in your muscle memory during an investigation. This module helps you reference things quickly with shortcuts.

  • Event ID Reference: Windows Event IDs grouped for quick investigation.
  • Living Off the Land Binaries: If you find something suspicious, drop it in to see how threat actors have abused it in the wild.
  • Azure portals change constantly, which makes them hard to keep track of, but knowing them is handy when responding to Azure cloud incidents.

STIX 2.0 Export

You’ve got all the IOCs in the SOD spreadsheet. What if we could export them in a way that’s easier to share?

  • The STIX export lets you export IOCs in STIX 2.1 JSON format.
  • Drop that straight into threat intelligence platforms like OpenCTI or MISP.
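As an added illustration (not Kanvas's own export code), here is a stdlib-only conversion of constructed SOD-style indicator rows into a STIX 2.1 Bundle of Indicator objects of the kind OpenCTI or MISP can ingest; the row layout, the type names and the pattern templates are assumptions, and unsupported types are skipped rather than emitted as malformed patterns.

```python
import json
import uuid
from datetime import datetime, timezone
from typing import Optional
# Constructed rows in the shape of a SOD indicator sheet: (type, value, note).
SOD_ROWS = [
    {"type": "ip", "value": "203.0.113.5", "note": "C2 beacon"},
    {"type": "domain", "value": "phish.example", "note": "Phishing sender domain"},
    {"type": "sha256", "value": "a" * 64, "note": "Dropper hash"},
    {"type": "hostname", "value": "WS01", "note": "Not an IOC type we export"},
]

# STIX Cyber-observable pattern templates for the indicator types we support (assumed).
PATTERNS = {
    "ip": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}

def escape_literal(value: str) -> str:
    # STIX pattern string literals escape backslash and single quote.
    return value.replace("\\", "\\\\").replace("'", "\\'")

def stix_timestamp(ts: datetime) -> str:
    # RFC 3339 UTC with millisecond precision, as STIX 2.1 timestamps expect.
    ts = ts.astimezone(timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"

def row_to_indicator(row: dict, now: str) -> Optional[dict]:
    """Turn one sheet row into a STIX 2.1 Indicator SDO, or None if unsupported."""
    template = PATTERNS.get(row["type"].strip().lower())
    if template is None:
        return None
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": row.get("note") or row["value"],
        "pattern": template.format(v=escape_literal(row["value"].strip())),
        "pattern_type": "stix",
        "valid_from": now,
    }

def rows_to_bundle(rows: list) -> dict:
    """Wrap all convertible rows in a STIX 2.1 Bundle ready for TIP import."""
    now = stix_timestamp(datetime.now(timezone.utc))
    objects = [ind for ind in (row_to_indicator(r, now) for r in rows) if ind]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}
```

`json.dumps(rows_to_bundle(SOD_ROWS), indent=2)` yields the JSON document to hand to a TIP importer.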