[{"slug":"bec","label":"business email compromise (BEC)","shortLabel":"BEC","launchTier":1,"priority":"H","description":"vendor impersonation · payroll redirect · wire fraud · spoofed reply chains. evidence is almost always email headers, mailbox rules, and login telemetry.","primaryToolCount":8,"secondaryToolCount":12,"primaryToolSlugs":["email-header-analyzer","email-thread-reconstructor","email-header-chain-analyzer","email-spoofing-spf-dkim-validator","email-received-header-hop-analyzer","mailer-fingerprint-identifier","email-impersonation-pattern-detector","mail-rule-parser"],"secondaryToolSlugs":["phishing-header-analyzer","domain-reputation-check","url-unshortener-chain","o365-audit-log-parser","office365-audit-log-analyzer","okta-log-analyzer","ioc-extractor","fatcousin-saas-audit-export-correlator","bec-impersonation-thread-forensic-analyzer","microsoft-defender-office365-message-trace-forensic-analyzer","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator"]},{"slug":"pig-butchering","label":"pig butchering / long-con investment scam","shortLabel":"pig butchering","launchTier":1,"priority":"H","description":"weeks-to-months of chat grooming → fake crypto exchange → drained wallet. evidence spans messaging apps, crypto wallets, and screenshots.","primaryToolCount":8,"secondaryToolCount":12,"primaryToolSlugs":["ios-whatsapp-artifact-forensic-extractor","ethereum-tx-decoder","bitcoin-tx-decoder","crypto-tx-graph","ios-dating-app-artifact-forensic-extractor","ios-screenshot-burst-forensic-analyzer","crypto-mixer-pattern-detector","crypto-wallet-classifier"],"secondaryToolSlugs":["android-whatsapp-database-forensic-analyzer","bitcoin-address-clustering","domain-reputation-check","url-unshortener-chain","nft-rug-pull-victim-investigation-kit","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator","ios-telegram-artifact-forensic-extractor","android-telegram-database-forensic-extractor","ios-signal-artifact-forensic-extractor","android-signal-database-forensic-extractor","casb-oauth-token-abuse-detector"]},{"slug":"ransomware-response","label":"ransomware response","shortLabel":"ransomware","launchTier":1,"priority":"H","description":"encryption onset → lateral movement → exfil → ransom note. the first 48 hours are about scoping, finding patient-zero, and preserving evidence before the actor wipes logs.","primaryToolCount":8,"secondaryToolCount":12,"primaryToolSlugs":["encryption-onset-timer","ransomware-staging-detector","ransomware-family-identifier","crypto-ransom-note-parser","double-extortion-evidence-collector","lateral-movement-chain-visualizer","backup-deletion-artifact-analyzer","mass-rename-detector"],"secondaryToolSlugs":["evtx-parser","windows-event-deepdive","amcache-parser","shimcache-parser","volume-shadow-copy-deletion-detector","shadow-copy-disable-artifact-detector","credential-lateral-movement-tracer","lateral-movement-network-pattern-detector","ransomware-data-exfil-manifest-forensic-analyzer","incident-timeline-builder","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator"]},{"slug":"stalkerware-sweep","label":"stalkerware sweep (mobile)","shortLabel":"stalkerware","launchTier":1,"priority":"H","description":"covertly installed monitoring apps on a personal phone. iOS + android are very different surfaces: hidden config profiles + pairing records on iOS, sideloaded APKs + accessibility-abuse on android.","primaryToolCount":8,"secondaryToolCount":12,"primaryToolSlugs":["apk-analyzer","android-permissions-auditor","android-anonymous-messaging-app-artifact-detector","android-encrypted-vault-app-artifact-detector","android-app-cloner-artifact-forensic-detector","ios-pairing-record-forensic-analyzer","ios-jailbreak-artifact-detector","ios-lockdown-certificate-artifact-extractor"],"secondaryToolSlugs":["mobile-device-pairing-record-analyzer","ipa-analyzer","ios-burner-app-artifact-detector","android-burner-app-artifact-forensic-detector","ios-encrypted-messaging-app-residue-detector","android-vpn-app-artifact-forensic-extractor","mobile-app-sandbox-artifact-analyzer","ios-face-id-enrollment-artifact-forensic-analyzer","android-biometric-prompt-session-forensic-analyzer","edge-extension-side-load-artifact-forensic-analyzer","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator"]},{"slug":"ipv-tech","label":"intimate partner violence — tech trail","shortLabel":"IPV tech","launchTier":1,"priority":"H","description":"for DV advocates: documenting tech-based abuse — shared accounts, tracking, covert recording, social-media impersonation. evidence has to hold up for protective orders.","primaryToolCount":8,"secondaryToolCount":10,"primaryToolSlugs":["ios-location-history","ios-location-history-reconstructor","android-gps-location-history-forensic-extractor","android-google-timeline-artifact-forensic-extractor","bluetooth-pairing-history-forensic-extractor","wifi-connection-history-forensic-extractor","ios-significant-locations-forensic-extractor","ios-frequent-locations-artifact-analyzer"],"secondaryToolSlugs":["ios-imessage-deletion-artifact-detector","ios-imessage-edited-message-forensic-reconstructor","ios-whatsapp-deleted-message-recovery-detector","android-whatsapp-deleted-message-recovery-artifact-detector","mobile-conversation-deletion-pattern-detector","smart-lock-access-forensic-analyzer","apple-home-key-nfc-lock-event-forensic-analyzer","matter-protocol-commissioning-log-forensic-analyzer","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator"]},{"slug":"election-integrity","label":"election integrity investigation","shortLabel":"election","launchTier":1,"priority":"M","description":"voter-roll tampering, e-pollbook artifacts, ballot-image chain of custody, election-night messaging spoofing, foreign-influence pattern surfacing.","primaryToolCount":8,"secondaryToolCount":2,"primaryToolSlugs":["email-spoofing-spf-dkim-validator","email-impersonation-pattern-detector","ai-generated-text-fingerprint-analyzer","ai-generated-image-provenance-analyzer","metadata-inconsistency-finder","metadata-consistency-checker","ela-detector","copy-move-forgery-detector"],"secondaryToolSlugs":["fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator"]},{"slug":"ato","label":"account takeover (ATO)","shortLabel":"ATO","launchTier":1,"priority":"H","description":"credential stuffing → SIM swap → password reset chain → exfil. evidence lives in identity-provider logs, mailbox rules, and session artifacts.","primaryToolCount":8,"secondaryToolCount":12,"primaryToolSlugs":["okta-log-analyzer","o365-audit-log-parser","office365-audit-log-analyzer","microsoft365-audit-log-analyzer","mail-rule-parser","password-spray-detector","credential-artifact-scanner","sim-swap-artifact-forensic-detector"],"secondaryToolSlugs":["user-agent-analyzer","passive-os-fingerprinter","tls-ja3-fingerprinter","microsoft-entra-conditional-access-log-forensic-analyzer","okta-device-trust-posture-log-forensic-analyzer","zero-trust-access-anomaly-correlator","github-audit-log-analyzer","aws-cloudtrail-forensic-analyzer","browser-extension-cross-profile-correlator","chrome-extension-manifest-permission-forensic-analyzer","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator"]},{"slug":"crypto-theft","label":"crypto theft / wallet drain","shortLabel":"crypto theft","launchTier":1,"priority":"H","description":"approve-for-all phishing, sweeper bots, malicious dapps, drained hot wallets. evidence is a tx graph + the malicious contract bytecode + browser history.","primaryToolCount":8,"secondaryToolCount":9,"primaryToolSlugs":["ethereum-tx-decoder","bitcoin-tx-decoder","crypto-tx-graph","crypto-transaction-graph","smart-contract-bytecode-analyzer","crypto-mixer-pattern-detector","bitcoin-address-clustering","private-key-format-detector"],"secondaryToolSlugs":["monero-transaction-analyzer","mnemonic-validator","keystore-parser","blockchain-timestamp-verifier","browser-history-extractor","chrome-extension-analyzer","nft-metadata-forensics","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator"]},{"slug":"insider-threat","label":"insider threat / data exfiltration","shortLabel":"insider threat","launchTier":2,"priority":"H","description":"departing employee, IP theft, USB exfil, cloud-share leak. evidence patterns: access-anomaly + peer-comparison + after-hours activity.","primaryToolCount":8,"secondaryToolCount":12,"primaryToolSlugs":["insider-threat-indicator-scorer","data-access-anomaly-detector","peer-group-comparison-analyzer","time-of-day-activity-fingerprinter","user-behavior-baseline-profiler","copy-paste-behavior-forensics","user-workstation-affinity-mapper","credential-lateral-movement-tracer"],"secondaryToolSlugs":["microsoft-purview-dlp-incident-forensic-analyzer","endpoint-dlp-usb-exfil-block-log-analyzer","multi-vendor-dlp-incident-correlator","netskope-cloud-access-security-log-forensic-analyzer","lenel-badge-reader-event-log-forensic-analyzer","physical-access-holiday-anomaly-detector","lnk-deep-analyzer","recentdocs-mru-analyzer","writing-sample-authorship-comparator","orphaned-account-detector-from-iga-export","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator"]},{"slug":"phishing-campaign","label":"phishing campaign investigation","shortLabel":"phishing","launchTier":2,"priority":"H","description":"scope a campaign across a victim org — IOC extraction, kit fingerprinting, infrastructure pivoting.","primaryToolCount":8,"secondaryToolCount":12,"primaryToolSlugs":["phishing-header-analyzer","phishing-url-email-extractor","email-attachment-scanner","url-unshortener-chain","domain-reputation-check","ioc-extractor","ioc-deduplicator-normalizer","javascript-deobfuscator"],"secondaryToolSlugs":["phishing-kit-landing-page-artifact-forensic-extractor","email-html-payload-extractor","email-url-rewrite-chain-forensic-analyzer","proofpoint-tap-alert-export-forensic-analyzer","obfuscated-url-decoder","yara-tester","passive-dns-resolution-history-forensic-analyzer","domain-generation-algorithm-dns-cluster-detector","string-deobfuscator","base64-mass-decoder","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator"]},{"slug":"supply-chain-compromise","label":"supply chain compromise","shortLabel":"supply chain","launchTier":2,"priority":"M","description":"package compromise, build-system intrusion, signed-update poisoning. needs SBOM + dependency + build artifact analysis.","primaryToolCount":8,"secondaryToolCount":12,"primaryToolSlugs":["yara-scanner","yara-rule-scanner","pe-analyzer","pe-static-analyzer","compile-timestamp-vs-deploy-timestamp-conflict-detector","imphash-calculator","compiler-artifact-identifier","code-style-fingerprinter"],"secondaryToolSlugs":["string-ioc-correlator","binary-similarity-scorer","file-dna-fingerprinter","fuzzy-hash-calculator","docker-image-inspector","kubernetes-config-analyzer","slsa-build-provenance-metadata-forensic-analyzer","dependency-confusion-package-metadata-forensic-analyzer","software-supply-chain-typosquat-cluster-detector","code-signing-certificate-chain-forensic-analyzer","fatcousin-cross-export-ioc-hash-correlator","fatcousin-multi-tool-super-timeline-correlator"]},{"slug":"cloud-account-compromise","label":"cloud account compromise (M365 / Workspace)","shortLabel":"cloud ATO","launchTier":2,"priority":"H","description":"tenant-level intrusion — OAuth grants, app consent abuse, mailbox rule planting, exchange transport rule tampering.","primaryToolCount":8,"secondaryToolCount":12,"primaryToolSlugs":["office365-audit-log-analyzer","microsoft365-audit-log-analyzer","o365-audit-log-parser","azure-activity-log-analyzer","saas-overprivileged-oauth-scope-detector","microsoft-defender-cloud-apps-alert-forensic-analyzer","fatcousin-saas-audit-export-correlator","microsoft-account-activity-export-forensic-analyzer"],"secondaryToolSlugs":["mail-rule-parser","microsoft-entra-conditional-access-log-forensic-analyzer","azure-ad-conditional-access-decision-log-forensic-analyzer","zero-trust-access-anomaly-correlator","fatcousin-auth-identity-export-correlator","fatcousin-cloud-log-findings-export-merge-correlator","cloud-iam-excessive-permission-correlator","casb-oauth-token-abuse-detector","iam-policy-analyzer","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator","s3-access-log-analyzer"]},{"slug":"mobile-triage","label":"mobile device triage (consent-based)","shortLabel":"mobile triage","launchTier":2,"priority":"M","description":"consensual scan of a phone for the basics — apps, messages, location, recent activity. small-org IT, lawyers, or DV advocates.","primaryToolCount":8,"secondaryToolCount":12,"primaryToolSlugs":["ios-backup-browser","ios-backup-analyzer","android-backup-analyzer","ios-spotlight-search-artifact-extractor","ios-screen-time-analyzer","ios-app-install-uninstall-timeline-reconstructor","android-logcat-analyzer","mobile-location-history-extractor"],"secondaryToolSlugs":["ios-photos-forensics","ios-notes-forensics","ios-call-history-parser","ios-sms-parser","android-sms-db-parser","android-call-log-parser","cellebrite-ufdr-export-forensic-analyzer","mobile-extraction-chain-of-custody-metadata-validator","imsi-catcher-stingray-pattern-detector","custody-child-safety-device-audit-kit","fatcousin-cross-export-ioc-hash-correlator","fatcousin-multi-tool-super-timeline-correlator"]},{"slug":"workplace-harassment","label":"workplace harassment / hostile workplace","shortLabel":"harassment","launchTier":2,"priority":"M","description":"HR-grade preservation of slack/teams/email evidence with chain-of-custody, redactions, and timeline rebuilds.","primaryToolCount":8,"secondaryToolCount":6,"primaryToolSlugs":["slack-export-analyzer","slack-export-forensic-analyzer","teams-export-forensic-analyzer","slack-forensics","teams-forensics","email-thread-reconstructor","email-threading-reconstructor","writing-sample-authorship-comparator"],"secondaryToolSlugs":["navex-ethics-hotline-export-forensic-analyzer","hr-acuity-investigation-export-forensic-analyzer","chain-of-custody-gap-detector","redaction-quality-verifier","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator"]},{"slug":"trade-secret-theft","label":"trade secret / IP theft","shortLabel":"trade secret","launchTier":2,"priority":"M","description":"exiting employee took the source/customer list/CAD. preserve USB attach times, cloud-sync, print, and email-out evidence.","primaryToolCount":8,"secondaryToolCount":9,"primaryToolSlugs":["lnk-deep-analyzer","lnk-timeline-correlator","lnk-batch-timeline-correlator","shellbags-analyzer","jump-list-parser","jumplist-deep-correlator","print-spool-forensics","document-print-history-extractor"],"secondaryToolSlugs":["browser-download-history-correlator","download-history-analyzer","user-workstation-affinity-mapper","digital-guardian-dlp-event-forensic-analyzer","dlp-policy-severity-escalation-correlator","chain-of-custody-gap-detector","redaction-quality-verifier","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator"]},{"slug":"document-forgery","label":"document forgery / disputed authenticity","shortLabel":"doc forgery","launchTier":2,"priority":"M","description":"is this PDF / docx genuine? revision history, metadata genealogy, ghost text, embedded objects, signature chains.","primaryToolCount":8,"secondaryToolCount":12,"primaryToolSlugs":["pdf-object-explorer","pdf-forensics","pdf-incremental-update-analyzer","pdf-author-revision-metadata-analyzer","pdf-digital-signature-chain-analyzer","document-version-ghost-extractor","document-metadata-genealogy-tracer","tracked-changes-forensic-reconstructor"],"secondaryToolSlugs":["ooxml-hidden-content-extractor","office-coauthoring-extractor","office-document-revision-history-extractor","embedded-ole-object-extractor","compound-document-carver","document-template-origin-tracer","metadata-inconsistency-finder","redaction-burn-verifier","pkcs12-keystore-metadata-forensic-extractor","revoked-certificate-ocsp-crl-forensic-analyzer","fatcousin-cross-export-ioc-hash-correlator","fatcousin-multi-tool-super-timeline-correlator"]},{"slug":"ai-content-dispute","label":"AI-generated content dispute","shortLabel":"AI content","launchTier":2,"priority":"M","description":"is this image / text / code AI-generated? content-provenance, model fingerprinting, prompt-history reconstruction.","primaryToolCount":8,"secondaryToolCount":11,"primaryToolSlugs":["ai-generated-text-fingerprint-analyzer","ai-generated-image-provenance-analyzer","ai-generated-image-metadata-stripper-detector","ai-generated-code-provenance-analyzer","stable-diffusion-generation-metadata-extractor","comfyui-workflow-forensic-analyzer","automatic1111-artifact-forensic-extractor","gan-fingerprint-detector"],"secondaryToolSlugs":["chatgpt-conversation-export-forensic-analyzer","claude-conversation-export-forensic-analyzer","ai-prompt-history-forensic-analyzer","ai-conversation-timeline-reconstructor","ai-output-manipulation-and-editing-detector","image-stego-detector","lsb-stego-extractor","stego-brute-forcer","metadata-inconsistency-finder","fatcousin-cross-export-ioc-hash-correlator","fatcousin-multi-tool-super-timeline-correlator"]},{"slug":"deepfake-investigation","label":"deepfake investigation (video / audio / image)","shortLabel":"deepfake","launchTier":2,"priority":"H","description":"face-swap, voice-clone, identity-impersonation. PRNU + GAN fingerprint + ELA + lip-sync + audio splice.","primaryToolCount":8,"secondaryToolCount":6,"primaryToolSlugs":["video-deepfake-analyzer","face-swap-artifact-detector","gan-fingerprint-detector","ai-synthetic-voice-generation-artifact-analyzer","audio-splice-detector","ela-detector","prnu-fingerprinter","copy-move-forgery-detector"],"secondaryToolSlugs":["video-timestamp-analyzer","video-container-forensics","metadata-consistency-checker","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator","case-report-generator"]},{"slug":"romance-scam","label":"romance scam","shortLabel":"romance scam","launchTier":2,"priority":"M","description":"dating-app introduction → emotional manipulation → money request. evidence is profile screenshots, message archives, payment trails.","primaryToolCount":8,"secondaryToolCount":6,"primaryToolSlugs":["ios-dating-app-artifact-forensic-extractor","ios-whatsapp-artifact-forensic-extractor","android-whatsapp-database-forensic-analyzer","ios-telegram-artifact-forensic-extractor","android-telegram-database-forensic-extractor","ios-cash-app-artifact-forensic-extractor","ios-venmo-artifact-forensic-extractor","ai-generated-image-provenance-analyzer"],"secondaryToolSlugs":["ios-screenshot-burst-forensic-analyzer","url-unshortener-chain","domain-reputation-check","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator","case-report-generator"]},{"slug":"tech-support-scam","label":"tech support scam","shortLabel":"tech support scam","launchTier":2,"priority":"L","description":"pop-up → call center → remote-access install → gift-card / wire payout. evidence is RDP / RMM tooling and the call recording / payment.","primaryToolCount":8,"secondaryToolCount":6,"primaryToolSlugs":["remote-desktop-log-clearing-detector","rdp-cache-parser","live-response-tool-execution-detector","lolbin-execution-burst-detector","browser-history-extractor","browser-extension-analyzer","chrome-extension-analyzer","powershell-deobfuscator"],"secondaryToolSlugs":["powershell-history-clearing-detector","psreadline-gap-analyzer","scheduled-task-analyzer","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator","case-report-generator"]},{"slug":"cryptojacking","label":"cryptojacking","shortLabel":"cryptojacking","launchTier":2,"priority":"L","description":"unauthorized miner on endpoint / cloud workload — CPU/GPU baseline drift + persistence + outbound pool traffic.","primaryToolCount":8,"secondaryToolCount":6,"primaryToolSlugs":["process-tree-rebuilder","memory-pe-extractor","memory-entropy-analyzer","in-memory-config-extractor","network-beaconing-detector","network-beaconing-pattern-detector","dns-query-analyzer","c2-callback-interval-analyzer"],"secondaryToolSlugs":["scheduled-task-analyzer","registry-autoruns-parser","linux-persistence-analyzer","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator","case-report-generator"]},{"slug":"lost-stolen-device","label":"lost or stolen device","shortLabel":"lost device","launchTier":2,"priority":"L","description":"post-recovery triage: what did the finder do, what was accessed, was the device wiped or imaged.","primaryToolCount":8,"secondaryToolCount":6,"primaryToolSlugs":["ios-pairing-record-forensic-analyzer","mobile-device-pairing-record-analyzer","ios-jailbreak-artifact-detector","mobile-factory-reset-evidence-artifact-detector","mobile-remote-wipe-artifact-detector","android-factory-reset-artifact-detector","ios-app-install-uninstall-timeline-reconstructor","login-session-reconstructor"],"secondaryToolSlugs":["mobile-passcode-change-burst-artifact-detector","mobile-find-my-disable-artifact-detector","mobile-extraction-chain-of-custody-metadata-validator","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator","case-report-generator"]},{"slug":"disgruntled-exit","label":"disgruntled employee exit","shortLabel":"exit triage","launchTier":2,"priority":"M","description":"last-day endpoint snapshot: deletions, USB attach, cloud sync bursts, sabotage indicators (scheduled tasks, hidden accounts).","primaryToolCount":8,"secondaryToolCount":6,"primaryToolSlugs":["mass-rename-detector","secure-deletion-detector","file-shredder-remnant-scanner","registry-key-deletion-burst-detector","scheduled-task-deletion-detector","service-deletion-burst-detector","browser-history-clearing-pattern-detector","powershell-history-clearing-detector"],"secondaryToolSlugs":["lnk-deep-analyzer","user-workstation-affinity-mapper","endpoint-dlp-usb-exfil-block-log-analyzer","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator","case-report-generator"]},{"slug":"cyberstalking","label":"cyberstalking","shortLabel":"cyberstalking","launchTier":2,"priority":"M","description":"broader than stalkerware-app: social-graph harassment, doxing, multi-account impersonation, location-leak surfaces.","primaryToolCount":8,"secondaryToolCount":6,"primaryToolSlugs":["ai-chatbot-multi-account-correlation-analyzer","multi-source-entity-resolver","investigation-knowledge-graph","osint-normalizer","writing-sample-authorship-comparator","ios-significant-locations-forensic-extractor","android-google-timeline-artifact-forensic-extractor","domain-reputation-check"],"secondaryToolSlugs":["url-unshortener-chain","email-impersonation-pattern-detector","online-defamation-harassment-litigation-kit","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator","case-report-generator"]},{"slug":"sextortion","label":"sextortion","shortLabel":"sextortion","launchTier":2,"priority":"H","description":"extortion via real/fake intimate imagery. evidence is the threat channel + payment demand + (often) deepfake or scraped imagery.","primaryToolCount":8,"secondaryToolCount":6,"primaryToolSlugs":["email-header-analyzer","ios-imessage-deletion-artifact-detector","ios-whatsapp-artifact-forensic-extractor","android-whatsapp-database-forensic-analyzer","ai-generated-image-provenance-analyzer","face-swap-artifact-detector","bitcoin-tx-decoder","crypto-tx-graph"],"secondaryToolSlugs":["url-unshortener-chain","domain-reputation-check","ela-detector","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator","case-report-generator"]},{"slug":"minor-sextortion","label":"minor online coercion · youth safety","shortLabel":"minor coercion","launchTier":2,"priority":"H","description":"post-incident triage for minors — grooming metadata, sextortion payment chains, doxxing, swatting trails. survivor-consent framing · not a CSAM viewer · not covert parental surveillance.","primaryToolCount":7,"secondaryToolCount":10,"primaryToolSlugs":["evidence-manifest-generator","custody-child-safety-device-audit-kit","ios-screen-time-analyzer","ios-screen-time-family-sharing-correlation-detector","mobile-screen-time-parser","ios-backup-browser","ios-imessage-deletion-artifact-detector"],"secondaryToolSlugs":["ios-whatsapp-artifact-forensic-extractor","android-whatsapp-database-forensic-analyzer","email-header-analyzer","doxxing-victim-investigation-kit","swatting-call-attribution-kit","ai-generated-image-provenance-analyzer","face-swap-artifact-detector","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator","case-report-generator"]},{"slug":"sex-worker-stalker-investigation","label":"creator safety · stalker & NCII","shortLabel":"creator safety","launchTier":2,"priority":"M","description":"non-judgmental post-incident triage for adult creators — NCII leaks, impersonation, doxxing, processor deplatforming notices, stalker DMs. metadata and exports only · not subscriber surveillance · runs locally.","primaryToolCount":8,"secondaryToolCount":11,"primaryToolSlugs":["evidence-manifest-generator","doxxing-victim-investigation-kit","sextortion-ncii-investigation-kit","sextortion-takedown-notice-package-generator","payment-processor-subpoena-response-normalizer-stripe","payment-processor-subpoena-response-normalizer-paypal","ai-generated-image-provenance-analyzer","ela-detector"],"secondaryToolSlugs":["online-defamation-harassment-litigation-kit","ios-imessage-deletion-artifact-detector","ios-whatsapp-artifact-forensic-extractor","multi-source-entity-resolver","domain-reputation-check","social-media-subpoena-response-normalizer-twitter-x","social-media-subpoena-response-normalizer-reddit","payment-processor-subpoena-response-normalizer-square","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator","case-report-generator"]},{"slug":"online-doxxing","label":"online doxxing (post-event triage)","shortLabel":"online doxxing","launchTier":2,"priority":"H","description":"PII already published — paste sites, social posts, republish chains. post-event triage: scope exposure, trace author + platform, preserve for takedown and safety planning.","primaryToolCount":8,"secondaryToolCount":10,"primaryToolSlugs":["doxxing-victim-investigation-kit","osint-normalizer","multi-source-entity-resolver","investigation-knowledge-graph","domain-reputation-check","ioc-extractor","url-unshortener-chain","ai-chatbot-multi-account-correlation-analyzer"],"secondaryToolSlugs":["writing-sample-authorship-comparator","email-impersonation-pattern-detector","online-defamation-harassment-litigation-kit","swatting-call-attribution-kit","passive-dns-resolution-history-forensic-analyzer","sextortion-takedown-notice-package-generator","ela-detector","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator","case-report-generator"]},{"slug":"smart-home-compromise","label":"smart home compromise","shortLabel":"smart home","launchTier":2,"priority":"L","description":"unauthorized access to camera / lock / voice-assistant. who was added, when, from where; was the cloud account reused.","primaryToolCount":8,"secondaryToolCount":12,"primaryToolSlugs":["alexa-voice-history-forensic-extractor","google-home-artifact-forensic-analyzer","homekit-accessory-forensic-analyzer","ring-camera-artifact-forensic-extractor","nest-camera-forensic-analyzer","smart-lock-access-forensic-analyzer","smart-thermostat-timeline-analyzer","smart-tv-artifact-forensic-extractor"],"secondaryToolSlugs":["home-assistant-forensic-analyzer","zigbee-network-forensic-analyzer","multi-protocol-smart-home-device-correlation-tool","smart-home-evidence-presence-tampering-detector","matter-protocol-commissioning-log-forensic-analyzer","thread-border-router-log-forensic-analyzer","login-session-reconstructor","iot-firmware-forensic-extractor","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator","access-control-badge-swipe-log-forensic-analyzer","bms-hvac-trend-log-forensic-analyzer"]},{"slug":"api-key-leak","label":"API key leak / repo compromise","shortLabel":"key leak","launchTier":2,"priority":"M","description":"leaked credential in git history → cloud abuse window → cost-spike + lateral movement. correlate VCS + CSP audit logs.","primaryToolCount":8,"secondaryToolCount":12,"primaryToolSlugs":["git-repository-forensics","github-audit-log-parser","github-audit-log-analyzer","aws-cloudtrail-deep-analyzer","aws-cloudtrail-forensic-analyzer","iam-policy-analyzer","iam-escalation-graph","k8s-secrets-decoder"],"secondaryToolSlugs":["github-actions-artifact-provenance-forensic-analyzer","aws-secrets-manager-access-log-forensic-analyzer","api-key-abuse-rate-limit-anomaly-detector","terraform-state-analyzer","scout-suite-aws-assessment-forensic-analyzer","secrets-rotation-failure-timeline-correlator","credential-stuffing-victim-response-kit","gcp-audit-log-analyzer","azure-activity-log-analyzer","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator","case-report-generator"]},{"slug":"healthcare-breach","label":"healthcare data breach","shortLabel":"healthcare","launchTier":2,"priority":"M","description":"PHI exposure, EHR audit gap, DICOM exfil, HIPAA notification scoping. very specific evidence demands.","primaryToolCount":8,"secondaryToolCount":12,"primaryToolSlugs":["dicom-metadata-forensics","access-database-forensics","office365-audit-log-analyzer","microsoft365-audit-log-analyzer","log-gap-analyzer","log-ingestion-gap-detector","log-authenticity-scorer","chain-of-custody-gap-detector"],"secondaryToolSlugs":["user-behavior-baseline-profiler","data-access-anomaly-detector","redaction-quality-verifier","medical-records-breach-investigation-kit","hipaa-break-glass-access-log-forensic-analyzer","meditech-expanse-audit-log-forensic-analyzer","ehr-patient-portal-access-log-forensic-analyzer","symantec-dlp-incident-export-forensic-analyzer","netskope-dlp-alert-forensic-analyzer","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator","case-report-generator"]},{"slug":"medical-device-tamper","label":"medical device tamper / clinical IoT","shortLabel":"device tamper","launchTier":2,"priority":"H","description":"device integrity — wrong dose, alarm suppression, unauthorized config. not PHI exfil; evidence is pump, ventilator, monitor, and UDI session logs.","primaryToolCount":6,"secondaryToolCount":8,"primaryToolSlugs":["insulin-pump-log-forensic-analyzer","philips-intellivue-monitor-alarm-log-forensic-analyzer","medical-device-udi-tracking-log-forensic-analyzer","hipaa-break-glass-access-log-forensic-analyzer","log-authenticity-scorer","case-report-generator"],"secondaryToolSlugs":["ventilator-therapy-session-log-forensic-analyzer","dialysis-machine-session-log-forensic-analyzer","ehr-patient-portal-access-log-forensic-analyzer","dicom-metadata-forensics","log-gap-analyzer","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator","evidence-manifest-generator"]},{"slug":"ddos-investigation","label":"DDoS investigation","shortLabel":"DDoS","launchTier":2,"priority":"L","description":"post-event scoping of a volumetric / app-layer attack. evidence is pcap, flow, edge logs, and the botnet fingerprint.","primaryToolCount":8,"secondaryToolCount":12,"primaryToolSlugs":["pcap-reader","pcap-analyzer","netflow-analyzer","pcap-flow-reconstructor","network-flow-anomaly-detector","tls-ja3-fingerprinter","passive-os-fingerprinter","nginx-log-analyzer"],"secondaryToolSlugs":["http-access-log-analyzer","zeek-log-analyzer","irc-botnet-analyzer","nginx-plus-api-gateway-log-forensic-analyzer","api-key-abuse-rate-limit-anomaly-detector","cloudflare-dns-firewall-log-forensic-analyzer","aws-route53-resolver-query-log-forensic-analyzer","fortinet-fortigate-traffic-log-forensic-analyzer","checkpoint-firewall-log-forensic-analyzer","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator","case-report-generator"]},{"slug":"invoice-fraud","label":"invoice fraud / vendor account change","shortLabel":"invoice fraud","launchTier":2,"priority":"M","description":"fraudulent invoice + bank-detail-change request. tightly coupled to BEC but specifically about the paid-invoice artifact and approval chain.","primaryToolCount":8,"secondaryToolCount":12,"primaryToolSlugs":["email-header-analyzer","email-thread-reconstructor","email-header-chain-analyzer","pdf-object-explorer","pdf-forensics","pdf-author-revision-metadata-analyzer","document-metadata-genealogy-tracer","metadata-inconsistency-finder"],"secondaryToolSlugs":["tracked-changes-forensic-reconstructor","document-version-ghost-extractor","bill-com-ap-audit-log-forensic-analyzer","ap-vendor-bank-change-anomaly-detector","cross-ap-procurement-invoice-correlator","pdf-digital-signature-chain-analyzer","fednow-payment-message-forensic-analyzer","instant-payment-fraud-velocity-correlator","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator","openair-psa-audit-log-forensic-analyzer","case-report-generator"]},{"slug":"payroll-fraud","label":"payroll fraud / ghost employee","shortLabel":"payroll fraud","launchTier":2,"priority":"H","description":"unauthorized direct deposit changes · ghost employees · overtime inflation · payroll adjustment after termination. evidence is ADP/Workday/UKG payroll audit exports + HCM headcount cross-checks.","primaryToolCount":8,"secondaryToolCount":5,"primaryToolSlugs":["adp-payroll-audit-log-forensic-analyzer","workday-payroll-export-forensic-analyzer","payroll-ghost-employee-detector","payroll-unauthorized-adjustment-detector","payroll-overtime-inflation-detector","cross-hcm-payroll-headcount-correlator","cross-payroll-wfm-timesheet-correlator","case-report-generator"],"secondaryToolSlugs":["ukg-payroll-audit-log-forensic-analyzer","gusto-payroll-audit-log-forensic-analyzer","multi-payroll-platform-timeline-correlator","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator"]},{"slug":"whistleblower-retaliation","label":"whistleblower / retaliation investigation","shortLabel":"whistleblower","launchTier":2,"priority":"H","description":"ethics hotline report followed by adverse employment action. evidence spans Navex/EthicsPoint/Allvoices exports + HCM termination/promotion logs + HRSD case files.","primaryToolCount":8,"secondaryToolCount":6,"primaryToolSlugs":["navex-ethics-hotline-export-forensic-analyzer","ethics-retaliation-pattern-detector","ethics-unauthorized-case-dismissal-detector","cross-ethics-hcm-retaliation-correlator","hr-acuity-investigation-export-forensic-analyzer","cross-er-hrsd-case-correlator","servicenow-hrsd-case-export-forensic-analyzer","case-report-generator"],"secondaryToolSlugs":["allvoices-employee-report-audit-log-forensic-analyzer","multi-ethics-platform-timeline-correlator","multi-er-platform-timeline-correlator","whistleblower-retaliation-evidence-kit","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator"]},{"slug":"hr-platform-audit","label":"HR platform audit / HCM integrity","shortLabel":"HR platform audit","launchTier":2,"priority":"M","description":"Workday · SAP SuccessFactors · Oracle HCM · BambooHR audit exports. unauthorized record changes · provisioning lag · headcount drift · cross-system timeline reconstruction.","primaryToolCount":8,"secondaryToolCount":5,"primaryToolSlugs":["workday-hcm-audit-log-forensic-analyzer","sap-successfactors-ec-export-forensic-analyzer","oracle-hcm-cloud-audit-log-forensic-analyzer","hcm-unauthorized-job-change-detector","cross-hcm-payroll-headcount-correlator","multi-hcm-platform-timeline-correlator","onboarding-unauthorized-task-skip-detector","case-report-generator"],"secondaryToolSlugs":["bamboohr-core-hris-export-forensic-analyzer","namely-hris-export-forensic-analyzer","incident-timeline-builder","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator"]},{"slug":"equity-grant-audit","label":"equity grant / cap table investigation","shortLabel":"equity grant audit","launchTier":2,"priority":"M","description":"Carta · Shareworks · Pulley cap-table exports. unauthorized grant changes · 409A manipulation · vesting backdates · exercise-to-payroll correlation.","primaryToolCount":8,"secondaryToolCount":5,"primaryToolSlugs":["carta-equity-cap-table-export-forensic-analyzer","shareworks-equity-admin-audit-log-forensic-analyzer","equity-unauthorized-grant-change-detector","equity-409a-manipulation-detector","equity-vesting-backdate-detector","cross-equity-payroll-exercise-correlator","multi-equity-platform-timeline-correlator","case-report-generator"],"secondaryToolSlugs":["pulley-equity-grant-audit-log-forensic-analyzer","etrade-equity-edge-export-forensic-analyzer","incident-timeline-builder","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator"]},{"slug":"global-mobility-audit","label":"global mobility / relocation audit","shortLabel":"global mobility","launchTier":2,"priority":"M","description":"Topia · Cartus · Graebel assignment exports. unauthorized assignment changes · tax equalization abuse · relocation cost inflation · payroll reimbursement cross-check.","primaryToolCount":8,"secondaryToolCount":5,"primaryToolSlugs":["topia-global-mobility-export-forensic-analyzer","cartus-relocation-export-forensic-analyzer","mobility-unauthorized-assignment-change-detector","mobility-tax-equalization-abuse-detector","mobility-relocation-cost-inflation-detector","cross-mobility-payroll-relocation-correlator","multi-mobility-platform-timeline-correlator","case-report-generator"],"secondaryToolSlugs":["graebel-relocation-audit-log-forensic-analyzer","sirva-mobility-assignment-audit-log-forensic-analyzer","fragomen-immigration-export-forensic-analyzer","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator"]},{"slug":"labor-trafficking-investigation","label":"labor trafficking investigation","shortLabel":"labor trafficking","launchTier":2,"priority":"M","description":"post-coercion documentation — recruitment chat metadata, payroll withholding shape, immigration exports, payment trails. survivor-consent framing · indicators not statutory conclusions · runs locally.","primaryToolCount":8,"secondaryToolCount":10,"primaryToolSlugs":["evidence-manifest-generator","ios-whatsapp-artifact-forensic-extractor","android-whatsapp-database-forensic-analyzer","ios-telegram-artifact-forensic-extractor","android-telegram-database-forensic-extractor","telegram-desktop-tdata-artifact-forensic-extractor","fragomen-immigration-export-forensic-analyzer","workday-payroll-export-forensic-analyzer"],"secondaryToolSlugs":["payroll-unauthorized-adjustment-detector","cross-hcm-payroll-headcount-correlator","ios-burner-app-artifact-detector","android-burner-app-artifact-forensic-detector","prepaid-sim-activation-artifact-forensic-detector","osint-normalizer","multi-source-entity-resolver","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator","case-report-generator"]},{"slug":"gig-worker-payout-fraud","label":"gig worker payout fraud","shortLabel":"gig payout fraud","launchTier":2,"priority":"H","description":"platform payout redirect · tip skimming · ghost driver accounts — interim playbook until DoorDash/Uber parsers ship.","primaryToolCount":5,"secondaryToolCount":6,"primaryToolSlugs":["payment-processor-subpoena-response-normalizer-stripe","payment-processor-subpoena-response-normalizer-paypal","venmo-transaction-export-forensic-analyzer","ios-venmo-artifact-forensic-extractor","case-report-generator"],"secondaryToolSlugs":["ios-cash-app-artifact-forensic-extractor","cross-payroll-wfm-timesheet-correlator","payroll-unauthorized-adjustment-detector","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator","evidence-manifest-generator"]},{"slug":"livestream-impersonation","label":"livestream impersonation / creator takeover","shortLabel":"livestream impersonation","launchTier":2,"priority":"M","description":"channel takeover · stream-key theft · live deepfake impersonation · OAuth grant abuse. evidence spans OBS/Streamlabs config, platform chat/VOD exports, and synthetic media artifacts.","primaryToolCount":7,"secondaryToolCount":8,"primaryToolSlugs":["obs-streamlabs-config-forensic-analyzer","twitch-chat-log-forensic-analyzer","youtube-gaming-stream-chat-forensic-analyzer","video-deepfake-analyzer","ai-synthetic-voice-generation-artifact-analyzer","google-account-activity-export-forensic-deep-analyzer","casb-oauth-token-abuse-detector"],"secondaryToolSlugs":["twitch-stream-vod-metadata-forensic-extractor","kick-streaming-chat-log-forensic-analyzer","face-swap-artifact-detector","deepfake-voice-cloning-fraud-investigation-kit","url-unshortener-chain","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator","case-report-generator"]},{"slug":"journalist-source-protection","label":"journalist source protection","shortLabel":"source protection","launchTier":2,"priority":"H","description":"press-source handling: verify journalist + source comms weren't compromised before/after a sensitive story. evidence is E2EE app artifacts · SIM swap · OAuth grants · Google takeout — not corporate ethics hotline exports (see whistleblower-retaliation).","primaryToolCount":7,"secondaryToolCount":8,"primaryToolSlugs":["ios-signal-artifact-forensic-extractor","android-signal-database-forensic-extractor","signal-desktop-artifact-forensic-extractor","sim-swap-artifact-forensic-detector","google-account-activity-export-forensic-deep-analyzer","casb-oauth-token-abuse-detector","google-takeout-forensic-parser"],"secondaryToolSlugs":["threema-android-artifact-forensic-extractor","wire-artifact-forensic-extractor","proton-vpn-client-log-forensic-analyzer","login-session-reconstructor","saas-overprivileged-oauth-scope-detector","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator","case-report-generator"]},{"slug":"ai-agent-runaway","label":"AI agent runaway action","shortLabel":"agent runaway","launchTier":2,"priority":"H","description":"an autonomous agent (Claude · GPT · Gemini · Copilot · custom MCP) takes actions outside its prompt scope — reads credentials it shouldn't, exfils data, installs persistence, calls an MCP tool a human wouldn't have approved. evidence is the tool-call trace, the prompt-action divergence, and the OAuth grant ledger — not the prompt itself. distinct from llm-prompt-injection (malicious input) and insider-threat (human actor).","primaryToolCount":7,"secondaryToolCount":12,"primaryToolSlugs":["ai-agent-tool-call-execution-trace-reconstructor","ai-agent-prompt-vs-action-divergence-detector","ai-agent-autonomous-action-accountability-tracer","ai-agent-credential-handling-audit","mcp-tool-call-graph-reconstructor","ai-agent-persistence-mechanism-detector","ai-agent-network-exfiltration-pattern-detector"],"secondaryToolSlugs":["ai-agent-multi-step-transaction-graph-builder","ai-agent-file-system-modification-trace-builder","mcp-server-permission-escalation-detector","anthropic-mcp-claude-tool-call-attribution-tool","microsoft-copilot-365-audit-forensic-extractor","microsoft-copilot-artifact-forensic-analyzer","github-copilot-usage-artifact-analyzer","llm-tool-call-injection-forensic-analyzer","casb-oauth-token-abuse-detector","saas-overprivileged-oauth-scope-detector","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator"]},{"slug":"llm-prompt-injection","label":"LLM prompt injection","shortLabel":"prompt injection","launchTier":2,"priority":"H","description":"adversarial input — user prompt, retrieved doc, MCP tool result, uploaded attachment — manipulates an LLM into ignoring its system prompt or executing unintended actions. evidence is the attempt log, the matched pattern cluster, the indirect-injection carrier artifact, and the guardrail bypass score. distinct from ai-agent-runaway (autonomous scope creep with a benign prompt) and insider-threat (human actor with no model in the path).","primaryToolCount":7,"secondaryToolCount":12,"primaryToolSlugs":["llm-prompt-injection-attempt-log-forensic-analyzer","prompt-injection-attempt-detector-in-uploaded-doc","indirect-prompt-injection-document-artifact-detector","mcp-prompt-injection-via-tool-result-detector","rag-prompt-injection-via-retrieved-doc-detector","llm-jailbreak-conversation-artifact-detector","llm-guardrail-bypass-score-anomaly-detector"],"secondaryToolSlugs":["chatbot-jailbreak-pattern-cluster-detector","jailbreak-corpus-evolution-tracker","jailbreak-prompt-corpus-pattern-matcher","llm-system-prompt-exfiltration-attempt-detector","llm-context-window-leak-detector","llm-red-team-evaluation-log-forensic-analyzer","multi-turn-social-engineering-llm-session-analyzer","prompt-injection-artifact-detector","prompt-injection-campaign-attribution-tool","llm-tool-call-injection-forensic-analyzer","api-key-leakage-into-prompt-detector","vllm-inference-server-log-forensic-analyzer"]},{"slug":"mcp-server-compromise","label":"MCP server compromise","shortLabel":"mcp server compromise","launchTier":2,"priority":"H","description":"the MCP (Model Context Protocol) server itself is the failure locus — leaked server credentials, impersonated server identity, server-side tool-definition tampering, or permission escalation in the server's tool-grant ledger. evidence is the server audit log, the client-invocation trail showing what the LLM thinks it called vs what the server actually executed, the tool-call attribution graph, and the OAuth scope grant ledger. distinct from ai-agent-runaway (agent did this with a benign server) and llm-prompt-injection (input bent the model · server was clean). a compromised server can fool both honest models and honest agents.","primaryToolCount":6,"secondaryToolCount":9,"primaryToolSlugs":["mcp-model-context-protocol-server-audit-log-forensic-analyzer","mcp-client-invocation-log-forensic-analyzer","mcp-server-permission-escalation-detector","mcp-tool-call-graph-reconstructor","mcp-prompt-injection-via-tool-result-detector","anthropic-mcp-claude-tool-call-attribution-tool"],"secondaryToolSlugs":["ai-agent-tool-call-execution-trace-reconstructor","ai-agent-prompt-vs-action-divergence-detector","ai-agent-credential-handling-audit","llm-tool-call-injection-forensic-analyzer","casb-oauth-token-abuse-detector","saas-overprivileged-oauth-scope-detector","api-key-leakage-into-prompt-detector","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator"]},{"slug":"report-this-fraud","label":"report this fraud","shortLabel":"report fraud","launchTier":2,"priority":"H","description":"kitchen-at-11pm entry — you were scammed and need an official report. four prep-kits turn receipts · chat logs · bank exports into draft ic3 · ftc · cfpb · state ag filings you submit yourself. pick the right agency after you preserve evidence and quantify loss.","primaryToolCount":5,"secondaryToolCount":8,"primaryToolSlugs":["ic3-fbi-cybercrime-complaint-prep-kit","ftc-report-fraud-submission-prep-kit","cfpb-financial-complaint-prep-kit","state-ag-consumer-complaint-multi-state-prep-kit","case-report-generator"],"secondaryToolSlugs":["credential-stuffing-victim-response-kit","data-breach-victim-notification-readiness-kit","synthetic-identity-fraud-investigation-kit","elder-abuse-financial-exploitation-kit","nft-rug-pull-victim-investigation-kit","evidence-manifest-generator","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator"]},{"slug":"school-cyberbullying","label":"school cyberbullying · K–12 IR","shortLabel":"school cyberbullying","launchTier":2,"priority":"H","description":"post-incident district IR — correlate gaggle · bark monitor severity ladders with powerschool discipline rows · google classroom/schoology audit · doctored-screenshot metadata. not counseling · not mandatory-reporter trees · student education records stay local.","primaryToolCount":5,"secondaryToolCount":9,"primaryToolSlugs":["gaggle-student-safety-alert-export-forensic-analyzer","bark-school-edition-alert-export-forensic-analyzer","powerschool-sis-audit-log-forensic-analyzer","google-classroom-audit-log-forensic-analyzer","case-report-generator"],"secondaryToolSlugs":["schoology-audit-log-forensic-analyzer","goguardian-classroom-monitor-export-forensic-analyzer","securly-aware-alert-export-forensic-analyzer","lightspeed-classroom-monitor-log-forensic-analyzer","infinite-campus-sis-audit-log-forensic-analyzer","evidence-manifest-generator","writing-sample-authorship-comparator","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator"]},{"slug":"wire-fraud-at-closing","label":"wire fraud at closing · title escrow","shortLabel":"wire fraud at closing","launchTier":2,"priority":"H","description":"homebuyer wired to fraud account — spoofed escrow-instruction email · closing-packet pdf revision · qualia/docusign audit · MT103 wire message. distinct from generic BEC — alta settlement and title file number in evidence.","primaryToolCount":5,"secondaryToolCount":7,"primaryToolSlugs":["qualia-title-platform-audit-log-forensic-analyzer","docusign-real-estate-closing-packet-cert-chain-analyzer","swift-mt-message-forensic-analyzer","email-header-analyzer","case-report-generator"],"secondaryToolSlugs":["email-thread-reconstructor","pdf-author-revision-metadata-analyzer","pdf-digital-signature-chain-analyzer","fednow-payment-message-forensic-analyzer","evidence-manifest-generator","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator"]},{"slug":"title-fraud-deed-forgery","label":"title fraud · deed forgery","shortLabel":"deed forgery","launchTier":2,"priority":"M","description":"grantee change without matching sale · county record vs file parties · datatree deed export · pdf revision on recorded instrument.","primaryToolCount":5,"secondaryToolCount":5,"primaryToolSlugs":["corelogic-deed-record-export-forensic-analyzer","pdf-author-revision-metadata-analyzer","pdf-digital-signature-chain-analyzer","email-thread-reconstructor","case-report-generator"],"secondaryToolSlugs":["email-header-analyzer","document-metadata-genealogy-tracer","evidence-manifest-generator","qualia-title-platform-audit-log-forensic-analyzer","fatcousin-cross-export-ioc-hash-correlator"]},{"slug":"nursing-home-records-audit","label":"nursing home records audit · LTC exploitation","shortLabel":"LTC records audit","launchTier":2,"priority":"H","description":"facility records + financial exploitation — bank statements · caregiver device exports · POA docs · PMP/MAR adjacency · break-glass access logs. not clinical diagnosis or capacity conclusions · resident PHI stays local. pointclickcare · matrixcare · alis ltc parsers on disk.","primaryToolCount":3,"secondaryToolCount":9,"primaryToolSlugs":["elder-abuse-financial-exploitation-kit","controlled-substance-pmp-log-forensic-analyzer","case-report-generator"],"secondaryToolSlugs":["pointclickcare-facility-audit-log-forensic-analyzer","matrixcare-resident-chart-export-forensic-analyzer","alis-ltc-resident-activity-log-forensic-analyzer","medical-records-breach-investigation-kit","hipaa-break-glass-access-log-forensic-analyzer","evidence-manifest-generator","pdf-author-revision-metadata-analyzer","fatcousin-multi-tool-super-timeline-correlator","fatcousin-cross-export-ioc-hash-correlator"]},{"slug":"maritime-ais-sanctions","label":"maritime AIS · sanctions / dark vessel","shortLabel":"maritime AIS","launchTier":2,"priority":"H","description":"insurance-fraud and sanctions-evasion casework — correlate marinetraffic · spire · vesselfinder exports on mmsi · imo · track gaps · spoofing · ship-to-ship transfer. vessel tracks stay local.","primaryToolCount":7,"secondaryToolCount":8,"primaryToolSlugs":["marinetraffic-ais-export-forensic-analyzer","vesselfinder-vessel-track-export-forensic-analyzer","spire-maritime-ais-csv-forensic-analyzer","ais-spoofing-detection-from-receiver","ship-to-ship-transfer-detection-from-ais","vessel-ownership-obfuscation-chain-detector","case-report-generator"],"secondaryToolSlugs":["port-state-control-inspection-log-forensic-analyzer","ais-broadcast-log-forensic-analyzer","gis-track-forensics","vdr-furuno-extraction-forensic-parser","ecdis-route-history-forensic-analyzer","evidence-manifest-generator","multi-artifact-correlator","fatcousin-cross-export-ioc-hash-correlator"]}]