// case type
API key leak / repo compromise
leaked credential in git history → cloud abuse window → cost-spike + lateral movement. correlate VCS + CSP audit logs.
start here · primary tools
ordered. work top-down. the first tool is the suggested entry point for this case type.
- git repository forensic analyzer: drop a .git directory or git bundle file · extract full commit history · recover deleted commits via reflog · stash contents · author metadata · file change history · detect secret leaks in history · runs locally
- github audit log parser: json or jsonl audit export · action / actor / org / repo fields · repo, org, hook, oauth, protected-branch and secret-scanning events · suspicious flags · export csv · runs locally
- github audit log analyzer: drop github enterprise audit log json or csv export · parse repository and organization events · surface suspicious access patterns (force pushes, secret scanning alerts, member changes) · reconstruct git activity timeline · runs locally
- aws cloudtrail forensic deep analyzer: drop cloudtrail json logs · detect privilege escalation paths · credential theft · data exfiltration · lateral movement between services · unusual api patterns · flag attacker ips · runs locally
- aws cloudtrail log forensic analyzer: drop aws cloudtrail json log files or csv export · parse api call records across all aws services · surface credential abuse, privilege escalation, data exfiltration and infrastructure manipulation · reconstruct attacker activity timeline · runs locally
- aws iam policy analyzer: paste iam policy json · effective permissions · wildcard expansion · risks · escalation hints · plain english · runs locally
- iam escalation graph: iam policy json · wildcard expansion · 15 escalation patterns · attack chains · severity · csv + json export · runs locally
- kubernetes secrets decoder: paste secret yaml or json · decode base64 · credential hints · redact toggle · runs locally · keys stay in browser
also useful · secondary tools
supporting and follow-up tools. surface as the investigation widens.
- terraform state analyzer: drop terraform tfstate · resource inventory · sensitive values · misconfigs · dependency edges · redact view · runs locally
- terraform plan diff: plan json or tfstate · before/after diff · attribute changes · security flags · security groups open to 0.0.0.0/0 · public s3 · iam · csv export · runs locally
- gcp audit log analyzer: drop google cloud audit log json · api calls · iam changes · storage access · vm events · security findings · runs locally
- azure activity log analyzer: drop azure activity log json · operations timeline · rbac changes · vm events · security · network changes · runs locally
- case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
run as a stack
skip the click-through. these presets are curated forensic pipelines you can save as a stack with one click and run on your evidence locally.
API key leak — cloud audit
11 steps: drop git history + GitHub audit + CloudTrail + IAM report → IOC extract → breach merge → timeline → report
- 01 evidence-manifest-generator: hash repo exports + audit logs before analysis
- 02 git-repository-forensics: scan git history for leaked credentials + secret patterns
- 03 github-audit-log-analyzer: GitHub audit log — who accessed the repo after the leak window
- 04 aws-cloudtrail-deep-analyzer: CloudTrail deep parse for API abuse after key exposure
- 05 aws-iam-credential-report: IAM credential report — active keys + last-used timestamps
- 06 k8s-event-log-analyzer: Kubernetes event log if the key was used against a cluster
- 07 k8s-rbac-graph-builder: RBAC graph — what the leaked credential could access
- 08 ioc-extractor: pull IPs + API endpoints from audit log text
- 09 breach-ioc-normalizer: merge with any threat-intel IOC list from the CSP
- 10 forensic-timeline-builder: rebuild the abuse window from leak → first malicious API call
- 11 case-report-generator: draft a report scoping the blast radius + recommended revocations