cross-tool corroboration
you ran several tools — an edr export, a mailbox csv, a firewall log, a couple of reproducibility receipts — about the same incident. corroboration lines them up and shows you where independent artifacts AGREE on an indicator (an ip, an email, a hash, a timestamp, an account, a file path), where they CONFLICT, and where a finding rests on a single source. agreement across more independent sources is stronger — but it is still a heuristic over what you drop here. nothing uploads, nothing is fetched, everything is read in this tab.
corroboration is a heuristic over what you provide — agreement is not proof; conflict is not innocence. verify each indicator at its source.
drop two or more exports about the same incident — csv, json, jsonl, or plain-text logs, or a few reproducibility receipts. corroboration needs at least two sources to compare.
how the scoring works
- agreement / unique. every distinct indicator (kind + normalized value) is counted across the sources it appears in. present in two or more sources → agreement; present in exactly one → unique. confidence scales only with the number of independent sources — no claim beyond “n inputs name the same thing.”
- conflict. grounded in a small, declared set of functional dependencies — relationships expected to be single-valued in well-formed evidence (a file path should have one content hash). when one key value is paired with more than one distinct companion value, that is a flagged conflict. the exact dependency list is reproduced in the exported report so the assumption is auditable.
- extraction is best-effort. indicators are pulled by simple, inspectable regexes; an account id is only recognized when a column or key name says so. a missed or mis-typed value is always possible — open the source and confirm.
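the agreement / unique / conflict rules above, written out in javascript as an added example that is not this tool's own code. the record shape, the `corroborate` function, the one-entry dependency list (path to hash) and the sample values are assumptions constructed for illustration; regex extraction is skipped and records arrive already keyed by kind.

```javascript
// added example: hypothetical names and constructed data, not the tool's own code
const DEPENDENCIES = [["path", "hash"]]; // assumed dependency list: one path -> one content hash

const normalize = (kind, value) => {
  const v = String(value).trim();
  return kind === "path" ? v : v.toLowerCase(); // paths kept case-sensitive (assumption)
};

function corroborate(sources) {
  const seen = new Map();       // "kind|value" -> Set of source names
  const companions = new Map(); // "keyKind|keyValue->depKind" -> Map(depValue -> Set of sources)
  for (const { name, records } of sources) {
    for (const record of records) {
      const row = {};
      for (const [kind, value] of Object.entries(record)) {
        row[kind] = normalize(kind, value);
        const id = `${kind}|${row[kind]}`;
        if (!seen.has(id)) seen.set(id, new Set());
        seen.get(id).add(name); // a Set, so repeats inside one source count once
      }
      for (const [keyKind, depKind] of DEPENDENCIES) {
        if (!(keyKind in row) || !(depKind in row)) continue;
        const id = `${keyKind}|${row[keyKind]}->${depKind}`;
        if (!companions.has(id)) companions.set(id, new Map());
        const values = companions.get(id);
        if (!values.has(row[depKind])) values.set(row[depKind], new Set());
        values.get(row[depKind]).add(name);
      }
    }
  }
  const agreement = [], unique = [], conflicts = [];
  for (const [id, names] of seen) {
    (names.size >= 2 ? agreement : unique).push({ indicator: id, sources: [...names].sort() });
  }
  for (const [id, values] of companions) {
    if (values.size > 1) conflicts.push({ dependency: id, values: [...values.keys()].sort() });
  }
  return { agreement, unique, conflicts };
}

// constructed sample input: three sources about one incident
const SAMPLE = [
  { name: "edr.json", records: [{ path: "C:\\Temp\\a.exe", hash: "AA11", ip: "203.0.113.7" }, { ip: "203.0.113.7" }] },
  { name: "firewall.log", records: [{ ip: "203.0.113.7 " }, { ip: "198.51.100.9" }] },
  { name: "receipt.json", records: [{ path: "C:\\Temp\\a.exe", hash: "bb22" }] },
];
console.log(JSON.stringify(corroborate(SAMPLE), null, 2));
```

in the sample the file path is an agreement across two sources while its hash is a flagged conflict, which is the case the "agreement is not proof" caveat is about.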