// industry vertical

agentic AI forensics · API / MCP / copilot

agent tool-call traces · MCP server call graphs · prompt-vs-action divergence · credential-handling audit · agent persistence + exfil patterns · Claude / GPT / Gemini / Copilot artifact trails. distinct from llm-prompt-injection — runaway is the agent acting outside its prompt scope, not a malicious prompt.

tools: 22
priority: H
processing: local · in browser

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this vertical.

  1. ai agent tool call execution trace reconstructor: drop agent run log · reconstruct tool-call sequence + state mutations · runs locally
  2. ai agent prompt vs action divergence detector: drop agent run log · detect actions taken inconsistent with prompt · runs locally
  3. ai agent autonomous action accountability tracer: drop agent run log · trace responsibility for each autonomous action · runs locally
  4. mcp tool call graph reconstructor: drop mcp client + server log set · reconstruct tool-call dependency graph · runs locally
  5. anthropic mcp claude tool call attribution tool: drop claude tool call log · attribute each tool call to model decision · runs locally
  6. microsoft copilot 365 audit forensic extractor: drop m365 copilot audit log · parse prompts + app context · runs locally

also useful · secondary tools

cross-cutting tools that surface depending on the specific investigation.

  1. ai agent credential handling audit: drop agent run log · audit credential usage + leakage risk · runs locally
  2. ai agent persistence mechanism detector: drop agent + system state · detect persistence implanted by agent · runs locally
  3. ai agent network exfiltration pattern detector: drop agent network log · detect data exfiltration via agent · runs locally
  4. ai agent multi step transaction graph builder: drop agent run log · build graph of agent actions across steps · runs locally
  5. ai agent file system modification trace builder: drop agent run log + filesystem snapshot · reconstruct fs changes attributable to agent · runs locally
  6. mcp server permission escalation detector: drop mcp server audit log · detect over-permissioned tool exposure · runs locally
  7. Microsoft Copilot artifact forensic analyzer: analyze Microsoft Copilot artifacts including prompts, coding sessions, and AI-assisted workflows · runs locally
  8. GitHub Copilot usage artifact analyzer: reconstruct GitHub Copilot usage, completions, and AI-assisted coding workflows · runs locally
  9. github copilot workspace artifact forensic extractor: drop copilot workspace export · parse chat + repo context · runs locally
  10. llm tool call injection forensic analyzer: drop agent tool call log export · parse injected args + unauthorized tool invocations · runs locally
  11. casb oauth token abuse detector: drop casb oauth grant export · detect excessive scope grants · runs locally
  12. saas overprivileged oauth scope detector: drop saas oauth grant export · detect excessive oauth scopes · runs locally
  13. fatcousin multi tool super timeline correlator: drop any fatcousin findings csv/json · unified timestamp-sorted timeline · runs locally
  14. fatcousin cross export ioc hash correlator: drop hash/ioc csv from any fatcousin tool · shared indicator intersection report · runs locally
  15. case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
  16. evidence manifest generator: drop evidence files · compute md5 sha1 sha256 · chain of custody manifest · case number · analyst · export pdf and csv · runs locally

want deeper agentic AI coverage?

this vertical is intentionally sparse — deep-moat coverage grows over time. tracked in the forensics rollout.
