runnable playbooks
a guided path, not automation. each playbook wraps the curated pipeline for a case type and walks you through it one step at a time — open each tool, run it yourself on evidence you already have, check the step off. nothing uploads, no account, no server runs your files. at the end you can export a run summary with a self-hash for your own notes. close the tab when you're done.
52 guided paths · one per case type · all local
crisis-first
- business email compromise (BEC) · 5 steps: vendor impersonation · payroll redirect · wire fraud · spoofed reply chains. evidence is almost always email headers, mailbox rules, and login telemetry.
- pig butchering / long-con investment scam · 6 steps: weeks-to-months of chat grooming → fake crypto exchange → drained wallet. evidence spans messaging apps, crypto wallets, and screenshots.
- ransomware response · 6 steps: encryption onset → lateral movement → exfil → ransom note. the first 48 hours are about scoping, finding patient-zero, and preserving evidence before the actor wipes logs.
- stalkerware sweep (mobile) · 5 steps: covertly installed monitoring apps on a personal phone. iOS + android are very different surfaces: hidden config profiles + pairing records on iOS, sideloaded APKs + accessibility-abuse on android.
- intimate partner violence — tech trail · 5 steps: for DV advocates, documenting tech-based abuse — shared accounts, tracking, covert recording, social-media impersonation. evidence has to hold up for protective orders.
- election integrity investigation · 6 steps: voter-roll tampering, e-pollbook artifacts, ballot-image chain of custody, election-night messaging spoofing, foreign-influence pattern surfacing.
- account takeover (ATO) · 7 steps: credential stuffing → SIM swap → password reset chain → exfil. evidence lives in identity-provider logs, mailbox rules, and session artifacts.
- crypto theft / wallet drain · 6 steps: approve-for-all phishing, sweeper bots, malicious dapps, drained hot wallets. evidence is a tx graph + the malicious contract bytecode + browser history.
all case types
- insider threat / data exfiltration · 8 steps: departing employee, IP theft, USB exfil, cloud-share leak. evidence patterns: access-anomaly + peer-comparison + after-hours activity.
- phishing campaign investigation · 7 steps: scope a campaign across a victim org — IOC extraction, kit fingerprinting, infrastructure pivoting.
- supply chain compromise · 8 steps: package compromise, build-system intrusion, signed-update poisoning. needs SBOM + dependency + build artifact analysis.
- cloud account compromise (M365 / Workspace) · 8 steps: tenant-level intrusion — OAuth grants, app consent abuse, mailbox rule planting, exchange transport rule tampering.
- mobile device triage (consent-based) · 6 steps: consensual scan of a phone for the basics — apps, messages, location, recent activity. small-org IT, lawyers, or DV advocates.
- workplace harassment / hostile workplace · 9 steps: HR-grade preservation of slack/teams/email evidence with chain-of-custody, redactions, and timeline rebuilds.
- trade secret / IP theft · 8 steps: exiting employee took the source/customer list/CAD. preserve USB attach times, cloud-sync, print, and email-out evidence.
- document forgery / disputed authenticity · 8 steps: is this PDF / docx genuine? revision history, metadata genealogy, ghost text, embedded objects, signature chains.
- AI-generated content dispute · 6 steps: is this image / text / code AI-generated? content-provenance, model fingerprinting, prompt-history reconstruction.
- deepfake investigation (video / audio / image) · 7 steps: face-swap, voice-clone, identity-impersonation. PRNU + GAN fingerprint + ELA + lip-sync + audio splice.
- romance scam · 8 steps: dating-app introduction → emotional manipulation → money request. evidence is profile screenshots, message archives, payment trails.
- tech support scam · 8 steps: pop-up → call center → remote-access install → gift-card / wire payout. evidence is RDP / RMM tooling and the call recording / payment.
- cryptojacking · 8 steps: unauthorized miner on endpoint / cloud workload — CPU/GPU baseline drift + persistence + outbound pool traffic.
- lost or stolen device · 8 steps: post-recovery triage: what did the finder do, what was accessed, was the device wiped or imaged.
- disgruntled employee exit · 8 steps: last-day endpoint snapshot: deletions, USB attach, cloud sync bursts, sabotage indicators (scheduled tasks, hidden accounts).
- cyberstalking · 8 steps: broader than stalkerware-app: social-graph harassment, doxing, multi-account impersonation, location-leak surfaces.
- sextortion · 7 steps: extortion via real/fake intimate imagery. evidence is the threat channel + payment demand + (often) deepfake or scraped imagery.
- minor online coercion · youth safety · 6 steps: post-incident triage for minors — grooming metadata, sextortion payment chains, doxxing, swatting trails. survivor-consent framing · not a CSAM viewer · not covert parental surveillance.
- creator safety · stalker & NCII · 6 steps: non-judgmental post-incident triage for adult creators — NCII leaks, impersonation, doxxing, processor deplatforming notices, stalker DMs. metadata and exports only · not subscriber surveillance · runs locally.
- online doxxing (post-event triage) · 8 steps: PII already published — paste sites, social posts, republish chains. post-event triage: scope exposure, trace author + platform, preserve for takedown and safety planning.
- smart home compromise · 9 steps: unauthorized access to camera / lock / voice-assistant. who was added, when, from where; was the cloud account reused.
- API key leak / repo compromise · 11 steps: leaked credential in git history → cloud abuse window → cost-spike + lateral movement. correlate VCS + CSP audit logs.
- healthcare data breach · 10 steps: PHI exposure, EHR audit gap, DICOM exfil, HIPAA notification scoping. very specific evidence demands.
- medical device tamper / clinical IoT · 6 steps: device integrity — wrong dose, alarm suppression, unauthorized config. not PHI exfil; evidence is pump, ventilator, monitor, and UDI session logs.
- DDoS investigation · 9 steps: post-event scoping of a volumetric / app-layer attack. evidence is pcap, flow, edge logs, and the botnet fingerprint.
- invoice fraud / vendor account change · 7 steps: fraudulent invoice + bank-detail-change request. tightly coupled to BEC but specifically about the paid-invoice artifact and approval chain.
- payroll fraud / ghost employee · 6 steps: unauthorized direct deposit changes · ghost employees · overtime inflation · payroll adjustment after termination. evidence is ADP/Workday/UKG payroll audit exports + HCM headcount cross-checks.
- whistleblower / retaliation investigation · 7 steps: ethics hotline report followed by adverse employment action. evidence spans Navex/EthicsPoint/Allvoices exports + HCM termination/promotion logs + HRSD case files.
- HR platform audit / HCM integrity · 6 steps: Workday · SAP SuccessFactors · Oracle HCM · BambooHR audit exports. unauthorized record changes · provisioning lag · headcount drift · cross-system timeline reconstruction.
- equity grant / cap table investigation · 7 steps: Carta · Shareworks · Pulley cap-table exports. unauthorized grant changes · 409A manipulation · vesting backdates · exercise-to-payroll correlation.
- global mobility / relocation audit · 7 steps: Topia · Cartus · Graebel assignment exports. unauthorized assignment changes · tax equalization abuse · relocation cost inflation · payroll reimbursement cross-check.
- labor trafficking investigation · 8 steps: post-coercion documentation — recruitment chat metadata, payroll withholding shape, immigration exports, payment trails. survivor-consent framing · indicators not statutory conclusions · runs locally.
- gig worker payout fraud · 6 steps: platform payout redirect · tip skimming · ghost driver accounts — interim playbook until DoorDash/Uber parsers ship.
- livestream impersonation / creator takeover · 7 steps: channel takeover · stream-key theft · live deepfake impersonation · OAuth grant abuse. evidence spans OBS/Streamlabs config, platform chat/VOD exports, and synthetic media artifacts.
- journalist source protection · 6 steps: press-source handling: verify journalist + source comms weren't compromised before/after a sensitive story. evidence is E2EE app artifacts · SIM swap · OAuth grants · Google takeout — not corporate ethics hotline exports (see whistleblower-retaliation).
- AI agent runaway action · 6 steps: an autonomous agent (Claude · GPT · Gemini · Copilot · custom MCP) takes actions outside its prompt scope — reads credentials it shouldn't, exfils data, installs persistence, calls an MCP tool a human wouldn't have approved. evidence is the tool-call trace, the prompt-action divergence, and the OAuth grant ledger — not the prompt itself. distinct from llm-prompt-injection (malicious input) and insider-threat (human actor).
- LLM prompt injection · 6 steps: adversarial input — user prompt, retrieved doc, MCP tool result, uploaded attachment — manipulates an LLM into ignoring its system prompt or executing unintended actions. evidence is the attempt log, the matched pattern cluster, the indirect-injection carrier artifact, and the guardrail bypass score. distinct from ai-agent-runaway (autonomous scope creep with a benign prompt) and insider-threat (human actor with no model in the path).
- MCP server compromise · 6 steps: the MCP (Model Context Protocol) server itself is the failure locus — leaked server credentials, impersonated server identity, server-side tool-definition tampering, or permission escalation in the server's tool-grant ledger. evidence is the server audit log, the client-invocation trail showing what the LLM thinks it called vs what the server actually executed, the tool-call attribution graph, and the OAuth scope grant ledger. distinct from ai-agent-runaway (agent did this with a benign server) and llm-prompt-injection (input bent the model · server was clean). a compromised server can fool both honest models and honest agents.
- report this fraud · 3 steps: kitchen-at-11pm entry — you were scammed and need an official report. four prep-kits turn receipts · chat logs · bank exports into draft ic3 · ftc · cfpb · state ag filings you submit yourself. pick the right agency after you preserve evidence and quantify loss.
- school cyberbullying · K–12 IR · 6 steps: post-incident district IR — correlate gaggle · bark monitor severity ladders with powerschool discipline rows · google classroom/schoology audit · doctored-screenshot metadata. not counseling · not mandatory-reporter trees · student education records stay local.
- wire fraud at closing · title escrow · 6 steps: homebuyer wired to fraud account — spoofed escrow-instruction email · closing-packet pdf revision · qualia/docusign audit · MT103 wire message. distinct from generic BEC — alta settlement and title file number in evidence.
- title fraud · deed forgery · 5 steps: grantee change without matching sale · county record vs file parties · datatree deed export · pdf revision on recorded instrument.
- nursing home records audit · LTC exploitation · 5 steps: facility records + financial exploitation — bank statements · caregiver device exports · POA docs · PMP/MAR adjacency · break-glass access logs. not clinical diagnosis or capacity conclusions · resident PHI stays local. pointclickcare · matrixcare · alis ltc parsers on disk.
- maritime AIS · sanctions / dark vessel · 10 steps: insurance-fraud and sanctions-evasion casework — correlate marinetraffic · spire · vesselfinder exports on mmsi · imo · track gaps · spoofing · ship-to-ship transfer. vessel tracks stay local.