account takeover (ATO)
credential stuffing → SIM swap → password reset chain → exfil. evidence lives in identity-provider logs, mailbox rules, and session artifacts.
a guided path, not automation — each step opens a tool you run yourself; nothing uploads. progress is saved only in this browser.
wraps the ATO — attacker fingerprint kit preset — drop M365 / Okta / CloudTrail log exports → extract IPs + UAs + ASNs → dedupe → triage → timeline → report
guided steps
- evidence manifest generator
hash raw audit-log exports — most identity providers don't re-issue them
- ioc extractor
pull source IPs, user-agent fragments, originating ASNs from the log text
suggested options · format: json · aggregate: true
- ioc deduplicator and normalizer
drop RFC1918 noise — what remains is the attacker's external infrastructure
suggested options · lowercase: true · dropPrivate: true
- breach ioc normalizer
merge with any pre-existing IOC list from the IdP's threat-intel feed (if provided as input)
- ioc bulk validator & triage
score the remaining IPs — high-severity hits are the attacker's persistent infra
- forensic timeline builder
rebuild the login sequence so you can pinpoint the patient-zero session
suggested options · order: asc
- case report generator
draft a report identifying the persistence window + recommended revocations
suggested options · title: ATO — attacker fingerprint
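the extract → normalize → dedupe → timeline chain above, as an added Python example that is not the kit's own code: the flat JSON record shape and field names are assumptions (not a real Okta/M365 export schema) and the sample events are constructed. it goes one step past the list by returning the patient-zero session directly from the ascending timeline.

```python
import ipaddress
import json
from datetime import datetime

# Constructed sample (hypothetical flat shape; field names are assumptions, not a real
# Okta/M365 schema). 203.0.113.x and 198.51.100.x are documentation ranges used as "public".
SAMPLE_LOG = """\
{"ts":"2024-05-02T08:14:09Z","user":"alice@example.com","ip":"203.0.113.45","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/124.0","asn":"AS64496","result":"SUCCESS"}
{"ts":"2024-05-02T08:03:51Z","user":"alice@example.com","ip":"203.0.113.45","ua":"mozilla/5.0 (windows nt 10.0) chrome/124.0","asn":"AS64496","result":"FAILURE"}
{"ts":"2024-05-02T08:02:17Z","user":"alice@example.com","ip":"10.20.30.40","ua":"Outlook/16.0","asn":"","result":"SUCCESS"}
{"ts":"2024-05-02T09:30:00Z","user":"alice@example.com","ip":"198.51.100.7","ua":"python-requests/2.31","asn":"AS64500","result":"SUCCESS"}
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_events(text):
    """One JSON object per line; a torn line is skipped rather than aborting the run."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def is_rfc1918(ip):
    """dropPrivate: the three RFC1918 blocks go; an unparsable address counts as noise too."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return True
    return any(addr in net for net in RFC1918)

def extract_iocs(events):
    """ioc extractor + normalizer: (ip, ua, asn) lowercased, RFC1918 dropped, deduped."""
    seen = {}
    for e in events:
        if is_rfc1918(e.get("ip", "")):
            continue
        key = (e["ip"].strip(), e.get("ua", "").strip().lower(), e.get("asn", "").strip().lower())
        seen.setdefault(key, {"ip": key[0], "ua": key[1], "asn": key[2]})
    return sorted(seen.values(), key=lambda i: i["ip"])

def timeline(events):
    """forensic timeline: external-source events in ascending time order (order: asc)."""
    ext = [e for e in events if not is_rfc1918(e.get("ip", ""))]
    return sorted(ext, key=lambda e: datetime.fromisoformat(e["ts"].replace("Z", "+00:00")))

def patient_zero(events):
    """Earliest successful external login: the session to revoke first and pivot from."""
    return next((e for e in timeline(events) if e.get("result") == "SUCCESS"), None)
```

the two 203.0.113.45 events collapse to one IOC because the UA is lowercased before dedupe, while the internal 10.20.30.40 login never reaches the timeline.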
when you're done
export a run summary — a small JSON record of which steps you marked done, your notes, and a self-hash so the record can't be silently altered. it is your reproducibility note, not a per-tool receipt: each tool emits its own input→output receipt when you run it.