business email compromise (BEC)
vendor impersonation · payroll redirect · wire fraud · spoofed reply chains. evidence is almost always email headers, mailbox rules, and login telemetry.
a guided path, not automation — each step opens a tool you run yourself; nothing uploads. progress is saved only in this browser.
wraps the BEC triage kit preset — drop the suspect .eml(s) → extract headers → pull IOCs → triage → draft case report
guided steps
- evidence manifest generator
hash every input file so chain-of-custody is preserved
suggested options · includeSha1: false
- ioc extractor
extract URLs, domains, IPs from the message bodies + headers
suggested options · format: json · aggregate: true
- case report generator
draft a markdown report; edit before sending up the chain
suggested options · title: BEC triage
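what the first two steps do to a single message, as an added python example (not the kit's own code or output format): it hashes the raw .eml with SHA-256 before parsing, then aggregates URLs, domains and IPs from headers and body into one JSON record. the sample message, the record's field names, the helper functions and the `reply_to_mismatch` flag are assumptions made for illustration.

```python
import hashlib, ipaddress, json, re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlsplit
# constructed sample message, not real evidence; every name and address is made up
SAMPLE_EML = (
    b"Received: from mail.vendor-payments.example (unknown [203.0.113.45])\r\n"
    b"\tby mx.corp.example with ESMTP; Tue, 4 Mar 2025 09:12:01 +0000\r\n"
    b"From: \"Accounts Payable\" <ap@vendor.example>\r\n"
    b"Reply-To: ap@vendor-payments.example\r\n"
    b"Subject: RE: updated bank details\r\n"
    b"\r\n"
    b"Please use the new account: https://portal.vendor-payments.example/invoice?id=1\r\n"
)
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def addr_domain(value):
    """Lower-cased domain of an address header, or '' when the header is absent."""
    return parseaddr(str(value or ""))[1].rpartition("@")[2].lower()

def valid_ip(candidate):
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:  # e.g. 999.1.1.1 or a version string that looks like a quad
        return None

def triage(name, raw):
    """Hash the untouched bytes first, then parse a copy for indicators."""
    digest = hashlib.sha256(raw).hexdigest()  # SHA-256 only, as with includeSha1: false
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    blob = "\n".join(f"{k}: {v}" for k, v in msg.items()) + "\n" + text
    urls = sorted(set(URL_RE.findall(blob)))
    from_d, reply_d = addr_domain(msg["From"]), addr_domain(msg["Reply-To"])
    # narrowed scope: domains come from URLs and From/Reply-To, not every header token
    domains = {urlsplit(u).hostname for u in urls} | {from_d, reply_d}
    return {
        "file": name,
        "sha256": digest,
        "urls": urls,
        "domains": sorted(d for d in domains if d),
        "ips": sorted({ip for ip in map(valid_ip, IP_RE.findall(blob)) if ip}),
        "reply_to_mismatch": bool(reply_d) and reply_d != from_d,
    }

if __name__ == "__main__":
    print(json.dumps(triage("suspect.eml", SAMPLE_EML), indent=2))
```

the hash is taken over the bytes exactly as received, so re-saving or re-encoding the .eml in a mail client before hashing produces a different digest than the original evidence.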
when you're done
export a run summary — a small JSON record of which steps you marked done, your notes, and a self-hash so the record can't be silently altered. it is your reproducibility note, not a per-tool receipt: each tool emits its own input→output receipt when you run it.