ransomware response
encryption onset → lateral movement → exfil → ransom note. the first 48 hours are about scoping, finding patient-zero, and preserving evidence before the actor wipes logs.
a guided path, not automation — each step opens a tool you run yourself; nothing uploads. progress is saved only in this browser.
wraps the ransomware response — timeline kit preset — drop artifact bundles + IOC lists → merge timeline → extract + dedupe IOCs → triage → report
guided steps
- evidence manifest generator
hash every input — required for evidentiary integrity
- forensic timeline builder
merge all timestamped events from input bundles into one ordered timeline
suggested options · order: asc
- ioc extractor
extract IOCs from any text inputs (notes, logs)
suggested options · format: json · aggregate: true
- ioc deduplicator and normalizer
merge with any pre-existing IOC bundles in the input set
- case report generator
draft an executive + technical report
suggested options · title: ransomware response
when you're done
export a run summary — a small JSON record of which steps you marked done, your notes, and a self-hash so the record can't be silently altered. it is your reproducibility note, not a per-tool receipt: each tool emits its own input→output receipt when you run it.
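how a self-hashed run summary can be checked, as an added example that is not the tool's own code or export format. the field names, the `sha256:` prefix, the use of SHA-256 and the canonical JSON form (sorted keys, no whitespace, hash field excluded) are all assumptions, since the page does not give the record's schema.

```python
import hashlib
import json

HASH_FIELD = "self_hash"  # assumed field name; the page does not give the schema

def canonical_bytes(record: dict) -> bytes:
    """Deterministic JSON of everything except the hash field itself."""
    body = {k: v for k, v in record.items() if k != HASH_FIELD}
    text = json.dumps(body, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return text.encode("utf-8")

def seal(record: dict) -> dict:
    """Return a copy of the record with its self-hash (SHA-256, assumed) attached."""
    sealed = {k: v for k, v in record.items() if k != HASH_FIELD}
    sealed[HASH_FIELD] = "sha256:" + hashlib.sha256(canonical_bytes(sealed)).hexdigest()
    return sealed

def verify(record: dict) -> bool:
    """Recompute the hash over the body and compare with the stored value."""
    claimed = record.get(HASH_FIELD)
    if not isinstance(claimed, str):
        return False  # hash stripped or replaced with a non-string
    return claimed == "sha256:" + hashlib.sha256(canonical_bytes(record)).hexdigest()

# constructed sample record: step names come from the page, the rest is made up
SAMPLE = seal({
    "path": "ransomware response",
    "steps": [
        {"tool": "evidence manifest generator", "done": True},
        {"tool": "forensic timeline builder", "done": True},
        {"tool": "ioc extractor", "done": True},
        {"tool": "ioc deduplicator and normalizer", "done": False},
        {"tool": "case report generator", "done": False},
    ],
    "notes": "constructed note: timeline merged from 3 bundles",
})

def tampered_copy(record: dict) -> dict:
    """Flip one step to 'done' without touching the stored hash."""
    copy = json.loads(json.dumps(record))
    copy["steps"][3]["done"] = True
    return copy

if __name__ == "__main__":
    print(json.dumps(SAMPLE, indent=2))
    print("original verifies:", verify(SAMPLE))
    print("edited copy verifies:", verify(tampered_copy(SAMPLE)))
```

a self-hash catches edits that leave the stored hash untouched; anyone who edits the record can also re-seal it, so write the hash value down somewhere separate (the case report, for instance) if that matters for your case.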