Practitioner-built · Free · No account needed
The Digital Sentinel
AI Prompt Library for Blue Teamers
50 prompts  ·  0 community-submitted
// 01 — Large Language Models
LLMs for IR Work

General-purpose AI that IR, Detection, Threat Hunting, and TI teams have adapted for daily workflows.

Claude
Free + Pro

Anthropic's model. Best-in-class for long-context analysis — feeds an entire week of logs without truncation.

IR Tip

Use Projects to maintain persistent investigation context across sessions. With a 200K token window, you can dump full Defender or Splunk exports and get coherent analysis without chunking.

ChatGPT
Free + Plus

OpenAI's flagship model. Widest ecosystem, best plugin support, and Custom GPTs for specialized IR workflows.

IR Tip

Build a Custom GPT loaded with your team's runbooks and playbooks as knowledge files. Point analysts at it during live incidents so they stop hunting for documentation mid-response.

Perplexity
Free + Pro

AI-native search engine with real-time web access. The fastest tool for OSINT during live incidents.

IR Tip

Use it for real-time actor lookups, CVE context, domain history, and paste site hits during active incidents. Beats manually pivoting across 10 browser tabs and gives cited sources.

Copilot for Security

Microsoft's security-specific AI. Native integration with Sentinel, Defender XDR, Intune, and Entra.

IR Tip

Earns its cost for first-pass Sentinel incident summaries and Defender alert explanations during L1 triage. The limitations are real: session context resets frequently, generated KQL needs validation before production. Treat its output as a draft, not a finding.

Google Gemini
Free + Enterprise

Google's AI model. Most valuable for teams on Google Workspace, GCP, or Chronicle SecOps.

IR Tip

Gemini in Google SecOps lets you query Chronicle logs with natural language — no KQL required. If your org is GCP-native, this removes a significant barrier for L1 analysts during triage.

// 02 — Security-Native AI
Built for Security

Tools designed specifically for security workflows — not general-purpose models adapted to fit.

VirusTotal
Free + Enterprise

Industry-standard for file, URL, IP, and domain analysis. AI-powered behavior summaries on submissions.

IR Tip

The AI behavior summary on file submissions saves 10–15 minutes of sandbox review per sample. Run everything through it before committing to manual analysis — the summary alone often tells you if it's worth the time.

Splunk AI Assistant

Natural language search and SPL generation built into Splunk Enterprise and Cloud.

IR Tip

Useful for getting a first-pass SPL query without knowing the exact field names — particularly when you're in an unfamiliar index mid-investigation. Always review the generated SPL before running at scale; field extractions and index scoping need a human check.

Fabric
Open Source

Daniel Miessler's open-source AI pattern library for security and analysis workflows. CLI-first, composable.

IR Tip

The analyze_malware_input and create_sigma_rules patterns are immediately useful. Pipe log output directly in from the terminal — no GUI, no copy-paste. Best for analysts who live in the command line.

// 03 — Local & Private
AI That Stays on Your Machine

For logs, malware samples, and forensic artefacts you cannot send to the cloud. No data leaves your network.

Ollama
Free

Run open-source LLMs locally with a single command. Supports Llama 3, Mistral, Gemma, and dozens more.

IR Tip

Non-negotiable for sensitive log analysis and malware samples you can't send to the cloud. Run Llama 3.3 70B for near-GPT-4 quality completely offline. Works on a forensic workstation with no internet access required.

LM Studio
Free

Desktop GUI for running local LLMs. Easy model downloads, built-in chat, and a local API server.

IR Tip

The GUI makes local models accessible for analysts who aren't comfortable with the terminal. Spin up a local API server and point your team's scripts at it — same interface as OpenAI's API, zero external calls, full data sovereignty.

// 04 — Community Tools
Practitioner Essentials

Not AI tools — but the community platforms the prompts on this site are built around. If you're doing detection, hunting, or threat intel work, these belong in your workflow.

Sigma HQ
Open Source

The community standard for vendor-neutral detection rules. Write once, deploy to Splunk, Sentinel, Elastic, or any supported SIEM.

IR Tip

The Sigma Rule prompt on this site outputs rules in this format. Use the Sigma HQ repository as a reference baseline — before writing a new rule, check whether the community has already solved the same detection problem.

Uncoder.io
Free + Pro

Cross-platform detection rule translator. Converts Sigma, KQL, SPL, and YARA-L between platforms in seconds.

IR Tip

Pair this with the AI-generated Sigma rules from this site's prompt library. Generate the rule with AI, convert it to your SIEM's native query language with Uncoder — faster than manual translation and less error-prone.

MISP
Open Source

Open-source threat intelligence platform. Share, correlate, and store structured threat data across teams and organisations.

IR Tip

Use MISP as the structured output destination for your AI-generated IOC enrichment and threat actor profiles. The AI prompt gives you the analysis — MISP gives it a home your team can query, share, and build on over time.

OpenCTI
Open Source

Open-source cyber threat intelligence platform. Structured actor profiles, campaign tracking, and MITRE ATT&CK-native data model.

IR Tip

Feed AI-generated threat actor profiles and Diamond Model outputs from this site's Intel prompts into OpenCTI for structured storage. Its ATT&CK-native graph makes relationships between actors, TTPs, and infrastructure queryable in ways flat documents can't match.

// 05 — Before You Paste
What Should Never Go to the Cloud

Practitioners handle some of the most sensitive data in any organisation. Before feeding anything into a cloud AI, read this.

Data You Should Not Send

Not all incident data is equal. Some of it has no business leaving your environment.

Never send to cloud LLMs

PII-containing logs (names, emails, employee records) · Malware samples from active incidents · Attorney-client privileged communications · Regulated data subject to GDPR, HIPAA, or PCI-DSS · Raw forensic artefacts from named victim organisations. For all of the above: use Ollama or LM Studio locally.

Training Data Policies

LLM providers have different policies on whether your inputs are used to train future models.

What to check

Claude (API): does not train on your data by default. Claude (claude.ai free): check your privacy settings. ChatGPT (free): training is on by default — turn it off in settings. ChatGPT (API/Enterprise): off by default. Always verify against the provider's current data use policy before sending anything sensitive.

Prompt Injection Risk

When you feed attacker-controlled data into an LLM, the attacker may be feeding the LLM instructions too.

What this looks like

A phishing email body, a malicious log entry, or a crafted file name can contain text designed to hijack the AI's behaviour. Treat AI output based on attacker-controlled input with extra skepticism, and never act on it without independent verification.