Curated tools with IR-specific setup tips. Practitioner-tested, vendor-neutral.
No affiliate links. No sponsorships. Just what actually works.
General-purpose AI that IR, Detection, Threat Hunting, and TI teams have adapted for daily workflows.
Anthropic's model. Best-in-class for long-context analysis — feeds an entire week of logs without truncation.
Use Projects to maintain persistent investigation context across sessions. With a 200K token window, you can dump full Defender or Splunk exports and get coherent analysis without chunking.
OpenAI's flagship model. Widest ecosystem, best plugin support, and Custom GPTs for specialized IR workflows.
Build a Custom GPT loaded with your team's runbooks and playbooks as knowledge files. Point analysts at it during live incidents so they stop hunting for documentation mid-response.
AI-native search engine with real-time web access. The fastest tool for OSINT during live incidents.
Use it for real-time actor lookups, CVE context, domain history, and paste site hits during active incidents. Beats manually pivoting across 10 browser tabs and gives cited sources.
Microsoft's security-specific AI. Native integration with Sentinel, Defender XDR, Intune, and Entra.
Earns its cost for first-pass Sentinel incident summaries and Defender alert explanations during L1 triage. The limitations are real: session context resets frequently, generated KQL needs validation before production. Treat its output as a draft, not a finding.
Google's AI model. Most valuable for teams on Google Workspace, GCP, or Chronicle SecOps.
Gemini in Google SecOps lets you query Chronicle logs with natural language — no KQL required. If your org is GCP-native, this removes a significant barrier for L1 analysts during triage.
Tools designed specifically for security workflows — not general-purpose models adapted to fit.
Industry-standard for file, URL, IP, and domain analysis. AI-powered behavior summaries on submissions.
The AI behavior summary on file submissions saves 10–15 minutes of sandbox review per sample. Run everything through it before committing to manual analysis — the summary alone often tells you if it's worth the time.
Natural language search and SPL generation built into Splunk Enterprise and Cloud.
Useful for getting a first-pass SPL query without knowing the exact field names — particularly when you're in an unfamiliar index mid-investigation. Always review the generated SPL before running at scale; field extractions and index scoping need a human check.
Daniel Miessler's open-source AI pattern library for security and analysis workflows. CLI-first, composable.
The analyze_malware_input and create_sigma_rules patterns are immediately useful. Pipe log output directly in from the terminal — no GUI, no copy-paste. Best for analysts who live in the command line.
For logs, malware samples, and forensic artefacts you cannot send to the cloud. No data leaves your network.
Run open-source LLMs locally with a single command. Supports Llama 3, Mistral, Gemma, and dozens more.
Non-negotiable for sensitive log analysis and malware samples you can't send to the cloud. Run Llama 3.3 70B for near-GPT-4 quality completely offline. Works on a forensic workstation with no internet access required.
Desktop GUI for running local LLMs. Easy model downloads, built-in chat, and a local API server.
The GUI makes local models accessible for analysts who aren't comfortable with the terminal. Spin up a local API server and point your team's scripts at it — same interface as OpenAI's API, zero external calls, full data sovereignty.
Not AI tools — but the community platforms the prompts on this site are built around. If you're doing detection, hunting, or threat intel work, these belong in your workflow.
The community standard for vendor-neutral detection rules. Write once, deploy to Splunk, Sentinel, Elastic, or any supported SIEM.
The Sigma Rule prompt on this site outputs rules in this format. Use the Sigma HQ repository as a reference baseline — before writing a new rule, check whether the community has already solved the same detection problem.
Cross-platform detection rule translator. Converts Sigma, KQL, SPL, and YARA-L between platforms in seconds.
Pair this with the AI-generated Sigma rules from this site's prompt library. Generate the rule with AI, convert it to your SIEM's native query language with Uncoder — faster than manual translation and less error-prone.
Open-source threat intelligence platform. Share, correlate, and store structured threat data across teams and organisations.
Use MISP as the structured output destination for your AI-generated IOC enrichment and threat actor profiles. The AI prompt gives you the analysis — MISP gives it a home your team can query, share, and build on over time.
Open-source cyber threat intelligence platform. Structured actor profiles, campaign tracking, and MITRE ATT&CK-native data model.
Feed AI-generated threat actor profiles and Diamond Model outputs from this site's Intel prompts into OpenCTI for structured storage. Its ATT&CK-native graph makes relationships between actors, TTPs, and infrastructure queryable in ways flat documents can't match.
Practitioners handle some of the most sensitive data in any organisation. Before feeding anything into a cloud AI, read this.
Not all incident data is equal. Some of it has no business leaving your environment.
PII-containing logs (names, emails, employee records) · Malware samples from active incidents · Attorney-client privileged communications · Regulated data subject to GDPR, HIPAA, or PCI-DSS · Raw forensic artefacts from named victim organisations. For all of the above: use Ollama or LM Studio locally.
LLM providers have different policies on whether your inputs are used to train future models.
Claude (API): does not train on your data by default. Claude (claude.ai free): check your privacy settings. ChatGPT (free): training is on by default — turn it off in settings. ChatGPT (API/Enterprise): off by default. Always verify against the provider's current data use policy before sending anything sensitive.
When you feed attacker-controlled data into an LLM, the attacker may be feeding the LLM instructions too.
A phishing email body, a malicious log entry, or a crafted file name can contain text designed to hijack the AI's behaviour. Treat AI output based on attacker-controlled input with extra skepticism, and never act on it without independent verification.