Posts

Showing posts from March, 2026

LLM-Augmented DFIR-IRIS Case Templates: Embedding AI Prompts Directly in Your IR Reports

In a previous post I released a library of DFIR-IRIS case templates covering common incident types. Those templates give you a pre-built task list, structured note directories, and a report scaffold, but the actual narrative content still needs to be written by a human analyst at the end of a long and usually exhausting investigation. I've been experimenting with a different approach: embedding structured LLM prompts directly inside the case template's summary field, so that when the investigation is complete, an AI can draft the report narrative from the case data automatically. This post describes the concept, shows how the prompts are structured, and discusses where it works well and where it still needs a human.

Experimental status: These are experimental templates. They are not a replacement for analyst judgment and should not be used to generate reports that go to stakeholders without review. The intent is to reduce the time cost of first-draft report writ...

DFIR-IRIS Case Templates: A Free, Open-Source Library for Common Incident Types

Every incident starts the same way: a blank case. No structure, no task list, no note framework, just an empty canvas at the moment when you have the least time to think about documentation. Over time I got tired of rebuilding the same scaffolding from scratch, so I built a library of DFIR-IRIS case templates covering the most common incident types we handle in security operations. The templates are free, open-source, and available on GitHub. This post walks through what's included, how they're structured, and how to get started.

What's Included

The library currently covers 13 incident types:

Template | File | What it covers
💼 Business Email Compromise | BEC.json | Account takeover, inbox rules, financial fraud, payroll diversion
☁️ Cloud Data Breach | CloudDataBreach.json | Cloud tenant/storage exposure, IAM investigation, provider coordination
🗃️ Data Breach | DataBreach.json | Unauthorized access/disclosure, GDPR/HIPAA/PCI-DSS/CCPA obligat...