Tool Chains
Use tools as workflows, not isolated utilities.
Each chain shows what to open first, what output to carry forward, and where the work should land as a handoff, brief, evidence packet, or detection starter.
Extract, decode, format, compare, or classify before making a claim.
Send output to a detection, evidence checklist, handoff, report, or tracker.
Tool output supports analysis. It does not prove exposure, compromise, or remediation alone.
Chains
Common analyst paths
Email suspicion
Use when a suspicious message needs a safe first read.
Advisory to hunt
Use when a vendor note or report contains indicators and behavior clues.
Patch triage
Use when severity needs local applicability and owner-ready proof.
Infrastructure pivot
Use when domain, range, mail, certificate, or ownership context matters.
Artifact inspection
Use when pasted payloads, logs, configs, or evidence need cleanup.
Report-ready output
Use when tool results need to become a brief or reusable output.
Role Fit
Which chain should each role open first?
SOC
Advisory to hunt
Extract indicators, normalize them, draft a search, then turn the result into a detection handoff.
Patch team
Patch triage
Connect severity, affected product proof, version validation, and evidence before assignment.
Infra
Infrastructure pivot
Follow domains, certs, mail-auth records, and IP ranges into attack-surface context.
Leader
Report-ready output
Use saved work and brief templates so a tool result becomes a decision-ready update.
Recommended use: start with a chain when you know the evidence type, then land in Handoff Center, Brief Builder, or Evidence Checklist.