Standard | Standard Pro | Team | |
|---|---|---|---|
| Collects volatile and file system data | |||
| Collects to USB Drive | |||
| Analyzes memory images using Volatility | |||
| Pivot through collected data to determine scope | |||
| View timeline of threats to get context | |||
| Generates HTML and CybOX reports | |||
| Collects over the network | |||
| Automatically analyzes data to identify suspicious items | |||
| Detect malware using ReversingLabs | |||
| Analyzes files using Yara rules | |||
| Hides known good items with allowlists | |||
| Flags IOC with denylists | |||
| Correlates with single user’s previous collection to determine how common item is | |||
| Groups hosts by incident for better reporting and correlation | |||
| Produces JSON report that can be imported into SIEMs | |||
| Custom report branding | |||
| Collect to and from USB | |||
| Collect over the network | |||
| Collect to S3 | |||
| Malware scanning limits | 5000/week | 4000/day | 4000/day |
| Queue up multiple collections | |||
| Collaborate and share data amongst the team | |||
| Integrate with orchestration system | |||
| Scoring and Recommendations | |||
| Collects from many hosts simultaneously | |||
| Queue lists of hosts for scanning | |||
| Integrates with SIEMs and orchestration tools using REST API | |||
| Stores data in a multi-user database | |||
| Correlates with all user’s previous collections to determine how common item is | |||
| Simultaneously collect and analyze multiple hosts at the same time | |||
| Correlates artifacts with past cases the team has worked | |||
| Analysts can collaborate and work on the same incident at the same time | |||
| Higher performance via PostgreSQL server | |||
| Synchronize threat intelligence lists across all clients | |||
| Headless ingest | |||
| Run as a windows service | |||
| Higher malware scanning limits (refreshed daily instead of weekly) | |||
| Free team server key |
In addition to Cyber Triage, companies are often considering other types of host-based investigative solutions.
-
- Ad-Hoc Process: Using many tools to complete the end-to-end host investigation process. Many of the tools are command line, free, and produce text file outputs
- EDR: Endpoint Detection and Response agents are always running and collecting data. Their stored data can be used during the investigation.
If you’d like to try Cyber Triage yourself, sign up for a free evaluation of the full version.