Comparing IR Solutions

Cyber Triage is faster, easier, and more thorough than ad-hoc processes, and it is cheaper and better at host forensics than EDR.

Editions compared: Standard, Standard Pro, Team
    • Collects volatile and file system data
    • Collects to USB drive
    • Analyzes memory images using Volatility
    • Pivot through collected data to determine scope
    • View a timeline of threats to get context
    • Generates HTML and CybOX reports
    • Collects over the network
    • Automatically analyzes data to identify suspicious items
    • Detects malware using ReversingLabs
    • Analyzes files using YARA rules
    • Hides known-good items with allowlists
    • Flags IOCs with denylists
    • Correlates with a single user's previous collections to determine how common an item is
    • Groups hosts by incident for better reporting and correlation
    • Produces a JSON report that can be imported into SIEMs
    • Custom report branding
    • Collect to and from USB
    • Collect over the network
    • Collect to S3
    • Malware scanning limits: 5000/week (Standard), 4000/day (Standard Pro), 4000/day (Team)
    • Queue up multiple collections
    • Collaborate and share data amongst the team
    • Integrate with an orchestration system
    • Scoring and recommendations
    • Collects from many hosts simultaneously
    • Queue lists of hosts for scanning
    • Integrates with SIEMs and orchestration tools using a REST API
    • Stores data in a multi-user database
    • Correlates with all users' previous collections to determine how common an item is
    • Collect from and analyze multiple hosts at the same time
    • Correlates artifacts with past cases the team has worked
    • Analysts can collaborate and work on the same incident at the same time
    • Higher performance via a PostgreSQL server
    • Synchronize threat intelligence lists across all clients
    • Headless ingest
    • Run as a Windows service
    • Higher malware scanning limits (refreshed daily instead of weekly)
    • Free team server key

In addition to Cyber Triage, companies often consider other types of host-based investigative solutions:

    • Ad-hoc process: Using many tools to complete the end-to-end host investigation process. Many of the tools are command-line, free, and produce text-file outputs.
    • EDR: Endpoint Detection and Response agents are always running and collecting data. Their stored data can be used during the investigation.

If you’d like to try Cyber Triage yourself, sign up for a free evaluation of the full version.