Skip to content
This repository was archived by the owner on Feb 27, 2026. It is now read-only.

scriptedstatement/claude-ir

BranchesTags

Repository files navigation

Important

This repository has been retired. It is no longer maintained.

Development continues at AppliedIR/aiir — the Artificial Intelligence Incident Response Platform.

Documentation: appliedir.github.io/aiir

Claude-IR

AI-assisted incident response workstation combining semantic search, threat intelligence, and forensic tools for use with Claude Code.

Architecture

graph LR
    subgraph ws["Claude-IR Workstation"]
        CC["Claude Code<br/>IR Orchestrator"]
        subgraph local["Local MCP Servers"]
            RAG["forensic-rag-mcp<br/>Knowledge Search"]
            WT["windows-triage-mcp<br/>Baseline Validation"]
            OCTI["opencti-mcp<br/>Threat Intel"]
        end
        DB1[("ChromaDB")]
        DB2[("SQLite")]
    end

    OpenCTI["OpenCTI Instance"]
    REMnux["REMnux Instance"]
    MSLearn["Microsoft Learn MCP"]
    Zeltser["Zeltser Writing MCP"]

    CC --> RAG --> DB1
    CC --> WT --> DB2
    CC --> OCTI -->|"HTTP(S)"| OpenCTI
    CC -.->|"HTTP"| REMnux
    CC -.->|"HTTPS"| MSLearn
    CC -.->|"HTTPS"| Zeltser
Loading

All MCP servers are optional — enable only what you need. Each MCP server is a separate repo cloned into the claude-ir directory during setup; they don't appear in this repo's file listing but are linked above.

Local MCP Servers

Included in this project. Run on your workstation, no external services required (except opencti-mcp which connects to your OpenCTI instance).

Component Purpose Repo
forensic-rag-mcp Semantic search over IR knowledge from 23 authoritative sources forensic-rag-mcp
windows-triage-mcp Offline file/process validation against Windows baselines windows-triage-mcp
opencti-mcp Threat intelligence queries against your OpenCTI instance opencti-mcp

Remote MCP Servers

Third-party MCP servers maintained by external projects. The claude-ir setup process can configure these for you — just enable the ones you want. Microsoft Learn and Zeltser MCPs work out of the box; REMnux requires a separate instance.

Component Purpose Additional Setup Source
remnux-mcp Malware analysis (200+ tools) REMnux instance with MCP server remnux-mcp-server
microsoft-learn Azure/Windows/M365 security documentation None Microsoft
zeltser-ir-writing IR report writing guidelines None Lenny Zeltser

Configuration: Credentials for these servers are stored in .mcp.json (project-local, gitignored). See .mcp.json.example for the template.

What Can You Ask?

With Claude-IR configured, you can ask Claude:

Forensic Knowledge

  • "What artifacts indicate credential dumping?"
  • "How do I detect lateral movement in Windows event logs?"
  • "What are the KAPE targets for browser forensics?"

Threat Intelligence (requires OpenCTI)

  • "What do we know about APT29?"
  • "Look up this hash in OpenCTI"
  • "What campaigns are associated with Cobalt Strike?"

Baseline Validation

  • "Is this process tree normal for svchost.exe?"
  • "Check if this DLL path is legitimate"
  • "What LOLBins can execute arbitrary code?"

Malware Analysis (requires REMnux instance)

  • "Analyze this suspicious executable"
  • "What capabilities does this PE have?"
  • "Extract IOCs from this document"

Investigation Guidance

  • "Analyze these EVTX logs for suspicious activity"
  • "Build a timeline from these artifacts"
  • "What persistence mechanisms should I check?"

Prerequisites

  • Platform: Linux (SIFT Workstation, WSL2, or general Ubuntu/Debian)
  • Claude Code - Anthropic's CLI tool
  • Python 3.10+
  • Git (2.x+)
  • SIFT Workstation (optional but recommended) - For forensic tools

For optional remote MCP servers:

  • OpenCTI instance - Your own deployment (OpenCTI docs)
  • REMnux instance - With MCP server running in HTTP mode (REMnux docs)

Quick Start

git clone https://github.com/scriptedstatement/claude-ir.git
cd claude-ir
./setup.sh

Follow the on-screen instructions to launch Claude and finalize setup.

To add optional components later:

./setup.sh --opencti    # Add threat intelligence (guided setup)
./setup.sh --remnux     # Add malware analysis (guided setup)

Setup time: ~30 minutes with pre-built databases (recommended), or 7-9 hours if building from source. One-time only.

Directory structure after setup:

claude-ir/
├── setup.sh              # Quick-start setup script
├── forensic-rag-mcp/     # Semantic search MCP (gitignored)
├── windows-triage-mcp/   # Baseline validation MCP (gitignored)
├── opencti-mcp/          # Threat intel MCP (gitignored, optional)
├── cases/                # Investigation cases (gitignored)
│   └── .templates/       # Case templates (tracked)
├── .claude/
│   ├── settings.json     # Forensic rule hooks
│   └── commands/         # Slash commands (/case, /setup-review)
├── .mcp.json             # MCP config + credentials (project-local, gitignored)
├── CLAUDE.md
└── ...

Case Management

Forensic investigations are organized into cases. Each case has structured folders for evidence, extracted artifacts, and reports.

Commands:

/case              # Quick status - show active case or list available
/case init <name>  # Create new case with folders
/case open <name>  # Load existing case
/case status       # Show active case details
/case list         # List all cases
/case close        # Mark case as closed

Case structure:

cases/<name>/
├── CASE.yaml      # Case metadata and paths
├── evidence/      # Source evidence (read from here)
├── extracted/     # Tool output (write here)
└── reports/
    ├── ACTIONS.md   # Timestamped action log
    ├── FINDINGS.md  # Evidence-backed findings
    └── TIMELINE.md  # Chronological events

State persistence: The active case is tracked in .claude/active_case. This survives context compaction during long sessions - Claude always knows which case is active and where to read/write files.

Starting a new session: Type /case to see which case is active or list available cases.

For Claude Code

Read CLAUDE.md first. It contains:

  • Operational rules (plan display, deletion policy, checkpoints)
  • MCP tool reference (RAG, Windows-Triage, OpenCTI, REMnux)
  • Evidence presentation requirements

Documentation

Document Purpose
setup.sh Quick-start setup script (run this first)
CLAUDE.md Operational guide for Claude during IR
ARCHITECTURE.md System design and component overview
FORENSIC_DISCIPLINE.md Forensic discipline and evidence standards
TOOL_REFERENCE.md Tool selection and workflows
FORENSIC_TOOLS.md SIFT tool reference and syntax
docs/TROUBLESHOOTING.md Common issues and solutions

Responsible Use

This project is intended for authorized security testing, incident response, and educational purposes. Users are responsible for ensuring their use complies with applicable laws, regulations, and organizational policies. Do not use these tools against systems or data you are not authorized to access.

Acknowledgments

Architecture and direction by Steve Anson. Implementation by Claude Code (Anthropic).

License

MIT License - see LICENSE

About

[RETIRED] Moved to AppliedIR/aiir

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Contributing

Contributing

Security policy

Security policy
Activity

Stars

7 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages

 
 
 

Contributors

Languages