If you have questions about our reports or services please use the Contact Us page to get in touch. Thank you.

Security Researcher

You’re a security researcher who wants to analyze case artifacts for learning and/or fun and is not doing so on behalf of an organization (see the next option). The following artifacts will be shared with the subscriber using our threat intelligence platform:

Dropped files
Memory captures
Event logs
Ransom samples

Monthly Subscription $15/month
Yearly Subscription $180/year (1 free DFIR Report t-shirt)


You’re an organization who uses our reports and/or artifacts for profit or you protect your organization using our work. This service covers security companies, security teams within companies, CERTs, governments, etc. Includes email Q&A as time permits. This tier receives access to all artifacts as well as our threat intelligence platform. If you need a receipt for this purchase please use the Contact Us page to get in touch.

Monthly Subscription $30/month
Yearly Subscription $360/year (2 free DFIR Report t-shirts)

If you are interested in a specific case please message us using Contact Us after signing up. Case numbers are located at the bottom of each report.

Intel Feed

We track infrastructure related to Cobalt Strike, Qbot/Qakbot, PoshC2, Covenant, Metasploit, Empire, Meterpreter stagers and more using a variety of different methods. We are currently tracking over 1000 confirmed Cobalt Strike servers, 100+ Metasploit servers, 60+ PS Empire servers, 100+ Covenant servers and more.

This feed is made available using our threat intel platform which can be accessed via a GUI or API. The feeds can be exported to txt, csv, STIX, MISP, etc. as needed to import into your IDS, Firewall, and/or Threat Intelligence Platform. We can provide a script if needed to download the feed from our API.

This feed is billed at a yearly rate. Please Contact Us us for pricing and/or trial options.