The CalCyber Response Platform is a collaborative incident-response and case-management system for DFIR teams — built on a hardened, battle-tested open-source core and extended with cross-case intelligence correlation, native threat-intel sync, and AI-assisted analysis. Self-hosted on your own infrastructure, so your case data stays yours.
Most case tools treat every investigation as an island. The Response Platform connects them: when an IOC, asset, domain, or threat actor shows up in more than one case, the link is surfaced automatically — turning a pile of isolated tickets into a single intelligence picture. Spot repeat infrastructure, recurring actors, and campaigns that span months of case history.
Correlation runs across every case in the system — so a hash flagged today is matched against everything your team has ever investigated, not just the case in front of you.
Track incidents end to end — notes, timelines, assets, IOCs, tasks, and evidence — in organized case-detail tabs. Multiple analysts work the same case together, with full provenance back-links from each IOC to the note that produced it.
Native MISP synchronization keeps cases and events in lockstep — bidirectional case ↔ event syncing with IOC ↔ attribute mapping governed by TLP. Extract IOCs from notes with type validation, and link assets to the evidence that supports them.
Generate executive case summaries even for huge cases, ask a case-scoped chat assistant about your investigation, and run per-event AI analysis. The platform suggests MITRE ATT&CK and Unified Kill Chain phases, evidence classifications, and case templates.
Model how work and indicators connect — task linking with blocks / depends-on relationships and cycle-detection warnings, IOC-to-asset relationship tracking, and timelines that reconstruct exactly what happened, when.
Drop-in compatible with the IRIS API and database, so it fits existing workflows and automation. It runs entirely on your own infrastructure — and the CalCyber Agentic SOC can push triage results, IOCs, and notes straight into it, closing the loop from detection to documented resolution.
An incident is rarely the whole story. The same actor reuses infrastructure; the same malware resurfaces in a new department; a domain seen last quarter shows up again today. The Response Platform is built to see those connections — and to keep every byte of that intelligence on infrastructure you control.
Every indicator is matched against your entire case history automatically — no manual cross-referencing, no intelligence left on the table.
The CalCyber Agentic SOC feeds findings, IOCs, and notes directly in, so detection and case management become one continuous workflow.
Fully self-hosted. Sensitive case data, evidence, and intelligence never leave your environment.
A hardened fork of a widely deployed DFIR platform — drop-in API and database compatible, and actively maintained.
We'll show you how cross-case correlation surfaces connections across your investigations, how threat intel flows in and out, and how it deploys on your own infrastructure. No commitment.