Introduction

Protocol SIFT integrates AI agents with the SANS SIFT Workstation -- 200+ incident response tools on a single platform -- through Model Context Protocol (MCP). An analyst types what they need in natural language. The AI selects tools, executes them, reasons about the output, and produces structured reports. The community's mission: sharpen this proof of concept into a production-grade capability.

Tools and Technologies

• SANS SIFT Workstation: https://sans.org/tools/sift-workstation - download the OVA file; it runs in a VM.

• Protocol SIFT package: once SIFT is downloaded and running, install the Protocol SIFT POC: $ curl -fsSL https://raw.githubusercontent.com/teamdfir/protocol-sift/main/install.sh | bash

• Starter case data: sample disk images and memory captures, provided at launch: https://sansorg.egnyte.com/fl/HhH7crTYT4JK

• Protocol SIFT NotebookLM notebook: the primary place to ask questions about what to build and how to build it. A great resource for ideas if you are just beginning.

Example Type of Project Submission

• Example submission, and the level of quality to meet or exceed, written by Steve Anson (SANS author): AppliedIR/Valhuntir on GitHub (Valhuntir CLI, an AI-augmented incident response platform)

Inspiration

• SANS blog: "Protocol SIFT: An Experimental Research Initiative for AI-Assisted DFIR" (sans.org)

• Rob T. Lee's Substack: "Introducing Protocol SIFT: Meeting AI Threat Speed with Defensive AI Orchestration"

• Anthropic GTG-1002 threat intelligence report: the offensive operation that validates why Protocol SIFT matters