Getting Started

AnalystLog turns raw security investigation notes into structured, professional SOC reports mapped to 9 industry frameworks. Paste what you wrote during a lab, CTF, or live incident — get back a report you can put in front of a hiring manager or an incident review.

Creating your first report

  1. Create an account and pick a username — it becomes your public portfolio URL.
  2. From the dashboard, click + New Report.
  3. Paste your raw notes (50–10,000 characters) and optionally pick a scenario hint like Phishing/BEC or CTF Challenge.
  4. Click Generate report and wait 20–30 seconds.
  5. Review the report, then keep it private or publish it to your portfolio.

The free plan

Free accounts include 3 reports with all 9 framework mappings, stored privately. Pro ($9/month) adds unlimited reports, public portfolio publishing, PDF export, and a higher generation rate limit (30/hour vs 10/hour).

Writing Good Notes

You don't need perfect notes. Half-sentences, shorthand, and messy timestamps are fine; paste whatever you have. Structure is AnalystLog's job, not yours. One caveat before you paste notes from a live incident at an employer or client: the notes leave your machine, are sent to the model, and are stored in your account (see the FAQ), so check your organisation's data-handling rules and strip customer names or internal hostnames that the report does not need.

What to include

  • Timestamps — even rough ones, in whatever timezone you noted them
  • IPs, domains, URLs, file names, and hashes
  • Tool output — EDR alerts, SIEM queries, Wireshark filters, command lines
  • Your own observations and hunches, however unpolished

What AnalystLog does with them

The AI classifies the scenario, reconstructs the timeline, extracts and defangs every indicator, maps observed behavior to the applicable frameworks, and writes the narrative sections. Anything your notes don't support gets flagged [ANALYST TO VERIFY] instead of invented.

Example raw notes

10:42 - EDR alert, powershell.exe spawned from winword.exe on WS-0413
10:47 - pulled email from quarantine, attachment invoice_0423.docm
sender domain registered 3 days ago, reply-to mismatch
b64 encoded command in ps logs -> downloads from 185.220.101[.]42
blocked hash on EDR, isolated host 11:03
no lateral movement seen in last 24h of logs

Six lines like these are enough for a complete nine-section report.

Understanding Your Report

Every report follows the same nine-section structure:

Executive Summary

Three to five sentences a manager can read in 30 seconds: what happened, the impact, and the current status.

Incident Classification & Severity

Scenario type and a severity rating (critical / high / medium / low / informational) with the reasoning behind it.

Timeline of Events

A chronological table of events with timestamps taken verbatim from your notes. Events without timestamps are marked Undetermined — times are never fabricated.

Technical Analysis

The attack reconstructed step by step: initial access, execution, what the attacker did, and what the evidence supports.

Indicators of Compromise

Every IP, domain, hash, file name, and email extracted from your notes, defanged (hxxps, [.]) so nothing can be clicked or resolved by accident, and tabulated. Refang the values (strip the brackets, restore http) before loading them into a SIEM or blocklist; a defanged string will never match live traffic.
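The Timeline of Events and Indicators of Compromise sections above describe two mechanical steps: copy timestamps verbatim or mark the event Undetermined, and extract, defang, deduplicate and tabulate indicators. The following is an added example of those two steps, written for this page and not AnalystLog's own code, run over the sample notes from the "Example raw notes" section plus two constructed lines that add a URL, an email, a domain and a hash. The regexes, the short TLD list, the Event type and the rule that flags a type the notes mention but never give a value for (producing an [ANALYST TO VERIFY] row) are this example's own assumptions about how such extraction can work.

```python
"""Timeline and IOC extraction over raw notes (added example, not AnalystLog's code)."""
import re
from dataclasses import dataclass

# The six lines from the "Example raw notes" section of this page.
SAMPLE_NOTES = """\
10:42 - EDR alert, powershell.exe spawned from winword.exe on WS-0413
10:47 - pulled email from quarantine, attachment invoice_0423.docm
sender domain registered 3 days ago, reply-to mismatch
b64 encoded command in ps logs -> downloads from 185.220.101[.]42
blocked hash on EDR, isolated host 11:03
no lateral movement seen in last 24h of logs
"""

# Constructed extra lines (not from the page) exercising the other indicator types.
EXTRA_NOTES = """\
sender lukas[@]evil-invoices[.]top, c2 beacon to evil-invoices[.]top every 60s
payload hxxp://185.220.101[.]42/a.php, sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

VERIFY = "[ANALYST TO VERIFY]"
TIME_RE = re.compile(r"\b(\d{1,2}):(\d{2})\b")      # "10:42", kept verbatim
LEAD_TIME_RE = re.compile(r"^\d{1,2}:\d{2}\s*-\s*")  # leading "10:42 - " separator

# Indicator patterns (assumed); defanged spellings ([.], [@], hxxp) are accepted on input.
URL_RE = re.compile(r"\bh(?:tt|xx)ps?://\S+", re.I)
EMAIL_RE = re.compile(r"\b[\w.+-]+(?:@|\[@\])[\w-]+(?:(?:\.|\[\.\])[\w-]+)+\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}(?:\.|\[\.\])){3}\d{1,3}\b")
DOMAIN_RE = re.compile(  # deliberately short TLD list; extend for real use
    r"\b(?:[a-z0-9-]+(?:\.|\[\.\]))+(?:com|net|org|io|xyz|top|info|ru|cn)\b", re.I)
HASH_RE = re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.I)  # sha256/sha1/md5
FILE_RE = re.compile(
    r"\b[\w-]+\.(?:exe|dll|ps1|bat|vbs|js|hta|lnk|iso|zip|docm?|xlsm?|pdf)\b", re.I)
# Words that claim an indicator type; if no value of that type is found, flag it.
CLAIMS = {"hash": re.compile(r"\bhash(?:es)?\b", re.I),
          "domain": re.compile(r"\bdomains?\b", re.I)}


@dataclass
class Event:
    time: str  # verbatim clock time from the notes, or "Undetermined"
    text: str


def build_timeline(notes: str) -> list[Event]:
    """Timed lines sorted by clock time; untimed lines appended in note order
    and marked Undetermined. No time is inferred or invented."""
    timed, untimed = [], []
    for line in filter(None, (ln.strip() for ln in notes.splitlines())):
        m = TIME_RE.search(line)
        if m:
            key = int(m.group(1)) * 60 + int(m.group(2))
            timed.append((key, Event(m.group(0), LEAD_TIME_RE.sub("", line))))
        else:
            untimed.append(Event("Undetermined", line))
    timed.sort(key=lambda kv: kv[0])  # stable sort: ties keep note order
    return [ev for _, ev in timed] + untimed


def refang(value: str) -> str:
    """Live form, for loading into a SIEM or blocklist."""
    return value.replace("[.]", ".").replace("[@]", "@").replace("hxxp", "http")


def defang(value: str) -> str:
    """Display form: cannot be clicked or resolved by accident."""
    live = refang(value)  # normalise first so both spellings collapse to one entry
    return re.sub(r"^http", "hxxp", live).replace(".", "[.]").replace("@", "[@]")


def extract_iocs(notes: str) -> dict[str, list[str]]:
    """Indicator table keyed by type: defanged, deduplicated, first-seen order.
    A type the notes talk about but never give a value for gets a VERIFY row."""
    found: dict[str, list[str]] = {}
    text = notes
    # Composite indicators first; blank them so their host parts are not
    # re-reported as bare domains or IPs.
    for kind, rx in (("url", URL_RE), ("email", EMAIL_RE)):
        for m in rx.finditer(text):
            found.setdefault(kind, []).append(m.group(0).rstrip(".,;)"))
        text = rx.sub(" ", text)
    for kind, rx in (("ipv4", IPV4_RE), ("domain", DOMAIN_RE),
                     ("hash", HASH_RE), ("file", FILE_RE)):
        for m in rx.finditer(text):
            found.setdefault(kind, []).append(m.group(0))
    table: dict[str, list[str]] = {}
    for kind, values in found.items():
        for v in values:
            shown = v if kind in ("hash", "file") else defang(v)  # hashes/files are not defanged
            if shown not in table.setdefault(kind, []):
                table[kind].append(shown)
    for kind, claim in CLAIMS.items():
        if kind not in table and claim.search(notes):
            table[kind] = [f"{VERIFY} notes mention a {kind} but record no value"]
    return table


def siem_rows(table: dict[str, list[str]]) -> list[tuple[str, str]]:
    """(type, live value) pairs for import; VERIFY placeholders are excluded."""
    return [(kind, refang(v)) for kind, values in table.items()
            for v in values if not v.startswith(VERIFY)]


if __name__ == "__main__":
    for ev in build_timeline(SAMPLE_NOTES):
        print(f"{ev.time:<13} {ev.text}")
    for kind, values in extract_iocs(SAMPLE_NOTES + EXTRA_NOTES).items():
        print(f"{kind:<7} {values}")
```

On the page's six sample lines this yields three timed rows (10:42, 10:47, and 11:03 from the trailing time on the isolation line) and three Undetermined rows, one IP, three file names, and VERIFY rows for "hash" and "domain", since the notes mention both without recording a value. The siem_rows output is what you would actually load into a SIEM: refanged, with the placeholders dropped.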

Framework Mappings

The behavior mapped to ATT&CK techniques, Kill Chain phases, D3FEND countermeasures, and the other applicable frameworks.

Response Actions Taken

Containment, eradication, and recovery steps that actually happened per your notes, framed against the NIST 800-61r3 lifecycle.

Recommendations & Remediation

Prioritized, concrete next steps — detection rules to write, controls to deploy, gaps to close.

Lessons Learned & Detection Opportunities

What this incident teaches the SOC, and the logging or alerting that would catch it earlier next time.

What [ANALYST TO VERIFY] means

Wherever your notes are ambiguous, incomplete, or can't support a claim — a timeline gap, a partial indicator, an inferred step — the report inserts the literal flag [ANALYST TO VERIFY] with a note on what needs checking. This is a feature, not a weakness: real incident reports mark their own uncertainty, and reviewers trust reports that do.

The framework version footnote

Every report ends with a footnote listing the exact framework versions used (e.g., ATT&CK v19, D3FEND v1.3.0). Frameworks are revised regularly: ATT&CK techniques get deprecated or merged, OWASP Top 10 category numbers shift between editions, and CVSS 3.1 and 4.0 scores are computed differently. The footnote makes your mappings auditable years later.

Framework Reference

MITRE ATT&CK

v19

The industry-standard catalog of adversary tactics and techniques. Every observed behavior is mapped to a technique ID (e.g., T1566.002, Phishing: Spearphishing Link) so other analysts can immediately understand the attack.

Applied to every report with observable attacker behavior.

NIST SP 800-61

r3

NIST's incident response guidance. Revision 3 aligns incident handling with the CSF 2.0 functions rather than the old four-phase model (preparation; detection and analysis; containment, eradication and recovery; post-incident activity). Response actions in your report are framed against this lifecycle.

Applied to incident and lab scenarios with a response component.

NIST CSF

2.0

The Cybersecurity Framework's six functions — Govern, Identify, Protect, Detect, Respond, Recover. Used to position recommendations within a broader security program.

Applied to recommendations and remediation sections.

Cyber Kill Chain

Lockheed Martin, 7 phases

Models an intrusion as seven sequential phases from Reconnaissance to Actions on Objectives. Useful for showing how far an attack progressed and where it was (or could have been) broken.

Applied when the notes show attack progression across phases.

MITRE D3FEND

v1.3.0

The defensive counterpart to ATT&CK: a knowledge graph of countermeasure techniques (e.g., D3-AL, Account Locking). Recommendations cite D3FEND IDs so defenses are specific, not hand-wavy.

Applied to detection and hardening recommendations.

OWASP Top 10

2025

The canonical list of web application risk categories. Web attack write-ups are classified against it (e.g., A05:2025 Injection) so application teams speak the same language. Category numbers move between editions (Injection was A03 in the 2021 list), which is one reason the footnote records the edition used.

Applied to web application attack scenarios.

CVSS

4.0 / 3.1

The Common Vulnerability Scoring System quantifies vulnerability severity from 0.0 to 10.0. Where a specific vulnerability is involved, the report includes a score and vector string. A 3.1 score and a 4.0 score for the same vulnerability are not interchangeable, so read the version prefix of the vector string (CVSS:3.1/ or CVSS:4.0/) rather than the number alone.

Applied to vulnerability exploitation scenarios.

STRIDE

Microsoft's threat classification model: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege. Used to categorize the threat class of the incident.

Applied to threat modeling within the analysis section.

Diamond Model

Characterizes an intrusion through four vertices: Adversary, Capability, Infrastructure, Victim. Unknown vertices are explicitly marked rather than guessed, which is itself useful intel hygiene.

Applied to intrusion analysis; vertices populated from evidence only.

Portfolio & Sharing

Making a report public

Open any report and click the ○ Private toggle to switch it to ● Public. Public reports appear instantly on your portfolio page; flip the toggle back any time to unpublish.

Your portfolio URL

Your portfolio lives at analystlog.com/u/your-username — no sign-in required to view it. Each public report also has its own shareable URL, which you can copy with the Copy portfolio link button on the report page.

Sharing with recruiters

Put your portfolio URL on your CV and LinkedIn next to your certs. When a hiring manager asks "have you actually worked an incident?", you send a link instead of an anecdote.

What employers see

Your display name, bio, and public reports only. Private reports, your email, and your raw notes are never visible. Reports render in the same terminal-style format you see in the dashboard — severity, framework badges, full nine-section write-up.

FAQ

Is my data used to train AI models?

No. Your notes are sent to the model to generate your report and stored in your account so you can view it — nothing more.

How long are reports stored?

Indefinitely, unless you delete them.

Can I delete a report?

Not yet (coming soon). Deleting a report from the dashboard is next on the roadmap; until then, reports stay stored as described above.

What happens when I hit the free limit?

After 3 reports you'll see an upgrade prompt. Your existing reports remain fully accessible — you just can't generate new ones until you upgrade.

Can I edit a generated report?

Not yet (coming soon). In the meantime, the [ANALYST TO VERIFY] flags show you exactly where your own review should focus.