Skip to content
Diffy is a triage tool used during cloud-centric security incidents, to help digital forensics and incident response (DFIR) teams quickly identify suspicious hosts on which to focus their response.
Branch: master
Clone or download
Latest commit c928949 May 20, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
diffy Merge pull request #60 from forestmonster/options-doc-fmonsen May 20, 2019
diffy_api Consider modifying BaselineSchema. Dec 11, 2018
diffy_cli Move target iteration to core baseline CLI method. Feb 2, 2019
docs Document the Inventory plugin base class. Feb 1, 2019
tests There are 45 files that Black would like reformatted. Nov 29, 2018
.bumpversion.cfg initial commit May 1, 2018
.gitignore initial commit May 1, 2018
.pre-commit-config.yaml Don't fix requirements.txt any more. Dec 3, 2018
.pyup.yml Don't file a PR for every update. Tell us only when we depend on inse… Nov 29, 2018
.readthedocs.yml initial commit May 1, 2018
.travis.yml Fix due to travis-ci/travis-ci#7940 (comment) Nov 27, 2018
CHANGELOG.rst initial commit May 1, 2018
LICENSE Update copyright date Sep 11, 2018 initial commit May 1, 2018
OSSMETADATA Adding OSSMETADATA file Sep 11, 2018
README.rst Remove blank line endings, add pre-commit advice Jul 30, 2018
analysis-localhost.json Issue 46 fixes (#49) Nov 30, 2018
baseline-localhost.json Issue 46 fixes (#49) Nov 30, 2018
config.yml initial commit May 1, 2018 Specify moto version number Jul 18, 2018
dev-requirements.txt Security updates to package dependencies. Apr 16, 2019
localhost-localhost.json Issue 46 fixes (#49) Nov 30, 2018 spulec/moto#1589 fixed! Jul 17, 2018
requirements.txt Security updates to package dependencies. Apr 16, 2019
setup.cfg initial commit May 1, 2018 Issue 46 fixes (#49) Nov 30, 2018 Initial implementation of background processing via RQ. Closes #4. May 3, 2018
web-requirements.txt Security updates to package dependencies. Apr 16, 2019



docs/images/diffy_small.png Codecov PyPi version Supported Python versions License Status RTD

Diffy is a digital forensics and incident response (DFIR) tool developed by Netflix's Security Intelligence and Response Team (SIRT).

Diffy allows a forensic investigator to quickly scope a compromise across cloud instances during an incident, and triage those instances for followup actions. Diffy is currently focused on Linux instances running within Amazon Web Services (AWS), but owing to our plugin structure, could support multiple platforms and cloud providers.

It's called "Diffy" because it helps a human investigator to identify the differences between instances, and because Alex pointed out that "The Difforensicator" was unnecessarily tricky.

See Releases for recent changes. See our Read the Docs site for well-formatted documentation.

Supported Technologies

  • AWS (AWS Systems Manager / SSM)
  • Local
  • osquery

Each technology has its own plugins for targeting, collection and persistence.


  • Efficiently highlights outliers in security-relevant instance behavior. For example, you can use Diffy to tell you which of your instances are listening on an unexpected port, are running an unusual process, include a strange crontab entry, or have inserted a surprising kernel module.

  • Uses one, or both, of two methods to highlight differences:

    • Collection of a "functional" baseline from a "clean" running instance, against which your instance group is compared, and
    • Collection of a "clustered" baseline, in which all instances are surveyed, and outliers are made obvious.
  • Uses a modular plugin-based architecture. We currently include plugins for collection using osquery via AWS Systems Manager (formerly known as Simple Systems Manager or SSM).


Via pip:

pip install diffy


We are actively adding more plugins & tests, and improving the documentation.

Why python 3 only?

Please see Guido's guidance regarding the Python 2.7 end of life date.

You can’t perform that action at this time.