VERDICT — SANS Find Evil! 2026 submission

@TimothyVang TimothyVang released this 11 Jun 13:12
d85fa5a

VERDICT is a DFIR agent that runs from a local clone, drives a narrow typed MCP tool surface, verifies every Finding, and produces a signed, offline-verifiable Verdict plus report.

Install and run

git clone --depth 1 --branch v-submit https://github.com/TimothyVang/verdict-dfir.git verdict
cd verdict
bash scripts/setup
scripts/verdict <path-to-evidence>

Use --sift when you want disk-image parsing through a SANS SIFT VM:

scripts/verdict --sift <path-to-evidence>

Required before a real investigation

  • Claude Code or an Anthropic credential available to the local environment.
  • Evidence you are authorized to analyze.
  • For raw .E01 / .dd disk content: local Sleuth Kit/libewf support or --sift.
  • Run bash scripts/doctor.sh after setup to see exactly which prerequisites are still missing.

Which assets matter

  • find-evil-demo.mp4 — short demo walkthrough.
  • report.html — offline report example.
  • findevil-mcp-*.tar.xz + SHA256SUMS — optional prebuilt Rust MCP binaries for advanced/manual installs.
  • find-evil-submission.zip — historical SANS submission bundle, not the normal install path.

Normal install path

Most users should ignore the release assets and install from the tagged source checkout with bash scripts/setup. The setup script builds or fetches the product pieces, checks prerequisites, and prints an honest readiness summary.
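For the advanced/manual path that uses the prebuilt findevil-mcp-*.tar.xz binaries and the SHA256SUMS asset listed above, the following added example (not part of the verdict-dfir project) checks an asset's digest against SHA256SUMS and refuses to unpack it on a missing entry or a mismatch; the asset, checksum and destination paths are assumptions passed in by the caller.

```shell
#!/usr/bin/env sh
# Added example, not part of verdict-dfir: verify a prebuilt
# findevil-mcp-*.tar.xz asset against the release SHA256SUMS file
# before unpacking it. Paths passed in are assumptions.

# Print the hex SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_asset <asset> <SHA256SUMS>
# 0 = digest matches; 1 = file missing; 2 = no entry for asset; 3 = mismatch.
verify_asset() {
    asset="$1"; sums="$2"
    name=$(basename "$asset")
    [ -f "$asset" ] || { echo "missing asset: $asset" >&2; return 1; }
    [ -f "$sums" ]  || { echo "missing checksum file: $sums" >&2; return 1; }

    # SHA256SUMS lines are "<64 hex>  <name>"; a leading '*' marks binary mode.
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
                                 f == n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums; refusing to trust it" >&2
        return 2
    fi
    actual=$(sha256_of "$asset")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $name (expected $expected, got $actual)" >&2
        return 3
    fi
    echo "ok: $name matches $sums"
}

# install_asset <asset> <SHA256SUMS> <dest-dir>: unpack only after verification.
install_asset() {
    verify_asset "$1" "$2" || return $?
    mkdir -p "$3" && tar -xJf "$1" -C "$3"
}
```

Run it as `install_asset findevil-mcp-<platform>.tar.xz SHA256SUMS ./mcp-bin` after downloading both assets from the release; a non-zero exit means nothing was extracted.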

Documentation at this tag


Demo videos

Narrated walkthroughs (download or stream the .mp4 assets below):

  • Product showcase (4:35) — full end-to-end run on a 22-host enterprise · find-evil-demo.mp4
  • Educational explainer — what VERDICT is + core concepts · verdict-educational-explainer.mp4
  • Feature deep-dives — self-correction, live dashboard, offline tamper/verify · verdict-feature-deep-dives.mp4
  • Quickstart — install to a signed verdict in two commands · verdict-quickstart.mp4
  • Help build VERDICT — invariants + contributor on-ramp · verdict-contributor-call.mp4