
Protocol SIFT: An Experimental Research Initiative for AI-Assisted DFIR

Authored by Rob T. Lee

Artificial intelligence (AI) is reshaping the cyber threat landscape at an unprecedented pace. Adversaries are weaponizing AI to automate reconnaissance, scale social engineering, and accelerate offensive operations. This is dramatically increasing the complexity of rapid triage and initial assessments for digital forensics and incident response (DFIR) professionals.

Today, an adversary can move from initial intrusion to full domain admin in just 8 minutes. Consequently, responders face immense pressure to analyze massive volumes of memory captures, log streams, endpoint artifacts, and cloud telemetry at scale, all while maintaining absolute accuracy.

To adapt, the DFIR profession must evaluate how emerging technologies can augment workflows without compromising established accuracy standards. Protocol SIFT was created specifically for this purpose: an experimental initiative targeting rapid assessment and triage analysis, hyper-focused on accelerating the speed and capability of the human responder.

What is Protocol SIFT?

Protocol SIFT is a community-driven, open-source experimental initiative by SANS, designed to explore how AI can assist trained responders in accelerating specific incident response tasks. Operating within the widely adopted SANS Investigative Forensic Toolkit (SIFT), this effort builds upon established DFIR practices to augment—never replace—the human practitioner.

Under this protocol, AI acts strictly as a constrained workflow assistant used to coordinate DFIR tooling, sequence analytical steps, and reduce friction in repetitive tasks. Because deterministic DFIR utilities remain the sole source of analytical output, the validation, interpretation, and reporting of analysis are always performed by the investigator, not the AI.

Conducted within an established, skill-based framework, Protocol SIFT evaluates how AI orchestration can improve efficiency in identifying, assessing, and triaging threats. Every command executed and logged ties directly to verifiable artifacts. Ultimately, all meaning, understanding, and decision-making require explicit human oversight, keeping the core of incident response firmly rooted in the expertise of trained professionals.

The name "Protocol SIFT" highlights the integration of strict AI safety guardrails (the Protocol) with the industry-standard SIFT. While SIFT provides the essential DFIR tools used by incident responders, the "Protocol" ensures that AI assistants operate under rigorous, predefined rules to maintain technical accuracy and automatically log every action.
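The constrained-assistant model described above, as an added Python illustration that is not Protocol SIFT's own code: the assistant may only propose an invocation of an allowlisted, deterministic tool; the wrapper refuses anything else, records each run in a hash-chained audit log with the artifact's hash before and after and a hash of the tool's output, and hands the raw output to the analyst uninterpreted. The allowlist, log format and hash chain are assumptions made for this example.

```python
import hashlib, json, shlex, subprocess, tempfile, time
from pathlib import Path

# Constructed allowlist of deterministic, read-only utilities the assistant may sequence.
ALLOWED_TOOLS = {"sha256sum", "strings", "file", "head", "stat"}
SHELL_METACHARS = set("|;&<>$`\\\n")
GENESIS = "0" * 64  # "prev" value of the first record in an audit log
def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()
def validate_command(cmd):
    """Accept an assistant-proposed invocation only as plain argv for an allowlisted tool."""
    if SHELL_METACHARS & set(cmd):
        raise PermissionError("shell metacharacters are not permitted: %r" % cmd)
    argv = shlex.split(cmd)
    if not argv or argv[0] not in ALLOWED_TOOLS:
        raise PermissionError("tool not on allowlist: %r" % cmd)
    return argv
def _last_hash(log_path):
    lines = Path(log_path).read_text().splitlines() if Path(log_path).exists() else []
    return json.loads(lines[-1])["self"] if lines else GENESIS
def run_logged(cmd, artifact, log_path):
    """Run one allowlisted tool on an artifact; append a hash-chained audit record."""
    argv = validate_command(cmd)
    before = sha256_file(artifact)
    proc = subprocess.run(argv + [str(artifact)], capture_output=True, text=True, timeout=60)
    rec = {"ts": time.time(), "argv": argv, "artifact": str(artifact),
           "artifact_sha256_before": before, "artifact_sha256_after": sha256_file(artifact),
           "exit": proc.returncode, "prev": _last_hash(log_path),
           "stdout_sha256": hashlib.sha256(proc.stdout.encode()).hexdigest()}
    rec["unchanged"] = rec["artifact_sha256_before"] == rec["artifact_sha256_after"]
    rec["self"] = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()
    with open(log_path, "a") as f:
        f.write(json.dumps(rec) + "\n")
    return rec, proc.stdout  # raw tool output goes to the human analyst, uninterpreted
def verify_chain(log_path):
    """Recompute the chain; returns (ok, records_verified) so tampering is detectable."""
    prev, n = GENESIS, 0
    for line in Path(log_path).read_text().splitlines():
        rec = json.loads(line)
        claimed = rec.pop("self", None)
        expected = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()
        if rec.get("prev") != prev or claimed != expected:
            return False, n
        prev, n = claimed, n + 1
    return True, n
def make_sample_artifact():
    """Constructed sample input: a small file and a fresh log in a temp directory."""
    d = Path(tempfile.mkdtemp())
    (d / "sample.bin").write_bytes(b"SIFT sample artifact\nconstructed for the example\n")
    return str(d / "sample.bin"), str(d / "audit.jsonl")
```

The "unchanged" field flags any tool that altered the artifact it was pointed at, and verify_chain lets a reviewer confirm the log was neither edited nor truncated between runs.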

What Protocol SIFT is Not

Protocol SIFT is not validated for forensic soundness or evidentiary reliability. It has not been validated for use in criminal or civil proceedings, and it is not admissible in court. Protocol SIFT is in its initial research stage and has not undergone formal validation for investigative use in forensic cases. Any capability intended for courtroom or evidentiary application requires formal validation, documentation review, and peer scrutiny consistent with established forensic standards. Protocol SIFT is separate from and does not modify or replace the core SIFT Workstation. The SIFT Workstation remains the standard digital forensic and incident response platform maintained by SANS.

The Role of SANS and Protocol SIFT: A Community-Centered Initiative for DFIR Advancement

SANS supports the DFIR community through education, open-source tools, and applied research. The SIFT Workstation provides a standardized DFIR environment aligned with the latest tooling and artifact understanding. Protocol SIFT extends that foundation as a research effort examining AI-assisted orchestration within analysis workflows. Its development is conducted within established DFIR artifact extraction and interpretation frameworks, which require a trained responder to validate findings and accurately report their conclusions based on human-verified facts.

For more information on Protocol SIFT, stay tuned to this blog and our other online resources. This project is driven by the community and for the community. Combating the speed of AI-enabled threats (which are no longer theoretical) requires us to work collectively on improving the skills, rules, instructions, and techniques that will enable human responders, paired with a SIFT copilot, to respond just as fast as the adversaries.

The SIFT Workstation has been a community project for 18 years. Building on that legacy, Protocol SIFT is researching how to accelerate artifact processing and assessments, ultimately allowing human defenders to match AI against AI (defense vs. offense).