Get Started
What is SandBytes
Overview of the incident response case management platform and key concepts.
Overview
SandBytes is an incident response case management platform that helps security teams:
- Centralize evidence, findings, indicators of compromise (IOCs), reports, requirements, and recommendations in one place.
- Automate incident report generation and workflow execution.
- Investigate by uploading artifacts, processing them through parsers, enriching data, detecting triggered IOCs, and hunting across processed records.
- Automate with a visual workflow builder (SandsFlow): design drag-and-drop workflows that run node-by-node using Celery and Redis.
- Integrate threat intelligence feeds and manage IOCs.
- Support analysts with a knowledge base of guidelines and tools.
The platform targets security analysts who manage cases from triage through reporting and keep evidence, findings, and IOCs linked and searchable.
Key capabilities
| Capability | Description |
|---|---|
| Case management | Create and manage incident response cases with metadata, members, and lifecycle. |
| Evidence & triage | Upload artifacts into triage packages, process them with parsers, and link results to cases. |
| Findings & IOCs | Record findings, manage IOCs, and detect matches across processed data. |
| Reporting | Generate incident reports (e.g. PDF/DOCX) from case data using templates. |
| Hunt | Search and filter parsed data (e.g. Elasticsearch) with Lucene-style queries and dashboards. |
| Workflows | Build and run automated workflows for repeatable analysis and response. |
| Threat intel | Ingest and manage feeds; use them for enrichment and IOC detection. |
Terminology
| Term | Description |
|---|---|
| Case | An incident response case that groups evidence, findings, requirements, tasks, and reports. |
| Evidence | Artifacts or data associated with a case (e.g. files, logs) organized in triage packages. |
| Triage package | A collection of artifacts uploaded and processed together for a case. |
| Finding | A documented observation or conclusion tied to a case (e.g. from analysis or IOC hits). |
| IOC (Indicator of Compromise) | A threat indicator (hash, domain, IP, etc.) used for detection and hunting. |
| Parser | A component that processes uploaded artifacts and produces structured records for search and enrichment. |
| Enricher | A component that adds context or data to parsed records (e.g. threat intel lookup). |
| Feed | A threat intelligence feed that supplies IOCs or other data to the platform. |
| Workflow | A visual, node-based automation (SandsFlow) executed by the workflow engine (Celery/Redis). |