# VERDICT DFIR
VERDICT is a DFIR agent that opens a Case, drives a narrow typed MCP tool surface, verifies every Finding, and emits a signed Verdict plus report. The scope is intentionally narrow: the strongest claim is that the cited artifacts were examined through replayable tools, not that an entire system is clean.
## Start Here
| Need | Read |
|---|---|
| Install from a cold clone | Install Guide |
| Run in three commands | Quickstart |
| Run every mode and flag | Running VERDICT |
| Understand trust boundaries | Architecture |
| Verify custody claims | Cryptographic Attestation |
| Interpret verdict words | Verdict Semantics |
| Check measured accuracy | Accuracy Report |
| Inspect the tool surface | MCP Servers and Tools |
## Canonical Repository

The public release repository is TimothyVang/verdict-dfir. The older TimothyVang/sans-hackathon repository is the historical development remote and should not be treated as a separate product release channel.
## Verification Model

Every reportable Finding must cite a current-case tool_call_id. The verifier re-runs the cited tool, compares output hashes, and blocks uncited or drifting Findings before the final Verdict is signed.
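One way to implement that check, as an added illustration rather than VERDICT's own code: the tool, the recorded case calls and the Findings below are constructed, and the data structures and the `stat_file` tool are assumptions, not the project's real MCP tool surface.

```python
import hashlib
import json
from dataclasses import dataclass

# Constructed stand-in for a case's replayable tool surface (hypothetical tool
# and file table, not VERDICT's real MCP servers). A tool must be a
# deterministic function of its arguments for replay to mean anything.
FAKE_FS = {"/var/log/auth.log": {"size": 4096, "sha256": "ab" * 32}}
TOOLS = {"stat_file": lambda args: FAKE_FS.get(args["path"], {"error": "not found"})}

def output_hash(output: dict) -> str:
    # Canonical JSON so key ordering cannot cause spurious drift.
    blob = json.dumps(output, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

@dataclass(frozen=True)
class ToolCall:  # what the Case recorded when the agent ran a tool
    call_id: str
    tool: str
    args: dict
    output_hash: str

@dataclass(frozen=True)
class Finding:
    text: str
    tool_call_id: str = None  # None models a Finding that cites nothing

def verify_findings(case_calls: dict, findings: list) -> dict:
    """Re-run each cited call; block uncited or drifting Findings."""
    accepted, blocked = [], {}
    for f in findings:
        call = case_calls.get(f.tool_call_id)
        if call is None:
            blocked[f.text] = "uncited: no current-case tool_call_id"
            continue
        if output_hash(TOOLS[call.tool](call.args)) != call.output_hash:
            blocked[f.text] = f"drift: replay of {call.call_id} hashes differently"
            continue
        accepted.append(f.text)
    return {"accepted": accepted, "blocked": blocked}

# Constructed case: one call whose recorded hash still matches a replay and
# one whose recorded hash does not (e.g. the artifact changed since capture).
ARGS = {"path": "/var/log/auth.log"}
CASE = {"tc-1": ToolCall("tc-1", "stat_file", ARGS, output_hash(TOOLS["stat_file"](ARGS))),
        "tc-2": ToolCall("tc-2", "stat_file", ARGS, "0" * 64)}
FINDINGS = [Finding("auth.log is 4096 bytes", "tc-1"), Finding("auth.log was rotated", "tc-2"),
            Finding("host is clean"), Finding("cites a prior case", "tc-old-9")]
```

Only the Finding whose cited call replays to the same hash survives; a Finding citing a tool_call_id from another case is treated the same as one citing nothing.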