Persona: Educator / Student
Category: Education
Endpoints: 5 used
Updated: April 2026
USE CASE · EDUCATOR / STUDENT

Real DFIR tools for students and instructors

Teaching digital forensics requires real indicators, real enrichment, and real sandbox output — but commercial TI feeds ban educational use and enterprise licensing locks classrooms out. DFIR Platform ships an explicit Academic tier at $9/month with 500 credits, 2 API keys, and full access to the phishing, IOC, and file-analysis endpoints.
KEY TAKEAWAYS
  1. $9/month Academic tier with 500 credits — enough for a 10-week course with a class of 20 students running weekly labs.
  2. Same API a SOC uses in production — no synthetic sandbox, no 'educational toy' output format.
  3. AI triage endpoint returns explanations, not just verdicts — students see why a verdict lands the way it does.
01·CONTEXT

Teaching DFIR with real tools is harder than it should be

Instructors teaching incident response, malware analysis, or threat intel constantly hit the same wall: the good tools are priced for enterprises and the free tiers forbid educational, shared, or bulk use. VirusTotal's free tier is rate-limited and explicitly non-commercial. Commercial feeds require a site license nobody in higher-education procurement will sign. Students end up practicing on screenshots of other people's investigations.
PAIN POINTS
  1. VirusTotal free tier is capped at 500 lookups/day per key and prohibits institutional sharing.
  2. Enterprise TI platforms quote $20k+/year and require a 12-month commitment — outside every course budget.
  3. Self-hosted sandboxes (Cuckoo, CAPE) need a GPU host, a maintenance plan, and a semester of TA time to keep running.
  4. Students graduate having read about IOC enrichment without ever running a real query against a real dataset.
02·CAPABILITIES

The endpoints that solve it

DFIR Platform has a dedicated Academic plan — $9/month, 500 credits, 2 API keys, email support — that gives instructors and students the exact same endpoints a paying SOC uses. Eligibility is straightforward: a .edu (or equivalent national academic) email address or documented affiliation with a recognized program. Labs run against live data; AI-assisted endpoints let students read the reasoning rather than memorize outputs.

IOC enrichment

3 credits / IOC
POST /v1/enrichment/lookup

Submit a batch of IPs, domains, URLs, or hashes and get a normalized verdict per indicator across up to 11 sources. Ideal for a 'triage this incident' lab where students defend their conclusions against multi-source evidence.

Phishing email analyzer

1 credit
POST /v1/phishing/analyze

Hand students a real .eml, ask them to explain the SPF/DKIM/DMARC verdict, then let them compare against the API's output. Great first-week exercise for an incident-response module.
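
The SPF/DKIM/DMARC exercise above starts from the `Authentication-Results` header, so here is an added example (not DFIR Platform code) of what students can extract by hand before comparing with the API. The message, hostnames, and the `trusted_authserv_id` parameter are constructed for illustration; only results stamped by the receiving server are used, because any other copy of the header can be supplied by the sender.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample (not real mail); every host and address here is made up.
SAMPLE_EML = """\
Authentication-Results: mx.university.example;
 spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=login-paypa1.example;
 dkim=none (message not signed);
 dmarc=fail (p=quarantine) header.from=paypal.example
Authentication-Results: relay.login-paypa1.example;
 spf=pass; dkim=pass; dmarc=pass
From: "Account Support" <service@paypal.example>
To: student@university.example
Subject: Your account is limited

Please verify your account.
"""

METHODS = ("spf", "dkim", "dmarc")

def auth_verdicts(raw_eml, trusted_authserv_id):
    """Parse Authentication-Results, keeping only headers our receiver stamped."""
    msg = message_from_string(raw_eml, policy=default)
    verdicts = {m: {"result": "missing"} for m in METHODS}
    for header in msg.get_all("Authentication-Results", []):
        text = re.sub(r"\([^)]*\)", "", str(header))  # drop (comments)
        authserv_id, *clauses = [c.strip() for c in text.split(";")]
        if (authserv_id.split() or [""])[0].lower() != trusted_authserv_id.lower():
            continue  # stamped by the sender or an upstream hop: forgeable
        for clause in clauses:
            m = re.match(r"(\w+)\s*=\s*(\w+)(.*)", clause)
            if m and m.group(1).lower() in verdicts:
                props = dict(re.findall(r"([\w.]+)=(\S+)", m.group(3)))
                verdicts[m.group(1).lower()] = {"result": m.group(2).lower(), **props}
    return verdicts

def explain(raw_eml, trusted_authserv_id):
    """Findings a student should be able to state before reading the API output."""
    v = auth_verdicts(raw_eml, trusted_authserv_id)
    findings = [f"{m}={v[m]['result']}" for m in METHODS]
    mail_from = v["spf"].get("smtp.mailfrom", "").rpartition("@")[2].lower()
    hdr_from = v["dmarc"].get("header.from", "").lower()
    # Exact match only; DMARC relaxed alignment compares organizational domains.
    if mail_from and hdr_from and mail_from != hdr_from:
        findings.append(f"SPF domain {mail_from} is not aligned with From {hdr_from}")
    return findings
```

Calling `explain(SAMPLE_EML, "mx.university.example")` ignores the second header's all-pass results, which is the discussion point: a verdict is only as trustworthy as the hop that wrote it.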

File / malware static analysis

5 credits
POST /v1/file/analyze

Upload a sample, get hashes, PE / ELF metadata, strings, and a multi-source reputation lookup. Use for malware-fundamentals classes that need something between 'read the strings' and 'run a full sandbox'.

AI triage with rationale

10 credits
POST /v1/ai/triage

Returns a verdict and the reasoning behind it — the single most useful endpoint in a teaching setting because it models the analyst's thought process in natural language, which students can critique.

Public classroom tools

/ioc-check and /phishing-check are free, browser-based, and zero-setup. Perfect for live demos in a lecture theatre without asking the class to create accounts.

03·WORKFLOW

A 10-week course, one shared credit budget

The workflow most instructors settle on: one institutional Academic subscription owned by the instructor, a second API key issued for shared lab use, and a weekly structured exercise. Students call the API from a Jupyter notebook or a small Python script — the teaching happens in the questions students ask about the responses.
$ dfir-lab run education-dfir-training
# Week 3 lab: students classify a list of indicators and defend
# their verdict against multi-source evidence. ~10 indicators per
# student at 3 credits each = 30 credits per submission.
import os, requests

API_KEY = os.environ["DFIR_API_KEY"]  # shared classroom key
indicators = [
    {"type": "ip",     "value": "45.142.212.x"},
    {"type": "domain", "value": "login-paypa1.example"},
    {"type": "url",    "value": "https://bit.ly/fakelink-demo"},
]

r = requests.post(
    "https://api.dfir-lab.ch/v1/enrichment/lookup",
    headers={"Authorization": f"Bearer {API_KEY}"},
    json={"indicators": indicators},
    timeout=30,
)
r.raise_for_status()  # stop on any HTTP error instead of parsing an error body

# Students write up: which sources agreed? where did they disagree?
# what single piece of evidence would change the verdict?
for result in r.json()["results"]:
    print(result["indicator"], "->", result["verdict"])
Real data, real sources, one homework per student — about 30 credits each. Fits the Academic tier comfortably for a class of 20.
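
An added example, not part of the original page or the platform's documentation: a pre-flight step that turns indicators copied from a report into the `{"type", "value"}` shape used in the script above, refanging them, rejecting malformed entries, and de-duplicating before any 3-credit lookup is spent. The sample list is constructed, and the `"hash"` type name is an assumption, since the page shows only `ip`, `domain` and `url`.

```python
import ipaddress
import re
from urllib.parse import urlsplit

CREDITS_PER_IOC = 3  # price quoted on this page for /v1/enrichment/lookup
RAW_SAMPLE = [  # constructed indicators, as they might be copied from a report
    "203[.]0[.]113[.]7", "hxxps://login-paypa1[.]example/verify",
    "login-paypa1[.]example", "LOGIN-PAYPA1.example",  # same domain twice
    "45.142.212.x",  # redacted placeholder, not a valid IP
    "d41d8cd98f00b204e9800998ecf8427e",  # MD5 of empty input
]

def refang(text):
    """Undo common report defanging: hxxp, [.], (.), [dot], [:], [://]."""
    text = re.sub(r"^hxxp", "http", text.strip(), flags=re.I)
    text = re.sub(r"\[\.\]|\(\.\)|\[dot\]", ".", text, flags=re.I)
    return text.replace("[://]", "://").replace("[:]", ":")

def classify(raw):
    """Map one raw string to the {"type", "value"} shape used in the lab script."""
    value = refang(raw)
    if re.fullmatch(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}", value):
        return {"type": "hash", "value": value.lower()}  # assumed type name
    try:
        return {"type": "ip", "value": str(ipaddress.ip_address(value))}
    except ValueError:
        pass
    try:
        if "://" in value and urlsplit(value).hostname:
            return {"type": "url", "value": value}
    except ValueError:
        return None  # malformed URL
    if re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}", value.lower()):
        return {"type": "domain", "value": value.lower()}
    return None  # unrecognised: do not spend credits on it

def build_batch(raw_lines):
    """Return (batch, rejected, credits) with duplicates removed before billing."""
    batch, rejected = {}, []
    for raw in raw_lines:
        item = classify(raw)
        if item is None:
            rejected.append(raw)
        else:
            batch.setdefault((item["type"], item["value"]), item)
    return list(batch.values()), rejected, len(batch) * CREDITS_PER_IOC
```

The first element of `build_batch(RAW_SAMPLE)` can be passed as the `indicators` list in the request; the rejected list is worth reviewing in class, since a redacted or mistyped indicator is a common source of wasted lookups.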
  1. Step 01: Instructor signs up on the Academic tier

     Register from a .edu (or national academic) address. Academic eligibility is reviewed manually — a syllabus link or course page is usually enough.

  2. Step 02: Issue a shared lab key

     The Academic tier includes 2 API keys. Keep one for instructor prep, issue the second as the classroom key — rotated per term.

  3. Step 03: Design the weekly exercise

     Pick one endpoint per week. Week 1: /phishing-check in the browser. Week 3: /v1/enrichment/lookup in Python. Week 7: /v1/file/analyze on a sample from your teaching corpus.

  4. Step 04: Grade on reasoning, not verdict

     The /v1/ai/triage endpoint returns an explanation. Ask students to agree or disagree with it in writing — the grading target is the argument, not the label.

  5. Step 05: Reset every month

     Academic credits refresh monthly. Course runs longer? A second month of $9 or a one-time $9 top-up covers a whole semester.


04·PRICING

Pricing that tracks your workload

The Academic tier ($9/month, 500 credits, 2 API keys) is purpose-built for classroom use. Eligible with a .edu email or documented academic affiliation. Bootcamps without formal academic status typically fit Starter ($29/month, 500 credits) — same credits, no affiliation check.
Recommended tier: Academic (500 credits / month)
Entry price: $9/mo
  1. Small seminar — 8 students, weekly 10-IOC lab

     8 × 4 × 10 × 3 = 960 credits/month — OR split across weeks: ~240 credits/week peak
     One Academic seat ($9/mo, 500 credits) covers 2 of 4 weeks; a second month or a 500-credit top-up ($35) covers the whole semester.

  2. Standard class — 20 students, weekly 10-IOC lab

     20 × 4 × 10 × 3 = 2,400 credits/month — spread as ~600 credits/week
     Academic (500 credits) does not cover this alone — pair with a 2,000-credit top-up, or step up to Professional ($99, 2,500 credits) for the duration of the course.

  3. Bootcamp cohort — 30 students, IOC + file + AI mix

     30 × 4 × (5 × 3 + 1 × 5 + 1 × 10) = 30 × 4 × 30 = 3,600 credits/month
     Fits Professional ($99/mo, 2,500 credits) plus a 1,000-credit top-up, or negotiate an Enterprise seat for a multi-cohort program.
05·GET STARTED

Three ways to evaluate

Pick the path that matches your stage. No sales call, no credit card required.

Apply for the $9 Academic tier

Full API access, dashboard, and your own credits. Includes everything the free tier offers.

Try /ioc-check — live in class, no signup

The public IOC checker. Paste an IP, domain, URL, or hash and watch the multi-source verdict resolve live. Best first-lecture demo we have — no accounts, no keys, no setup friction.

API reference

Full schema, error codes, rate limits, and copy-ready code snippets for every endpoint referenced above.

06·FAQ

Frequently asked

Q / 01
Who qualifies for the Academic tier?
Instructors and students at accredited universities, community colleges, and recognized cyber programs, using an institutional email address or with a verifiable affiliation (staff page, syllabus, program listing). If your situation is borderline, email us and explain — we would rather say yes than be gatekeepers.
Q / 02
Can students share a single API key?
The Academic tier includes 2 API keys. The common pattern is one instructor key and one shared classroom key rotated each term. A per-student key is not required — students authenticate by calling from a lab machine / notebook, not by owning individual accounts.
Q / 03
Is the Academic tier a trial?
No — it is a full, ongoing plan at $9/month. You keep paying $9 as long as the account is active and verified as academic. Convert to a paid tier if you leave academia.
Q / 04
Can I use this for my thesis / capstone?
Yes. Students writing a dissertation in DFIR or threat intelligence are explicitly welcome on the Academic tier. Cite the platform and endpoints used — that is all the attribution required.
Q / 05
What about samples? I cannot share live malware with students.
The /v1/file/analyze endpoint accepts hashes — so classroom exercises can pivot on a known sample hash (e.g. from VX-Underground, Malware Bazaar) without every student downloading live binaries. Safer for the students and for the campus network.
Q / 06
Do you have lab notebooks / assignments ready to use?
A starter pack of Jupyter notebooks lives in the docs. Contributions welcome — the instructor community pushes back sample assignments and we merge the good ones.