PERSONA: Freelance Consultant
CATEGORY: Freelance
ENDPOINTS: 6 used
UPDATED: April 2026
DFIR toolkit for the freelance consultant
Freelance DFIR is priced out of enterprise tooling
- VirusTotal Enterprise, Recorded Future, Intel 471: annual contracts, 5-figure minimums, no month-to-month option.
- Free tiers of VT / AbuseIPDB / urlscan explicitly prohibit commercial use — unusable in paid engagements.
- Sandboxing vendors (Joe, Any.Run, Hybrid Analysis pro) each sell separate seats, doubling or tripling the monthly spend.
- Report writing still happens in Word at 11pm on a Friday — nothing in the stack helps turn raw findings into a client-readable narrative.
The endpoints that solve it
Multi-source IOC enrichment
Drop the IOC list from your engagement evidence (pcap, EDR export, firewall log) into one call. Each indicator gets a normalized verdict from up to 11 sources per IP, 8 per domain/URL, 6 per hash — the same set you'd get from six separate vendor logins.
File triage (fast)
Upload a suspicious binary or document. Returns hash reputation across engines, PE / macro / OLE analysis, extracted strings, and a risk verdict. Fast enough to run on every attachment from a BEC investigation.
File triage (deep / sandboxed)
Dynamic analysis for the binaries that matter. Use it on the one or two samples per engagement that warrant full sandbox detonation — not on everything.
AI triage summary for the client report
Feed the combined enrichment + file analysis JSON in, get a client-readable paragraph out. Drops straight into the Executive Summary section of your report template.
AI threat-actor profile
Given the TTPs and indicators you've assembled, produce a narrative on the likely threat actor / campaign — MITRE ATT&CK mapping, historical context, recommended containment. The 'Attribution and Context' section of the report writes itself.
Public exposure scan (optional service line)
Offer attack-surface assessments as a $X fixed-fee service. One call per client domain, a clean report of open ports, exposed services, and TLS posture to hand over.
The per-engagement workflow
```bash
# 1. Enrich every IOC you extracted from the evidence
curl https://api.dfir-lab.ch/v1/enrichment/lookup \
  -H "Authorization: Bearer $DFIR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "indicators": [
      { "type": "ip", "value": "45.155.205.x" },
      { "type": "domain", "value": "c2-lookalike.tld" },
      { "type": "hash", "value": "e3b0c4429..." }
    ]
  }'

# 2. Triage the one binary that matters (sandbox)
curl https://api.dfir-lab.ch/v1/file/deep \
  -H "Authorization: Bearer $DFIR_API_KEY" \
  -F "file=@suspicious_payload.bin"

# 3. Turn the combined findings into a client-report paragraph
curl https://api.dfir-lab.ch/v1/ai/threat-profile \
  -H "Authorization: Bearer $DFIR_API_KEY" \
  -H "Content-Type: application/json" \
  -d @engagement_findings.json
```

- Step 01
Scope and collect
Client onboarding, evidence ingest (logs, pcap, disk image, email exports). No API usage yet — the platform enters at the analysis stage.
- Step 02
IOC enrichment pass
Batch every extracted indicator through /v1/enrichment/lookup. One call per batch of ~20 IOCs keeps API usage linear and easy to budget against the engagement fee.
- Step 03
File triage
Run /v1/file/analyze on every suspicious artifact. Reserve /v1/file/deep for the 1–2 samples where dynamic analysis actually changes the verdict.
- Step 04
AI-assisted report drafting
Feed the combined JSON into /v1/ai/triage (per-incident summary) and /v1/ai/threat-profile (attribution narrative). The output is a draft, not a deliverable — review, edit, sign your name.
- Step 05
Deliver and expense
Month-to-month billing means the $29 or $99 API spend sits on a single invoice you can expense back to the client's engagement fee, cleanly.
Pricing that tracks your workload
- 01 Occasional engagements — 3 small cases/month
  3 × (40 IOCs × 3 cr + 2 files × 5 cr + 1 AI triage × 10) = 3 × (120 + 10 + 10) = 420 credits/month
  Fits Starter ($29, 500 credits) with ~80 credits of headroom — the right tier for someone booking a few engagements per month.
- 02 Full-time solo practice — 6 engagements/mo, mixed depth
  6 × (60 IOCs × 3 + 4 × 5 + 1 deep × 25 + 1 triage × 10 + 1 profile × 20) = 6 × (180 + 20 + 25 + 10 + 20) = 6 × 255 = 1,530 credits/month
  Fits Professional ($99, 2,500 credits) comfortably, with room for ad-hoc exposure scans on client domains.
- 03 Heavy IR retainer — 10 engagements/mo with deep analysis
  10 × (100 IOCs × 3 + 5 × 5 + 3 deep × 25 + 2 triages × 10 + 1 profile × 20) = 10 × (300 + 25 + 75 + 20 + 20) = 10 × 440 = 4,400 credits/month
  Beyond Professional (2,500) — Professional + a 5,000-credit top-up works, but at this volume Enterprise's unlimited-usage pricing becomes more economical. Talk to sales.
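The IOC enrichment pass of the workflow above and the credit arithmetic of the pricing tiers, as one added example that is not the platform's own client code: it extracts and dedupes indicators from constructed log lines, drops internal IPs before they reach a third party, batches ~20 per call, builds the /v1/enrichment/lookup request body exactly as shown on this page, and budgets a month against the Starter/Professional caps. Only that request body is taken from the page; the response schema is not assumed, and the regexes, the internal-range filter and the tier picker are my own.

```python
# Added example, not dfir-lab.ch client code. Only the /v1/enrichment/lookup request
# body shown on the page is assumed; the response schema is not (raw JSON is returned).
import ipaddress, json, re, urllib.request

LOOKUP_URL = "https://api.dfir-lab.ch/v1/enrichment/lookup"
COST = {"ioc": 3, "file": 5, "deep": 25, "triage": 10, "profile": 20}  # credits, per pricing section
TIERS = [("Starter", 500), ("Professional", 2500)]  # $29 / $99 monthly credit caps
PATTERNS = (("hash", re.compile(r"\b[0-9a-f]{64}\b")),
            ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
            ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")))
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
SAMPLE_LOG = [  # constructed firewall/DNS/EDR lines, not real evidence
    "2026-04-02T23:14:05Z fw deny src=10.0.0.15 dst=198.51.100.23 dport=443",
    "2026-04-02T23:14:06Z dns query=update.example.test client=10.0.0.15",
    "2026-04-02T23:14:09Z edr sha256=" + "a" * 64 + " action=quarantine",
]

def extract_iocs(lines):
    """Unique {type, value} indicators, first seen first; internal IPs are skipped (they cost credits and leak client topology)."""
    seen, out = set(), []
    for line in lines:
        for typ, rx in PATTERNS:
            for value in rx.findall(line.lower()):
                if typ == "ip" and any(ipaddress.ip_address(value) in n for n in INTERNAL):
                    continue
                if (typ, value) not in seen:
                    seen.add((typ, value))
                    out.append({"type": typ, "value": value})
    return out

def batches(indicators, size=20):
    """~20 IOCs per call, as the workflow recommends, keeps spend linear and predictable."""
    return [indicators[i:i + size] for i in range(0, len(indicators), size)]

def lookup(batch, api_key):  # one enrichment call; schema not on the page, so raw JSON
    req = urllib.request.Request(LOOKUP_URL, data=json.dumps({"indicators": batch}).encode(),
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"})
    return json.load(urllib.request.urlopen(req, timeout=30))

def estimate_credits(iocs, files=0, deep=0, triage=0, profile=0):  # per engagement
    return (iocs * COST["ioc"] + files * COST["file"] + deep * COST["deep"]
            + triage * COST["triage"] + profile * COST["profile"])

def pick_tier(monthly_credits):
    """Cheapest self-serve tier that covers the month, and its credit headroom."""
    for name, cap in TIERS:
        if monthly_credits <= cap:
            return name, cap - monthly_credits
    return "Professional + top-up, or Enterprise", 0
```

Run `for b in batches(extract_iocs(lines)): lookup(b, api_key)` over your extracted evidence; the three pricing scenarios reproduce as `3 * estimate_credits(40, files=2, triage=1)` and so on.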
Three ways to evaluate
Create a free account (100 credits/mo)
Full API access, dashboard, and your own credits. Includes everything the free tier offers.
Try /ioc-check and /file-analyzer — no signup
Paste IOCs at /ioc-check or drop a binary into /file-analyzer in the browser. Rate-limited but free — useful for confirming response quality on a real piece of engagement evidence before you wire the API into a scripted workflow.
API reference
Full schema, error codes, rate limits, and copy-ready code snippets for every endpoint referenced above.
Frequently asked
- Q / 01
- Yes. Starter, Professional, and Enterprise all explicitly permit use in paid client engagements — that is the whole point of those tiers. The Free tier (100 credits/month) is intended for evaluation and personal research. If your engagement letter requires a written commercial-use confirmation, Professional and above get one on request.
- Q / 02
- Most consultants either absorb the $29–$99/mo into overhead or line-item it on the engagement invoice as 'threat intelligence platform access'. Either works — the platform's month-to-month billing and itemized invoices make client-side reimbursement straightforward. Enterprise can invoice per-client if you manage multiple retained accounts.
- Q / 03
- On self-serve tiers, all usage accrues to your single organization account — evidence and IOCs you submit are processed in-memory for the request and the derived artifacts (verdict, indicator history) are persisted under your org. Per-client sub-organizations with isolated history are an Enterprise feature. For most solo consultants, the self-serve model + local engagement folders is the sanctioned pattern.
- Q / 04
- Treat it as a draft, never as a deliverable. The /v1/ai/triage and /v1/ai/threat-profile endpoints produce structured narratives grounded in the JSON you feed them — they are excellent for turning raw findings into a readable first draft, but human review, fact-checking, and signoff are non-negotiable. The time savings come from not starting from a blank page.
- Q / 05
- Credit top-ups are available on Starter and Professional — the common pattern is Professional + a 5,000-credit top-up for a heavy month. Past roughly 10,000 credits/month of sustained usage, Enterprise's unlimited-usage pricing beats top-ups on unit economics.
- Q / 06
- Self-serve tiers are SaaS only. Air-gapped / on-premise deployment is an Enterprise feature. If you handle government or defense work under FedRAMP / IL-level constraints, get in touch before scoping the engagement.
Stop triaging by hand.
Create a free account — 100 credits per month, no credit card. Or keep browsing to find the use case that matches your workflow.