Anthropic's GTG-1002 report documented adversaries running Claude Code at 80–90% autonomous execution across offensive operations. State-level threat actors already have AI-powered attack chains that compress the entire kill chain — from initial access to lateral movement to data exfiltration — into a coordinated, machine-speed sequence. Meanwhile, most incident response teams are still typing vol.py commands one at a time, manually grepping event logs, and writing their timeline notes in a shared doc while the attacker's dwell time ticks up.
At the [un]prompted 2026 conference, Rob T. Lee — founding curriculum director of SANS Institute, one of the most respected names in digital forensics and incident response — asked the question defenders have been waiting for someone credible to ask out loud: what if we gave the defender the same capability?
His answer is Protocol SIFT. And the demo he ran onstage changed the math on what a small IR team can actually accomplish.
What Protocol SIFT Is
Protocol SIFT is the strategic integration of Claude Code with the SANS SIFT Workstation, connected through Anthropic's Model Context Protocol (MCP). To understand why that matters, you need to understand what each component brings to the table.
The SIFT Workstation has been a cornerstone of the forensics community for 18 years. It is an open-source, Ubuntu-based forensic toolkit that ships with decades of battle-tested tooling: Volatility for memory analysis, Plaso for timeline creation, bulk_extractor for artifact extraction, Autopsy, log2timeline, and dozens of other court-recognized utilities. SIFT supports E01, AFF, and raw image formats. It has been used in real criminal investigations, civil litigation, and enterprise breach investigations around the world. The tools are deterministic — they do not invent findings. They extract what is verifiably present in the forensic artifact.
Claude Code is the agentic coding and reasoning engine Anthropic built for complex, multi-step technical work. It can read a natural language instruction, reason about the appropriate sequence of technical operations required to fulfill it, write and execute the necessary commands, interpret the output, and iterate based on what it finds.
The Model Context Protocol connects these two systems. MCP is an open standard that gives AI models structured access to external tools and data sources — in this case, the full SIFT toolchain running locally on the workstation.
The result: an analyst types their investigative intent in plain English. The AI reasons about which forensic tools to invoke, in what sequence, with what parameters, and orchestrates the full investigation automatically. Rob T. Lee demonstrated this live at [un]prompted 2026 with a single command: "SIFT!! Find Evil!" — and Protocol SIFT proceeded to run automated memory analysis, disk forensics, timeline creation, artifact correlation, and report generation without further analyst input.
The Speed Differential
Here is the number that matters: a traditional full-system forensic investigation — from image acquisition through prefetch analysis, event log review, memory forensics, timeline construction with Plaso, artifact correlation, and final report writing — takes a minimum of one full working day for a skilled analyst. That is on a single system, with no complications, no rabbit holes, and no interruptions. In a real incident with multiple compromised endpoints, that timeline multiplies accordingly.
In Rob T. Lee's live demonstration at [un]prompted 2026, Protocol SIFT completed the same scope of work in 14 to 18 minutes. Not a partial analysis. Not a high-level summary. A comprehensive investigation that automatically identified malicious binaries, persistence mechanisms, command-and-control activity, and constructed a full attack chain — without being explicitly told what to look for.
The deliverable at the end of those 14 minutes was a structured PDF report containing an executive summary, technical findings, MITRE ATT&CK framework mapping for each identified technique, a complete list of indicators of compromise, and remediation recommendations prioritized by severity.
To be precise about what is happening here: the AI is not doing the forensic analysis. The AI is orchestrating deterministic forensic tools that have been doing reliable analysis for nearly two decades. Claude Code decides which tools to run and in what sequence, interprets their output, identifies the connections between findings, and synthesizes a coherent picture of the incident. The forensic evidence itself is extracted by the same Volatility, log2timeline, and SIFT tools that analysts have always used. The analyst's role shifts from execution to validation — reviewing the AI's findings, challenging its interpretations, and making the judgment calls that require actual domain expertise.
That is not a diminishment of the analyst role. It is a force multiplier.
Why Forensic Integrity Is Preserved
The obvious question from any forensics practitioner: does AI-assisted analysis hold up? Does it introduce fabrication, hallucination, or evidence contamination that would make the findings unreliable?
Rob T. Lee addressed this directly at [un]prompted 2026 and outlined three architectural safeguards built into Protocol SIFT.
First, inference constraint. The protocol limits the AI's ability to fabricate evidence by tying every finding to a specific tool output and artifact location. The AI cannot claim a registry key exists unless a deterministic SIFT tool extracted it from the image. Speculation is structurally separated from evidence.
Second, human-in-the-loop checkpoints. Before executing commands that could modify state or access sensitive artifacts, Protocol SIFT pauses and requests analyst approval. The AI does not autonomously execute irreversible or high-risk operations.
Third, deterministic tool execution. Claude Code directs SIFT — it does not replace it. The forensic work is performed by court-vetted, peer-reviewed tools whose outputs are reproducible and verifiable. The AI's contribution is orchestration and synthesis, not evidence creation.
SANS has been transparent on one critical point: Protocol SIFT is explicitly not validated for courtroom use at this stage. The speed and triage value are proven. The evidentiary standard required for litigation is a separate bar that has not yet been reached. For the investigation and containment phases of incident response — which is where most enterprise IR teams spend the majority of their time and where speed has the most direct impact on damage limitation — the integrity model is sound. Every command executed is logged, every finding is tied to a verifiable artifact, and every output can be independently reproduced using the same SIFT tools.
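To make the three safeguards concrete, here is a hypothetical Python sketch added as an example (not Protocol SIFT's code, and not the MCP SDK): a ledger that logs every command, holds anything outside a read-only allowlist for analyst approval, and refuses a finding unless it quotes a line of logged tool output from a named artifact. The tool names, sample process listing and paths are constructed.

```python
# Hypothetical provenance ledger and approval gate for an AI-orchestrated
# forensic workflow. Illustrative only: not Protocol SIFT's code, no MCP SDK.
from dataclasses import dataclass, field
import hashlib
# Tools that only read evidence may run unattended; anything else waits for
# the analyst (the human-in-the-loop checkpoint described in the text).
READ_ONLY_TOOLS = {"vol.py", "log2timeline.py", "bulk_extractor"}

@dataclass
class Ledger:
    runs: dict = field(default_factory=dict)        # run_id -> logged command
    findings: list = field(default_factory=list)
    pending_approval: list = field(default_factory=list)

    def request(self, tool, args, artifact, output="", approved=False):
        """Log every command; hold state-changing ones until approved."""
        if tool not in READ_ONLY_TOOLS and not approved:
            self.pending_approval.append((tool, args, artifact))
            return None
        seed = f"{len(self.runs)}|{tool}|{' '.join(args)}|{artifact}"
        run_id = hashlib.sha256(seed.encode()).hexdigest()[:12]
        self.runs[run_id] = {"tool": tool, "args": args,
                             "artifact": artifact, "output": output}
        return run_id

    def record_finding(self, claim, run_id, evidence_line):
        """Inference constraint: accept a claim only if it quotes a line of
        logged tool output; otherwise return None (speculation stays out)."""
        run = self.runs.get(run_id)
        if run is None or evidence_line not in run["output"].splitlines():
            return None
        finding = {"claim": claim, "run_id": run_id,
                   "artifact": run["artifact"], "evidence": evidence_line}
        self.findings.append(finding)
        return finding

# Constructed sample of a Volatility-style process listing (not real output).
SAMPLE_PSLIST = ("Offset(V)   Name         PID   PPID\n"
                 "0x8a1b2c00  svchost.exe  1234  600\n"
                 "0x8a1c3d00  svch0st.exe  4321  1234")

def demo():
    ledger = Ledger()
    rid = ledger.request("vol.py", ["-f", "mem.raw", "windows.pslist"],
                         "mem.raw", SAMPLE_PSLIST)
    finding = ledger.record_finding("Lookalike process name svch0st.exe", rid,
                                    "0x8a1c3d00  svch0st.exe  4321  1234")
    # A read-write mount could alter evidence: it is queued, not executed.
    blocked = ledger.request("mount", ["-o", "rw", "disk.E01", "/mnt/e"], "disk.E01")
    return ledger, finding, blocked
```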
What This Means for Your IR Team
The asymmetry problem in incident response is real and it is getting worse. At the same [un]prompted 2026 conference, Sergej Epp's talk documented AI-assisted attacks that moved from initial credential access to domain administrator privileges in 8 minutes. That is not enough time for most organizations to even detect the intrusion, let alone mount a response. The traditional model — detect, escalate, assemble the IR team, begin manual analysis — was built for a threat environment that no longer exists.
Protocol SIFT is not the only answer, but it represents the right category of answer: AI-augmented defense that compresses the investigative timeline to match the speed of the attack.
The cost barrier is lower than you might assume. The SIFT Workstation is free and open-source. Claude Code is available via Anthropic's API at costs that are minimal for the volume of work involved in a typical IR engagement. MCP is open-source. What you need to bring is forensic knowledge — the expertise to validate findings, direct the investigation toward the right questions, and interpret ambiguous results. Protocol SIFT amplifies that expertise; it does not substitute for it.
SANS is actively investing in building out this capability. As of April 2026, the organization is running a community hackathon from April 1 through May 15, 2026, with $22,000 in prizes for teams that build better MCP integrations for forensic tools. The goal is to expand the ecosystem of forensic capabilities that can be orchestrated through this model. If your team has forensic tool development skills, that is worth attention.
For teams that want to start immediately: download the SIFT Workstation, install Claude Code, and begin experimenting with Protocol SIFT's orchestrator approach on a test image. Start with a known-compromised image from a training environment where you already know what findings to expect. Build confidence in the workflow before you need it under pressure.
The Bigger Picture
Protocol SIFT is one example of a broader structural shift in security operations. The teams that thrive in the next five years will not be the ones with the most analysts typing commands. They will be the teams that have encoded their domain expertise — their forensic knowledge, their detection logic, their investigation playbooks — into AI-readable workflows that can be orchestrated at machine speed.
This principle extends well beyond DFIR. Dan Guido of Trail of Bits talked about rebuilding their entire security research operation around AI augmentation. The result was a jump from 15 to 200 bugs identified per week per engineer — not by replacing security researchers, but by eliminating the manual overhead that had previously limited what each researcher could accomplish. The same leverage is available in incident response when you stop treating AI as a novelty and start treating it as infrastructure.
Domain expertise does not become less valuable in this model. It becomes more valuable. The analyst who understands what a malicious persistence mechanism looks like, why a specific registry key is suspicious, and how to read a process tree for signs of lateral movement — that analyst, equipped with Protocol SIFT, is dramatically more capable than before. The analyst who does not have that foundation cannot compensate by prompting harder.
As Rob T. Lee put it at [un]prompted 2026: "Your adversary has an AI. You have tab-completion."
That gap is not sustainable. The good news is that the tools to close it are free, open-source, and available today.
Need help modernizing your incident response capability?
We help small and mid-size organizations build AI-augmented IR workflows, assess forensic readiness, and compress response timelines. Book a session with our team.