This page brings together the current public prototype materials for GIFTS. They now show a live reference-implementation shape: provider-style event conversion, scoring, analyst review, dashboard output, dry-run response planning, and public-data conversion auditing.
For most technical readers, the best starting point is now the cloud identity demo because it shows the current workflow end to end. The paper and prototype report still explain the research lineage; the repository and reference archive show the current implementation.
Best first stop for seeing the current implementation convert CloudTrail-style records into findings, dashboard state, triage context, and a response plan.
Best option for readers who want a snapshot of the current public reference implementation, including docs, examples, tests, Docker path, and CLI workflows.
Best follow-up for readers who want commit history, current docs, tests, and the implementation roadmap.
GIFTS is currently presented as a read-only reference implementation for technical evaluation. It shows provider-style ingestion, sessionization, scoring, analyst reporting, dashboard output, dry-run response planning, and a bounded deep-path research layer. It should be read as a serious reference implementation, not yet as a finished enterprise product.
The bundled cloud identity incident demo converts CloudTrail-style records into GIFTS sessions, scores them with the balanced policy, writes SOC/export artifacts, builds a dry-run response plan, stores findings locally, and renders a static dashboard.
The public artifacts show the review path without exposing customer data or executing provider actions.
GIFTS also ran against the selected Splunk AWS CreateAccessKey public scenario: 75 raw CloudTrail records became 39 valid sessions. The conversion audit records that one oversized session was capped, so this remains validation evidence rather than a benchmark claim.
This short walkthrough shows the current public adoption path in sequence: start from CloudTrail-like raw records, convert them into the GIFTS session contract, score the sessions into analyst findings, then inspect the structured outputs from a small reference run.
Begin with session-tagged CloudTrail-like records that preserve action name, source, principal identity, IP, region, user agent, and resource context.
Convert those records into the stable sessionized GIFTS contract. That is the current public handoff between provider-specific logs and the reference package.
Score validated sessions into JSONL, CSV, and markdown findings that can be used for SOC triage, identity-control review, incident reconstruction support, or red-team evaluation.
A small reference run can emit both a human-readable forensic report and a machine-readable JSON summary for comparison and downstream review.
In the sample output, the suspicious session includes a blackout interval where events are intentionally hidden. GIFTS now has two public review layers: a workflow scoring layer that ranks the session for analyst review, and a prototype reconstruction layer that can produce multiple candidate reconstructions, a recommended consensus sequence, and per-slot uncertainty values.
This is still prototype evaluation output, not a production forensic claim. The goal is to make the current method reviewable, interpretable, and easier to adapt.
The current prototype demonstrates mechanics, structure, and evaluation logic through public materials. It is best read as a technical reference package rather than as a claim about production scale or enterprise deployment.
The contact page is the best route for technical questions, clarification requests, or collaboration inquiries related to the public materials.