Network Forensics · AI-Native · pcaplm.com

Your packets finally have a voice.

Drop a .pcap. Get a forensic analyst, threat hunter, and incident responder — all powered by AI that actually understands network traffic.


Process

From raw bytes to actionable intelligence.

01 // INGEST
Upload or Capture
Drag in a .pcap or .pcapng. Or pipe live traffic from eBPF. Any size, any source.
Tags: pcap, pcapng, eBPF live
02 // PARSE
Zeek Pipeline
Deterministic extraction via Zeek. Flows, DNS, HTTP, TLS, SMB — structured into semantic JSON.
Tags: Zeek, tshark, JA3, IPFIX
03 // REASON
AI Analysis
Specialized AI roles reason over structured data. Not raw bytes — intelligence over context.
Tags: LLM, 7 Roles, OSINT context
04 // REPORT
Forensic Output
MITRE ATT&CK-mapped reports. Timeline reconstructions. IOC extractions. Shareable briefs.
Tags: MITRE, IOC, timeline, PDF

Intelligence Roles

Seven minds. One investigation.

ROLE_01 // ANALYST
The Analyst
Answers precise questions about your traffic. Protocols, flows, endpoints — with surgical accuracy.
"Which hosts sent the most DNS queries?"
"What TLS versions are in use?"
ROLE_02 // HUNTER
The Hunter
Proactively searches for threats. Beacons, exfiltration, lateral movement, C2 patterns — before you ask.
"Is there C2 beacon activity?"
"Any signs of DNS tunneling?"
ROLE_03 // WRITER
The Writer
Generates incident reports, executive summaries, and technical write-ups — ready to ship.
"Write a SOC incident report."
"Generate an executive brief."
ROLE_04 // TEACHER
The Teacher
Explains what's happening and why it matters. From L3 basics to advanced attack techniques.
"Explain this ARP anomaly."
"What does this JA3 hash mean?"
ROLE_05 // BUILDER
The Builder
Creates Wireshark filters, Zeek scripts, Sigma rules, and Snort signatures from your findings.
"Write a Sigma rule for this pattern."
"Generate a Wireshark display filter."
ROLE_06 // BRIEFER
The Briefer
Synthesizes findings into audio briefings and narrative timelines for async communication.
"Give me a 2-minute audio brief."
"Reconstruct the attack timeline."
ROLE_07 // RESPONDER
The Responder
Translates findings into immediate containment actions. Block lists, firewall rules, isolation playbooks.
"What do I block right now?"
"Give me an iptables containment rule."
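An added example (not pcaplm's code) of the kind of question the Analyst and Hunter roles answer, computed directly over the structured Zeek JSON that the Parse stage produces. The dns.log and conn.log lines are constructed, and the beacon check is a simple inter-arrival regularity heuristic assumed here, not the product's own detection logic.

```python
import json
import statistics
from collections import Counter, defaultdict

# Constructed sample of Zeek JSON log lines (not a real capture): a dns.log
# excerpt and a conn.log excerpt, one JSON object per line as Zeek emits them.
DNS_LOG = """
{"ts":1700000000.1,"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.1","query":"example.com","qtype_name":"A"}
{"ts":1700000001.2,"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.1","query":"cdn.example.net","qtype_name":"A"}
{"ts":1700000002.3,"id.orig_h":"10.0.0.9","id.resp_h":"10.0.0.1","query":"example.org","qtype_name":"AAAA"}
{"ts":1700000003.4,"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.1","query":"mail.example.com","qtype_name":"MX"}
""".strip()

CONN_LOG = "\n".join(
    # 10.0.0.5 reaches 203.0.113.7:443 every 60 s (+/- a few hundred ms): beacon-like
    [json.dumps({"ts": 1700000000.0 + 60 * i + (0.2 if i % 2 else -0.1),
                 "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.7",
                 "id.resp_p": 443, "proto": "tcp"}) for i in range(6)]
    # 10.0.0.9 reaches 198.51.100.2:443 at irregular intervals: human-like browsing
    + [json.dumps({"ts": 1700000000.0 + t, "id.orig_h": "10.0.0.9",
                   "id.resp_h": "198.51.100.2", "id.resp_p": 443, "proto": "tcp"})
       for t in (0, 7, 95, 101, 230, 600)]
)

def parse_zeek_json(text):
    """Yield one dict per non-empty line of a Zeek JSON log."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)

def top_dns_clients(dns_log, n=5):
    """Analyst question: which hosts sent the most DNS queries?"""
    counts = Counter(rec["id.orig_h"] for rec in parse_zeek_json(dns_log))
    return counts.most_common(n)

def beacon_candidates(conn_log, min_conns=5, max_cv=0.05):
    """Hunter question: which (src, dst, port) tuples connect at suspiciously
    regular intervals? Flags tuples whose inter-arrival coefficient of
    variation (stdev / mean) is at or below max_cv; a crude beacon heuristic."""
    times = defaultdict(list)
    for rec in parse_zeek_json(conn_log):
        times[(rec["id.orig_h"], rec["id.resp_h"], rec["id.resp_p"])].append(rec["ts"])
    hits = []
    for key, ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append((key, round(mean, 1), round(cv, 4)))
    return hits
```

Real beacons add jitter and share destinations with legitimate traffic, so a CV threshold is a triage signal to hand to an analyst, not a verdict on its own.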

Capabilities

Built for analysts who don't have time.

Encrypted Traffic Intelligence
Classify TLS 1.3, QUIC, and ESNI flows without decryption. JA3/JA3S fingerprinting built-in.
MITRE ATT&CK Mapping
Every threat finding mapped to tactics and techniques. Structured for SIEM ingestion.
OSINT Enrichment
IPs, domains, and hashes automatically enriched with threat intel context.
Local LLM Support
Run fully air-gapped with Ollama. Your packets never leave your environment.
Live Capture (coming)
eBPF-powered live traffic feed into the analysis pipeline. Real-time threat detection.
// Performance Benchmarks
Analysis Speed: 2.1s
Threat Detection Rate: 94%
False Positive Rate: 0.8%
Max Pcap Size: 10GB
Protocol Coverage: 350+
// Early Access — Limited Spots

Stop grepping through hex.
