>SudoTrace, the free, self-hosted, AI-powered analyst workbench that helps you understand what really happened on a compromised endpoint, faster than MDE alone.

Update 25/06/2026 – I introduced a NEW module to >SudoTrace, the Business Email Compromise Checker, see more details at the bottom!

If you work in a SOC and use Microsoft Defender for Endpoint, you already know the frustration of how the telemetry is presented to you. It’s not visually appealing, and you have no clear picture of how processes are linked together. In the Timeline, events arrive in chronological order with no visual indication of parent-child relationships, no obvious compromise timeline, and no consolidated view of what IOCs are actually involved. You’re left stitching the story together manually, query by query, while the clock ticks. >SudoTrace is built to fix that!

>SudoTrace is a pure investigation and analysis tool. You submit a hostname or device ID and a process ID, and the tool loads your full process ancestry chain alongside telemetry from core MDE tables pulled in parallel via the Graph Security API.
From there, the analyst is in control. You review the process tree, flag the processes that look suspicious or malicious, and confirm the IOCs you want examined. Those flagged items can then be sent to Claude, which analyses the scoped data as a virtual blue team analyst, working backwards from the focal process to find the true root cause, identifying the delivery vector with a confidence level, flagging lateral movement indicators, and producing structured findings that reference exact PIDs, timestamps, and command lines. Every finding is grounded in the actual telemetry you selected.

  • Visual process tree with colour-coded flagging — suspicious (amber), malicious (red), benign (green)
  • Core telemetry tables loaded in parallel via the Microsoft Graph Security API
  • Claude Sonnet analysis: root cause, delivery vector, attack narrative
  • Four investigation tabs — Analysis, IOCs, Hunt, Timeline, AI analysis
  • Raw KQL editor with syntax highlighting
  • Analyst-confirmed IOC list integrated with VirusTotal for clean/malicious verdicts

Pivot to hunting from your curated IOC list:

Flag events as benign, suspicious, or malicious to build your timeline:

Timeline that can be modified and exported:

Once all entities are flagged (processes, IOCs, raw events), submit to the AI for analysis:

The AI will analyse the flagged entities and summarize if the activity is benign or malicious with a confidence level:

>SudoTrace is not a monitoring tool and it’s not a SIEM. It’s an investigation workbench, you bring it in when you have something to investigate.

v1 is now available on GitHub. It’s open source, free to use, and still a little rough around the edges. To get started, you’ll need a Microsoft Defender for Endpoint tenant with an Azure AD app registration and the appropriate API permissions configured.

v1 will be published on GitHub soon. It’s open source and free to use. I’m finishing a full security and stability review before release — I want to make sure it’s ready.

It’s out! https://github.com/Sudo-Savvy/SudoTrace

Update 25/06/2026 – New Business Email Compromise Checker

I built a BEC / account-compromise module into >SudoTrace to pull everything needed to understand what an attacker did while using the compromised account. Give it a user and a time window, and it reconstructs what the attacker did, in order, then hands you a phased incident-response runbook to work through.

SudoTrace groups every sign-in by source IP and flags the tells: adversary-in-the-middle token reuse, impossible travel, logins from hosting/datacentre ASNs, legacy auth. Each IP gets a one-click VirusTotal lookup, and device-trust chips show whether the login came from a registered/compliant device. The enrichment strip pulls Identity Protection risk and critically, whether the account is privileged (this one’s a Global Administrator).

>SudoTrace hunts persistence, mailbox manipulation, recon (which emails and files they opened), exfiltration, anti-forensics, and the outbound fraud mail itself. The results aren’t a wall of raw audit rows, they’re deduplicated and rewritten in plain English, in chronological order, each with the source IP and device.

Disabling an account doesn’t kill an already-stolen token, only revoking sessions does. The containment watcher checks both invariants (sessions revoked and holding, account disabled) and tells you plainly if containment isn’t actually in place. Useful for detecting failed or incomplete containment, synchronization issues in hybrid environments (where on-premises Active Directory can re-enable accounts in Entra), or manual changes that inadvertently restore access.
Timeline attacker activity and export for reporting purposes

No API access? No problem.
Not every responder has app credentials to hand. In offline mode, SudoTrace skips Graph entirely and generates copy-paste Advanced Hunting (KQL) queries pre-filled with the account and window. Add suspicious IPs as you find them and every query narrows to them.