
>SudoTrace, the free, self-hosted, AI-powered analyst workbench that helps you understand what really happened on a compromised endpoint, faster than MDE alone.
If you work in a SOC and use Microsoft Defender for Endpoint, you already know the frustration. An alert fires. You open the MXDR portal and pivot to the device Timeline, but it’s not visually appealing, and you have no clear picture of how processes are linked together. Events arrive in chronological order with no visual indication of parent-child relationships, no obvious compromise timeline, and no consolidated view of what IOCs are actually involved. You’re left stitching the story together manually, tab by tab, query by query, while the clock ticks. >SudoTrace is built to fix that!
>SudoTrace is a pure investigation and analysis tool. You submit a hostname or device ID and a process ID, and the tool loads your full process ancestry chain alongside telemetry from core MDE tables pulled in parallel via the Graph Security API.
From there, the analyst is in control. You review the process tree, flag the processes that look suspicious or malicious, and confirm the IOCs you want examined. Those flagged items can then be sent to Claude, which analyses the scoped data as a virtual blue team analyst, working backwards from the focal process to find the true root cause, identifying the delivery vector with a confidence level, flagging lateral movement indicators, and producing structured findings that reference exact PIDs, timestamps, and command lines. Every finding is grounded in the actual telemetry you selected.
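The core of what the paragraph above describes, loading a process ancestry chain and a flaggable tree from MDE telemetry, can be shown with a small Python reconstruction over DeviceProcessEvents-shaped rows. This is an added illustration, not SudoTrace's own code: the column names follow the public DeviceProcessEvents schema, while every row, PID, timestamp and verdict below is constructed sample data. It also covers the one caveat an analyst building this kind of chain runs into: PIDs are recycled by the OS, so a process must be keyed by (ProcessId, ProcessCreationTime), not by PID alone.

```python
"""Reconstruct a process ancestry chain from MDE-style DeviceProcessEvents rows.

Added illustration, not SudoTrace's own code. Column names follow the public
DeviceProcessEvents schema; every row below is constructed sample telemetry.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed sample rows. Two processes share PID 4242 with different
# creation times to show why the ancestry key must include the creation time.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "ProcessId": 1200, "ProcessCreationTime": "2024-01-01T08:59:00Z",
     "FileName": "explorer.exe", "ProcessCommandLine": "explorer.exe",
     "InitiatingProcessId": 900, "InitiatingProcessCreationTime": "2024-01-01T08:58:00Z"},
    {"DeviceName": "ws01", "ProcessId": 4242, "ProcessCreationTime": "2024-01-01T09:00:00Z",
     "FileName": "winword.exe", "ProcessCommandLine": "winword.exe report.docx",
     "InitiatingProcessId": 1200, "InitiatingProcessCreationTime": "2024-01-01T08:59:00Z"},
    {"DeviceName": "ws01", "ProcessId": 5001, "ProcessCreationTime": "2024-01-01T09:01:00Z",
     "FileName": "cmd.exe", "ProcessCommandLine": "cmd.exe /c build.bat",
     "InitiatingProcessId": 4242, "InitiatingProcessCreationTime": "2024-01-01T09:00:00Z"},
    {"DeviceName": "ws01", "ProcessId": 5100, "ProcessCreationTime": "2024-01-01T09:02:00Z",
     "FileName": "powershell.exe", "ProcessCommandLine": "powershell.exe -File build.ps1",
     "InitiatingProcessId": 5001, "InitiatingProcessCreationTime": "2024-01-01T09:01:00Z"},
    # PID 4242 reused by notepad.exe after winword.exe exited.
    {"DeviceName": "ws01", "ProcessId": 4242, "ProcessCreationTime": "2024-01-01T09:30:00Z",
     "FileName": "notepad.exe", "ProcessCommandLine": "notepad.exe",
     "InitiatingProcessId": 1200, "InitiatingProcessCreationTime": "2024-01-01T08:59:00Z"},
]


def index_events(events: list[dict]) -> dict[tuple[int, str], dict]:
    """Map each (ProcessId, ProcessCreationTime) key to its event row."""
    return {(e["ProcessId"], e["ProcessCreationTime"]): e for e in events}


def find_process(events: list[dict], pid: int) -> list[dict]:
    """All rows carrying this PID; more than one means the PID was reused
    and the analyst must also supply the creation time."""
    return [e for e in events if e["ProcessId"] == pid]


def ancestry(index: dict, pid: int, creation_time: str, max_depth: int = 64) -> list[dict]:
    """Walk from the focal process up to the oldest ancestor present in the data.

    The walk stops when the parent key is not in the telemetry (the parent
    was created before the query window), when a cycle is detected, or at
    max_depth, so malformed data cannot loop forever."""
    chain: list[dict] = []
    key = (pid, creation_time)
    seen: set[tuple[int, str]] = set()
    while key in index and key not in seen and len(chain) < max_depth:
        seen.add(key)
        row = index[key]
        chain.append(row)
        key = (row["InitiatingProcessId"], row["InitiatingProcessCreationTime"])
    return chain


def build_children(index: dict) -> dict[tuple[int, str], list[tuple[int, str]]]:
    """Invert the parent links so the tree can be walked top-down."""
    children: dict = defaultdict(list)
    for key, row in index.items():
        parent = (row["InitiatingProcessId"], row["InitiatingProcessCreationTime"])
        children[parent].append(key)
    for keys in children.values():
        keys.sort(key=lambda k: k[1])  # siblings in creation order
    return children


def render_tree(index: dict, root: tuple[int, str], flags: dict | None = None) -> list[str]:
    """Indented text tree rooted at `root`; `flags` maps process keys to the
    analyst's verdict (benign / suspicious / malicious) shown beside the node."""
    flags = flags or {}
    children = build_children(index)
    lines: list[str] = []

    def walk(key: tuple[int, str], depth: int) -> None:
        row = index[key]
        label = f"{row['FileName']} (pid {row['ProcessId']})"
        if key in flags:
            label += f" [{flags[key]}]"
        lines.append("  " * depth + label)
        for child in children.get(key, []):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    idx = index_events(SAMPLE_EVENTS)
    print("rows with PID 4242:", len(find_process(SAMPLE_EVENTS, 4242)))
    for row in ancestry(idx, 5100, "2024-01-01T09:02:00Z"):
        print(row["ProcessCreationTime"], row["FileName"], "|", row["ProcessCommandLine"])
    verdicts = {(4242, "2024-01-01T09:00:00Z"): "suspicious",
                (5100, "2024-01-01T09:02:00Z"): "malicious"}
    print("\n".join(render_tree(idx, (1200, "2024-01-01T08:59:00Z"), verdicts)))
```

The rows would in practice come from a DeviceProcessEvents query scoped to one DeviceName and a time window; note that the chain ends at the oldest ancestor actually present in that window, so a narrow window can make an ordinary parent look like a root.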

- Visual process tree with colour-coded flagging — suspicious (amber), malicious (red), benign (green)
- Core telemetry tables loaded in parallel via the Microsoft Graph Security API
- Claude Sonnet analysis: root cause, delivery vector, attack narrative
- Investigation tabs — Analysis, IOCs, Hunt, Timeline, AI analysis
- Raw KQL editor with syntax highlighting
- Analyst-confirmed IOC list integrated with VirusTotal for clean/malicious verdicts
Pivot to hunting from your curated IOC list:

Flag events as benign, suspicious, or malicious to build your timeline:

Timeline that can be modified and exported:

Once all entities are flagged (processes, IOCs, raw events), submit to the AI for analysis:

The AI will analyse the flagged entities and summarize if the activity is benign or malicious with a confidence level:

>SudoTrace is not a monitoring tool and it’s not a SIEM. It’s an investigation workbench: you bring it in when you have something to investigate.
v1 is now available on GitHub. It’s open source, free to use, and still a little rough around the edges. To get started, you’ll need a Microsoft Defender for Endpoint tenant with an Azure AD app registration and the appropriate API permissions configured.
v1 will be published on GitHub soon. It’s open source and free to use. I’m finishing a full security and stability review before release — I want to make sure it’s ready.
