ANKIR

Analyst Notes, Knowledge & Incidents Repository

Serious investigation tooling for DFIR teams

ANKIR is a local-first outliner and case management platform built for the way analysts actually work — fast and messy in private, structured and auditable when it counts. One environment instead of Obsidian, case tools, and shared drives stitched together.

  • Local-first: Private Vault, offline-capable
  • Block outliner: Keyboard-driven writing
  • Graph-native: Relationships as you work
  • DFIR-ready: IOCs, cases, STIX, timelines

One tool instead of four

Analysts today stitch together Obsidian for notes, case systems for tracking, shared drives for artifacts, and custom scripts for reporting. Each tool excels at one job and fights the rest.

ANKIR bridges private speed and team rigor in a single environment — capture messily in the Vault, promote cleanly to the Workspace, and produce evidence-grade output without re-platforming mid-incident.

  • Obsidian / Logseq

    Strong for private notes — weak for team cases and audit trails

  • TheHive / XSOAR

    Strong for ticketing — weak for narrative thinking and speed

  • ANKIR

    Outliner speed, investigation-native assets, graph, and optional team collaboration

Built for investigation workflows

ANKIR replaces the patchwork of note apps, case systems, and custom scripts with one analyst-native environment — without forcing you to choose between speed and rigor.

  • Outliner editor

    Block-level notes with nested structure, markdown, anchors, and stable IDs — built for investigation narratives, not generic journaling.

  • Case & asset management

    Cases, tasks, evidence, playbooks, and objectives in one model. Every record is a typed, linkable, auditable asset.

  • Knowledge graph

    Threat actors, malware, IOCs, and relationships become nodes automatically. Explore links without maintaining a separate graph tool.

  • Private Vault

    Brain dump, paste logs, rough theories — locally, offline, with no team visibility until you choose to promote findings.

  • STIX & MITRE

    STIX 2.1 import/export and ATT&CK-aware workflows for intelligence-grade tracking alongside operational notes.

  • Evidence-grade output

    Timelines, TLP markings, authorship, and audit trails designed for handoff to leadership and counsel.

Two realms, one tool

The Vault is not a draft folder — it is a permanent first-class environment for sensitive, fast work. The Workspace is where promoted findings become team-visible, auditable, and report-ready.

Vault

Private. Local. Yours.

  • Brain dump, paste logs, rough notes, half-formed theories
  • Works offline — no spinners, no sync anxiety
  • No team visibility, no audit trail by default
  • Some content never needs to leave the Vault

Workspace

Shared. Synced. Auditable.

  • Promote clean findings when you are ready
  • Real-time collaboration for active incidents
  • Full audit trail — timestamps, authorship, edit history
  • Evidence-grade output for leadership and legal

You control what crosses the boundary and when. No accidental exposure of raw analysis.

Product preview

A stylized look at the ANKIR client — local Vault, block outliner, and investigation graph in one surface.


# Investigation scratchpad

Paste logs, rough notes, and half-formed theories here.

[[id:inc-solarwinds|INC-2020-001 · SUNBURST]]

- Host: ws-014.internal — suspicious PowerShell parent

- IOC: 192.0.2.44 — C2 beacon, T1071.001

Illustrative UI mock — not a live application instance.

Early access

ANKIR is in active development. A public browser demo is not available yet — we are hardening the client before hosting at demo.ankir.app. Contact us if you are evaluating ANKIR for your team.