A collection of CLI tools for cybersecurity workflows, maintained under the nlink-jp organisation.
Each tool is a standalone project with its own repository, release cycle, and documentation. This umbrella repository tracks them together as git submodules and hosts shared conventions.
| Tool | Description |
|---|---|
| ioc-collector | Autonomously researches security incidents from URLs, CVE IDs, or natural language — extracts IoCs into Markdown reports and STIX 2.1 bundles |
| product-research | Researches products and services on the web — outputs ToS, privacy, and data security analysis as structured reports |
| ai-ir | AI-powered incident response analysis — analyzes Slack IR conversation exports to generate summaries, activity reports, role inference, and reusable investigation tactics |
| ir-timeline | IR timeline recorder — single-binary, browser-based tool for tracking IR events with text, images, tags, and time deltas (Go) |
| ir-tracker | Live IR tracker — continuous ingestion, segmented analysis, and timeline visualization for ongoing incidents via Gemini |
| news-collector | News collection agent — collects, tags, summarizes, translates, and delivers curated news digests via Gemini + Slack integration |
- AI-augmented: Tools use LLMs (Gemini, Claude, OpenAI-compatible endpoints) as the intelligence layer for research and analysis tasks.
- Structured output: All tools produce machine-readable JSON alongside human-readable Markdown — suitable for downstream automation.
- Security-first: IoC defanging, prompt injection defense, and no-exfiltration-by-default are built-in design constraints.
- Pipe-friendly: Tools read from files or stdin and write to files or stdout; composable with `jq` and each other.
Most tools are Python projects managed with uv:
```
uv sync && uv run <tool-entrypoint> [args]
```
Go tools (ir-timeline) build as single binaries:
```
make build   # → dist/<tool-name>
```
See CONVENTIONS.md for coding, documentation, and release standards that apply across all tools in this series.