This is a non-IMPACT record, meaning that access to the data is not controlled by IMPACT. For access, see the directions below.

This Resource is offered and provided outside of the IMPACT mediation framework. IMPACT and the IMPACT Coordination Council/Blackfire Technology, Inc. expressly disclaim all conditions, representations and warranties including but not limited to Resource availability, quality, accuracy, non-infringement, and non-interference. All Resource information and access is controlled by entities and under terms that are external to the IMPACT legal framework.


External Tool
External Data Source
56 (lowest rank is 56)

Category & Restrictions

forensics, cyber defense


Diffy is a triage tool used during cloud-centric security incidents, to help digital forensics and incident response (DFIR) teams quickly identify suspicious hosts on which to focus their response.

Diffy is a digital forensics and incident response (DFIR) tool developed by Netflix's Security Intelligence and Response Team (SIRT).
Diffy allows a forensic investigator to quickly scope a compromise across cloud instances during an incident, and triage those instances for followup actions. "Diffy" helps human investigators identify the differences between instances. Diffy is currently focused on Linux instances running within Amazon Web Services (AWS), but owing to our plugin structure, could support multiple platforms and cloud providers.

Diffy is a differencing engine for digital forensics and incident response (DFIR) in the cloud. Collect data across multiple virtual machines and use variations from a baseline, and/or clustering, to scope a incident.

- Efficiently highlights outliers in security-relevant instance behavior. For example, you can use Diffy to tell you which of your instances are listening on an unexpected port, are running an unusual process, include a strange crontab entry, or have inserted a surprising kernel module.

- Uses one, or both, of two methods to highlight differences:
Collection of a "functional" baseline from a "clean" running instance, against which your instance group is compared, and
Collection of a "clustered" baseline, in which all instances are surveyed, and outliers are made obvious.

- Uses a modular plugin-based architecture. The program includes plugins for collection using osquery via AWS Systems Manager (formerly known as Simple Systems Manager or SSM).

Additional Details

diffy, 1346, external data source, corporation, external, source, inferlink, inferlink corporation, response, incident, cloud, dfir, digital, forensics, security, identify, triage, tool, suspicious, incidents, teams, centric, focus, hosts, instances, instance, running, baseline, systems, plugin, outliers, aws, differences, manager, multiple, scope, collect, helps, virtual, amazon, entry, port, focused, support, relevant, unexpected, compromise, clustering, followup, surveyed, structure, clean, osquery, process, listening, human, machines, engine, investigator, highlight, linux, providers, strange, variations, web, inserted, netflix, methods, other, functional, actions, intelligence, sirt, module, modular, based, differencing, investigators, ssm, program, behavior, compared, architecture, surprising, includes, crontab, unusual, features, platforms, forensic, developed, simple, obvious, efficiently, highlights, services, team, clustered, kernel, include, plugins