Kanvas: Open-source incident response case management tool

Kanvas is an open-source incident response case management tool with a simple desktop interface, built in Python. It gives investigators a place to work with SOD (Spreadsheet of Doom) or similar files, so they can handle key tasks without jumping between different programs.

“At its core, the tool leverages Excel as the backend. It includes a note-taking features that uses Markdown, allowing investigators to write structured, portable notes. These notes can be easily exported or shared in .md format, ensuring that documentation remains accessible even without the tool,” Jinto Antony, the author of the tool and Senior Investigator, Incident Response at WithSecure, told Help Net Security.

Kanvas supports many external lookups, making it easier to add context during investigations. Analysts can get the information they need without switching between tools.

“A standout feature is the data visualization capability. Timelines and lateral movement can be inferred from case data and generated instantly with a single click. These visualizations are exported as images for reporting and presentations, saving analysts valuable time. The integration of the MITRE D3FEND matrix helps analysts quickly map threat actor TTPs to defensive strategies. This provides a structured way to not only record what happened but also to guide response planning,” Antony explained.

By keeping everything in Excel, the tool makes it easy to collaborate, share data, and work without being tied to the app itself. It’s a straightforward approach that goes a long way in improving how incident response actually gets done.

Future plans and download

“In the upcoming release, I plan to introduce additional visualizations and Diamond Model mapping for the data. I am also working on reporting capabilities by integrating an LLM, which will allow draft reports to be generated from spreadsheet data with improved accuracy,” Antony said.

The release will also introduce integration with threat intelligence platforms like MISP and OpenCTI, allowing analysts to push data to these platforms directly from within the tool. In addition, macOS users can look forward to a range of UI enhancements designed to improve usability and performance.

Kanvas is available for free on GitHub.

Must read:

Subscribe to the Help Net Security ad-free monthly newsletter to stay informed on the essential open-source cybersecurity tools. Subscribe here!