BreachSleuth is a local, offline tool for security practitioners. Scan datasets, score risk, redact PII, and run AI investigation without data leaving your machine.
Built for security practitioners who need fast, repeatable, offline-safe investigation workflows.
Recursively scans datasets of any size. Fingerprints files by magic bytes, detects mismatched extensions, and flags protected archives.
Opens ZIP, RAR, 7z, and tar archives automatically. Scans nested files for sensitive content without manual extraction.
Extracts and previews text from PDFs, Word documents, spreadsheets, emails, SQLite databases, and images via OCR.
Deterministic regex-based detection of credentials, PII, financial data, API keys, and confidentiality markers — no LLM required.
Deep-dive analysis using local Ollama models. Fully offline — no API keys, no cloud. Auto-detects available models.
Search with custom keywords or regex across all files. Export findings as HTML reports, CSV inventories, or IOC extracts.
Redact PII from the file preview before you read it, and optionally before it reaches any AI model. Originals are never modified.
Save and reload full investigation sessions as portable case files. SQLite-backed storage keeps your work between restarts.
Every practitioner action — file views, risk changes, AI calls, case saves — is logged with a timestamp. Exportable for compliance and handoff.
BreachSleuth is being developed use-case by use-case, with each phase focused on a complete practitioner workflow.
Full recursive scan with file fingerprinting, magic byte detection, type mismatch flagging, protected archive detection, and category breakdowns.
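How magic-byte fingerprinting, extension-mismatch flagging and protected-archive detection fit together, as an added example that is not BreachSleuth's own code. The signature table, the "protected" heuristic (reading the encryption bit of the first ZIP local header) and the sample files are constructed here to show the technique.

```python
"""Magic-byte fingerprinting with extension-mismatch and protected-archive flags.

Added example, not BreachSleuth's own code. The signature table, the sample
files and the 'protected' heuristic are constructed here to show the technique.
"""
from __future__ import annotations

import os
import struct
import tempfile
import zipfile
from dataclasses import dataclass

# Constructed signature table: (magic prefix, type label, extensions that legitimately carry it).
# A handful of common formats; a real scanner ships a much longer table.
SIGNATURES: list[tuple[bytes, str, frozenset[str]]] = [
    (b"%PDF-", "pdf", frozenset({".pdf"})),
    (b"PK\x03\x04", "zip", frozenset({".zip", ".docx", ".xlsx", ".pptx", ".jar"})),
    (b"Rar!\x1a\x07", "rar", frozenset({".rar"})),
    (b"7z\xbc\xaf\x27\x1c", "7z", frozenset({".7z"})),
    (b"SQLite format 3\x00", "sqlite", frozenset({".db", ".sqlite", ".sqlite3"})),
    (b"\x89PNG\r\n\x1a\n", "png", frozenset({".png"})),
    (b"\xff\xd8\xff", "jpeg", frozenset({".jpg", ".jpeg"})),
    (b"MZ", "pe", frozenset({".exe", ".dll"})),
]

@dataclass
class Fingerprint:
    path: str
    detected: str    # type inferred from magic bytes, or "unknown"
    extension: str
    mismatch: bool   # extension does not belong to the detected type
    protected: bool  # archive appears to require a password

def detect_type(header: bytes) -> str:
    for magic, label, _ in SIGNATURES:
        if header.startswith(magic):
            return label
    return "unknown"

def is_mismatch(detected: str, ext: str) -> bool:
    if detected == "unknown":
        return False  # no signature knowledge, so no claim either way
    allowed = next(exts for _, label, exts in SIGNATURES if label == detected)
    return ext not in allowed

def zip_entry_encrypted(header: bytes) -> bool:
    # ZIP local file header: signature(4) version(2) flags(2); bit 0 of flags marks an encrypted entry.
    # Only the first entry is checked, which is enough to flag the archive for manual handling.
    if len(header) < 8 or not header.startswith(b"PK\x03\x04"):
        return False
    (flags,) = struct.unpack_from("<H", header, 6)
    return bool(flags & 0x1)

def fingerprint_file(path: str) -> Fingerprint:
    with open(path, "rb") as fh:
        header = fh.read(32)
    detected = detect_type(header)
    ext = os.path.splitext(path)[1].lower()
    protected = detected == "zip" and zip_entry_encrypted(header)
    return Fingerprint(path, detected, ext, is_mismatch(detected, ext), protected)

def scan_tree(root: str) -> dict[str, Fingerprint]:
    """Recursively fingerprint every regular file under root, keyed by path relative to root."""
    results: dict[str, Fingerprint] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root)] = fingerprint_file(full)
    return results

def build_sample_dataset(root: str) -> None:
    """Constructed sample files: a PDF, a ZIP disguised as .txt, a DOCX (really a ZIP),
    an 'encrypted' ZIP (flag bit patched in by hand) and a plain text file in a subfolder."""
    with open(os.path.join(root, "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.7\n% constructed sample\n")
    for name in ("notes.txt", "invoice.docx", "secrets.zip"):
        with zipfile.ZipFile(os.path.join(root, name), "w") as zf:
            zf.writestr("inner.txt", "constructed content")
    with open(os.path.join(root, "secrets.zip"), "r+b") as fh:  # set the 'encrypted' bit
        fh.seek(6)
        (flags,) = struct.unpack("<H", fh.read(2))
        fh.seek(6)
        fh.write(struct.pack("<H", flags | 0x1))
    os.makedirs(os.path.join(root, "sub"), exist_ok=True)
    with open(os.path.join(root, "sub", "README"), "wb") as fh:
        fh.write(b"plain text, no signature\n")

def demo() -> dict[str, Fingerprint]:
    with tempfile.TemporaryDirectory() as root:
        build_sample_dataset(root)
        return scan_tree(root)

if __name__ == "__main__":
    for rel, fp in sorted(demo().items()):
        print(f"{rel:14} {fp.detected:8} mismatch={fp.mismatch} protected={fp.protected}")
```

The type decision comes from the bytes alone; the extension is only consulted afterwards, so a renamed archive is reported as a ZIP with a mismatch rather than trusted as text.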
Automatic extraction and listing of contents inside ZIP, RAR, 7z, and tar archives. Risk scanning of nested files without manual unpacking.
Per-file content extraction (PDF, DOCX, XLSX, EML, SQLite, OCR), automatic risk scoring with highlighted previews, pattern search with regex support, and HTML/CSV report export.
Deep analysis using local Ollama models. Fully offline — no API keys required. Ask questions about individual files or the full dataset. Batch analysis across all scanned files.
HTML narrative reports, CSV file inventories, and IOC extraction. Export findings to any folder for handoff and record-keeping.
Save and reload full investigation sessions as portable case files. SQLite-backed storage keeps all scan results and triage decisions between restarts.
Session-level PII redaction keeps sensitive data out of previews and AI models. Every practitioner action is timestamped and logged to the case database, exportable for compliance.
One-click installers for macOS and Windows. Offline-capable deployment with no internet dependency after initial setup.
Breach data is sensitive by definition. BreachSleuth never sends your data anywhere.
Runs entirely on your machine. No cloud connectivity required for scanning, analysis, or reporting.
Integrates with Ollama for on-device AI analysis. Your data never leaves your environment.
Files are read and analysed in place. Nothing is copied, uploaded, or transmitted.
Designed for use in isolated environments. Suitable for sensitive investigations and classified datasets.
Redact PII from the practitioner's view and optionally from AI prompts. Three modes: off, preview-only, or full redaction before any LLM call.
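What deterministic, regex-based detection and the three redaction modes look like in practice, as an added example that is not BreachSleuth's own code. The pattern table, the risk weights, the Luhn filter on card numbers and the sample text are constructed here; the modes follow the three the page names (off, preview-only, full).

```python
"""Deterministic regex detection of sensitive content, with three redaction modes.

Added example, not BreachSleuth's own code. The pattern table, weights and
sample text are constructed here; the three modes mirror the ones the page names.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from enum import Enum

class RedactionMode(Enum):
    OFF = "off"                # nothing redacted anywhere
    PREVIEW_ONLY = "preview"   # practitioner's preview redacted, AI prompt untouched
    FULL = "full"              # preview and anything sent to an LLM both redacted

@dataclass
class Finding:
    category: str
    start: int
    end: int
    weight: int

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# Constructed pattern table: (category, risk weight, regex, optional validator).
PATTERNS = [
    ("email", 2, re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), None),
    ("ssn", 5, re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None),
    ("card", 6, re.compile(r"\b(?:\d[ -]?){13,16}\b"),
     lambda m: luhn_ok(re.sub(r"\D", "", m.group()))),
    ("aws_access_key", 8, re.compile(r"\bAKIA[0-9A-Z]{16}\b"), None),
    ("private_key", 10, re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), None),
    ("confidential_marker", 1, re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY|RESTRICTED)\b"), None),
]

def scan_text(text: str) -> list[Finding]:
    """Run every pattern; keep a match only if its validator (when any) accepts it."""
    findings = []
    for category, weight, rx, validate in PATTERNS:
        for m in rx.finditer(text):
            if validate is None or validate(m):
                findings.append(Finding(category, m.start(), m.end(), weight))
    return sorted(findings, key=lambda f: f.start)

def risk_score(findings: list[Finding]) -> int:
    return sum(f.weight for f in findings)

def redact(text: str, findings: list[Finding]) -> str:
    """Replace each finding with a category tag; overlapping spans keep the earlier one."""
    out, pos = [], 0
    for f in findings:
        if f.start < pos:
            continue
        out.append(text[pos:f.start])
        out.append(f"[REDACTED:{f.category}]")
        pos = f.end
    out.append(text[pos:])
    return "".join(out)

def prepare_views(text: str, mode: RedactionMode) -> tuple[str, str]:
    """Return (what the practitioner sees, what an LLM would receive) for the chosen mode.
    The original text is never modified; both views are derived copies."""
    redacted = redact(text, scan_text(text))
    if mode is RedactionMode.OFF:
        return text, text
    if mode is RedactionMode.PREVIEW_ONLY:
        return redacted, text
    return redacted, redacted

# Constructed sample: a few lines of a leaked customer export.
SAMPLE = (
    "CONFIDENTIAL customer export\n"
    "jane.doe@example.com, card 4111 1111 1111 1111, ref 1234 5678 9012 3456\n"
    "SSN 123-45-6789, key AKIAABCDEFGHIJKLMNOP\n"
)

if __name__ == "__main__":
    found = scan_text(SAMPLE)
    print("risk score:", risk_score(found))
    for mode in RedactionMode:
        preview, ai_input = prepare_views(SAMPLE, mode)
        print(f"--- {mode.value}: preview ---\n{preview}--- {mode.value}: to LLM ---\n{ai_input}")
```

The second digit run in the sample fails the Luhn check and is left alone, which is the point of pairing a regex with a validator: the detector stays deterministic but does not flag every sixteen-digit reference number as a card.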
BreachSleuth stores all scan results in a local SQLite database — a single file on your machine. No server, no shared storage, no memory that disappears when you close the app.
Close the app and reopen it — your scan results, triage decisions, and audit log are all still there. Nothing is held in memory.
The database is a single .db file. Copy it, back it up, or move it to another machine. Your investigation travels with it.
A file on disk can be retained, submitted, or reviewed as part of an investigation record. Suitable for formal IR engagements.
Point the database location at a different file to switch between investigations without data mixing. Each case is fully isolated.
You choose exactly where the data file lives — local drive, encrypted volume, or network share. Critical for air-gapped and classified environments.
Every scan result is written to disk immediately. If the app crashes mid-investigation, nothing is lost — reopen and continue.
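The persistence model described above (one SQLite file per case, every write committed immediately, a timestamped audit log, isolation by pointing at a different file), as an added example that is not BreachSleuth's own code. The schema, table names and sample paths are constructed here.

```python
"""SQLite-backed case storage with an append-only, timestamped audit log.

Added example, not BreachSleuth's own code. Schema, table names and sample
values are constructed here to illustrate the persistence model the page describes.
"""
import csv
import io
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE IF NOT EXISTS files (
    path       TEXT PRIMARY KEY,
    file_type  TEXT NOT NULL,
    risk       INTEGER NOT NULL,
    triage     TEXT NOT NULL DEFAULT 'untriaged'
);
CREATE TABLE IF NOT EXISTS audit_log (
    id      INTEGER PRIMARY KEY AUTOINCREMENT,
    ts_utc  TEXT NOT NULL,
    actor   TEXT NOT NULL,
    action  TEXT NOT NULL,
    detail  TEXT NOT NULL
);
"""

def open_case(db_path: str) -> sqlite3.Connection:
    """Open (or create) a case file. One case is one .db file; a different path is a fully separate case."""
    conn = sqlite3.connect(db_path)
    conn.execute("PRAGMA journal_mode=WAL")  # durable, crash-safe writes
    conn.executescript(SCHEMA)
    return conn

def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

def log_action(conn: sqlite3.Connection, actor: str, action: str, detail: str) -> None:
    conn.execute(
        "INSERT INTO audit_log (ts_utc, actor, action, detail) VALUES (?, ?, ?, ?)",
        (_now(), actor, action, detail),
    )
    conn.commit()

def record_scan_result(conn: sqlite3.Connection, path: str, file_type: str, risk: int) -> None:
    conn.execute(
        "INSERT OR REPLACE INTO files (path, file_type, risk) VALUES (?, ?, ?)",
        (path, file_type, risk),
    )
    conn.commit()  # committed at once: a crash after this point loses nothing
    log_action(conn, "scanner", "scan_result", f"{path} type={file_type} risk={risk}")

def set_triage(conn: sqlite3.Connection, path: str, decision: str, actor: str) -> None:
    conn.execute("UPDATE files SET triage = ? WHERE path = ?", (decision, path))
    conn.commit()
    log_action(conn, actor, "triage", f"{path} -> {decision}")

def export_audit_csv(conn: sqlite3.Connection) -> str:
    """Audit trail as CSV text, suitable for handoff or a compliance record."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["id", "ts_utc", "actor", "action", "detail"])
    for row in conn.execute("SELECT id, ts_utc, actor, action, detail FROM audit_log ORDER BY id"):
        w.writerow(row)
    return buf.getvalue()

def demo() -> dict:
    """Write to case A, close, reopen and verify; then open case B and show it is empty."""
    with tempfile.TemporaryDirectory() as d:
        case_a = os.path.join(d, "case-a.db")
        case_b = os.path.join(d, "case-b.db")

        conn = open_case(case_a)
        record_scan_result(conn, "/data/export/customers.csv", "csv", 22)   # constructed paths
        record_scan_result(conn, "/data/export/notes.txt", "zip", 3)
        set_triage(conn, "/data/export/customers.csv", "confirmed-sensitive", "analyst")
        conn.close()  # simulate closing the app

        conn = open_case(case_a)  # reopen: results, triage and audit log are all still there
        files_a = conn.execute("SELECT COUNT(*) FROM files").fetchone()[0]
        triage = conn.execute(
            "SELECT triage FROM files WHERE path = ?", ("/data/export/customers.csv",)
        ).fetchone()[0]
        audit_rows = conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]
        csv_text = export_audit_csv(conn)
        conn.close()

        other = open_case(case_b)  # a different case file: nothing from case A is visible
        files_b = other.execute("SELECT COUNT(*) FROM files").fetchone()[0]
        other.close()

        return {"files_a": files_a, "triage": triage, "audit_rows": audit_rows,
                "files_b": files_b, "csv_lines": csv_text.count("\n")}

if __name__ == "__main__":
    print(demo())
```

Each write is its own committed transaction, so the state on disk is never more than one action behind what the practitioner has done; switching cases is just opening a different file, which is what keeps evidence from two investigations from mixing.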
BreachSleuth is currently in private beta. Request access for your security team and I'll be in touch.