FAQ

Rocheston ZelKill is an AI-driven threat hunting, investigation, and response orchestration platform inside the Rocheston Zelfire Suite. It ingests logs from almost any environment, normalizes them into one hunting schema, correlates activity across sources, visualizes attack paths, produces evidence-linked outputs, and enables controlled containment actions.
Most threat hunting tools are too complex and slow: painful integrations, hard query languages, siloed ecosystems, and investigations that turn into manual spreadsheets. ZelKill solves this by making ingestion universal, hunting visual, correlation fast, AI evidence-driven, reporting defensible, and response orchestration integrated.
ZelKill is a threat hunting and investigation platform that can ingest SIEM exports and streams, but it is built for hunting velocity and investigation clarity, not just log warehousing. Its priority is correlation, pivots, narratives, evidence integrity, and fast containment workflows.
ZelKill is designed to avoid vendor lock-in: it ingests from any SIEM, any server, any cloud, any identity provider, any network device, and from offline incident bundles.
ZelKill can ingest SIEM logs, web server logs (Apache/Nginx/IIS), Windows logs (Security/Sysmon/PowerShell), Linux logs (auth/syslog/auditd/sudo/cron), network logs (DNS/proxy/firewall/VPN/IDS/IPS/flows), identity logs (sign-ins/MFA/OAuth/privilege), cloud audit logs, endpoint/EDR exports, email/SaaS audit exports, and incident ZIP/GZ bundles.
Supported ingestion methods: API pull connectors, webhook push endpoints, a syslog receiver (UDP/TCP/TLS), SSH/SFTP file pulls, cloud bucket pulls (S3/Azure Blob/GCS), folder watchers, manual uploads (CSV/JSON/NDJSON/EVTX/ZIP/GZ), and optional log bus integrations such as Kafka for advanced deployments.
Supported formats: JSON, NDJSON, CSV, syslog variants, CEF, LEEF, Apache/Nginx combined format, IIS W3C, EVTX bundle imports, and compressed archives (ZIP/GZ).
ZelKill parses and normalizes logs into a unified schema, indexes them for fast search, extracts entities (IPs/domains/URLs/hashes/users/hosts/processes), computes first-seen/last-seen/prevalence, applies enrichment where configured, and prepares data for hunts, correlations, and AI analysis.
A consistent hunting schema with fields such as time, source type, host, user, src_ip/dest_ip, domain/url, process/parent_process/commandline/hash (when available), action/outcome, severity/confidence, tags, and technique/tactic mapping where possible.
ZelKill uses a no-code field mapping wizard that lets users map key fields (timestamp, host, user, IPs, domain/url, action/outcome, severity/confidence). The mapping is saved as a reusable parser template per integration.
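The mapping step is easiest to see in code. The following is an added example, not ZelKill's parser: it normalizes three constructed log lines (Apache combined, a CEF firewall event, a Linux sshd syslog line) into the schema fields listed on this page. The regexes, the source_type values, the outcome mapping and the sample lines are assumptions made for the illustration.

```python
"""Normalizing three log formats into one hunting schema (added example, not ZelKill code).

Schema field names follow this page; regexes, source_type values, outcome
mapping and the sample lines are assumptions made for the illustration.
"""
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample lines (not from any real system): Apache combined,
# a CEF firewall event, and a Linux sshd syslog line.
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Mar/2024:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    "CEF:0|ExampleFW|NGFW|1.0|100|Connection blocked|7|"
    "rt=1710078960000 src=10.0.0.5 dst=198.51.100.9 dhost=bad.example act=block",
    "Mar 10 13:57:02 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51234 ssh2",
]

APACHE_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) '
)
# CEF extension is key=value pairs; values may contain spaces, so a value ends
# where the next " key=" begins (a value containing " word=" would break this).
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src_ip>\S+)"
)


def empty_event(source_type: str) -> dict:
    """One record in the unified schema; fields the source lacks stay None."""
    return {
        "time": None, "source_type": source_type, "host": None, "user": None,
        "src_ip": None, "dest_ip": None, "domain": None, "url": None,
        "process": None, "parent_process": None, "commandline": None, "hash": None,
        "action": None, "outcome": None, "severity": None, "confidence": None,
        "tags": [], "technique": None, "tactic": None,
    }


def parse_apache(line: str) -> Optional[dict]:
    m = APACHE_RE.match(line)
    if not m:
        return None
    ev = empty_event("web")
    ev["time"] = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["src_ip"] = m["src_ip"]
    ev["user"] = None if m["user"] == "-" else m["user"]
    ev["url"], ev["action"] = m["url"], m["method"]
    ev["outcome"] = "failure" if int(m["status"]) >= 400 else "success"  # 4xx/5xx = failed request
    ev["tags"] = [f"http_status:{m['status']}"]
    return ev


def parse_cef(line: str) -> Optional[dict]:
    if not line.startswith("CEF:"):
        return None
    header = line.split("|", 7)  # seven header fields, then the extension
    if len(header) < 8:
        return None
    ext = dict(CEF_EXT_RE.findall(header[7]))
    ev = empty_event("firewall")
    if ext.get("rt", "").isdigit():  # rt = receipt time in epoch milliseconds
        ev["time"] = datetime.fromtimestamp(int(ext["rt"]) / 1000, tz=timezone.utc)
    ev["src_ip"], ev["dest_ip"], ev["domain"] = ext.get("src"), ext.get("dst"), ext.get("dhost")
    ev["action"] = ext.get("act")
    ev["outcome"] = {"block": "blocked", "allow": "allowed"}.get(ext.get("act"))
    ev["severity"] = int(header[6]) if header[6].isdigit() else None
    ev["tags"] = [f"{header[1]}:{header[2]}", f"sig:{header[4]}", header[5]]
    return ev


def parse_sshd(line: str, year: int) -> Optional[dict]:
    m = SSHD_RE.match(line)
    if not m:
        return None
    ev = empty_event("linux_auth")
    # Classic syslog carries no year or zone: the caller supplies the year and
    # the timestamps are assumed to be UTC.
    ev["time"] = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    ev["host"], ev["user"], ev["src_ip"] = m["host"], m["user"], m["src_ip"]
    ev["process"], ev["action"] = "sshd", "ssh_login"
    ev["outcome"] = "failure" if m["outcome"] == "Failed" else "success"
    return ev


def normalize(line: str, year: int = 2024) -> Optional[dict]:
    """Try each parser template in turn. Unknown lines return None so they can
    be counted as parser errors rather than silently dropped."""
    return parse_apache(line) or parse_cef(line) or parse_sshd(line, year)


def normalize_all(lines, year: int = 2024) -> list:
    return [ev for ev in (normalize(line, year) for line in lines) if ev is not None]
```

Each parser function plays the role of one saved mapping template: adding a new source means adding a parser, not changing the schema that hunts and correlation run against. Lines no template matches are returned as None on purpose, so they can be surfaced as parser errors in telemetry health rather than vanish.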
The hunt builder is a visual pipeline builder where users drag blocks into a hunt plan: scope, filters, correlation/sequence, outputs, and optional actions. It validates the plan, estimates cost, runs it, and returns results with pivots and evidence capture.
Hunt Packs are prebuilt hunt “boxes” that cover major threats (ransomware, brute force, web attacks, lateral movement, persistence, C2, exfiltration, identity abuse, cloud compromise). Users can preview, load into the builder, and run instantly.
ZelKill is designed to ship with more than 100 hunt packs by default, covering practical attack patterns across web, identity, endpoint, network, and cloud sources.
ZelC is Rocheston’s modern cybersecurity language for the agentic era. Users write intent-based scripts that go through a safety check, then execute in a controlled way to produce structured, evidence-linked results. ZelC can also generate hunt programs, recommended pivots, and report drafts.
ZelKill correlates across Apache, Windows, Linux, DNS, firewall, proxy, cloud, and identity sources by linking activity through shared entities (IP, user, host, domain, hash) within time windows.
ZelKill supports sequence logic such as "Event A then Event B within X minutes", so hunts detect attacker progression rather than isolated signals.
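As an added example (not ZelKill code), here is the "Event A then Event B within X minutes" logic run over constructed events in this page's hunting schema, keyed on a shared entity. The first hunt keys on src_ip (a burst of failures followed by a success); the second pivots to host to join the auth source with a DNS source. The thresholds, predicates and sample events are assumptions.

```python
"""Sequence hunts: "event A, then event B within X minutes" on a shared entity
(added example, not ZelKill code).

Events are constructed records in this page's hunting schema; the thresholds
and predicates are assumptions.
"""
from datetime import datetime, timedelta, timezone


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def auth(t: str, host: str, user: str, src_ip: str, outcome: str) -> dict:
    return {"time": ts(t), "source_type": "linux_auth", "host": host,
            "user": user, "src_ip": src_ip, "outcome": outcome}


# Constructed events: a burst of failures from 203.0.113.7 followed by a
# success and then a DNS lookup from the host that was logged into, plus a
# single mistyped password from alice that must not fire.
EVENTS = [
    auth("2024-03-10T13:50:00", "web01", "root", "203.0.113.7", "failure"),
    auth("2024-03-10T13:50:10", "web01", "admin", "203.0.113.7", "failure"),
    auth("2024-03-10T13:50:20", "web01", "deploy", "203.0.113.7", "failure"),
    auth("2024-03-10T13:50:30", "web01", "deploy", "203.0.113.7", "failure"),
    auth("2024-03-10T13:50:40", "web01", "deploy", "203.0.113.7", "failure"),
    auth("2024-03-10T13:51:05", "web01", "deploy", "203.0.113.7", "success"),
    {"time": ts("2024-03-10T13:52:30"), "source_type": "dns", "host": "web01", "user": None,
     "src_ip": "10.0.0.21", "domain": "xk3f9.example", "outcome": "success"},
    auth("2024-03-10T12:00:00", "web02", "alice", "198.51.100.4", "failure"),
    auth("2024-03-10T12:01:00", "web02", "alice", "198.51.100.4", "success"),
]


def sequence_hunt(events, first, second, key: str, window: timedelta, min_first: int = 1) -> list:
    """One lead per entity where at least `min_first` events matching `first`
    precede an event matching `second` by no more than `window`. `key` is the
    schema field both stages share (src_ip, host, user, ...), which is what lets
    events from different sources be joined."""
    by_entity = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get(key) is not None:
            by_entity.setdefault(ev[key], []).append(ev)
    leads = []
    for entity, evs in by_entity.items():
        firsts = [e for e in evs if first(e)]
        for b in evs:
            if not second(b):
                continue
            prior = [a for a in firsts if b["time"] - window <= a["time"] < b["time"]]
            if len(prior) >= min_first:
                leads.append({"entity": entity, "key": key, "first_events": prior,
                              "second_event": b, "span": b["time"] - prior[0]["time"]})
                break  # one lead per entity; first_events carries the supporting evidence
    return leads


def brute_force_then_success(events) -> list:
    """Stage 1, keyed on src_ip: 5+ auth failures, then a success within 10 minutes."""
    return sequence_hunt(
        events,
        first=lambda e: e["source_type"] == "linux_auth" and e["outcome"] == "failure",
        second=lambda e: e["source_type"] == "linux_auth" and e["outcome"] == "success",
        key="src_ip", window=timedelta(minutes=10), min_first=5)


def login_then_dns(events) -> list:
    """Stage 2, keyed on host: a successful login followed within 5 minutes by a
    DNS query from that host, joining the auth and DNS sources."""
    return sequence_hunt(
        events,
        first=lambda e: e["source_type"] == "linux_auth" and e["outcome"] == "success",
        second=lambda e: e["source_type"] == "dns",
        key="host", window=timedelta(minutes=5))
```

The min_first threshold is what separates a brute-force-then-success lead from a user who mistyped a password once; alice's two events sit inside the window but never reach it. Running the two stages on different keys is the cross-source pivot: src_ip ties the failures to the success, and host ties that success to the DNS lookup that follows.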
Rarity Mode highlights first-seen and low-prevalence entities and behaviors so the unusual rises above the noise. This is especially powerful for new domains, rare processes, and unusual admin access patterns.
ZelKill compares current activity to historical behavior to show what changed, where spikes occurred, and which entities are newly abnormal.
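The first-seen/prevalence statistics computed at ingestion, Rarity Mode, and the baseline comparison described above, as one added example (not ZelKill code). The thresholds (rare = seen on at most one host, spike = three times the baseline daily rate), the 30-day baseline and the DNS sample data are assumptions.

```python
"""Rarity Mode: first-seen, low-prevalence and spiking entities versus a baseline
(added example, not ZelKill code).

The first-seen / prevalence statistics are the ones this page describes; the
thresholds (rare = seen on at most one host, spike = 3x the baseline daily
rate), the 30-day baseline and the DNS sample data are assumptions.
"""
from collections import Counter, defaultdict


def dns_events(domain: str, host: str, n: int) -> list:
    """Constructed normalized DNS events: n lookups of `domain` from `host`."""
    return [{"source_type": "dns", "host": host, "domain": domain} for _ in range(n)]


# Constructed 30-day baseline and a one-day current window.
BASELINE = (
    sum((dns_events("cdn.example", f"ws{i:02d}", 60) for i in range(10)), [])
    + sum((dns_events("mail.example", f"ws{i:02d}", 30) for i in range(3)), [])
    + dns_events("update.example", "ws03", 30)
)
CURRENT = (
    sum((dns_events("cdn.example", f"ws{i:02d}", 5) for i in range(5)), [])
    + dns_events("mail.example", "ws01", 3)
    + dns_events("update.example", "ws03", 12)
    + dns_events("xk3f9.example", "ws07", 4)
)


def rarity_report(baseline, current, field: str, host_field: str = "host",
                  baseline_days: int = 30, rare_host_max: int = 1, spike_ratio: float = 3.0) -> list:
    """Rank entities seen in `current` by how unusual they are against `baseline`.
    Entities with no reason to stand out are omitted, which is the noise filter."""
    base_count = Counter(e[field] for e in baseline if e.get(field))
    cur_count = Counter(e[field] for e in current if e.get(field))
    hosts = defaultdict(set)  # prevalence: distinct hosts that ever touched the entity
    for e in list(baseline) + list(current):
        if e.get(field) and e.get(host_field):
            hosts[e[field]].add(e[host_field])

    rows = []
    for entity, n in cur_count.items():
        reasons = []
        if entity not in base_count:
            reasons.append("first_seen")
        if len(hosts[entity]) <= rare_host_max:
            reasons.append("rare")
        daily = base_count[entity] / baseline_days
        ratio = n / daily if daily else None
        if ratio is not None and ratio >= spike_ratio:
            reasons.append("spike")
        if reasons:
            rows.append({"entity": entity, "count": n, "hosts": len(hosts[entity]),
                         "baseline_daily": round(daily, 2),
                         "ratio": None if ratio is None else round(ratio, 1),
                         "reasons": reasons})
    # Most reasons first, then fewer hosts (rarer), then higher volume.
    rows.sort(key=lambda r: (-len(r["reasons"]), r["hosts"], -r["count"]))
    return rows
```

The high-volume CDN and mail domains fall out entirely even though they dominate the raw counts; what remains is the never-before-seen domain on a single workstation and the one-host domain whose lookup rate jumped twelvefold, which is the shape of "unusual rises above the noise".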
ZelKill maps observed behavior to MITRE ATT&CK tactics and techniques, provides an activity heat view, and offers drilldowns to technique evidence, impacted hosts/users, and technique timelines.
ZelKill can show which techniques are covered by current telemetry and hunts, which are blind spots, what data sources are missing, and which hunts/templates should be enabled next.
The Ransomware War Room is a dedicated ransomware command center with indicator feeds, patient zero ranking, spread mapping, a kill chain phase timeline, containment recommendations, and ransomware-specific reporting.
ZelKill ranks patient zero candidates using earliest indicator timestamps, indicator volume and severity, correlation strength to lateral movement, and the number of linked suspicious entities.
ZelKill builds spread maps from authentication paths, SMB/RDP patterns, remote service creation signals, and correlated host-to-host edges.
The threat graph is an interactive relationship map connecting IPs, hosts, users, domains, URLs, processes, and hashes. Clicking nodes and edges reveals evidence, pivots, and investigative pathways.
A source-to-destination flow view shows Source → Host → Destination patterns, making exfiltration routes, suspicious outbound paths, and C2 flows easier to spot.
A timeline command center with hour/day/week views, swimlanes by host/user/source/technique, phase overlays, fast filtering, and selection-to-case narrative building.
The Evidence Locker is an evidence vault where every evidence item is hashed with SHA-256, tracked with chain-of-custody logs, linked to cases/leads/hunts/playbooks/actions, and exportable as evidence packs with manifests and verification hashes.
Evidence Packs bundle multiple evidence items into a verifiable export package: a manifest.json listing each item with its hash, a hash of the manifest itself, and a structured export bundle with verification instructions. A reviewer recomputes the item hashes and the manifest hash to confirm nothing changed after export.
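An added example (not ZelKill's exporter) of building such a pack and verifying it, including what verification reports when an item or the manifest hash is altered after export. The file names manifest.json and manifest.sha256, the evidence_id format, the custody entry layout and the evidence items themselves are assumptions.

```python
"""Building and verifying an evidence pack (added example, not ZelKill's exporter).

The file names manifest.json / manifest.sha256, the evidence_id format and
the custody entry layout are assumptions; the evidence items are constructed.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed evidence items (not real logs).
SAMPLE_ITEMS = {
    "auth.log": b"Mar 10 13:57:02 web01 sshd[2211]: Failed password for root from 203.0.113.7\n",
    "dns.csv": b"time,host,domain\n2024-03-10T13:52:30Z,web01,xk3f9.example\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_pack(pack_dir: Path, items: dict, case_id: str, collected_by: str) -> str:
    """Write each item, a manifest.json with per-item hashes and a custody
    entry, then manifest.sha256 holding the hash of the manifest bytes.
    Returns the manifest hash."""
    pack_dir.mkdir(parents=True, exist_ok=True)
    now = datetime.now(timezone.utc).isoformat()
    entries = []
    for name, data in sorted(items.items()):
        (pack_dir / name).write_bytes(data)
        digest = sha256_hex(data)
        entries.append({
            "evidence_id": f"EV-{digest[:12]}",  # assumed ID scheme: hash prefix
            "file": name, "sha256": digest, "size": len(data),
            "custody": [{"action": "collected", "by": collected_by, "at": now}],
        })
    manifest = {
        "case_id": case_id, "created": now, "hash_algorithm": "sha256", "items": entries,
        "verification": "sha256 each listed file and compare with 'sha256'; "
                        "sha256 manifest.json and compare with manifest.sha256",
    }
    manifest_bytes = json.dumps(manifest, indent=2, sort_keys=True).encode()
    (pack_dir / "manifest.json").write_bytes(manifest_bytes)
    manifest_hash = sha256_hex(manifest_bytes)
    (pack_dir / "manifest.sha256").write_text(manifest_hash + "\n")
    return manifest_hash


def verify_pack(pack_dir: Path) -> list:
    """Return a list of problems; an empty list means the pack verifies."""
    problems = []
    manifest_bytes = (pack_dir / "manifest.json").read_bytes()
    expected = (pack_dir / "manifest.sha256").read_text().strip()
    if sha256_hex(manifest_bytes) != expected:
        # The item list itself cannot be trusted, so stop here.
        return ["manifest.json: hash mismatch"]
    manifest = json.loads(manifest_bytes)
    listed = {"manifest.json", "manifest.sha256"}
    for item in manifest["items"]:
        listed.add(item["file"])
        path = pack_dir / item["file"]
        if not path.is_file():
            problems.append(f"{item['file']}: missing")
        elif sha256_hex(path.read_bytes()) != item["sha256"]:
            problems.append(f"{item['file']}: hash mismatch")
    for path in pack_dir.iterdir():  # files that were added after export
        if path.name not in listed:
            problems.append(f"{path.name}: not in manifest")
    return sorted(problems)


def demo() -> tuple:
    """Build a pack, verify it, then tamper with one item and then with the manifest hash."""
    pack = Path(tempfile.mkdtemp(prefix="evidence-pack-"))
    build_pack(pack, SAMPLE_ITEMS, "CASE-0001", "analyst1")
    clean = verify_pack(pack)
    (pack / "auth.log").write_bytes(b"edited after export\n")
    item_tampered = verify_pack(pack)
    (pack / "manifest.sha256").write_text("0" * 64 + "\n")
    manifest_tampered = verify_pack(pack)
    return clean, item_tampered, manifest_tampered
```

A hash over the manifest detects accidental or casual modification, but anyone who can rewrite both manifest.json and manifest.sha256 can recompute it; where tampering by a party holding the pack is in scope, the manifest hash has to be signed or recorded somewhere the pack holder cannot edit (a case record, a ticket, a signed report).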
ZelKill converts leads into cases, builds incident timelines, attaches evidence and tasks, tracks actions taken, and exports full case packages and reports.
ZelKill includes about 100 built-in response playbooks with step-by-step workflows across ransomware, phishing, brute force, lateral movement, persistence, C2, exfiltration, and cloud incidents, with approvals and evidence attachment.
The Action Broker is ZelKill’s response orchestration layer. It queues and tracks actions like blocking IPs/domains, isolating hosts, disabling users, scanning artifacts, and triggering automation playbooks, all with confirmations and audit trails.
ZelKill can recommend actions instantly, but execution requires explicit confirmation, a reason entry, linked evidence IDs, and audit logging. This keeps response safe and defensible.
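An added example (not ZelKill's Action Broker) of the gating rule described above: recommended actions are queued freely, but execution is refused unless the request carries an operator confirmation, a reason and evidence IDs that exist, and every outcome, including each refusal, goes to an append-only audit log. The class and method names, the action ID format and the stand-in executor for the blocking product are assumptions.

```python
"""Gating response actions on confirmation, reason and evidence
(added example, not ZelKill's Action Broker).

Class and method names are assumptions; the executors dict stands in for the
products that would actually block an IP or isolate a host.
"""
import itertools
from dataclasses import dataclass, field
from datetime import datetime, timezone


class ActionDenied(Exception):
    """Raised when an action is executed without the required justification."""


@dataclass
class ActionRequest:
    action: str                # e.g. "block_ip", "isolate_host", "disable_user"
    target: str
    reason: str = ""
    evidence_ids: list = field(default_factory=list)
    confirmed_by: str = ""     # empty until an operator explicitly confirms


class ActionBroker:
    def __init__(self, executors: dict, evidence_index: dict):
        self.executors = executors            # action name -> callable(target) -> str
        self.evidence_index = evidence_index  # known evidence IDs -> description
        self.queue = {}
        self.audit_log = []                   # append-only; never edited or pruned here
        self._ids = itertools.count(1)

    def _audit(self, action_id: str, event: str, **details) -> None:
        self.audit_log.append({"at": datetime.now(timezone.utc).isoformat(),
                               "action_id": action_id, "event": event, **details})

    def queue_action(self, req: ActionRequest) -> str:
        """Recommendations are queued freely; nothing runs yet."""
        action_id = f"ACT-{next(self._ids):04d}"
        self.queue[action_id] = req
        self._audit(action_id, "queued", action=req.action, target=req.target)
        return action_id

    def execute(self, action_id: str) -> str:
        """Run a queued action only if it is confirmed, justified and evidence-linked."""
        req = self.queue.get(action_id)
        if req is None:
            self._audit(action_id, "denied", problems=["unknown or already executed"])
            raise ActionDenied("unknown or already executed action")
        problems = []
        if not req.confirmed_by:
            problems.append("no confirmation")
        if not req.reason.strip():
            problems.append("no reason")
        if not req.evidence_ids:
            problems.append("no linked evidence")
        unknown = [e for e in req.evidence_ids if e not in self.evidence_index]
        if unknown:
            problems.append(f"unknown evidence: {unknown}")
        if req.action not in self.executors:
            problems.append(f"no executor for {req.action}")
        if problems:
            self._audit(action_id, "denied", problems=problems)
            raise ActionDenied("; ".join(problems))
        result = self.executors[req.action](req.target)
        del self.queue[action_id]   # one execution per action ID
        self._audit(action_id, "executed", by=req.confirmed_by, reason=req.reason,
                    evidence_ids=list(req.evidence_ids), result=result)
        return result


def try_execute(broker: ActionBroker, action_id: str) -> tuple:
    """Convenience wrapper: (True, result) or (False, denial message)."""
    try:
        return True, broker.execute(action_id)
    except ActionDenied as exc:
        return False, str(exc)


def make_demo_broker() -> ActionBroker:
    """Broker wired to a stand-in firewall executor and two known evidence IDs (constructed)."""
    return ActionBroker(
        executors={"block_ip": lambda ip: f"blocked {ip}"},
        evidence_index={"EV-1a2b3c": "5 failed then 1 successful ssh login from 203.0.113.7",
                        "EV-4d5e6f": "DNS lookup of xk3f9.example from web01"},
    )
```

Denied requests stay in the queue so the analyst can add the missing reason or evidence and retry; executed ones are removed so the same action ID cannot be replayed, and the audit entry for an execution records who confirmed it, why, and which evidence IDs justified it.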
ZelKill has native integrations with ZelAccess, ZelWall, ZelXDR, ZelSOAR, ZelScan, ZelMap, ZelPosture, Vulnerability Vines, ZelTester, ZelCloud, ZelDrift, ZelRank, ZelZero-Trust, and ZelExploits.
AINA is Rocheston’s AI intelligence layer integrated into ZelKill. It translates questions into hunt steps, analyzes evidence context, explains findings clearly, suggests pivots, and generates structured outputs and remediation plans.
Rather than handing the model unbounded raw data, ZelKill builds an evidence context pack from database queries: aggregates plus bounded representative samples, each carrying its evidence ID. Grounding the model in identified evidence reduces the risk of hallucination and keeps AI outputs traceable to the records behind them.
AINA Fractures are specialized modes like Threat Hunter, IOC Analyst, Ransomware Analyst, MITRE Mapper, Coverage Gap Advisor, Executive Brief Writer, and Remediation Planner, each with a strict output format and purpose.
Users can ask AINA questions like "Investigate this IP," "Build a kill chain timeline," or "Show coverage gaps," and receive structured results with evidence chips and pivot buttons.
ZelKill renders AI outputs into structured sections (Summary, Findings, Evidence, Pivots, Recommended Actions, Confidence, Next Questions) instead of dumping raw text. Evidence is always shown as clickable ID chips.
Report types include executive briefs, technical incident reports, IOC reports, MITRE mapping reports, threat graph reports, ransomware war room reports, hunt run summaries, telemetry health reports, coverage gap reports, and post-mortem reports.
Reports include report IDs, report hashes, manifest hashes, optional classification markings, and export bundles with verification instructions.
ZelKill can run scheduled hunts and generate alerts, notifications, and leads based on thresholds and anomaly rules.
ZelKill tracks ingestion job status, parser errors, event volume trends, and missing sources so that hunts are not run blind against incomplete telemetry.
All tenant data is stored with a user_id, and every query is scoped by it: each user sees only their own events, hunts, cases, evidence, reports, integrations, and AI history.
Roles such as Admin, Hunter, Analyst, Auditor, and Read-only control access to exports, actions, configuration, and sensitive features.
Users can enable TOTP-based 2FA and store backup codes securely.
Integration tokens, webhook secrets, and AI keys are stored encrypted at rest and never shown in plain text after saving. Changes are recorded in the audit log.
Users can upload ZIP/GZ incident bundles (web logs, auth logs, firewall/proxy logs, EVTX exports); ZelKill parses and normalizes them and builds investigations from the result.
Hunt results can be exported as CSV/JSON, added to the Evidence Locker, bundled into evidence packs, or converted into branded reports with integrity hashes.
Hunts can include thresholds (results > X, severity >= Y) that automatically create leads with the matching evidence attached.
Rocheston ZelKill is licensed exclusively to RCCE students as part of the Rocheston advanced cybersecurity training ecosystem.
Rocheston ZelKill is built by Haja Mo and is part of the Rocheston Zelfire Suite.
ZelKill is faster because it removes friction: universal ingestion, visual hunt building, prebuilt hunt packs, instant pivots, correlation, clean AI outputs, evidence integrity, and integrated orchestration, all in one flow.
ZelKill focuses on investigation speed and defensible conclusions: correlation, narratives, evidence packs, MITRE drilldowns, ransomware war room, and safe orchestration—without drowning users in disconnected dashboards.
Evidence hashing, chain-of-custody logging, branded reports with hashes, and export bundles are designed for defensible documentation and audit readiness.
ZelKill can recommend blocks, isolation, account actions, and playbooks, always tied to evidence and requiring confirmation before execution.
Users select an integration box, choose a connection method (API/webhook/syslog/SFTP/bucket/upload), test the connection, map fields if needed, schedule ingestion, and run it immediately to populate events.
The integration layer provides a full catalog of connectors, multiple ingestion methods, mapping templates, job scheduling, telemetry health monitoring, and the ability to ingest from SIEMs and raw infrastructure logs without lock-in.
Even when logs come from external SIEMs or systems, ZelKill can still orchestrate containment through Zelfire products (ZelWall, ZelXDR, ZelAccess, ZelSOAR) using the Action Broker.
Executive templates, the Executive Brief Writer fracture, branded report shells, and clean narratives make ZelKill output board-ready while still linking to technical evidence.
Connect 3 sources first: Apache/IIS web logs, Windows auth logs, and firewall/DNS logs. Then run Hunt Packs, enable scheduled hunts, and use AINA to guide pivots and produce evidence-linked reports.