SARA is a free AI security analyst by SIRP. Ask about threats, enrich IOCs, triage alerts, manage incidents, and automate response — all from chat.
+ button to attach files, take a screenshot, load a template, pick a skill, or toggle Research / Web search. See Composer.
+ button so you always know what's on.
Click the + button to the left of the chat input to open the composer menu. It collapses file uploads, templates, capability toggles, and skills into one place.
+ menu (New)
.eml, .pdf, .docx, .json, .csv, .txt, .html, .yaml, plus images (.png, .jpg, .gif, .webp). 5 MB per file.
Whatever you've turned on in the menu shows as a chip next to the + button. Click any chip to toggle it off.
No account required. Ask any cybersecurity question.
Paste IPs, hashes, domains, or URLs for instant threat intelligence from 8+ sources.
Paste the full email with headers. SARA runs 25+ checks: SPF/DKIM/DMARC, DKIM signing-domain mismatch, RFC 2047 encoding, invisible Unicode, Base64 URL decoding, and auto-generates a Sigma detection rule.
Supports JSON, CEF, LEEF, syslog, Windows Event Log, and Kibana/ELK formats. Auto-decodes Base64 payloads, maps MITRE ATT&CK chain, and generates Sigma rules.
When you analyze a phishing email or triage an alert, SARA auto-generates a copy-paste-ready Sigma detection rule matching the attack pattern. Validated syntax — deploy to your SIEM.
SARA accepts uploaded files and auto-extracts their content into the next message.
Emails: .eml, .msg. Documents: .pdf, .docx, .doc, .html, .md. Data: .json, .csv, .yaml, .xml, .log, .txt, .conf, .ini, .cfg. Images: .png, .jpg, .jpeg, .gif, .webp. Max 5 MB per file.
Drag & drop or pick via the + menu. SARA extracts text, shows a chip above the textarea, and sends the content with your next message. Large files are truncated to fit the context window.
Extracted text is scanned for prompt-injection patterns. When something unusual is detected, SARA logs and tags the upload but never silently rejects it — legitimate samples (phishing emails, pen-test reports, documented prompt-attack analyses) often contain instruction-looking phrases verbatim.
Use Take a screenshot from the + menu. Your browser asks which window or screen to capture, then SARA attaches the PNG. No desktop app required.
A skill is a reasoning preset that customizes how SARA investigates. Pick one from the + menu's Skills › submenu; it stays active across messages until you deactivate it.
An 8-step NIST SP 800-61 framework: header auth checks, From/Reply-To/Return-Path mismatches, URL + domain reputation, urgency / impersonation language, new-domain flags, and cross-reference with known campaigns.
PICERL methodology (Preparation → Identification → Containment → Eradication → Recovery → Lessons). SARA structures its answer around the current phase and suggests concrete next actions.
Hypothesis-driven evidence assessment. SARA turns your query into a falsifiable hypothesis, maps the hunt to MITRE ATT&CK, and flags contradicting evidence.
CVE deep dive with exploit + exposure check. CVSS vector breakdown, EPSS interpretation, KEV status, affected components, fix paths, and compensating controls.
Connect your OmniSense tenant in Settings to unlock live incident management.
Modifiers you can append to any agent command:
just show — display results in chat without writing to OmniSense.
assist mode — same as above; produces a draft analyst response you can review.
don't save — skip all tenant-side persistence (comments, attachments, status changes).
Execute containment actions and automate response workflows.
Update any incident field directly from chat: priority, severity, status, state, disposition, category, and comments.
Persistent analyst workbench with SARA as your co-analyst. Open Workspaces →
Auto-creates a workspace with IOCs, assets, and timeline pulled from OmniSense.
Pin IOCs with verdict / score, build timelines, map MITRE ATT&CK, keep analyst notes, link related incidents, set verdicts (TP / FP / Ongoing), export as Markdown or HTML. Templates: Malware, Phishing, Insider Threat, Ransomware.
Plan — SARA proposes an investigation plan you approve step-by-step. Edit — SARA drafts changes; you review before they apply. Auto — SARA executes investigation steps directly, flagging high-risk actions for confirmation.
Chat panel with full workspace context. Ask "Enrich all IOCs", "Analyze attack pattern", "Summarize investigation", or "What's missing?" IOCs SARA finds auto-pin to the canvas.
Live threat intelligence dashboard. Open Pulse →
Shift-change summary pulling together CISA KEV additions, NVD criticals (CVSS ≥ 9), EPSS movers, and live headlines from 20+ configured feeds.
Trending IOCs (24h), active ransomware groups (feeds ransomware.live + abuse.ch), community spotlight (SANS ISC + advisories), and a rotating "detection rule of the day".
MITRE ATT&CK technique trends, Sigma rule corpus, and KEV-to-technique mapping.
Auto-classified security headlines, CVE advisories, and vendor PSIRT bulletins. Sidebar tracks new KEV additions and top EPSS movers in real time.
Export any chat as a PDF report or Markdown. Share a read-only link to any conversation. The PDF includes a branded header, styled tables, verdict badges, and Sigma rules.
All chats save automatically to the sidebar. Group related sessions into Projects (Pro+) and rename any session on the fly.
Save frequently-used prompts as reusable templates. Click "Save" on any message, give it a name, and it appears as a pill above the composer.
Click the microphone button to dictate queries. Uses the browser's built-in speech recognition — no data sent to third parties.
Stop, regenerate, or copy any response mid-stream. Cancelled messages are clearly marked so you always know where you left off.
Toggle via the moon icon in the top bar. Follows your system preference by default.
Integrate SARA into your SOAR or SIEM. OpenAI-compatible endpoints. API docs →
Thumbs up / down on any response. Add an optional comment for context — it goes straight into SARA's quality-review pipeline.
How SARA handles your data, and what we do on the back end to keep responses honest.
Flip save_to_cloud off in the request body (or via the OmniSense embed's Cloud switch) to keep message content out of our trace logs. The query text is redacted to a sentinel so we still record latency / mode but never the raw input.
When Cloud is off, emails / IPs / hostnames are redacted before being sent to the LLM and fully masked in our audit trail.
A three-class prefilter (instruction extraction, raw attack payload, off-topic) short-circuits unsafe prompts before the LLM is called. Uploaded attachments are also scanned, tagged, and logged — but never silently rejected.
Every SARA response is scored against a gold-standard format contract (sections, MITRE pills, sigma rules, citations). Low-scoring responses surface in the admin dashboard for review.
Per-hour quotas by plan (see Plans). Anonymous users get a shared global budget; signed-in users get their own.
SARA Open routes simple queries through its own fine-tuned Llama-4 deployment and complex reasoning through Anthropic Claude. No OpenAI, no Google — see Privacy for the full list.
10 messages / hr. Basic IOC enrichment. 7-day chat history. No account required.
50 messages / hr. Web search. 7-day history. Sign in with a company email for a free 7-day Pro trial.
200 messages / hr. Full enrichment. OmniSense tenant connect. Custom plugins (5). API keys (3). Unlimited history.
500 messages / hr, per seat. Up to 5 seats per team. Everything in Pro. Custom plugins (20). API keys (10).