Precursor pre-protocol payload triage

precursor.hashdb.io

Find structure in raw payloads before protocol parsers exist.

Precursor tags, clusters, and prioritizes packet, log, and firmware payloads with one JSON-first CLI. It is built for early-stage triage where you need signal now, not after parser engineering.

Why Teams Use It

Precursor is the bridge between "we have weird bytes" and "we can confidently scope response or build deeper detection."

Security Ops

Collapse noisy probe traffic into families and rank suspicious payload clusters before writing full parser logic.

DFIR + Firmware

Tag binary fragments and filesystem magic quickly so analysts can prioritize which artifacts deserve deeper reverse engineering.

Detection Engineering

Start with Sigma/PCRE labeling, then use similarity + stats to refine into stable, explainable signal.

Workflow at a Glance

  1. Ingest: String, base64, hex, or raw binary blobs from stdin or folders.
  2. Label: Named PCRE captures (or Sigma selectors) become portable tags.
  3. Cluster: TLSH, LZJD, FBHash (optional MRSHv2 adapter) group near-neighbor payloads.
  4. Refine: `--stats` and protocol hints feed analyst/LLM refinement loops.
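The label and cluster steps in miniature, as an added Python example that is not Precursor's code or output format. The patterns, payloads, threshold and dictionary keys are constructed for illustration, and the distance is a simplified LZJD (exact Jaccard over Lempel-Ziv sets, without the min-hash sketch).

```python
import base64
import re
from collections import Counter

# Hypothetical patterns (not from the Precursor samples): each named
# capture group becomes the tag for a matching payload.
PATTERNS = [
    re.compile(rb"^(?P<http_request>(?:GET|POST|HEAD) \S+ HTTP/1\.[01])"),
    re.compile(rb"^(?P<ssh_banner>SSH-2\.0-[^\r\n]+)"),
    re.compile(rb"^(?P<squashfs_magic>hsqs)"),
]
# Constructed payloads, base64-encoded the way a capture export might be.
RAW = [b"GET /admin HTTP/1.1\r\nHost: a\r\n\r\n",
       b"GET /admin HTTP/1.1\r\nHost: b\r\n\r\n",
       b"SSH-2.0-OpenSSH_8.9\r\n",
       b"hsqs\x00\x01\x02\x03",
       b"\x01\x00PROBE-aaaa-0001",   # no pattern covers these two probes
       b"\x01\x00PROBE-aaaa-0002"]
SAMPLES_B64 = [base64.b64encode(p).decode() for p in RAW]

def tags_for(payload):
    """Names of every named capture group that matched the payload."""
    hits = (p.search(payload) for p in PATTERNS)
    return sorted(k for m in hits if m for k, v in m.groupdict().items() if v)

def lz_set(data):
    """Lempel-Ziv dictionary: each shortest not-yet-seen substring."""
    seen, start = set(), 0
    for end in range(1, len(data) + 1):
        if data[start:end] not in seen:
            seen.add(data[start:end])
            start = end
    return seen

def lzjd_distance(a, b):
    """Jaccard distance between the two LZ sets; 0.0 means identical sets."""
    sa, sb = lz_set(a), lz_set(b)
    union = sa | sb
    return 1.0 - len(sa & sb) / len(union) if union else 0.0

def triage(samples_b64, threshold=0.5):
    payloads = [base64.b64decode(s) for s in samples_b64]
    records = [{"id": i, "size": len(p), "tags": tags_for(p)}
               for i, p in enumerate(payloads)]
    families = []  # lists of payload ids; the first id is the representative
    for i, p in enumerate(payloads):
        home = next((f for f in families
                     if lzjd_distance(payloads[f[0]], p) <= threshold), None)
        families.append([i]) if home is None else home.append(i)
    stats = {"input": len(payloads), "families": families,
             "tags": dict(Counter(t for r in records for t in r["tags"]))}
    return records, stats
```

Calling `triage(SAMPLES_B64)` puts the two untagged probes in one family even though no pattern names them, which is the case where a new tag is worth writing.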

Interactive Scenario Explorer

Click a scenario to inspect command, real output, and run stats captured from public sample corpora.

Analyst Refinement Loop

This visual shows how adding targeted tags changes measurable signal across iterations, not just intuition.

LLM-Guided Discovery Demo

A local Codex CLI run consumed Precursor stats and sample NDJSON and proposed a new pattern; we then validated the command on the same corpus.

How to Read --stats

Input

Track payload volume and size distribution so performance regressions or capture shifts are obvious.

Match

See which tags dominate and whether new patterns add precision or just noise.

Compare + Environment

Validate similarity mode, distance behavior, and runtime context when sharing findings or benchmarking.

Install and Run in Under 60 Seconds

Quick Start

    cargo install precursor
    cat samples/scenarios/pre-protocol-packet-triage/payloads.b64 \
      | precursor -p samples/scenarios/pre-protocol-packet-triage/patterns.pcre \
          -m base64 -t -d --similarity-mode lzjd -P --protocol-hints --stats

Background inspiration and historical context: blog post 1 and blog post 2.