{"id":11809,"date":"2026-05-05T15:29:35","date_gmt":"2026-05-05T14:29:35","guid":{"rendered":"https:\/\/www.withsecure.com\/?p=11809"},"modified":"2026-06-04T06:36:29","modified_gmt":"2026-06-04T05:36:29","slug":"kanvas-ir-case-management-that-works-with-your-spreadsheet-sod","status":"publish","type":"post","link":"https:\/\/www.withsecure.com\/en\/resources-hub\/blog\/kanvas-ir-case-management-that-works-with-your-spreadsheet-sod\/","title":{"rendered":"Kanvas: IR case management that works with your spreadsheet (SOD)"},"content":{"rendered":"\n
\n
\n

\n Kanvas: IR case management that works with your spreadsheet (SOD)<\/span><\/h1>
\n
\n \n \n Incident Response <\/span>\n <\/span>\n \n 05 May, 2026 <\/span>\n <\/div>\n <\/div>\n <\/div>
\n
\n \"\" <\/figure>\n <\/div>\n <\/div>\n<\/section>\n\n\n\n
\n
\n

The spreadsheet never went away in IR. It just grew a pile of workarounds around it. Kanvas replaces the workarounds \u2013 timelines, network graphs, one-click reports and more \u2013 without replacing the spreadsheet.<\/p>\n

How Kanvas Solves the SOD Problem<\/h2>\n

The Spreadsheet of Doom (SOD) is a structured spreadsheet that Incident Response teams have used for over a decade to run active investigations. Tabs for scoped assets, evidence, IOCs, timelines and ATT&CK mapping, all in one file. It survived this long for one reason: it works without anything extra. Every analyst, Incident Response lead and CISO can open it on any machine and immediately understand what’s happening. Purpose-built IR platforms with custom databases and web UIs have come and gone. The SOD is still here.<\/p>\n

\"\"<\/p>\n

The SOD holds all the right data. But getting that data\u202fout\u202fof the SOD and\u00a0visualising\u00a0an\u00a0incident\u00a0timeline, lateral movement, or a\u00a0debrief\u00a0report requires\u00a0a\u00a0significant\u00a0amount of analyst time and every one of those handoffs is a source of friction, errors, and\u00a0delays.<\/p>\n

Why Kanvas does not try to replace the SOD<\/h2>\n

The SOD outlasted every tool built to replace it. It will outlast the next ones too. Kanvas<\/a> (open-source) doesn’t fight that. It treats the SOD as what it already is \u2013 the source of truth \u2013 and builds everything missing on top of it. Automated timelines. One-click network graphs. Reports that take minutes, not hours. No new infrastructure. No migration. Just the file format that already works, with the capabilities it was always missing. For IR teams who want tighter operational workflows without introducing new infrastructure risk, and who want to keep using the file format that has worked for a decade \u2013\u202fKanvas is the missing layer.<\/p>\n

\"\"<\/p>\n

There are great commercial and open-source case-management tools out there, but in practice many open-source projects eventually get dropped. When that happens, your data is locked into an application-specific format. Excel does not have that problem. The design principle was simple: define what any new tool absolutely had to avoid, and what it had to\u202fachieve. That brief is what makes Kanvas different from every previous attempt.<\/p>\n

\"\"<\/p>\n

The core of Kanvas tool is a spreadsheet, a few Markdown files and YAML config. No extra infrastructure, no complicated setup.\u202fIt runs on Windows, macOS, and Linux. Download it, open it, start working. The architecture is deliberately minimal. Case files are fully portable. Hand one to a colleague and they can open the\u202f.xlsx\u202fin any spreadsheet application without Kanvas installed. The tool adds workflow capability on top of universally readable, durable data formats.<\/p>\n

\"\"<\/p>\n

What if we could use the same Excel-based approach for IR case management\u00a0\u2013 with a UI that makes it easier to manage spreadsheets, handle workflows and note-taking\u00a0\u2013 all without switching between multiple tools?<\/h4>\n

Kanvas is built in Python\/Qt and works as a standalone desktop app. Download the release for your platform, point it at an existing SOD or start a new case everything works out of the box.<\/p>\n

\"\"<\/p>\n

Custom SOD templates are supported\u00a0as long as\u00a0the expected column structure is present\u00a0(as shown below). The full schema spec and compatible templates are on the GitHub page.<\/p>\n

\"\"<\/p>\n

Below are some of the key features that make\u00a0Kanvas\u00a0worth trying. Head over to the GitHub page for the complete\u00a0picture.<\/p>\n

\"\"<\/p>\n

Incident\u00a0timeline:<\/b>\u00a0Building an incident timeline manually from a spreadsheet is one of those tasks that sounds simple until\u00a0you’re\u00a0three hours deep, moving rows around and second-guessing the chronology.\u00a0Kanvas\u00a0generates the timeline automatically from the SOD. It pulls only the relevant events rather than dumping every row, segments them by day so the attack progression reads clearly and lets you export to PNG or CSV in a single click\u00a0\u2013 ready for a client report or debrief deck without any extra formatting work.<\/p>\n

\"\"<\/p>\n

Lateral\u00a0movement:<\/b>\u00a0Describing a complex lateral movement chain without a visual is a hard sell\u00a0\u2013 for the analyst\u00a0writing\u00a0the report and the client trying to understand what happened on their network.\u00a0Kanvas\u00a0generates the network graph automatically from the SOD. System types get matched to\u00a0icons,\u00a0so the diagram is readable\u00a0at a glance,\u00a0and the whole thing exports in one click\u00a0\u2013 ready to drop into a report or a debrief slide.<\/p>\n

\"\"<\/p>\n

\n

MITRE\u00a0ATT&CK\u00a0Flow\u00a0builder:<\/b>\u00a0Attack Flow\u00a0(MITRE Project<\/a>)\u00a0lets you map the sequence of adversary actions\u00a0observed\u00a0during an incident.\u00a0Kanvas\u00a0lets you build these flows directly from the case, add context around each TTP, and draw the connections that tell the full attack story. The output is interactive and embeddable for sharing threat intel, and exports as an image.<\/p>\n<\/div>\n

\"\"<\/a><\/div>\n
<\/div>\n

\nReporting: <\/b>The report output is a single self-contained HTML file. Every image is Base64-encoded and embedded directly\u00a0\u2013 no separate assets. Share it, archive it, or open it offline. One file is all you need.\u00a0File size scales with the number of images in your recommendations and investigation summary.<\/div>\n
<\/div>\n
<\/div>\n
\"\"<\/a><\/div>\n
<\/div>\n
\n

Kanvas\u00a0takes three inputs to generate a report: the SOD file, an optional recommendations file, and an optional investigation summary file. Both optional files are Markdown-based\u00a0\u2013 the recommendations file is reusable across multiple investigations, saving time on repeat engagement types.\u00a0From there, the report UI lets you choose and customise what gets included.<\/p>\n<\/div>\n

\"\"<\/a><\/div>\n

\nQuick Reference:\u00a0<\/b>Having the right reference material at hand during an investigation saves time when it matters most.\u00a0Kanvas\u00a0Quick Reference pulls from well-known open-source datasets and GitHub projects, surfacing them directly inside the tool.\u00a0When the upstream projects update, the data gets pulled into the\u00a0Kanvas\u00a0repository, keeping the references current.\u00a0Projects currently supported\u00a0are:<\/div>\n
<\/div>\n
\"\"<\/a><\/div>\n

Here is a quick summary of what\u00a0Kanvas\u00a0offers for incident response case management.<\/p>\n

\"\"<\/div>\n
\n

How Kanvas Solves the SOD Problem<\/h2>\n<\/div>\n

The next major addition is the Analysis Module.<\/p>\n

During an IR engagement, analysts regularly encounter high-volume log sources beyond standard forensic artefacts – Windows Event Logs, firewall logs, DNS exports, and more – often in CSV, JSON, or plain text format. Getting useful signal out of those files typically means standing up infrastructure like OpenSearch or Elasticsearch, which takes time.<\/p>\n

The Analysis Module removes that dependency. Large log files are converted to Parquet format, which reduces file size by 10x to 50x. Those files can then be queried locally using DuckDB – SQL directly against the data, no server required, no additional infrastructure, and the files stay in their original format throughout. It is a practical addition and we expect to ship it in a future Kanvas release.<\/p>\n

\"\"<\/a><\/p>\n

If you are using Claude Code for log analysis and surface interesting timeline events, you can instruct Claude Code directly to update the SOD file in the correct column format. This keeps the SOD as the\u00a0single source\u00a0of truth – no manual entry, no copy-paste between tools. Once the data is in the SOD, every\u00a0Kanvas\u00a0workflow picks it up automatically: timeline visualisation, lateral movement graph, ATT&CK mapping, and one-click reporting all reflect the updated case data without any\u00a0additional\u00a0steps.<\/p>\n<\/div>\n <\/div>\n<\/section>\n\n\n\n

\n
\n

\n Share this story <\/p>\n

\n \n \n
\n
\n \"\"

Blog<\/p>\n <\/div>\n

\n
\n
\n Incident Response<\/span>\n <\/div>\n <\/div>\n

Kanvas: IR case management that works with your spreadsheet (SOD)<\/h3>\n
\n Read more<\/a> <\/div>\n <\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/posts\/11809","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/comments?post=11809"}],"version-history":[{"count":7,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/posts\/11809\/revisions"}],"predecessor-version":[{"id":11910,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/posts\/11809\/revisions\/11910"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/media\/11812"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/media?parent=11809"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/categories?post=11809"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/tags?post=11809"},{"taxonomy":"content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/content_type?post=11809"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}