IterativeIR is built as a direct extension of Protocol SIFT's existing agent architecture (the "Direct Agent Extension" track). No new MCP servers, no multi-agent frameworks. The insight was that the hardest problem wasn't capability but verification. Claude Code can already run Volatility and Plaso. The missing piece was a system that checked whether it had done so correctly.
What we learned
Accuracy in autonomous DFIR isn't a prompt engineering problem. A longer, more detailed system prompt does not reliably reduce hallucinations — it just makes the model more confident when it hallucinates. The only reliable fix is a feedback mechanism that makes wrong answers cost something. The hallucination penalty in the scorer is what does this: each unanchored claim deducts from the score the agent needs to stop looping, creating a direct incentive to run the tool rather than infer the answer.
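A sketch of the penalty mechanism described above, added here as an illustration and not IterativeIR's actual scorer. The weights, the stop threshold, the `Claim` fields, the run ids and the sample tool output are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed weights and threshold; the page does not state the real values.
CLAIM_REWARD, HALLUCINATION_PENALTY, STOP_THRESHOLD = 1.0, 2.0, 3.0

@dataclass(frozen=True)
class Claim:
    text: str
    value: str                  # artifact the claim asserts (PID, IP, file name)
    tool_run_id: Optional[str]  # tool run cited as evidence; None if inferred

def is_anchored(claim, tool_outputs):
    """Anchored = the cited run exists AND its output contains the value."""
    output = tool_outputs.get(claim.tool_run_id) if claim.tool_run_id else None
    return output is not None and claim.value in output.split()

def score(claims, tool_outputs):
    """Return (score, unanchored_claims); each unanchored claim deducts."""
    unanchored = [c for c in claims if not is_anchored(c, tool_outputs)]
    anchored = len(claims) - len(unanchored)
    return (anchored * CLAIM_REWARD
            - len(unanchored) * HALLUCINATION_PENALTY), unanchored

def should_stop(claims, tool_outputs):
    """The agent may leave its loop only once the score clears the threshold."""
    return score(claims, tool_outputs)[0] >= STOP_THRESHOLD

# Constructed sample data (not real case output).
RUNS_PASS1 = {"vol-pslist-1": "4312 svchost.exe 612 2024-01-01T10:00:00"}
PASS1 = [
    Claim("svchost.exe runs as PID 4312", "4312", "vol-pslist-1"),
    Claim("its parent PID is 612", "612", "vol-pslist-1"),
    Claim("it connects out to 203.0.113.7", "203.0.113.7", None),  # inferred
    Claim("it loaded helper.dll", "helper.dll", "vol-pslist-1"),   # miscited
]
# Second pass: the agent ran the network plugin and dropped the miscited claim.
RUNS_PASS2 = dict(RUNS_PASS1)
RUNS_PASS2["vol-netscan-1"] = "4312 svchost.exe 203.0.113.7 443 ESTABLISHED"
PASS2 = PASS1[:2] + [
    Claim("it connects out to 203.0.113.7", "203.0.113.7", "vol-netscan-1")]

if __name__ == "__main__":
    for name, claims, runs in (("pass 1", PASS1, RUNS_PASS1),
                               ("pass 2", PASS2, RUNS_PASS2)):
        total, bad = score(claims, runs)
        print(name, total, [c.text for c in bad], should_stop(claims, runs))
```

The first pass scores below the threshold because one claim cites no tool run and another cites a run whose output does not contain the asserted value; only re-running the tool and citing its output lets the second pass stop.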
Built With
- protocolsift
- pydantic
- python
- vectordb
- vercel