THM - AppSec IR
Sep 22, 2025
A writeup for “AppSec IR” on TryHackMe
This article only covers the practical challenge.
An introduction into the overlapping worlds of AppSec and IR.
The challenge involves analyzing log files in order to answer some questions about a security incident.
Footprinting
In order to answer the questions, we need to connect to the machine and analyze the logs.
However, I suggest copying the log file to your host and processing it with jq, as it is in JSONL format.
# Copy the log file to your machine
scp appsecir@MACHINE_IP:/home/appsecir/Documents/Logs/application-incident-logs.jsonl logs.jsonl
# Parse it with jq
jq . logs.jsonl
Here are some commands that could be helpful:
# Print everything
jq . logs.jsonl
# Get only login requests
jq 'select(.path | test("/auth/login"))'…
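The same login filter as a small Python triage script, added here as an example and not part of the original writeup. It skips lines that are not valid JSON and records with no string `path`, which jq's `test` would stop on with an error. Only `path` comes from the writeup; the `ip` and `status` field names and the sample lines are constructed assumptions.

```python
import json
import re
from collections import Counter

# Constructed sample lines. Only "path" appears in the writeup; "ip" and
# "status" are assumed field names for illustration.
SAMPLE = """\
{"ip": "10.0.0.5", "path": "/auth/login", "status": 401}
{"ip": "10.0.0.5", "path": "/auth/login", "status": 401}
{"ip": "10.0.0.9", "path": "/api/items", "status": 200}
{"ip": "10.0.0.5", "path": "/auth/login?next=/admin", "status": 200}
{"ip": "10.0.0.7", "status": 500}
not json at all
{"ip": "10.0.0.9", "path": "/auth/login", "status": 200}
"""

def parse_jsonl(text):
    """Return (records, bad_line_numbers); one JSON object per line."""
    records, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            bad.append(n)  # keep the line number so it can be inspected by hand
            continue
        if isinstance(obj, dict):
            records.append(obj)
        else:
            bad.append(n)
    return records, bad

def select_path(records, pattern):
    """Like jq 'select(.path | test(pattern))', but skips non-string paths."""
    rx = re.compile(pattern)
    return [r for r in records
            if isinstance(r.get("path"), str) and rx.search(r["path"])]

def count_by(records, *keys):
    """Count records grouped by the given keys."""
    return Counter(tuple(r.get(k) for k in keys) for r in records)

if __name__ == "__main__":
    records, bad = parse_jsonl(SAMPLE)
    logins = select_path(records, r"/auth/login")
    print("unparseable lines:", bad)
    for (ip, status), n in count_by(logins, "ip", "status").most_common():
        print(ip, status, n)
```

To run it against the real file, replace `SAMPLE` with the contents of `logs.jsonl` and group by whichever fields the log actually contains.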