Where every log source agrees.
Drag in syslog, web logs, packet captures, and email threads. Loupe correlates them, finds the moment every source converges on the same root cause, and exports a hash-verified bundle your auditors will accept without revisions.
Timeline · 13:00 → 15:00
7,229 eventsFindings — 3 rules fired
- highweb.upstream.5xx_burst× 47
- highdb.connection_refused× 23
Events
| 14:02:41 | nginx | GET /api/orders → 502 upstream timeout | |
| 14:02:41 | syslog | pgsql[1924]: connection refused (db-primary) | |
| 14:02:42 | app | circuit_breaker.open service=orders | |
| 14:02:42 | eml | [oncall] paged: 5xx > 30/min sustained |
- Network calls
- Zero
- Chain of custody
- SHA-256
- Pricing
- One-time
Reports that survive the audit.
Every export is a sealed bundle: the rendered RCA, the IODEF machine-readable feed, the source CSV, and a SHA-256 chain that ties every claim back to the byte offsets in your raw logs. Auditors re-derive the chain in 30 seconds. No vendor lookups, no broken links.
- Each finding cites byte offsets in the original log files.
- Hash-chained audit log records every action taken on the case.
- PDF + IODEF XML + CSV ship together with Hashes.txt for verification.
- Recipient verifies with a single shasum -a 256 -c command.
db-outage-2026-04-27.loupebundle.zip
RCA.pdf: OK
Findings.iodef.xml: OK
…all 8 files OK
Built for serious investigations
Eight log formats. One signed report. Zero phone-homes.
Multi-source correlation
Drop in syslog, nginx, JSON Lines, .pcap, .eml. Loupe lines them up onto one timeline and surfaces the moments every source agrees on.
Eight log formats
RFC 5424 syslog, RFC 3164, Apache/nginx CLF + Combined, JSON Lines, RFC 5322 email, macOS unified log, libpcap captures.
100% on-device
No network.client entitlement. The OS itself prevents Loupe from talking to us — verifiable in tcpdump or via codesign -d.
Hash-verified bundles
SHA-256 chain of custody at ingest. Every claim cites byte offsets. Recipients run shasum -a 256 -c to confirm nothing was edited.
Five RCA templates
5 Whys, fishbone, fault tree, technical debrief, regulator-ready. Pre-formatted for the audience that's about to read it.
Apple Intelligence narrator
Optional on-device Apple Intelligence drafts the executive summary. Cited to your data, never sent to a vendor.
Three professions, one report format.
Engineering Managers
Postmortems your VPE will sign off on
Multi-source RCAs from your incident logs. Five RCA templates. Hash-verified so no one in legal questions whether the report was tampered with.
Consultants
Reports your customers can verify independently
Bundle the artifacts your customer can re-derive. Auditors love hashes; clients love a 4-page summary that holds up.
IT Auditors
Chain-of-custody bundles that hold up to review
IODEF-formatted findings. SHA-256 chain. Original log files preserved alongside the analysis. Compliance-ready out of the box.
No telemetry. No analytics. No phone-home.
Loupe ships without the com.apple.security.network.client entitlement. The macOS sandbox prevents the application from reaching any network endpoint, period. We can't get telemetry even if we wanted it. You don't have to trust us — verify yourself:
✓ no network.client entitlement found
Try Loupe for 14 days.
Full features. Real signed activation envelope. No card required.
Loupe is a Mac-native application distributed as a notarized Developer ID DMG (Apple Team 5UF3Q334K6). Requires macOS 26 or later. Loupe is not a SOC and not a SIEM — it is a desktop forensics workstation operated by a single skilled human. Optional on-device narrator requires Apple Intelligence-capable silicon.