Loupe
Documentation

Flow

Investigate a database outage.

The canonical Loupe case. You have four log sources from a recent production incident — nginx access logs, syslog from the app servers, structured app logs in JSON Lines, and the oncall email thread. Your job is to produce a one-page RCA that names the root cause, cites the evidence, and survives an audit.

1. Open a fresh case

⌘N opens the New Case sheet. Name it db-outage-2026-04-27 and pick the matching window — Loupe will use the case window to seed the timeline crop.

Cases are AES-256-GCM encrypted on disk with a per-case Keychain key. There's no "save" button; every action appends to the hash-chained audit log.

2. Drag in all four sources at once

Drag the four files into the sources sidebar. Loupe streams each through SHA-256 at ingest, detects the format, and runs the right parser. For this case:

  • nginx-access.log → combined-log parser
  • syslog.log → RFC 5424 parser (falls back to RFC 3164 automatically)
  • app.jsonl → JSON Lines parser (one event per line)
  • incident-thread.eml → RFC 5322 email parser (one event per message)

If a source landed with a wrong timezone (e.g. the app server emits UTC but the syslog stream is in PT), open Source → Adjust Clock and shift it. Loupe stores the offset as a TimestampAdjustment and re-derives the unified timeline.

3. Read the unified timeline

Switch the sidebar to All sources. The density chart at the top shows event volume binned by minute. The two bars dominating from 14:00–14:11 are the actual incident window.

Click-and-drag in the density chart to crop the table to that window. The event table now shows ~7,200 events from four sources, in chronological order.
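How steps 2 and 3 fit together, as an added example that is not Loupe's own code: three constructed sample lines (the .eml thread is left out, and only the RFC 3164 syslog fallback is parsed), a per-source clock offset standing in for the TimestampAdjustment, and the merged, minute-binned timeline the density chart is drawn from. The `ts` key in the JSON Lines events and the 2026 year for the syslog lines are assumptions.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines for three of the four sources (the .eml thread is left out).
NGINX = [
    '10.0.0.5 - - [27/Apr/2026:14:03:12 +0000] "GET /api/orders HTTP/1.1" 502 0 "-" "curl/8.0"',
    '10.0.0.5 - - [27/Apr/2026:14:04:02 +0000] "GET /api/orders HTTP/1.1" 503 0 "-" "curl/8.0"',
]
# RFC 3164 carries no zone; this host writes local PT (UTC-7 in April), hence the +7h adjustment.
SYSLOG = ['Apr 27 07:03:11 app1 postgres[812]: FATAL: connection refused']
APP_JSONL = ['{"ts":"2026-04-27T14:03:12Z","level":"error","msg":"db connect failed"}']
NGINX_TS = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]')
SYSLOG_TS = re.compile(r'^(\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ')

def parse_nginx(line):
    """Combined-log timestamp, e.g. [27/Apr/2026:14:03:12 +0000] -> aware datetime."""
    return datetime.strptime(NGINX_TS.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")

def parse_syslog_3164(line, year=2026):
    """RFC 3164 has no year or zone: year from the case window, zone provisionally UTC (fixed below)."""
    stamp = SYSLOG_TS.match(line).group(1)
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_jsonl(line):
    """JSON Lines event with an ISO-8601 'ts' field (assumed key name)."""
    return datetime.fromisoformat(json.loads(line)["ts"].replace("Z", "+00:00"))

SOURCES = {  # source name -> (parser, lines)
    "nginx-access.log": (parse_nginx, NGINX),
    "syslog.log": (parse_syslog_3164, SYSLOG),
    "app.jsonl": (parse_jsonl, APP_JSONL),
}
ADJUSTMENTS = {"syslog.log": timedelta(hours=7)}  # what Source -> Adjust Clock records

def unified_timeline(sources, adjustments):
    """Normalise every event to UTC, add its source's clock offset, merge chronologically."""
    events = []
    for name, (parser, lines) in sources.items():
        offset = adjustments.get(name, timedelta(0))
        for line in lines:
            events.append((parser(line).astimezone(timezone.utc) + offset, name, line))
    return sorted(events)  # ties at the same instant fall back to source name, then text

def density_by_minute(events):
    """Event volume per minute, the data behind the density chart."""
    bins = {}
    for ts, _, _ in events:
        bins[ts.strftime("%H:%M")] = bins.get(ts.strftime("%H:%M"), 0) + 1
    return bins
```

Without the adjustment the syslog event sorts seven hours early and the connection-refused line no longer lines up with the 502 it explains; with it, all three sources agree on 14:03.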

4. Read the findings panel

The Findings panel below the chart shows which detection rules fired during the cropped window. For this case, Loupe surfaces three:

  • high web.upstream.5xx_burst (47 events)
  • high db.connection_refused (23 events)
  • medium auth.token_expiry_clustering (8 events)

The auth.token_expiry_clustering rule is a coincidence in this case — the two high-severity rules fired in lockstep, starting from the same second. That's the multi-source agreement Loupe is designed to surface.

5. Pick an RCA template

Open the RCA editor (sidebar → right tab). Pick a template that matches your audience:

  • 5 Whys — for engineering postmortems, lightweight
  • Fishbone — for cross-functional postmortems with multiple contributing factors
  • Fault tree — for safety-critical or compliance reviews
  • Technical debrief — for the team that needs to fix the bug
  • Regulator-ready — for an external auditor (defaults to the IODEF schema)

For an auditor handoff, pick Regulator-ready. The template pre-fills sections from the rule fires; you fill in the narrative.

6. Optional — run the on-device narrator

With Apple Intelligence available, click the Narrator button. Loupe drafts an executive-summary paragraph based on the rule fires and your edits, with citations to specific events. Output stays on-device — no cloud round-trip.

The narrator is optional. The RCA is yours to write either way.

7. Export the bundle

File → Export Case Bundle (or the share button in the toolbar). Loupe writes a sealed .loupebundle.zip containing:

  • RCA.pdf — rendered report
  • Findings.iodef.xml — machine-readable findings
  • Events.csv — every event in the cropped window
  • Sources/* — original log files, unmodified
  • Audit.log — hash-chained mutation history
  • Hashes.txt — shasum -c verifier file
  • Manifest.json — license tier + Loupe version

Hand the entire .zip to your auditor. They confirm bytes match with shasum -a 256 -c Hashes.txt — see the recipient verification flow.

Done.

From drag-in to signed bundle is typically 8–12 minutes for a four-source case once you're comfortable with the templates. The most time-consuming step is writing the narrative — every mechanical step (correlation, hashing, citations, export) is automatic.