Welcome to the Falcon user manual.
Use the left navigation to open sections and jump to specific workflows.
Falcon is a comprehensive investigation management system (IMS) designed to support the full investigation lifecycle. All system activities are organized within a structured workflow based on Clients, Investigations, and Searches.
Workflow: Client → Investigation → Search
This allows users to start running searches immediately without additional setup.
To access Falcon, open the system URL, enter your login credentials, and then confirm access with the required Access Card code.
Go to the system login page.
Provide your login and password.
Enter the requested 8-digit code from the corresponding Access Card line.
After successful verification, the Dashboard opens automatically.
The Dashboard provides a role-based overview of key system information and available actions. The set of visible sections depends on the user role.
Displays the current status of core system servers, including Phoenix and Falcon.
Shows license limits and available resources, including clients, investigations, operators, and search queries.
Shows active searches and provides quick access to start a new search.
Summarizes investigation activity by status and provides an overview of operator roles.
The notification bell
displays system events relevant to the user role.
Databases search has been completed for query "[email protected] started by investigator_4l32a9z (investigator).
AI Summary search has been completed for query "[email protected]" started by investigator_2l9ds (investigator).
The Search List page is the main workspace for monitoring existing searches, filtering them, creating new searches, archiving completed results, and removing selected records.
| Default Columns | Description |
|---|---|
| Query | The phrase or value that was searched. |
| Scope | The source type: Databases, Logs, Documents, or Find in Investigation. |
| Created At | The date and time when the search was created. |
| Finish At | The date and time when the search completed. |
| Starter | The user who started the search. |
| Status | Pending, In Progress, Done, Canceled, or Problem. |
| Actions | Available actions such as cancel, progress, or open results. |
Every search moves through a defined status flow from creation to completion or failure.
The New Search page allows users to create and execute search queries within an investigation. All searches are performed within the context of a specific investigation, which serves as a container for related queries and results.
To start a search, the following fields must be completed:
Falcon supports multiple query types depending on the required search logic. Each type defines how the system processes and matches the provided query.
| Query Type | Description |
|---|---|
| Single | The primary query type used for searching a single value or phrase. Available across all Search Scope types. The matching mode (exact or partial) is controlled by the Search Accuracy setting. |
| OR |
Max three phrases combined using the OR operator.
Returns results where each result row contains at least one of the specified phrases. Available only for Search Scope: Databases and requires Search Accuracy: ON. |
| AND |
Two or three phrases combined using the AND operator with a defined distance ( from 1 to 300 characters).
All specified phrases must appear in each result row within the defined character distance. The distance parameter sets the maximum allowed number of characters between phrases and applies to all specified phrases. Example: [apple] [tree] [green leaves] [75] → Returns results where all phrases appear within 1–75 characters of each other, in any order like as: "The apple tree in the garden has bright green leaves during spring.". Available only for Search Scope: Databases and requires Search Accuracy: ON. |
| Search Scope | Description * |
|---|---|
| Databases |
Searches across database leak data.
Standard search supports all query variations, including usernames and free-form queries. Usernames: @username, username These are different queries with different results.Quick search is supported for the following data types:
|
| Logs |
Searches across leaked system and personal device snapshots. Capabilities:
|
| Documents |
Searches across OSINT-collected documents and files. Supported query formats:
Advanced query types (OR / AND) are not supported. |
* All data is sourced from publicly available open-source intelligence (OSINT).
Wildcard search allows partial matching using the * symbol.
* matches any single character or digit5345**67*87 — matches variations of numeric values (e.g. phone numbers)S**[email protected] — matches variations of the email username* replaces digits only* works only in the part before @Search Accuracy controls how precisely Falcon matches the provided query.
[ ], space, tab, or punctuation characters (e.g. ! " # $ % & ( ) , / : ; < = > ? \ ^ { | } ~ +).Examples:
[email protected] → returns only [email protected]+972543322211 → returns only +9725433222110543223444 → returns only 0543223444Examples:
[email protected] → may return:
mary.[email protected]fry.[email protected].br[email protected]3331234567 → may return:
+393331234567abc3331234567xyz8q037569ey580008877676755433333123456713489774hjfjjfj3331234567The Schedule setting defines when the search will be executed.
| Option | Behavior |
|---|---|
| Now | Runs immediately after submission. |
| Pick Date & Time | Runs once at the selected date and time. |
| Daily | Runs immediately, then every day at 00:00 UTC. |
| Weekly | Runs immediately, then every Monday at 01:00 UTC. |
| Monthly | Runs immediately, then on the 1st day of each month at 02:00 UTC. |
All scheduled executions are based on UTC.
The Upload a ".txt" file button allows you to import multiple search queries at once instead of entering them manually.
Supported separators:
,);)|)Behavior:
Example:
john smith jane doe [email protected], +1 234 567 890 company name; username123 passport number | tax id
The Search Results page displays the output of a completed search and provides tools for reviewing, filtering, analyzing, and exporting the data. Each search run generates a result set that can be explored through multiple tabs.
Provides key details about the executed search:
Each completed search execution is stored as a separate result file. For scheduled searches, multiple result files may be generated over time.
Displays up to 500 rows from the result file. Used for quick inspection of raw data without loading the full dataset.
Export: CSV, XLSX, PDF. A one-time share link can also be generated where permitted and remains valid for 24 hours.
Shows structured data extracted from the results (Phones, Emails, Domains, IPs, Card, BTC.) with occurrence counts.
Displays extracted credential data grouped by domain, including login-password pairs. Shows up to 500 rows.
Export: CSV, TXT.
Runs AI analysis on the result file data to generate a structured, human-readable summary.
Cost: 1 token per analysis.
| Role | Main Capabilities |
|---|---|
| License Owner | Full system access. Can manage license settings, clients, investigations, operators, and all searches within the license. |
| Curator | Includes Manager permissions and can create and edit operators. |
| Manager | Includes Investigator permissions and can create clients and investigations. |
| Investigator | Can create searches and view their own searches. |
The Clients module allows users to create and manage client profiles that can be linked to investigations and searches.
An Investigation is a central workspace used to organize all operational activity related to a specific case. It serves as a place to store case-related information and brings together all search queries performed within the investigation.
All searches in Falcon must be created within an investigation, making it the primary container for executing searches and managing results.
This feature helps the user locate a query inside completed search results within a selected investigation.
Use this function when you remember that a phrase appeared in one of the investigation results, but you do not know which search contains it.
| symbol is not allowed. Search show in the Search List and does not comsume tokens.AI Detective is an automated investigation workflow that performs search and analysis based on a single query. It simplifies the investigation process by automatically collecting and structuring relevant data.
The New AI Detective page allows creating a smart investigation based on a single query. The system automatically launches multiple related searches, aggregates the data, and structures the results for analysis.
The AI Detective Details page provides full information about a specific smart investigation, including its configuration, metadata, and execution status.
The AI Detective Results page displays processed data generated by the smart investigation. It provides a structured overview of key findings and visualizes relationships between entities discovered during automated searches.
Displays the most frequently identified data points extracted from all processed search results.
A visual relationship graph that shows connections between entities such as emails, phone numbers, and other extracted data.
New searches stay in Pending for up to 5 minutes before entering the processing queue. During this period, the request can still be canceled.
Archiving is available only for searches that have already finished successfully with the Done status.
OR and AND query types work only when Search Accuracy is enabled (ON).
With partial match enabled, Falcon can find the query inside longer strings and mixed alphanumeric values.