Disclosure: I maintain Open Investigator at Arvanta Cyber.
Most server incident response does not start with a clean incident narrative. It starts with a weak clue:
- one suspicious IP
- a weird login
- a possible WebShell
- a Java service behaving strangely
- a host that simply "looks wrong"
The risky part is jumping from that clue straight to remediation. Before killing processes, blocking IPs, deleting files, or restarting services, I want a local, reviewable evidence package.
The first-pass workflow I like
1. Search for the clue across local evidence
For an IP, that means auth logs, web access logs, reverse proxy logs, application logs, current network connections, and nearby timestamps.
2. Expand from evidence, not guesses
If the IP appears in web logs, look at paths, status codes, user agents, recent web-root changes, web-user processes, and outbound connections. If it appears in auth logs, look at failed and successful logins, account state, sudo activity, and shell history.
3. Keep the model inside a bounded tool catalog
The AI should not get raw production-changing authority. It can ask for investigation tools, but those tools should be read-only and audited.
4. Write artifacts a human can review
The output should not just be "the AI says this is compromised." I want:
- evidence.jsonl
- commands.log
- report.json
- report.md
That lets another responder challenge the conclusion, inspect evidence IDs, and continue the case.
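As an added illustration of the four steps above (not Open Investigator's code, and not tied to its CLI), here is a small Python first pass for one IP: it searches constructed auth and web access log lines, expands from what it finds (a successful login leads to a sudo check for that account, an accepted POST to a path/user-agent lead), routes every host access through a read-only tool catalog that refuses and records anything else, and writes evidence.jsonl, commands.log, report.json and report.md. The tool names, the sample log lines and the artifact layout are assumptions for the example.

```python
"""First-pass IP triage in the shape of the four steps above: search local
evidence, expand from what was found, keep the model inside a read-only tool
catalog, and write reviewable artifacts. Illustration only, not Open
Investigator's code; tool names and file layout are assumed."""
import json
import re
import tempfile
from pathlib import Path

# Constructed sample lines standing in for /var/log/auth.log (OpenSSH/sudo
# syslog format) and a web access log (combined log format).
AUTH_LOG = """\
Mar 10 02:14:01 web1 sshd[4021]: Failed password for invalid user admin from 1.2.3.4 port 51022 ssh2
Mar 10 02:14:09 web1 sshd[4021]: Failed password for root from 1.2.3.4 port 51022 ssh2
Mar 10 02:15:30 web1 sshd[4030]: Accepted password for deploy from 1.2.3.4 port 51040 ssh2
Mar 10 02:16:02 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; COMMAND=/bin/bash
Mar 10 03:00:00 web1 sshd[4100]: Accepted publickey for ops from 10.0.0.5 port 40000 ssh2
"""
ACCESS_LOG = """\
1.2.3.4 - - [10/Mar/2025:02:10:11 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
1.2.3.4 - - [10/Mar/2025:02:10:12 +0000] "POST /uploads/x.php HTTP/1.1" 200 88 "-" "python-requests/2.31"
10.0.0.5 - - [10/Mar/2025:02:30:00 +0000] "GET /health HTTP/1.1" 200 2 "-" "curl/8.0"
"""
SAMPLE_LOGS = {"auth": AUTH_LOG, "web": ACCESS_LOG}
SSH_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) (\w+) for (?:invalid user )?(\S+) from (\S+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*COMMAND=(.*)$")
WEB_RE = re.compile(r'^(\S+) .*?"(\w+) (\S+) [^"]*" (\d{3}) \d+ "[^"]*" "([^"]*)"')


class Case:
    """Evidence store, command audit trail, and the bounded read-only tool catalog."""

    def __init__(self, logs):
        self.logs = logs        # {"auth": text, "web": text}
        self.evidence = []      # every record gets an id another responder can cite
        self.commands = []      # every tool request, allowed or denied, is recorded
        self.catalog = {"grep_auth": self._grep_auth, "grep_web": self._grep_web,
                        "grep_sudo": self._grep_sudo}    # read-only tools only

    def run_tool(self, name, **args):
        """Step 3: the only path to the host; anything off-catalog is refused and logged."""
        status = "ok" if name in self.catalog else "denied"
        self.commands.append({"tool": name, "args": args, "status": status})
        if status == "denied":
            raise PermissionError(f"not in read-only catalog: {name}")
        return self.catalog[name](**args)

    def _add(self, source, line, **fields):
        rec = {"id": f"ev-{len(self.evidence) + 1:04d}", "source": source, "raw": line, **fields}
        self.evidence.append(rec)
        return rec

    def _grep_auth(self, ip):
        return [self._add("auth.log", ln, outcome=m[1].lower(), user=m[3])
                for ln in self.logs["auth"].splitlines()
                if (m := SSH_RE.search(ln)) and m[4] == ip]

    def _grep_sudo(self, user):
        return [self._add("auth.log", ln, user=m[1], command=m[2])
                for ln in self.logs["auth"].splitlines()
                if (m := SUDO_RE.search(ln)) and m[1] == user]

    def _grep_web(self, ip):
        return [self._add("access.log", ln, method=m[2], path=m[3], status=int(m[4]), ua=m[5])
                for ln in self.logs["web"].splitlines()
                if (m := WEB_RE.match(ln)) and m[1] == ip]


def expand(case, auth_hits, web_hits):
    """Step 2: follow-ups come from evidence records and cite their ids."""
    leads = []
    accepted = [h for h in auth_hits if h["outcome"] == "accepted"]
    for user in sorted({h["user"] for h in accepted}):
        sudo = case.run_tool("grep_sudo", user=user)    # account seen -> check its sudo activity
        leads.append({"lead": "successful_login", "user": user,
                      "evidence": [h["id"] for h in accepted if h["user"] == user]
                      + [s["id"] for s in sudo]})
    posts = [h for h in web_hits if h["method"] == "POST" and h["status"] < 400]
    if posts:
        leads.append({"lead": "accepted_post", "paths": sorted({h["path"] for h in posts}),
                      "user_agents": sorted({h["ua"] for h in posts}),
                      "evidence": [h["id"] for h in posts]})
    return leads


def investigate(ip, logs=SAMPLE_LOGS, outdir=None):
    """Steps 1 and 4: search for the clue, expand, then write the four artifacts."""
    case = Case(logs)
    auth_hits = case.run_tool("grep_auth", ip=ip)
    web_hits = case.run_tool("grep_web", ip=ip)
    leads = expand(case, auth_hits, web_hits)
    out = Path(outdir or tempfile.mkdtemp(prefix="case-"))
    out.mkdir(parents=True, exist_ok=True)
    report = {"ip": ip, "evidence_count": len(case.evidence), "leads": leads,
              "verdict": "needs_human_review", "outdir": str(out)}
    (out / "evidence.jsonl").write_text("".join(json.dumps(e) + "\n" for e in case.evidence))
    (out / "commands.log").write_text("".join(
        f"{c['status']}\t{c['tool']}\t{json.dumps(c['args'])}\n" for c in case.commands))
    (out / "report.json").write_text(json.dumps(report, indent=2))
    md = [f"# First pass: {ip}", f"Evidence records: {len(case.evidence)}", ""]
    md += [f"- {ld['lead']}: evidence {', '.join(ld['evidence'])}" for ld in leads]
    (out / "report.md").write_text("\n".join(md) + "\n")
    return case, report


if __name__ == "__main__":
    print(json.dumps(investigate("1.2.3.4")[1], indent=2))
```

Each lead in report.json points back to evidence IDs in evidence.jsonl, and commands.log shows exactly which read-only tools ran with which arguments, so a second responder can re-run the same greps and challenge the leads rather than the summary. The verdict field is fixed at "needs_human_review" on purpose: the script never decides the host is compromised.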
Where Open Investigator fits
Open Investigator is my Apache-2.0 implementation of this pattern. It runs locally on Linux and Windows hosts, exposes sealed read-only investigation tools for auth, process, network, persistence, services, web logs, Java clues, recent files, containers, packages, and history, and then writes a case report.
Example:
oi ip 1.2.3.4 -s 7d
Or a broader first pass:
oi scan -s 7d
The boundary is deliberate. It investigates, but it does not isolate hosts, block IPs, kill processes, delete files, disable accounts, restart services, or change firewall/registry state.
Practical walkthrough:
https://www.arvantacyber.com/open-investigator/articles/local-ai-server-incident-response/
Open-source repo:
https://github.com/SEc-123/open-investigator
Product page:
https://www.arvantacyber.com/open-investigator/
I would be interested in feedback from incident responders, Linux admins, SREs, and blue-team engineers: what evidence would you require before trusting a first-pass AI-assisted investigation report?