Source: dev.to (topic: ai-tools)

How I would use local read-only AI for first-pass server incident response

Arvanta Cyber has released Open Investigator, an Apache-2.0 licensed tool that uses local read-only AI to perform first-pass server incident response. The tool runs on Linux and Windows hosts, exposing sealed read-only investigation tools for auth logs, processes, network connections, and other evidence sources, then writes a case report without isolating hosts, blocking IPs, or killing processes. Open Investigator is designed to produce a reviewable evidence package that allows other responders to challenge conclusions and continue the investigation.

Published May 29, 2026 · 1 min read

Disclosure: I maintain Open Investigator at Arvanta Cyber.

Most server incident response does not start with a clean incident narrative. It starts with a weak clue:

The risky part is jumping from that clue straight to remediation. Before killing processes, blocking IPs, deleting files, or restarting services, I want a local, reviewable evidence package.

For an IP clue, that means auth logs, web access logs, reverse proxy logs, application logs, current network connections, and whatever else happened on the host around the same timestamps.

If the IP appears in web logs, look at the paths it requested, status codes, user agents, recent changes under the web root, processes running as the web server user, and outbound connections from the host. If it appears in auth logs, look at failed and successful logins, the state of the accounts involved, sudo activity, and shell history.

The model should never hold authority to change production state. It can request investigation tools, but each tool must be read-only, and every request it makes must be logged so a reviewer can see exactly what was asked.

The output should not just be "the AI says this is compromised." I want:

That lets another responder challenge the conclusion, inspect evidence IDs, and continue the case.
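Added example, mine rather than Open Investigator's code, of the pattern the last few paragraphs describe: an IP pivot across auth and web logs (the evidence sources listed above), a registry that is the only way the model can request a tool and records every request before allowing or refusing it, and a report in which every finding cites an evidence ID another responder can quote. The log lines are constructed, and the tool names (auth_log_ip, web_log_ip, sudo_activity), the Case type and the report fields are my assumptions, not the project's API.

```python
# Added example (not Open Investigator's code): sealed read-only tools with an audit
# trail, plus an IP pivot that returns numbered evidence. Log lines are constructed.
import re
from dataclasses import dataclass, field

# Constructed sshd/sudo lines in syslog auth.log format (not real data).
AUTH_LOG = """\
May 28 03:14:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
May 28 03:14:05 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51236 ssh2
May 28 03:15:10 web1 sshd[2240]: Accepted password for deploy from 203.0.113.7 port 51240 ssh2
May 28 03:16:00 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash
May 28 04:00:00 web1 sshd[2300]: Accepted publickey for ops from 198.51.100.9 port 40000 ssh2
"""
# Constructed nginx combined-format lines (not real data).
ACCESS_LOG = """\
203.0.113.7 - - [28/May/2026:03:10:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1523 "-" "python-requests/2.31"
203.0.113.7 - - [28/May/2026:03:10:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.9 - - [28/May/2026:03:12:00 +0000] "GET / HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.7 - - [28/May/2026:03:13:30 +0000] "GET /uploads/x.php HTTP/1.1" 200 64 "-" "curl/8.4"
"""
AUTH_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")
WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"')

@dataclass
class Case:
    audit: list = field(default_factory=list)     # every tool request, allowed or refused
    evidence: list = field(default_factory=list)  # (id, source, raw line), in collection order

    def add(self, source, line):
        """Keep the raw line verbatim under a stable ID (E001, E002, ...) a reviewer can quote."""
        ev_id = f"E{len(self.evidence) + 1:03d}"
        self.evidence.append((ev_id, source, line))
        return ev_id

# The only tools a model may invoke. Each reads text and appends evidence; none touches
# processes, firewall state, accounts or files.
READ_ONLY_TOOLS = {}

def read_only_tool(fn):
    READ_ONLY_TOOLS[fn.__name__] = fn
    return fn

def call_tool(case, name, **kwargs):
    """Single choke point for model tool requests: audit first, then allow or refuse."""
    case.audit.append((name, dict(kwargs)))
    if name not in READ_ONLY_TOOLS:
        raise PermissionError(f"{name!r} is not a sealed read-only tool")
    return READ_ONLY_TOOLS[name](case, **kwargs)

@read_only_tool
def auth_log_ip(case, ip, text=AUTH_LOG):
    """sshd accepted/failed logins from one IP."""
    hits = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m and m["ip"] == ip:
            hits.append({"id": case.add("auth.log", line), "result": m["result"], "user": m["user"]})
    return hits

@read_only_tool
def web_log_ip(case, ip, text=ACCESS_LOG):
    """Paths, status codes and user agents one IP produced in the access log."""
    hits = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m and m["ip"] == ip:
            hits.append({"id": case.add("access.log", line), "path": m["path"], "status": m["status"], "ua": m["ua"]})
    return hits

@read_only_tool
def sudo_activity(case, user, text=AUTH_LOG):
    """sudo commands by one account: the follow-up after an accepted login from the IP."""
    hits = []
    for line in text.splitlines():
        m = SUDO_RE.search(line)
        if m and m["user"] == user:
            hits.append({"id": case.add("auth.log", line), "cmd": m["cmd"]})
    return hits

def pivot_ip(ip):
    """First pass on an IP clue: auth log, web log, then sudo for any account it logged into."""
    case = Case()
    auth = call_tool(case, "auth_log_ip", ip=ip)
    web = call_tool(case, "web_log_ip", ip=ip)
    sudo = []
    for h in auth:
        if h["result"] == "Accepted":
            sudo += call_tool(case, "sudo_activity", user=h["user"])
    return {  # every finding cites an evidence ID; tool_calls shows exactly what was asked
        "ip": ip,
        "failed_logins": sum(1 for h in auth if h["result"] == "Failed"),
        "accepted_logins": [(h["user"], h["id"]) for h in auth if h["result"] == "Accepted"],
        "sudo": [(h["cmd"], h["id"]) for h in sudo],
        "web_paths": sorted({(h["path"], h["status"]) for h in web}),
        "user_agents": sorted({h["ua"] for h in web}),
        "evidence": case.evidence,
        "tool_calls": case.audit,
    }

if __name__ == "__main__":
    print(pivot_ip("203.0.113.7"))
```

Two design points worth copying: the audit entry is written before the allow/refuse decision, so a request for something outside the boundary (say, a process kill) still shows up in the case record as asked-and-denied; and the raw log lines are stored verbatim under the evidence IDs, so a second responder checks the conclusion against the lines themselves rather than against the model's paraphrase of them.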

Open Investigator is my Apache-2.0 implementation of this pattern. It runs locally on Linux and Windows hosts, exposes sealed read-only investigation tools for auth, process, network, persistence, services, web logs, Java clues, recent files, containers, packages, and history, and then writes a case report.

Example:

oi ip 1.2.3.4 -s 7d

Or a broader first pass:

oi scan -s 7d

The boundary is deliberate. It investigates, but it does not isolate hosts, block IPs, kill processes, delete files, disable accounts, restart services, or change firewall/registry state.

Practical walkthrough:

https://www.arvantacyber.com/open-investigator/articles/local-ai-server-incident-response/

Open-source repo:

https://github.com/SEc-123/open-investigator

Product page:

https://www.arvantacyber.com/open-investigator/

I would be interested in feedback from incident responders, Linux admins, SREs, and blue-team engineers: what evidence would you require before trusting a first-pass AI-assisted investigation report?
