{"slug": "how-i-would-use-local-read-only-ai-for-first-pass-server-incident-response", "title": "How I would use local read-only AI for first-pass server incident response", "summary": "Arvanta Cyber has released Open Investigator, an Apache-2.0 licensed tool that uses local read-only AI to perform first-pass server incident response. The tool runs on Linux and Windows hosts, exposing sealed read-only investigation tools for auth logs, processes, network connections, and other evidence sources, then writes a case report without isolating hosts, blocking IPs, or killing processes. Open Investigator is designed to produce a reviewable evidence package that allows other responders to challenge conclusions and continue the investigation.", "body_md": "Disclosure: I maintain Open Investigator at Arvanta Cyber.\n\nMost server incident response does not start with a clean incident narrative. It starts with a weak clue:\n\nThe risky part is jumping from that clue straight to remediation. Before killing processes, blocking IPs, deleting files, or restarting services, I want a local, reviewable evidence package.\n\nFor an IP, that means auth logs, web access logs, reverse proxy logs, application logs, current network connections, and nearby timestamps.\n\nIf the IP appears in web logs, look at paths, status codes, user agents, recent web-root changes, web-user processes, and outbound connections. If it appears in auth logs, look at failed and successful logins, account state, sudo activity, and shell history.\n\nThe AI should not get raw production-changing authority. It can ask for investigation tools, but those tools should be read-only and audited.\n\nThe output should not just be \"the AI says this is compromised.\" I want:\n\nThat lets another responder challenge the conclusion, inspect evidence IDs, and continue the case.\n\nOpen Investigator is my Apache-2.0 implementation of this pattern. It runs locally on Linux and Windows hosts, exposes sealed read-only investigation tools for auth, process, network, persistence, services, web logs, Java clues, recent files, containers, packages, and history, and then writes a case report.\n\nExample:\n\n```\noi ip 1.2.3.4 -s 7d\n```\n\nOr a broader first pass:\n\n```\noi scan -s 7d\n```\n\nThe boundary is deliberate. It investigates, but it does not isolate hosts, block IPs, kill processes, delete files, disable accounts, restart services, or change firewall/registry state.\n\nPractical walkthrough:\n\n[https://www.arvantacyber.com/open-investigator/articles/local-ai-server-incident-response/](https://www.arvantacyber.com/open-investigator/articles/local-ai-server-incident-response/)\n\nOpen-source repo:\n\n[https://github.com/SEc-123/open-investigator](https://github.com/SEc-123/open-investigator)\n\nProduct page:\n\n[https://www.arvantacyber.com/open-investigator/](https://www.arvantacyber.com/open-investigator/)\n\nI would be interested in feedback from incident responders, Linux admins, SREs, and blue-team engineers: what evidence would you require before trusting a first-pass AI-assisted investigation report?", "url": "https://wpnews.pro/news/how-i-would-use-local-read-only-ai-for-first-pass-server-incident-response", "canonical_source": "https://dev.to/sec123/how-i-would-use-local-read-only-ai-for-first-pass-server-incident-response-b96", "published_at": "2026-05-29 10:05:52+00:00", "updated_at": "2026-05-29 10:11:58.956120+00:00", "lang": "en", "topics": ["ai-tools", "ai-safety", "ai-agents", "artificial-intelligence", "ai-products"], "entities": ["Open Investigator", "Arvanta Cyber"], "alternates": {"html": "https://wpnews.pro/news/how-i-would-use-local-read-only-ai-for-first-pass-server-incident-response", "markdown": "https://wpnews.pro/news/how-i-would-use-local-read-only-ai-for-first-pass-server-incident-response.md", "text": "https://wpnews.pro/news/how-i-would-use-local-read-only-ai-for-first-pass-server-incident-response.txt", "jsonld": "https://wpnews.pro/news/how-i-would-use-local-read-only-ai-for-first-pass-server-incident-response.jsonld"}}