Open Investigator · Open-source AI server investigator

AI-driven server investigator for incident response and intrusion tracing.

Open Investigator turns login records, accounts, processes, network connections, persistence entries, Web logs, Java services, containers, packages, files, and command history into investigation context that AI can use. Start from an IP, account, path, web root, Java service, process, or anomaly description; the investigator plans checks, calls tools, correlates evidence, and produces a timeline and report.

Incident response · Intrusion tracing · AI evidence reasoning
AI-driven server investigator: incident clues, host evidence, AI follow-up, timeline, and investigation report.

Investigation coverage

It knows where to look on a suspicious server.

The product packages common server incident evidence into AI-callable investigation tools, so a vague alert can become a focused host investigation.

AUTH

Login and account evidence

Successful and failed logins, brute-force patterns, privileged users, sudo or admin indicators, SSH authorized keys, and account context.

PROC

Process and network evidence

Command lines, parent-child process context, temp-directory execution, interpreters, web-user shells, listeners, outbound connections, and remote-IP matches.

WEB

Web and Java evidence

Access and error logs, POST and upload activity, suspicious keywords, recent web-root changes, Java process options, javaagent, JDWP, JAR/WAR/JSP/CLASS changes, and memory-shell clues.

HOST

Persistence and environment evidence

Cron, systemd timers, services, scheduled tasks, Run/RunOnce, WMI, startup scripts, packages, containers, shell history, PowerShell history, and recent files.

AI understanding

It turns host signals into investigation context.

Clue interpretation: An IP, account, path, web root, Java service, process name, package change, or natural-language anomaly becomes an investigation scope and first hypothesis.
Cross-evidence correlation: The AI links login events to processes and network sessions, web requests to file changes, Java options to service context, and persistence entries to command history.
Timeline reconstruction: Evidence records are organized into a case timeline with findings, severity, confidence, affected host context, and supporting evidence IDs.
Report synthesis: The investigation produces Markdown and JSON reports that summarize what was found, what evidence supports it, and what the response team should review next.

AI investigation engine

Give AI a server-investigation toolbox.

Open Investigator exposes host evidence tools as OpenAI-compatible function calls. The model plans the next check from the current case context, receives compact observations, and continues until it can assemble a case narrative.

01

Input the incident clue

Start with a suspicious IP, account, URL path, web directory, Java process, service name, command, file path, or broad server anomaly.

02

AI chooses the next check

The AI can call IOC, auth, account, process, network, persistence, service, web, Java, memory-signal, file-recency, package, container, history, Linux, and Windows tools.

03

Evidence returns to the model

Each tool observation becomes fresh context, allowing the AI to narrow the question, branch into related evidence, and connect weak signals into a stronger finding.

04

Case artifacts are produced

The run creates case metadata, evidence JSONL, command audit records, a structured JSON report, and a readable Markdown investigation report.

Work loop

From alert clue to response-ready report.

1. Clue intake: Operators provide the clue they have: IP, account, process, path, web root, Java service, recent change, or natural-language alert summary.
2. Host evidence collection: The runtime gathers focused evidence across logs, accounts, process, network, persistence, web, Java, containers, packages, and history.
3. AI correlation: The model compares tool observations, builds the event chain, identifies suspicious joins, and decides which evidence category to inspect next.
4. Findings and timeline: Findings, supporting evidence IDs, risk level, confidence, affected components, and incident timeline are assembled into case output.
5. Report handoff: Markdown and JSON reports give the response team a shareable record for review, escalation, customer communication, or follow-up investigation.
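The tool loop described in steps 01 to 04 of the investigation engine section and in the work loop above, as an added illustration that is not code from the Open Investigator repository: two constructed collector functions (SSH authentication failures, web POST activity) and a web-root file listing are exposed through OpenAI-compatible function definitions; a scripted planner stands in for the model, every tool observation is recorded as an evidence record with an ID, and findings and a timeline are assembled that cite those IDs. The log lines, file path, IP addresses and tool names are all constructed for the example and do not describe the project's real collectors.

```python
"""Toy AI investigation tool loop: plan -> call tool -> record evidence -> re-plan -> report.
All sample data below is constructed for illustration, not captured from a real host."""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sshd log excerpt (ISO timestamps, as rsyslog's high-precision format writes them).
AUTH_LOG = """\
2024-05-04T09:58:01Z host sshd[811]: Failed password for root from 203.0.113.7 port 51234 ssh2
2024-05-04T09:58:04Z host sshd[811]: Failed password for root from 203.0.113.7 port 51236 ssh2
2024-05-04T09:58:09Z host sshd[811]: Failed password for deploy from 203.0.113.7 port 51240 ssh2
2024-05-04T10:02:41Z host sshd[812]: Accepted password for deploy from 203.0.113.7 port 51310 ssh2
2024-05-04T10:10:00Z host sshd[815]: Failed password for admin from 198.51.100.2 port 40000 ssh2
"""
# Constructed web access log excerpt (Common Log Format).
ACCESS_LOG = """\
203.0.113.7 - - [04/May/2024:10:05:12 +0000] "POST /admin/upload HTTP/1.1" 200 318
203.0.113.7 - - [04/May/2024:10:05:30 +0000] "GET /uploads/img.php HTTP/1.1" 200 64
198.51.100.2 - - [04/May/2024:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""
# Constructed listing of recently modified files under the web root: (path, mtime in UTC).
WEBROOT_RECENT = [("/var/www/html/uploads/img.php", "2024-05-04T10:05:13Z")]

AUTH_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+) port")
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def tool_auth_failed_logins(min_failures=3):
    """Source IPs with at least min_failures failed SSH logins, plus later successful logins from the same IP."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in AUTH_LOG.splitlines():
        m = AUTH_RE.match(line)
        if m:
            (failures if m[2] == "Failed" else successes)[m[4]].append({"ts": m[1], "user": m[3]})
    hits = [{"ip": ip, "failures": len(f), "users": sorted({x["user"] for x in f}),
             "first_ts": f[0]["ts"], "later_success": successes.get(ip, [])}
            for ip, f in failures.items() if len(f) >= min_failures]
    return {"brute_force_sources": hits}


def tool_web_post_activity(source_ip=None):
    """POST requests from the web access log, optionally restricted to one client IP."""
    posts = []
    for line in ACCESS_LOG.splitlines():
        m = CLF_RE.match(line)
        if m and m[3] == "POST" and source_ip in (None, m[1]):
            ts = datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
            posts.append({"ip": m[1], "ts": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "path": m[4], "status": int(m[5])})
    return {"posts": posts}


def tool_recent_webroot_files(after_ts):
    """Files under the web root modified at or after after_ts (ISO-8601 UTC, so string order is time order)."""
    return {"files": [{"path": p, "mtime": t} for p, t in WEBROOT_RECENT if t >= after_ts]}


# Tool registry: name -> (callable, JSON Schema for its arguments). Only names listed here may be executed.
TOOLS = {
    "auth_failed_logins": (tool_auth_failed_logins, {"type": "object", "properties": {"min_failures": {"type": "integer"}}}),
    "web_post_activity": (tool_web_post_activity, {"type": "object", "properties": {"source_ip": {"type": "string"}}}),
    "recent_webroot_files": (tool_recent_webroot_files, {"type": "object", "properties": {"after_ts": {"type": "string"}}, "required": ["after_ts"]}),
}


def openai_tool_specs():
    """Function definitions in the shape the OpenAI chat completions `tools` parameter accepts."""
    return [{"type": "function", "function": {"name": name, "description": fn.__doc__, "parameters": schema}}
            for name, (fn, schema) in TOOLS.items()]


def scripted_planner(clue, evidence):
    """Stand-in for the model: picks the next tool call from the evidence gathered so far.
    A real run sends each observation back to the model and parses its tool_calls instead."""
    if not evidence:
        return {"name": "auth_failed_logins", "arguments": {"min_failures": 3}}
    last = evidence[-1]
    if last["tool"] == "auth_failed_logins":
        srcs = [s for s in last["result"]["brute_force_sources"] if s["later_success"]]
        return {"name": "web_post_activity", "arguments": {"source_ip": srcs[0]["ip"]}} if srcs else None
    if last["tool"] == "web_post_activity" and last["result"]["posts"]:
        return {"name": "recent_webroot_files", "arguments": {"after_ts": last["result"]["posts"][0]["ts"]}}
    return None  # nothing more to check: stop the loop


def run_case(clue, planner=scripted_planner, max_steps=8):
    """Tool loop with an evidence ledger; returns findings and a timeline that cite evidence IDs."""
    evidence = []
    while len(evidence) < max_steps and (call := planner(clue, evidence)):
        fn, _ = TOOLS[call["name"]]  # KeyError for an unknown tool name rather than executing anything else
        result = fn(**call["arguments"])
        evidence.append({"id": f"EV-{len(evidence) + 1:04d}", "tool": call["name"],
                         "arguments": call["arguments"], "result": result})
    by_tool = {e["tool"]: e for e in evidence}
    auth, web, files = (by_tool.get(k) for k in ("auth_failed_logins", "web_post_activity", "recent_webroot_files"))
    findings, timeline = [], []
    for src in (auth["result"]["brute_force_sources"] if auth else []):
        followed = bool(src["later_success"])
        findings.append({"title": f"Password guessing from {src['ip']}" + (" followed by a successful login" if followed else ""),
                         "severity": "high" if followed else "medium", "evidence": [auth["id"]]})
        timeline.append({"ts": src["first_ts"], "event": f"{src['failures']} failed SSH logins from {src['ip']}", "evidence": auth["id"]})
        timeline += [{"ts": s["ts"], "event": f"login accepted for {s['user']} from {src['ip']}", "evidence": auth["id"]} for s in src["later_success"]]
    if web:
        timeline += [{"ts": p["ts"], "event": f"POST {p['path']} from {p['ip']}", "evidence": web["id"]} for p in web["result"]["posts"]]
    if web and files and files["result"]["files"]:
        findings.append({"title": "POST request followed by a new file under the web root", "severity": "high",
                         "evidence": [web["id"], files["id"]]})
        timeline += [{"ts": f["mtime"], "event": f"file modified: {f['path']}", "evidence": files["id"]} for f in files["result"]["files"]]
    timeline.sort(key=lambda e: e["ts"])
    return {"clue": clue, "findings": findings, "timeline": timeline, "evidence": evidence}


def evidence_jsonl(report):
    """One JSON object per line, the shape a case's evidence ledger file would take."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in report["evidence"])


if __name__ == "__main__":
    report = run_case("203.0.113.7")
    print(json.dumps({k: report[k] for k in ("clue", "findings", "timeline")}, indent=2))
    print(evidence_jsonl(report))
```

Two design points carry over to a real deployment: the registry lookup is the only path from a model-chosen name to executable code, so a hallucinated tool name fails closed, and every finding cites the evidence IDs it rests on, which is what lets a responder verify the report against the ledger rather than trust the narrative.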

Use cases

Built for server-side emergency response and tracing.

IR

Emergency response first pass

Quickly establish host posture after an alert: recent logins, suspicious processes, network connections, persistence, web activity, and service context.

TRACE

Intrusion tracing

Reconstruct possible entry point, execution path, privilege context, persistence route, outbound behavior, and timeline from local host evidence.

WEB

WebShell and web anomaly

Investigate web logs, upload and POST behavior, suspicious request keywords, recent JSP/PHP/ASP/JAR/WAR changes, web user processes, and outbound links.

JAVA

Java service investigation

Inspect Java processes, JVM options, javaagent, agentlib, JDWP, jps, jcmd command-line context, middleware logs, and memory-shell peripheral clues.

LOGIN

Suspicious login and account change

Review failed and successful login chains, source IPs, privileged users, SSH keys, sudo/admin indicators, and related process or network activity.

HOST

Persistence, container, package, and history review

Check scheduled jobs, services, startup entries, Docker/CRI/Kubernetes local state, package lists, recent files, shell history, and PowerShell history.

Searchable guides

Find the page that matches the incident question.

These focused pages help responders and search engines understand what Open Investigator can investigate and where it fits beside existing security tools.

Practical articles

Content people can find, read, and share.

These pages turn the product into practical technical material for responders, security engineers, SREs, and CTOs evaluating safe AI-assisted investigation.

Open-source project

A maintainable investigation engine for the community.

Apache-2.0 source: The repository contains the oi CLI, local investigation runtime, AI tool-loop implementation, collectors, docs, examples, and checks.
Contribution areas: Contributions are welcome around collector coverage, report quality, AI investigation behavior, platform compatibility, and operational documentation.
Project feedback: Use GitHub issues for feature requests and oi@arvantacyber.com for project feedback or sensitive reports.

Use Open Investigator to turn server clues into AI-assisted incident evidence.

Source, configuration, quick-use commands, security policy, and issue tracking live in the public repository.