Open Investigator · AI incident report checklist
How to review an AI incident report before acting on it.
An AI-assisted incident report is useful only when responders can trace each claim back to evidence and the commands that produced it, see where the evidence runs out, read the model's confidence separately from severity, and trust that the tool stayed inside a clear safety boundary.
Why it matters
Use this checklist when a team needs to decide whether an AI-assisted incident report is ready for human response review.
Start with the case artifacts
A useful Open Investigator run produces case.json, evidence.jsonl, commands.log, report.json, and report.md. Before acting on the report, check that the narrative can be traced back to those artifacts instead of relying on unsupported model text.
Check evidence IDs before conclusions
Every finding should point to evidence records, command observations, or explicit gaps. If a conclusion cannot be tied to evidence, treat it as a hypothesis for human review rather than an operational decision.
Review the command trail
commands.log should show bounded investigation activity: log reads, process and network inspection, account review, persistence checks, web evidence, Java context, and other read-only collection. Mutation commands do not belong in the AI investigation loop.
Read gaps as first-class output
Missing auth logs, rotated web logs, unreadable directories, absent endpoint coverage, or unverified hosts should be visible in the report. Gaps are not failures; they are the boundary of what the current evidence can support.
Separate confidence from severity
Severity is about potential business impact. Confidence is about how completely the evidence supports the claim. A high-impact suspicion with low confidence should trigger careful follow-up, not automatic remediation.
Keep action approval human
The report can recommend preserving logs, reviewing EDR alerts, checking adjacent systems, or escalating to an incident owner. It should not isolate hosts, kill processes, delete files, disable users, or change firewall rules by itself.
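The checks above, as an added example that is not part of Open Investigator's own code: a Python triage script that reads report.json, evidence.jsonl and commands.log, classifies each finding by whether its evidence references resolve and how confident the claim is, flags any state-changing command in the trail, surfaces gap records, and flags recommendations that read as actions rather than advice. The field names (findings, evidence_ids, confidence, severity, kind, recommendations) and the sample artifacts are constructed assumptions for illustration, not the project's documented schema; adjust the accessors to match what your oi version actually writes.

```python
"""Added review helper for Open Investigator case artifacts.

Assumption (not the project's documented schema): evidence.jsonl has one
JSON object per line with "id", "source", "observation" and an optional
"kind": "gap"; report.json has "findings" (each with "id", "claim",
"evidence_ids", "confidence", "severity") and "recommendations".
"""
import json
import re

# Constructed sample artifacts standing in for a real case directory.
EVIDENCE_JSONL = """\
{"id": "ev-001", "source": "auth.log", "observation": "12 failed ssh logins for root from 203.0.113.7"}
{"id": "ev-002", "source": "ss -tlnp", "observation": "/tmp/.x listening on 0.0.0.0:4444"}
{"id": "gap-001", "kind": "gap", "source": "nginx", "observation": "access.log rotated; nothing before 03:00"}
"""

COMMANDS_LOG = """\
tail -n 500 /var/log/auth.log
ss -tlnp
ps -eo pid,user,cmd
ls -la /etc/cron.d
"""

REPORT_JSON = json.dumps({
    "findings": [
        {"id": "f-1", "claim": "SSH brute force from 203.0.113.7", "evidence_ids": ["ev-001"], "confidence": "high", "severity": "medium"},
        {"id": "f-2", "claim": "Reverse shell implant in /tmp", "evidence_ids": ["ev-002"], "confidence": "low", "severity": "high"},
        {"id": "f-3", "claim": "Web shell uploaded through nginx", "evidence_ids": ["gap-001"], "confidence": "medium", "severity": "high"},
        {"id": "f-4", "claim": "Attacker pivoted to db-02", "evidence_ids": ["ev-999"], "confidence": "low", "severity": "high"},
        {"id": "f-5", "claim": "Credentials exfiltrated", "evidence_ids": [], "confidence": "medium", "severity": "high"},
    ],
    "recommendations": [
        "preserve /var/log/auth.log and /tmp/.x",
        "review EDR alerts for web-01",
        "isolate web-01 from the network",
    ],
})

# First word of a command that changes system state; none should appear in
# a read-only investigation loop. The list is illustrative, extend it locally.
MUTATING_CMD = re.compile(
    r"^\s*(?:sudo\s+)?(?:rm|kill|pkill|killall|iptables|nft|ufw|usermod|userdel|"
    r"passwd|chmod|chown|systemctl\s+(?:stop|disable|restart)|shutdown|reboot)\b"
)
# Recommendation verbs that are actions, not advice; these need a human owner.
ACTION_VERB = re.compile(r"^\s*(?:isolate|kill|delete|disable|block|quarantine)\b", re.I)


def load_evidence(jsonl):
    """Index evidence.jsonl by record id."""
    records = {}
    for line in jsonl.splitlines():
        if line.strip():
            rec = json.loads(line)
            records[rec["id"]] = rec
    return records


def mutating_commands(log):
    """Return trail lines that would change state; the expected result is []."""
    return [line for line in log.splitlines() if MUTATING_CMD.match(line)]


def action_recommendations(recs):
    """Return recommendations phrased as direct actions rather than advice."""
    return [r for r in recs if ACTION_VERB.match(r)]


def triage_finding(finding, evidence):
    """Classify one finding; returns (disposition, reason)."""
    ids = finding.get("evidence_ids", [])
    if not ids:
        return "unsupported", "no evidence cited; hypothesis for human review only"
    missing = [i for i in ids if i not in evidence]
    if missing:
        return "dangling", "cites evidence ids not in evidence.jsonl: %s" % ", ".join(missing)
    if all(evidence[i].get("kind") == "gap" for i in ids):
        return "gap_bounded", "only gap records cited; claim is beyond what evidence supports"
    if finding.get("confidence") == "low":
        return "follow_up", "severity %s with low confidence; collect more evidence, do not remediate" % finding.get("severity")
    return "supported", "evidence resolves; eligible for human action review"


def triage_report(report_json, evidence_jsonl, commands_log):
    """Run every check and return a dict a reviewer can read or assert on."""
    evidence = load_evidence(evidence_jsonl)
    report = json.loads(report_json)
    return {
        "mutating_commands": mutating_commands(commands_log),
        "action_recommendations": action_recommendations(report.get("recommendations", [])),
        "gaps": [r["observation"] for r in evidence.values() if r.get("kind") == "gap"],
        "findings": {f["id"]: triage_finding(f, evidence) for f in report["findings"]},
    }


if __name__ == "__main__":
    result = triage_report(REPORT_JSON, EVIDENCE_JSONL, COMMANDS_LOG)
    for fid, (disposition, reason) in result["findings"].items():
        print("%s: %s (%s)" % (fid, disposition, reason))
    print("gaps:", result["gaps"])
    print("mutating commands in trail:", result["mutating_commands"] or "none")
    print("recommendations needing a human owner:", result["action_recommendations"] or "none")
```

Run it against a real case directory by reading the three files into the string arguments. Note that the disposition order matters: a dangling or gap-only reference is reported before confidence is considered, because a claim whose evidence does not resolve is not a low-confidence claim, it is an unsupported one, and the severity field never promotes a finding past its evidence.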
Try it
git clone https://github.com/SEc-123/open-investigator.git
cd open-investigator
cargo build --release
./target/release/oi scan -s 7d
Open Investigator writes case artifacts such as case.json, evidence.jsonl, commands.log, report.json, and report.md so another responder can review the investigation path.