Open Investigator · Local AI incident response
Use a local AI investigator for read-only server incident response.
Incident response often starts with weak clues: a strange host, a suspicious IP, a possible WebShell, a Java service anomaly, or a login that does not feel right.
Why it matters
Use this guide when a team needs a practical first-pass server investigation workflow that keeps AI inside a read-only boundary.
The investigation model
Open Investigator is not EDR, SOAR, or a remediation system. Its job is narrower: take an incident clue to read-only host evidence, AI-guided follow-up, and a report that another responder can review.
Install and configure
Build from source with git clone and cargo build --release, then run ./target/release/oi. Without an API key, deterministic collectors still run; with an AI key, the sealed tool loop can plan follow-up evidence requests.
Run a broad first pass
Use oi scan -s 7d when the only clue is that a host looks strange. The runtime gathers a first-pass picture across logs, authentication, accounts, processes, network, persistence, web activity, Java services, containers, packages, history, recent files, and platform checks.
Ask the case in plain language
Use oi ask when the operator has a rough case description, such as a web server compromise suspicion or a Java service anomaly. The AI turns the description into bounded evidence requests and keeps observations tied to the case.
Branch from concrete clues
Use oi ip for suspicious addresses, oi web for WebShell and web anomalies, and oi java or oi mem for peripheral clues around Java services and memory shells. The useful result is evidence, gaps, confidence, and follow-up points rather than a magic clean-or-infected answer.
Know the boundary
Open Investigator deliberately does not isolate hosts, block IPs, kill processes, delete files, disable users, change services, modify firewall rules, or correlate across a fleet. Those actions belong in existing response systems and human-approved playbooks.
Try it
git clone https://github.com/SEc-123/open-investigator.git
cd open-investigator
cargo build --release
./target/release/oi scan -s 7d
Open Investigator writes case artifacts such as evidence.jsonl, commands.log, report.json, and report.md so another responder can review the investigation path.
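As an added example that is not Open Investigator's own code, the Rust check below is what a reviewer could run over the commands.log artifact to confirm that the tool loop stayed inside the read-only boundary described under "Know the boundary". The one-command-per-line log format, the deny-list of mutating programs, and the sample log are assumptions, not documented behaviour of the project.

```rust
// Added reviewer-side check (not Open Investigator code): flag commands recorded in
// commands.log that would leave the read-only boundary. Assumed format (not documented
// on the page): one shell command per line, lines starting with '#' are comments.

/// Programs that change host state. A deny-list is a first-pass reviewer check,
/// not a complete policy; extend it for the fleet's own tooling.
const MUTATING: &[&str] = &[
    "rm", "kill", "pkill", "killall", "iptables", "nft", "ufw",
    "userdel", "usermod", "passwd", "chmod", "chown", "shutdown",
];
/// Subcommands that turn systemctl/service from status queries into mutations.
const MUTATING_SUBCOMMANDS: &[&str] = &["stop", "disable", "restart", "mask", "kill"];
/// Program basename and first argument, skipping `sudo` and leading env assignments.
fn program_of(cmd: &str) -> Option<(&str, Option<&str>)> {
    let mut toks = cmd.split_whitespace().skip_while(|t| *t == "sudo" || t.contains('='));
    let prog = toks.next()?.rsplit('/').next()?;
    Some((prog, toks.next()))
}
/// True when the command would change host state rather than only read it.
pub fn is_mutating(cmd: &str) -> bool {
    // Writing or appending through a shell redirection is a mutation too.
    if cmd.contains(" >") || cmd.contains(">>") { return true; }
    match program_of(cmd) {
        Some(("systemctl" | "service", sub)) => sub.map_or(false, |s| MUTATING_SUBCOMMANDS.contains(&s)),
        Some((prog, _)) => MUTATING.contains(&prog),
        None => false,
    }
}
/// Audit a commands.log body; returns (1-based line number, command) per violation.
pub fn audit_commands_log(log: &str) -> Vec<(usize, String)> {
    log.lines().enumerate()
        .filter(|(_, l)| !l.trim().is_empty() && !l.trim_start().starts_with('#'))
        .filter(|(_, l)| is_mutating(l))
        .map(|(i, l)| (i + 1, l.to_string()))
        .collect()
}
/// Constructed sample commands.log, not real tool output.
pub const SAMPLE_LOG: &str = "# commands.log (constructed sample)
last -F
ss -tunap
systemctl status nginx
sudo iptables -A INPUT -s 203.0.113.7 -j DROP
kill -9 4242
";
fn main() {
    for (n, cmd) in audit_commands_log(SAMPLE_LOG) {
        println!("line {}: leaves the read-only boundary: {}", n, cmd);
    }
}
```

On the sample log the check reports the iptables and kill lines only; the status query and the read-only collectors pass.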