Open Investigator · Local AI incident response

Investigate a suspicious server with local AI and read-only evidence.

Open Investigator helps response teams start from a weak alert or a single clue (a suspicious IP, account, process, path, web root, Java service, or anomaly description), collect host evidence through sealed read-only tools, and write evidence-backed case reports.

Apache-2.0 · Read-only tools · AI evidence reasoning
AI-driven server investigator: incident clues, host evidence, AI follow-up, timeline, and investigation report.

Search intent

For searches like local AI incident response tool, AI server investigation, and AI DFIR first pass.

How it works

The tool runs on the host under investigation and exposes bounded collectors for auth, accounts, processes, network, persistence, services, web, Java, recent files, containers, packages, and command history. The AI can plan checks and correlate observations, but the product boundary stays investigation-only: no isolation, blocking, deletion, service restart, firewall change, registry change, or account disable.

Investigation boundary

Open Investigator collects and correlates evidence. It does not isolate hosts, block IPs, kill processes, delete files, disable accounts, restart services, or change firewall or registry state.

Practical workflow

Use it as a first-pass host investigation loop.

1. Start with the clue

Operators can ask about a suspicious IP, account, command, Java service, web path, recent file, or broad alert summary. The AI turns that clue into a scope, a set of hypotheses, and a first evidence path.

2. Collect read-only host evidence

Collectors gather host evidence without changing state. Open Investigator records each tool observation into evidence.jsonl and a command audit log, so every AI-assisted step can be reviewed later.

3. Produce report artifacts

The run produces Markdown and JSON reports with findings, timeline context, supporting evidence IDs, confidence, and human follow-up points.
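A post-run review script of the kind a responder would keep beside such a tool, as an added example that is not Open Investigator's own code. The page names evidence.jsonl, a command audit log and a JSON report but does not document their formats, so the layouts below are assumptions: one JSON object per evidence line with "id", "collector", "command" and "observation"; an audit log of ISO timestamp, tab, command; and a report whose findings cite "evidence_ids". The sample data is constructed inline. The script checks the two things the workflow above promises: that every audited command stayed read-only, and that every finding's evidence IDs resolve to recorded evidence.

```python
"""Review an AI-assisted host investigation run for boundary and traceability.

Added example, not Open Investigator code. Artifact layouts are assumptions;
all sample data is constructed for this example.
"""
import json
import re

# Constructed evidence.jsonl (hypothetical layout).
EVIDENCE_JSONL = """\
{"id": "ev-0001", "collector": "auth", "command": "last -F -n 50", "observation": "root login from 203.0.113.7 at 2024-05-01T02:14:09Z"}
{"id": "ev-0002", "collector": "process", "command": "ps -eo pid,ppid,user,etime,cmd", "observation": "pid 4412 /tmp/.x/kdevtmpfsi running as www-data"}
{"id": "ev-0003", "collector": "network", "command": "ss -tnp", "observation": "pid 4412 ESTAB to 203.0.113.7:4444"}
{"id": "ev-0004", "collector": "persistence", "command": "crontab -l -u www-data", "observation": "*/5 * * * * /tmp/.x/run.sh"}
"""

# Constructed command audit log (hypothetical layout: timestamp TAB command).
# The last line is deliberately a mutating command so the check has something to catch.
AUDIT_LOG = """\
2024-05-01T03:00:01Z\tlast -F -n 50
2024-05-01T03:00:02Z\tps -eo pid,ppid,user,etime,cmd
2024-05-01T03:00:03Z\tss -tnp
2024-05-01T03:00:04Z\tcrontab -l -u www-data
2024-05-01T03:00:05Z\tkill -9 4412
"""

# Constructed report JSON (hypothetical layout); ev-0009 is cited but never recorded.
REPORT_JSON = json.dumps({"findings": [
    {"title": "Reverse shell from /tmp/.x/kdevtmpfsi", "confidence": "high",
     "evidence_ids": ["ev-0002", "ev-0003"]},
    {"title": "Cron persistence for www-data", "confidence": "medium",
     "evidence_ids": ["ev-0004", "ev-0009"]},
]})

# Commands an investigation-only run is expected to issue (allow-list by prefix).
READ_ONLY_PREFIXES = (
    "last", "lastb", "who", "w", "ps", "ss", "netstat", "lsof", "cat", "ls", "stat",
    "find", "crontab -l", "systemctl list-units", "systemctl status", "journalctl",
    "getent", "dpkg -l", "rpm -qa", "docker ps", "docker inspect", "jcmd", "jps",
)

# Commands that cross the boundary the tool promises never to cross.
MUTATING_RE = re.compile(
    r"^(kill|pkill|rm|mv|chmod|chown|iptables|nft|ufw|usermod|userdel|passwd|"
    r"systemctl\s+(stop|restart|disable)|docker\s+(stop|kill|rm))\b"
)


def classify_command(cmd):
    """Return 'read-only', 'mutating' or 'unknown' for one audited command."""
    cmd = cmd.strip()
    if MUTATING_RE.match(cmd) or ">" in cmd:  # '>' covers shell redirection writes
        return "mutating"
    if any(cmd == p or cmd.startswith(p + " ") for p in READ_ONLY_PREFIXES):
        return "read-only"
    return "unknown"


def audit_violations(audit_log):
    """Return (timestamp, command, class) for every command that is not read-only."""
    out = []
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        ts, _, cmd = line.partition("\t")
        cls = classify_command(cmd)
        if cls != "read-only":
            out.append((ts, cmd, cls))
    return out


def load_evidence(jsonl_text):
    """Parse evidence.jsonl into {id: record}; duplicate IDs break traceability, so reject them."""
    records = {}
    for n, line in enumerate(jsonl_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["id"] in records:
            raise ValueError(f"duplicate evidence id {rec['id']} at line {n}")
        records[rec["id"]] = rec
    return records


def untraceable_findings(report_json, evidence):
    """Return {finding title: [evidence ids cited but absent from evidence.jsonl]}."""
    missing = {}
    for f in json.loads(report_json)["findings"]:
        gaps = [eid for eid in f.get("evidence_ids", []) if eid not in evidence]
        if gaps:
            missing[f["title"]] = gaps
    return missing


def review_run(evidence_jsonl=EVIDENCE_JSONL, audit_log=AUDIT_LOG, report_json=REPORT_JSON):
    """Run both checks and return a summary a human reviewer can act on."""
    evidence = load_evidence(evidence_jsonl)
    return {
        "evidence_count": len(evidence),
        "boundary_violations": audit_violations(audit_log),
        "untraceable_findings": untraceable_findings(report_json, evidence),
    }


if __name__ == "__main__":
    print(json.dumps(review_run(), indent=2))
```

Anything classified as "unknown" is not a violation by itself; it is a command the allow-list does not know, which is exactly what a reviewer should look at before trusting a report that cites it. Findings whose evidence IDs do not resolve should not be acted on until the gap is explained.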

Common searches

Queries this page answers: local AI incident response tool, AI server investigation, AI DFIR triage, and host incident response report. Each of these maps to the same thing: local, read-only host evidence and a reviewable incident report.

Run the open-source CLI from GitHub and start with oi scan -s 7d or a natural-language oi ask prompt.

The source, usage examples, contribution notes, and issue tracker live in the public Open Investigator repository.