Open Investigator · Boundary comparison

Open Investigator is a local host investigation tool, not a SIEM, SOAR, or EDR.

Teams often ask whether Open Investigator replaces existing detection and response tools. It does not. It sits in the first-pass investigation gap after a clue appears and before humans choose containment, remediation, or escalation.

Apache-2.0 · Read-only tools · AI evidence reasoning
AI-driven server investigator: incident clues, host evidence, AI follow-up, timeline, and investigation report.

Search intent

This page answers searches like Open Investigator vs SIEM, AI incident response vs SOAR, and local host investigation tool.

How it works

SIEM centralizes and searches telemetry. EDR monitors and can respond at endpoint scale. SOAR automates playbooks and actions. Open Investigator runs locally on a host, uses read-only collectors, lets AI correlate evidence, and writes auditable reports for human responders.

Investigation boundary

Open Investigator collects and correlates evidence. It does not isolate hosts, block IPs, kill processes, delete files, disable accounts, restart services, or change firewall or registry state.

Practical workflow

Use it as a first-pass host investigation loop.

01 · Use it after a clue

Start from an alert, IP, account, process, path, Java service, or vague anomaly that needs host-level evidence.

02 · Use it before remediation

The product deliberately avoids containment and cleanup actions so first-pass investigation can remain reviewable.

03 · Use it alongside platforms

Reports and evidence can support SIEM notes, incident tickets, customer communication, escalation, and manual remediation planning.

Common searches

Queries this page answers.

Open Investigator vs SIEM
AI incident response vs SOAR
local host investigation tool
read-only AI DFIR

For each of these searches, Open Investigator maps the intent to local, read-only host evidence and a reviewable incident report.

Use Open Investigator beside your existing SOC stack when the missing step is local, evidence-backed host triage.

The source, usage examples, contribution notes, and issue tracker live in the public Open Investigator repository.