DEV Community

Qimin Zhao


How I would use local read-only AI for first-pass server incident response

Disclosure: I maintain Open Investigator at Arvanta Cyber.

Most server incident response does not start with a clean incident narrative. It starts with a weak clue:

  • one suspicious IP
  • a weird login
  • a possible WebShell
  • a Java service behaving strangely
  • a host that simply "looks wrong"

The risky part is jumping from that clue straight to remediation. Before killing processes, blocking IPs, deleting files, or restarting services, I want a local, reviewable evidence package.

The first-pass workflow I like

1. Search for the clue across local evidence

For an IP, that means auth logs, web access logs, reverse proxy logs, application logs, current network connections, and whatever else happened on the host at nearby timestamps.

2. Expand from evidence, not guesses

If the IP appears in web logs, look at paths, status codes, user agents, recent web-root changes, web-user processes, and outbound connections. If it appears in auth logs, look at failed and successful logins, account state, sudo activity, and shell history.

3. Keep the model inside a bounded tool catalog

The AI should not get raw production-changing authority. It can call investigation tools, but every tool in the catalog should be read-only and every call should be logged so the trail can be audited later.

4. Write artifacts a human can review

The output should not just be "the AI says this is compromised." I want:

  • evidence.jsonl
  • commands.log
  • report.json
  • report.md

That lets another responder challenge the conclusion, inspect evidence IDs, and continue the case.
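Added example (not code from the original post or from the Open Investigator project): a minimal Python first pass that walks the four steps above on one IP. It searches two constructed log samples, pivots only on what the logs actually show (an accepted login leads to a sudo check, a POST to a script path leads to web-root and process pivots), refuses any tool outside a small read-only catalog, and writes evidence.jsonl, commands.log, report.json and report.md with evidence IDs. The log lines, the source names auth.log/access.log, and the tool names grep_auth/grep_web are assumptions made for the example.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed sample logs (not from any real host) standing in for /var/log/auth.log
# and a web access log; 1.2.3.4 is the clue IP used in the post's example.
AUTH_LOG = """\
Mar  3 02:14:07 web1 sshd[2211]: Failed password for invalid user admin from 1.2.3.4 port 51022 ssh2
Mar  3 02:14:09 web1 sshd[2211]: Failed password for invalid user admin from 1.2.3.4 port 51022 ssh2
Mar  3 02:15:40 web1 sshd[2230]: Accepted password for deploy from 1.2.3.4 port 51100 ssh2
Mar  3 02:16:02 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash
Mar  3 03:01:11 web1 sshd[2301]: Accepted publickey for ops from 10.0.0.5 port 40012 ssh2
"""
WEB_LOG = """\
1.2.3.4 - - [03/Mar/2024:02:10:01 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
1.2.3.4 - - [03/Mar/2024:02:10:05 +0000] "POST /uploads/x.php HTTP/1.1" 200 93 "-" "python-requests/2.31"
10.0.0.5 - - [03/Mar/2024:02:12:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+ "[^"]*" "([^"]*)"')

# Step 3: the bounded, read-only tool catalog. These are the only operations an
# investigation may invoke; nothing here kills, blocks, deletes or restarts anything.
TOOLS = {
    "grep_auth": lambda needle: [l for l in AUTH_LOG.splitlines() if needle in l],
    "grep_web": lambda needle: [l for l in WEB_LOG.splitlines() if needle in l],
}


class Case:
    """Collects evidence with stable IDs and an audit trail of every tool call."""

    def __init__(self, outdir):
        self.outdir = Path(outdir)
        self.evidence, self.commands = [], []

    def run(self, tool, arg):
        if tool not in TOOLS:  # anything outside the catalog is refused, never improvised
            raise PermissionError(f"tool not in read-only catalog: {tool}")
        self.commands.append(f"{tool} {arg}")  # commands.log gets every call, hit or miss
        return TOOLS[tool](arg)

    def add(self, source, raw, note):
        eid = f"E{len(self.evidence) + 1:03d}"
        self.evidence.append({"id": eid, "source": source, "raw": raw, "note": note})
        return eid

    def write_artifacts(self, report):
        # Step 4: artifacts a human can review and challenge.
        self.outdir.mkdir(parents=True, exist_ok=True)
        (self.outdir / "evidence.jsonl").write_text("".join(json.dumps(e) + "\n" for e in self.evidence))
        (self.outdir / "commands.log").write_text("".join(c + "\n" for c in self.commands))
        (self.outdir / "report.json").write_text(json.dumps(report, indent=2))
        md = [f"# First pass for {report['clue']}", ""] + [f"- {f}" for f in report["findings"]]
        md += ["", "## Evidence"] + [f"- {e['id']}: {e['note']}" for e in self.evidence]
        (self.outdir / "report.md").write_text("\n".join(md) + "\n")


def investigate_ip(ip, outdir):
    case = Case(outdir)
    report = {"clue": ip, "findings": [], "next_pivots": []}

    def pivot(hint):
        if hint not in report["next_pivots"]:
            report["next_pivots"].append(hint)

    # Step 1: search the clue across local evidence (auth log first, then web log).
    failed, accepted = 0, []
    for line in case.run("grep_auth", ip):
        if f"from {ip} " not in line:  # substring hit on a longer address, not our clue
            continue
        if "Failed password" in line:
            failed += 1
            case.add("auth.log", line, "failed login from clue IP")
        elif "Accepted" in line:
            user = line.split(" for ")[1].split()[0]
            accepted.append(user)
            case.add("auth.log", line, f"accepted login for {user} from clue IP")
    if failed or accepted:
        report["findings"].append(f"auth: {failed} failed, {len(accepted)} accepted login(s) {sorted(set(accepted))}")

    # Step 2: expand from evidence, not guesses: pivot only on accounts the logs show.
    for user in sorted(set(accepted)):
        sudo_lines = [l for l in case.run("grep_auth", user) if "sudo:" in l]
        for line in sudo_lines:
            case.add("auth.log", line, f"sudo by {user} after login from clue IP")
        if sudo_lines:
            report["findings"].append(f"sudo: {len(sudo_lines)} command(s) by {user}")
            pivot(f"account state and shell history for {user}")

    for line in case.run("grep_web", ip):
        m = WEB_RE.match(line)
        if not m or m.group(1) != ip:  # parse the client field instead of trusting the substring hit
            continue
        _, ts, method, path, status, ua = m.groups()
        case.add("access.log", line, f"{method} {path} -> {status} ua={ua} at {ts}")
        if method == "POST" and path.endswith(".php"):
            report["findings"].append(f"web: POST to script path {path}")
            for hint in ("recent web-root changes", "web-user processes", "outbound connections"):
                pivot(hint)

    report["evidence_ids"] = [e["id"] for e in case.evidence]  # conclusions cite evidence, not vibes
    case.write_artifacts(report)
    return report


def demo():
    """Run the first pass on the constructed logs into a temporary case directory."""
    return investigate_ip("1.2.3.4", tempfile.mkdtemp(prefix="case-"))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the structure is that the report never states more than the evidence list supports: every finding is backed by an evidence ID in evidence.jsonl, every pivot suggestion is derived from a line that was actually found, and commands.log shows a second responder exactly which read-only queries were run, so they can repeat them or widen the time window without trusting the summary.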

Where Open Investigator fits

Open Investigator is my Apache-2.0 implementation of this pattern. It runs locally on Linux and Windows hosts, exposes sealed read-only investigation tools for auth, process, network, persistence, services, web logs, Java clues, recent files, containers, packages, and history, and then writes a case report.

Example:

oi ip 1.2.3.4 -s 7d

Or a broader first pass:

oi scan -s 7d

The boundary is deliberate. It investigates, but it does not isolate hosts, block IPs, kill processes, delete files, disable accounts, restart services, or change firewall/registry state.

Practical walkthrough:
https://www.arvantacyber.com/open-investigator/articles/local-ai-server-incident-response/

Open-source repo:
https://github.com/SEc-123/open-investigator

Product page:
https://www.arvantacyber.com/open-investigator/

I would be interested in feedback from incident responders, Linux admins, SREs, and blue-team engineers: what evidence would you require before trusting a first-pass AI-assisted investigation report?
