Zing Forum


AI-IR Toolkit: An Offline AI-Driven Security Incident Response System

This article introduces the AI-IR Toolkit project, a fully offline, locally deployed AI-driven incident response system, and discusses how it combines the Gemma large model with Kali Linux security tools to enhance security response efficiency under strict human control.

Tags: Incident response, Offline AI, Gemma model, Kali Linux, Security tools, Human-AI collaboration, Local deployment, Cybersecurity
Published 2026-04-29 16:37 | Recent activity 2026-04-29 16:53 | Estimated read 7 min

Section 01

AI-IR Toolkit: Introduction to the Offline AI-Driven Security Incident Response System

This article introduces the AI-IR Toolkit project, a fully offline, locally deployed AI-driven incident response system. It combines the Gemma large model with Kali Linux security tools to enhance security response efficiency under strict human control, meet the special needs of high-security isolated environments, and explore a new paradigm of human-AI collaboration.


Section 02

Project Background: Challenges of Offline Environments and New Collaboration Paradigm

High-security environments (such as government, finance, and critical infrastructure) often use physical/logical isolation and prohibit external network access, making AI tools that rely on cloud APIs unusable. Traditional offline security tools have a steep learning curve and lack intelligent coordination; the AI-IR Toolkit proposes a new collaboration model: AI is responsible for reasoning and suggestions, while humans make decisions and execute actions, balancing the cognitive advantages of AI with humans' final control over critical operations.


Section 03

Technical Architecture: Offline Intelligent Integration of Gemma + Kali

  1. Local deployment of Gemma: The open-source model allows local operation, with no risk of sensitive information leakage, low latency, and no vendor lock-in;
  2. Kali Linux tool integration: The system deeply understands tool purposes, parameters, and output formats, and intelligently recommends tool combinations (e.g., nmap for reconnaissance, Volatility for forensics);
  3. Strict human control: AI only provides suggestions and does not execute operations automatically; manual confirmation is required to prevent errors, meet compliance requirements, and maintain analysts' capabilities;
  4. Offline knowledge base: Built-in security knowledge (attack characteristics, response processes, etc.), supports RAG retrieval, and is updated regularly via secure media.

Section 04

Core Functions: Intelligent Assistance for the Entire Incident Response Process

  1. Intelligent threat analysis: Analyzes attack types and threat levels based on observed phenomena, and recommends verification and containment measures;
  2. Tool recommendation and command generation: Recommends Kali tools based on tasks and generates commands with parameters;
  3. Output interpretation and next-step guidance: Interprets tool outputs, extracts key information, and suggests investigation directions;
  4. Response process orchestration: Assists in orchestrating the entire process (preparation, identification, containment, etc.) and provides checklists and operation suggestions.

Section 05

Key Challenges in Technical Implementation

  1. Local model performance optimization: Handling hardware limitations requires quantization to reduce memory usage, GPU-accelerated inference, or fine-tuning of small models;
  2. Knowledge base maintenance and update: Offline environments require secure update mechanisms (signed packages, physical media), while keeping retrieval efficient;
  3. False positive control and suggestion quality: Optimized through confidence thresholds, multi-model verification, and historical feedback;
  4. Audit and traceability: Records AI suggestions, human decisions, and tool executions to form a complete timeline for auditing.
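
An added example (not code from the AI-IR Toolkit project): one way to combine the strict human control described in Section 03 with the audit timeline in item 4 above. The names `AuditLog`, `run_with_approval`, the `approve` callback and the allowlist are hypothetical, and the hash chain is an assumed way of making the timeline tamper-evident.

```python
import hashlib, json, shlex, subprocess
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" of the first record

def digest(body):
    """SHA-256 over a canonical JSON encoding of one record body."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only timeline; each record commits to the one before it."""
    def __init__(self):
        self.records = []

    def append(self, kind, actor, detail):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        rec = {"seq": len(self.records), "kind": kind, "actor": actor,
               "ts": datetime.now(timezone.utc).isoformat(),
               "detail": json.loads(json.dumps(detail)),  # private copy
               "prev": prev}
        rec["hash"] = digest(rec)
        self.records.append(rec)

    def verify(self):
        """Return None if the chain is intact, else the index of the first bad record."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["seq"] != i or rec["prev"] != prev or rec["hash"] != digest(body):
                return i
            prev = rec["hash"]
        return None

def run_with_approval(log, suggestion, analyst, approve, allowed_tools):
    """Log the model's suggestion, then execute it only after an explicit human yes."""
    log.append("suggestion", "model", suggestion)
    argv = shlex.split(suggestion["command"])   # argv list only, never a shell string
    if not argv or argv[0] not in allowed_tools:
        log.append("decision", analyst, {"approved": False, "reason": "tool not allowlisted"})
        return None
    approved = approve(suggestion) is True      # anything but True means "no"
    log.append("decision", analyst, {"approved": approved})
    if not approved:
        return None
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=60)
    log.append("execution", analyst, {"argv": argv, "rc": proc.returncode,
               "stdout_sha256": hashlib.sha256(proc.stdout.encode()).hexdigest()})
    return proc.stdout

if __name__ == "__main__":
    log = AuditLog()  # constructed demo: a harmless command stands in for a Kali tool
    ask = lambda s: input(f"Run {s['command']!r}? [y/N] ").strip().lower() == "y"
    print(run_with_approval(log, {"command": "echo triage-start"}, "analyst1", ask, {"echo"}))
    print("chain intact:", log.verify() is None)
```

The chain detects edited or reordered records, but not truncation of the tail, unless the latest hash is also stored somewhere the log's writer cannot change.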

Section 06

Impact on the Security Industry: Empowering Isolated Environments and Standardized Responses

  1. Lower response threshold: Junior analysts can use AI to complete complex tasks, alleviating the shortage of security talent;
  2. Improve response consistency: Standardized processes avoid errors caused by differences in analyst experience;
  3. Support modernization of offline environments: Bring AI capabilities to isolated environments without sacrificing security isolation principles.

Section 07

Future Development: Multi-Model Collaboration and Security Knowledge Network

  1. Multi-model collaboration: Integrate specialized models (malware analysis, forensics, etc.) for dynamic selection or collaboration;
  2. Automated evidence collection: Automatically collect system snapshots and logs and generate timelines under human control;
  3. Collaborative knowledge sharing: Under secure mechanisms, different isolated networks share sanitized intelligence and experience to enhance overall situational awareness.

Section 08

Conclusion: Human-AI Collaboration Defines a New Paradigm for Security Response

The AI-IR Toolkit proves that AI can deliver value in offline environments while maintaining human control. This human-AI collaboration model (AI handles information and knowledge application, humans are responsible for judgment and decision-making) is the future direction of security operations, bringing modern AI tools to isolated environments to address increasingly complex security threats.