_______ __ _______
| | |.---.-..----.| |--..-----..----. | | |.-----..--.--.--..-----.
| || _ || __|| < | -__|| _| | || -__|| | | ||__ --|
|___|___||___._||____||__|__||_____||__| |__|____||_____||________||_____|
on Gopher (inofficial)
URI Visit Hacker News on the Web
COMMENT PAGE FOR:
URI Show HN: Syd â An offline-first, AI-augmented workstation for blue teams
codethief wrote 43 min ago:
Came here because I thought this might be related to [1] / [2] , which
has been discussed here on HN various times over the years.
URI [1]: https://git.sr.ht/~alip/syd
URI [2]: https://gitlab.exherbo.org/sydbox/sydbox
paul2495 wrote 13 min ago:
Thanks for the links different project though. Those are sandboxing
and syscall-monitoring tools, while my Syd is an offline AI assistant
built for security workflows (DFIR, pentesting, malware triage,
tool-output reasoning, etc.).
Completely unrelated codebases, just happens to share the same name.
paul2495 wrote 1 hour 5 min ago:
Author here. Happy to answer questions!
A bit more context on how Syd works: it uses Dolphin Llama 3
(dolphin-2.9-llama3-8b) running locally via llama-cpp-python. You'll
need about 12-14GB RAM when the model is loaded, plus ~8GB disk space
for the base system (models, FAISS index, CVE database). The full
exploit database is an optional 208GB add-on.
What makes this different from just wrapping an LLM, the core challenge
wasn't the AIâit was making security tools output data that an LLM
can actually understand tools like YARA, Volatility, and Nmap output
unstructured text with inconsistent formats. I built parsers that
convert this into structured JSON, which the LLM can then reason about
intelligently. Without that layer, you get
hallucinations and garbage analysis.
Current tool integrations:
- Red Team: Nmap (with CVE correlation), Metasploit, Sliver C2,
exploit database lookup
- Blue Team: Volatility 3 (memory forensics), YARA (malware
detection), Chainsaw (Windows event log analysis),
PCAP analysis, Zeek, Suricata
- Cross-tool intelligence: YARA detection â CVE lookup â patching
steps; Nmap scan â Metasploit modules ready-to-run commands
The privacy angle exists because I couldn't paste potential malware
samples, memory dumps, or customer network scans into ChatGPT without
violating every security policy. Everything runs on
localhost:11434âno data ever leaves your
machine. For blue teamers handling sensitive investigations or red
teamers on client networks, this is non-negotiable.
Real-world example from the demo syd scans a directory with YARA, hits
on a custom ransomware rule, automatically looks up which CVE was
exploited(EternalBlue/MS17-010), explains the matched API calls, and
generates an incident response workflowâall in about 15 seconds. That
beats manual analysis by a significant margin.
What I'd love feedback on:
1. Tool suggestions: What other security tools would you want
orchestrated this way? I'm looking at adding Capa(malware capability
detection) and potentially Ghidra integration.
2. For SOC/IR folks: How are you currently balancing AI utility with
operational security? Are you just avoiding
LLMs entirely, or have you found other solutions?
3. Beta testers: If you're actively doing red/blue team work and want
to try this on real investigations, I'm
looking for people to test and provide feedback. Especially
interested in hearing what breaks or what features are
missing.
The goal isn't to replace your expertiseâit's to automate the
tedious parts (hex decoding, correlating CVEs,explaining regex
patterns) so you can focus on the actual analysis. Think of it as
having a junior analyst who never gets tired of looking up obscure
Windows API calls.
Check out sydsec.co.uk for more info, or watch the full demo at the
YouTube link in the original post.
DIR <- back to front page