Show HN: Syd – An offline-first, AI-augmented workstation for blue teams

(sydsec.co.uk)

10 points by paul24952 hours ago

2 comments

codethief1 hour ago
Came here because I thought this might be related to <a href="https://git.sr.ht/~alip/syd" rel="nofollow">https://git.sr.ht/~alip/syd</a> / <a href="https://gitlab.exherbo.org/sydbox/sydbox" rel="nofollow">https://gitlab.exherbo.org/sydbox/sydbox</a> , which has been discussed here on HN various times over the years.
- paul249546 minutes ago
 Thanks for the links different project though. Those are sandboxing and syscall-monitoring tools, while my Syd is an offline AI assistant built for security workflows (DFIR, pentesting, malware triage, tool-output reasoning, etc.).Completely unrelated codebases, just happens to share the same name.
paul24951 hour ago
Author here. Happy to answer questions!A bit more context on how Syd works: it uses Dolphin Llama 3 (dolphin-2.9-llama3-8b) running locally via llama-cpp-python. You'll need about 12-14GB RAM when the model is loaded, plus ~8GB disk space for the base system (models, FAISS index, CVE database). The full exploit database is an optional 208GB add-on.What makes this different from just wrapping an LLM, the core challenge wasn't the AI—it was making security tools output data that an LLM can actually understand tools like YARA, Volatility, and Nmap output unstructured text with inconsistent formats. I built parsers that convert this into structured JSON, which the LLM can then reason about intelligently. Without that layer, you get hallucinations and garbage analysis.Current tool integrations: - Red Team: Nmap (with CVE correlation), Metasploit, Sliver C2, exploit database lookup - Blue Team: Volatility 3 (memory forensics), YARA (malware detection), Chainsaw (Windows event log analysis), PCAP analysis, Zeek, Suricata - Cross-tool intelligence: YARA detection → CVE lookup → patching steps; Nmap scan → Metasploit modules ready-to-run commandsThe privacy angle exists because I couldn't paste potential malware samples, memory dumps, or customer network scans into ChatGPT without violating every security policy. Everything runs on localhost:11434—no data ever leaves your machine. For blue teamers handling sensitive investigations or red teamers on client networks, this is non-negotiable.Real-world example from the demo syd scans a directory with YARA, hits on a custom ransomware rule, automatically looks up which CVE was exploited(EternalBlue/MS17-010), explains the matched API calls, and generates an incident response workflow—all in about 15 seconds. That beats manual analysis by a significant margin.What I'd love feedback on:1. Tool suggestions: What other security tools would you want orchestrated this way? I'm looking at adding Capa(malware capability detection) and potentially Ghidra integration. 2. For SOC/IR folks: How are you currently balancing AI utility with operational security? Are you just avoiding LLMs entirely, or have you found other solutions? 3. Beta testers: If you're actively doing red/blue team work and want to try this on real investigations, I'm looking for people to test and provide feedback. Especially interested in hearing what breaks or what features are missing.<pre><code> The goal isn't to replace your expertise—it's to automate the tedious parts (hex decoding, correlating CVEs,explaining regex patterns) so you can focus on the actual analysis. Think of it as having a junior analyst who never gets tired of looking up obscure Windows API calls. Check out sydsec.co.uk for more info, or watch the full demo at the YouTube link in the original post.</code></pre>