A bit more context on how Syd works: it uses Dolphin Llama 3 (dolphin-2.9-llama3-8b) running locally via llama-cpp-python. You'll need about 12-14GB RAM when the model is loaded, plus ~8GB disk space for the base system (models, FAISS index, CVE database). The full exploit database is an optional 208GB add-on.
What makes this different from just wrapping an LLM, the core challenge wasn't the AI—it was making security tools output data that an LLM can actually understand tools like YARA, Volatility, and Nmap output unstructured text with inconsistent formats. I built parsers that convert this into structured JSON, which the LLM can then reason about intelligently. Without that layer, you get
hallucinations and garbage analysis.
The privacy angle exists because I couldn't paste potential malware samples, memory dumps, or customer network scans into ChatGPT without violating every security policy. Everything runs on localhost:11434—no data ever leaves your
machine. For blue teamers handling sensitive investigations or red teamers on client networks, this is non-negotiable.
Real-world example from the demo syd scans a directory with YARA, hits on a custom ransomware rule, automatically looks up which CVE was exploited(EternalBlue/MS17-010), explains the matched API calls, and generates an incident response workflow—all in about 15 seconds. That beats manual analysis by a significant margin.
What I'd love feedback on:
1. Tool suggestions: What other security tools would you want orchestrated this way? I'm looking at adding Capa(malware capability detection) and potentially Ghidra integration.
2. For SOC/IR folks: How are you currently balancing AI utility with operational security? Are you just avoiding
LLMs entirely, or have you found other solutions?
3. Beta testers: If you're actively doing red/blue team work and want to try this on real investigations, I'm
looking for people to test and provide feedback. Especially interested in hearing what breaks or what features are
missing.
The goal isn't to replace your expertise—it's to automate the tedious parts (hex decoding, correlating CVEs,explaining regex patterns) so you can focus on the actual analysis. Think of it as having a junior analyst who never gets tired of looking up obscure Windows API calls.
Check out sydsec.co.uk for more info, or watch the full demo at the YouTube link in the original post.
Hey, I watched your video a few times and really like the idea. Is the inferencing being done on the CPU, do you support GPU as well?
The idea is solid and I like the direction you’re going with it, but the demo doesn’t really show it off. There’s a lot of jumping around in the UI and it’s hard to follow what’s happening without any audio. The interesting bit is right at the end when the rule gets generated, but it’s over so fast that you don’t really get a feel for what Syd is actually doing under the hood.
It was a bit hard to follow with no audio, just a simple “here’s the scan running, here’s the parser kicking in, here’s where the model steps in” kind of thing. Even speeding up the slower parts would make it easier to see the flow. Right now it feels more like a screen recording than a walkthrough. When you’ve spent hundreds of hours inside something it all feels obvious, but for someone seeing it for 3 minutes it’s tough to piece together what’s happening. Been there myself.
The automation angle you mentioned in the post is the part that really sells it. If the tool can take a directory, scan it, parse, correlate and then spit out the rule with almost no manual copying, that’s the kind of workflow improvement I (and maybe others?) care about. The video doesn’t quite show that yet, so it’s hard to judge how smooth the actual experience is.
I’m not against backing something like this, especially as it runs locally and handles the annoying parts. £250 is fine, but at the moment the payment page is just a Stripe form with no real signal that the thing is ready or actively maintained. A clearer demo, a roadmap, or even a short narrated “here’s the state of it today” would go a long way in building confidence.
Apologies if this comes across a bit direct. The idea is solid though. Local LLM + structured output from real security tools is genuinely useful. Keep going.
Really appreciate the detailed feedback—this is exactly what I need to hear.
GPU/CPU question: Yes, Syd supports both. It auto-detects CUDA if available and falls back to CPU if not. With GPU (tested on RTX 3060), inference runs at 30-50 tokens/sec. On CPU it drops to 5-10 tokens/sec, which is usable but noticeably slower for larger responses. The model is quantized (Q4_K_M) to keep VRAM requirements reasonable(6GB).
On the video: You're absolutely right Ive been staring at this for months and forgot what it looks like to someone seeing it fresh. The lack of audio and the jumpy editing makes it hard to follow the actual workflow there are more videos on the website 5 in total I'll
redo the demo with:
- Narration or at least on-screen captions explaining each step
- Slower pacing on the important bits (the parsing LLM rule generation flow)
- A clear "here's the input here's what Syd does here's the output" structure
- Maybe a side-by-side showing manual workflow vs. Syd's automation
The automation is the whole point—scan directory, hit YARA match, auto-parse, explain in plain English, suggest next steps—and the current video completely fails to demonstrate that smoothly.
On the payment page: Fair point. It's bare-bones right now because I've been heads-down on the tool itself, but that doesn't inspire confidence if you're considering backing it. I'll add:
- Current development status (what's working today vs. what's planned)
- Roadmap with realistic timelines
- Maybe a shorter "state of the project" video or changelog
- Clearer communication on what backers get and when you will recieve weekly or monthly updates and obviously ill answer any questions
Current state for transparency:
- Core features working: YARA, Nmap, Volatility, Metasploit, PCAP analysis with RAG-enhanced explanations
- 356k chunk knowledge base indexed and searchable
- Exploit/CVE database integrated
- GUI and CLI both functional
- Still refining: UX polish, additional tool integrations, documentation
I'm actively developing this (clearly evidenced by me responding to HN feedback at [current time 10:38am). The idea of local LLM + security tool orchestration is genuinely useful—I use it daily—but I need to do a better job showing how it's useful and building confidence that it's not vaporware.
Thanks for being direct. This kind of feedback makes the product better. I'll update the demo and payment page this week and can ping you when it's improved if you're interested. and if you sign up on the website thats a great way for me to keep in touch
Thanks for the links different project though. Those are sandboxing and syscall-monitoring tools, while my Syd is an offline AI assistant built for security workflows (DFIR, pentesting, malware triage, tool-output reasoning, etc.).
Completely unrelated codebases, just happens to share the same name.
A bit more context on how Syd works: it uses Dolphin Llama 3 (dolphin-2.9-llama3-8b) running locally via llama-cpp-python. You'll need about 12-14GB RAM when the model is loaded, plus ~8GB disk space for the base system (models, FAISS index, CVE database). The full exploit database is an optional 208GB add-on.
What makes this different from just wrapping an LLM, the core challenge wasn't the AI—it was making security tools output data that an LLM can actually understand tools like YARA, Volatility, and Nmap output unstructured text with inconsistent formats. I built parsers that convert this into structured JSON, which the LLM can then reason about intelligently. Without that layer, you get hallucinations and garbage analysis.
Current tool integrations: - Red Team: Nmap (with CVE correlation), Metasploit, Sliver C2, exploit database lookup - Blue Team: Volatility 3 (memory forensics), YARA (malware detection), Chainsaw (Windows event log analysis), PCAP analysis, Zeek, Suricata - Cross-tool intelligence: YARA detection → CVE lookup → patching steps; Nmap scan → Metasploit modules ready-to-run commands
The privacy angle exists because I couldn't paste potential malware samples, memory dumps, or customer network scans into ChatGPT without violating every security policy. Everything runs on localhost:11434—no data ever leaves your machine. For blue teamers handling sensitive investigations or red teamers on client networks, this is non-negotiable.
Real-world example from the demo syd scans a directory with YARA, hits on a custom ransomware rule, automatically looks up which CVE was exploited(EternalBlue/MS17-010), explains the matched API calls, and generates an incident response workflow—all in about 15 seconds. That beats manual analysis by a significant margin.
What I'd love feedback on:
1. Tool suggestions: What other security tools would you want orchestrated this way? I'm looking at adding Capa(malware capability detection) and potentially Ghidra integration. 2. For SOC/IR folks: How are you currently balancing AI utility with operational security? Are you just avoiding LLMs entirely, or have you found other solutions? 3. Beta testers: If you're actively doing red/blue team work and want to try this on real investigations, I'm looking for people to test and provide feedback. Especially interested in hearing what breaks or what features are missing.
The idea is solid and I like the direction you’re going with it, but the demo doesn’t really show it off. There’s a lot of jumping around in the UI and it’s hard to follow what’s happening without any audio. The interesting bit is right at the end when the rule gets generated, but it’s over so fast that you don’t really get a feel for what Syd is actually doing under the hood.
It was a bit hard to follow with no audio, just a simple “here’s the scan running, here’s the parser kicking in, here’s where the model steps in” kind of thing. Even speeding up the slower parts would make it easier to see the flow. Right now it feels more like a screen recording than a walkthrough. When you’ve spent hundreds of hours inside something it all feels obvious, but for someone seeing it for 3 minutes it’s tough to piece together what’s happening. Been there myself.
The automation angle you mentioned in the post is the part that really sells it. If the tool can take a directory, scan it, parse, correlate and then spit out the rule with almost no manual copying, that’s the kind of workflow improvement I (and maybe others?) care about. The video doesn’t quite show that yet, so it’s hard to judge how smooth the actual experience is.
I’m not against backing something like this, especially as it runs locally and handles the annoying parts. £250 is fine, but at the moment the payment page is just a Stripe form with no real signal that the thing is ready or actively maintained. A clearer demo, a roadmap, or even a short narrated “here’s the state of it today” would go a long way in building confidence.
Apologies if this comes across a bit direct. The idea is solid though. Local LLM + structured output from real security tools is genuinely useful. Keep going.
GPU/CPU question: Yes, Syd supports both. It auto-detects CUDA if available and falls back to CPU if not. With GPU (tested on RTX 3060), inference runs at 30-50 tokens/sec. On CPU it drops to 5-10 tokens/sec, which is usable but noticeably slower for larger responses. The model is quantized (Q4_K_M) to keep VRAM requirements reasonable(6GB).
On the video: You're absolutely right Ive been staring at this for months and forgot what it looks like to someone seeing it fresh. The lack of audio and the jumpy editing makes it hard to follow the actual workflow there are more videos on the website 5 in total I'll redo the demo with: - Narration or at least on-screen captions explaining each step - Slower pacing on the important bits (the parsing LLM rule generation flow) - A clear "here's the input here's what Syd does here's the output" structure - Maybe a side-by-side showing manual workflow vs. Syd's automation
On the payment page: Fair point. It's bare-bones right now because I've been heads-down on the tool itself, but that doesn't inspire confidence if you're considering backing it. I'll add: - Current development status (what's working today vs. what's planned) - Roadmap with realistic timelines - Maybe a shorter "state of the project" video or changelog - Clearer communication on what backers get and when you will recieve weekly or monthly updates and obviously ill answer any questionsCurrent state for transparency: - Core features working: YARA, Nmap, Volatility, Metasploit, PCAP analysis with RAG-enhanced explanations - 356k chunk knowledge base indexed and searchable - Exploit/CVE database integrated - GUI and CLI both functional - Still refining: UX polish, additional tool integrations, documentation
I'm actively developing this (clearly evidenced by me responding to HN feedback at [current time 10:38am). The idea of local LLM + security tool orchestration is genuinely useful—I use it daily—but I need to do a better job showing how it's useful and building confidence that it's not vaporware.
Completely unrelated codebases, just happens to share the same name.