Skip to content

What is ARCHER?

ARCHER is a local-first, agentic security operations, research project - exploring the Agentic AI development cycle. Specifically, the software runs on commodity hardware and stays within your security boundary. It handles the full operational scope of a professional security team. Currently it's skillset is limited to Penetration Testing, including reconnaissance, exploitation, hardening, threat hunting, and digital forensics. In the future ARCHER will expand out to 9 domains such as Threat Hunting, Digital Forensics, and System Hardening.

The Problem It Solves

Security operations at scale faces three problems that don't have good solutions today.

Breadth vs. Depth. A senior analyst who is expert in penetration testing may be slower in digital forensics. An expert threat hunter may not know the DISA STIG controls cold. The field has grown faster than any individual's ability to keep pace across all of it.

Volume vs. Quality. Modern environments generate more telemetry than any team can manually triage. AI tools exist to help with volume, but most produce output that can't be verified - findings without evidence, confidence scores without explanation, reports that don't satisfy audit requirements.

Automation vs. Accountability. Fully autonomous security tooling is a liability. An agent that can delete files, modify firewall rules, or attribute an attack to a specific nation-state without human authorization creates more risk than it removes.

ARCHER's answer to all four is the Centaur model.

How It Works

You give ARCHER a task in plain English. It routes the task to the appropriate skill domain, builds a focused system prompt with tactical guidance for that domain, and runs a local LLM in a structured loop:

  1. The model reasons about the current state of the investigation
  2. It generates a command to execute
  3. ARCHER executes the command and feeds structured output back
  4. The loop repeats until the objective is achieved or the halt discipline fires

Every command executed, every finding recorded, every dead end documented - all of it is logged to an immutable session record that any analyst can review, reproduce, and present to a regulator.

What Makes It Different

Local-first. The model runs on your hardware via Ollama. No data leaves the controlled environment during inference. No API key routes session data to a third party.

Standards-aligned. Each skill domain is built to its governing professional standards - PTES for penetration testing, ISO/IEC 27037 for digital forensics, CIS Benchmarks for hardening. Output is formatted to map directly to MITRE ATT\&CK and to satisfy NIS2 and DORA requirements on high-risk detections.

Human in command. ARCHER stages; you decide. It identifies threats and prepares responses. It does not execute irreversible actions without explicit authorization. It does not name threat actors. It does not modify forensic artifacts.

Extensible. The skill domain architecture is designed so new domains can be added without modifying the core agent. A contributor who has never spoken to the maintainer can follow the dispatcher contract and ship a working new domain.\ \ Lower Hardware Requirements. ARCHER runs on a single consumer GPU - currently an RTX 4060 Mobile with 8 GB VRAM - using a 14B parameter model via Ollama. No cloud compute, no GPU cluster, no data routed through a third-party API. This is a design constraint, not a temporary limitation. Building against restricted hardware forces the architectural decisions that make the system efficient: a tight context budget, structured output that eliminates parsing overhead, and a trained skill router that makes routing decisions in under 5ms. The hardware floor will drop further in V2 as domain-tuned models target 7B parameters per skill - fit for hardware that costs less than a month of most cloud AI subscriptions.