Inspiration

The modern Security Operations Center (SOC) is fundamentally broken. Analysts are drowning in a sea of false positives, suffering from severe alert fatigue, and struggling to piece together fragmented data across dozens of isolated security tools. By the time a human analyst manually correlates a suspicious login to a lateral movement event and finally to data exfiltration, the ransomware has already encrypted the domain.

We realized that defending against AI-powered, machine-speed attacks requires machine-speed defense. We were inspired to build SecureFlow AI—a completely autonomous, self-driving SOC that replaces manual triaging with a multi-agent AI workforce capable of investigating, graphing, and neutralizing threats in milliseconds.

What it does

SecureFlow AI is an enterprise-grade Autonomous Security Operations platform. It operates as a continuous background SOC, utilizing a team of 5 specialized AI agents:

  1. The Orchestrator: Triages incoming alerts and delegates tasks.
  2. The Investigator: Deep-dives into logs and anomalies.
  3. The Threat Intel Agent: Enriches IOCs and identifies APT groups.
  4. The GraphRAG Agent: Maps the blast radius of an attack using spatial memory.
  5. The Responder: Drafts and executes autonomous containment playbooks.

When a threat is detected, the agents communicate with each other in real-time. They map the attack path onto an interactive Knowledge Graph, compute the blast radius, map the incident to 5 major compliance frameworks (NIST, SOC2, etc.), and generate an Explainable AI (XAI) containment strategy for human approval.

How we built it

We built SecureFlow AI using a highly decoupled, scalable architecture:

  • Frontend: We used Next.js 18 and React to build a stunning, glassmorphism-inspired "War Room" dashboard. We utilized Recharts for live telemetry and built a custom interactive canvas to render the Knowledge Graph in real-time.
  • Backend: The core engine is built on Python and FastAPI, providing lightning-fast, asynchronous event ingestion.
  • The AI Brain: We utilized a dynamic LLM architecture (leveraging Gemini/Groq APIs) to power the autonomous agents.
  • GraphRAG Memory: We fused spatial and semantic memory. We used NetworkX to maintain an in-memory topological graph of the enterprise network, and ChromaDB coupled with Sentence Transformers (all-MiniLM-L6-v2) to provide persistent vector memory of past incidents.

To predict the blast radius of an attack before it happens, we implemented a custom Cascade Risk Algorithm on our Knowledge Graph. The risk \( R \) of a node \( v \) is calculated dynamically based on its intrinsic vulnerability \( I(v) \) and the weighted risk of its compromised neighbors \( N(v) \):

$$ R(v) = \alpha I(v) + (1 - \alpha) \sum_{u \in N(v)} w_{uv} R(u) $$

Where \( \alpha \) is a dampening factor (0.85) representing network segmentation, and \( w_{uv} \) is the edge weight representing the access privilege level between nodes.

Challenges we ran into

1. LLM Hallucinations in Cybersecurity: We quickly realized that standard LLMs are prone to hallucinating CVEs or suggesting dangerous remediation steps. We overcame this by implementing a rigid GraphRAG (Retrieval-Augmented Generation) pipeline. Agents are physically constrained to only draw conclusions based on exact sub-graphs queried from NetworkX and past alerts stored in ChromaDB.

2. Prompt Injection Attacks: Because our AI agents process raw, untrusted user inputs (like log strings and HTTP headers), they were highly vulnerable to Prompt Injection. We had to build a Self-Defending AI middleware layer—an 11-category defense heuristic that sanitizes and analyzes payloads before they ever reach the core LLM orchestration layer.

Accomplishments that we're proud of

We are incredibly proud of successfully merging Knowledge Graphs with Vector RAG. Traditional RAG struggles with cybersecurity because it loses the spatial relationship between IP addresses, users, and servers. By building a custom "GraphRAG Fusion" engine that queries both ChromaDB (for semantics) and NetworkX (for topology) simultaneously, our AI agents can "see" the entire attack path exactly how a human analyst would, resulting in zero hallucinations during our simulated ransomware attacks.

We are also extremely proud of the front-end design. Cybersecurity tools are notoriously ugly and hard to use; we managed to build a platform that feels like a modern, premium enterprise SaaS product while processing massive amounts of data under the hood.

What we learned

Building SecureFlow AI was a masterclass in orchestrating multi-agent systems. We learned that chaining LLM agents together is not just about prompt engineering; it requires strict data contracts, deterministic state management, and semantic caching to prevent cascading API timeouts.

We also gained deep empathy for SOC analysts. Modeling the MITRE ATT&CK kill chain and translating human intuition into programmatic AI workflows taught us just how incredibly complex enterprise network defense truly is.

What's next for SecureFlow AI

This hackathon was just the beginning. Our roadmap for SecureFlow AI includes:

  1. Live SIEM Connectors: Building native integrations to pull real-time streams from Splunk, Microsoft Sentinel, and CrowdStrike.
  2. Federated Threat Sharing: Allowing multiple organizations to share anonymized vector-embeddings of zero-day attacks, so if one company's SecureFlow instance detects a novel threat, every other instance is instantly immunized.
  3. Mobile CISO App: A push-notification-based mobile app allowing security leaders to approve or reject autonomous containment playbooks with a single swipe.

Built With

Share this project:

Updates