Inspiration

  • MongoDB is the most popular NoSQL database, yet most security tools ignore it entirely — they're built for SQL
  • After reading about breaches where attackers silently exfiltrated millions of records from unmonitored MongoDB instances, we asked: what if the database could defend itself?
  • We wanted three things no existing tool combines: real-time detection, AI-powered explanation, and tamper-proof blockchain evidence

What it does

  • Monitors multiple MongoDB databases in real time for suspicious activity (brute-force, privilege escalation, PII exfiltration, mass deletion, unauthorized access)
  • 7 rule-based detectors flag events as soon as the profiler poll picks them up and assign each one a severity level
  • Snowflake Cortex AI (Mistral-large2) analyzes each flagged event and explains why it's dangerous in plain English
  • SHA-256 hashes every piece of evidence and anchors the proofs on Solana devnet, giving a tamper-evident audit trail: anyone can recompute the hashes from the stored evidence and compare them with the anchored values, so any edit to the evidence is detected (devnet is Solana's test network, so the anchors themselves are not durable until a mainnet deployment)
  • Groups events into incidents with timelines, executive summaries, remediation checklists, and actor risk scores
  • Live dashboard with source filtering, severity charts, and one-click attack simulation
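
The rule engine described above, as an added example that is not VaultWatch's own code: four of the detector categories (brute-force, PII exfiltration, mass deletion, privilege escalation) run over a handful of constructed events shaped like mongod profiler / audit-log entries. The event field names, thresholds, collection list and severity labels are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events shaped like mongod profiler / audit-log entries.
# The field names (source, actor, op, ns, nreturned, ndeleted, command, roles)
# are assumptions, not VaultWatch's real schema.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "source": "prod-a", "actor": "svc_backup", "op": "auth_fail", "ns": "admin"},
    {"ts": "2024-05-01T10:00:20", "source": "prod-a", "actor": "svc_backup", "op": "auth_fail", "ns": "admin"},
    {"ts": "2024-05-01T10:00:40", "source": "prod-a", "actor": "svc_backup", "op": "auth_fail", "ns": "admin"},
    {"ts": "2024-05-01T10:01:00", "source": "prod-a", "actor": "svc_backup", "op": "auth_fail", "ns": "admin"},
    {"ts": "2024-05-01T10:01:20", "source": "prod-a", "actor": "svc_backup", "op": "auth_fail", "ns": "admin"},
    {"ts": "2024-05-01T10:03:00", "source": "prod-a", "actor": "analyst", "op": "query",
     "ns": "customers.pii_vault", "nreturned": 20000},
    {"ts": "2024-05-01T10:04:00", "source": "prod-b", "actor": "app_user", "op": "remove",
     "ns": "orders.archive", "ndeleted": 5000},
    {"ts": "2024-05-01T10:05:00", "source": "prod-b", "actor": "app_user", "op": "command",
     "ns": "admin", "command": "grantRolesToUser", "roles": ["root"]},
    {"ts": "2024-05-01T10:06:00", "source": "prod-a", "actor": "app_user", "op": "query",
     "ns": "inventory.items", "nreturned": 12},   # benign: small read of a non-PII collection
]

# Thresholds are illustrative assumptions; tune them per environment.
BRUTE_FORCE_THRESHOLD = 5          # failed logins by one actor on one source ...
WINDOW = timedelta(minutes=5)      # ... within this sliding window
PII_COLLECTIONS = {"customers.pii_vault", "finance.transactions"}
PII_READ_THRESHOLD = 500           # documents returned by a single query
MASS_DELETE_THRESHOLD = 1000       # documents removed by a single remove op
PRIV_COMMANDS = {"createUser", "grantRolesToUser", "updateUser"}
HIGH_ROLES = {"root", "userAdminAnyDatabase", "dbOwner", "clusterAdmin"}


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def _finding(rule, severity, source, actor, ts, detail):
    return {"rule": rule, "severity": severity, "source": source,
            "actor": actor, "ts": ts.isoformat(), "detail": detail}


def detect_brute_force(events):
    """BRUTE_FORCE_THRESHOLD or more failed logins by one actor on one source within WINDOW."""
    findings = []
    fails = defaultdict(list)
    for e in events:
        if e["op"] == "auth_fail":
            fails[(e["source"], e["actor"])].append(_ts(e))
    for (source, actor), times in fails.items():
        times.sort()
        start = 0
        for i, t in enumerate(times):           # sliding window over sorted timestamps
            while t - times[start] > WINDOW:
                start += 1
            if i - start + 1 >= BRUTE_FORCE_THRESHOLD:
                findings.append(_finding("brute_force", "high", source, actor, t,
                                         f"{i - start + 1} failed logins in {WINDOW}"))
                break                           # one finding per actor/source burst
    return findings


def detect_pii_exfiltration(events):
    """A single query pulling an unusually large number of documents from a PII collection."""
    return [_finding("pii_exfiltration", "critical", e["source"], e["actor"], _ts(e),
                     f"{e['nreturned']} docs read from {e['ns']}")
            for e in events
            if e["op"] == "query" and e["ns"] in PII_COLLECTIONS
            and e.get("nreturned", 0) >= PII_READ_THRESHOLD]


def detect_mass_deletion(events):
    """A single remove operation deleting more documents than the threshold."""
    return [_finding("mass_deletion", "high", e["source"], e["actor"], _ts(e),
                     f"{e['ndeleted']} docs deleted from {e['ns']}")
            for e in events
            if e["op"] == "remove" and e.get("ndeleted", 0) >= MASS_DELETE_THRESHOLD]


def detect_privilege_escalation(events):
    """A user-management command that hands out one of the high-privilege roles."""
    return [_finding("privilege_escalation", "critical", e["source"], e["actor"], _ts(e),
                     f"{e['command']} granting {sorted(set(e.get('roles', [])) & HIGH_ROLES)}")
            for e in events
            if e["op"] == "command" and e.get("command") in PRIV_COMMANDS
            and set(e.get("roles", [])) & HIGH_ROLES]


DETECTORS = [detect_brute_force, detect_pii_exfiltration,
             detect_mass_deletion, detect_privilege_escalation]


def run_detectors(events):
    """Run every rule over the same batch of events and return findings ordered by time."""
    findings = [f for det in DETECTORS for f in det(events)]
    return sorted(findings, key=lambda f: f["ts"])


if __name__ == "__main__":
    for f in run_detectors(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper():8}] {f['ts']} {f['rule']:22} {f['actor']}@{f['source']}: {f['detail']}")
```

The benign inventory read produces nothing, and the brute-force rule emits one finding per burst rather than one per failed login, which is what keeps the later incident grouping from drowning in duplicates.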

How we built it

  • Backend: Python / Flask with 7 modular blueprints (events, incidents, audit, sources, actors, scanner, live monitoring)
  • Frontend: React 19 + Vite + Tailwind CSS v4 — dark theme, responsive dashboard
  • Database: MongoDB 7.0 — also the thing we're protecting (meta!)
  • AI: Snowflake Cortex REST API → mistral-large2 model for threat analysis
  • Blockchain: Solana Web3 SDK on devnet for evidence anchoring
  • Deployment: Ubuntu VPS with nginx reverse proxy, systemd service, production seeded with 53,000+ documents across 8 collections

Challenges we ran into

  • Multi-source event routing — making the event generator, detector, and incident engine all properly tag and filter events from multiple independent MongoDB instances
  • Snowflake Cortex integration — the REST API required specific SQL-over-HTTP formatting with session parameters (a SNOWFLAKE.CORTEX.COMPLETE call submitted through the Snowflake SQL API); it took significant debugging to get mistral-large2 responding correctly
  • Solana transaction timing — blockchain confirmations added latency to the event pipeline; had to make proof anchoring async so the UI stays responsive
  • Incident grouping logic — correlating events across different actors, databases, and time windows into coherent incidents without false groupings
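
The incident grouping logic from the last bullet, as an added example that is not VaultWatch's own code: findings are keyed by (source, actor), a quiet gap longer than a fixed window closes the incident, each incident carries a timeline and the highest severity seen, and an actor risk score is summed across incidents. The 30-minute gap, the severity weights, and the constructed findings are assumptions; the two "false grouping" cases the challenge mentions (same actor on a different database, same actor hours later) are included to show they land in separate incidents.

```python
from collections import defaultdict
from datetime import datetime, timedelta

GAP = timedelta(minutes=30)   # assumption: a longer silence between findings starts a new incident
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed detector findings (shape is an assumption).
SAMPLE_FINDINGS = [
    {"rule": "brute_force", "severity": "high", "source": "prod-a", "actor": "svc_backup",
     "ts": "2024-05-01T10:01:20"},
    {"rule": "pii_exfiltration", "severity": "critical", "source": "prod-a", "actor": "svc_backup",
     "ts": "2024-05-01T10:09:00"},
    # same actor, different database: must NOT be merged with the prod-a incident
    {"rule": "mass_deletion", "severity": "high", "source": "prod-b", "actor": "svc_backup",
     "ts": "2024-05-01T10:10:00"},
    # same actor and database, three hours later: must start a new incident
    {"rule": "unauthorized_access", "severity": "medium", "source": "prod-a", "actor": "svc_backup",
     "ts": "2024-05-01T13:00:00"},
    {"rule": "privilege_escalation", "severity": "critical", "source": "prod-a", "actor": "app_user",
     "ts": "2024-05-01T10:05:00"},
]


def group_incidents(findings, gap=GAP):
    """Group findings into incidents keyed by (source, actor); a pause longer than `gap`
    between consecutive findings for the same key closes the incident."""
    by_key = defaultdict(list)
    for f in sorted(findings, key=lambda f: f["ts"]):
        by_key[(f["source"], f["actor"])].append(f)

    incidents = []
    for (source, actor), fs in by_key.items():
        current = None
        for f in fs:
            t = datetime.fromisoformat(f["ts"])
            if current is None or t - current["last_seen"] > gap:
                current = {"source": source, "actor": actor, "first_seen": t,
                           "last_seen": t, "timeline": [], "rules": set()}
                incidents.append(current)
            current["last_seen"] = t
            current["timeline"].append(f)
            current["rules"].add(f["rule"])

    for inc in incidents:
        inc["severity"] = max((f["severity"] for f in inc["timeline"]), key=SEVERITY_RANK.get)
        inc["id"] = f"INC-{inc['source']}-{inc['actor']}-{inc['first_seen']:%Y%m%dT%H%M%S}"
    return sorted(incidents, key=lambda i: i["first_seen"])


def actor_risk_scores(incidents):
    """Sum severity weights over every finding attributed to an actor, capped at 100."""
    scores = defaultdict(int)
    for inc in incidents:
        for f in inc["timeline"]:
            scores[inc["actor"]] += SEVERITY_RANK[f["severity"]] * 10
    return {actor: min(100, s) for actor, s in scores.items()}


def summarize(inc):
    """One-line executive summary of an incident."""
    rules = ", ".join(sorted(inc["rules"]))
    return (f"{inc['id']}: {inc['severity'].upper()} - {len(inc['timeline'])} event(s) "
            f"({rules}) by {inc['actor']} on {inc['source']} "
            f"{inc['first_seen']:%H:%M} to {inc['last_seen']:%H:%M}")


if __name__ == "__main__":
    incs = group_incidents(SAMPLE_FINDINGS)
    for inc in incs:
        print(summarize(inc))
    print(actor_risk_scores(incs))
```

Keying on the source as well as the actor is what separates one credential misused on two databases into two incidents, while the gap rule keeps a morning burst and an afternoon probe apart even though both share a key.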

Accomplishments that we're proud of

  • 3-tier verification pipeline that we have not seen combined in any other MongoDB security tool: Rule Engine → Snowflake AI → Solana Blockchain
  • Tamper test feature — we built a way to prove evidence integrity by attempting modification and showing it gets caught
  • Every flagged event gets a plain-English AI explanation a non-technical executive can understand
  • Production-scale demo with 53,250 seeded documents across 8 collections including PII vaults, API keys, and financial transactions
  • The whole system works end-to-end: detect → classify → explain → prove → remediate
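
The evidence hashing and tamper test (the SHA-256 / Solana anchoring bullet under "What it does" and the "Tamper test feature" above), as an added example that is not VaultWatch's own code. Each evidence record is canonicalised and hashed, the hashes are chained so any edit moves every later hash, and only the chain tip needs to be anchored. The anchoring step is replaced here by returning the tip to the caller (where VaultWatch would write it into a Solana devnet transaction); the record shape is an assumption. The check covers both the simple case, where the attacker edits a record, and the harder one, where the attacker also rewrites the stored chain so that only the off-box anchor can catch it.

```python
import copy
import hashlib
import json

# Constructed sample evidence records (flagged events); the shape is an assumption.
SAMPLE_EVIDENCE = [
    {"id": 1, "rule": "brute_force", "actor": "svc_backup", "source": "prod-a",
     "ts": "2024-05-01T10:01:20"},
    {"id": 2, "rule": "pii_exfiltration", "actor": "analyst", "source": "prod-a",
     "ts": "2024-05-01T10:03:00", "nreturned": 20000},
    {"id": 3, "rule": "mass_deletion", "actor": "app_user", "source": "prod-b",
     "ts": "2024-05-01T10:04:00", "ndeleted": 5000},
]


def canonical(record):
    """Deterministic JSON so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_chain(records):
    """Hash-chain the evidence: entry_hash[i] = SHA-256(entry_hash[i-1] || evidence_hash[i]),
    so editing any record changes its own hash and every later entry hash."""
    chain, prev = [], "0" * 64
    for i, rec in enumerate(records):
        ev = sha256_hex(canonical(rec))
        entry = sha256_hex((prev + ev).encode())
        chain.append({"index": i, "evidence_hash": ev, "prev_hash": prev, "entry_hash": entry})
        prev = entry
    return chain


def chain_tip(chain):
    """The single digest worth anchoring off-box (stand-in for the Solana transaction)."""
    return chain[-1]["entry_hash"] if chain else "0" * 64


def verify(records, stored_chain, anchored_tip):
    """Recompute from the stored evidence and compare against (a) the stored chain, to
    localise the tampered record, and (b) the anchored tip, which still fails even if the
    attacker rewrote both the evidence and the stored chain consistently."""
    recomputed = build_chain(records)
    first_bad = next((i for i, (a, b) in enumerate(zip(recomputed, stored_chain))
                      if a["entry_hash"] != b["entry_hash"]), None)
    tip_ok = chain_tip(recomputed) == anchored_tip and len(recomputed) == len(stored_chain)
    return {"intact": tip_ok and first_bad is None, "first_tampered_index": first_bad}


def tamper_test(records, stored_chain, anchored_tip, index, field, value):
    """Simulate an attacker editing one stored record in place; the input list is not modified."""
    tampered = copy.deepcopy(records)
    tampered[index][field] = value
    return verify(tampered, stored_chain, anchored_tip)


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVIDENCE)
    tip = chain_tip(chain)                       # this value is what gets anchored
    print("untouched:", verify(SAMPLE_EVIDENCE, chain, tip))
    print("edited record 1:", tamper_test(SAMPLE_EVIDENCE, chain, tip, 1, "nreturned", 20))
    edited = copy.deepcopy(SAMPLE_EVIDENCE)
    edited[1]["nreturned"] = 20
    print("edited record and chain:", verify(edited, build_chain(edited), tip))
```

The anchor gives detectability, not immutability: the evidence in MongoDB can still be changed, but the change cannot be hidden from a verifier that holds the anchored tip, and anyone with the tip can repeat the check without trusting the VaultWatch host.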

What we learned

  • How to integrate Snowflake Cortex AI as a real-time analysis engine via their SQL-over-HTTP REST API
  • How to use Solana devnet for non-financial blockchain use cases (evidence anchoring / proof-of-integrity)
  • Building a multi-source monitoring architecture where one platform watches multiple independent databases
  • The importance of incident correlation — individual events are noise; grouped incidents with timelines tell a story

What's next for VaultWatch

  • MongoDB Change Streams for push-based, near-real-time detection of inserts, updates and deletes (replacing profiler polling); they need a replica set, and they don't report reads or failed logins, so profiler or audit-log data stays in the pipeline for the brute-force and exfiltration rules
  • Solana mainnet deployment for production-grade immutable evidence
  • Slack / PagerDuty alerting when critical incidents are detected
  • Custom rule builder — let security teams define their own detection patterns
  • Multi-cloud support — monitor Atlas, DocumentDB, and Cosmos DB from one dashboard
  • Compliance reporting — auto-generate GDPR/HIPAA/SOC2 audit reports from the blockchain-backed evidence chain
