Skip to content

sudu787/secureflow-ai

Folders and files

NameName
Last commit message
Last commit date

Latest commit

ย 

History

22 Commits
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 

Repository files navigation

๐Ÿ›ก๏ธ SecureFlow AI

Autonomous Security Operations Platform

"197 days to detect a breach. We built the system that does it in 4 seconds."

Demo Animation

Python Next.js FastAPI License: MIT FlowZint 2026

๐ŸŽฌ Watch Demo ยท โšก Quick Start ยท ๐Ÿ“ Architecture ยท ๐Ÿค– Agents ยท ๐Ÿ‘จโ€โš–๏ธ Judges


๐Ÿšจ The Problem

Modern Security Operations Centers are drowning.

  • 10,000โ€“100,000 alerts per day โ€” analysts meaningfully investigate < 0.05%
  • 197-day average breach detection time โ€” attackers operate undetected for months
  • $4.5M average breach cost โ€” 69 days to contain after detection
  • 3.4M unfilled cybersecurity jobs globally โ€” teams are permanently understaffed
  • Zero institutional memory โ€” when an analyst leaves, their knowledge leaves with them

Existing tools (SIEMs, EDRs, SOARs) generate data. They do not think, connect, or remember.


๐Ÿ’ก The Solution

SecureFlow AI is an autonomous security team โ€” five specialized AI agents permanently online, sharing a Security Knowledge Graph and organizational memory, continuously learning from every attack.

Threat Detected (4 seconds)
       โ†“
๐ŸŽฏ Triage Agent classifies priority
       โ†“
๐Ÿ” Investigation Agent traces attack chain
       โ†“
๐ŸŒ Threat Intel Agent enriches from graph
       โ†“
๐Ÿง  Memory Agent recalls past incidents
       โ†“
๐Ÿ”ฎ Risk Agent predicts cascade impact
       โ†“
โšก Response Agent recommends + executes (with approval)
       โ†“
๐Ÿ“Š Executive Dashboard auto-generates CISO report

What makes SecureFlow AI unique:

  1. Graph + Memory combination โ€” No SOC platform connects knowledge graph intelligence with organizational episodic memory
  2. XAI on every autonomous action โ€” Every AI decision shows its evidence chain before acting
  3. Predictive security โ€” We don't just detect what happened; we forecast what's about to happen

๐Ÿ‘จโ€โš–๏ธ For Judges: How to Evaluate This Project

If you only have 5 minutes to test SecureFlow AI, follow this exact path:

  1. Start the Demo: Go to http://localhost:3000/demo and click "Launch Full Ransomware Attack". This simulates 9 stages of an APT29 attack.
  2. Watch the AI Triage: Go to http://localhost:3000/alerts to see the Triage Agent automatically prioritizing the incoming simulated logs.
  3. Trace the Kill Chain: Go to http://localhost:3000/graph to view the Security Knowledge Graph. Watch the nodes turn red as the blast radius computes the cascading risk of the ransomware spreading.
  4. Test Autonomous XAI: Go to http://localhost:3000/autonomous. See the Response Agent generating playbooks. Click "View AI Reasoning" to see the Explainable AI (XAI) evidence chain.
  5. View the CISO Report: Go to http://localhost:3000/executive to see how the Reporting Agent has synthesized the live attack into a boardroom-ready presentation and mapped it to Compliance frameworks.
  6. Test the Episodic Memory: Go to http://localhost:3000/memory and click "Simulate Nightly Consolidation" to see the system learn from the attack, burning it into ChromaDB vector memory for future recall.

For full evaluation criteria mapping, see JUDGES.md.


๐Ÿ—๏ธ Architecture

System Architecture

Layer Technology Purpose
Frontend Next.js 16, React, Vanilla CSS 20-page enterprise dashboard
Backend FastAPI, Python 3.10, SQLAlchemy REST API + agent orchestration
Knowledge Graph NetworkX, custom GraphRAG Entity relationships + risk propagation
Memory SQLite + semantic indexing Episodic incident memory
RAG Engine GraphRAG Fusion MITRE ATT&CK grounded intelligence
Database SQLite (โ†’ PostgreSQL in prod) Event, Alert, Incident, Ticket storage

๐Ÿค– AI Agents

Agent Role Speed MITRE Integration
๐ŸŽฏ Triage Classify alerts P1โ€“P4, route to workflows < 2s Technique mapping
๐Ÿ” Investigation Correlate alerts, trace attack chains, collect evidence < 5s Kill chain analysis
๐ŸŒ Threat Intelligence Enrich IOCs, identify threat actors via graph < 3s Actor attribution
๐Ÿง  Memory Recall similar past incidents, surface past mitigations < 1s Pattern matching
๐Ÿ”ฎ Risk Prediction Cascade risk scoring, attack probability forecast < 4s Impact prediction
โšก Autonomous Response Recommend + execute containment with XAI + human approval On approval Response playbooks

๐Ÿ•ธ๏ธ Security Knowledge Graph

The graph is the intelligence core of SecureFlow AI.

  • 90 nodes across 17 entity types (IPs, Users, Devices, Assets, CVEs, Threat Actors, MITRE Techniques...)
  • 234 relationships mapping attack paths, vulnerabilities, and threat actor TTPs
  • Real-time risk propagation โ€” computes cascade impact from any compromised entity
  • GraphRAG fusion โ€” combines graph traversal with RAG retrieval for grounded intelligence
APT29 โ”€โ”€usesโ”€โ”€โ–บ T1110 (Brute Force) โ”€โ”€targetsโ”€โ”€โ–บ VPN-Gateway
  โ””โ”€โ”€deploysโ”€โ”€โ–บ Akira-Ransomware โ”€โ”€encryptsโ”€โ”€โ–บ DB-PROD-01
       โ””โ”€โ”€linked_toโ”€โ”€โ–บ CVE-2024-3094 โ”€โ”€affectsโ”€โ”€โ–บ WKSTN-047

๐Ÿง  Organizational Memory

SecureFlow AI never forgets. The Memory Agent stores every incident as a semantic embedding and retrieves similar past events during new investigations.

New Alert: Brute Force from 185.220.101.34
    โ†“
Memory Query: similarity search (cosine distance)
    โ†“
Match Found: INC-104 (March 2024, similarity: 0.89)
    โ†“
Recall: "VPN geo-block + forced password reset resolved this"
    โ†“
Apply: learned mitigation template to new incident

๐Ÿ“Š Executive Dashboard

The CISO gets a real-time boardroom briefing โ€” no analyst hours, no report writing.

  • Live Risk Score โ€” org-wide gauge computed from graph traversal
  • 5-Framework Compliance โ€” NIST, CIS, ISO 27001, SOC 2, PCI DSS auto-mapped
  • AI Threat Forecast โ€” Next 7 days predicted attacks with probability scores
  • One-Click CISO Report โ€” Full boardroom PDF generated from live data

๐ŸŽฎ Demo: Operation NightOwl

Navigate to /demo and click ๐Ÿšจ Launch Ransomware Attack to trigger:

Stage Technique Description
1 T1110 47 VPN credential stuffing attempts from APT29 IP
2 T1078 Successful login with compromised credential
3 T1068 Privilege escalation via CVE-2024-3094
4 T1021 WMI lateral movement WKSTN-047 โ†’ API-GW-01
5 T1204 Akira ransomware dropped (YARA match)
6 T1071 CobaltStrike C2 beacon to 91.121.87.18
7 T1074 2.3GB customer data staged
8 T1048 Data exfiltrated via TOR exit node
9 T1486 3,847 files encrypted (.akira extension)

All 5 AI agents respond autonomously. Navigate to /graph to see risk propagation.


Screenshots

War Room Knowledge Graph
War Room Graph
Autonomous Response + XAI Risk Prediction
XAI Risk
Compliance Intelligence
Compliance

โšก Quick Start

Prerequisites

  • Python 3.10+
  • Node.js 18+
  • Git

1. Clone

https://github.com/sudu787/secureflow-ai.git
cd secureflow-ai

2. Configure Environment (CRITICAL FOR AI AGENTS)

cp .env.example .env

Edit .env and add your API keys:

  • GEMINI_API_KEY=your_key_here (Powers the Investigation & Reporting Agents)
  • GROK_API_KEY=your_key_here (Powers the Triage & Autonomous Agents)
  • GROQ_API_KEY=your_key_here (Powers the IT Support Agent fallback)

3. Start Backend

For Windows (PowerShell):

cd backend
python -m venv venv
.\venv\Scripts\Activate.ps1
$env:PYO3_USE_ABI3_FORWARD_COMPATIBILITY=1
pip install -r requirements.txt
python -m uvicorn app.main:app --reload --port 8000

For macOS/Linux:

cd backend
python3 -m venv venv
source venv/bin/activate
export PYO3_USE_ABI3_FORWARD_COMPATIBILITY=1
pip install -r requirements.txt
python -m uvicorn app.main:app --reload --port 8000

4. Start Frontend

Open a new terminal window/tab, then run:

cd frontend
npm install
npm run dev

5. Open & Test

http://localhost:3000        โ† Full platform
http://localhost:3000/demo   โ† Launch ransomware simulation
http://localhost:8000/docs   โ† FastAPI interactive API docs

๐Ÿ† Innovation Highlights

Innovation What It Is Why It's Novel
GraphRAG Fusion Graph traversal + vector RAG combined No existing SOC tool does both simultaneously
Episodic Memory Semantic search over past incidents Prevents repeated mistakes across analyst shifts
XAI Evidence Chain Every AI action cites its reasoning Makes autonomous security trustworthy
Cascade Risk Propagation Real-time graph-computed blast radius Predicts attack path before completion
Continuous Compliance Auto-maps live alerts to 5 frameworks Replaces quarterly manual compliance audits
Predictive Threat Intel Probability forecasts for future attacks Forward-looking, not reactive

๐Ÿ—บ๏ธ Roadmap

  • Real SIEM connector (Splunk, QRadar, Microsoft Sentinel)
  • Federated threat graph sharing between organizations
  • Natural language SOC interface ("Show me all APT29 activity this week")
  • Autonomous playbook generation from memory patterns
  • Mobile CISO app with push alerts
  • LLM fine-tuning on organization-specific threat data

๐Ÿ“„ License

MIT License โ€” see LICENSE

About

Resources

Security policy

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors