"197 days to detect a breach. We built the system that does it in 4 seconds."
๐ฌ Watch Demo ยท โก Quick Start ยท ๐ Architecture ยท ๐ค Agents ยท ๐จโโ๏ธ Judges
Modern Security Operations Centers are drowning.
- 10,000โ100,000 alerts per day โ analysts meaningfully investigate < 0.05%
- 197-day average breach detection time โ attackers operate undetected for months
- $4.5M average breach cost โ 69 days to contain after detection
- 3.4M unfilled cybersecurity jobs globally โ teams are permanently understaffed
- Zero institutional memory โ when an analyst leaves, their knowledge leaves with them
Existing tools (SIEMs, EDRs, SOARs) generate data. They do not think, connect, or remember.
SecureFlow AI is an autonomous security team โ five specialized AI agents permanently online, sharing a Security Knowledge Graph and organizational memory, continuously learning from every attack.
Threat Detected (4 seconds)
โ
๐ฏ Triage Agent classifies priority
โ
๐ Investigation Agent traces attack chain
โ
๐ Threat Intel Agent enriches from graph
โ
๐ง Memory Agent recalls past incidents
โ
๐ฎ Risk Agent predicts cascade impact
โ
โก Response Agent recommends + executes (with approval)
โ
๐ Executive Dashboard auto-generates CISO report
What makes SecureFlow AI unique:
- Graph + Memory combination โ No SOC platform connects knowledge graph intelligence with organizational episodic memory
- XAI on every autonomous action โ Every AI decision shows its evidence chain before acting
- Predictive security โ We don't just detect what happened; we forecast what's about to happen
If you only have 5 minutes to test SecureFlow AI, follow this exact path:
- Start the Demo: Go to
http://localhost:3000/demoand click "Launch Full Ransomware Attack". This simulates 9 stages of an APT29 attack. - Watch the AI Triage: Go to
http://localhost:3000/alertsto see theTriage Agentautomatically prioritizing the incoming simulated logs. - Trace the Kill Chain: Go to
http://localhost:3000/graphto view the Security Knowledge Graph. Watch the nodes turn red as the blast radius computes the cascading risk of the ransomware spreading. - Test Autonomous XAI: Go to
http://localhost:3000/autonomous. See theResponse Agentgenerating playbooks. Click "View AI Reasoning" to see the Explainable AI (XAI) evidence chain. - View the CISO Report: Go to
http://localhost:3000/executiveto see how theReporting Agenthas synthesized the live attack into a boardroom-ready presentation and mapped it to Compliance frameworks. - Test the Episodic Memory: Go to
http://localhost:3000/memoryand click "Simulate Nightly Consolidation" to see the system learn from the attack, burning it into ChromaDB vector memory for future recall.
For full evaluation criteria mapping, see JUDGES.md.
| Layer | Technology | Purpose |
|---|---|---|
| Frontend | Next.js 16, React, Vanilla CSS | 20-page enterprise dashboard |
| Backend | FastAPI, Python 3.10, SQLAlchemy | REST API + agent orchestration |
| Knowledge Graph | NetworkX, custom GraphRAG | Entity relationships + risk propagation |
| Memory | SQLite + semantic indexing | Episodic incident memory |
| RAG Engine | GraphRAG Fusion | MITRE ATT&CK grounded intelligence |
| Database | SQLite (โ PostgreSQL in prod) | Event, Alert, Incident, Ticket storage |
| Agent | Role | Speed | MITRE Integration |
|---|---|---|---|
| ๐ฏ Triage | Classify alerts P1โP4, route to workflows | < 2s | Technique mapping |
| ๐ Investigation | Correlate alerts, trace attack chains, collect evidence | < 5s | Kill chain analysis |
| ๐ Threat Intelligence | Enrich IOCs, identify threat actors via graph | < 3s | Actor attribution |
| ๐ง Memory | Recall similar past incidents, surface past mitigations | < 1s | Pattern matching |
| ๐ฎ Risk Prediction | Cascade risk scoring, attack probability forecast | < 4s | Impact prediction |
| โก Autonomous Response | Recommend + execute containment with XAI + human approval | On approval | Response playbooks |
The graph is the intelligence core of SecureFlow AI.
- 90 nodes across 17 entity types (IPs, Users, Devices, Assets, CVEs, Threat Actors, MITRE Techniques...)
- 234 relationships mapping attack paths, vulnerabilities, and threat actor TTPs
- Real-time risk propagation โ computes cascade impact from any compromised entity
- GraphRAG fusion โ combines graph traversal with RAG retrieval for grounded intelligence
APT29 โโusesโโโบ T1110 (Brute Force) โโtargetsโโโบ VPN-Gateway
โโโdeploysโโโบ Akira-Ransomware โโencryptsโโโบ DB-PROD-01
โโโlinked_toโโโบ CVE-2024-3094 โโaffectsโโโบ WKSTN-047
SecureFlow AI never forgets. The Memory Agent stores every incident as a semantic embedding and retrieves similar past events during new investigations.
New Alert: Brute Force from 185.220.101.34
โ
Memory Query: similarity search (cosine distance)
โ
Match Found: INC-104 (March 2024, similarity: 0.89)
โ
Recall: "VPN geo-block + forced password reset resolved this"
โ
Apply: learned mitigation template to new incident
The CISO gets a real-time boardroom briefing โ no analyst hours, no report writing.
- Live Risk Score โ org-wide gauge computed from graph traversal
- 5-Framework Compliance โ NIST, CIS, ISO 27001, SOC 2, PCI DSS auto-mapped
- AI Threat Forecast โ Next 7 days predicted attacks with probability scores
- One-Click CISO Report โ Full boardroom PDF generated from live data
Navigate to /demo and click ๐จ Launch Ransomware Attack to trigger:
| Stage | Technique | Description |
|---|---|---|
| 1 | T1110 | 47 VPN credential stuffing attempts from APT29 IP |
| 2 | T1078 | Successful login with compromised credential |
| 3 | T1068 | Privilege escalation via CVE-2024-3094 |
| 4 | T1021 | WMI lateral movement WKSTN-047 โ API-GW-01 |
| 5 | T1204 | Akira ransomware dropped (YARA match) |
| 6 | T1071 | CobaltStrike C2 beacon to 91.121.87.18 |
| 7 | T1074 | 2.3GB customer data staged |
| 8 | T1048 | Data exfiltrated via TOR exit node |
| 9 | T1486 | 3,847 files encrypted (.akira extension) |
All 5 AI agents respond autonomously. Navigate to /graph to see risk propagation.
| War Room | Knowledge Graph |
|---|---|
![]() |
![]() |
| Autonomous Response + XAI | Risk Prediction |
|---|---|
![]() |
![]() |
| Compliance Intelligence | |
|---|---|
![]() |
- Python 3.10+
- Node.js 18+
- Git
https://github.com/sudu787/secureflow-ai.git
cd secureflow-aicp .env.example .envEdit .env and add your API keys:
GEMINI_API_KEY=your_key_here(Powers the Investigation & Reporting Agents)GROK_API_KEY=your_key_here(Powers the Triage & Autonomous Agents)GROQ_API_KEY=your_key_here(Powers the IT Support Agent fallback)
For Windows (PowerShell):
cd backend
python -m venv venv
.\venv\Scripts\Activate.ps1
$env:PYO3_USE_ABI3_FORWARD_COMPATIBILITY=1
pip install -r requirements.txt
python -m uvicorn app.main:app --reload --port 8000For macOS/Linux:
cd backend
python3 -m venv venv
source venv/bin/activate
export PYO3_USE_ABI3_FORWARD_COMPATIBILITY=1
pip install -r requirements.txt
python -m uvicorn app.main:app --reload --port 8000Open a new terminal window/tab, then run:
cd frontend
npm install
npm run devhttp://localhost:3000 โ Full platform
http://localhost:3000/demo โ Launch ransomware simulation
http://localhost:8000/docs โ FastAPI interactive API docs
| Innovation | What It Is | Why It's Novel |
|---|---|---|
| GraphRAG Fusion | Graph traversal + vector RAG combined | No existing SOC tool does both simultaneously |
| Episodic Memory | Semantic search over past incidents | Prevents repeated mistakes across analyst shifts |
| XAI Evidence Chain | Every AI action cites its reasoning | Makes autonomous security trustworthy |
| Cascade Risk Propagation | Real-time graph-computed blast radius | Predicts attack path before completion |
| Continuous Compliance | Auto-maps live alerts to 5 frameworks | Replaces quarterly manual compliance audits |
| Predictive Threat Intel | Probability forecasts for future attacks | Forward-looking, not reactive |
- Real SIEM connector (Splunk, QRadar, Microsoft Sentinel)
- Federated threat graph sharing between organizations
- Natural language SOC interface ("Show me all APT29 activity this week")
- Autonomous playbook generation from memory patterns
- Mobile CISO app with push alerts
- LLM fine-tuning on organization-specific threat data
MIT License โ see LICENSE






