Inspiration

In the modern cybersecurity landscape, two metrics define whether a business survives an attack: Dwell Time (the time an attacker goes unnoticed) and Containment Time (the time it takes to stop them). Currently, it takes an average of 24 days for security teams to notice a breach, and hours to contain it manually. We were inspired to build Aegis SOC to prove that by combining Machine Learning (UEBA) and Security Orchestration, Automation, and Response (SOAR), we can compress the threat containment lifecycle from hours to under 3 seconds—stopping attackers in their tracks before they can move laterally.

What it does

Aegis SOC is a fully autonomous, real-time Security Operations Center (SOC) simulation platform. It ingests server logs, runs detection algorithms, and mitigates threats dynamically.

Log Ingestion & Normalization: Raw text server logs are ingested in real time, cleaned, and structured into normalized JSON event objects.

Correlation & Detection: Static rules monitor the event stream to detect port scans and brute-force attacks. The engine correlates reconnaissance scans with active password cracking, escalating threats from HIGH to CRITICAL.

Behavioral Machine Learning: Traditional rules can be bypassed by "low-and-slow" attacks. Aegis extracts behavioral features per source (e.g. failure rate, unique usernames tried, timing regularity) and uses an Isolation Forest ML model (UEBA) to flag anomalous IPs without signatures.

Explainable AI & SOAR Response: Flags are translated into plain-English narratives using statistical deviations. The SOAR engine then instantly triggers response playbooks to alert the team (PagerDuty, Slack, Email, SMS), log incident records, and update firewall blocklists.

Web Console Dashboard: A premium, dark-mode dashboard displays timeline volume charts, live threat streams, ML anomaly grids, active firewall rules, and full executive incident reports.

How we built it

Aegis SOC is built on a split architecture:

The Engine: A modular Python pipeline that handles ingestion, correlation, machine learning, and SOAR playbooks.

The ML Pipeline: Engineered using Scikit-Learn for the Isolation Forest modeling and StandardScaler to normalize multi-variable features.

The Web Console: A Flask backend serving dynamic endpoints, paired with a vanilla HTML5, CSS3, and JavaScript frontend that uses Chart.js to render real-time telemetry charts.

Challenges we ran into

Real-Time Database Syncing: Managing race conditions when writing real-time simulation updates to disk from a background thread while Flask was serving API requests. We solved this by implementing atomic file-replacement writes (os.replace), so readers never see a partially written file.

Signature-less Evasion Modeling: Fine-tuning the ML model's contamination factor so it could detect stealthy brute-force attacks without flagging legitimate users who occasionally forget their passwords (avoiding false positives).

Automated SOAR Gates: Designing playbooks that normally require human approval to execute autonomously in a background daemon without blocking or hanging on stdin CLI input.
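As an added illustration of the behavioral features and the plain-English explanation layer described under "What it does", and of the false-positive concern above (example code written for this page, not Aegis SOC's own): it computes failure rate, unique usernames tried and timing regularity per source IP from a constructed batch of normalized login events, then flags and explains outliers with a z-score threshold standing in for the Isolation Forest score. The names SAMPLE, build_events, extract_features, timing_cv and explain_anomalies, the constructed sample data, and the 2.0 threshold are all assumptions of this example.

```python
import statistics
from collections import defaultdict

# Constructed sample, not real telemetry: (src_ip, timestamps in s, username per
# attempt, outcome per attempt F=failed/S=succeeded). Five benign users plus one
# source pacing attempts 5 min apart, under any "N failures in 60 s" threshold.
SAMPLE = [
    ("10.0.0.11", [0, 9, 130, 131, 400], ["alice"] * 5, "FSSSS"),
    ("10.0.0.12", [20, 21, 300], ["bob"] * 3, "FFS"),  # forgot password twice
    ("10.0.0.13", [50, 260, 270, 900], ["carol"] * 4, "SSSS"),
    ("10.0.0.14", [5, 6, 15, 380, 700], ["dave"] * 5, "FSSSS"),
    ("10.0.0.15", [100, 101, 450], ["erin"] * 3, "SFS"),
    ("203.0.113.7", [0, 300, 600, 900, 1200, 1500],
     ["root", "admin", "oracle", "svc", "backup", "test"], "FFFFFF"),
]
FEATURES = ("failure_rate", "unique_users", "timing_cv")

def build_events():  # expand SAMPLE into normalized event dicts
    return [{"ts": t, "src_ip": ip, "user": u, "success": o == "S"}
            for ip, ts, us, outs in SAMPLE for t, u, o in zip(ts, us, outs)]

def timing_cv(ts):  # 0.0 = perfectly regular (scripted), ~1.0 = irregular (human)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2 or statistics.mean(gaps) == 0:
        return 1.0  # too few gaps to judge; assume irregular
    return statistics.pstdev(gaps) / statistics.mean(gaps)

def extract_features(events):  # per-source-IP behavioral features named on the page
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["src_ip"]].append(e)
    return {ip: {"failure_rate": sum(not e["success"] for e in evs) / len(evs),
                 "unique_users": len({e["user"] for e in evs}),
                 "timing_cv": timing_cv([e["ts"] for e in evs])}
            for ip, evs in by_ip.items()}

def explain_anomalies(feats, threshold=2.0):
    # Z-score each IP against the population baseline (a stand-in for the Isolation
    # Forest score) and phrase every deviation past the threshold in plain English.
    cols = {f: [v[f] for v in feats.values()] for f in FEATURES}
    findings = {}
    for ip, v in feats.items():
        reasons = []
        for f in FEATURES:
            mean, sd = statistics.mean(cols[f]), statistics.pstdev(cols[f])
            z = (v[f] - mean) / sd if sd else 0.0
            if abs(z) >= threshold:
                reasons.append(f"{f}={v[f]:.2f} is {abs(z):.1f} std devs "
                               f"{'above' if z > 0 else 'below'} the baseline of {mean:.2f}")
        if reasons:
            findings[ip] = f"{ip} flagged as anomalous: " + "; ".join(reasons) + "."
    return findings
```

Running explain_anomalies(extract_features(build_events())) flags only 203.0.113.7, on unique usernames and timing regularity rather than on failure count, while bob's two forgotten passwords stay inside the baseline.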

Accomplishments that we're proud of

Compressing threat containment (detecting a breach, raising alerts, sending notifications, and blocking the IP) to under 3 seconds.

Bridging the gap between ML scores and human understanding through an Explainable AI (XAI) layer that explains the "why" behind model decisions in plain English.

Creating a premium, high-fidelity security console dashboard utilizing modern visual design tokens and animations.

What we learned

The crucial importance of "human-in-the-loop" design in security automation to manage blast radius and prevent self-inflicted service disruptions.

How to normalize and vectorize unstructured log data for multi-dimensional statistical modeling.

What's next for Aegis SOC

Integrating Large Language Models (LLMs) like Gemini for advanced interactive root-cause investigation Q&A.

Exposing direct firewall API integrations (AWS Security Groups, Azure Network Security Groups, and local iptables) to run in production environments.
