Inspiration

Kubernetes and container security are my favorite areas of research. While there is significant innovation happening in automated disk forensics and static malware analysis, automated cloud-native incident response remains largely unaddressed.

Manually triaging hundreds of thousands of raw API events during an active breach is a massive bottleneck for SOC analysts. I wanted to address this by building an intelligent, autonomous agent capable of dynamically hunting down containerized threats from a single natural language prompt.

What it does

It runs against your live K8s cluster in four stages:

1. Collect telemetry such as manifests, events and API audit logs.
2. Normalize those events and build a graph database that can be viewed with the Obsidian graph tool.
3. After normalization, the investigator skill kicks in and, with the help of the LLM, identifies anomalies (malicious pods, outbound connections) and maps them to MITRE techniques.
4. Finally, the reporter skill creates a readable summary along with remediation steps.

How we built it

To start, I built a lab environment with kube-goat on one Ubuntu machine and SANS SIFT running the OpenCode AI agent with Kubernetes and SSH MCP servers. I used the Big Pickle model that ships with OpenCode. Then, by simulating certain attacks and iterating on the user prompt, I arrived at the best prompt I could find: one that reduces token usage and keeps the agent from exploring the cluster or trying destructive commands. There was a lot of trial and error with the skills and the parser script (there is still scope to improve it).

Challenges we ran into

The main challenge I faced was analyzing Kubernetes API audit logs (audit.log): they run into millions of events, and uploading them directly to the LLM exhausts its token window, so I had to come up with a way to manage those logs without losing or missing the attacker's activity.
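One way to tackle the token-window problem described above, as an added example that is not the project's own parser: normalize Kubernetes audit.log events (audit.k8s.io/v1 JSON lines), aggregate the repetitive control-plane noise into counts, and keep verbatim only the events an investigator must not lose. The sample log is constructed, and the "notable event" rules are assumptions about what should survive reduction.

```python
import json
from collections import Counter

SUSPICIOUS_SUBRESOURCES = {"exec", "attach", "portforward"}

# Constructed audit.k8s.io/v1 events (subset of real audit.log fields): 500 scheduler lists, a RequestReceived duplicate, one exec, one denied secrets list.
_EXEC = {"stage": "ResponseComplete", "verb": "create", "sourceIPs": ["10.244.1.7"],
         "user": {"username": "system:serviceaccount:default:webapp"}, "responseStatus": {"code": 101},
         "objectRef": {"resource": "pods", "namespace": "default", "name": "webapp-0", "subresource": "exec"}}
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"stage": "ResponseComplete", "verb": "list", "sourceIPs": ["10.0.0.5"],
     "user": {"username": "system:kube-scheduler"}, "objectRef": {"resource": "pods"},
     "responseStatus": {"code": 200}}] * 500 + [
    dict(_EXEC, stage="RequestReceived"), _EXEC,
    {"stage": "ResponseComplete", "verb": "list", "sourceIPs": ["10.244.1.7"],
     "user": {"username": "system:serviceaccount:default:webapp"},
     "objectRef": {"resource": "secrets", "namespace": "kube-system"}, "responseStatus": {"code": 403}}])

def normalize(line):
    """Flatten one audit event to the fields an investigator needs; drop non-final stages to avoid double counting."""
    e = json.loads(line)
    if e.get("stage") not in ("ResponseComplete", "Panic"):
        return None
    ref = e.get("objectRef") or {}
    resource = ref.get("resource", "?") + ("/" + ref["subresource"] if ref.get("subresource") else "")
    return {"user": (e.get("user") or {}).get("username", "?"), "ip": (e.get("sourceIPs") or ["?"])[0],
            "verb": e.get("verb", "?"), "resource": resource, "namespace": ref.get("namespace", "-"),
            "name": ref.get("name", "-"), "code": (e.get("responseStatus") or {}).get("code", 0)}

def is_notable(ev):
    """Assumed rules: interactive pod access, secret reads by non-control-plane identities, denied requests."""
    sub = ev["resource"].partition("/")[2]
    return (sub in SUSPICIOUS_SUBRESOURCES
            or (ev["resource"] == "secrets" and not ev["user"].startswith("system:kube-"))
            or ev["code"] == 403)

def reduce_audit_log(text):
    """Return (Counter keyed by user/verb/resource/namespace, list of notable events kept verbatim)."""
    counts, notable = Counter(), []
    for ev in filter(None, (normalize(l) for l in text.splitlines() if l.strip())):
        counts[(ev["user"], ev["verb"], ev["resource"], ev["namespace"])] += 1
        if is_notable(ev):
            notable.append(ev)
    return counts, notable

def summary_lines(text):
    """Compact text for the LLM investigator: one line per aggregate, then each notable event."""
    counts, notable = reduce_audit_log(text)
    return ([f"{n:6d}  {u} {v} {r} ns={ns}" for (u, v, r, ns), n in counts.most_common()]
            + [f"NOTABLE {e['user']} from {e['ip']} {e['verb']} {e['resource']} ns={e['namespace']} "
               f"name={e['name']} code={e['code']}" for e in notable])
```

On the constructed log, 503 raw lines collapse to five summary lines while the pod exec and the denied secrets read are kept in full.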

Accomplishments that we're proud of

I was able to build something that will help the incident response community.

What we learned

Lots of things: the OpenCode AI agent, MCPs, K8s / container security, and above all AI foundational concepts.

What's next for Autonomous Kubernetes Forensics using OpenCode AI Agent

Next is improving the parser script.
