Inspiration
Traditional threat intelligence is a manual, highly repetitive process tethered to desktop dashboards. Security analysts need real-time, actionable intelligence wherever they are, without having to manually query multiple databases or parse massive JSON files. We were inspired to bridge the gap between enterprise-grade cybersecurity tools and mobile accessibility, creating a true "SOC in your pocket" that automates Tier-1 analyst workflows.
What it does
Autonomous SOC is a cross-platform (Web and Android) application that acts as an automated Tier-1 Security Analyst. When a user enters a suspicious target (an IP address or domain name), our AI agent autonomously runs a multi-step investigation: it resolves domains, pulls structured telemetry from threat intelligence sources such as AbuseIPDB, and synthesizes the data into a formatted, actionable Markdown threat report on the user's mobile device. It also keeps a persistent local cache so analysts can reopen previous intelligence reports instantly.
How we built it
We utilized a decoupled, modern architecture:
Frontend: Built a cross-platform mobile UI using React Native and Expo Router. It is deployed simultaneously as a web app on Vercel and a standalone Android APK via EAS (Expo Application Services) Cloud Builds.
Backend Engine: A Python FastAPI server hosting a LangGraph state machine. We used Gemini 1.5 Flash as the core reasoning engine to drive the agentic workflow.
Data Layer (Coral): Instead of writing fragile Python API wrappers or cluttering the LLM's context window with massive JSON payloads, we used WithCoral to expose our security tools as virtual SQL databases. Our agent issues standard SQL queries to Coral, which handles the API execution "below deck" and returns clean, tabular database rows directly back to our workflow.
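The workflow in "What it does" and the FastAPI/LangGraph/Coral layering above, as an added example that is not the project's own code: a minimal Python pipeline with the same shape (validate the target, resolve it, issue one fixed SQL statement against a virtual table, hand the model a compact tabular context, render a Markdown report, cache the result). Every external piece is an assumption or a stand-in: an in-memory sqlite3 table named `abuseipdb_check` plays the WithCoral virtual table, a constructed `RESOLVER` dict plays DNS, a threshold rule plays Gemini, and the sample rows, the thresholds and `raw_payload_stub()` are constructed, not real AbuseIPDB data or field names.

```python
# Added example, not the project's code. Stand-ins (all assumptions): an in-memory
# sqlite3 table replaces the WithCoral virtual table, RESOLVER replaces DNS, a
# threshold rule replaces Gemini; SAMPLE_ROWS and raw_payload_stub() are constructed.
import ipaddress
import re
import sqlite3

# Constructed rows shaped like AbuseIPDB /check fields (documentation-range IPs).
SAMPLE_ROWS = [
    ("203.0.113.7", 100, 412, "NL", "Example Hosting BV", "2024-05-01T12:00:00Z"),
    ("198.51.100.23", 40, 9, "US", "Example ISP Inc", "2024-04-20T08:30:00Z"),
    ("192.0.2.10", 0, 0, "DE", "Example Telecom", None),
]
# Constructed DNS answers so the example runs offline.
RESOLVER = {"bad.example.net": ["203.0.113.7"],
            "shop.example.org": ["198.51.100.23", "192.0.2.10"]}
COLUMNS = ["ip", "abuse_confidence_score", "total_reports", "country_code", "isp", "last_reported_at"]
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def classify_target(target: str) -> str:
    """Only a syntactically valid IP or hostname may reach the SQL layer or the
    model; anything else (injection attempts included) is rejected here."""
    t = target.strip().lower()
    try:
        ipaddress.ip_address(t)
        return "ip"
    except ValueError:
        pass
    if DOMAIN_RE.match(t):
        return "domain"
    raise ValueError(f"not an IP address or hostname: {target!r}")


def open_virtual_db() -> sqlite3.Connection:
    """Stand-in for the Coral virtual table: same query shape, local data."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE abuseipdb_check ({', '.join(COLUMNS)})")
    db.executemany("INSERT INTO abuseipdb_check VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return db


def resolve(target: str) -> list[str]:
    t = target.strip().lower()
    return [t] if classify_target(t) == "ip" else RESOLVER.get(t, [])


def fetch_rows(db: sqlite3.Connection, ips: list[str]) -> list[dict]:
    """One fixed, parameterised statement: only bound values vary, so a hostile
    target string cannot change the query, and only the listed columns come back."""
    if not ips:
        return []
    sql = (f"SELECT {', '.join(COLUMNS)} FROM abuseipdb_check "
           f"WHERE ip IN ({', '.join('?' * len(ips))})")
    return [dict(zip(COLUMNS, row)) for row in db.execute(sql, ips)]


def verdict(rows: list[dict]) -> str:
    """Threshold rule standing in for the model's triage call (thresholds assumed)."""
    if not rows:
        return "unknown"
    worst = max(r["abuse_confidence_score"] for r in rows)
    return "malicious" if worst >= 75 else "suspicious" if worst >= 25 else "clean"


def rows_as_context(rows: list[dict]) -> str:
    """What the model sees: a header plus one pipe-separated line per row."""
    table = [" | ".join(COLUMNS)] + [" | ".join(str(r[c]) for c in COLUMNS) for r in rows]
    return "\n".join(table)


def render_report(target: str, rows: list[dict]) -> str:
    md = [f"# Triage report: {target}", "", f"**Verdict:** {verdict(rows)}", ""]
    if not rows:
        return "\n".join(md + ["_No rows returned: target did not resolve or is unknown to the source._"])
    md += ["| IP | Score | Reports | Country | ISP | Last reported |", "|---|---|---|---|---|---|"]
    md += ["| " + " | ".join(str(r[c]) for c in COLUMNS) + " |" for r in rows]
    return "\n".join(md)


def raw_payload_stub(row: tuple) -> dict:
    """Constructed stand-in for the verbose JSON an API wrapper would hand back,
    including free-text reporter comments that would otherwise enter the prompt."""
    ip, score, reports, cc, isp, last = row
    return {"data": {"ipAddress": ip, "abuseConfidenceScore": score, "countryCode": cc,
                     "isp": isp, "totalReports": reports, "lastReportedAt": last,
                     "reports": [{"reportedAt": last, "categories": [18, 22],
                                  "comment": f"constructed report comment {i}"}
                                 for i in range(reports)]}}


class Triage:
    """One investigation per target, memoised like the app's local report cache."""

    def __init__(self, db: sqlite3.Connection):
        self.db, self.cache = db, {}

    def investigate(self, target: str) -> dict:
        key = target.strip().lower()
        if key not in self.cache:
            rows = fetch_rows(self.db, resolve(key))
            self.cache[key] = {"target": key, "rows": rows, "verdict": verdict(rows),
                               "context": rows_as_context(rows),
                               "markdown": render_report(key, rows)}
        return self.cache[key]
```

Two checks are worth keeping once the real Coral endpoint and model replace these stand-ins: the target is validated before it touches either the SQL statement or the prompt, and the statement selects fixed columns, so untrusted free text such as reporter comments (present in `raw_payload_stub()`, absent from `rows_as_context()`) never reaches the model's context. `Triage(open_virtual_db()).investigate("bad.example.net")["markdown"]` returns the rendered report.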
Challenges we ran into
Integrating WithCoral required us to fundamentally rethink how our agent fetches data, moving from standard API wrappers to a structured SQL-based data layer. On the frontend, bridging the gap between local development and production was an intense challenge. We faced strict React Native dependency conflicts (such as missing punycode modules) during the bundling phase. Figuring out how to bypass the forgiving Expo Go sandbox to compile a strict, standalone Android APK using EAS CI/CD pipelines pushed us to our technical limits.
Accomplishments that we're proud of
We are incredibly proud of successfully deploying a true cross-platform application that runs identically on a Vercel web URL and natively on an Android device. Architecturally, abstracting our threat APIs into SQL tables with WithCoral was a massive win: it drastically reduced the token payload sent to our LLM, cut latency, and, because the model now reasons over a few typed rows instead of a raw JSON blob, we saw no hallucinated indicators during the security triage phase in our testing.
What we learned
We learned how to build and debug resilient CI/CD pipelines for mobile apps using Expo EAS and Vercel build overrides. More importantly, we learned the profound difference between writing a rigid Python script and building an autonomous AI agent, alongside the critical importance of abstracting data layers (via Coral) to protect an LLM's token budget and reasoning accuracy.
What's next for Autonomous SOC
We plan to expand our Coral virtual schemas to include more threat intelligence sources, such as VirusTotal and Shodan, so the agent can cross-reference several of them in a single SQL query. On the frontend, we want to add background push notifications for real-time zero-day vulnerability alerts and native biometric authentication (Face ID/fingerprint) to gate access to the analyst's local threat history; since that cache holds the indicators an analyst has investigated, it also needs to be stored encrypted rather than only hidden behind a biometric prompt.