CLARA

Post scan results, easy to view ranking of vulnerable attack chains
Simple, yet super informational panel to identify where vulnerabilites root from and how to fix them

Inspiration

Security teams in the modern world have to interact with overwhelming security alerts. Tools like Bandit, OWASP ZAP, and npm audit output numerous raw alerts per scan with no information on priority, context, or connection to real-world impact. Teams have to dig through lines and lines of JSON, trying to contextualize what is significant. We built CLARA to understand the problem, not just find the vulnerabilities.

What it does

Clara is a layered triage agent that synthesizes output from SAST, DAST, and OSS security scans into prioritized attack chains. Instead of outputting tens to hundreds of scattered alerts, CLARA groups findings, explains how an attack would chain findings, MITRE ATT&CK techniques, and recommends a concrete fix in plain English. The result is a few named attack chains that give security teams exactly what they need to act.

How we built it

We built CLARA on a LangGraph.js agentic pipeline powered by Gemini 3.1 Flash Lite. The pipeline runs seven nodes: ingestion and normalization, deduplication across tools, clustering by attack surface, chain synthesis, MITRE ATT&CK mapping, prioritization, and report formatting. The frontend is built in React with a split-pane interface showing raw scan output alongside CLARA's synthesized chains. We used real scan data from three intentionally vulnerable targets, OWASP Juice Shop, pygoat, and Impacket, to validate the pipeline across different stacks and vulnerability types.

Challenges we ran into

Our biggest challenge was hitting usage limits across AI models. Every time we'd get the pipeline working and start stress-testing it across all three targets, we'd hit a rate limit and lose momentum. This forced us to be extremely deliberate about when and how we made API calls, which shaped the architecture more than we expected. Choosing the right model was also non-trivial. We evaluated options based on context window size, JSON output consistency, and latency, and landed on Gemini 3.1 Flash Lite because of its large context window let us feed the full multi-tool scan in a single coherent pass.

Accomplishments that we're proud of

We're proud that CLARA actually works on real scan data and not preloaded examples. Watching tens of raw alerts collapse into a few coherent, named attack chains with MITRE mappings in real time was the moment we knew the core idea was solid. We're also proud of the pipeline architecture being a genuinely multi-step agentic system with conditional self-correction that goes well beyond a simple prompt wrapper.

What we learned

We learned that the hardest part of agentic AI systems isn't the individual LLM calls: it's the state management and error recovery between nodes. We also learned that prompt design is as much of an engineering discipline as the code itself. The chain synthesis prompt went through over a dozen iterations before it produced output we trusted. And we learned that Gemini's large context window is a genuine product differentiator for multi-document reasoning tasks like this one.

What's next for CLARA

CI/CD integration is the natural next step, meaning CLARA runs automatically on every pull request, blocking merges when critical attack chains are detected. Beyond that, we want to expand compatibility to more scanner types, add a human-in-the-loop pause so teams can remove false positives before chain synthesis, and build a report export feature for security audits. The long-term vision is CLARA as the reasoning layer that sits on top of any security toolchain, regardless of what scanners a team is already using.