What it does

Containment Countdown turns a risky-identity alert into a human-approved containment decision. A judge opens the live mission route, lowers the policy threshold, watches replayed Splunk-compatible events push confidence over the line, approves containment, then opens the dossier that records signal, context, decision, replay action, and verification.

The product is built around one visible consequence. The model can write a SOC decision note, but it does not own the action. The operator approves or holds replay-mode containment, and the app keeps a receipt that survives after the demo click.

How I built it

The app runs on Cloudflare Workers with Next.js route handlers. Cloudflare D1 stores evidence rows, approvals, containment actions, verification runs, and dossier metadata. KV stores replay and dossier pointers. R2 stores exported dossier JSON. A server-side OpenAI-compatible route writes the SOC decision note without exposing model keys to the browser.

Why it fits the Security track

  • It focuses on risky identity containment, approval control, and verification evidence.
  • It avoids autonomous remediation. The human owns the containment decision.
  • It shows the operational loop in one minute: threshold, approval, action, proof.
  • It includes a root architecture diagram that explains the Splunk-compatible telemetry, reasoning, policy, and storage flow.

Challenges

The hardest part was keeping the demo honest while still making it useful for judges. Cloudflare storage and the reasoning route are live, but live Splunk credentials are not configured for the public deployment. I made that boundary visible: seeded Splunk-compatible telemetry drives the demo, and the Splunk REST path can replace replay once SPLUNK_HOST, SPLUNK_TOKEN, and SPLUNK_INDEX are configured and smoke-tested.

Accomplishments

The public app gives judges a complete path without an account wall: open the mission, cross the threshold, approve replay containment, inspect the dossier, and review the architecture. The shipped loop writes to D1/KV/R2 and produces a stored proof artifact instead of ending at a recommendation.

What I learned

For security operations, the useful product primitive is a decision record. The model can help write the note, but the interface needs to show who approved the action, what evidence crossed the line, and where the receipt lives.
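The loop described under "How I built it" (threshold, replayed evidence, human approval, replay-mode action, verification) and the decision-record primitive described here, as an added TypeScript example. This is not the project's code: every name in it (RiskEvent, Dossier, openCase, replayEvents, recordDecision, verifyContainment, exportDossier) and the seeded event data are this example's own assumptions, and the confidence model (capped sum of per-signal scores) is a stand-in for whatever policy the app actually uses.

```typescript
// Added example, not the project's code. Models the page's loop:
// threshold -> replayed evidence -> human approval -> replay action -> proof.
// Names and scoring are this example's own assumptions.

type RiskEvent = { ts: string; identity: string; signal: string; score: number };
type Decision = "approve" | "hold";

type Dossier = {
  caseId: string;
  identity: string;
  threshold: number;                // policy threshold the operator can lower or raise
  confidence: number;               // aggregated risk, capped at 100
  evidence: RiskEvent[];            // every event replayed, in order
  crossingEvent: RiskEvent | null;  // the event that first pushed confidence over the line
  decision: Decision | null;
  approvedBy: string | null;        // who owned the decision
  decidedAt: string | null;
  action: string | null;            // replay-mode action label; no real IAM/EDR/firewall call
  verification: "not_run" | "pending" | "verified" | "failed";
};

// Seeded Splunk-compatible telemetry, constructed for this example.
const SEEDED_EVENTS: RiskEvent[] = [
  { ts: "2025-01-01T09:00:00Z", identity: "jdoe", signal: "impossible_travel", score: 35 },
  { ts: "2025-01-01T09:04:00Z", identity: "jdoe", signal: "mfa_push_fatigue", score: 25 },
  { ts: "2025-01-01T09:05:30Z", identity: "jdoe", signal: "new_device_token_issued", score: 20 },
];

function openCase(caseId: string, identity: string, threshold: number): Dossier {
  if (threshold < 0 || threshold > 100) throw new Error("threshold must be 0..100");
  return {
    caseId, identity, threshold, confidence: 0, evidence: [], crossingEvent: null,
    decision: null, approvedBy: null, decidedAt: null, action: null, verification: "not_run",
  };
}

// Replay events into the case. Confidence is the capped sum of per-signal scores;
// the first event that lifts confidence to the threshold is recorded as the crossing.
function replayEvents(dossier: Dossier, events: RiskEvent[]): Dossier {
  const next: Dossier = { ...dossier, evidence: [...dossier.evidence] };
  for (const ev of events) {
    if (ev.identity !== next.identity) continue; // scope evidence to this identity only
    next.evidence.push(ev);
    next.confidence = Math.min(100, next.confidence + ev.score);
    if (next.crossingEvent === null && next.confidence >= next.threshold) next.crossingEvent = ev;
  }
  return next;
}

// The human owns the decision. Approval is accepted only once the threshold has been
// crossed; a hold is always allowed. An approval records a replay-mode action label
// and leaves verification pending until post-action state is checked.
function recordDecision(dossier: Dossier, operator: string, decision: Decision, now: string): Dossier {
  if (dossier.decision !== null) throw new Error(`case ${dossier.caseId} already decided`);
  if (decision === "approve" && dossier.confidence < dossier.threshold) {
    throw new Error("approval refused: confidence has not crossed the policy threshold");
  }
  return {
    ...dossier,
    decision,
    approvedBy: operator,
    decidedAt: now,
    action: decision === "approve" ? `replay:contain-identity:${dossier.identity}` : null,
    verification: decision === "approve" ? "pending" : "not_run",
  };
}

// Verification compares post-action demo incident state with what the dossier claims.
function verifyContainment(dossier: Dossier, demoState: { contained: string[] }): Dossier {
  if (dossier.verification !== "pending") return dossier;
  const ok = demoState.contained.includes(dossier.identity);
  return { ...dossier, verification: ok ? "verified" : "failed" };
}

// The receipt: the JSON a store such as R2 would keep after the demo click.
function exportDossier(dossier: Dossier): string {
  return JSON.stringify(dossier, null, 2);
}

// Walks the judge path: threshold 70, replay seeded events, approve, verify.
function runJudgePath(): Dossier {
  let d = openCase("demo", "jdoe", 70);
  d = replayEvents(d, SEEDED_EVENTS);
  d = recordDecision(d, "analyst@example.test", "approve", "2025-01-01T09:06:00Z");
  return verifyContainment(d, { contained: ["jdoe"] });
}
```

The dossier answers the three questions the paragraph names: `approvedBy` and `decidedAt` say who owned the action, `crossingEvent` and `evidence` say what crossed the line, and `exportDossier` is the receipt that outlives the click. Keeping `recordDecision` as the only path that sets `action` is what keeps the model from owning the action: the note-writing route can read a dossier, but nothing in it can approve one.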

What's next

The next milestone is a live Splunk mode with configured Splunk Cloud or Enterprise credentials, a smoke-tested SPL query transcript, and a second verifier that compares post-action telemetry against the stored dossier.

Judge path

  1. Open the live demo.
  2. Go to /mission.
  3. Set the threshold to 70.
  4. Approve replay containment.
  5. Open /dossier/demo and inspect or export the dossier.

Boundary

The public deployment uses seeded Splunk-compatible telemetry. It does not claim live Splunk connectivity. Replay containment changes demo incident state only; it does not call a real IAM, EDR, or firewall system.

Built With

  • cloudflare-d1
  • cloudflare-kv
  • cloudflare-r2
  • cloudflare-workers
  • next.js
  • openai-compatible-api
  • playwright
  • splunk-compatible-telemetry
  • typescript