Inspiration

Modern Security Operations Centers (SOCs) are drowning in alert fatigue. Analysts spend countless hours chasing down false positives, so when a genuine, high-speed attack like ransomware hits, the human response time is simply too slow. We realized that AI shouldn't just be a chatbot that analysts query: it should be an autonomous teammate. We built GUARDIAN to act as a 24/7 autonomous Tier-1 security analyst that intercepts threats at machine speed.

What it does

GUARDIAN is a fully autonomous, event-driven SOAR (Security Orchestration, Automation, and Response) platform. When Splunk detects an anomaly, it fires a webhook directly into our multi-agent AI pipeline:

The Triage Agent analyzes the Splunk log as it arrives, scores its severity, and automatically closes false positives. For critical alerts the Investigate Agent takes over, querying VirusTotal and AlienVault for real-time threat intelligence on the attacking IPs. The Remediate Agent correlates this data, selects a containment playbook, and immediately pushes an incident briefing to the security team's Telegram channel. All of this is visualized on a stunning Next.js dashboard that updates in real time without the user ever refreshing the page.

How we built it

GUARDIAN is built on a highly resilient, decoupled architecture:

Frontend: Next.js and Tailwind CSS (deployed on Vercel). We built a sleek, dark-mode command center featuring an integrated "Attack Simulator Terminal" so anyone can safely test the pipeline.

Backend: FastAPI (deployed on Render). We use an asynchronous event queue built on FastAPI BackgroundTasks to ensure high throughput.

The AI Brain: Powered by Splunk's Hosted ML Models, with a seamless, automatic failover to Azure OpenAI (gpt-5.4).

Live Integrations: 100% real APIs. We integrated VirusTotal, AlienVault OTX, and the Telegram Bot API.

Challenges we ran into

One of our biggest hurdles was architectural constraints. We initially designed a distributed background worker system using Celery and Redis. However, due to cloud deployment restrictions, we had to pivot mid-hackathon, migrating our distributed task queue into an embedded BackgroundTasks pipeline running directly inside the FastAPI container.

Additionally, parsing complex, deeply nested Splunk log formats into clean, structured schemas that the multi-agent LLM pipeline could accurately reason about without hallucinating required strict prompt engineering and Pydantic validation.
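An added example (not GUARDIAN's own code) of the parse-and-triage stage described here and in the pipeline section: it flattens a Splunk webhook alert into a validated flat schema and applies a deterministic pre-score to decide whether to auto-close the alert or escalate it to investigation. It uses only the standard library (a dataclass in place of the project's Pydantic model); the payload, field names, signals, and thresholds are assumptions.

```python
import ipaddress
import json
from dataclasses import dataclass

# Constructed Splunk webhook alert: saved-search metadata on top, matched event
# fields nested under "result". Every value here is invented for the example.
SAMPLE_WEBHOOK = json.dumps({
    "sid": "scheduler__admin__search__EXAMPLE", "app": "search", "owner": "admin",
    "search_name": "Ransomware - Mass File Rename",
    "result": {"src_ip": "10.0.5.23", "dest": "FILESRV01",
               "file_count": "4213", "signature": "ransom_note_dropped"},
})

@dataclass
class TriageEvent:  # flat, validated schema handed to the triage stage
    alert_id: str
    rule: str
    src_ip: str
    dest: str
    signature: str
    file_count: int = 0

def parse_splunk_webhook(raw: str) -> TriageEvent:
    """Validate the nested payload and flatten it; bad input fails here, not in an LLM."""
    body = json.loads(raw)
    result = body.get("result")
    if not isinstance(result, dict):
        raise ValueError("payload has no 'result' object")
    missing = [k for k in ("src_ip", "dest", "signature") if not result.get(k)]
    if missing:
        raise ValueError(f"result is missing required fields: {missing}")
    ipaddress.ip_address(result["src_ip"])  # raises ValueError on a bad IP
    return TriageEvent(str(body.get("sid", "")), str(body.get("search_name", "")),
                       result["src_ip"], result["dest"], result["signature"],
                       int(result.get("file_count", 0)))

def triage_score(ev: TriageEvent) -> int:
    """Deterministic 0-100 pre-score; signals and weights are example assumptions."""
    score = 0
    if "ransom" in f"{ev.rule} {ev.signature}".lower():
        score += 60  # rule or signature names ransomware behaviour
    if ev.file_count >= 1000:
        score += 30  # bulk file activity against a single host
    if ipaddress.ip_address(ev.src_ip).is_private:
        score += 10  # source is already inside the network
    return min(score, 100)

def route(ev: TriageEvent) -> str:  # escalate critical alerts, auto-close the rest
    return "investigate" if triage_score(ev) >= 70 else "close-false-positive"
```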

Accomplishments that we're proud of

We are incredibly proud that GUARDIAN contains absolutely zero mock data. Every single piece of Threat Intelligence, AI reasoning, and Splunk log routing is 100% live.

We are also extremely proud of our "Attack Simulator Terminal" built directly into the UI. With a single click of a button, users can fire a simulated ransomware payload into the cloud, watch the terminal dispatch the webhook, and visually see the autonomous agents crush the attack live on screen.

What we learned

We learned the immense power of "Agentic Architecture." By breaking the AI down into highly specialized micro-agents (Triage, Investigate, Remediate) rather than using one massive prompt, we dramatically reduced hallucinations and increased the speed and accuracy of the security response.

What's next for GUARDIAN

Currently, GUARDIAN notifies the team of the containment playbook. The next step is Two-Way Splunk Integration. We want GUARDIAN to autonomously execute reverse webhooks back into the Splunk Forwarders to literally quarantine infected endpoints on the network without human intervention. We also plan to integrate long-term memory databases, allowing the agents to detect Advanced Persistent Threats (APTs) occurring over months rather than just isolated events.
