IRIS-SOC DOCUMENTATION

(Intelligent Response and Intelligent System - Security Operation Centre)

PROBLEM DEFINITION AND CONTEXT

In today’s Africa, digitization is happening faster than ever before, but cybersecurity is still lagging behind. Imagine a mid-sized African university running on old infrastructure, with only a few IT officers (3-5) responsible for monitoring email attacks, Wi-Fi breaches, student and staff portal logins, and more. Each day the system logs thousands of events, yet no one has the tools or time to tell what is normal from what could be a cybersecurity breach or attack. Or imagine a mid-sized bank in West Africa with about 3 to 5 branches spread across urban and semi-rural areas. The bank serves over 60,000 customers and handles millions in daily transactions, but its cybersecurity team might be just five overwhelmed analysts working from a small back office in the headquarters building. This story is not unique to these industries: across banks, schools, hospitals, government agencies, and even startups in Africa, organizations are increasingly becoming targets of cyberattacks, ranging from phishing and malware to sophisticated ransomware. But the tools available to protect against these threats are:

  • Too expensive (globally priced SIEMs and SOC tools)
  • Too complex (requires trained cybersecurity professionals)
  • Too resource-intensive (need cloud infrastructure, stable internet, full-time teams)

As a result, many institutions either don't have Security Operations Centers (SOCs) or operate with outdated, manual processes. According to a 2023 Interpol African Cyberthreat Assessment, phishing, digital extortion, and business email compromise are some of the most prevalent threats across Africa, with an estimated $4 billion in losses annually.
But the reality is that most African SOC analysts, IT admins, and incident response teams are overwhelmed. They manually check logs, react to email alerts, and try to patch threats hours, days, or even weeks after compromise.

Why This Problem Matters in Africa

  • Understaffed SOCs: Many mid-sized African institutions have 3-4 IT personnel responsible for both IT support and security.
  • Expensive licensing: Most global security platforms charge per asset, per feature, pricing out most African SMEs and public organizations.
  • Slow threat response: Manual triage and human-only decision-making result in delayed containment, often after the damage is done.
  • No real-time visibility: Logs may be stored, but rarely analyzed live.
  • Training gaps: There’s a growing cybersecurity talent gap in Africa. Most junior analysts don’t yet have the skills to perform complex threat correlation.

IDENTIFIED CONSTRAINTS

Low Infrastructure & Compute Constraints

Problem: Many African SMEs, schools, and public agencies still operate on basic computing setups, often around 4GB RAM, dual-core CPUs, and without access to enterprise infrastructure or stable power. Outages, reliance on diesel/solar backups, and limited cloud budgets restrict the adoption of traditional SOC tools that require consistent uptime and processing power.

IRIS-SOC’s Solution: IRIS-SOC was designed to operate with minimal local requirements:

  • AI processing is offloaded to Google Cloud via edge relay functions, reducing device-side computation.
  • Backend uses Supabase Edge Functions and FastAPI, which run on low-resource hosting.
  • The platform supports modular enrichment, avoiding unnecessary CPU-intensive processes.
  • Optimized for low-memory environments, even as light as 4GB RAM, without degradation in core functionality.

Impact: Organizations in constrained environments can deploy IRIS-SOC on low-cost cloud plans or lightweight local servers. This makes AI-powered threat detection and response accessible without large infrastructure investment, addressing a real accessibility barrier for many African institutions.

Skills Gap & Human Resource Constraints

Problem: Africa faces a documented shortfall in trained security professionals, with an estimated shortage of 112,000 analysts in the Middle East & Africa, according to the 2023 ISC2 Cybersecurity Workforce Study. Most SMEs, schools, and even government agencies lack dedicated SOC staff, often leaving threat response in the hands of general IT admins.

IRIS-SOC’s Solution:

  • Embedded AI Security Assistant provides natural language summaries, IOC analysis, and MITRE mapping.
  • Offers semi-autonomous response (e.g., isolate IPs, generate reports) based on pre-set permissions.
  • Empowers non-specialists to take action confidently, reducing dependency on full-time cybersecurity hires.

Impact: IRIS-SOC turns complex threat intelligence into simplified, explainable actions, helping even junior staff or solo admins perform at SOC-grade efficiency.

Bandwidth & Connectivity Constraints

Problem: Despite significant progress in internet infrastructure, many African regions still suffer from limited bandwidth, high latency, and inconsistent connectivity. Mobile data often exceeds $4–$5 per GB in some regions such as South Africa, according to a World Economic Forum report. Under these conditions, cloud-heavy tools can become inaccessible.

IRIS-SOC’s Solution:

  • Uses a relay model that selectively sends only essential threat data (like IOC summaries) to Gemini AI, minimizing bandwidth usage.
  • Supports offline-first workflows, queuing logs locally, and performing delayed enrichment when connectivity resumes.
  • Dashboards function with cached or static data, allowing analysts to continue work during network outages.
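The relay and offline-first behaviour described above, as an added example that is not IRIS-SOC project code: each log event is reduced to an IOC summary (IPs, domains, file hashes) before it leaves the device, queued locally, and flushed in batches only when the relay accepts them, with capped exponential backoff between attempts. The `LogEvent`/`IocSummary` shapes, the `Transport` callback and the sample log lines are assumptions constructed for the example; a real transport would be an async HTTP call to the relay endpoint.

```typescript
// Added example (not IRIS-SOC project code): an offline-first relay queue.
// Each log event is reduced to an IOC summary before it leaves the device,
// queued locally, and flushed in batches only when the relay accepts them.

export interface LogEvent {
  id: string;
  source: string;      // e.g. "ssh", "mail-gateway", "proxy"
  receivedAt: string;  // ISO 8601
  message: string;     // the raw log line
}

// What actually crosses the network: indicators plus minimal context.
export interface IocSummary {
  id: string;
  source: string;
  receivedAt: string;
  ips: string[];
  domains: string[];
  hashes: string[];
}

// Deliberately simple extractors; a production version would use a vetted
// IOC parser. The TLD list is an assumption for the example.
const IPV4 = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;
const DOMAIN = /\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|ng|za|ke|gh)\b/gi;
const HASH = /\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b/gi;

function unique(values: string[]): string[] {
  return Array.from(new Set(values.map(v => v.toLowerCase())));
}

export function summarise(event: LogEvent): IocSummary {
  const m = event.message;
  return {
    id: event.id,
    source: event.source,
    receivedAt: event.receivedAt,
    ips: unique(m.match(IPV4) ?? []),
    domains: unique(m.match(DOMAIN) ?? []),
    hashes: unique(m.match(HASH) ?? []),
  };
}

// Relay transport: returns true when the batch was accepted. Synchronous here
// so the example runs without an event loop; a real transport would be async.
export type Transport = (batch: IocSummary[]) => boolean;

export class RelayQueue {
  private pending: IocSummary[] = [];
  private failures = 0;

  constructor(private readonly maxBatch = 50) {}

  enqueue(event: LogEvent): void {
    this.pending.push(summarise(event));
  }

  size(): number { return this.pending.length; }

  // Exponential backoff capped at one minute, driven by consecutive failures.
  nextRetryMs(): number {
    return this.failures === 0 ? 0 : Math.min(60000, 1000 * 2 ** (this.failures - 1));
  }

  // Send full batches while the relay accepts them. On the first rejection the
  // rest stays queued; nothing is dropped while the link is down.
  flush(send: Transport): { sent: number; remaining: number } {
    let sent = 0;
    while (this.pending.length > 0) {
      const batch = this.pending.slice(0, this.maxBatch);
      if (!send(batch)) {
        this.failures += 1;
        break;
      }
      this.pending.splice(0, batch.length);
      this.failures = 0;
      sent += batch.length;
    }
    return { sent, remaining: this.pending.length };
  }
}

// Constructed sample log lines (documentation IP ranges, not real hosts).
export const SAMPLE_EVENTS: LogEvent[] = [
  { id: "e1", source: "ssh", receivedAt: "2024-05-01T08:00:00Z",
    message: "Failed password for root from 203.0.113.7 port 51122 ssh2" },
  { id: "e2", source: "proxy", receivedAt: "2024-05-01T08:00:05Z",
    message: "192.0.2.45 CONNECT update.example-cdn.net:443 then 192.0.2.45 GET http://update.example-cdn.net/a.bin" },
  { id: "e3", source: "mail-gateway", receivedAt: "2024-05-01T08:00:09Z",
    message: "attachment invoice.pdf sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 from billing@mail.example.com" },
];
```

Usage: enqueue events as they arrive, call `flush` with the real transport on a timer, and consult `nextRetryMs()` after a failed flush to decide when to try again; because the raw log line is summarised before queuing, the queue holds only what would be relayed, which is also what keeps the payload small on a metered link.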

Impact: IRIS-SOC is usable in low-bandwidth, high-latency, or intermittently connected environments, making it viable even in underserved or rural areas.

DOCUMENTATION OF DESIGNS, ALTERNATIVES, AND FINAL DECISION

During development, we evaluated deployment strategies based on infrastructure limitations and usability goals relevant to African environments.

Alternative 1: Self-Hosted Backend vs Supabase Edge Functions

Initially, we planned to deploy all backend logic (e.g., log ingestion, threat enrichment) directly within the main application on local infrastructure. However, this required constant uptime, high compute power, and increased complexity, all impractical for low-resource setups. We instead moved core functions to Supabase Edge Functions, leveraging its lightweight, serverless architecture. This reduced latency, minimized power demands, and aligned with our goal of making IRIS-SOC operable even on 4GB RAM systems or budget cloud plans.

Alternative 2: Direct Gemini AI Call vs Relay via Google Cloud Function

Initially, we attempted to connect Supabase Edge Functions directly to Gemini Vertex AI for AI-powered analysis because of Supabase’s powerful edge function capabilities. However, Supabase lacked native support for Google’s authentication protocols and streaming capabilities, leading to frequent request failures and limited reliability. We pivoted to a relay-based architecture, where Supabase collects and structures log data, then forwards it to a dedicated Google Cloud Function. This cloud function interacts natively with Gemini, improving stability, reducing bandwidth usage, and enabling more advanced prompt construction and response handling.

Additionally, we implemented a batch-processing Cloud Function that is triggered by PostgreSQL functions whenever new log or traffic entries have a pending AI analysis status. This batch function securely accesses the database, extracts the relevant logs and contextual information, sends structured prompts to Gemini for analysis, and then writes the enriched results (triage scores, MITRE mappings, containment suggestions) back into the appropriate tables. This design ensures high reliability and efficiency and allows asynchronous AI analysis without overwhelming the main Supabase backend, a crucial advantage in low-bandwidth, resource-constrained African environments.

These choices reflect a strong alignment between design and real-world deployment constraints, ensuring IRIS-SOC remains lightweight, scalable, and accessible across Africa’s diverse tech environments.

Decision Area               | Initial Design                                   | Final Design                                     | Constraint Addressed
----------------------------|--------------------------------------------------|--------------------------------------------------|--------------------------------------------
Backend Function Deployment | Host all functions with frontend (self-managed)  | Move core logic to Supabase Edge Functions       | Power, compute, scalability
AI Integration Approach     | Direct Gemini access from Supabase               | Relay via Google Cloud Function (native client)  | Reliability, compatibility, bandwidth usage

TOOLS USED

Gemini Pro 2.5 via Google Cloud Functions

Type: AI / Cloud-based Inference

We chose Gemini Pro 2.5 for its strong contextual reasoning in cybersecurity and seamless integration with Google Cloud. Instead of running inference from Supabase (which lacks persistent filesystem and external network access), we used a relay-based architecture via Google Cloud Functions. This minimizes local compute demand, reduces bandwidth by transmitting compressed prompts, and suits resource-constrained deployments. Gemini is the brain of IRIS-SOC. It powers IRIS-SOC’s triage, MITRE mapping, and IOC analysis, acting as a virtual SOC analyst in low-skill environments.

Supabase Edge Functions (Deno Runtime)

Type: Serverless Backend

Supabase Edge Functions power our real-time logic and secure API routing. Chosen for their low infrastructure overhead, they enable scalable backend execution on demand, ideal for African settings with limited compute. Their sandboxed design ensures secure execution, while native real-time support enhances responsiveness for SOC dashboards and alerts, without persistent server infrastructure.

Postman

Type: API Testing and Validation Tool

We used Postman extensively during development to test and validate Supabase Edge Functions and Google Cloud Functions. It allowed us to send structured payloads and authenticated POST requests to simulate real log ingestion and AI analysis triggers. This ensured our APIs were functioning correctly, securely, and efficiently before integration into the full IRIS-SOC platform.
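The authenticated log-ingestion endpoint that those Postman requests exercised, as an added example that is not IRIS-SOC project code: the checks a Supabase Edge Function should run before accepting a POSTed batch, written as a pure function over a minimal request shape so it runs outside any runtime. The `Authorization: Bearer` scheme, the payload fields (`source`, `message`), the size limits and the status codes are assumptions; a real deployment would use the runtime's constant-time comparison and would insert accepted rows with a pending analysis status.

```typescript
// Added example (not IRIS-SOC project code): request checks for a log
// ingestion endpoint. Header name, token handling, payload fields and limits
// are assumptions made for the example.

export interface IngestRequest {
  method: string;
  headers: Record<string, string>;   // lower-case header names assumed
  body: string;
}

export interface IngestResponse {
  status: number;
  body: string;
}

const MAX_BATCH = 200;          // entries per request
const MAX_MESSAGE_LEN = 4096;   // bytes of raw log line we are willing to store

// Compare without early exit on the first mismatching character, so response
// timing does not reveal how much of a guessed token was correct.
export function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function isLogEntry(x: unknown): x is { source: string; message: string } {
  if (typeof x !== "object" || x === null) return false;
  const e = x as Record<string, unknown>;
  return typeof e.source === "string" && e.source.length > 0 && e.source.length <= 64
    && typeof e.message === "string" && e.message.length > 0 && e.message.length <= MAX_MESSAGE_LEN;
}

// Authentication first, then shape and size checks, before any work is done.
export function handleIngest(req: IngestRequest, expectedToken: string): IngestResponse {
  if (req.method !== "POST") return { status: 405, body: "method not allowed" };
  const auth = req.headers["authorization"] ?? "";
  const token = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : "";
  if (token.length === 0 || !constantTimeEqual(token, expectedToken)) {
    return { status: 401, body: "unauthorized" };
  }
  let parsed: unknown;
  try { parsed = JSON.parse(req.body); } catch { return { status: 400, body: "invalid json" }; }
  if (!Array.isArray(parsed) || parsed.length === 0) return { status: 400, body: "expected a non-empty array" };
  if (parsed.length > MAX_BATCH) return { status: 413, body: "batch too large" };
  if (!parsed.every(isLogEntry)) return { status: 400, body: "malformed log entry" };
  // Accepted: this is where the real function would insert rows with a
  // pending analysis status for the batch processor to pick up.
  return { status: 202, body: JSON.stringify({ accepted: parsed.length }) };
}

// Constructed sample request, the kind of payload a Postman test would send.
export const SAMPLE_TOKEN = "example-shared-token-not-a-real-secret";
export const SAMPLE_REQUEST: IngestRequest = {
  method: "POST",
  headers: { authorization: "Bearer " + SAMPLE_TOKEN, "content-type": "application/json" },
  body: JSON.stringify([
    { source: "ssh", message: "Failed password for root from 203.0.113.7 port 51122 ssh2" },
    { source: "proxy", message: "192.0.2.45 GET http://update.example-cdn.net/a.bin" },
  ]),
};
```

The ordering matters for a low-resource backend: an unauthenticated caller is rejected before the body is parsed, and oversized or malformed batches are rejected before any row is written, so a misconfigured agent or an abusive client cannot make the edge function spend compute or database capacity.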

AI Platforms (ChatGPT, Gemini, etc.)

Type: AI Assistance Tools

We leveraged AI platforms during development for rapid prototyping, code debugging, and optimizing functions. These tools also assisted in drafting technical documentation and refining implementation approaches, improving development speed and overall solution quality.

What's next for IRIS-SOC

We plan to develop a custom cybersecurity-focused LLM, deeply integrated with global CTI sources, MITRE ATT&CK, NVD, and other threat intelligence feeds. This model will be fine-tuned on diverse real-world incident data to deliver faster, more confident threat analysis and autonomous response capabilities. Future iterations will also:

  • Expand real-time integrations with EDR, firewalls, and SIEM tools.
  • Introduce basic multi-tenant SOC features for MSSPs.
  • Enhance offline-first capabilities for low-connectivity environments.
  • Enhance the lightweight endpoint agent for direct traffic and event forwarding.

These upgrades aim to make IRIS-SOC a fully autonomous, next-generation SOC platform tailored for Africa and beyond.
