Inspiration

Every day, cybersecurity analysts face a massive bottleneck: the blank page. When an attack happens, logs flood in and evidence scatters across a dozen tools. Before anything can be escalated or acted upon, a highly skilled security professional has to spend 2–4 hours manually formatting a document. For smaller organizations, NGOs, and under-resourced security teams, especially across Africa, this isn't just an administrative annoyance; it's a dangerous gap in response time that attackers exploit. We built IRIS-SOC because professional reporting shouldn't be a privilege reserved for massive enterprise teams. We wanted to turn raw chaos into actionable, standardized intelligence in seconds, allowing analysts to get back to what they do best: hunting threats.

What it does

IRIS-SOC Reporting Platform is an AI-powered platform purpose-built for Security Operations Centers (SOCs). An analyst simply pastes in their raw, messy findings: server logs, investigation notes, script outputs, or threat data. IRIS-SOC automatically understands the context, classifies the report type, and generates a polished, professional security report in under 60 seconds. It ships with five templates aligned to international standards (like NIST SP800-61, STIX 2.1, and OWASP) and seamlessly exports to Google Docs, PDF, or Word.

How we built it

We designed IRIS-SOC with a modern, enterprise-grade stack:

  1. Frontend: Built a fast, responsive, and clean chat-like interface using React (Vite).
  2. Backend: Powered by Python and FastAPI to handle fast, production-ready API requests.
  3. AI Engine: Integrated Google Gemini 2.5 Pro (via Vertex AI) for its state-of-the-art structured output capabilities and low hallucination rate.
  4. Document Generation: Leveraged the Google Docs API to automatically generate and format the reports in real-time.
  5. Storage & Security: Used AWS S3 to host secure, time-limited download links (auto-expiring after 7 days) and ensured all data is handled with strict NDPA/GDPR compliance and AES-256 encryption.

Challenges we ran into

Our biggest hurdle was ensuring technical precision. Most AI generators summarize or paraphrase text, which is catastrophic in cybersecurity. If an AI alters a CVE number, an IP address, or a file hash, the report becomes useless or, worse, misleading. We had to rigorously prompt-engineer and structure our Gemini API calls to ensure it acted as a strict parser rather than a creative writer. We trained the system to preserve technical indicators exactly as entered and to gracefully output "Not provided" when data was missing, prioritizing integrity over the appearance of a "complete" document. Handling the massive variance in unstructured log formats was also a significant parsing challenge that required extensive iterative testing.
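Prompting alone cannot guarantee that a model preserves indicators, so a practitioner would normally back it with a deterministic gate that compares the analyst's input against the generated text. The following is an added example of such a gate, not IRIS-SOC's own code: it extracts CVE IDs, IPv4 addresses and MD5/SHA-256 hashes from both sides, reports anything the model dropped or altered and anything it introduced, and shows how indicator fields can be filled with "Not provided" when the input lacks them. The pattern set, the field names and the sample input and reports are all constructed for illustration.

```python
import re

# Added example, not IRIS-SOC's own code: a post-generation integrity gate that
# checks whether the technical indicators an analyst pasted in survived the
# LLM rewrite unchanged, and flags any indicator the model introduced.
# The pattern set and the "Not provided" placeholder are assumptions.

INDICATOR_PATTERNS = {
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,7}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE),
    "md5": re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE),
}
PLACEHOLDER = "Not provided"


def extract_indicators(text: str) -> dict[str, set[str]]:
    """Collect every indicator verbatim (no case folding or trimming): the
    requirement is exact preservation, so a hash whose case changed counts
    as a different value."""
    return {name: {m.group(0) for m in pat.finditer(text)}
            for name, pat in INDICATOR_PATTERNS.items()}


def check_report_integrity(raw_input: str, report: str):
    """Compare indicators in the analyst's input against the generated report.

    Returns (missing, unexpected): indicators the model dropped or altered,
    and indicators that appear in the report but never in the input (a
    likely hallucination). Both empty means the report passed the gate."""
    src = extract_indicators(raw_input)
    out = extract_indicators(report)
    missing = {k: sorted(src[k] - out[k]) for k in src if src[k] - out[k]}
    unexpected = {k: sorted(out[k] - src[k]) for k in out if out[k] - src[k]}
    return missing, unexpected


def indicator_fields(raw_input: str) -> dict[str, str]:
    """Fill a fixed set of report fields straight from the input, writing the
    placeholder for any indicator type the analyst did not supply instead of
    leaving the model free to invent one."""
    found = extract_indicators(raw_input)
    return {name: ", ".join(sorted(vals)) if vals else PLACEHOLDER
            for name, vals in found.items()}


# Constructed sample input and two candidate reports (not real incident data;
# the CVE year, IP ranges and hash are deliberately placeholder-looking).
RAW_INPUT = """EDR alert: host 10.20.30.44 made an outbound TLS connection to 203.0.113.17.
Dropped binary sha256: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Vendor advisory references CVE-2099-00001."""

GOOD_REPORT = """Incident summary
Affected host 10.20.30.44 contacted external address 203.0.113.17.
Artifact: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Related vulnerability: CVE-2099-00001."""

# The model "corrected" the last octet and paraphrased the CVE away.
BAD_REPORT = """Incident summary
Affected host 10.20.30.44 contacted external address 203.0.113.18.
Artifact: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Related vulnerability: a remote code execution flaw."""

if __name__ == "__main__":
    print(check_report_integrity(RAW_INPUT, GOOD_REPORT))
    print(check_report_integrity(RAW_INPUT, BAD_REPORT))
    print(indicator_fields(RAW_INPUT))
```

A report that fails the gate can be rejected or returned to the model with the missing indicators listed, and the `unexpected` set is the more important signal for a SOC: a single-octet change in an IP address reads as plausible to a human reviewer but sends the responder to the wrong host.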

What we learned

We learned a massive amount about forcing Large Language Models into strict, predictable schemas. We also gained a deep appreciation for international cybersecurity frameworks (like STIX 2.1 and FIRST TLP 2.0) and how vital standardizing threat intelligence is for the global security community. On the infrastructure side, we leveled up our skills in securely managing ephemeral file storage and real-time document generation via APIs.

What's next for IRIS-SOC

We are starting with reporting, but our vision is much larger. The immediate roadmap includes:

  1. Automated playbook generation based on the incident type.
  2. Multi-analyst collaboration features for complex, multi-day incidents.
  3. Direct API integrations with major SIEM platforms (like Splunk or Microsoft Sentinel) to pull logs automatically without manual copy-pasting.
