Project Story: Prometheus Siren Pro

Inspiration

Modern cybersecurity is dangerously reactive. Most organizations identify vulnerabilities only after a breach has occurred, leading to a perpetual cycle of "catch-up" security where human analysts are overwhelmed by the sheer volume of logs. We were inspired by the biological immune system—a structure that doesn't just wait for an infection to be fatal, but actively identifies, traps, and develops antibodies for pathogens in real-time. Our goal was to build a "Cyber-Immune System" where software possesses the intrinsic intelligence to diagnose, deceive, and heal itself without human intervention.

What it does

Prometheus Siren Pro is an autonomous "Action Intelligence" agent that transforms a static web application into a living, defensive organism.

- Active Deceptive Defense: Instead of just blocking IPs, it diverts malicious traffic into the "Siren Honeypot"—a high-interaction environment that mimics real databases and filesystems to exhaust attacker resources.
- Autonomous Self-Healing: When an exploit is detected, the "Prometheus Agent" identifies the vulnerable code path and generates a verifiable, production-ready patch.
- Agentic Reasoning: Unlike standard firewalls, it "thinks" through threats. When faced with a Zero-Day, it autonomously researches the web to understand the exploit and bring back a mitigation strategy.

How we built it

The system is architected as a high-performance pipeline utilizing a Mixture of Experts (MoE) architecture:

The Gateway (The Shield): A Flask-based reverse proxy (`src/gateway/router.py`) acts as the entry point. It calculates a preliminary threat score $S$ based on an ensemble of classifiers:

$$S = w_1 \cdot R_{egex} + w_2 \cdot M_{L} + w_3 \cdot G_{emini}$$

Threat Detection (The Brain): We tiered our detection for maximum efficiency. A Regex engine handles known signatures ($<1$ms), an XGBoost model extracts features from payload character distributions ($\sim 5$ms), and Gemini 3 provides deep semantic analysis for multi-stage attacks.

Siren Honeypot (The Trap): We built high-interaction modules like `FakeSQL` and `FakeFS` to simulate Linux structures. This allows us to capture the attacker's specific "Exploit PoC" (Proof of Concept) in a safe sandbox.

Prometheus Agent (The Healer): It utilizes a Qdrant Vector Database to perform semantic searches across the codebase using cosine similarity to find the vulnerable function:

$$\text{similarity} = \cos(\theta) = \frac{\mathbf{A} \cdot \mathbf{B}}{|\mathbf{A}| |\mathbf{B}|}$$

Once located, Gemini generates a "Thought-Signed" patch.

Challenges we ran into

The most significant hurdle was AI Trust. Allowing an autonomous agent to patch production code is a massive operational risk. We solved this by implementing Thought Signatures—cryptographically signed logs of the AI's internal reasoning using the Gemini 3 Thinking API. This ensures every code modification is justified by a verifiable "internal monologue" that humans can audit after the fact.

We also faced a Latency vs. Security trade-off. Running every request through a large model is too slow. We mitigated this by building a tiered scoring system where only requests with a mid-range suspicion score ($0.5 \le S < 0.8$) are escalated for deep reasoning, while high-score threats are instantly diverted to the honeypot to prevent bottlenecking the "safe" traffic.

Accomplishments that we're proud of

We are incredibly proud of our Log4Shell (CVE-2021-44228) demonstration. Our system successfully detected a suspicious `${jndi:ldap...}` header, autonomously researched the vulnerability online, checked our internal `pom.xml` via Context Cache, and applied a configuration-level mitigation to disable JNDI lookups—all in under 60 seconds without human intervention. This proves that "System 2" agentic reasoning can effectively guard against world-class threats.

What we learned

We learned that Action Intelligence is the next frontier for LLMs. By utilizing Context Caching, we discovered we could give the agent a "long-term memory" of attack patterns spanning 1M+ tokens without the $O(n)$ latency penalty. We also learned that the "Thinking" process of Gemini 3 is a critical security feature; the ability for a model to "verify its own assumptions" before outputting a patch reduced our simulated false-positive rate for complex injection detection by approximately $40\%$.

What's next for Prometheus Siren Pro

The future of Siren Pro lies in Collaborative Defense:

- Multi-Agent Red/Blue Teaming: Implementing a system where one Gemini model attempts to break the generated patch before it is applied.
- Real-time Grounding: Fully enabling the `google_search_retrieval` tool so the agent stays updated with live zero-day disclosures every hour.
- Edge Deployment: Moving the MoE detection logic to the network edge (Cloudflare Workers) to stop attacks before they ever reach the application server.
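
The tiered scoring from "How we built it" and "Challenges we ran into", sketched as an added example; this is not the project's `router.py`. The weights, the two signatures, the metacharacter-density stand-in for the XGBoost tier, the renormalised preliminary score and the fail-closed handling are all assumptions; only the formula for $S$ and the 0.5 / 0.8 thresholds come from the text above.

```python
import re

# Assumed values: the page gives the formula and the 0.5 / 0.8 thresholds,
# but not the weights, the signatures or the character features.
W_REGEX, W_ML, W_DEEP = 0.4, 0.2, 0.4
ESCALATE, DIVERT = 0.5, 0.8
SIGNATURES = [re.compile(r"\$\{\s*jndi\s*:", re.I),   # JNDI lookup string
              re.compile(r"<\s*script\b", re.I)]      # inline script tag
META = set("${}<>'\";|&()`\\")


def regex_score(payload):
    """Tier 1: 1.0 if any known signature matches, else 0.0."""
    return 1.0 if any(s.search(payload) for s in SIGNATURES) else 0.0


def char_score(payload):
    """Tier 2 stand-in for the ML model: metacharacter density in [0, 1]."""
    if not payload:
        return 0.0
    return min(1.0, 3.0 * sum(c in META for c in payload) / len(payload))


def route(payload, deep_analyze):
    """Return (decision, score); deep_analyze runs only for mid-range scores."""
    r, m = regex_score(payload), char_score(payload)
    # Preliminary S from the cheap tiers, renormalised so it stays in [0, 1].
    s = (W_REGEX * r + W_ML * m) / (W_REGEX + W_ML)
    if s >= DIVERT:
        return "honeypot", s          # high score: divert, skip the slow tier
    if s < ESCALATE:
        return "allow", s
    try:
        g = min(1.0, max(0.0, float(deep_analyze(payload))))
    except Exception:
        return "honeypot", s          # slow tier failed: fail closed
    s = W_REGEX * r + W_ML * m + W_DEEP * g   # full S = w1*R + w2*M + w3*G
    return ("honeypot" if s >= ESCALATE else "allow"), s


if __name__ == "__main__":
    # Constructed sample payloads, not captured traffic.
    for p in ["name=alice&page=2", "${jndi:ldap://example.invalid/a}",
              "${jndi:ldap}${jndi:ldap}"]:
        print(p, route(p, lambda _: 0.9))
```

Treating a failed or timed-out deep analysis as a honeypot diversion keeps an outage of the slow tier from turning every mid-range request into an allowed one.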
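
One way to make the audit log described under "Challenges we ran into" tamper-evident, as an added example that is not the project's Thought Signature code and does not use the Gemini API. It assumes an HMAC key held outside the agent's reach and a hypothetical record layout that binds each reasoning text to the exact patch it justified and to the previous record.

```python
import hashlib
import hmac
import json


def sign_record(key, reasoning, patch, prev_sig=""):
    """Bind the reasoning text to the exact patch and to the previous record."""
    body = {
        "reasoning_sha256": hashlib.sha256(reasoning.encode()).hexdigest(),
        "patch_sha256": hashlib.sha256(patch.encode()).hexdigest(),
        "prev": prev_sig,   # chaining makes deletion or reordering detectable
    }
    msg = json.dumps(body, sort_keys=True).encode()
    body["sig"] = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return body


def verify_chain(key, records, artifacts):
    """Return the index of the first record that fails, or -1 if all verify.

    artifacts is the list of (reasoning, patch) pairs as currently stored.
    """
    prev = ""
    for i, (rec, (reasoning, patch)) in enumerate(zip(records, artifacts)):
        expected = sign_record(key, reasoning, patch, prev)
        sig = str(rec.get("sig", ""))
        if rec.get("prev") != prev or not hmac.compare_digest(sig, expected["sig"]):
            return i
        prev = sig
    if len(records) != len(artifacts):
        return min(len(records), len(artifacts))   # a record or artifact is missing
    return -1


if __name__ == "__main__":
    key = b"constructed-demo-key"   # constructed; use a managed secret in practice
    arts = [("reasoning text A", "patch text A"), ("reasoning text B", "patch text B")]
    r0 = sign_record(key, *arts[0])
    r1 = sign_record(key, *arts[1], prev_sig=r0["sig"])
    print(verify_chain(key, [r0, r1], arts))
```

A valid signature shows that the stored reasoning and patch are the ones that were logged, not that the reasoning is sound; the audit still has to read it.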
Built With
- docker
- flask
- gemini
- python
- qdrant
- scikit-learn
- xgboost