Inspiration
Security analysts deal with noisy, incomplete, and competing signals every day. I realized the hardest part of security operations is not collecting data, but deciding what actually deserves attention. As a solo developer, I wanted to solve alert fatigue by building a system that provides complete cognitive offload. The goal was to create a terminal where the analyst never has to hunt for meaning. The story is assembled automatically, clearly, and calmly, enabling confident decision-making under uncertainty.
What it does
S.O.C.R.A.T.E.S. (Security Operations Center Reasoning & Analytic Triage for Escalation Stories) acts as a high-fidelity tactical advisor. Instead of using AI for triage, it relies on a deterministic mathematical algorithm to cluster raw CSV logs into coherent “Attack Stories” based on user identity and time windows.
A custom velocity-based heuristic detects exact “Story Pivots,” moments where behavior escalates. These pivots ensure prioritization is transparent, explainable, and defensible. For each attack story, the system delivers a complete briefing package: a clear explanation of what happened, a visual attack chain, a voice-narrated briefing, and one-click remediation actions.
How we built it
The Brain
A Python engine built with Pandas and NumPy runs a deterministic prioritization algorithm. Instead of vague scoring, it uses a clear and weighted risk & escalation formula:
The Risk Scoring Formula
Risk Score = (Severity Weight × 20) + (Confidence × 15) + Escalation Bonus
Severity Weighting: To make the math work, the text-based severity levels are converted into numbers:
Critical: 4
High: 3
Medium: 2
Low: 1
Informational: 0
The Escalation Bonus
A flat +65 points is added to the score whenever the algorithm detects a "Behavioral Escalation." This bonus is what pushes a suspicious user to the top of the queue immediately.
The Escalation Heuristic (The "Pivot")
The algorithm identifies a "Pivot" by looking for a specific pattern in the user's logs. An escalation is triggered if:
Severity Increases: The current event has a higher severity than the user’s previous event (e.g., jumping from Low to High).
AND
Rapid Timing: This jump happens within 1,200 seconds (20 minutes) of the previous activity.
This precise math ensures that the system ignores steady background noise but instantly flags any user whose behavior is rapidly becoming more dangerous.
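The scoring formula, severity weights, +65 escalation bonus and 1,200-second pivot window above, worked through end to end on a constructed CSV. This is an added example and not the project's own code; it uses only the Python standard library rather than Pandas/NumPy, clusters stories per user only (the time-window split is not specified on the page), and assumes a 0 to 1 confidence scale, the column names timestamp/user/severity/confidence/event, and that a missing or unrecognised severity is treated as Informational (weight 0).

```python
"""Added example (not the project's own code): the S.O.C.R.A.T.E.S. risk score and
pivot heuristic as described on the page, reimplemented with the standard library.
Column names, the 0-1 confidence scale and the sample rows are assumptions."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Severity weighting from the page (text label -> number).
SEVERITY_WEIGHT = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
ESCALATION_BONUS = 65        # flat bonus for a detected "Behavioral Escalation"
PIVOT_WINDOW_SECONDS = 1200  # 20 minutes

# Constructed sample logs (not real data). Note dave's empty severity/confidence.
SAMPLE_CSV = """timestamp,user,severity,confidence,event
2024-01-01T09:00:00,alice,Low,0.9,login_success
2024-01-01T09:05:00,alice,High,0.8,privilege_change
2024-01-01T10:00:00,bob,Medium,0.3,failed_login
2024-01-01T12:00:00,bob,Critical,0.2,malware_alert
2024-01-01T11:00:00,carol,Informational,0.5,file_read
2024-01-01T11:10:00,carol,Low,1.0,new_process
2024-01-01T13:00:00,dave,,,port_scan
"""


def parse_logs(text):
    """Parse CSV text into event dicts, tolerating missing confidence/severity."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        try:
            conf = float(r.get("confidence") or 0)
        except ValueError:
            conf = 0.0  # unparsable confidence counts as no confidence (assumption)
        rows.append({
            "ts": datetime.fromisoformat(r["timestamp"]),
            "user": r["user"],
            "severity": r.get("severity") or "Informational",  # assumption for blanks
            "confidence": conf,
            "event": r.get("event", ""),
        })
    return rows


def is_pivot(prev, cur):
    """Pivot: severity rises AND the gap since the user's previous event <= 1200 s."""
    if prev is None:
        return False
    sev_up = SEVERITY_WEIGHT.get(cur["severity"], 0) > SEVERITY_WEIGHT.get(prev["severity"], 0)
    gap = (cur["ts"] - prev["ts"]).total_seconds()
    return sev_up and 0 <= gap <= PIVOT_WINDOW_SECONDS


def risk_score(event, escalated):
    """Risk Score = (Severity Weight x 20) + (Confidence x 15) + Escalation Bonus."""
    score = SEVERITY_WEIGHT.get(event["severity"], 0) * 20 + event["confidence"] * 15
    if escalated:
        score += ESCALATION_BONUS
    return round(score, 2)


def build_stories(rows):
    """Cluster events by user, order by time, flag pivots and score each event.
    Returns {user: [events with 'pivot' and 'score']}, ordered by peak score desc."""
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user"]].append(r)
    stories = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        prev, scored = None, []
        for e in events:
            pivot = is_pivot(prev, e)
            scored.append({**e, "pivot": pivot, "score": risk_score(e, pivot)})
            prev = e
        stories[user] = scored
    return dict(sorted(stories.items(),
                       key=lambda kv: max(ev["score"] for ev in kv[1]), reverse=True))


def triage_queue(text=SAMPLE_CSV):
    """Analyst queue: (user, peak score, had a pivot) from most to least urgent."""
    stories = build_stories(parse_logs(text))
    return [(u, max(e["score"] for e in evs), any(e["pivot"] for e in evs))
            for u, evs in stories.items()]


if __name__ == "__main__":
    for user, peak, pivot in triage_queue():
        print(f"{user:8} peak={peak:7.2f} pivot={pivot}")
```

Running it shows the bonus doing its job: carol's Low event (weight 1) lands at 100 because it followed an Informational event ten minutes earlier, which outranks bob's Critical alert at 83 that had no recent lower-severity predecessor; alice's Low-to-High jump within five minutes scores 137 and tops the queue. The unknown-severity row for dave falls to 0, which is exactly where the page says low-confidence, context-free alerts belong.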
The Intelligence
Google Gemini interprets the clustered events and explains why a specific event matters, using concise and plain language suitable for rapid analyst comprehension.
The Voice
The ElevenLabs API narrates briefings so analysts can absorb context without reading, reducing cognitive strain during high-pressure scenarios.
The HUD
A minimalist Streamlit interface displays only what is unmistakable and urgent, intentionally removing distractions to reduce cognitive overload.
The Persistence
Snowflake stores and processes synthetic SOC-style event data. It reflects real-world log scale and ensures the signal-to-decision pipeline remains fast even under heavy volume.
Challenges we ran into
Security data is inherently messy. Alerts may be labeled “Critical” while having very low confidence. In other cases, important context such as destination IPs or user metadata is missing.
Displaying every high-severity alert overwhelms analysts with false emergencies. Instead of filtering data, I built a risk scoring algorithm that weights uncertainty. Low-confidence alerts are deprioritized, while sudden behavioral changes trigger sharp score increases. This allows the system to surface what is most likely to be a real threat without forcing analysts to dig through ambiguous data.
Accomplishments that we're proud of
I transformed a confusing spreadsheet of hundreds of raw log entries into a clear, structured narrative. What was once overwhelming can now be understood immediately.
The system enables a user to go from raw logs to a finished incident report in under 60 seconds. It uncovers hidden attacks, explains why they matter, and provides concrete next steps. This makes effective security analysis possible even for non-experts.
What we learned
Clear thinking is only possible when noise is removed. More data does not lead to better decisions. Cognitive overload is the real enemy.
By using deterministic algorithms to manage uncertainty, I learned that the ambiguous and repetitive parts of security analysis can be automated. This allows humans to focus on judgment, accountability, and final decision-making, backed by evidence.
What's next for S.O.C.R.A.T.E.S
The next phase is integrating live threat intelligence feeds so emerging threats are recognized immediately. I also plan to implement multi-hypothesis modeling, where the system presents multiple plausible explanations for an incident, giving analysts greater clarity during complex attacks.
Built With
- elevenlabs
- gemini
- python
- snowflake
- sqlalchemy
- streamlit