Inspiration
During my cybersecurity internship at Habib Bank Limited, I spent months working alongside SOC analysts responding to real security incidents. I watched experienced analysts spend hours correlating logs across dozens of systems, manually mapping attacks to frameworks, and writing incident reports, all while attackers moved freely through compromised networks.
One incident stuck with me: a credential compromise that escalated to lateral movement across critical systems. By the time the team had correlated all the evidence, the attacker had been inside for over 4 hours. The tools showed us data, but we still had to do all the thinking.
When I saw Gemini 3's multimodal reasoning capabilities, I immediately thought: what if AI could think like a senior SOC analyst? Not just summarize logs or answer questions, but actually reason through an incident, explain its logic, and generate actionable response plans.
That's how SENTINEL AI was born.
What it does
SENTINEL AI is an autonomous incident commander that transforms raw security data into structured, actionable intelligence in seconds.
Input: Security logs, SIEM alerts, network topology diagrams
Output:
- Assessment: Incident classification, severity, and transparent reasoning path
- Kill Chain: MITRE ATT&CK technique mapping (T1110 → T1078 → T1133)
- Playbook: NIST 800-61R2 aligned response actions with role assignments
The key differentiator is the Logical Reasoning Path: SENTINEL doesn't just give you an answer; it shows you why. Every conclusion is tied to specific evidence, just as a senior analyst would explain their thinking.
How I built it
Architecture
Input Layer → Gemini 3 Reasoning Engine → Structured Output
The system uses a three-stage reasoning pipeline:
$$\text{Stage}_1(\text{Assessment}) \rightarrow \text{Stage}_2(\text{Kill Chain}) \rightarrow \text{Stage}_3(\text{Playbook})$$
Each stage builds on the previous, creating a coherent analysis chain that mirrors real-world incident response workflows.
Tech Stack
| Layer | Technology |
|---|---|
| Frontend | React + TypeScript |
| AI Engine | Gemini 3 Multimodal API |
| Prompt Engineering | Custom multi-stage reasoning prompts |
| Framework | NIST 800-61R2 + MITRE ATT&CK |
| Deployment | Google AI Studio → Cloud Run |
Prompt Engineering
The core innovation is in the system prompt design. Rather than a simple Q&A prompt, I created a structured reasoning protocol:
- CORE IDENTITY — Establishes the "Senior Incident Commander" persona
- INPUT HANDLING — Defines how to process logs, alerts, and images
- RESPONSE PROTOCOL — Three-stage output structure
- COMMANDER REASONING — Instructions to expose the logical thought process
- SELF-VERIFICATION — Prompts the model to check its own assumptions
This approach transforms Gemini 3 from a chatbot into a decision-support system.
Challenges I ran into
Challenge 1: Getting Structured Output
Problem: Gemini would produce great analysis but in inconsistent formats—sometimes paragraphs, sometimes bullets, rarely matching what the UI expected.
Solution: I learned that prompt structure directly maps to output structure. By using clear section headers (STAGE 1: INITIAL ASSESSMENT) and explicit format instructions in the prompt, I achieved consistent JSON-friendly output that the React frontend could reliably parse.
Challenge 2: Reasoning Transparency
Problem: Early versions gave confident answers but couldn't explain why. This is a critical flaw for security tools—analysts need to trust but verify.
Solution: I added the "Logical Reasoning Path" requirement to the prompt, using phrases like:
- "Explain WHY you classified the severity as you did"
- "WHAT patterns in the logs led to your conclusions"
- "Use phrases like: 'The pattern of X followed by Y indicates...'"
This transformed opaque outputs into transparent reasoning chains.
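As an added example (not code from SENTINEL or its author), here is a TypeScript parser a React frontend could use for the staged output described in Challenges 1 and 2: it splits the model text on the STAGE headers, requires that Stage 1 carry evidence and reasoning lines, and pulls the ordered ATT&CK technique IDs out of Stage 2. The Severity:/Evidence:/Why: line labels and the sample output are assumptions, not the project's actual prompt format.

```typescript
// Added example (not SENTINEL's own code): turn the "STAGE n:" text the prompt
// asks for into the object a React view renders, rejecting output that skips a
// stage, cites no evidence, or names ATT&CK techniques without IDs. The
// "Severity:", "Evidence:" and "Why:" line labels are assumed prompt conventions.
type StagedReport = { severity: string; evidence: string[]; reasoning: string[];
                      killChain: string[]; playbook: string[] };
const STAGE_HEADER = /^STAGE\s+([123]):/i;
const TECHNIQUE_ID = /\bT\d{4}(?:\.\d{3})?\b/g;   // e.g. T1078 or T1078.004
// Group non-empty lines under the most recent STAGE header.
function splitStages(text: string): Map<number, string[]> {
  const stages = new Map<number, string[]>();
  let current = 0;
  for (const line of text.split(/\r?\n/).map((l) => l.trim()).filter(Boolean)) {
    const m = STAGE_HEADER.exec(line);
    if (m) { current = Number(m[1]); stages.set(current, []); }
    else if (current) stages.get(current)!.push(line);
  }
  return stages;
}
// Text after a "Label:" prefix, for every line that carries it.
function labelled(lines: string[], label: string): string[] {
  return lines.filter((l) => l.toLowerCase().startsWith(label)).map((l) => l.slice(label.length).trim());
}
function parseReport(text: string): StagedReport {
  const stages = splitStages(text);
  for (const n of [1, 2, 3]) if (!stages.has(n)) throw new Error(`missing STAGE ${n}`);
  const s1 = stages.get(1)!;
  const [severity] = labelled(s1, "severity:");
  const evidence = labelled(s1, "evidence:");
  const reasoning = labelled(s1, "why:");   // the Logical Reasoning Path lines
  if (!severity || !evidence.length || !reasoning.length)
    throw new Error("assessment lacks severity, evidence or reasoning");
  // Keep the model's order of techniques; collapse an ID repeated in the prose.
  const killChain = Array.from(new Set(stages.get(2)!.join(" ").match(TECHNIQUE_ID) ?? []));
  if (!killChain.length) throw new Error("kill chain names no ATT&CK technique IDs");
  const playbook = stages.get(3)!.filter((l) => /^[-*\d]/.test(l)).map((l) => l.replace(/^[-*\d.)\s]+/, ""));
  return { severity, evidence, reasoning, killChain, playbook };
}
// Constructed sample in the shape the prompt requests (not real model output).
const SAMPLE_OUTPUT = `STAGE 1: INITIAL ASSESSMENT
Severity: High
Evidence: 47 failed logons for svc_backup from 10.0.3.14 within two minutes
Evidence: one successful logon for svc_backup, then a VPN session from a new network
Why: The pattern of password spraying followed by a success indicates account compromise.
STAGE 2: KILL CHAIN
T1110 Brute Force -> T1078 Valid Accounts -> T1133 External Remote Services
STAGE 3: PLAYBOOK
- IAM Team: disable svc_backup and reset its credential
- SOC L2: search VPN and domain controller logs for the source address`;
```

Output that fails any of the checks is rejected before it reaches the UI, which is how a frontend can enforce the "trust but verify" requirement rather than rendering whatever the model returned.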
Challenge 3: Multimodal Integration
Problem: I wanted analysts to upload network diagrams alongside logs, but getting Gemini to meaningfully analyze both together, not just describe the image, was tricky.
Solution: I added specific instructions for image analysis:
- "Analyze network diagrams for segmentation and trust boundaries"
- "Identify potential lateral movement paths"
- "Correlate topology with observed log activity"
This turned image input from a gimmick into a genuine analytical capability.
Challenge 4: Avoiding "AI Slop"
Problem: Initial outputs felt generic: the kind of surface-level analysis anyone could get from ChatGPT.
Solution: Domain specificity. I embedded real SOC knowledge into the prompt:
- MITRE ATT&CK technique IDs (not just names)
- NIST 800-61R2 incident response phases
- Specific stakeholder roles (SOC L1/L2, IAM Team, Legal)
- Kill chain stage terminology
The model rose to match the specificity expected of it.
Accomplishments that I'm proud of
Production-Quality UI — It doesn't look like a hackathon project. It looks like a real SOC tool.
Transparent AI Reasoning — The Logical Reasoning Path feature makes SENTINEL trustworthy. Analysts can see exactly how conclusions were reached.
Framework Alignment — Native MITRE ATT&CK mapping and NIST playbook generation aren't just buzzwords—they're how real security teams operate.
Sub-Minute Analysis — What takes senior analysts 2-4 hours, SENTINEL does in under 60 seconds.
Multimodal Capability — Combining log analysis with network diagram understanding is something current SOC tools don't do well.
What I learned
Technical
- Prompt engineering is software engineering. The prompt isn't a magic incantation; it's a specification that requires iteration, testing, and refinement.
- Multi-stage reasoning > single prompts. Breaking complex tasks into sequential stages produces more reliable, structured output.
- Gemini 3's multimodal capabilities are underutilized. Most demos just describe images. Real value comes from reasoning across text and visual inputs together.
Domain
- Security frameworks matter. MITRE ATT&CK and NIST aren't bureaucratic overhead—they're shared languages that make AI output immediately actionable.
- Explainability is non-negotiable in security. SOC analysts won't trust a black box. The reasoning path isn't a nice-to-have; it's essential.
Personal
- Hackathons reward specificity. A focused tool that does one thing exceptionally beats a general-purpose assistant that does many things adequately.
- My SOC experience gave me an edge. Knowing how real analysts work let me build something they'd actually use, not just something that demos well.
What's next for SENTINEL AI - Autonomous SOC Incident Commander
Short-Term
- SIEM Integration — Direct connectors to Splunk, Elastic, and Microsoft Sentinel
- Alert Triage Automation — Process incoming alerts and prioritize by AI-assessed severity
- Export Capabilities — Generate PDF incident reports for compliance documentation
Long-Term
- Memory Across Incidents — Learn from past incidents at an organization to improve future analysis
- Automated Playbook Execution — Move from decision-support to semi-automated response (with human approval gates)
- Threat Intelligence Integration — Correlate IOCs against live threat feeds
The Vision
Security teams shouldn't spend hours correlating logs while attackers roam free. SENTINEL AI is a step toward a future where AI handles the analytical heavy lifting, freeing human experts to focus on strategic decisions and threat hunting.
Built With
- gemini
- google-ai-studio
- google-cloud-run
- mitre
- python
- react
- tailwindcss
- typescript