Inspiration

Everyone on our team has at some point gone through security training, be it for a job, college, or simply to get a certification. And yet, despite this, social engineering is still the biggest and most dangerous attack vector exploited by malicious actors. Although security training is mandatory, a lack of practice and simulation of real-life attacks means that, for many, the first time they encounter a social engineering attack is when their company and its security are breached. This lack of engagement in security training is the gap we developed SÓShieldta to fill.

We derived the name SÓShieldta from three core aspects of our product:

  • The Irish word sóisialta, meaning social, captures our focus on training the actual humans.
  • "Shield" is there to show that we are creating a defensive barrier before attacks happen.
  • "SOS" is our call to action. Malicious attackers don't wait for anyone, so we have to catch up on AI technologies before they do.

What it does

SÓShieldta is an online system that allows companies to proactively test and monitor the effectiveness of their security training. This is done by routinely issuing simulated social engineering attacks over a variety of surfaces, from smishing to vishing, all with the intention of helping employees recognise and react to attempted attacks. After creating their organisation account, each organisation can upload all the relevant information such as org charts, tech stacks used, and any other information that could be used to potentially trick employees. This information is then used to generate the tailored attacks, which are automatically issued to users across the organisation. After each attack has been launched, the interactive dashboard keeps track of its status, results and which employees could benefit from further training. All of this is delivered in comprehensive infographics and quantified for ease of understanding.

How we built it

In our first hour, we focused solely on project scope and defining the actual problem being solved. We shared our own experiences with security training and got opinions from mentors, sponsors, and other attendees. Once we were happy with the problem scope and our target project, we created a shared written vision to guide the context for AI agents as we built the app.

We created our app from start to finish using Lovable. We decided to have Supabase as our entire backend, holding both the data and the backend edge functions. We chose these options because they let us iterate quickly, turn ideas into working features, and avoid managing server setup. We sketched out our data model on paper and decided the scope of attributes given to an account, divided under organisation, employees, roles, domains, campaigns, and more. Early in the night, we integrated account management and a tiered billing setup using Stripe's API. We started our phishing tests by sending emails from the Lovable domain; however, this only worked for one recipient address at a time. By midnight, we had it configured to correctly generate emails based on company data, tailored to the target employee's role. The most ambitious feature for us was adding vishing tests (voice phishing). Over the night we managed to integrate ElevenLabs and get phone calls working, then pivoted to using Twilio as a backup for calls and text messages.

We used Openshift's model to generate the required material for emails and scripts. We had to use their inference because no frontier model would let us generate this content due to safeguards. With access to models with no guardrails, we were able to generate very unique and personalised emails and campaigns that wouldn't stand out as obvious attempts, which contributed to the quality of testing and training provided by the platform.

Finally, we closed the loop by adding training modules and follow-on lessons for employees who failed previous test attacks. We didn't like the model of just multiple choice questions for learning, so instead we created a short information popup on failure that asks the employee to submit a message to their employer about what they actually learned.
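The dashboard tracking and the follow-on training queue described above, as an added illustration that is not part of the original project code: campaign events, outcome labels and employee names are all constructed for this example, and the functions compute per-campaign status, failure rates by role or channel, and which employees should be enrolled in follow-on lessons.

```python
from collections import defaultdict
from dataclasses import dataclass

# Outcomes an employee can produce for one simulated attack. These labels are
# constructed for this example; the real SÓShieldta schema may differ.
FAIL_OUTCOMES = {"clicked", "submitted_credentials", "called_back"}
SAFE_OUTCOMES = {"reported", "ignored"}

@dataclass(frozen=True)
class Event:
    campaign: str   # campaign id
    channel: str    # "email", "smishing" or "vishing"
    employee: str
    role: str
    outcome: str

# Constructed sample results from three simulated campaigns.
SAMPLE_EVENTS = [
    Event("c1-invoice", "email", "alice", "finance", "reported"),
    Event("c1-invoice", "email", "bob", "finance", "submitted_credentials"),
    Event("c1-invoice", "email", "carol", "engineering", "ignored"),
    Event("c2-mfa-sms", "smishing", "alice", "finance", "clicked"),
    Event("c2-mfa-sms", "smishing", "bob", "finance", "clicked"),
    Event("c2-mfa-sms", "smishing", "carol", "engineering", "reported"),
    Event("c3-it-call", "vishing", "bob", "finance", "called_back"),
    Event("c3-it-call", "vishing", "carol", "engineering", "ignored"),
]

def _is_failure(outcome):
    """True when the employee fell for the simulated attack; rejects unknown labels."""
    if outcome not in FAIL_OUTCOMES | SAFE_OUTCOMES:
        raise ValueError(f"unknown outcome: {outcome}")
    return outcome in FAIL_OUTCOMES

def campaign_status(events):
    """Per-campaign counts for the dashboard: issued, failed, reported."""
    status = defaultdict(lambda: {"issued": 0, "failed": 0, "reported": 0})
    for e in events:
        s = status[e.campaign]
        s["issued"] += 1
        s["failed"] += int(_is_failure(e.outcome))
        s["reported"] += int(e.outcome == "reported")
    return dict(status)

def failure_rate_by(events, field):
    """Share of simulated attacks that succeeded, grouped by 'role' or 'channel'."""
    issued, failed = defaultdict(int), defaultdict(int)
    for e in events:
        key = getattr(e, field)
        issued[key] += 1
        failed[key] += int(_is_failure(e.outcome))
    return {k: round(failed[k] / issued[k], 2) for k in issued}

def training_queue(events, min_failures=1):
    """Employees to enrol in follow-on lessons, with the channels they fell for."""
    failures = defaultdict(list)
    for e in events:
        if _is_failure(e.outcome):
            failures[e.employee].append(e.channel)
    return {emp: sorted(set(ch)) for emp, ch in failures.items() if len(ch) >= min_failures}
```

Raising `min_failures` narrows the queue to repeat offenders, which is how a dashboard can separate a one-off slip from an employee who needs the full training module.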

Challenges we ran into

  • In the Lovable development space, there was one shared chat window for creating UI elements and integrating them with our app. We found it really difficult to manage a group project on this shared interface, and had to create a system for passing priority between team members when working with the Lovable coding agent.
  • When setting up voice calls and text-to-speech using ElevenLabs, we unfortunately spent all of the free credits during development. As such, we implemented Twilio as a fallback option, but the core logic of our app attempts to use ElevenLabs first for a better, more convincing voice in phone-call AI vishing.

Accomplishments that we're proud of

Honestly, we are incredibly proud of the teamwork and collaboration we did across these 30 hours. We did not all know each other before arriving at the hackathon, but we communicated really well and divided up work between ourselves easily. We had great fun hacking, really joined in the spirit of the hackathon event, and got the opportunity to build a really cool product at the same time.

What we learned

As a team, we improved our collaboration abilities, using Git, a shared Supabase database, and a shared Lovable project. Holly learned more about Supabase edge functions and using APIs. Petr learned how to create test phishing content using generative AI. Sinéad learned more about design choices and insightful analytics. Skye learned how to develop a full frontend through Lovable.

What's next for SÓShieldta

SÓShieldta is perfectly set up to be expanded and personalised for any client. In the future, we will:

  • Improve analytics, including more insightful data that may affect vulnerability to cyber attacks.
  • Enhance voice and conversational AI by utilising a paid ElevenLabs subscription.
  • Expand training feedback loops, with client-specific training content and testing.
  • Achieve compliance with GDPR, with clear legal statements and clear opt-in services.
  • Expand to further platforms like Teams, Slack, and even deepfaked video calls on Zoom.
