Inspiration

Security Operations Centers (SOCs) are drowning in alerts. A typical security team processes hundreds of alerts every day, yet much of the work remains repetitive: open an alert, investigate related entities, run searches, validate hypotheses, and determine whether the threat is real.

This repetitive workflow creates alert fatigue, analyst burnout, and ultimately increases the risk of missing critical incidents. Most existing security tools focus on making analysts faster. We wanted to eliminate the routine work altogether.

Our vision was simple: transform the analyst's role from manually investigating hundreds of alerts into reviewing a handful of completed AI-generated investigations. Instead of 200 raw alerts, the analyst receives 3 fully investigated case files.

That vision became Synt.

What it does

Synt is an autonomous SOC analyst built on Splunk that investigates security alerts the way an experienced analyst would.

When Splunk detects suspicious activity, Synt automatically:

  • Forms multiple hypotheses about what may have happened and ranks them by confidence.
  • Generates SPL queries and executes them through the Splunk MCP Server.
  • Analyzes results and continuously updates its confidence model.
  • Pivots across related entities to uncover the complete attack path.
  • Identifies root cause, blast radius, and attacker behavior.
  • Maps findings to MITRE ATT&CK techniques.
  • Produces a detailed executive-ready PDF case file.
  • Recommends or initiates response actions depending on confidence levels.

The user experience is what we call a Reasoning Theatre. Analysts can watch the AI investigate in real time through a live reasoning stream, a self-assembling investigation graph, interactive case files, and a ChatGPT-style command interface for steering investigations.

High-confidence threats such as ransomware detonation can be contained automatically, while more nuanced cases such as insider threats are held for human approval regardless of score.

To demonstrate generalization across the cyber kill chain, Synt supports four attack scenarios:

  • Credential Stuffing
  • Insider Data Exfiltration
  • Lateral Movement
  • Ransomware Staging

How we built it

Synt is built as a Turborepo monorepo with a strong emphasis on agent architecture before user experience.

packages/agent

The core autonomous investigation engine.

It implements an OODA (Observe, Orient, Decide, Act) loop through a runInvestigation() workflow that streams structured TraceEvents.

The agent depends on only two injected interfaces:

  • Splunk Client
  • Hosted Model Client

This allows identical execution against both real infrastructure and deterministic offline mocks.

packages/splunk

Provides the agent's operational capabilities:

  • MCP client using JSON-RPC over Streamable HTTP
  • SPL query execution
  • Response action execution
  • Hosted-model integration
  • HEC ingestion for attack scenario seeding

packages/scenarios

Contains four realistic attack simulations complete with:

  • Seed events
  • Ground-truth root causes
  • Expected blast radius
  • MITRE ATT&CK mappings

apps/api (NestJS)

Responsible for:

  • Agent orchestration
  • MongoDB persistence
  • Server-Sent Event streaming
  • PDF case file generation
  • Cloudflare R2 storage
  • Human approval workflows

apps/web (Next.js App Router + Tailwind CSS)

Provides the analyst-facing experience:

  • Live reasoning feed
  • React Flow investigation graph
  • Interactive case file viewer
  • AI command interface
  • Authentication layer
  • Landing page

Confidence Model

Synt maintains confidence scores using a Bayesian-inspired belief update mechanism:

$$ P(H \mid E) \propto P(E \mid H)P(H) $$

Where:

  • H represents a hypothesis.
  • E represents newly observed evidence.

As evidence accumulates, confidence shifts toward the hypothesis that best explains it. Because the rule is stated only up to proportionality, the posteriors are normalised over the set of competing hypotheses after each update so that their confidences sum to one; a fixed threshold on the leading hypothesis can then drive the confidence-gated response decision.
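The OODA loop in packages/agent and the confidence model above, combined in one added example. This is illustrative code written for this writeup, not Synt's own: the interface names (SplunkClient, ModelClient), the runInvestigation() signature, the TraceEvent shape, the 0.9/0.6 thresholds, the per-hypothesis likelihoods, the canned query plan and the seed events are all assumptions. The two clients are synchronous here so the block runs offline and deterministically; in a real deployment both are network calls.

```typescript
// Added example (not Synt's code): an OODA investigation loop with injected
// clients, Bayesian hypothesis updates and confidence-gated actions.
// Names, thresholds, likelihoods and seed events below are assumptions.

export type SplunkEvent = Record<string, string | number>

export interface Hypothesis {
  id: string
  prior: number
  autoContain: boolean                    // may the agent act without a human?
  likelihood: (e: SplunkEvent) => number  // P(E | H) for one observed event
}

export interface SplunkClient { search(spl: string): SplunkEvent[] }
export interface ModelClient {
  // Turns the current leading hypothesis into the next SPL query, or null when done.
  nextQuery(leader: Hypothesis, seen: SplunkEvent[]): string | null
}

export type Decision = 'contain' | 'escalate' | 'continue' | 'close'
export type TraceEvent =
  | { kind: 'observe'; spl: string; hits: number }
  | { kind: 'orient'; beliefs: Record<string, number> }
  | { kind: 'decide'; leader: string; action: Decision }

export const AUTO_CONTAIN = 0.9  // assumed thresholds
export const ESCALATE = 0.6

// Orient: posterior(H) ∝ prior(H) · Π P(e | H), normalised so the hypotheses sum to 1.
export function updateBeliefs(beliefs: Record<string, number>, hyps: Hypothesis[],
                              evidence: SplunkEvent[]): Record<string, number> {
  const unnorm: Record<string, number> = {}
  let z = 0
  for (const h of hyps) {
    let p = beliefs[h.id]
    for (const e of evidence) p *= h.likelihood(e)
    unnorm[h.id] = p
    z += p
  }
  const out: Record<string, number> = {}
  for (const h of hyps) out[h.id] = z > 0 ? unnorm[h.id] / z : beliefs[h.id]
  return out
}

export function leaderOf(beliefs: Record<string, number>, hyps: Hypothesis[]): Hypothesis {
  let best = hyps[0]
  for (const h of hyps) if (beliefs[h.id] > beliefs[best.id]) best = h
  return best
}

// Decide: act only above the auto-containment threshold, and only for hypothesis
// classes flagged as safe to auto-contain; everything else is a human decision.
export function decide(conf: number, leader: Hypothesis, canContinue: boolean): Decision {
  if (conf >= AUTO_CONTAIN) return leader.autoContain ? 'contain' : 'escalate'
  if (canContinue) return 'continue'
  return conf >= ESCALATE ? 'escalate' : 'close'
}

export function runInvestigation(splunk: SplunkClient, model: ModelClient, hyps: Hypothesis[],
                                 onTrace: (t: TraceEvent) => void, maxQueries = 5)
  : { beliefs: Record<string, number>; decision: Decision } {
  let beliefs: Record<string, number> = {}
  for (const h of hyps) beliefs[h.id] = h.prior
  const seen: SplunkEvent[] = []
  let queries = 0
  for (;;) {
    const leader = leaderOf(beliefs, hyps)
    const spl = queries < maxQueries ? model.nextQuery(leader, seen) : null
    if (spl === null) {                                   // budget or ideas exhausted
      const action = decide(beliefs[leader.id], leader, false)
      onTrace({ kind: 'decide', leader: leader.id, action })
      return { beliefs, decision: action }
    }
    queries++
    const hits = splunk.search(spl)                       // Observe
    for (const h of hits) seen.push(h)
    onTrace({ kind: 'observe', spl, hits: hits.length })
    beliefs = updateBeliefs(beliefs, hyps, hits)          // Orient
    onTrace({ kind: 'orient', beliefs })
    const next = leaderOf(beliefs, hyps)
    const action = decide(beliefs[next.id], next, true)   // Decide
    onTrace({ kind: 'decide', leader: next.id, action })
    if (action !== 'continue') return { beliefs, decision: action }   // Act
  }
}

// Constructed credential-stuffing scenario: one source IP sprays several users, then lands a hit.
const failures: SplunkEvent[] = ['alice', 'bob', 'carol'].map(
  user => ({ index: 'auth', action: 'failure', user, src_ip: '203.0.113.7' }))
const success: SplunkEvent = { index: 'auth', action: 'success', user: 'carol', src_ip: '203.0.113.7' }

export const hypotheses: Hypothesis[] = [
  { id: 'credential_stuffing', prior: 0.5, autoContain: true,
    likelihood: e => (e.action === 'failure' ? 0.8 : 0.7) },
  { id: 'user_mistyped_password', prior: 0.5, autoContain: false,
    likelihood: e => (e.action === 'failure' ? 0.4 : 0.5) },
]

// Offline run: the Splunk mock answers from a canned table and the "model" replays a fixed query plan.
export function demo(hyps: Hypothesis[] = hypotheses) {
  const canned: Record<string, SplunkEvent[]> = {
    'index=auth action=failure src_ip=203.0.113.7': failures,
    'index=auth action=success src_ip=203.0.113.7': [success],
  }
  const splunk: SplunkClient = { search: spl => canned[spl] || [] }
  const plan = Object.keys(canned)
  let step = 0
  const model: ModelClient = { nextQuery: () => (step < plan.length ? plan[step++] : null) }
  const trace: TraceEvent[] = []
  const result = runInvestigation(splunk, model, hyps, t => trace.push(t))
  return { trace, beliefs: result.beliefs, decision: result.decision }
}
```

With these numbers the three failures move credential stuffing from 0.5 to 8/9 (still below the gate, so the loop continues), and the subsequent success pushes it to about 0.918, which crosses AUTO_CONTAIN and yields a contain decision; the same evidence against a hypothesis class with autoContain set to false yields an escalate decision instead. The gate is the only place the example turns belief into action: the model only ever produces search queries, and response actions sit behind decide(), which keeps a model that generates SPL from also being the thing that executes containment.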

A key engineering principle guided development:

The agent must consistently reach the correct conclusion before any UI is built.

To enforce this, we created a verification suite that runs every attack scenario and checks root cause identification, blast radius discovery, and MITRE ATT&CK mappings; it had to pass before any frontend work began.

Challenges we ran into

Making "Watch It Think" Feel Real

Offline investigations completed almost instantly, causing the reasoning stream to appear all at once.

To preserve the feeling of an active investigation, we built a pacing layer that progressively reveals reasoning steps while simultaneously animating graph construction and hypothesis updates.

Graph Physics Problems

Disconnected entities were being launched far outside the visible graph due to force simulation edge cases.

This caused the entire visualization to frame incorrectly.

We solved this by introducing gravity forces for isolated nodes, improving entity relationship generation, and ensuring compromised assets remain connected to attacker nodes.

Building a Believable Offline Mode

We wanted Synt to run with zero external dependencies while still feeling realistic.

This required:

  • An in-memory Splunk implementation.
  • A practical SPL filtering engine.
  • Scenario-aware reasoning models.

Maintaining realism without cross-scenario contamination, that is, one scenario's seed events or reasoning leaking into another scenario's investigation, became a significant challenge.
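One way to build the in-memory Splunk stand-in and practical SPL filter the offline mode calls for, with per-scenario scoping as the guard against cross-scenario contamination. This is an added example for this writeup, not Synt's code: the supported SPL subset, the class and method names, the store layout and the seed events are assumptions.

```typescript
// Added example (not Synt's code): an in-memory Splunk stand-in with a small SPL
// subset and per-scenario isolation. Grammar, names and seed events are assumptions.

export type LogEvent = Record<string, string | number>

// Grammar handled by search(): a clause of `field=value`, `field!=value`,
// `field=prefix*` and bare terms (substring match on any field), optionally
// followed by `| stats count by <field>` and/or `| head <n>`.
export class InMemorySplunk {
  private store: Record<string, LogEvent[]> = {}   // scenario id -> its seed events

  // Every seed event is owned by exactly one scenario. Queries are scoped to that
  // owner, so one scenario's events can never surface in another's results.
  seed(scenario: string, events: LogEvent[]): void {
    this.store[scenario] = (this.store[scenario] || []).concat(events)
  }

  search(scenario: string, spl: string): LogEvent[] {
    const stages = spl.split('|').map(s => s.trim())
    const clause = stages[0].replace(/^search\s+/, '')
    let rows = (this.store[scenario] || []).filter(e => matches(e, clause))
    for (const stage of stages.slice(1)) rows = applyStage(rows, stage)
    return rows
  }
}

function matches(e: LogEvent, clause: string): boolean {
  // Tokenise on whitespace while keeping double-quoted values intact.
  const tokens = clause.match(/(?:[^\s"]+|"[^"]*")+/g) || []
  return tokens.every(tok => {
    const m = /^(\w+)(!?=)(.+)$/.exec(tok)
    if (!m) {                                   // bare term: any field contains it
      const term = tok.replace(/"/g, '').toLowerCase()
      return Object.keys(e).some(k => String(e[k]).toLowerCase().indexOf(term) !== -1)
    }
    const field = m[1], op = m[2], want = m[3].replace(/^"|"$/g, '')
    // As in Splunk, both `=` and `!=` require the field to be present on the event.
    if (e[field] === undefined) return false
    const have = String(e[field])
    const hit = want.charAt(want.length - 1) === '*'
      ? have.indexOf(want.slice(0, -1)) === 0
      : have === want
    return op === '=' ? hit : !hit
  })
}

function applyStage(rows: LogEvent[], stage: string): LogEvent[] {
  const stats = /^stats\s+count\s+by\s+(\w+)$/.exec(stage)
  if (stats) {
    const field = stats[1]
    const counts: Record<string, number> = {}
    const order: string[] = []                  // first-seen order, for stable ties
    for (const r of rows) {
      const key = String(r[field] === undefined ? '' : r[field])
      if (counts[key] === undefined) { counts[key] = 0; order.push(key) }
      counts[key] += 1
    }
    const out = order.map(k => ({ [field]: k, count: counts[k] }))
    return out.sort((a, b) => Number(b.count) - Number(a.count))
  }
  const head = /^head\s+(\d+)$/.exec(stage)
  if (head) return rows.slice(0, Number(head[1]))
  throw new Error(`unsupported SPL stage: ${stage}`)
}

// Constructed seed events for two scenarios (not real telemetry).
export function buildDemo(): InMemorySplunk {
  const db = new InMemorySplunk()
  db.seed('credential_stuffing', [
    { index: 'auth', action: 'failure', user: 'alice', src_ip: '203.0.113.7' },
    { index: 'auth', action: 'failure', user: 'bob',   src_ip: '203.0.113.7' },
    { index: 'auth', action: 'failure', user: 'bob',   src_ip: '203.0.113.7' },
    { index: 'auth', action: 'failure', user: 'carol', src_ip: '203.0.113.7' },
    { index: 'auth', action: 'success', user: 'carol', src_ip: '203.0.113.7' },
  ])
  db.seed('lateral_movement', [
    { index: 'auth', action: 'success', user: 'svc_backup', src_ip: '10.10.4.21', dest: 'FS01' },
    { index: 'auth', action: 'success', user: 'svc_backup', src_ip: '10.10.4.21', dest: 'DC01' },
  ])
  return db
}
```

Running `index=auth action=failure src_ip=203.0.113.7 | stats count by user` against the credential-stuffing scenario returns bob with 2 and alice and carol with 1 each, while the same failure search against the lateral-movement scenario returns nothing, which is the isolation property the mock exists to guarantee. Treating `index` as an ordinary field keeps the engine small; an unsupported pipeline stage throws rather than silently returning the unfiltered rows, so a query the mock cannot honour fails loudly in the verification suite instead of producing a plausible-looking result.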

Monorepo Complexity

Numerous integration issues surfaced across the stack, including:

  • SSE replay versus live-tail behavior.
  • Next.js middleware placement under src/.
  • CORS issues affecting web fonts.
  • Module compatibility between NestJS, Next.js, and shared packages.

Accomplishments that we're proud of

The Core Agent Works

All four scenarios execute a genuine investigation loop, query Splunk using real SPL, discover affected entities, and correctly identify the ground-truth root cause.

The Reasoning Theatre

Instead of presenting a chatbot answer, Synt visualizes the entire investigative process in real time.

Analysts can literally watch evidence emerge, hypotheses evolve, and attack paths unfold.

Confidence-Gated Autonomy

A single agent can automatically contain high-confidence threats while escalating ambiguous situations for human review.

Finished Artifacts, Not Conversations

The end result is a complete, downloadable, executive-ready PDF case file containing:

  • Incident narrative
  • Timeline
  • Blast radius analysis
  • MITRE ATT&CK mapping
  • Recommended response actions

Seamless Offline-to-Live Transition

Synt runs fully offline by default and can switch to Splunk Enterprise, MCP Server, and hosted LLMs through environment variables without changing agent code paths.

What we learned

Agent Quality Depends on Loops and Tools

The most important architectural decision was separating responsibilities:

  • Splunk MCP Server as the agent's hands.
  • Hosted models as the reasoning brain.
  • OODA loop as the decision-making engine.

This made the system explainable and debuggable.

NL→SPL Is a Force Multiplier

Allowing the model to convert hypotheses directly into SPL queries created a natural investigative workflow that closely mirrors human analysts.

Deterministic Development Accelerates Progress

Decoupling the agent from live services enabled rapid iteration and ensured demos remained reliable and repeatable.

Graph Physics Is User Experience

Small adjustments to graph behavior dramatically improved interpretability.

A little gravity and proper framing transformed the graph from a chaotic visualization into a self-explaining investigation map.

What's next for Synt

Live Enterprise Deployment

Integrate directly with Splunk Enterprise and execute response actions through SOAR platforms.

Expanded Detection Coverage

Add support for:

  • Phishing attacks
  • Supply-chain compromises
  • Cloud security incidents
  • Identity-based attacks
  • Misconfiguration detection

Adaptive Learning

Introduce analyst feedback loops where approvals and rejections continuously update investigation priors and improve future performance.

Multi-Investigation Correlation

Move beyond isolated incidents and automatically connect related investigations into unified campaign-level views that reveal broader attacker activity.

Autonomous Security Operations

Our long-term vision is an AI-powered SOC where analysts focus exclusively on judgment, strategy, and exception handling while Synt performs the bulk of day-to-day investigations autonomously.
