ThreatLens

Inspiration

Security teams are drowning in log events. The average mean-time-to-detect a breach is over 200 days — not because analysts aren't skilled, but because finding real threats inside thousands of daily log events is slow, manual, and exhausting. I wanted to build something that lets any team member simply ask their security data what's happening, in plain English.

What it does

ThreatLens is a conversational AI security intelligence agent. You ask it questions like:

"What are the critical threats right now?"
"Check IP 192.168.1.105"
"What should I do about the ransomware on 192.168.1.20?"

It connects Google Gemini to MongoDB Atlas and returns instant, cited answers with actionable remediation steps.

The agent has 4 intelligent tools:

query_logs — filters MongoDB logs by severity and event type
semantic_search — uses MongoDB Atlas Vector Search with AI embeddings to find similar threats
get_ip_reputation — scores any IP address based on its event history
suggest_remediation — returns step-by-step response plans for any threat type

How I built it

AI Agent — Google Gemini 2.0 Flash via Google Gen AI SDK with function calling
MongoDB MCP Server — integrated MongoDB's MCP protocol server with 4 tools: find_documents, aggregate_documents, count_documents, and get_collections (live at /mcp/tools endpoint)
Database — MongoDB Atlas storing security logs with vector embeddings using text-embedding-004
Vector Search — MongoDB Atlas Vector Search for semantic similarity queries
Backend — Node.js + Express deployed on Google Cloud Run
Frontend — React + TypeScript deployed on Firebase Hosting
Embeddings — Vertex AI text-embedding-004 model

Challenges I ran into

Getting Gemini function calling to reliably select the right tool for each query
Configuring MongoDB Atlas Vector Search indexes for cosine similarity
Managing Google Cloud authentication between local development and Cloud Run
Keeping the Cloud Run environment variables in sync across deployments