Inspiration

High-stakes work is adopting AI fastest - security incident response, fraud, compliance, e-discovery - and that is exactly where you cannot ship a conclusion you cannot audit. An agent that says "this host is compromised" is worthless, or worse, if it occasionally hallucinates and no one can trace the claim back to proof. Today's tools ask analysts to trust the model. Courts, insurers, and auditors do not. Veritas makes the trust provable.

What it does

An autonomous agent investigates digital evidence end to end, but deterministic code - not the model - decides what is "confirmed," and every finding traces by foreign key to the exact tool record that proved it.

  • Case dashboard: verdict, a SHA-256 evidence-integrity badge, and the five-way disposition scoreboard.
  • AI-overruled view: where the model wanted CONFIRMED MALICIOUS but the code said SUSPICIOUS, with the exact gate that withheld promotion.
  • Proof chain: one click expands a finding into claim -> validated fact -> source forensic tool, with the raw tool output.
  • Cross-case IOC pivot: type a hash, IP, or PID and see every case it appears in - one indexed Aurora query across the whole corpus.
  • Queue a new investigation: Postgres-as-queue; a worker claims jobs with SELECT ... FOR UPDATE SKIP LOCKED and streams 16-step progress.

The data is real: every case is an actual Windows-intrusion investigation ingested from the open-source Sentinel Ensemble engine. No numbers are invented - the ingest adapter asserts the database counts match the engine output exactly.

How we built it (Amazon Aurora PostgreSQL Serverless v2)

Aurora is the system of record, and the data model is the product:

  • Foreign keys enforce the chain of custody - a finding cannot cite proof that does not exist.
  • UNIQUE(case_id, fact_signature) turns the engine's in-memory SHA-1 dedup into an idempotent INSERT ... ON CONFLICT DO UPDATE: a fact a second tool reports is merged into the row already on file rather than duplicated, so cross-tool corroboration is one statement and a re-run of the ingest is a no-op.
  • The engine's ~19 in-memory pivot indexes become ~19 real Postgres indexes (btree, GIN on JSONB, pg_trgm for fuzzy IOC search).
  • A recursive CTE walks the process tree; a finding_trace() function returns the full proof chain.
  • Row-level security by org_id is scaffolded for multi-tenant SaaS; a materialized view powers the cross-case pivot; Serverless v2 scales to zero between investigations.
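The data model sketched in the list above, as an added example: this is not the Veritas schema, and the table and column names (cases, tool_records, facts, findings, seen_by, withheld_by_gate, finding_trace) are assumptions made for illustration, as are the sample rows and the gate name. It shows the foreign-key chain that makes a proof-less finding unrepresentable, the UNIQUE(case_id, fact_signature) upsert that merges a second tool's report into the existing fact, a finding_trace() join from claim to raw tool output, the AI-overruled query, and a recursive CTE over process facts. It needs PostgreSQL 11+ with the pgcrypto extension (for digest()).

```sql
-- Added illustration, not the project's schema; names are assumptions.
CREATE EXTENSION IF NOT EXISTS pgcrypto;   -- digest() for the SHA-1 fact signature

CREATE TABLE cases (
    case_id         bigserial PRIMARY KEY,
    evidence_sha256 char(64)  NOT NULL           -- the integrity badge on the dashboard
);

-- One raw forensic-tool run per row: the leaf every claim has to bottom out in.
CREATE TABLE tool_records (
    tool_record_id bigserial PRIMARY KEY,
    case_id        bigint NOT NULL REFERENCES cases,
    tool_name      text   NOT NULL,
    raw_output     jsonb  NOT NULL
);

-- Validated facts. fact_signature is the SHA-1 the engine dedups on in memory;
-- the UNIQUE constraint is what turns that dedup into an idempotent upsert.
CREATE TABLE facts (
    fact_id        bigserial PRIMARY KEY,
    case_id        bigint   NOT NULL REFERENCES cases,
    fact_type      text     NOT NULL,
    fact_signature char(40) NOT NULL,
    payload        jsonb    NOT NULL,
    tool_record_id bigint   NOT NULL REFERENCES tool_records,  -- first tool to produce it
    seen_by        text[]   NOT NULL,                          -- every tool that corroborated it
    UNIQUE (case_id, fact_signature)
);
CREATE INDEX facts_payload_gin ON facts USING gin (payload jsonb_path_ops);  -- IOC pivots

-- A finding must cite a fact (NOT NULL + FK): a proof-less CONFIRMED row cannot exist.
CREATE TABLE findings (
    finding_id        bigserial PRIMARY KEY,
    case_id           bigint NOT NULL REFERENCES cases,
    fact_id           bigint NOT NULL REFERENCES facts,
    claim             text   NOT NULL,
    model_disposition text   NOT NULL,   -- what the model wanted
    code_disposition  text   NOT NULL,   -- what the deterministic gate decided
    withheld_by_gate  text                -- gate that refused promotion, NULL if none
);

-- Constructed sample rows: one case, two tools that both saw the same process.
INSERT INTO cases (evidence_sha256) VALUES (repeat('0', 64));              -- case_id 1
INSERT INTO tool_records (case_id, tool_name, raw_output) VALUES            -- ids 1, 2
    (1, 'eventlog', '{"EventID": 4688, "ProcessId": 4312, "NewProcessName": "powershell.exe"}'),
    (1, 'sysmon',   '{"EventID": 1, "ProcessId": 4312, "Image": "powershell.exe"}');

-- Idempotent ingest. Both statements carry the same signature: the first inserts, the
-- second merges the new tool into seen_by. A pure re-run of either is a no-op.
INSERT INTO facts (case_id, fact_type, fact_signature, payload, tool_record_id, seen_by)
VALUES (1, 'process', encode(digest('process|4312|powershell.exe', 'sha1'), 'hex'),
        '{"pid": 4312, "ppid": 2208, "image": "powershell.exe"}', 1, ARRAY['eventlog'])
ON CONFLICT (case_id, fact_signature) DO UPDATE
   SET seen_by = CASE WHEN EXCLUDED.seen_by[1] = ANY (facts.seen_by) THEN facts.seen_by
                      ELSE facts.seen_by || EXCLUDED.seen_by END;

INSERT INTO facts (case_id, fact_type, fact_signature, payload, tool_record_id, seen_by)
VALUES (1, 'process', encode(digest('process|4312|powershell.exe', 'sha1'), 'hex'),
        '{"pid": 4312, "ppid": 2208, "image": "powershell.exe"}', 2, ARRAY['sysmon'])
ON CONFLICT (case_id, fact_signature) DO UPDATE
   SET seen_by = CASE WHEN EXCLUDED.seen_by[1] = ANY (facts.seen_by) THEN facts.seen_by
                      ELSE facts.seen_by || EXCLUDED.seen_by END
RETURNING fact_id, seen_by;        -- 1, {eventlog,sysmon}: corroborated in one statement

-- The model proposed CONFIRMED MALICIOUS; the gate held it at SUSPICIOUS. The override
-- is two columns plus a gate name, not a log line. 'unverified_image_hash' is hypothetical.
INSERT INTO findings (case_id, fact_id, claim, model_disposition, code_disposition, withheld_by_gate)
VALUES (1, 1, 'powershell.exe (pid 4312) is attacker tooling',
        'CONFIRMED MALICIOUS', 'SUSPICIOUS', 'unverified_image_hash');

-- Proof chain: claim -> validated fact -> source tool record, as one join.
CREATE FUNCTION finding_trace(p_finding_id bigint)
RETURNS TABLE (claim text, code_disposition text, fact_type text, fact jsonb,
               corroborated_by text[], tool_name text, raw_output jsonb)
LANGUAGE sql STABLE AS $$
    SELECT fi.claim, fi.code_disposition, fa.fact_type, fa.payload, fa.seen_by,
           tr.tool_name, tr.raw_output
      FROM findings fi
      JOIN facts        fa ON fa.fact_id = fi.fact_id
      JOIN tool_records tr ON tr.tool_record_id = fa.tool_record_id
     WHERE fi.finding_id = p_finding_id
$$;
SELECT * FROM finding_trace(1);

-- The AI-overruled view: every place the gate refused the model's disposition.
SELECT finding_id, claim, model_disposition, code_disposition, withheld_by_gate
  FROM findings WHERE model_disposition <> code_disposition;

-- Process tree: recursive CTE walking pid -> ppid through 'process' facts; the depth
-- cap guards against PID-reuse cycles. Only the child exists here, so one row returns.
WITH RECURSIVE lineage AS (
    SELECT payload, 0 AS depth FROM facts
     WHERE case_id = 1 AND fact_type = 'process' AND payload @> '{"pid": 4312}'
    UNION ALL
    SELECT f.payload, l.depth + 1 FROM facts f JOIN lineage l
        ON f.case_id = 1 AND f.fact_type = 'process'
       AND f.payload @> jsonb_build_object('pid', (l.payload->>'ppid')::int)
     WHERE l.depth < 64
)
SELECT depth, payload->>'pid' AS pid, payload->>'image' AS image FROM lineage ORDER BY depth;
```

The point of the CASE in the upsert is that the same tool re-ingesting the same fact leaves seen_by unchanged, so the corroboration count cannot be inflated by re-running the adapter; only a genuinely new tool name extends the array.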

Front end: Next.js 15 (App Router) on Vercel, server components querying Aurora directly over SSL, UI accelerated with v0. Async worker: Postgres-as-queue with SKIP LOCKED.
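The Postgres-as-queue worker claim mentioned above and in the "What it does" list, as an added example (not the project's worker code): the investigations table, its columns, the worker name and the sample jobs are assumptions. The claim is a single UPDATE driven by a SELECT ... FOR UPDATE SKIP LOCKED, so concurrent workers never block on or double-claim a job, and it is followed by the per-step progress write and the stale-claim reaper a practitioner needs when a worker dies mid-investigation.

```sql
-- Added illustration, not the project's worker; names are assumptions.
CREATE TABLE investigations (
    job_id     bigserial   PRIMARY KEY,
    case_id    bigint      NOT NULL,
    status     text        NOT NULL DEFAULT 'queued',   -- queued | running | done | failed
    step       int         NOT NULL DEFAULT 0,          -- 0..16, polled by the dashboard
    claimed_by text,
    claimed_at timestamptz,
    attempts   int         NOT NULL DEFAULT 0
);
-- Partial index: the claim query only ever scans queued rows, so the index stays tiny.
CREATE INDEX investigations_queued ON investigations (job_id) WHERE status = 'queued';

INSERT INTO investigations (case_id) VALUES (101), (102);   -- constructed sample jobs

-- Worker claim. FOR UPDATE locks the chosen row; SKIP LOCKED makes a second worker skip
-- rows the first one holds instead of waiting, so N workers take N distinct jobs with no
-- coordinator. Claim and status change are one statement, so a crash before commit
-- simply leaves the job queued. Without SKIP LOCKED every worker would queue up behind
-- the same oldest row and all but one would wake to find it already claimed.
WITH next_job AS (
    SELECT job_id
      FROM investigations
     WHERE status = 'queued'
     ORDER BY job_id
     LIMIT 1
       FOR UPDATE SKIP LOCKED
)
UPDATE investigations i
   SET status = 'running', claimed_by = 'worker-a', claimed_at = now(), attempts = attempts + 1
  FROM next_job
 WHERE i.job_id = next_job.job_id
RETURNING i.job_id, i.case_id;                     -- job 1 / case 101 for the first caller

-- Each of the 16 steps bumps the counter. The claimed_by guard turns a late write from a
-- worker whose job was already re-queued and re-claimed into a no-op.
UPDATE investigations SET step = 5
 WHERE job_id = 1 AND status = 'running' AND claimed_by = 'worker-a';
UPDATE investigations SET status = 'done', step = 16
 WHERE job_id = 1 AND status = 'running' AND claimed_by = 'worker-a';

-- Reaper, run periodically: a worker that died never writes 'done', so put stale claims
-- back on the queue, but only a bounded number of times so a poison job cannot loop.
UPDATE investigations
   SET status = CASE WHEN attempts < 3 THEN 'queued' ELSE 'failed' END,
       claimed_by = NULL, claimed_at = NULL
 WHERE status = 'running' AND claimed_at < now() - interval '30 minutes';
```

Open a second session and run the claim statement again while the first one's transaction is still open: it returns job 2 immediately rather than blocking, which is the whole reason for SKIP LOCKED over a plain FOR UPDATE.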

Challenges we ran into

Keeping the AI honest without making the app a black box: the override had to be a real column, the proof a real join, the corroboration a real merge, so that the trust is queryable rather than asserted. Modeling ~25 heterogeneous fact types, and mirroring the engine's 19 pivot indexes in Postgres without turning every dashboard view into an N+1 read storm, is what drove the schema.

Accomplishments

A live, public, no-login app on real forensic data where the AI is overruled by code in plain sight, every claim is one query from its proof, and cross-case hunting is a single indexed Aurora query the file-based engine cannot do.

What's next

Productionize multi-tenant auth on the RLS already scaffolded; stream the worker's 16-step progress over the wire; broaden ingest to multimodal artifacts; and offer the trust layer as an API any AI investigation product can embed.

Built for the H0 Hackathon - Track 2 (Monetizable B2B). #H0Hackathon
