Skip to content

AI-Native SOC/SOAR Platform

Multi-tenant security operations platform — alert triage, investigations, SOAR playbooks, and an AI engine running 43 task types across 105 integrations. Built end-to-end as sole developer.

PythonFastAPIMongoDBVue.jsTypeScriptLangGraphDockerHelm

Overview

A multi-tenant, AI-native SOC/SOAR platform that unifies the full security-operations lifecycle: alert ingestion and triage, investigations and case management, SOAR playbooks with approval gates, threat intelligence, and compliance reporting. I designed and built it end-to-end as the sole developer — turning SOC analyst and leadership requirements directly into shipped product at team velocity using AI-assisted development.

At its core is an AI task and agent engine running 43 task types spanning incident response, compliance audits (ISO 27001 / NIST CSF gap analysis and regional frameworks), fraud detection, and code review. Tasks execute in-process, in Dockerized warm container pools, or on remote runners — with approval gates for sensitive actions, heartbeats, timeout handling, and per-run AI decision logs tracking tokens, cost, and latency for every model call.

The connector ecosystem spans 105 providers across 34 categories — SIEM, EDR, ticketing, IAM, threat intel, AML/fraud, firewalls, and cloud security. An internal JWT bridge lets isolated task containers call platform-controlled capabilities (SIEM queries, EDR isolation, ticket updates, enrichment lookups) without ever holding long-lived customer credentials, backed by credential and webhook-token rotation.

Security and quality are first-class: Casbin RBAC with tenant-scoped authorization, JWT sessions with MFA, tamper-evident append-only audit logs with hash chaining, and replay-protected HMAC-signed webhooks. The platform is hardened for air-gapped deployments and covered by 150+ backend tests plus Playwright E2E suites, deploying via Docker Compose or Helm.

Key Achievements

  • 43 AI task types across in-process, warm-container-pool, and remote-runner execution modes
  • 105 integrations across 34 categories (SIEM, EDR, ticketing, IAM, threat intel, AML/fraud)
  • Multi-tenant Casbin RBAC, JWT + MFA, and tamper-evident append-only audit logs
  • Replay-protected HMAC-signed webhooks and air-gapped deployment hardening
  • Compliance automation spanning ISO 27001, NIST CSF, SOC 2, GDPR, and regional frameworks
  • 150+ backend tests plus Playwright E2E coverage; Docker Compose and Helm deployment

Tech Stack

  • FastAPI — async Python backend for webhook ingestion, task orchestration, and the full API surface
  • MongoDB — tenant-aware document store for heterogeneous security event and case schemas
  • Vue.js + TypeScript — real-time operations console with live alert streams and case workspaces
  • LangGraph — orchestration for investigation, playbook, and learning agents
  • Docker — container-isolated task execution with a warm pool for low-latency runs
  • Helm — Kubernetes deployment with secrets, storage, and resource controls
Proprietary — source not available