AI-Native SOC/SOAR Platform
Multi-tenant security operations platform — alert triage, investigations, SOAR playbooks, and an AI engine running 43 task types across 105 integrations. Built end-to-end as sole developer.
Overview
A multi-tenant, AI-native SOC/SOAR platform that unifies the full security-operations lifecycle: alert ingestion and triage, investigations and case management, SOAR playbooks with approval gates, threat intelligence, and compliance reporting. I designed and built it end-to-end as the sole developer — turning SOC analyst and leadership requirements directly into shipped product at team velocity using AI-assisted development.
At its core is an AI task and agent engine running 43 task types spanning incident response, compliance audits (ISO 27001 / NIST CSF gap analysis and regional frameworks), fraud detection, and code review. Tasks execute in-process, in Dockerized warm container pools, or on remote runners — with approval gates for sensitive actions, heartbeats, timeout handling, and per-run AI decision logs tracking tokens, cost, and latency for every model call.
The connector ecosystem spans 105 providers across 34 categories — SIEM, EDR, ticketing, IAM, threat intel, AML/fraud, firewalls, and cloud security. An internal JWT bridge lets isolated task containers call platform-controlled capabilities (SIEM queries, EDR isolation, ticket updates, enrichment lookups) without ever holding long-lived customer credentials, backed by credential and webhook-token rotation.
Security and quality are first-class: Casbin RBAC with tenant-scoped authorization, JWT sessions with MFA, tamper-evident append-only audit logs with hash chaining, and replay-protected HMAC-signed webhooks. The platform is hardened for air-gapped deployments and covered by 150+ backend tests plus Playwright E2E suites, deploying via Docker Compose or Helm.
Key Achievements
- 43 AI task types across in-process, warm-container-pool, and remote-runner execution modes
- 105 integrations across 34 categories (SIEM, EDR, ticketing, IAM, threat intel, AML/fraud)
- Multi-tenant Casbin RBAC, JWT + MFA, and tamper-evident append-only audit logs
- Replay-protected HMAC-signed webhooks and air-gapped deployment hardening
- Compliance automation spanning ISO 27001, NIST CSF, SOC 2, GDPR, and regional frameworks
- 150+ backend tests plus Playwright E2E coverage; Docker Compose and Helm deployment
Tech Stack
- FastAPI — async Python backend for webhook ingestion, task orchestration, and the full API surface
- MongoDB — tenant-aware document store for heterogeneous security event and case schemas
- Vue.js + TypeScript — real-time operations console with live alert streams and case workspaces
- LangGraph — orchestration for investigation, playbook, and learning agents
- Docker — container-isolated task execution with a warm pool for low-latency runs
- Helm — Kubernetes deployment with secrets, storage, and resource controls