{"slug": "virtual-soc-analyst", "title": "Virtual SOC Analyst", "summary": "The article describes an AI-powered Virtual SOC Analyst tool, hosted at analista.byronlainez.click, that uses Gemma 4 to rapidly analyze AWS security logs (such as CloudTrail, WAF, and Nginx) and detect threats like SQL injection in under 30 seconds. It can also identify critical architecture misconfigurations, such as an RDS database exposed in a public subnet, by analyzing uploaded screenshots of AWS architecture diagrams. The system leverages a 128K context window to correlate security events across large log files in a single pass, outputting structured threat analysis, MITRE ATT&CK mappings, and deployment-ready AWS WAF block rules.", "body_md": "analista.byronlainez.click is an AI-powered Virtual SOC (Security Operations Center) Analyst that:\nIf you manage AWS infrastructure, you know the pain: CloudTrail + WAF + Nginx logs grow exponentially. A production environment generates tens of thousands of security events per hour. When an incident happens:\nThis tool cuts all of that to under 30 seconds.\nThe real enemy in cybersecurity is often not the attacker — it is the sheer volume of data that buries the signal inside the noise. Gemma 4 solves this.\nUnfortunately, due to the API limit, I couldn't record the video, but I'm leaving the link so you can try it. In the settings, if you don't see the option to enter the API, reduce your window resolution.\n🌐 Live app: analista.byronlainez.click\nI fed the tool a raw AWS WAF log containing a SQL injection attempt from an automated scanner:\nInput — raw WAF log:\n{\n\"timestamp\": \"2026-05-21T02:14:33Z\",\n\"action\": \"ALLOW\",\n\"httpRequest\": {\n\"uri\": \"/api/users?id=1' OR '1'='1\",\n\"clientIp\": \"45.33.32.156\",\n\"country\": \"RU\",\n\"headers\": [\n{ \"name\": \"User-Agent\", \"value\": \"sqlmap/1.7\" }\n]\n}\n}\nGemma 4 analysis — returned in under 8 seconds:\n🚨 THREAT DETECTED — HIGH CONFIDENCE\nMITRE Tactic: Initial Access\nMITRE Technique: T1190 — Exploit Public-Facing Application\nOWASP Category: A03:2021 — Injection (SQL Injection)\nAttacker IP: 45.33.32.156\nTool Signature: sqlmap/1.7 (automated SQL injection scanner)\nTimeline correlation: This IP performed ICMP reconnaissance\nat 01:47 UTC before switching to active exploitation.\nRecommended Action: BLOCK immediately and audit all requests\nfrom this source in the last 24 hours for lateral movement.\nAuto-generated AWS WAF block rule — ready to deploy:\n{\n\"Name\": \"BlockMaliciousIPsGemma\",\n\"Priority\": 10,\n\"Statement\": {\n\"IPSetReferenceStatement\": {\n\"ARN\": \"arn:aws:wafv2:us-east-1:123456789012:regional/ipset/MaliciousIPs/a1b2c3d4\"\n}\n},\n\"Action\": { \"Block\": {} },\n\"VisibilityConfig\": {\n\"SampledRequestsEnabled\": true,\n\"CloudWatchMetricsEnabled\": true,\n\"MetricName\": \"BlockMaliciousIPsGemmaMetric\"\n}\n}\nNo editing needed. Paste this directly into AWS Console or deploy via CLI.\nI uploaded a screenshot of an AWS architecture diagram where a database was sitting in a public subnet. Gemma 4 flagged it without any additional prompting:\n⚠️ ARCHITECTURE MISCONFIGURATION DETECTED\nFinding: RDS instance appears exposed in a public subnet\nRisk Level: CRITICAL — direct internet-reachable database\nMITRE Ref: T1190, T1078 (Valid Accounts via exposed DB port)\nRemediation:\n1. Move RDS to a private subnet immediately\n2. Configure NAT Gateway for outbound-only connectivity\n3. Enable RDS encryption at rest (KMS) if not already active\n4. Audit Security Group rules — port 3306/5432 must not be 0.0.0.0/0\nThis second layer of analysis — visual + log correlation — is something no purely text-based model can replicate.\n🔗 Repository: github.com/Byronsasvin/bals-analyst-v2\nThe system is built around a structured prompt engineering core that leverages Gemma 4's 128K context window to correlate security events across massive log files in a single inference pass — no chunking, no summarization loss.\nSOC analyst system prompt (simplified):\nSYSTEM_PROMPT = \"\"\"\nYou are a senior SOC analyst with expertise in AWS security,\nMITRE ATT&CK framework, and OWASP Top 10.\nAnalyze the provided security logs and return a structured JSON with:\n- threat_detected: boolean\n- confidence: HIGH | MEDIUM | LOW\n- mitre_tactic: string\n- mitre_technique: string (include T-number)\n- owasp_category: string or null\n- attacker_ips: array of strings\n- attack_timeline: chronologically ordered events\n- waf_rule_json: complete AWS WAF rule object, deployment-ready\n- remediation_steps: prioritized action list\nIf image input is provided, also analyze for:\n- Architecture misconfigurations (public subnets, open ports)\n- Visual anomalies in traffic/metric charts\n\"\"\"\ndef analyze(log_content: str, screenshot=None) -> dict:\nmessages = [{\"role\": \"user\", \"content\": []}]\nif screenshot:\n# Gemma 4 multimodal: image tokens must precede text tokens\nmessages[0][\"content\"].append({\n\"type\": \"image\",\n\"image\": screenshot\n})\nmessages[0][\"content\"].append({\n\"type\": \"text\",\n\"text\": f\"{SYSTEM_PROMPT}\\n\\nLogs to analyze:\\n{log_content}\"\n})\nresponse = gemma4_client.chat(\nmessages,\nresponse_format={\"type\": \"json_object\"},\nmax_tokens=2048,\ntemperature=0.1 # Low temperature = consistent structured output\n)\nreturn json.loads(response.choices[0].message.content)\nLocal edge mode — Gemma 4 4B running 100% in-browser:\nimport { CreateWebWorkerMLCEngine } from \"@mlc-ai/web-llm\";\n// Runs in a Web Worker — zero server calls, zero data leakage\nconst engine = await CreateWebWorkerMLCEngine(\nnew Worker(new URL('./worker.js', import.meta.url), { type: 'module' }),\n\"gemma-4-4b-it-q4f32_1-MLC\",\n{ initProgressCallback: (p) => updateProgressBar(p.progress) }\n);\nasync function analyzeLocally(logContent) {\nconst reply = await engine.chat.completions.create({\nmessages: [\n{ role: \"system\", content: SYSTEM_PROMPT },\n{ role: \"user\", content: logContent }\n],\ntemperature: 0.1,\nmax_tokens: 2048\n});\nreturn JSON.parse(reply.choices[0].message.content);\n}\nAfter the model downloads once (~2.5 GB cached in IndexedDB), every analysis run is completely offline. Your production logs never touch a server.\nI made a deliberate choice to use two different Gemma 4 variants for two distinct security scenarios. Here is the reasoning behind each decision.\nWhy 27B? The 128K context window was the decisive factor.\nI benchmarked the same log analysis task against smaller models and previous-generation LLMs. Every one of them failed in the same way: they either refused files larger than ~30K tokens, or they exhibited the classic \"lost in the middle\" problem — forgetting events from the beginning of the log by the time they reached the end.\nWith Gemma 4 27B, I fed a complete 72-hour CloudTrail export (~85K tokens) in a single call. It correctly identified a three-hop attack chain:\nThat correlation across 3 hours and 3 rotating IPs from the same subnet would have taken a human analyst 45+ minutes to find manually. Gemma 4 found it in one inference pass, in under 90 seconds.\nThis is what the 128K window actually unlocks in a security context: not just \"longer documents,\" but temporal correlation at scale without losing context.\nWhy 4B in the browser? Because compliance is a hard blocker for most enterprises.\nUploading production security logs to any external API — even a secure, encrypted one — can violate:\nBy running Gemma 4 4B locally via WebLLM, the sensitive data never leaves the user's machine. The model runs in a browser Web Worker with no outbound network calls after the initial model download. This makes the tool usable for banks, hospitals, and any regulated industry that would otherwise be completely blocked from using a cloud API version.\nThe 4B model handles single-event triage with enough accuracy for real-time alerting. Users who need deep forensic correlation across large log archives can switch to the cloud mode with a single toggle.\nBuilding the visual triage module revealed something I did not anticipate: Gemma 4 can read AWS dashboard screenshots with the accuracy of a trained human analyst.\nFeed it a CloudWatch metrics screenshot showing a traffic anomaly, and it correctly identifies:\nThis is a second analysis layer that no text-only model can replicate. It required zero extra tooling — just passing the screenshot as native image input to Gemma 4.\nThis app is a working MVP. Here is how the same architecture scales to a fully automated, production-grade SecOps pipeline:\nAWS WAF / CloudTrail\n│\n▼\nAmazon Kinesis Firehose ← real-time event stream\n│\n▼\nClassifier Lambda ← fast filter: normal vs suspicious\n│ (suspicious events only)\n▼\nanalista.byronlainez.click API\n│\n▼\nGemma 4 31B Dense ← deep reasoning + timeline correlation\n│\n▼\nGenerate WAF Rule JSON\n│\n▼\nLambda → Update WAF IP Set ← automatic block in ~200ms\n│\n▼\nSlack / Teams webhook ← SOC team notified with full report\nWhat this closed-loop approach delivers:\nThat is what open-weights models like Gemma 4 make possible — and why I believe this architecture represents the future of accessible, privacy-respecting enterprise security.\nTry analista.byronlainez.click with your own logs.\nWhat threats did Gemma 4 find in your infrastructure? Drop your results in the comments 👇", "url": "https://wpnews.pro/news/virtual-soc-analyst", "canonical_source": "https://dev.to/byron_lainez/virtual-soc-analyst-4a5p", "published_at": "2026-05-24 04:46:38+00:00", "updated_at": "2026-05-24 05:01:04.794515+00:00", "lang": "en", "topics": ["cybersecurity", "artificial-intelligence", "cloud-computing", "developer-tools", "products"], "entities": ["Gemma 4", "AWS", "MITRE", "OWASP", "sqlmap", "CloudTrail", "WAF", "Nginx"], "alternates": {"html": "https://wpnews.pro/news/virtual-soc-analyst", "markdown": "https://wpnews.pro/news/virtual-soc-analyst.md", "text": "https://wpnews.pro/news/virtual-soc-analyst.txt", "jsonld": "https://wpnews.pro/news/virtual-soc-analyst.jsonld"}}