I've been building SHARD — an open-source autonomous AI SIEM — for the past few months. After 25 security audits and 250+ bug fixes, here's what I learned about building AI-powered security software.
Architecture Decisions That Mattered
1. Event-Driven Architecture
SHARD uses an EventBus with per-subscriber queues and priority routing. This allows 22 security modules to operate independently without blocking each other. A honeypot detection doesn't slow down the ML pipeline.
2. Graceful Degradation
Storage falls back PostgreSQL → SQLite → JSON file. If the database goes down, alerts aren't lost.
3. Module Registry Pattern
18 modules loaded via topological sort with dependency resolution. Adding a new module is 5 lines in module_specs.py.
ML Pipeline
10 neural networks working together:
- XGBoost for classification (100% on 11 attack types)
- Isolation Forest for anomaly detection (82%)
- Seq2Seq Transformer for generating WAF/iptables rules (5.35M parameters)
- VAE for zero-day detection
- Temporal GNN for MITRE ATT&CK correlation (82% on 17 techniques)
- RL DQN Agent for autonomous response decisions
All models retrain online with balanced batches (50% attacks / 50% normal traffic).
Security Lessons
- Validate IP addresses before passing to iptables. Always.
- Use HMAC for config file integrity.
- Pickle deserialization in federated learning = RCE. Replaced with JSON.
- Timing-safe password comparison matters.
Testing
60 unit tests. 4 integration tests. CI/CD pipeline. 0 critical vulnerabilities.
Results
After 25 audit cycles: Pylint 8.29/10, Bandit 0 High, 22/22 modules loading.
GitHub: https://github.com/misha622/shard-siem
Demo: https://youtube.com/shorts/aeyiGMYsbn0
Top comments (0)