DEV Community: Миша Ефремов

SHARD v5.2.0 — What 25 Security Audits and 250+ Bug Fixes Taught Me About Building AI Security Software

Миша Ефремов — Tue, 26 May 2026 11:43:13 +0000

I've been building SHARD — an open-source autonomous AI SIEM — for the past few months. After 25 security audits and 250+ bug fixes, here's what I learned about building AI-powered security software.

Architecture Decisions That Mattered

1. Event-Driven Architecture

SHARD uses an EventBus with per-subscriber queues and priority routing. This allows 22 security modules to operate independently without blocking each other. A honeypot detection doesn't slow down the ML pipeline.

2. Graceful Degradation

Storage falls back PostgreSQL → SQLite → JSON file. If the database goes down, alerts aren't lost.

3. Module Registry Pattern

18 modules loaded via topological sort with dependency resolution. Adding a new module is 5 lines in module_specs.py.

ML Pipeline

10 neural networks working together:

XGBoost for classification (100% on 11 attack types)
Isolation Forest for anomaly detection (82%)
Seq2Seq Transformer for generating WAF/iptables rules (5.35M parameters)
VAE for zero-day detection
Temporal GNN for MITRE ATT&CK correlation (82% on 17 techniques)
RL DQN Agent for autonomous response decisions

All models retrain online with balanced batches (50% attacks / 50% normal traffic).

Security Lessons

Validate IP addresses before passing to iptables. Always.
Use HMAC for config file integrity.
Pickle deserialization in federated learning = RCE. Replaced with JSON.
Timing-safe password comparison matters.

Testing

60 unit tests. 4 integration tests. CI/CD pipeline. 0 critical vulnerabilities.

Results

After 25 audit cycles: Pylint 8.29/10, Bandit 0 High, 22/22 modules loading.

GitHub: https://github.com/misha622/shard-siem
Demo: https://youtube.com/shorts/aeyiGMYsbn0

How I Built an Autonomous AI SIEM With 10 Neural Networks in 3 Months

Миша Ефремов — Wed, 13 May 2026 15:11:49 +0000

How I Built an Autonomous AI SIEM With 10 Neural Networks in 3 Months

The Beginning

Three months ago, I started with a simple Python script that could detect port scans. Today, SHARD has 10 neural networks, 13 honeypots, and can autonomously block attacks in real-time. This is the story of how it happened.

Month 1: The Foundation

The first month was all about getting the basics right. I built:

A packet capture engine using Scapy
Basic ML classification with XGBoost
EventBus architecture for modular communication
SQLite storage with date-based partitions
13 honeypots (SSH, MySQL, Redis, MongoDB, FTP, etc.)

The biggest challenge was making all the modules communicate reliably. The EventBus went through 5 rewrites before it could handle 1000+ events per second without dropping.

Month 2: The Neural Networks

This was the hardest month. I trained 8 neural networks from scratch:

Seq2Seq Transformer (5.35M parameters)
The idea was radical: instead of using template iptables rules, generate unique rules for each attack. Training took 9 hours on CPU. The model learned to map "SQL Injection from 10.0.0.1 on port 3306" → actual iptables commands with the correct IP and port.

RL DQN Agent
Trained on 500 simulated attacks. The agent learned to choose between ignoring, throttling, temporarily blocking, or permanently blocking. After training, it made the right decision 100% of the time.

VAE Anomaly Detector
Trained on 25,000 normal traffic samples. Detects zero-day attacks with 91.2% accuracy by measuring reconstruction error.

GNN Threat Graph
Uses Graph Attention Networks to find clusters of attacking IPs and predict which nodes are most at risk.

Temporal GNN
The hardest model. It learns attack chains (Recon → Exploit → C2 → Exfil) and predicts what the attacker will do next. 75% accuracy on predicting the next attack type.

Multi-Modal Fusion
Combines signals from all 7 other models using cross-attention. This single model decides the final threat level.

Month 3: Production-Ready

The last month was about making SHARD usable:

Docker containerization (one command to deploy)
Swagger API with 15 endpoints
Telegram/Slack notifications
CI/CD with GitHub Actions (11 tests)
Stress testing: 4000+ defense actions, 8000+ RL decisions in one hour
Federated Learning for privacy-preserving training

The Numbers

Metric	Value
Lines of Python	13,878
Neural Networks	10
Total Parameters	~8.5M
Honeypots	13
API Endpoints	15
Test Coverage	11/11 passing
Throughput	870 packets/sec
Training Hours	50+

What I Learned

Start simple. My first version was 200 lines. It grew organically.
Test everything. Every neural network has its own training script and validation.
Docker is magic. One command deploys everything.
Open source from day one. Even when the code was bad, having it public kept me motivated.
CI/CD saves hours. GitHub Actions catches bugs before anyone sees them.

What's Next

SHARD is just getting started. The roadmap includes:

Kubernetes operator for auto-scaling
Splunk/ELK integration
Real traffic training pipeline
Community plugins

Try It Yourself


bash
docker pull shard19/shard-siem
docker run -d --name shard -p 8080:8080 -p 5001:5001 shard19/shard-siem

I Built an Autonomous AI SIEM With 10 Neural Networks

Миша Ефремов — Sat, 09 May 2026 17:58:10 +0000

What if your server could defend itself?

That's the question that drove me to build SHARD — a fully autonomous cybersecurity system that detects attacks, generates real-time defense rules, blocks hackers, and predicts their next move. All without a security team. All without human intervention.

The Problem

Every day, thousands of servers are attacked. SQL injections, brute force attempts, DDoS floods, ransomware. Small businesses can't afford enterprise SIEM solutions like Splunk or Palo Alto ($50,000+/year). They need something that just works — automatically.

I decided to build it.

What SHARD Does

When an attacker hits your server:

13 honeypots detect the connection (SSH, MySQL, Redis, MongoDB, FTP, etc.)
XGBoost ML model classifies the attack type (13 types, 100% accuracy)
Seq2Seq Transformer (5.35M parameters) generates unique iptables/WAF rules
RL DQN Agent decides: block permanently? block temporarily? throttle?
VAE Anomaly Detector checks if this is a zero-day attack
GNN Threat Graph maps the attacker's connections
Temporal GNN predicts their next target
Multi-Modal Fusion combines all 8 signals into one threat score
Telegram/Slack notification is sent immediately
Everything is logged and the attacker is blocked

The Numbers

Metric	Value
Neural Networks	10
Attack Classification Accuracy	100%
RL Decision Accuracy	100%
Anomaly Detection Rate	91.2%
Defense Actions (1 hour test)	4,000+
RL Decisions (1 hour test)	8,000+
Throughput	870 packets/sec
Honeypots	13

Tech Stack

PyTorch for deep learning models
XGBoost for attack classification
Docker for one-command deployment
Swagger for API documentation
pytest for testing (11/11 passing)
Telegram API for notifications

Try It Yourself


bash
git clone https://github.com/misha622/shard-siem
cd shard-siem
docker build -t shard-siem .
docker run -d --name shard -p 8080:8080 -p 5001:5001 shard-siem