I Gave My Home SOC a Local Gemma 4 Analyst

chris wilson — Fri, 08 May 2026 02:38:16 +0000

This is a submission for the Gemma 4 Challenge: Build with Gemma 4

What I Built

I built NetGuard Gemma 4 Local SOC Analyst, a local-first cybersecurity demo that uses Gemma 4 as an analyst for sanitized security telemetry.

Most security dashboards tell you what fired.

They do not always tell you what happened.

This project takes a block of sanitized Suricata/Wazuh-style logs and asks Gemma 4 to connect the events into a structured incident report. Instead of treating every alert as an isolated line, the model reads the event window and returns:

incident summary
severity
confidence
attack chain
timeline
indicators of compromise
triage recommendations

The goal is to give a small SOC workflow a local analyst layer: something that can read noisy telemetry, connect related events, and produce a usable incident report without sending sensitive logs to a hosted model.

Demo

The local demo includes:

GET / health check
POST /analyze for single-event analysis
POST /analyze-logs for the main log-autopsy workflow
GET /ui for a simple browser demo
GET /sample-logs for sanitized sample telemetry

Demo flow:

Start the local FastAPI server.
Open the /ui page.
Click Load sample logs.
Click Analyze logs.
Gemma 4 returns a structured incident report.

The sample log window includes a multi-stage pattern:

TCP scan
SQL injection-style probe
SSH brute force attempts
successful login
privileged payload download
script execution
outbound shell behavior
suspicious root-level user creation

The important part is that Gemma 4 is asked to connect the sequence, not just summarize one alert.

Demo video: Silent walkthrough showing the GitHub repo, local NetGuard UI, sanitized sample logs, and Gemma 4 structured incident output.

GitHub Release: https://github.com/cbw29512/GeminiHackathon/releases/tag/demo-v1

Code

Repository:

https://github.com/cbw29512/GeminiHackathon

Core files:

main.py — FastAPI routes and local API guardrails
services/llm_analyzer.py — Gemma 4 prompt and response parsing logic
services/schemas.py — Pydantic schemas for validated output
scripts/sanitize_logs.py—sanitizer for SOC-shaped logs
templates/index.html — minimal local web UI
`tests/ "— validation tests

The project passed its final local audit with: ** 11 passed**.

I also added guardrails so oversized log windows are rejected before being sent into local inference.

How I Used Gemma 4

I used Gemma 4 E4B Q8_0 locally through Ollama.

Gemma 4 is the core reasoning engine of the project. It is not being used only for copywriting or generic chatbot responses.

The main endpoint is POST /analyze-logs.

That endpoint sends Gemma 4 a sanitized log window and asks it to return a strict JSON incident report containing:

incident_summary
severity
confidence
attack_chain
timeline
iocs
triage_recommendations

I chose the E4B model because this project needs local reasoning over security logs, not a huge hosted model. The goal was to keep the system practical on local hardware while still using Gemma 4 for the central analysis task.

Privacy And Local-First Design

Security logs can expose internal IPs, usernames, hostnames, and network behavior.

That is why this project is designed around local inference and sanitized input.

The sanitizer preserves useful event structure while replacing sensitive values. This lets the model reason over realistic telemetry without exposing private data in the demo.

The local-first design uses:

FastAPI on 127.0.0.1
Ollama for local model runtime
Pydantic for schema validation
sanitized sample logs
no committed model binary
no committed secrets
no committed raw captures

What I Learned

The strongest version of this project was not single-alert analysis.

The stronger idea was log-window autopsy.

A single alert can tell you something suspicious happened. A sequence of events can tell you the story of the incident.

That is where Gemma 4 became valuable: reading multiple related events and turning them into an analyst-style report.

What I Would Build Next

Next, I would extend the UI into a richer NetGuard dashboard panel with:

upload support for local sanitized logs
side-by-side raw alert stream and Gemma incident report
exportable analyst reports
confidence notes for each attack-chain stage
larger event windows
human review notes for triage decisions

Final Thoughts

This project is about giving a small SOC workflow a local analyst brain.

Gemma 4 reads the evidence window, connects the related activity, and returns a structured report that a defender can actually use.

That is the heart of the build.

DEV Community: chris wilson