DEV Community: Quantum Sage The latest articles on DEV Community by Quantum Sage (@quantumsage). https://dev.to/quantumsage https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3694249%2Fb19dfb68-f6d7-4a91-9307-2aebb59f3b16.png DEV Community: Quantum Sage https://dev.to/quantumsage en Building SOC-AI: Sub-Second Security Triage with Groq & Kestra Quantum Sage Tue, 06 Jan 2026 12:38:00 +0000 https://dev.to/quantumsage/building-soc-ai-sub-second-security-triage-with-groq-kestra-51 https://dev.to/quantumsage/building-soc-ai-sub-second-security-triage-with-groq-kestra-51 <h2> The Motivation: Solving Alert Fatigue 🛡️ </h2> <p>Security teams are drowning in logs. I built <strong>SOC-AI</strong> solo during the <strong>AI Agents Assemble Hackathon</strong> (hosted on @wemakedevs) to prove that AI can handle the "boring" triage while humans keep control.</p> <h2> The Architecture </h2> <ul> <li> <strong>Triage:</strong> Groq (Llama-3.3) for 500ms log analysis.</li> <li> <strong>Orchestration:</strong> Kestra for semi-autonomous remediation.</li> <li> <strong>Frontend:</strong> Next.js 15 (Live on Vercel!).</li> </ul> <h2> Technical Deep Dive – Reliable AI &amp; Orchestration </h2> <p>One of the biggest challenges in AI agents is <strong>hallucination</strong>. In a security context, a "hallucinated" IP address or action could be a disaster. I solved this using two core patterns:</p> <h3> 1. Forcing Structured Output with Zod &amp; Groq </h3> <p>I didn't just ask the AI to "analyze the log." I defined a strict contract using Zod. This ensures that the high-speed Llama-3.3 model on Groq returns a precise JSON object that my backend can trust.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Define the Triage Schema</span> <span class="kd">const</span> <span class="nx">SecurityTriageSchema</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">severity</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">enum</span><span class="p">([</span><span class="dl">"</span><span class="s2">low</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">medium</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">high</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">critical</span><span class="dl">"</span><span class="p">]),</span> <span class="na">threat_type</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">describe</span><span class="p">(</span><span class="dl">"</span><span class="s2">Categorization like Brute Force, SQLi, etc.</span><span class="dl">"</span><span class="p">),</span> <span class="na">action_suggested</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">enum</span><span class="p">([</span><span class="dl">"</span><span class="s2">block_ip</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">disable_user</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">monitor</span><span class="dl">"</span><span class="p">]),</span> <span class="na">reasoning</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">()</span> <span class="p">});</span> <span class="c1">// Forcing Groq to adhere to the schema</span> <span class="kd">const</span> <span class="nx">chatCompletion</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">groq</span><span class="p">.</span><span class="nx">chat</span><span class="p">.</span><span class="nx">completions</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">model</span><span class="p">:</span> <span class="dl">"</span><span class="s2">llama-3.3-70b-versatile</span><span class="dl">"</span><span class="p">,</span> <span class="na">response_format</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">json_object</span><span class="dl">"</span> <span class="p">},</span> <span class="c1">// Crucial for reliable JSON</span> <span class="na">messages</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">role</span><span class="p">:</span> <span class="dl">"</span><span class="s2">system</span><span class="dl">"</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="dl">"</span><span class="s2">You are a SOC Triage Agent. Output ONLY JSON.</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">role</span><span class="p">:</span> <span class="dl">"</span><span class="s2">user</span><span class="dl">"</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="s2">`Analyze this log: </span><span class="p">${</span><span class="nx">rawLogData</span><span class="p">}</span><span class="s2">`</span> <span class="p">}</span> <span class="p">],</span> <span class="p">});</span> </code></pre> </div> <h3> 2. Semi-Autonomous Remediation via Kestra </h3> <p>Trust is everything in security. Instead of letting the AI run wild, I built a <strong>Human-in-the-Loop</strong> system.</p> <p>When the AI suggests an action (like <code>block_ip</code>), it appears on my <strong>Next.js Dashboard</strong>. Only after I click <strong>"Approve"</strong> does the backend trigger a <strong>Kestra Workflow</strong>.</p> <h4> Why Kestra? </h4> <ul> <li> <strong>Retries:</strong> If the Firewall API is down, Kestra handles the retry logic.</li> <li> <strong>Audit Trail:</strong> Every action taken is logged visually in the Kestra UI.</li> <li> <strong>Separation of Concerns:</strong> My Next.js app handles the UI, while Kestra handles the heavy infrastructure automation.</li> </ul> <h2> The Result </h2> <p>By combining <strong>Groq's speed</strong> with <strong>Kestra's reliability</strong>, SOC-AI can triage a log and present a remediation plan to an analyst in less than a second.</p> <p>This project was a solo build, and it taught me that the future of AI isn't just about the "chat" - it's about <strong>orchestration</strong>.</p> <h2> Links &amp; Demo </h2> <ul> <li> <strong>GitHub:</strong> <a href="https://github.com/kaushik0010/soc-ai" rel="noopener noreferrer">https://github.com/kaushik0010/soc-ai</a> </li> <li> <strong>Video Walkthrough:</strong> <a href="https://youtu.be/LbuHXiPznJE" rel="noopener noreferrer">https://youtu.be/LbuHXiPznJE</a> </li> </ul> <p><strong>What are your thoughts on semi-autonomous security? Would you trust an AI to suggest your firewall rules? Let's talk in the comments!</strong></p> ai cybersecurity javascript hackathon