Skip to content
CV
Back to projects

Security case study / 2025

Go SIEM Agent — LLM Classifier

An AI-native SIEM agent written in Go that classifies any raw log line into a structured threat report — with MITRE ATT&CK mapping, IOC extraction, severity triage, and actionable remediation — in under 20 seconds, using a local-first LLM stack.

Go SIEM Agent — LLM Classifier — title

<20s

per classification

40+

MITRE techniques

~3k

lines Go

GoReactQdrantOllamaPostgreSQLDockerPrometheus

Product impact

Turns hours of manual SOC triage into a sub-20-second automated pipeline, reducing analyst time spent on alert noise by eliminating rule-writing and manual MITRE mapping.

Challenge

SOC teams drown in alert volume — existing rule-based SIEMs require manual signature writing, miss novel attacks, and force analysts to manually cross-reference MITRE ATT&CK, look up IPs, and write remediation notes for every event.

Approach

I built an AI-native backend in Go where a carefully engineered LLM system prompt acts as the entire detection engine. The prompt encodes severity scales, IOC extraction rules, and MITRE mappings, returning a strict JSON schema on every call. A concurrent worker pool classifies logs in parallel; streaming SSE delivers token-by-token feedback so 15-second calls feel instant.

Results

  • Full threat classification pipeline: attack type, MITRE tactic + technique ID, severity P1–P5, confidence score, IOCs, and remediation — all from a single raw log line.
  • Semantic search via Qdrant + Ollama embeddings lets analysts find similar past events using natural language, not exact-match rules.
  • Single Go binary embeds the React dashboard; three Docker containers complete the full stack — zero external dependencies beyond the LLM provider.
Go SIEM Agent — LLM Classifier — architecture