analista.byronlainez.click: Building an Intelligent SOC Analyst with Gemma 4

A virtual cybersecurity analyst MVP capable of devouring logs with a 128K context window, mapping to MITRE ATT&CK, and generating AWS WAF blocks in real time.

Are you tired of manually parsing thousands of raw log lines or dealing with noisy alerts across your cloud infrastructure? In cybersecurity, the real enemy isn't always the attacker; it is often the sheer volume of data.

To participate in the Gemma 4 Challenge on DEV.to, I decided to build a practical tool: analista.byronlainez.click. It is an AI-powered Virtual SOC (Security Operations Center) Analyst driven by Google's new open-weights model family, Gemma 4.

💡 Honest disclaimer
This tool is currently a basic MVP (Minimum Viable Product) and prototype developed for the hackathon. However, its architecture is built with enterprise scalability in mind. More on how we can scale this to a production-grade SecOps pipeline below.

The Problem: Drowning in a Sea of Logs

If you manage servers, firewalls, or cloud infrastructure in AWS, you know that CloudTrail, AWS WAF, or Nginx syslogs grow exponentially. When a security incident occurs:

The Solution: analista.byronlainez.click

Our application acts as a cybersecurity co-pilot that automates alert triaging, forensic log analysis, and threat mitigation in real time. Here is how we addressed the challenge requirements and the key features we built:

1. Large-Context Log Ingestion & Correlation (128K Window)

Legacy LLMs had narrow context windows; feeding them a large production log file meant the input was truncated at the context limit, or the model "forgot" the beginning of the file by the time it reached the end.

Leveraging Gemma 4's massive 128K context window, the app ingests entire structured JSON or raw log files without truncation. This unlocks the detection of slow, distributed brute-force attacks and correlates the initial passive scanning with subsequent active exploitation, giving you a holistic diagnostic report of the attacker's full session.

2. Automated MITRE ATT&CK & OWASP Threat Mapping

The tool doesn't just alert you to "suspicious traffic." The Gemma 4 backend parses the signature of the anomalous logs, identifies the threat vector, and maps it directly to the **MITRE ATT&CK** framework and **OWASP** categories.

For example, if it detects malicious query parameters containing single quotes and SQL keywords, the app instantly labels the tactical phase (Initial Access), the exact technique (T1190 - Exploit Public-Facing Application), and the OWASP category (A03:2021-Injection).

3. Automated Threat Containment (AWS WAF & Terraform)

Mean Time to Remediate (MTTR) is a critical security metric. We built a module that automatically generates production-ready defense rules to stop attacks instantly. Once an attack signature is identified, the app outputs the exact **AWS WAF** rule JSON or **Terraform** HCL code ready for deployment:

```json
{
  "Name": "BlockMaliciousIPsGemma",
  "Priority": 10,
  "Statement": {
    "IPSetReferenceStatement": {
      "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/MaliciousIPs/a1b2c3d4..."
    }
  },
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "BlockMaliciousIPsGemmaMetric"
  }
}
```
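Sections 1 to 3 together describe one flow: ingest a whole log, correlate per source IP, map the finding to ATT&CK/OWASP, and emit the IP-set rule above. The following is an added example (not the app's code) that implements that flow as a deterministic pre-filter in Python: it parses a constructed Nginx access log, URL-decodes query strings before matching, labels a SQL-injection probe as T1190 / A03:2021 exactly as the post describes, catches a slow credential-guessing run by counting failures over a long window rather than by rate, and builds the rule JSON with placeholder ARN fields. The regexes, thresholds, function names and the T1110 / A07:2021 labels for the brute-force case are my assumptions, not the page's.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote
# Constructed Nginx-style access log (not real traffic): slow login guessing, a URL-encoded SQLi probe, a benign hit.
SAMPLE_LOG = """\
203.0.113.7 - - [02/May/2025:10:00:01 +0000] "GET /login?user=admin HTTP/1.1" 401 120
203.0.113.7 - - [02/May/2025:10:04:13 +0000] "GET /login?user=admin HTTP/1.1" 401 120
203.0.113.7 - - [02/May/2025:10:09:40 +0000] "GET /login?user=admin HTTP/1.1" 401 120
203.0.113.7 - - [02/May/2025:10:15:02 +0000] "GET /login?user=admin HTTP/1.1" 401 120
198.51.100.9 - - [02/May/2025:10:22:10 +0000] "GET /products?id=1%27%20OR%201%3D1-- HTTP/1.1" 500 512
192.0.2.44 - - [02/May/2025:10:23:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
SQLI_RE = re.compile(r"'.*?\b(or|and|union|select|drop)\b", re.IGNORECASE)  # quote followed by a SQL keyword
FAILED_LOGIN_THRESHOLD = 4                # failures inside FAILED_LOGIN_WINDOW that flag an IP (assumed values)
FAILED_LOGIN_WINDOW = timedelta(hours=1)

def parse(log_text):
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            rec["status"] = int(rec["status"])
            yield rec

def classify(log_text):
    """Map each offending source IP to its ATT&CK technique and OWASP category."""
    findings, failed_logins = {}, defaultdict(list)
    for rec in parse(log_text):
        query = unquote(rec["path"].partition("?")[2])  # decode first: %27 would otherwise hide the quote
        if SQLI_RE.search(query):
            findings[rec["ip"]] = {"technique": "T1190", "owasp": "A03:2021", "evidence": query}
        if rec["path"].startswith("/login") and rec["status"] == 401:
            failed_logins[rec["ip"]].append(rec["ts"])
    for ip, times in failed_logins.items():
        # A few requests per minute slip past rate-based rules; counting over the whole window catches them.
        if len(times) >= FAILED_LOGIN_THRESHOLD and max(times) - min(times) <= FAILED_LOGIN_WINDOW:
            findings[ip] = {"technique": "T1110", "owasp": "A07:2021", "evidence": f"{len(times)} failed logins"}
    return findings

def waf_ipset_rule(findings, ipset_arn="arn:aws:wafv2:REGION:ACCOUNT_ID:regional/ipset/MaliciousIPs/IPSET_ID"):
    """Build the rule JSON shown in the post plus the /32 entries to load into the referenced IP set."""
    addresses = sorted(f"{ip}/32" for ip in findings)  # WAFv2 IP sets take CIDR notation only
    rule = {"Name": "BlockMaliciousIPsGemma", "Priority": 10, "Action": {"Block": {}},
            "Statement": {"IPSetReferenceStatement": {"ARN": ipset_arn}},
            "VisibilityConfig": {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
                                 "MetricName": "BlockMaliciousIPsGemmaMetric"}}
    return rule, addresses
```

The rule only references the IP set; the `addresses` list is what has to be pushed into that set before the block takes effect.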

4. Native Multimodal Triaging (Visual Threat Analysis)

Gemma 4 features outstanding native multimodal capabilities. We added a visual triage module where users can upload screenshots of network topology maps, AWS architecture diagrams, or Security Hub alarm dashboards. The visual engine analyzes the screenshot, flags design flaws (like databases hosted in public subnets), and alerts on anomalous traffic spikes displayed in the charts, providing immediate remediation recommendations.

5. Private Local Edge Mode (Gemma 2B/4B)

In cybersecurity, data privacy is sacred. Uploading sensitive production logs to external cloud APIs can violate compliance standards like GDPR or PCI-DSS.

To address this, we built a "Local Processing" switch. When toggled, the app uses WebLLM to run lightweight Gemma 4 2B/4B models directly in the user's browser memory. Your production logs never leave your local machine.

How to Scale It to an Enterprise SOC

While this app serves as a robust hackathon MVP, the real power lies in scaling it to a fully automated production SecOps pipeline. I have designed the proposed architecture to show how this basic setup can scale industrially:

📈 Proposed Closed-Loop SOC Pipeline
  1. Real-Time Logs: Logs from AWS WAF or CloudTrail are streamed continuously to an Amazon Kinesis Firehose delivery stream.
  2. Classifier / Filter: A rapid filtering script separates standard traffic from anomalous or highly suspicious payloads.
  3. Intelligent Triaging: Suspicious alerts are automatically forwarded via webhook to the app's API, where Gemma 4 (31B or MoE) conducts deep triaging and reasoning.
  4. Mitigation Generation: The model instantly generates the corresponding containment rule (JSON WAF rule or Terraform).
  5. Active Block & Notification: An AWS Lambda function applies the block immediately to your production Web ACL, and the SOC is notified via Slack or Teams webhook.

This closed-loop approach cuts response times from minutes to milliseconds, autonomously shielding your cloud assets from malicious automation and rapid scanning campaigns.

Conclusion

Open-weights models like Gemma 4 democratize enterprise-grade cybersecurity. You no longer need expensive security platform licenses to have an intelligent analyst assisting your team.

Although analista.byronlainez.click is a basic MVP built for the challenge, it demonstrates that open-weights local AI can revolutionize how we protect our cloud infrastructures.

Are you ready to audit your logs like a pro? Try the app today with your own logs, and let me know in the DEV.to comments what automated containment rules you generated!