File size: 2,834 Bytes
bb6a031 | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 | # 90-second YouTube walkthrough β OpenSOC
Total: **90 seconds**, broken into four ~25-second beats. Record at 1080p,
unlisted, no music (optional 5-second outro card).
## Beat 1 β Problem (0:00β0:15)
**Visual**: cursor blinking on a SOC dashboard with a queue of unread alerts;
zoom into one alert that says `Authentication failures (8 attempts) from
198.51.100.7`.
**Voiceover (suggested)**:
> "By the time a tier-1 analyst sees an alert like this, the attacker may
> have been inside for hours. Most SOCs are understaffed, and a real
> attack that gets dismissed by a tired human is invisible until it's
> too late."
## Beat 2 β Env demo (0:15β0:40)
**Visual**: the deployed `https://...hf.space/demo` page. Click
"Next incident" three times; pause briefly on each example.
**Voiceover**:
> "OpenSOC is an OpenEnv environment where the same alert is shown to two
> models. On the left: zero-shot Qwen2.5-3B; on the right, the same model
> after we trained it inside this environment with GRPO. The verifier in
> the middle decides what 'right' is β deterministically, from the
> structured incident parameters, never from any text the attacker
> writes."
## Beat 3 β Before vs after (0:40β1:05)
**Visual**: split screen β left half shows the eval bar chart
`bar_dismiss_on_malicious.png`; right half shows the confusion matrix
`confusion_opensoc_grpo.png`.
**Voiceover**:
> "On a 200-incident hold-out, the baseline dismisses real attacks at
> [BASELINE]%. After SFT warm-start plus GRPO across four curriculum
> stages, dismiss-on-malicious drops to [TRAINED]% β and macro F1 lifts
> from [BASELINE_F1] to [TRAINED_F1]. Over-reaction on benign traffic
> didn't get worse."
## Beat 4 β Why RLVR (1:05β1:30)
**Visual**: a single code editor pane showing
`verifier.compute_ground_truth(params)` and
`verifier.check_plausibility(params)`; highlight that both are pure
functions of the *structured* params.
**Voiceover**:
> "The reason this works is that the reward is computed from the structured
> attacker parameters, not from any narrative. The plausibility checker
> blocks the trivial reward hack of just emitting noise. That's what makes
> this RLVR β verifiable rewards, no learned judge to fool. Code, eval
> set, training notebook and a $3 GPU recipe are all in the repo."
## Closing card (1:30)
Title: **OpenSOC β RLVR self-play SOC triage**
URL: `huggingface.co/spaces/<USER>/opensoc-env`
GitHub-style logo: optional
## Recording tips
- Use OBS or Loom; export as 1080p mp4.
- Pre-load the Space on `/demo` and click "Next incident" once before
recording so the first paint isn't cold.
- Keep terminal font size large; favour Bear Notes / OBS overlays for
the voiceover beats over fullscreen code.
- Upload as **unlisted**; share the URL in the README and the HF blog.
|