
90-second YouTube walkthrough — OpenSOC

Total: 90 seconds, broken into four ~25-second beats. Record at 1080p, unlisted, no music (optional 5-second outro card).

Beat 1 — Problem (0:00–0:15)

Visual: cursor blinking on a SOC dashboard with a queue of unread alerts; zoom into one alert that says Authentication failures (8 attempts) from 198.51.100.7.

Voiceover (suggested):

"By the time a tier-1 analyst sees an alert like this, the attacker may have been inside for hours. Most SOCs are understaffed, and a real attack that gets dismissed by a tired human is invisible until it's too late."

Beat 2 — Env demo (0:15–0:40)

Visual: the deployed https://...hf.space/demo page. Click "Next incident" three times; pause briefly on each example.

Voiceover:

"OpenSOC is an OpenEnv environment where the same alert is shown to two models. On the left: zero-shot Qwen2.5-3B; on the right, the same model after we trained it inside this environment with GRPO. The verifier in the middle decides what 'right' is — deterministically, from the structured incident parameters, never from any text the attacker writes."

Beat 3 — Before vs after (0:40–1:05)

Visual: split screen — left half shows the eval bar chart bar_dismiss_on_malicious.png; right half shows the confusion matrix confusion_opensoc_grpo.png.

Voiceover:

"On a 200-incident hold-out, the baseline dismisses real attacks at [BASELINE]%. After SFT warm-start plus GRPO across four curriculum stages, dismiss-on-malicious drops to [TRAINED]% — and macro F1 lifts from [BASELINE_F1] to [TRAINED_F1]. Over-reaction on benign traffic didn't get worse."

Beat 4 — Why RLVR (1:05–1:30)

Visual: a single code editor pane showing verifier.compute_ground_truth(params) and verifier.check_plausibility(params); highlight that both are pure functions of the structured params.

Voiceover:

"The reason this works is that the reward is computed from the structured attacker parameters, not from any narrative. The plausibility checker blocks the trivial reward hack of just emitting noise. That's what makes this RLVR — verifiable rewards, no learned judge to fool. Code, eval set, training notebook and a $3 GPU recipe are all in the repo."

Closing card (1:30)

  • Title: OpenSOC — RLVR self-play SOC triage
  • URL: huggingface.co/spaces/<USER>/opensoc-env
  • GitHub-style logo: optional

Recording tips

  • Use OBS or Loom; export as 1080p mp4.
  • Pre-load the Space on /demo and click "Next incident" once before recording so the first paint isn't cold.
  • Keep terminal font size large; favour Bear Notes / OBS overlays for the voiceover beats over fullscreen code.
  • Upload as unlisted; share the URL in the README and the HF blog.