| # 90-second YouTube walkthrough — OpenSOC |
|
|
| Total: **90 seconds**, broken into four ~25-second beats. Record at 1080p, |
| unlisted, no music (optional 5-second outro card). |
|
|
| ## Beat 1 — Problem (0:00–0:15) |
|
|
| **Visual**: cursor blinking on a SOC dashboard with a queue of unread alerts; |
| zoom into one alert that says `Authentication failures (8 attempts) from |
| 198.51.100.7`. |
|
|
| **Voiceover (suggested)**: |
|
|
| > "By the time a tier-1 analyst sees an alert like this, the attacker may |
| > have been inside for hours. Most SOCs are understaffed, and a real |
| > attack that gets dismissed by a tired human is invisible until it's |
| > too late." |
|
|
| ## Beat 2 — Env demo (0:15–0:40) |
|
|
| **Visual**: the deployed `https://...hf.space/demo` page. Click |
| "Next incident" three times; pause briefly on each example. |
|
|
| **Voiceover**: |
|
|
| > "OpenSOC is an OpenEnv environment where the same alert is shown to two |
| > models. On the left: zero-shot Qwen2.5-3B; on the right, the same model |
| > after we trained it inside this environment with GRPO. The verifier in |
| > the middle decides what 'right' is — deterministically, from the |
| > structured incident parameters, never from any text the attacker |
| > writes." |
|
|
| ## Beat 3 — Before vs after (0:40–1:05) |
|
|
| **Visual**: split screen — left half shows the eval bar chart |
| `bar_dismiss_on_malicious.png`; right half shows the confusion matrix |
| `confusion_opensoc_grpo.png`. |
|
|
| **Voiceover**: |
|
|
| > "On a 200-incident hold-out, the baseline dismisses real attacks at |
| > [BASELINE]%. After SFT warm-start plus GRPO across four curriculum |
| > stages, dismiss-on-malicious drops to [TRAINED]% — and macro F1 lifts |
| > from [BASELINE_F1] to [TRAINED_F1]. Over-reaction on benign traffic |
| > didn't get worse." |
|
|
| ## Beat 4 — Why RLVR (1:05–1:30) |
|
|
| **Visual**: a single code editor pane showing |
| `verifier.compute_ground_truth(params)` and |
| `verifier.check_plausibility(params)`; highlight that both are pure |
| functions of the *structured* params. |
|
|
| **Voiceover**: |
|
|
| > "The reason this works is that the reward is computed from the structured |
| > attacker parameters, not from any narrative. The plausibility checker |
| > blocks the trivial reward hack of just emitting noise. That's what makes |
| > this RLVR — verifiable rewards, no learned judge to fool. Code, eval |
| > set, training notebook and a $3 GPU recipe are all in the repo." |
|
|
| ## Closing card (1:30) |
|
|
| Title: **OpenSOC — RLVR self-play SOC triage** |
| URL: `huggingface.co/spaces/<USER>/opensoc-env` |
| GitHub-style logo: optional |
|
|
| ## Recording tips |
|
|
| - Use OBS or Loom; export as 1080p mp4. |
| - Pre-load the Space on `/demo` and click "Next incident" once before |
| recording so the first paint isn't cold. |
| - Keep terminal font size large; favour Bear Notes / OBS overlays for |
| the voiceover beats over fullscreen code. |
| - Upload as **unlisted**; share the URL in the README and the HF blog. |
|
|