# 90-second YouTube walkthrough — OpenSOC Total: **90 seconds**, broken into four ~25-second beats. Record at 1080p, unlisted, no music (optional 5-second outro card). ## Beat 1 — Problem (0:00–0:15) **Visual**: cursor blinking on a SOC dashboard with a queue of unread alerts; zoom into one alert that says `Authentication failures (8 attempts) from 198.51.100.7`. **Voiceover (suggested)**: > "By the time a tier-1 analyst sees an alert like this, the attacker may > have been inside for hours. Most SOCs are understaffed, and a real > attack that gets dismissed by a tired human is invisible until it's > too late." ## Beat 2 — Env demo (0:15–0:40) **Visual**: the deployed `https://...hf.space/demo` page. Click "Next incident" three times; pause briefly on each example. **Voiceover**: > "OpenSOC is an OpenEnv environment where the same alert is shown to two > models. On the left: zero-shot Qwen2.5-3B; on the right, the same model > after we trained it inside this environment with GRPO. The verifier in > the middle decides what 'right' is — deterministically, from the > structured incident parameters, never from any text the attacker > writes." ## Beat 3 — Before vs after (0:40–1:05) **Visual**: split screen — left half shows the eval bar chart `bar_dismiss_on_malicious.png`; right half shows the confusion matrix `confusion_opensoc_grpo.png`. **Voiceover**: > "On a 200-incident hold-out, the baseline dismisses real attacks at > [BASELINE]%. After SFT warm-start plus GRPO across four curriculum > stages, dismiss-on-malicious drops to [TRAINED]% — and macro F1 lifts > from [BASELINE_F1] to [TRAINED_F1]. Over-reaction on benign traffic > didn't get worse." ## Beat 4 — Why RLVR (1:05–1:30) **Visual**: a single code editor pane showing `verifier.compute_ground_truth(params)` and `verifier.check_plausibility(params)`; highlight that both are pure functions of the *structured* params. **Voiceover**: > "The reason this works is that the reward is computed from the structured > attacker parameters, not from any narrative. The plausibility checker > blocks the trivial reward hack of just emitting noise. That's what makes > this RLVR — verifiable rewards, no learned judge to fool. Code, eval > set, training notebook and a $3 GPU recipe are all in the repo." ## Closing card (1:30) Title: **OpenSOC — RLVR self-play SOC triage** URL: `huggingface.co/spaces//opensoc-env` GitHub-style logo: optional ## Recording tips - Use OBS or Loom; export as 1080p mp4. - Pre-load the Space on `/demo` and click "Next incident" once before recording so the first paint isn't cold. - Keep terminal font size large; favour Bear Notes / OBS overlays for the voiceover beats over fullscreen code. - Upload as **unlisted**; share the URL in the README and the HF blog.