Spaces:
Sleeping
OpenSecOpsEnv β Complete Dashboard Guide
Plain-English explanation of every element on every tab. Read this before demoing to judges.
The Big Picture β What Is This System?
This is an AI Security Operations (SecOps) environment.
Imagine your company's servers are being attacked at 3am. A human on-call engineer would have to:
- Look at alerts and dashboards
- Figure out what went wrong (memory leak? hacker? bad deploy?)
- Take the right actions (restart a service, block an IP, isolate a server)
We trained an AI model (Qwen2.5-7B-GRPO) to do all of that automatically, in real time, better than a random/untrained model would.
The dashboard is a live demonstration of that AI responding to security incidents.
The Header Bar
OpenSecOpsEnv [OpenEnv] [Curriculum RL] π€ Qwen2.5-7B-GRPO (fine-tuned) β Server online
| Element | What it means |
|---|---|
| OpenSecOpsEnv | Name of the environment/project |
| [OpenEnv] | This is built on the OpenEnv hackathon framework |
| [Curriculum RL] | The agent learns progressively harder tasks over time |
| π€ Qwen2.5-7B-GRPO (fine-tuned) | Your actual trained AI model is LIVE and connected. This turns on when the HF endpoint responds. |
| β Streaming | An episode is actively running (SSE stream is open) |
| β Server online | The FastAPI backend is running |
Tab 1: AGENT β Single AI Agent vs. Incident
This tab shows one AI agent (your trained model) responding to an incident alone.
Controls Bar
[Scenario βΌ] [Trained Model | Baseline Model] [Speed βΌ] [Run Episode] [Reset] [Compare]
| Control | What it does |
|---|---|
| Scenario | Picks which security incident to simulate. 4 scenarios: Memory Leak (Easy), DDoS Cascade (Medium), Bad Deployment (Medium-Hard), Data Exfiltration (Hard) |
| Trained Model | Uses YOUR fine-tuned Qwen2.5-7B model to decide actions. This is the AI you trained. |
| Baseline Model | Uses a hardcoded "bad agent" that makes wrong choices β used to show how much better your trained model is |
| Speed | How fast the episode plays out (Fast = 0.8s between steps, Slow Demo = 2.5s β use Slow for presentations) |
| Run Episode | Starts the AI agent running through the incident |
| Reset | Clears everything and starts fresh |
| Compare | After running both Trained and Baseline modes, shows the score difference |
Left Panel β SYSTEM STATE
This shows what the AI can "see" at any moment. It's the AI's observation.
βββββββββββββββββββββββββββββββββββββββ
β Data Exfiltration (Disguised) β
β A compromised service account... β
β [HARD] β
βββββββββββββββββββββββββββββββββββββββ€
β ACTIVE ALERTS β
β [WARNING] db Β· cpu 89.3% β
β [CRITICAL] cache Β· memory 82% β
βββββββββββββββββββββββββββββββββββββββ€
β SERVICE METRICS β
β db cpu βββββ 4.1% β
β auth cpu βββββ mem ββββββ β
βββββββββββββββββββββββββββββββββββββββ
| Element | What it means |
|---|---|
| Scenario Card (top blue box) | Brief description of what the incident is. The AI doesn't get told this β it has to figure it out from the clues below. |
| [HARD] badge | Difficulty level. Hard = 55% noise (fake alerts designed to mislead), disguised attack vector |
| Active Alerts | Live alerts the system is generating. These are what a real PagerDuty/Datadog alert would look like. |
| [WARNING] / [CRITICAL] | Severity of the alert. CRITICAL = urgent. WARNING = watch it. |
| [RED INJECTED] (in Battle mode) | An alert that the Attacker agent CREATED to mislead the Defender β it's fake! |
| Service Metrics | CPU, Memory, Latency bars for each microservice |
| Bar colour | π’ Green = normal. π‘ Cyan = warning. π΄ Red = critical. |
| err X.X% | Error rate β what % of requests to that service are failing |
| Service Topology | Which services talk to which. Shows the blast radius if one goes down. |
Centre Panel β AGENT ACTION FEED
This is the MOST IMPORTANT panel. It shows every decision the AI makes, in real time.
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β π΅ DEFENDER SCAN run_security_scan +0.38 β
β target="db" β
β SECURITY SCAN β db: ALERT: Unusual outbound... β
β π€ AI Output β
β {"action_type": "run_security_scan", "parameters":...β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
| Element | What it means |
|---|---|
| π΅ DEFENDER | This action was taken by the Blue (Defender) AI agent β your trained model |
| π΄ ATTACKER | This action was taken by the Red (Attacker) agent β the adversarial agent trying to make things worse |
| SCAN run_security_scan | The action type. SCAN = badge abbreviation. run_security_scan = exact game action |
| target="db" | Parameters passed to the action (which service to scan) |
| The text below | What the environment told the agent back β the result of that action |
| +0.38 | The reward earned. Positive = good action. Negative = bad/wrong action. Zero = neutral. |
| π€ AI Output (teal box) | The ACTUAL raw JSON your Qwen2.5-7B model generated. This is live proof the AI is running β not a simulation. |
| Thinking dots | The model is currently querying the HF endpoint β waiting for a response |
The 9 possible actions:
| Action | What the agent does | When to use it |
|---|---|---|
inspect_metrics |
Look at all service metrics | First step β gather info |
query_logs |
Read logs for a specific service | Investigate suspicious service |
run_security_scan |
Deep security scan of a service | Suspect cyber attack |
restart_service |
Restart a crashed/leaking service | Memory leak, service crash |
scale_service |
Add more replicas to handle load | DDoS / traffic spike |
block_ip |
Block a specific IP address | DDoS, data exfiltration source |
rollback_deployment |
Revert to previous version | Bad deployment |
isolate_service |
Cut a service off from the network | Active breach, data exfiltration |
submit_diagnosis |
Final answer β what was the root cause | Final step of every episode |
The reward signal (+/- numbers):
+1.00= Correct final diagnosis β+0.50= Correct mitigation action (e.g., isolate the right service)+0.30= Good investigation (scanning/querying the right service)0.00= Neutral (looked at the wrong service β wasted a step)-0.30= Mildly wrong action-1.00= Completely wrong final diagnosis β
Right Panel β REWARD CURVE
Step Reward βββ Cumulative - - -
β² 0.5
β βββββββ
0.0 β β β
β β
-0.5
S1 S2 S3 S4 S5
| Element | What it means |
|---|---|
| Step Reward (solid line) | The reward earned at each individual step. Bounces up and down β good steps go up, wasted steps go to zero. |
| Cumulative (dashed) | Running total of all rewards. Should trend upward for a smart agent. |
| Final Score / 1.0 | OpenEnv's grader score between 0 and 1. Weighted average of all 3 sub-scores below. |
| Cumul. Reward | Sum of all step rewards. Can be negative if the agent made many bad moves. This is what GRPO optimised during training. |
| Steps Taken | How many actions the agent took total |
| Diagnosis | Did the agent correctly identify the root cause? (1.0 = perfect, 0.0 = wrong) |
| Action Efficiency | Did the agent take the minimum effective actions, or did it waste steps? High = focused. Low = scattered. |
| Investigation Quality | Did the agent properly investigate before diagnosing? (Query logs? Run scans?) High = methodical. |
Log Stream (Bottom of Centre Panel)
[cron] INFO Backup job completed successfully
[audit] WARN Audit log: 3 RBA privilege grants in past 3 hours
[db] INFO Large SELECT query executed by service-account 'reports_bot'
Raw real-time log lines from the simulated services. The AI reads these too (up to 5 per step). The clues to finding the attacker are hidden in here.
Tab 2: BATTLE β Trained AI vs. Attacker
This tab shows an adversarial game between two agents:
- π΅ Defender (your trained AI) β tries to identify and stop the incident
- π΄ Attacker (heuristic agent) β tries to make the incident WORSE and confuse the defender
Turn order: Red attacks first β Blue responds. Repeat.
Why this is impressive for judges:
Most ML projects just show a model predicting something. This shows a LIVE multi-agent game where your fine-tuned AI is actively competing against an adversary in real time.
Battle Controls
| Control | Meaning |
|---|---|
| Scenario | Which incident the battle is fought over |
| Start Battle | Begins the Red vs Blue SSE stream |
| Defender vs Attacker (header right) | Score leaders β who's winning right now |
Battle Feed
Same as Agent Action Feed but interleaved with Red and Blue cards.
π΄ ATTACKER AMP amplify_attack +0.20
auto
Red amplified attack progress by 0.06 β 1.00
π΅ DEFENDER ISO isolate_service +0.50
service="db"
Service 'db' isolated from network. Attack vector contained.
π€ AI Output: {"action_type": "isolate_service", ...}
The Red agent's 5 attack moves explained:
| Attack | What it does |
|---|---|
inject_noise |
Adds fake log entries to confuse the defender |
amplify_attack |
Makes the cyberattack progress faster (more data stolen faster) |
corrupt_metric |
Spikes CPU/latency on a HEALTHY service to create a false alarm |
create_false_alert |
Injects a fake CRITICAL alert on the wrong service |
accelerate_spread |
Spreads the attack to neighbouring services in the topology |
Battle Score Panel
BATTLE SCORE
Defender ββ Attacker ββ
1.4 βββββββββββββββββββββββββββ
1.0 β
0.5 βββββββ
0.0 β βββββ
R1 R2 R3 R4 R5
1.40 DEFENDER | 0.40 ATTACKER
0.990 Episode Score
Defender Advantage +1.00
Attack Suppression 76%
Battle Rounds 8
| Element | Meaning |
|---|---|
| Defender cumulative | Blue agent's total rewards. Higher = better defending. |
| Attacker cumulative | Red agent's total rewards. Higher = attack is succeeding. |
| Episode Score | Final grader score 0-1 for how well the incident was resolved |
| Defender Advantage | Blue cumulative MINUS Red cumulative. Positive = Defender winning. |
| Attack Suppression | What % of the attacker's maximum possible damage was neutralised by the defender |
| Battle Rounds | Number of Red+Blue turn pairs completed |
Tab 3: LEARNING β Curriculum Progress
This tab answers: Is the agent getting better over time during this session?
Left Panel β Curriculum Progress
CURRENT LEVEL
[ Level 1 / 5 ] No episodes recorded yet
Progress to Level 2
The agent starts at Level 1 (easy tasks) and automatically advances when it scores well consistently.
| Level | Tasks included | Threshold to advance |
|---|---|---|
| 1 | Memory Leak (Easy) | Score avg β₯ 0.65 over 5 episodes |
| 2 | Memory Leak + DDoS (Medium) | Score avg β₯ 0.70 |
| 3 | DDoS + Bad Deployment | Score avg β₯ 0.72 |
| 4 | Bad Deployment + Data Exfiltration | Score avg β₯ 0.75 |
| 5 | Data Exfiltration only (Hard) | Maximum difficulty |
Right Panel β Learning Curve Chart
Episode Score βββ Curriculum Level - - -
1.0 ββββββββββββββββββββββββββ
0.8 β
0.5 βββββββ
Ep1 Ep2 Ep3 Ep4
Each dot = one completed episode. The green line shows whether scores are going up over time. The purple dashed line shows which curriculum level the agent is at.
Level-Up Events
When the agent crosses a threshold, a Level-Up event is logged here:
Episode 5: Level 1 β 2 (avg score 0.823)
β οΈ Important: Where is the "learning" actually happening?
There are TWO different kinds of learning in this project β don't confuse them:
1. GRPO Training (already done β )
- This happened in the Hugging Face Space on an A100 GPU over ~500 steps
- The model's weights were updated via Group Relative Policy Optimization (GRPO)
- The result is the fine-tuned model at
SapphireGaze429/opensecops-qwen2.5-7b-grpo - This is NOT happening on the dashboard β it already happened. The dashboard is INFERENCE only.
2. Curriculum Tracking (happens live on the dashboard)
- Every episode you run, the score is recorded server-side
- If the agent consistently scores above the level threshold, it "levels up"
- This doesn't change the model weights β it just selects harder tasks
- It's a demonstration of how you WOULD do online curriculum learning
To explain to judges:
"The model was trained offline using GRPO on an A100 GPU. Here on the dashboard, we demonstrate a curriculum learning wrapper β the agent starts on easy scenarios and earns harder ones as it succeeds. The live AI on the right panel is our trained model making real-time decisions via the Hugging Face Inference Endpoint."
The Episode End Modal
βββββββββββββββββββββββββββββββββ
β β
β
β Incident Resolved! β
β (Trained AI (Qwen2.5-7B)) β
β 0.990 β
β [Run Again] β
βββββββββββββββββββββββββββββββββ
| Score | Icon | What it means |
|---|---|---|
| > 0.70 | β | Incident Resolved! β Agent correctly diagnosed AND efficiently mitigated. |
| 0.40 β 0.70 | β οΈ | Partially Resolved β Agent got partial credit (maybe right diagnosis, inefficient actions or vice versa) |
| < 0.40 | β | Episode Failed β Agent made wrong diagnosis, took harmful actions, or ran out of steps |
For Battle Mode:
βββββββββββββββββββββββββββββββββ
β Defender | VS | Attackerβ
β 1.40 | | 0.40 β
β Defender Wins! π΅ β
β 0.990 β
βββββββββββββββββββββββββββββββββ
Winner is whichever agent has higher cumulative reward. The Episode Score (0.990) is separate β it grades how well the overall incident was resolved regardless of who won the battle.
What Makes a "Good" Episode?
| What the agent did | Score impact |
|---|---|
| Scanned/queried the ACTUALLY affected service | β High Investigation Quality |
Correctly identified root cause (cyber_attack:data_exfiltration) |
β High Diagnosis score |
| Took targeted actions (didn't restart random services) | β High Action Efficiency |
| Got distracted by the attacker's fake alerts | β Low Efficiency |
| Diagnosed the wrong thing | β Zero Diagnosis score |
| Isolated the wrong service causing an outage | β Negative reward steps |
The 4 Scenarios β What's Actually Happening
| Scenario | The Real Problem | The Trap / Noise |
|---|---|---|
| Memory Leak (Easy) | auth service has a memory leak β needs restart |
5% noise, clear signals |
| DDoS Cascade (Medium) | Attackers hitting gateway β api β auth cascade | 25% noise, 2 attacking IPs to block |
| Bad Deployment (Medium-Hard) | api v2.4.1 pushed bad Redis config β reconnect storm | 35% noise, cache error looks like hardware fault |
| Data Exfiltration (Hard) | Service account reports_bot exfiltrating 4GB+ of data |
55% noise, false cache CRITICAL alert injected to mislead |
Common Questions from Judges
Q: Is the AI actually running live, or is this pre-recorded?
The π€ AI Output boxes show the raw JSON generated by the model in real time. Every episode hits our Hugging Face Inference Endpoint. You can see it at http://localhost:8000/debug/ai
Q: How is this different from a script that reads the playbook?
Run Baseline Model mode β it makes obviously wrong choices (restarts the wrong service, blocks 8.8.8.8, wrong diagnosis). The trained model consistently picks the right service, correct mitigation, and correct diagnosis because it was trained to do so via GRPO.
Q: What did GRPO training actually do?
GRPO (Group Relative Policy Optimization) is the same RL algorithm used to train DeepSeek-R1. It generates multiple candidate responses, ranks them by reward, and reinforces the better ones. After 500 training steps on the hardest scenarios, the model learned to prefer investigation β targeted mitigation β correct diagnosis over random actions.
Q: How much did scores improve?
Baseline (untrained) episodes typically score 0.1β0.3. Trained model consistently scores 0.7β0.99 on hard scenarios. That's a ~3-5Γ improvement in grader score.