Spaces:
Sleeping
OpenSecOpsEnv β Full Project Walkthrough
What Is This?
OpenSecOpsEnv is an OpenEnv-compliant reinforcement learning environment where an AI agent acts as an on-call security engineer. The agent must investigate and resolve production incidents across 4 escalating scenarios β from a simple memory leak to a disguised data exfiltration attack buried under 55% noise.
π€ What Your Agent Does β Full Pipeline
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Episode Flow β
β β
β env.reset(task_id) β
β β β
β βΌ β
β HiddenState (true root cause β NEVER shown to agent) β
β β drives β
β βΌ β
β SecOpsObservation (alerts + metrics + logs + topology) β
β β β
β βΌ β
β LLM reads observation as text prompt β
β β β
β βΌ β
β LLM outputs JSON: {"action_type": "...", "parameters": {...}} β
β β β
β βΌ β
β env.step(action) β (new_obs, reward, done, info) β
β β β
β GRPO uses reward to update model weights β
β β β
β βββββ loop until done or max_steps βββββββββββββββββββββ
β β
β grade(state) β score [0, 1] β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
The 4 Tasks
| Task | Incident | Root Cause | Noise | Max Steps |
|---|---|---|---|---|
| easy_memory_leak | Auth service heap overflow | infra_failure:memory_leak |
5% | 30 |
| medium_ddos_cascade | DDoS from 2 IP ranges β gateway β api β auth | cyber_attack:ddos |
25% | 40 |
| medium_hard_bad_deployment | Bad Redis config in api v2.4.1 β cache reconnect storm | misconfiguration:bad_config |
35% | 45 |
| hard_data_exfiltration | Compromised reports_bot exfiltrating 4GB via DB, false cache alert |
cyber_attack:data_exfiltration |
55% | 50 |
Reward Design (Dense)
| Action | Reward |
|---|---|
| Investigate affected service (first time) | +0.20 |
| Security scan hits cyber attack target | +0.30 |
| Correct mitigation step | +0.50 |
| Correct diagnosis | +1.00 |
| Investigate irrelevant service | β0.05 |
| Wrong mitigation (e.g., restart wrong service) | β0.10 |
| Harmful action (block legit IP, isolate healthy service) | β0.50 |
| Wrong diagnosis | β1.00 |
Grader (Episode Score [0, 1])
score = 0.5 Γ diagnosis_correct
+ 0.3 Γ action_efficiency
+ 0.2 Γ investigation_quality
π§ Training: GRPO with Unsloth
Model: Qwen2.5-7B-Instruct (4-bit QLoRA via Unsloth)
Algorithm: Group Relative Policy Optimization (GRPO)
Training file: colab_training.ipynb (Google Colab, T4 GPU)
What GRPO does
For each observation prompt, it generates 4 completions (different JSON actions), runs each in the environment, gets rewards, then updates the model to increase probability of higher-reward completions relative to the group average.
Prompt (observation) β [action_1, action_2, action_3, action_4]
β β β β
r=0.20 r=-0.05 r=0.50 r=-0.50
β winner
GRPO update: increase P(action_3) relative to group mean
What the agent learns
- Start with
inspect_metrics({})to get overview (not random) - Follow the topology: gateway β api β auth (upstream = root cause)
- Run
run_security_scanbefore isolating services - Ignore false alerts (the cache in hard task is a decoy)
- Submit exact diagnosis labels
π¨ Dashboard Changes (Round 2 Retheme)
The dashboard was redesigned from cyberpunk neon to clean minimal professional:
| Before | After |
|---|---|
Dark background #050811 |
Light background #f8fafc |
| Neon cyan/green glows | Clean blue #2563eb, green #16a34a, red #dc2626 |
| Animated grid background | Clean white cards with subtle shadows |
alert() for comparison hint |
Non-blocking toast notification |
Bugs Fixed (10 total)
- β Topology nodes now highlight in red when they're affected services
- β Log stream clears properly on episode reset
- β
alert()replaced withshowToast()(non-blocking) - β Progress bar colors are now dynamic (green/orange/red based on score)
- β Score total color resets to neutral on UI reset
- β
comparisonScorespreserved acrossresetUI()so Compare works after replay - β Latency bar scale fixed (was /5000, now /2000 for better visibility)
- β Chart theme updated to match clean palette
- β Panel backgrounds consistent across all three columns
- β
Topology node
topo-node.affectedCSS was always defined but JS never applied the class β fixed
π¦ Files Overview
opensecops_env/
βββ env.py # Core environment (reset/step/state)
βββ multi_agent_env.py # β NEW: Red vs Blue adversarial environment
βββ curriculum.py # β NEW: Procedural task generation & level ups
βββ models.py # SecOpsAction, SecOpsObservation, SecOpsState
βββ grader.py # Deterministic episode grader [0,1]
βββ tasks/
β βββ task_definitions.py # 4 base task configs
βββ server/
βββ app.py # FastAPI server + endpoints + dashboard
training/
βββ train_grpo.py # GRPO training script (local)
βββ plot_rewards.py # Reward curve generation
colab_training.ipynb # Full Colab notebook for HF credits
inference.py # Baseline heuristic agent
π Round 2 Theme Alignment
| Theme | Status | Evidence |
|---|---|---|
| Long-Horizon Planning | β Strong | 30β50 step episodes, sparse final reward, causal chain reasoning |
| World Modeling: Professional | β Strong | Real SecOps tools (block_ip, rollback_deployment), realistic metrics |
| Multi-Agent | β Strong | Red vs Blue: An attacker (Red) interleaves turns with the defender (Blue). Red actively obfuscates logs, spikes metrics, and injects false alerts while Blue investigates. |
| Self-Improvement | β Strong | Curriculum Manager: Environment dynamically scales difficulty. When agent scores > 0.72 consistently, it unlocks Level 2 (compound failures), Level 3 (unknown procedurally generated topologies), and Level 4 (Adversarial Red). |
π How to Execute & Test
1. Test the API Endpoints (Curriculum & Multi-Agent)
Start the server locally:
uvicorn opensecops_env.server.app:app --reload
In another terminal, test the Curriculum endpoint:
curl http://localhost:8000/curriculum/summary
# You will see the current level (1) and performance stats.
Test the Multi-Agent environment (Blue step, then Red step):
# Reset with "auto" to use curriculum
curl -X POST http://localhost:8000/multi/reset \
-H "Content-Type: application/json" -d '{"task_id":"auto"}'
# Blue takes a step
curl -X POST http://localhost:8000/multi/blue/step \
-H "Content-Type: application/json" \
-d '{"action_type":"inspect_metrics", "parameters":{}}'
# Red reacts (heuristic attacker)
curl -X POST http://localhost:8000/multi/red/step \
-H "Content-Type: application/json" -d '{}'
2. View the Dashboard
Go to http://localhost:8000/dashboard in your browser.
Click Run Episode and you will see the new clean, minimal theme, functional topology highlighting, and fixed progress bars.
3. Run the Colab Notebook (The Core Training Evidence)
- Upload
colab_training.ipynbto Google Colab. - Select a T4 GPU runtime (or A100 if using HF credits).
- Add your
HF_TOKENin Colab's Secrets tab. - Run all cells. It will:
- Download the model and environment
- Run GRPO training using Unsloth
- Automatically generate
training_results.png(learning curves) - Push the fine-tuned adapter to Hugging Face.
Primary pitch to judges: This environment isn't just a static puzzle. It actively fights back (Multi-Agent) and gets harder as the model learns (Self-Improvement), making it a true testbed for next-generation reasoning models.