Hugging Face's logo

Spaces:
shivam2k3
/
opensoc-env
Running

App Files Community
opensoc-env
File size: 2,834 Bytes
bb6a031
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
# 90-second YouTube walkthrough β€” OpenSOC

Total: **90 seconds**, broken into four ~25-second beats.  Record at 1080p,
unlisted, no music (optional 5-second outro card).

## Beat 1 β€” Problem (0:00–0:15)

**Visual**: cursor blinking on a SOC dashboard with a queue of unread alerts;
zoom into one alert that says `Authentication failures (8 attempts) from
198.51.100.7`.

**Voiceover (suggested)**:

> "By the time a tier-1 analyst sees an alert like this, the attacker may
> have been inside for hours. Most SOCs are understaffed, and a real
> attack that gets dismissed by a tired human is invisible until it's
> too late."

## Beat 2 β€” Env demo (0:15–0:40)

**Visual**: the deployed `https://...hf.space/demo` page.  Click
"Next incident" three times; pause briefly on each example.

**Voiceover**:

> "OpenSOC is an OpenEnv environment where the same alert is shown to two
> models. On the left: zero-shot Qwen2.5-3B; on the right, the same model
> after we trained it inside this environment with GRPO. The verifier in
> the middle decides what 'right' is β€” deterministically, from the
> structured incident parameters, never from any text the attacker
> writes."

## Beat 3 β€” Before vs after (0:40–1:05)

**Visual**: split screen β€” left half shows the eval bar chart
`bar_dismiss_on_malicious.png`; right half shows the confusion matrix
`confusion_opensoc_grpo.png`.

**Voiceover**:

> "On a 200-incident hold-out, the baseline dismisses real attacks at
> [BASELINE]%. After SFT warm-start plus GRPO across four curriculum
> stages, dismiss-on-malicious drops to [TRAINED]% β€” and macro F1 lifts
> from [BASELINE_F1] to [TRAINED_F1]. Over-reaction on benign traffic
> didn't get worse."

## Beat 4 β€” Why RLVR (1:05–1:30)

**Visual**: a single code editor pane showing
`verifier.compute_ground_truth(params)` and
`verifier.check_plausibility(params)`; highlight that both are pure
functions of the *structured* params.

**Voiceover**:

> "The reason this works is that the reward is computed from the structured
> attacker parameters, not from any narrative. The plausibility checker
> blocks the trivial reward hack of just emitting noise. That's what makes
> this RLVR β€” verifiable rewards, no learned judge to fool. Code, eval
> set, training notebook and a $3 GPU recipe are all in the repo."

## Closing card (1:30)

Title: **OpenSOC β€” RLVR self-play SOC triage**
URL: `huggingface.co/spaces/<USER>/opensoc-env`
GitHub-style logo: optional

## Recording tips

- Use OBS or Loom; export as 1080p mp4.
- Pre-load the Space on `/demo` and click "Next incident" once before
  recording so the first paint isn't cold.
- Keep terminal font size large; favour Bear Notes / OBS overlays for
  the voiceover beats over fullscreen code.
- Upload as **unlisted**; share the URL in the README and the HF blog.