Spaces:
Sleeping
Sleeping
metadata
title: SOC Triage OpenEnv
emoji: 🛡️
colorFrom: blue
colorTo: red
sdk: docker
app_port: 7860
pinned: false
tags:
- openenv
- cybersecurity
- triage
base_path: /web
SOC Triage Environment
A real-world cybersecurity SOC analyst triage environment for agent training and evaluation.
Overview
This environment simulates tier-1 SOC workflow where an agent must:
- investigate evidence with SOC tools
- classify alert severity only after evidence gathering
- prioritize alert queues under uncertainty
- identify multi-stage kill chains in noisy timelines
Architecture now follows OpenEnv reference patterns:
SOCTriageEnvsubclassesEnvironment- server uses
create_app(...)fromopenenv-core - standard endpoints (
/reset,/step,/state,/schema,/ws) are auto-generated - custom endpoints (
/tasks,/grader,/baseline) remain available
Action Space
tool_name: one oflist_tools,query_siem,get_threat_intel,pivot_alert,submit_verdicttool_args: JSON object for tool parameters (query strings, IOC, alert id, etc.)classification: required forsubmit_verdictrecommended_action: required forsubmit_verdictreasoning: analyst rationale for traceability
Observation Space
task_id,difficulty,step_num,max_stepspromptandcontext_historyavailable_toolsfor guided interactioninvestigation_notes,known_iocs,last_tool_result- task evidence (
alertoralertsorevents) reward,done, andfeedback
Tasks
- easy: single alert severity classification
- medium: alert queue prioritization
- hard: kill-chain event correlation
Graders
- easy: severity-distance score
- medium: Kendall-tau rank correlation normalized to [0,1]
- hard: F1 score on selected kill-chain events
Reward Design
Reward is shaped as:
- investigation step rewards for useful evidence gathering
- base grader score on
submit_verdict - partial credit for directionally correct outcomes
- investigation bonus when tool usage improves trace quality
- penalties for false positives and premature/no-investigation verdicts
Run Locally
pip install -r requirements.txt
uvicorn soc_triage_env.server.app:app --host 0.0.0.0 --port 8000
Docker
docker build -t soc-triage-env:latest -f server/Dockerfile .
docker run -p 8000:8000 soc-triage-env:latest
Required Endpoints
- POST /reset
- POST /step
- GET /state
- GET /tasks
- POST /grader
- POST /baseline
- GET /health
Latest Verification Snapshot
Validated locally against the current code state:
- diagnostics: no workspace errors
- grader contract/bounds suite:
test_grader_bounds.pypassed (127/127) - OpenEnv validator: ready for multi-mode deployment
- endpoint smoke checks:
/health,/schema,/reset,/step,/tasks,/grader,/logsall returned HTTP 200
Reference Alignment Summary
Compared against OpenEnv reference repos and templates (calendar, reasoning_gym, tbench2, carla, repl):
- app creation follows
create_app(...)factory pattern used by reference env servers - environment implementation follows
Environmentcontract (reset,step,state) - supports multi-turn progression and deterministic grading-friendly behavior
- custom SOC routes (
/tasks,/grader,/baseline) are additive and do not break standard OpenEnv API shape
Intentional environment-specific extension:
- request-log capture middleware and
/logsendpoint for triage/debug observability