VVyshyvka
studio

Security AI systems

Security AI is only useful if analysts can review it.

A model score is not a security product.

Vyshyvka builds the surrounding product: data with context, model output that can be inspected, analyst screens that support review, and reporting that explains what the system found.

What this covers

  • Detection engineering
  • AI/ML security
  • LLM triage
  • Security data platforms
  • SIEM tooling
  • Sensitive workflows
  • Analyst workflows
  • Evidence review
  • Audit trails
  • Edge deployment

Operating range

The work sits between security engineering, product, and data systems.

Experience covers AI/ML security work in sensitive environments: behavioral analytics, LLM-assisted triage, analyst tooling, and investigation reporting. The work holds together when the data path, scoring path, review interface, and evidence trail are designed as one system.

Production
security engineering in live environments
Detection
model-assisted scoring and triage
Analysts
queues, cases, evidence, and review paths
Reporting
clear findings with caveats and source context
Delivery
typed contracts, tests, deployment, and operations
End-to-end
data, models, tools, response, and evidence

Capability map

Security AI work crosses detection, data, ML, and analyst tooling.

A useful tool needs a clear security problem, usable data, bounded model output, review paths, and reporting that can be challenged.

ML security systems

Behavioral baselines, anomaly scoring, peer context, model evaluation, and threshold tuning.

LLM detection workflows

Structured triage, drift checks, evidence handling, escalation paths, and cost-aware gating.

Security data platforms

Telemetry modeling, signal persistence, migrations, ingestion boundaries, and reviewable records.

Analyst product design

Triage queues, case views, dashboards, evidence tables, analyst actions, and audit trails.

Operations and infrastructure

Authentication-aware deployment, containerized services, cloud infrastructure, search, health checks, and jobs.

Investigation advisory

Security reporting with clear methods, caveats, evidence summaries, and decision-ready findings.

Systems shipped and operated

Experience spans detection platforms, review pipelines, analyst consoles, and evidence support.

The common thread is production ownership across data models, scoring logic, workflow state, review screens, audit paths, and findings that can be explained under scrutiny.

01Detection platform workML + LLM detection workflows

Signal definitions, model-assisted scoring, analyst review states, feedback paths, and dashboard views.

02LLM review pipelinesStructured content and risk review

Staged review logic, structured model outputs, persistence, quality gates, and human escalation.

03Analyst consolesTriage and investigation tooling

Queue state, case escalation, evidence tables, dashboard views, and analyst actions.

04Access monitoringSensitive access and audit workflows

Role-aware controls, audit logging, unstructured log parsing, weighted review logic, and exception handling.

05ML anomaly systemsBehavioral modeling prototypes

Model training, statistical scoring, experimental graph work, searchable outputs, and evaluation loops.

06Sensitive review supportEvidence correlation and reporting

Multi-source analysis, caveated findings, review-ready summaries, and clear methods.

Narrative Security

Narrative Security shows the full operating model.

Narrative models user behavior as event sequences, scores unusual activity with user and peer context, and presents the result in a SOC-style dashboard for review.

Narrative Security operations overview screen with dashboard, investigation, and model review surfaces.

Security analytics platform

Narrative Security Operations

Prototype work covering behavioral sequence scoring, Cloudflare-based runtime architecture, SOC dashboard screens, alert review, user context, red-team review, and model explanation.

View case study
29M
parameter transformer
144
behavior tokens
22MB
INT8 model artifact
27
Next.js page routes
5-stage
ML scoring pipeline
6
Cloudflare runtime primitives

Architecture discipline

In security work, review comes before automation.

Before a tool can act, people need to see what it saw, what it inferred, and where a human decision still belongs.

Evidence first

Signals, model outputs, and findings need source references, caveats, and enough context to review.

Typed handoffs

Contracts keep service outputs, queue payloads, filters, and analyst actions explicit.

Model lifecycle

Training, evaluation, quantization, artifact storage, and active-version switching have to be planned.

Analyst workflow

Analyst tools need queues, timelines, peer context, review screens, data exploration, and audit records.

Evaluation guide

Bring the real problem.

The clearest conversation starts with the role scope, telemetry, constraints, decision process, and the standard the work has to meet.

Architecture review

Walk through the event model, scoring path, deployment shape, UI surfaces, and tradeoffs.

Problem-fit discussion

Map the real security, AI, or data problem to systems that have been built and operated.

Code-oriented review

Discuss contracts, validation, artifacts, workflow boundaries, reliability, and implementation choices.

Case-based exercise

Use noisy telemetry, ambiguous behavior, stakeholder constraints, and evidence requirements.

Selective engagements

Best fit when the stakes are too high for black-box output.

Good fit

  • Security tools where model output has to be reviewed before anyone acts on it.
  • Detection engineering tools with messy multi-source data.
  • Security data products that need validation, auditability, and analyst trust.
  • LLM triage where cost, scope drift, and evidence quality matter.
  • Sensitive work where product, data, infrastructure, and reporting have to line up.

Not a fit

  • Generic chatbot apps with no security workflow.
  • Compliance checkbox tooling with no evidence model.
  • Dashboards that only restyle existing alerts.
  • AI strategy without implementation responsibility.
  • Projects without enough source material to model the work.

Start the work

If the security workflow needs a model, it also needs a review path.

Send a brief if the project involves sensitive data, detection logic, analyst review, LLM triage, evidence quality, or reporting that has to hold up under scrutiny.

Send a project brief