VVyshyvka
studio

Case study

Narrative Security

A prototype for behavioral security analytics: event normalization, sequence modeling, edge-oriented inference infrastructure, and analyst-facing review tools brought into one inspectable product system.

Capabilities
Design, Frontend, Backend, AI/ML, Data Modeling, DevOps
Type
Security analytics prototype
Stack
Python, PyTorch, NumPy, React, Cloudflare
Scope
SOC dashboard, Model exposition, Validation, Edge inference
Year
2026

Product inventory

Repository evidence: routes, data model, interface screens, and workflow code.

Page routes
27
UI components
269
Python tests
22
Model artifacts
12
Runtime path
Cloudflare

Project overview

A prototype for behavioral security analytics: event normalization, sequence modeling, edge-oriented inference infrastructure, and analyst-facing review tools brought into one inspectable product system.

Isolated security events rarely explain behavior. The prototype normalizes authentication, process, file, and access activity into behavioral sequences, compares them against user and peer context, and shows the result for analyst review rather than treating a model score as the product.

What was built

A full-stack applied AI product practice: domain modeling, ML pipeline design, deployment architecture, operational dashboard, validation, and documentation.

Sequence-modeling pipeline

Python services normalize events, tokenize activity, build profiles, train sequence models, and export inference artifacts.

SOC dashboard

Analyst screens show queue state, alerts, user risk, timelines, peer context, recommendations, and resolution workflows.

Edge inference architecture

Worker gateway, Python inference containers, queues, KV, R2 artifacts, D1 records, and active-version switching outline a Cloudflare runtime path.

Validation and audit model

Pydantic/Zod contracts, exercise-data review, audit records, benchmark-style pages, and model exposition pages keep the prototype inspectable.

Validation

Pydantic and Zod service boundaries.

Artifacts

Bundles, vocabularies, templates, versions.

Selected details

Implementation details from the product, data, workflow, and infrastructure layers.

  • 01

    Contract-driven Python services with Pydantic validation.

  • 02

    Runtime validation in TypeScript with Zod and hardened security headers.

  • 03

    Model bundle export, quantization, artifact upload, and active-version switching workflows.

  • 04

    Dashboard screens for triage, analytics, data exploration, users, settings, and operational administration.

  • 05

    System components map across Events, Gateway, Linguist, Profiler, Predictor, Investigator, and Dashboard screens.

  • 06

    Cloudflare deployment paths include Workers, D1, KV, R2, queues, containers, and Access-oriented configuration.

  • 07

    LANL-style and red-team artifacts support benchmark-style review, alert inspection, and model evaluation.

  • 08

    Security headers, audit records, validation contracts, and model exposition pages keep the workflow inspectable.

Systems overview

How the public pages, staff workflows, data, review steps, and infrastructure connect.

Events

Structured security telemetry.

Tokenization

Sequence-ready behavioral inputs.

Model

Anomaly scoring and inference artifacts.

Alert store

Severity, status, recommendations.

Analyst UI

Triage, timelines, analytics, settings.

Technology

The platform stack behind the build.

Python
PyTorch
NumPy
Next.js
React
Drizzle ORM
SQLite
Cloudflare D1
Cloudflare Workers
Cloudflare R2
Pydantic
Zod

Design language

A security-operations visual language: dark review panels, compact mono labels, sparse severity color, table-first evidence, queue state, and diagrams that explain the model path.

Philosophy

Security analytics as review workflow

The product framing keeps the model visible but subordinate to analyst review: event context, peer comparison, queue state, validation, and auditability do the explanatory work.

Analyst queuesPeer contextExercise reviewModel exposition
Aa
System sans, mono utility, severity symbolsAnalyst panels, IDs, risk state
Graphite#0c1117
Panel#151d27
Cyan#45d6d8
Purple#8b6ff7
Severity#f59e0b

Selected screens

Additional screens from the case study.