Built an Automated SOC Pipeline That Thinks for Itself, AI-Powered Multi-Pass Threat Hunting using Analyzers
Summary (aggregator-generated): SecFlow is an open-source automated security operations center (SOC) pipeline tool that combines AI with traditional security tools for multi-stage threat analysis. It supports file classification, dynamic analysis, rule generation and multiple output formats, and each module can be used independently.
2026-3-9 15:50:38 Author: www.reddit.com

Security analysis often involves juggling multiple tools - malware sandboxes, macro scanners, steganography detectors, web vulnerability scanners, and OSINT recon. Running these manually is slow, repetitive, and prone to human error. That’s why I built SecFlow: an automated SOC pipeline that thinks for itself.

It's completely open source; you can find the source code here: https://github.com/aradhyacp/SecFlow

SecFlow is designed as a multi-pass, AI-orchestrated threat analysis engine. Here’s the workflow:

  • Uses file type + python-magic to deterministically classify inputs.

  • Only invokes AI when the type is ambiguous, saving compute and reducing false positives.

  • Groq qwen/qwen3-32b models decide which analyzer to run next after each pass.

  • This enables dynamic multi-pass analysis: files can go through malware, macro, stego, web vulnerability, and reconnaissance analyzers as needed.

  • SecFlow automatically follows IOCs from raw outputs and routes payloads to the appropriate analyzer for deeper inspection.

  • YARA → 2–5 deployable rules per analysis, each citing the exact evidence.

  • SIGMA → 2–4 rules for Splunk, Elastic, or Sentinel covering multiple log sources.

  • Every finding is mapped to MITRE ATT&CK TTP IDs with tactic names.

  • Dual reports: HTML for human-readable reports (print-to-PDF) and structured JSON for automation or further AI analysis.

  • Ghidra → automated binary decompilation and malware analysis.

  • OleTools → macro/Office document parsing.

  • VirusTotal API v3 → scans against 70+ AV engines.

  • Docker → each analyzer is a containerized microservice for modularity and reproducibility.

  • Python + python-magic → first-pass classification.

  • React Dashboard → submit jobs, track live pipeline progress, browse per-analyzer outputs.

  • Modular Microservices: each analyzer exposes a REST API and can be used independently.

  • AI Orchestration: reduces manual chaining and allows pipelines to adapt dynamically.

  • Multi-Pass Analysis: configurable loops (3–5 passes) let AI dig deeper only when necessary.

  • Combining classic security tools with AI reasoning drastically improves efficiency.

  • Multi-pass pipelines can discover hidden threats that single-pass scanners miss.

  • Automatic rule generation + MITRE mapping provides actionable intelligence directly for SOC teams.
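To make the orchestration pattern above concrete, here is an added example (not code from the SecFlow repository): a toy Python orchestrator that classifies by an inline magic-byte table (standing in for python-magic), calls a pluggable `ai_fallback` hook only when no signature matches, and runs a bounded, deduplicated multi-pass loop that follows payloads extracted by one analyzer into the next. The analyzers, the `ROUTE` table and the ATT&CK IDs they attach are constructed sample behaviour for illustration, not SecFlow's real integrations.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed signature table standing in for python-magic; real libmagic knows far more.
MAGIC = [(b"MZ", "pe"), (b"\x7fELF", "elf"), (b"%PDF", "pdf"),
         (b"\xd0\xcf\x11\xe0", "ole"), (b"PK\x03\x04", "zip")]
# Hypothetical routing table: which analyzer handles which file type.
ROUTE = {"pe": "malware", "elf": "malware", "pdf": "stego", "ole": "macro", "zip": "malware"}

def classify(data: bytes, ai_fallback: Callable[[bytes], str]) -> Tuple[str, bool]:
    """Deterministic first; the model hook is consulted only when no signature matches."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind, False
    return ai_fallback(data), True

# Constructed analyzers: each returns (findings, extracted payloads), as a microservice would.
def macro_analyzer(data: bytes):
    findings, payloads = [], []
    if b"AutoOpen" in data:  # auto-executing VBA entry point -> T1059.005 (Visual Basic)
        findings.append({"analyzer": "macro", "ttp": "T1059.005", "evidence": "AutoOpen"})
    marker = data.find(b"PAYLOAD:")  # constructed marker for an embedded artifact
    if marker >= 0:
        payloads.append(data[marker + 8:])  # queued for the next pass
    return findings, payloads

def malware_analyzer(data: bytes):  # T1204.002: User Execution, Malicious File
    return [{"analyzer": "malware", "ttp": "T1204.002", "evidence": "executable header"}], []

def stego_analyzer(data: bytes):
    return [], []

ANALYZERS = {"macro": macro_analyzer, "malware": malware_analyzer, "stego": stego_analyzer}

def run_pipeline(sample: bytes, ai_fallback: Callable[[bytes], str], max_passes: int = 5) -> Dict:
    """Bounded multi-pass loop: follow extracted payloads, never re-analyze the same bytes."""
    queue, seen, findings, passes, ai_calls = [sample], set(), [], 0, 0
    while queue and passes < max_passes:
        data = queue.pop(0)
        digest = hashlib.sha256(data).hexdigest()
        if digest in seen:
            continue  # identical artifact already handled: stops self-referencing loops
        seen.add(digest)
        kind, used_ai = classify(data, ai_fallback)
        ai_calls += used_ai
        analyzer = ANALYZERS.get(ROUTE.get(kind, ""))
        if analyzer is None:
            continue  # unroutable type: record nothing rather than guess
        passes += 1
        new_findings, payloads = analyzer(data)
        findings.extend(new_findings)
        queue.extend(payloads)
    return {"findings": findings, "passes": passes, "ai_calls": ai_calls, "pending": len(queue)}
```

The `pending` count tells you when the pass cap, not an empty queue, ended the run, which is the case a SOC would want surfaced in the report rather than silently dropped.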

If you’re curious to see the full implementation, example reports, and setup instructions, the code is available on GitHub — any stars or feedback are appreciated!


Source: https://www.reddit.com/r/netsec/comments/1rp3uqy/built_an_automated_soc_pipeline_that_thinks_for/