Security analysis often involves juggling multiple tools - malware sandboxes, macro scanners, steganography detectors, web vulnerability scanners, and OSINT recon. Running these manually is slow, repetitive, and prone to human error. That’s why I built SecFlow: an automated SOC pipeline that thinks for itself. Its completely open source, you can find the source code here: https://github.com/aradhyacp/SecFlow How It Works SecFlow is designed as a multi-pass, AI-orchestrated threat analysis engine. Here’s the workflow: Smart First-Pass Classification Uses file type + python-magic to deterministically classify inputs. Only invokes AI when the type is ambiguous, saving compute and reducing false positives. AI-Driven Analyzer Routing Groq qwen/qwen3-32b models decide which analyzer to run next after each pass. This enables dynamic multi-pass analysis: files can go through malware, macro, stego, web vulnerability, and reconnaissance analyzers as needed. Download-and-Analyze SecFlow automatically follows IOCs from raw outputs and routes payloads to the appropriate analyzer for deeper inspection. Evidence-Backed Rule Generation YARA → 2–5 deployable rules per analysis, each citing the exact evidence. SIGMA → 2–4 rules for Splunk, Elastic, or Sentinel covering multiple log sources. Threat Mapping & Reporting Every finding is mapped to MITRE ATT&CK TTP IDs with tactic names. Dual reports: HTML for human-readable reports (print-to-PDF) and structured JSON for automation or further AI analysis. Tools & Tech Stack Ghidra → automated binary decompilation and malware analysis. OleTools → macro/Office document parsing. VirusTotal API v3 → scans against 70+ AV engines. Docker → each analyzer is a containerized microservice for modularity and reproducibility. Python + python-magic → first-pass classification. React Dashboard → submit jobs, track live pipeline progress, browse per-analyzer outputs. Design Insights Modular Microservices: each analyzer exposes a REST API and can be used independently. AI Orchestration: reduces manual chaining and allows pipelines to adapt dynamically. Multi-Pass Analysis: configurable loops (3–5 passes) let AI dig deeper only when necessary. Takeaways Combining classic security tools with AI reasoning drastically improves efficiency. Multi-pass pipelines can discover hidden threats that single-pass scanners miss. Automatic rule generation + MITRE mapping provides actionable intelligence directly for SOC teams. If you’re curious to see the full implementation, example reports, and setup instructions, the code is available on GitHub — any stars or feedback are appreciated! submitted by /u/Content-Medium-7956 [link] [comments]