Skip to main content
Independent security-AI prototype

Narrative Security: AI/ML Insider Threat Detection Portfolio

Behavioral sequence modeling for insider-risk investigations.

An end-to-end prototype that turns normalized security events into user-relative anomaly scores and analyst investigation workflows.

Built with public benchmark data and synthetic demonstrations.

A security engineering portfolio project by Vyshyvka Studio

50M
Benchmark events
29M
Model parameters
144
Token vocabulary
22MB
INT8 artifact

The detection thesis

Events are not behavior.

An authentication, file access, or process execution may be harmless in isolation. Risk emerges from how actions relate to the person, their peers, and the sequence that came before.

Event-first detection

Is this event malicious?

Sequence-first detection

Is this sequence surprising for this person?

AI-Native Assessment

Auth: LogonLOW RISK

Kerberos auth. No IOC match.

File: Read — quarterly_report.pdfLOW RISK

In user's access scope. DLP clean.

Auth: Logon (failed)LOW RISK

1/5 threshold. No brute force pattern.

Auth: LogonLOW RISK

Post-failure re-auth. Normal retry.

File: Read — customer_list.xlsxLOW RISK

Valid RBAC. UEBA score normal.

Device: Mount — USB_DRIVEMEDIUM

T1052.001. USB policy — verify.

File: Copy → USB_DRIVEMEDIUM

T1048 possible. DLP — no trigger.

Device: Unmount — USB_DRIVELOW RISK

Device removal. No data in motion.

2 medium-risk findings. Dispatching triage agent...

Read it as a story. See it now?

01Auth: Logonjsmith
02File: Read — quarterly_report.pdfjsmith
03Auth: Logon (failed)jsmith
04Auth: Logonjsmith
05File: Read — customer_list.xlsxjsmith
06Device: Mount — USB_DRIVEjsmith
07File: Copy → USB_DRIVEjsmith
08Device: Unmount — USB_DRIVEjsmith

Every assessment is thorough. IOC lookups, MITRE mapping, DLP cross-references, UEBA scoring — genuinely good per-event analysis. But the sequence is a textbook exfiltration, and no amount of per-event enrichment can surface it.

See the system think

Follow an event from raw telemetry to analyst context.

The interactive demo uses synthetic scenarios to show normalization, tokenization, sequence assembly, contextual scoring, and the narrative presented for investigation.

Run the interactive demo

Scenario trace

Synthetic insider-risk sequence

Interactive
01

Normalize

02

Tokenize

03

Sequence

04

Score

05

Investigate

Narrative resultContext shift detected

A first-time resource access becomes significant when followed by an unusual export and destination change.

System shape

From event stream to analyst decision.

The public view keeps the architecture at the level needed to understand the product. A private walkthrough covers the implementation and tradeoffs in depth.

01

Ingest

Receive vendor-neutral security events.

02

Normalize

Map activity into a consistent OCSF contract.

03

Tokenize

Translate categorical behavior into a bounded vocabulary.

04

Contextualize

Assemble user, peer, resource, and sequence context.

05

Score

Estimate coherence and relative surprise.

06

Investigate

Preserve evidence for analyst review and action.

Prototype evidence

Concrete artifacts, with the boundaries intact.

The numbers below describe the checked-in model and benchmark run. They are evidence of implementation depth—not claims of production effectiveness.

Public LANL events
50M
Training configuration
Model parameters
29M
Four-layer transformer
Vocabulary entries
144
143 templates plus padding
Quantized artifact
22MB
INT8 deployment bundle

Evidence boundary

  • Independent proof of concept
  • Public benchmark data
  • Synthetic public demonstrations
  • No customer or production validation claimed

Public enforcement case

What happens when controls see changes, but not behavior?

According to the SEC, unauthorized changes to fourteen Two Sigma investment models contributed to approximately $165 million in client harm. The activity continued for 21 months; a later SEC complaint alleges that an anonymous compensation post prompted the investigation.

The individual changes were subtle. The sequence was not.

Sources: SEC administrative order · SEC complaint

Read the public case study

Built end to end

One project, several layers of technical judgment.

Narrative connects the parts of security product work that are often shown separately.

01

Security strategy

Threat framing, behavioral detection, control analysis, and investigation design.

02

Applied ML

Sequence representation, transformer training, evaluation, and model compression.

03

Systems engineering

Event contracts, data pipelines, stateful inference, and edge deployment design.

04

Analyst experience

Triage, evidence presentation, user context, review state, and operational workflows.