Event-first detection
“Is this event malicious?”
Behavioral sequence modeling for insider-risk investigations.
An end-to-end prototype that turns normalized security events into user-relative anomaly scores and analyst investigation workflows.
Built with public benchmark data and synthetic demonstrations.
A security engineering portfolio project by Vyshyvka Studio
The detection thesis
An authentication, file access, or process execution may be harmless in isolation. Risk emerges from how actions relate to the person, their peers, and the sequence that came before.
Event-first detection
“Is this event malicious?”
Sequence-first detection
“Is this sequence surprising for this person?”
Kerberos auth. No IOC match.
In user's access scope. DLP clean.
1/5 threshold. No brute force pattern.
Post-failure re-auth. Normal retry.
Valid RBAC. UEBA score normal.
T1052.001. USB policy — verify.
T1048 possible. DLP — no trigger.
Device removal. No data in motion.
Every assessment is thorough. IOC lookups, MITRE mapping, DLP cross-references, UEBA scoring — genuinely good per-event analysis. But the sequence is a textbook exfiltration, and no amount of per-event enrichment can surface it.
See the system think
The interactive demo uses synthetic scenarios to show normalization, tokenization, sequence assembly, contextual scoring, and the narrative presented for investigation.
Scenario trace
Synthetic insider-risk sequence
Normalize
Tokenize
Sequence
Score
Investigate
A first-time resource access becomes significant when followed by an unusual export and destination change.
System shape
The public view keeps the architecture at the level needed to understand the product. A private walkthrough covers the implementation and tradeoffs in depth.
Receive vendor-neutral security events.
Map activity into a consistent OCSF contract.
Translate categorical behavior into a bounded vocabulary.
Assemble user, peer, resource, and sequence context.
Estimate coherence and relative surprise.
Preserve evidence for analyst review and action.
Prototype evidence
The numbers below describe the checked-in model and benchmark run. They are evidence of implementation depth—not claims of production effectiveness.
Public enforcement case
According to the SEC, unauthorized changes to fourteen Two Sigma investment models contributed to approximately $165 million in client harm. The activity continued for 21 months; a later SEC complaint alleges that an anonymous compensation post prompted the investigation.
“The individual changes were subtle. The sequence was not.”
Sources: SEC administrative order · SEC complaint
Read the public case studyBuilt end to end
Narrative connects the parts of security product work that are often shown separately.
Threat framing, behavioral detection, control analysis, and investigation design.
Sequence representation, transformer training, evaluation, and model compression.
Event contracts, data pipelines, stateful inference, and edge deployment design.
Triage, evidence presentation, user context, review state, and operational workflows.
Choose your depth
The public pages explain the thesis and show the product boundary without exposing the full implementation.
Why event-by-event detection misses the meaning that emerges across a sequence.
~8 min
The public explanation of behavioral modeling, context, scoring, and evaluation.
~12 min
A public SEC enforcement case examined through the lens of behavioral sequence risk.
~10 min
Synthetic scenarios showing the pipeline from normalized event to analyst narrative.
Interactive
Analytics preferences
Narrative Security uses optional Google Analytics to understand which public portfolio pages are useful. No Google tag loads until you accept, and private application routes are never measured.