Grad Project (Coming Soon)
Post-Incident Network Forensics Platform
ML-powered platform that automates anomaly detection in network traffic and lets analysts query forensic data in plain English.
Python, Zeek, Docker, PostgreSQL, ChromaDB, Ollama, Next.js
Problem
Incident responders spend hours manually sifting through raw network logs — a slow process that delays containment and lets subtle attack patterns slip through.
Solution
Built an end-to-end pipeline: PCAP → Zeek logs → 56-feature extraction per session → KMeans anomaly detection → hybrid classification by a deterministic Python rule engine and an LLM. Added a ChromaDB RAG layer over the session data so analysts can query it in plain English.
Impact
Cuts manual triage to near-zero for common attack patterns. LLM outputs MITRE ATT&CK mappings directly in the analyst interface, bridging the gap between raw traffic and actionable intelligence.
Outcomes
- KMeans (k=10) anomaly detection with a 1.2% false-positive rate on benign traffic
- Hybrid classification: deterministic rule engine plus Qwen2.5-coder via Ollama
- PDF and HTML report export in technical and managerial variants
- Fully Dockerized with PostgreSQL persistence and ChromaDB RAG
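The pipeline stages named in the Solution paragraph and the first two Outcomes (Zeek log → features → KMeans scoring → rule engine, and a false-positive rate measured on benign traffic), as an added example that is not the project's own code. It assumes: a trimmed Zeek `conn.log` with constructed rows, four log-scaled features standing in for the project's 56, k=2 instead of k=10 because the sample is tiny, a benign-only baseline fit with the alert threshold set at a high percentile of benign scores, and a placeholder label in place of the Ollama call. The ATT&CK technique IDs in the rule engine are illustrative choices for this example.

```python
"""Zeek conn.log -> session features -> KMeans anomaly score -> rule engine.
Illustration added to this page, not the project's code: the log rows are constructed,
four features stand in for the project's 56, and the LLM step is a placeholder label."""
import math

HEADER = ("#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service "
          "duration orig_bytes resp_bytes conn_state orig_pkts resp_pkts")
BENIGN_ROWS = [  # constructed baseline: four TLS sessions and four DNS lookups
    "1700000000.10 Ch1 10.0.0.5 51234 93.184.216.34 443 tcp ssl 1.20 1100 22000 SF 24 30",
    "1700000001.30 Ch2 10.0.0.5 51235 93.184.216.34 443 tcp ssl 0.85 900 9000 SF 14 18",
    "1700000002.50 Ch3 10.0.0.7 40112 203.0.113.8 443 tcp ssl 2.40 1700 38000 SF 40 52",
    "1700000003.70 Ch4 10.0.0.7 40113 203.0.113.8 443 tcp ssl 1.05 1300 15000 SF 20 26",
    "1700000000.05 Cd1 10.0.0.5 53311 10.0.0.2 53 udp dns 0.012 45 120 SF 1 1",
    "1700000001.25 Cd2 10.0.0.5 53312 10.0.0.2 53 udp dns 0.020 60 210 SF 1 1",
    "1700000002.45 Cd3 10.0.0.7 53313 10.0.0.2 53 udp dns 0.035 78 300 SF 2 2",
    "1700000003.65 Cd4 10.0.0.7 53314 10.0.0.2 53 udp dns 0.015 52 160 SF 1 1",
]
SUSPECT_ROWS = [  # constructed: bulk upload, unanswered SYN ('-' is Zeek's unset marker), one normal session
    "1700000100.00 Cexfil 10.0.0.5 51300 198.51.100.7 443 tcp ssl 1800.0 450000000 12000 SF 390000 210000",
    "1700000101.00 Cscan 10.0.0.5 51301 10.0.0.9 22 tcp - - - - S0 1 0",
    "1700000102.00 Cok 10.0.0.5 51302 93.184.216.34 443 tcp ssl 1.50 1200 20000 SF 28 36",
]

def to_tsv(rows):  # Zeek writes TSV; the rows above are space-separated only for readability
    return "\n".join(r.replace(" ", "\t") for r in [HEADER] + rows)

BENIGN_LOG, SUSPECT_LOG = to_tsv(BENIGN_ROWS), to_tsv(SUSPECT_ROWS)

def num(v):  # Zeek's '-' means unset, e.g. no payload bytes on an S0 probe
    return 0.0 if v == "-" else float(v)

def parse_conn_log(text):
    """Column names come from the #fields line, so a full real conn.log parses the same way."""
    fields, sessions = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            sessions.append(dict(zip(fields, line.split("\t"))))
    return sessions

def featurize(s):  # log1p tames heavy-tailed counts so one huge flow cannot dominate the scale
    return [math.log1p(num(s[f])) for f in ("duration", "orig_bytes", "resp_bytes")] + [
        math.log1p(num(s["orig_pkts"]) + num(s["resp_pkts"]))]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def kmeans(points, k, iters=50):
    """Lloyd's algorithm with farthest-point seeding: deterministic, no RNG."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(dist(p, c) for c in centroids)))
    labels = None
    for _ in range(iters):
        new = [min(range(k), key=lambda j: dist(p, centroids[j])) for p in points]
        if new == labels:
            break
        labels = new
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            if members:  # an emptied cluster keeps its old centroid instead of becoming NaN
                centroids[j] = [sum(col) / len(members) for col in zip(*members)]
    return centroids

def scale(model, f):
    return [(v - m) / s for v, m, s in zip(f, model["mean"], model["std"])]

def score(model, s):  # distance to the nearest benign centroid in z-scored feature space
    return min(dist(scale(model, featurize(s)), c) for c in model["centroids"])

def fit_baseline(benign, k=2, percentile=0.99):
    """Fit on known-benign sessions; the alert threshold is a high percentile of their scores."""
    raw = [featurize(s) for s in benign]
    n, cols = len(raw), list(zip(*raw))
    mean = [sum(c) / n for c in cols]
    std = [math.sqrt(sum((v - m) ** 2 for v in c) / n) or 1.0 for c, m in zip(cols, mean)]
    model = {"mean": mean, "std": std}
    model["centroids"] = kmeans([scale(model, f) for f in raw], k)
    dists = sorted(score(model, s) for s in benign)
    model["threshold"] = dists[min(n - 1, math.ceil(percentile * n) - 1)]
    return model

def false_positive_rate(model, benign):  # what "FP rate on benign traffic" measures; use held-out data
    return sum(score(model, s) > model["threshold"] for s in benign) / len(benign)

def classify(s):
    """Deterministic rules first; what they cannot name goes to the LLM (placeholder label here)."""
    ob, rb = num(s["orig_bytes"]), num(s["resp_bytes"])
    if s["conn_state"] == "S0":  # SYN seen, never answered
        return "unanswered probe", "T1046"  # Network Service Discovery (illustrative mapping)
    if ob > 10_000_000 and ob > 10 * rb:  # large, almost one-way outbound volume
        return "bulk outbound transfer", "T1048"  # Exfiltration Over Alternative Protocol (illustrative)
    return "needs LLM classification", "-"

def triage(model, sessions):
    out = []
    for s in sessions:
        flagged = score(model, s) > model["threshold"]
        label, technique = classify(s) if flagged else ("benign", "-")
        out.append({"uid": s["uid"], "anomalous": flagged, "label": label, "technique": technique})
    return out
```

Two design points a practitioner should carry over to the real pipeline: fitting KMeans on mixed traffic lets a single outlier capture its own centroid and score zero, so the baseline here is fit on benign sessions only and scores are distances to the nearest benign centroid; and a false-positive rate quoted on benign traffic should come from held-out benign sessions, since on the training set the percentile threshold pins it near zero by construction.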