You're staring at an alert. "AI Detection: Port Scanning -- HIGH." The badge is red. The IP is 192.168.1.1. Now what?
If you're a human analyst, the next 45 minutes look something like this:
Open a terminal. Run whois 192.168.1.1. Realize it's RFC-1918. Close the terminal.
Check the DHCP table. Figure out it's the gateway.
Open Wireshark. Filter by IP. Wait for it to load. Scroll through 6,000 flows.
Notice 24 unique destination ports. Manually count them.
Open the MITRE ATT&CK Navigator. Search for T1046. Read the technique description.
Check if this IP has been seen before. Query the SIEM. Wait. Scroll. Count.
Check the firewall logs. Did Firewalla see this? Did the ASA block it?
Check if any external IPs were involved. Parse through NAT translations.
Correlate timestamps. Build a timeline. Write it up.
Brief your team lead.
That's an hour of work. Per alert. And you have 800 more in the queue.-----What If the Machine Did All of That -- On Every Alert -- Before You Even Clicked?
That's what Beadwindow v12 does. When you click into an alert investigation page, seven analytical engines fire simultaneously. By the time the page renders -- roughly 200 milliseconds later -- you're looking at the finished intelligence product.
Not raw data. Not a log dump. A synthesized assessment with reasoning.
Here's what the system produces for that same port scanning alert, automatically:Neural Analysis
Anomaly Score: 0.85
Models Used: mranv/siem-llama-3.1:v1 (Fred, SIEM Analyst)
Threat Indicators:
- 20 ports scanned from single source [HIGH]
"Horizontal port scanning indicates network reconnaissance"
- 1 unique target host [LOW]
"Single target -- could be targeted attack or service probe"
- MITRE ATT&CK: T1046 (Network Service Discovery) [HIGH]
"Behavioral pattern matches known adversary technique"
- Detection confidence: 40% [MEDIUM]
"Confidence derived from behavioral pattern matching against known attack signatures"
- Source: 192.168.1.1 [INFO]
"Originating IP captured from SPAN port mirror on USW-Pro-48"
Every indicator comes with a reason. Not just "what" -- why.
AI Assessment with Full Reasoning Chain"Detection engine identified Port Scanning originating from 192.168.1.1. Mapped to MITRE ATT&CK T1046 (Network Service Discovery) -- this technique is used by adversaries to enumerate network services and identify exploitable entry points. Observable evidence: 20 ports probed, 1 target host. Fred (SIEM Analyst, siem-llama-3.1) scored 85/100: HIGH confidence threat requiring immediate SOC attention. Ethel (Risk Analyst) has not yet validated this finding -- single-model assessment only. FLAGGED: Queued for manual SOC analyst review and triage."
This isn't a template. It's generated dynamically from the actual evidence, AI scores, MITRE mapping, and verdict state of each individual alert. Different alert? Different narrative. Every time.Network Evidence: PCAP-Level Pattern Analysis
The system pulls 50 related network flows and analyzes them for patterns:
PORT SCAN: 24 unique destination ports contacted --
indicates systematic service enumeration
MULTI-TARGET: traffic to 9 distinct hosts --
suggests automated scanning or lateral movement
Protocol breakdown: UDP: 29 flows, TCP: 21 flows
Data volume: 51.9 KB transferred (51.9 KB out, 0.0 KB in)
That asymmetric traffic pattern (51.9 KB out, 0.0 KB in) tells its own story -- outbound probing with no responses. Classic reconnaissance.Source Intelligence: Who Is This IP?
This is where it gets interesting. The system doesn't just tell you the IP address. It tells you who it is:
192.168.1.1
[RFC-1918 Internal] [Ubiquiti USG/Gateway] [gateway]
Reverse DNS: unifi.localdomain
Behavior: High port and destination diversity -- consistent with
NAT gateway or router (6,037 outbound flows, 6,805 inbound,
4,711 unique dest ports)
Alert History: 800 alerts (Port Scanning: 600, Reconnaissance: 200)
First seen: 2026-02-10 | Last seen: 2026-02-11
For an internal IP, the system automatically traces external contacts -- who was this host talking to outside the network in the 30-minute window around the alert? It enriches each external contact with reverse DNS, Firewalla GeoIP data, and cross-references against the alert database.
For an external IP like 160.79.104.10 (150 alerts on file), the intelligence is even more pointed:
160.79.104.10
[Public Internet] [scanner]
Reverse DNS: none (hiding behind privacy/CDN)
Behavior: Elevated port diversity suggests scanning or enumeration
Targeted internal hosts: 192.168.1.102 (Mac Mini M4 SIEM) -- 132 flows
An external IP with no reverse DNS, scanner behavior, and 132 flows aimed directly at our SIEM server. That's actionable intelligence. That's a candidate for an abuse notification to the ISP. That's a future SWARM escalation target. IOC Cross-Referencing..
Every alert is automatically correlated against:
The alert corpus: "This IP has appeared in 800 total alerts"
Block actions: "IP was blocked via auto-response on 2026-02-10"
Firewall logs: "Firewall observed 47 flows, actions: allow. GeoIP: US"
Behavioral indicators: "20 ports scanned targeting 1 host -- moderate intensity"
Full Event Timeline
Not just "alert created." A complete chain of custody:
SPAN Capture: "SPAN port (en11) captured suspicious traffic from 192.168.1.1 via USW-Pro-48 port mirror"
Detection: "Alert generated: AI Detection: Port Scanning"
Fred Analysis: "Fred (AI SIEM Analyst) completed analysis -- threat score: 85/100. HIGH confidence: attack pattern matches known signatures."
AI Verdict: "Flagged for MANUAL REVIEW -- analyst must confirm or dismiss."
If a block action was taken, it's in the timeline. If an audit log entry exists, it's there. The full story, chronologically, with severity ratings on every event.-----The Philosophy: Show Your Work
Here's the thing about AI in security operations. The industry has spent years building black boxes. "Trust the score." "It's AI." "The algorithm detected it."
That's not good enough for a SOC.
When a human analyst investigates an alert, they build a mental model. They trace connections. They form hypotheses. They document their reasoning. And when they brief their team lead, they don't say "the score was 85." They say why.
Beadwindow v12 does the same thing. Every score has a reason. Every indicator has context. Every assessment has a narrative. The AI doesn't just detect -- it explains.
This isn't about replacing analysts. It's about giving them the finished product so they can make decisions instead of doing data entry.
The difference between a Level 1 analyst and a Level 3 analyst isn't knowledge -- it's speed. A Level 3 knows what to look for and where to find it. Beadwindow gives every analyst Level 3 speed on every alert, from their first day.-----The Numbers
Task | Human Analyst | Beadwindow v12 |
Identify source IP role | 5-10 min | Instant |
Reverse DNS + GeoIP | 2-5 min | 2 seconds |
MITRE technique mapping | 5-10 min | Instant |
Network flow analysis | 15-30 min | Instant |
IOC cross-referencing | 10-20 min | Instant |
External contact tracing | 15-30 min | Instant |
Build investigation timeline | 10-15 min | Instant |
Write assessment narrative | 10-15 min | Instant |
Total | ~90 minutes | ~200 ms |
That's not an optimization. That's a paradigm shift.-----What's Next?
This is the foundation. The source intelligence pipeline is ready for:
Abuse notifications: Automated emails to ISP abuse contacts for US-based providers hosting scanners
SWARM escalation: AI-coordinated multi-model threat hunting and defense on high-confidence alerts --2ndAmendmentCyber.
Temporal analysis: "This IP scans us every Tuesday at 3 AM" -- pattern-of-life detection
Reputation scoring: Aggregated threat scores that improve over time as the corpus grows
The alert investigation page isn't just a viewer anymore. It's the SOC analyst's co-pilot.-----Beadwindow is an on-premise SIEM/XDR platform built on FastAPI, running on Apple Silicon, with dual-AI analysis (Fred + Ethel), SPAN port capture, and synthesized intelligence that shows its work. Every alert. Every time.
By Jeffery Stutzman, Beadwindow Project, https://2ndAmendmentCyber.com
"F**KIN A"
