AI Data Analyst

Came back to the project after getting a Dell Pro Max GB10 (128GB unified memory). The new hardware meant I could run 70B models locally. Pointed the agent at real data (Splunk BOTS v1, 5M log lines) and every tool call timed out. The old tools loaded entire 1.5GB files into memory per query. Zero findings.

Rebuilt the tool layer: a single Python script streams all data sources into a SQLite index with pre-computed anomaly scores, entity relationships, and temporal bins. Tools went from 30-second timeouts to sub-millisecond lookups. Ran three models (Hermes 4 70B, Nemotron Cascade 30B, GPT-OSS 20B) against the same dataset. Hermes found 9 threats including ransomware C2 infrastructure. GPT-OSS finished in 24 seconds.

Added behavioral scoring that catches threats with zero IDS alerts (scanner 23.22.63.114 had behavioral_score=100 with no alerts). Built role labeling (client/server/scanner/sparse) for peer comparison. Added similar_behavior detection using Jaccard similarity on auth username sets with star topology for exact-match groups. Discovered a coordinated brute-force campaign: 69 IPs sharing an identical 25-username wordlist.

Solved the context management problem that kills most agent loops at scale. Scratchpad-based architecture: evict old messages after each finding, inject progress at the top of context every turn, cache entity details, track dedup pairs, detect stuck loops. Went from agents that loop forever to clean 21-call investigations with zero wasted turns.