Planning · Python · llama.cpp · pgvector · MITRE ATT&CK

Analyst Correlation Engine

Local-first RAG system for correlating security logs with MITRE ATT&CK intelligence.

$ cat story.md

The idea came from a recurring problem at work: analysts have logs, they have threat intel, but connecting the two requires manual lookups and domain knowledge that takes years to build.

The goal is a local system where you can ask questions like 'what techniques do we have coverage for?' or 'which of these log patterns map to ATT&CK?' and get grounded, citable answers.

Planning phase. The RAG architecture is mostly figured out. The open question is whether a locally run embedding model retrieves precisely enough for this use case.

$ git status

Planning phase. Architecture defined, paused while working through foundational AI courses.

$ ls ./components

MITRE ATT&CK Ingestion
Embedding Pipeline
Vector Search (pgvector)
Query Interface
Log Sample Corpus
  • RAG pipeline design for structured knowledge bases
  • Local embedding models vs. API embeddings
  • pgvector for production vector search
  • Domain-specific retrieval quality evaluation

? Local embedding quality: is it good enough for precise technique matching?

? How should the structured, hierarchical nature of ATT&CK be represented in a flat vector store?
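An offline mock-up of the components listed above (ingestion, embedding, pgvector-style search, retrieval evaluation) that also exercises both open questions. This is an added example, not the project's code. The bag-of-words "embedding" and the in-memory cosine search are stand-ins for the llama.cpp embedding model and pgvector; the five technique records, the log patterns, the `attack_chunks` table and its `vector(768)` dimension are all constructed for the example. The two ideas it demonstrates are (1) writing the tactic and parent technique into each chunk's text while keeping the ids as metadata, so a flat store still carries the hierarchy and can filter or roll up by it, and (2) measuring retrieval quality as recall@k over labelled log-pattern-to-technique pairs, with and without accepting a hit on the parent technique.

```python
"""Offline mock-up of the planned pipeline: ATT&CK ingestion -> embedding ->
vector search -> retrieval evaluation.  Added example, not the project's code.
The bag-of-words "embedding" and in-memory cosine search stand in for the
llama.cpp embedding model and pgvector; technique records and log patterns
are hand-constructed, not the real STIX bundle or real logs."""
import math
import re
from collections import Counter

# Constructed subset of ATT&CK.  Tactic and parent link are exactly what a
# flat vector store loses unless they are carried along explicitly.
TECHNIQUES = [
    {"id": "T1059", "parent": None, "tactic": "execution", "name": "Command and Scripting Interpreter",
     "text": "Adversaries abuse command and script interpreters to execute commands, scripts, or binaries."},
    {"id": "T1059.001", "parent": "T1059", "tactic": "execution", "name": "PowerShell",
     "text": "Adversaries abuse PowerShell commands and scripts, often in hidden windows with encoded commands passed via -enc."},
    {"id": "T1003", "parent": None, "tactic": "credential-access", "name": "OS Credential Dumping",
     "text": "Adversaries dump credentials to obtain account login and credential material."},
    {"id": "T1003.001", "parent": "T1003", "tactic": "credential-access", "name": "LSASS Memory",
     "text": "Adversaries access credential material in the memory of lsass.exe, for example by dumping it with procdump."},
    {"id": "T1021.001", "parent": "T1021", "tactic": "lateral-movement", "name": "Remote Desktop Protocol",
     "text": "Adversaries log into a remote computer over RDP on TCP port 3389 using valid accounts."},
]
TOKEN = re.compile(r"[a-z0-9]+")

def embed(text):
    """Stand-in for the local embedding model: L2-normalised bag of words, so a
    dot product is cosine similarity.  Says nothing about a real model's quality."""
    counts = Counter(TOKEN.findall(text.lower()))
    norm = math.sqrt(sum(n * n for n in counts.values())) or 1.0
    return {tok: n / norm for tok, n in counts.items()}

def cosine(a, b):
    return sum(w * b[tok] for tok, w in a.items() if tok in b)

def build_chunks(techniques):
    """Ingestion: one chunk per technique.  A sub-technique's text is prefixed
    with its tactic and parent name so the flat embedding still carries the
    hierarchy; the ids stay as metadata for filtering and parent roll-up."""
    by_id = {t["id"]: t for t in techniques}
    chunks = []
    for t in techniques:
        parent = by_id.get(t["parent"]) if t["parent"] else None
        lineage = f"{parent['name']} > {t['name']}" if parent else t["name"]
        body = f"Tactic: {t['tactic']}. Technique: {lineage} ({t['id']}). {t['text']}"
        chunks.append({"technique_id": t["id"], "parent_id": t["parent"],
                       "tactic": t["tactic"], "body": body, "embedding": embed(body)})
    return chunks

# Assumed pgvector layout for the same rows (DDL only, not executed here):
# hierarchy and tactic are ordinary columns beside the vector, so a query can
# filter with WHERE before ORDER BY embedding <=> $1, and parent_id lets a
# sub-technique hit be rolled up.  vector(768) is a placeholder dimension.
PGVECTOR_DDL = """
CREATE TABLE attack_chunks (
    technique_id text PRIMARY KEY,
    parent_id    text,
    tactic       text NOT NULL,
    body         text NOT NULL,
    embedding    vector(768)
);
CREATE INDEX ON attack_chunks USING hnsw (embedding vector_cosine_ops);
"""

def search(query, chunks, k=3, tactic=None):
    """Top-k by cosine; the optional tactic filter is the metadata WHERE clause
    pgvector would apply before ranking by distance."""
    q = embed(query)
    cands = [c for c in chunks if tactic is None or c["tactic"] == tactic]
    ranked = sorted(cands, key=lambda c: cosine(q, c["embedding"]), reverse=True)
    return [c["technique_id"] for c in ranked[:k]]

# Constructed evaluation set: log pattern -> technique an analyst would assign.
EVAL_SET = [
    ("powershell.exe -nop -w hidden -enc SQBFAFgA", "T1059.001"),
    ("procdump.exe -ma lsass.exe lsass.dmp", "T1003.001"),
    ("EventID 4624 LogonType 10 from 10.0.0.5 port 3389", "T1021.001"),
    ("rundll32.exe comsvcs.dll MiniDump 1234 dump.bin full", "T1003.001"),
]

def recall_at_k(eval_set, chunks, k=1):
    """Retrieval-quality check for this domain: fraction of patterns whose
    expected technique is in the top k, and the fraction when a hit on that
    technique's parent is also accepted (hierarchy roll-up)."""
    parent_of = {c["technique_id"]: c["parent_id"] for c in chunks}
    exact = rolled = 0
    for query, expected in eval_set:
        hits = search(query, chunks, k)
        if expected in hits:
            exact += 1
            rolled += 1
        elif parent_of.get(expected) in hits:
            rolled += 1
    return {"exact": exact / len(eval_set), "with_parent": rolled / len(eval_set)}

if __name__ == "__main__":
    chunks = build_chunks(TECHNIQUES)
    for k in (1, 3):
        print(f"recall@{k}:", recall_at_k(EVAL_SET, chunks, k))
```

With the constructed data, the comsvcs MiniDump pattern lands on the parent T1003 at k=1 rather than on T1003.001, so exact recall@1 is 0.75 while recall with parent roll-up is 1.0; at k=3 both are 1.0. That gap between exact and rolled-up recall is the number to watch when swapping in a real local embedding model: a model that gets the parent right but not the sub-technique may still be good enough for "which techniques does this log map to", and the metadata columns make that distinction measurable instead of a guess.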