Inspiration
We started from the everyday reality of SOC analysts drowning in noisy, incomplete alerts while still being expected to “never miss” a real incident. The challenge prompt about decision-making under uncertainty perfectly matched that pain point, so we set out to build a tool that doesn’t just add more dashboards, but actually helps analysts think more clearly. We were also inspired by how triage works in medicine: prioritize what is most critical, show why, and make the next step obvious.
What it does
SecuroServ ingests synthetic SOC alert data and turns it into a clear, ranked queue of what to investigate first, along with explanations of why each item matters. It groups related alerts into “stories” around users, hosts, or IPs and surfaces key signals like severity, confidence, external IPs, and unusual activity. For each story, SecuroServ shows a concise summary, a timeline of events, and suggested next investigative steps so an analyst can understand the context in seconds rather than minutes.
How we built it
We built SecuroServ as a full-stack web app using Node.js for the backend, React for the frontend, and MongoDB for persistence. On the backend, we parse the CSV alert data, normalize timestamps, and store enriched events and “stories” in MongoDB. The frontend React app connects to the backend API, visualizes the prioritized queue, and offers filters by time range, severity, source, and entity. We designed UI components around an analyst workflow: start with a ranked list, drill into a story, inspect the event timeline, and see suggested pivots (user, host, IP, domain).
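The pipeline described above (parse the CSV, normalize timestamps, group alerts into per-entity stories, rank them with a score whose reasons stay visible) in plain Node.js, as an added example. This is not SecuroServ's own code: the CSV columns, the scoring weights, the RFC 1918 check for "external IP" and the off-hours rule for "unusual activity" are all assumptions chosen for illustration, and the alert rows are constructed sample data, not the hackathon dataset.

```javascript
// Added example (not SecuroServ's own code): a minimal, transparent triage
// pipeline. Every scoring rule appends a reason string, so the analyst can
// see exactly why a story ranks where it does.

// Constructed sample alerts (not from the hackathon dataset). Timestamps mix
// the two formats we normalize below.
const SAMPLE_CSV = `timestamp,user,host,src_ip,severity,confidence,alert
2024-03-01 02:14:00,alice,ws-01,203.0.113.7,high,0.9,Suspicious login
2024-03-01T02:16:30Z,alice,ws-01,203.0.113.7,medium,0.7,New process
2024-03-01 10:05:00,bob,ws-02,10.0.0.5,low,0.4,Policy violation
2024-03-01 10:07:00,bob,ws-02,10.0.0.5,low,0.3,Policy violation`;

// Assumed severity scale; weights are illustrative.
const SEVERITY_WEIGHT = { low: 1, medium: 2, high: 3, critical: 4 };

// Naive CSV split (no quoted fields); adequate for the constructed sample.
function parseCsv(text) {
  const [header, ...rows] = text.trim().split('\n');
  const cols = header.split(',');
  return rows.map(line => {
    const cells = line.split(',');
    return Object.fromEntries(cols.map((c, i) => [c, cells[i]]));
  });
}

// Accept "YYYY-MM-DD HH:MM:SS" (assumed UTC) or ISO-8601; emit ISO-8601 UTC.
function normalizeTimestamp(raw) {
  const iso = /^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$/.test(raw)
    ? raw.replace(' ', 'T') + 'Z'
    : raw;
  const d = new Date(iso);
  if (Number.isNaN(d.getTime())) throw new Error(`bad timestamp: ${raw}`);
  return d.toISOString();
}

// RFC 1918 private ranges are internal; anything else counts as external.
function isExternalIp(ip) {
  const [a, b] = ip.split('.').map(Number);
  if (a === 10) return false;
  if (a === 172 && b >= 16 && b <= 31) return false;
  if (a === 192 && b === 168) return false;
  return true;
}

// Group alerts into stories keyed by one entity field (user, host or src_ip),
// with events in chronological order.
function buildStories(alerts, entityField) {
  const stories = new Map();
  for (const a of alerts) {
    const key = a[entityField];
    if (!stories.has(key)) stories.set(key, { entity: key, events: [] });
    stories.get(key).events.push({ ...a, timestamp: normalizeTimestamp(a.timestamp) });
  }
  for (const s of stories.values()) {
    s.events.sort((x, y) => x.timestamp.localeCompare(y.timestamp));
  }
  return [...stories.values()];
}

// Score a story; each rule records the reason it fired so the rank is explainable.
function scoreStory(story) {
  const reasons = [];
  let score = 0;
  const maxSev = Math.max(...story.events.map(e => SEVERITY_WEIGHT[e.severity] || 0));
  score += maxSev * 10;
  reasons.push(`max severity weight ${maxSev}`);
  const maxConf = Math.max(...story.events.map(e => Number(e.confidence)));
  score += Math.round(maxConf * 10);
  reasons.push(`max confidence ${maxConf}`);
  if (story.events.some(e => isExternalIp(e.src_ip))) {
    score += 15;
    reasons.push('external source IP');
  }
  // Assumed "unusual activity" signal: anything between 00:00 and 05:59 UTC.
  if (story.events.some(e => new Date(e.timestamp).getUTCHours() < 6)) {
    score += 10;
    reasons.push('off-hours activity');
  }
  if (story.events.length > 1) {
    score += 5;
    reasons.push(`${story.events.length} related alerts`);
  }
  return { ...story, score, reasons };
}

// Full pipeline: CSV text -> ranked queue of scored stories (highest first).
function rankQueue(csvText, entityField = 'user') {
  return buildStories(parseCsv(csvText), entityField)
    .map(scoreStory)
    .sort((a, b) => b.score - a.score);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of rankQueue(SAMPLE_CSV)) {
    console.log(`${s.entity}\t${s.score}\t${s.reasons.join('; ')}`);
  }
}
```

Running it prints alice first (69: high severity, external IP, off-hours, two related alerts) and bob second (19). Changing `entityField` to `host` or `src_ip` regroups the same events into host- or IP-centred stories, which is the "pivot" the UI offers; the reasons array is what an evidence panel would render.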
Challenges we ran into
One challenge was designing a triage score that feels helpful but not “magical” or opaque; we had to balance simplicity with usefulness. Another challenge was modeling relationships between alerts to form meaningful stories without overfitting to the sample data. On the frontend side, we needed to avoid overwhelming the analyst with too many charts or options while still exposing enough detail to support real decisions. Integrating the data model cleanly between Node.js, MongoDB, and React also required several iterations to keep queries efficient and the UI responsive.
Accomplishments that we're proud of
We are proud that SecuroServ produces an immediately understandable “what to look at first and why” view instead of just another table of alerts. The story-based grouping and evidence panels make the reasoning behind each priority visible, which aligns well with how real analysts explain their decisions. We also managed to ship a polished end-to-end stack (Node.js + React + MongoDB) within the hackathon timeframe, including a clean UI and a workflow that feels realistic rather than purely academic.
What we learned
We learned how important transparency is in security tooling: a slightly less “smart” system that clearly shows its signals and assumptions is often more valuable than a black-box model. From a technical side, we deepened our experience with building REST APIs in Node.js, designing React components around real user flows, and modeling event data in MongoDB for fast filtering and aggregation. We also learned a lot about handling noisy, incomplete datasets and representing uncertainty explicitly instead of hiding it.
What's next for SecuroServ
Next, we want to plug SecuroServ into live data sources and streaming pipelines so it can support near real-time triage, not just batch datasets. We’d also like to experiment with more advanced correlation logic and optional ML to suggest stories and summaries, while still grounding every insight in concrete events that the analyst can inspect. Finally, we plan to refine the UI with role-based views, better collaboration features (notes, assignments, status), and exportable incident reports so SecuroServ can fit directly into existing SOC workflows.