PROCSee

PROCSee turns your system into a crime scene — and autonomously investigates every process

Comment

Inspiration

Traditional security tools wait for threats—they poll, they alert, they react. They never ask, “What’s actually happening here?”

PROCSee was born from a simple question: what if a system could investigate itself, autonomously? Not just flag suspicious activity, not just log events, but actively reason about each process, decide what evidence matters, and follow the trail — without waiting for human analysts.

With Gemini 3 Pro, this became possible. Its 1M token context window, multi-turn reasoning, and dynamic thinking levels let PROCSee act like a real security analyst: maintaining investigative context, asking follow-up questions, and correlating evidence across the system — all automatically.

The goal isn’t just to detect fast malware. It’s to turn your system into its own crime scene investigator, watching every process, memory action, and system behavior, reconstructing what happened even after the traces vanish.

What it does

PROCSee is an autonomous security investigation system that detects and investigates suspicious processes in real-time using Gemini 3 Pro's advanced reasoning capabilities.

PROCSee doesn’t wait for alerts. It decides what to investigate. And when it sees something suspicious, it doesn’t just report it — it figures out why it’s suspicious, what other processes are involved, and what the threat tried to do.

Dual-Database Architecture for 100% Detection

  • Event-based monitoring captures ALL process creations with <10ms latency (even processes that live <1 second)
  • Raw events database stores complete forensic data for Gemini's autonomous queries
  • Summary database aggregates 1-minute intervals for pattern detection
  • No polling overhead, no missed detections

Gemini 3 Pro Autonomous Investigation

  • Gemini doesn't just analyze—it decides what additional data it needs and queries for it autonomously
  • Self-directed querying: QUERY_PROCESS, QUERY_TIMERANGE, QUERY_PATTERN, QUERY_NETWORK, QUERY_FILES
  • Multi-turn reasoning: Initial analysis → autonomous queries → re-analysis → confident verdict
  • Dynamic thinking levels: low for fast triage, high for deep forensic analysis
  • 1M token context maintains entire investigation history

Parallel Investigation Mechanisms

  1. Active Investigation: Behavior-triggered immediate response to suspicious processes
  2. Autonomous Monitoring: Every 60 seconds, Gemini analyzes system-wide patterns and autonomously queries for details

Behavior-Based Detection

  • 40+ MITRE ATT&CK command-line patterns (encoded PowerShell, credential access, persistence, LOLBins)
  • Parent-child relationship detection (browser spawning shells, Office apps executing scripts)
  • Network activity monitoring (high connection counts, external IPs)
  • System modification detection (registry changes, scheduled tasks)
  • Monitors ALL processes system-wide, focusing on behavior not location

Marathon Agent Capability

  • SQLite WAL mode for crash recovery
  • Automatic investigation resume after restart
  • State persistence at each phase transition
  • No data loss on unexpected shutdown

Interactive Dashboard

  • Real-time investigation tracking with WebSocket updates
  • Gemini conversation viewer showing autonomous queries in action
  • Detailed Markdown reports generated by Gemini (first-person investigation narratives)
  • Evidence timeline with integrity hashing
  • Configuration management with investigation profiles

How we built it

Backend (Python 3.10+)

  • FastAPI for REST API and WebSocket server
  • google-genai SDK (1.51.0+) with gemini-3-pro-preview model
  • WMI event-based monitoring for real-time process detection (pywin32)
  • psutil for cross-platform process information
  • SQLite with WAL mode for dual-database architecture
  • aiosqlite for async database operations

Gemini 3 Pro Integration

# Dynamic thinking levels for different analysis phases
thinking_config=types.ThinkingConfig(
    thinking_level="low",  # Fast triage
    include_thoughts=True
)

# Autonomous query protocol
response = await client.models.generate_content(
    model="gemini-3-pro-preview",
    contents=investigation_context,
    config=types.GenerateContentConfig(
        response_mime_type="application/json",
        temperature=1.0,
        thinking_config=thinking_config
    )
)

Autonomous Query System

  • Gemini specifies query action, parameters, and time ranges
  • Query handler executes against raw events database
  • Results fed back to Gemini for re-analysis
  • Complete audit trail in gemini_queries table

Frontend (React 18 + Vite)

  • Real-time dashboard with WebSocket integration
  • Markdown report viewer with syntax highlighting
  • Evidence timeline visualization
  • Gemini conversation display showing autonomous reasoning

Database Architecture

  • Raw events: Complete forensic data with size-based retention
  • Summaries: 1-minute aggregates for pattern detection
  • Investigations: State persistence with phase tracking
  • Gemini queries: Complete audit trail of autonomous queries

Development Process

  1. Built event-based monitoring with WMI for <10ms detection
  2. Designed dual-database architecture for forensic data + summaries
  3. Implemented autonomous query protocol for Gemini self-direction
  4. Created behavior-based detection engine (40+ MITRE patterns)
  5. Built investigation orchestrator with state persistence
  6. Developed React dashboard with real-time updates
  7. Integrated dynamic thinking levels for performance optimization
  8. Added detailed Markdown report generation by Gemini

Challenges we ran into

1. Database Locking with Concurrent Access SQLite's default configuration caused deadlocks when the agent wrote events while the API served queries. Solution: WAL mode, read-only connections for API queries (PRAGMA query_only = ON), separate read/write connections, and 60-second busy timeout.

2. Fast-Executing Processes Initial polling-based monitoring missed processes that executed and terminated in <1 second. Solution: WMI event-based monitoring with <10ms latency captures every process the moment it starts, even if it terminates immediately.

3. Context Window Management Feeding all raw events to Gemini exceeded token limits and was inefficient. Solution: Dual-database architecture—summaries for initial analysis, raw events available for autonomous queries only when Gemini needs specific details.

4. Balancing Speed vs. Reasoning Depth High thinking level for all analyses was too slow for real-time monitoring. Solution: Dynamic thinking levels—low for fast triage and interval summaries, high only for deep forensic analysis and report generation.

5. Gemini Uncertainty Handling Early versions had Gemini making confident assessments with incomplete data. Solution: Explicit confidence tracking, uncertainty fields in responses, and autonomous query system so Gemini can request missing data instead of guessing.

6. Investigation State Persistence Agent crashes lost investigation progress. Solution: Investigation snapshots at each phase transition, automatic resume on restart, and WAL mode for crash recovery.

7. Storage Management Unlimited raw event storage filled disk space quickly. Solution: Size-based retention with configurable limits, automatic cleanup of oldest data while protecting active investigations, and VACUUM after cleanup.

Accomplishments that we're proud of

100% Detection Rate with <10ms Latency Event-based monitoring catches every single process, even those that execute and terminate in less than 1 second. Traditional tools polling every 2-10 seconds miss these entirely.

True Autonomous Investigation Gemini doesn't just analyze provided data—it decides what questions to ask, executes queries autonomously, and iterates until reaching a confident verdict. This is self-directed AI investigation, not just pattern matching.

Dual-Database Architecture The separation of raw forensic data and aggregated summaries is elegant: Gemini analyzes patterns in summaries, then autonomously queries raw data for details. This keeps context focused while maintaining complete forensic capability.

Dynamic Thinking Levels Using thinking_level="low" for triage and thinking_level="high" for deep analysis optimizes the speed/reasoning tradeoff. Fast enough for real-time monitoring, deep enough for comprehensive forensics.

Marathon Agent Capability State persistence with automatic resume means investigations survive crashes and restarts. No data loss, no manual intervention required.

Behavior-Based Detection 40+ MITRE ATT&CK patterns implemented in the trigger engine. Focuses on what processes do (command-line patterns, parent-child relationships, network activity) rather than where they're located.

First-Person Investigation Reports Gemini generates detailed Markdown reports written in first person, explaining its investigation process, reasoning, and findings. These read like reports from a human analyst.

Complete Audit Trail Every autonomous query Gemini executes is logged with parameters, results, and timestamps. Full forensic timeline reconstruction and investigation replay capability.

What we learned

Gemini 3 Pro's Reasoning Capabilities Are Exceptional The multi-turn reasoning with autonomous querying exceeded our expectations. Gemini genuinely investigates—it doesn't just classify, it explores, questions, and iterates until confident.

Dynamic Thinking Levels Are Critical for Production Using thinking_level="low" for triage reduced analysis time from 8-12 seconds to 2-4 seconds while maintaining accuracy. High thinking level reserved for deep analysis provides the reasoning depth when needed.

1M Token Context Window Enables Stateful Investigation Maintaining entire investigation history in context (evidence, queries, findings) allows Gemini to build on previous analysis and recognize patterns across time. This is transformative for security analysis.

Event-Based Monitoring Is Non-Negotiable Polling-based monitoring fundamentally cannot detect fast-executing processes. WMI event callbacks with <10ms latency are the only way to achieve 100% detection.

Dual-Database Architecture Solves Context Management Separating summaries (for pattern detection) from raw events (for detailed queries) keeps Gemini's context focused while maintaining complete forensic data availability.

Confidence Tracking Prevents False Confidence Explicitly requiring Gemini to state confidence scores and uncertainties prevents overconfident assessments with incomplete data. The autonomous query system lets Gemini fill knowledge gaps instead of guessing.

SQLite WAL Mode Is Essential for Concurrent Access Default SQLite configuration causes deadlocks with concurrent reads/writes. WAL mode, read-only connections, and proper busy timeouts enable production-grade concurrent access.

Behavior-Based Detection Scales Better Than Signatures Focusing on process behavior (command-line patterns, parent-child relationships, network activity) catches novel threats that signature-based detection misses.

What's next for PROCSee

Cross-Platform Support

  • Linux and macOS monitoring using platform-specific event systems
  • Unified behavior detection across operating systems
  • Cloud deployment for multi-host monitoring

Threat Intelligence Integration

  • Autonomous querying of VirusTotal, AlienVault OTX, MISP
  • Gemini correlates local findings with global threat intelligence
  • IOC enrichment and attribution

Active Response Capabilities

  • Process suspension, network isolation, file quarantine
  • Gemini-recommended response actions with confidence scores
  • Automatic rollback for false positives
  • Human-in-the-loop confirmation for critical actions
  • Active Files Investigations

Collaborative Investigation

  • Multi-analyst workspace with shared investigations
  • Gemini as collaborative partner, not replacement
  • Investigation handoff and escalation workflows
  • Analyst feedback loop for continuous improvement

Advanced Memory Analysis

  • Memory dump collection for suspicious processes
  • Gemini analysis of memory artifacts (injected code, hooks, shellcode)
  • Malware family identification and attribution

Threat Hunting Mode

  • Hypothesis-driven investigation with Gemini
  • Historical data analysis for IOC sweeps
  • Behavioral baseline establishment and anomaly detection
  • Proactive threat discovery

Enterprise Features

  • Multi-tenant architecture for MSPs
  • Role-based access control and audit logging
  • SIEM integration (Splunk, Elastic, Sentinel)
  • Compliance reporting (SOC 2, ISO 27001)

Performance Optimization

  • Distributed architecture for high-volume environments
  • Query result caching for common patterns
  • Batch processing for historical analysis
  • GPU acceleration for pattern matching

Gemini Upcoming Versions Integration

  • Leverage next-generation reasoning capabilities
  • Extended context windows for long-term pattern recognition
  • Multimodal analysis (screenshots, network traffic visualization)
  • Enhanced autonomous investigation with deeper reasoning

PROCSee demonstrates that Gemini 3 Pro isn't just an AI model—it's an autonomous security analyst that investigates, questions, and reasons its way to confident verdicts. This is the future of AI-driven security operations.

Built With

Share this project:

Updates