SOCrates

Created by team git happens on May 08, 2026
AI Agents & Agentic Workflows (Best Track for Beginners) · Hugging Face · Qwen

The problem: A new CVE drops every 19 minutes. A senior SOC analyst spends two-plus hours triaging a single critical vulnerability: pulling NVD data, cross-referencing CISA's Known Exploited Vulnerabilities catalog, mapping the kill chain to MITRE ATT&CK, drafting a Sigma detection rule, prioritizing remediation. By the time the report is written, three more zero-days have dropped. This is how SOC analysts burn out in 18 months.

The solution: SOCrates is a multi-agent autonomous SOC analyst. You give it a CVE ID. Three specialized AI agents (orchestrated by CrewAI, running on a single AMD Instinct MI300X) produce a full incident response report in under a minute.

- Scout (Llama 3.3 70B) fetches live threat intelligence from the NVD API, checks CISA KEV for active exploitation, and pulls vendor advisory excerpts from Fortinet, Palo Alto, MSRC, and others.
- Adversary (Llama 3.3 70B) simulates the full six-phase kill chain, names the real offensive tools an attacker would use (Sliver, Cobalt Strike, Mimikatz), maps the threat to documented APT groups via MITRE ATT&CK Group profiles, and reasons about CVE chaining.
- Coroner (Qwen 2.5 72B) synthesizes everything into a MITRE ATT&CK–mapped report with a sigma-cli–validated Sigma rule and effort-labeled remediation steps.

Target audience: Enterprise SOC teams, MSSPs, security engineers, and CISOs who need to triage CVEs faster without sending sensitive threat intel to external APIs.

What's unique: All three 70B-class models live in 192GB of VRAM simultaneously: no model swapping, no cloud round-trips, no per-token billing. SOCrates is on-premises and air-gapped deployable, which is what enterprise security actually requires. Threat intel never leaves your network.

Built in 8 days as a solo dev on $100 of AMD Developer Cloud credits (thank you!!) and with an AI coding assistant :)

Stack: CrewAI, Llama 3.3 70B, Qwen 2.5 72B, Ollama, Gradio, NVD API, CISA KEV, MITRE ATT&CK v16, AMD Instinct MI300X.
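The Scout step described above boils down to two lookups: the NVD record for the CVE (CVSS score, vector, severity) and whether CISA KEV lists it as actively exploited, with KEV presence driving the remediation priority. The following is an added example of that plumbing, not SOCrates project code. It embeds a constructed NVD 2.0 API response and a constructed KEV catalogue excerpt inline so it runs offline; the field names follow the public NVD 2.0 and CISA KEV JSON shapes, the CVE ID is a placeholder rather than a real vulnerability, and the P1..P4 scale and its thresholds are this example's own assumptions.

```python
import json
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed NVD 2.0 API response for a placeholder CVE ID (not a real CVE).
NVD_RESPONSE = json.dumps({
    "totalResults": 1,
    "vulnerabilities": [{"cve": {
        "id": "CVE-0000-00001",
        "published": "2026-05-01T10:00:00.000",
        "descriptions": [{"lang": "en", "value": "Constructed sample: unauthenticated RCE in a VPN appliance."}],
        "metrics": {"cvssMetricV31": [{
            "source": "nvd@nist.gov", "type": "Primary",
            "cvssData": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL",
                         "attackVector": "NETWORK", "privilegesRequired": "NONE", "userInteraction": "NONE"},
        }]},
        "references": [{"url": "https://vendor.example/advisory/placeholder", "source": "vendor"}],
    }}],
})

# Constructed CISA KEV catalogue excerpt in the public JSON feed's shape.
KEV_CATALOG = json.dumps({
    "title": "Known Exploited Vulnerabilities (constructed excerpt)",
    "catalogVersion": "0000.00.00",
    "count": 1,
    "vulnerabilities": [{
        "cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "Example VPN",
        "vulnerabilityName": "Example VPN RCE (constructed)", "dateAdded": "2026-05-03",
        "shortDescription": "Constructed sample entry.",
        "requiredAction": "Apply mitigations per vendor instructions.",
        "dueDate": "2026-05-24", "knownRansomwareCampaignUse": "Known",
    }],
})


@dataclass
class Triage:
    cve_id: str
    base_score: Optional[float]
    severity: str
    attack_vector: str
    in_kev: bool
    ransomware_use: bool
    kev_due_date: Optional[str]
    priority: str  # P1..P4, this example's own scale


def parse_nvd(raw: str, cve_id: str) -> dict:
    """Return the NVD 'cve' object for cve_id, or raise if the response lacks it."""
    for item in json.loads(raw).get("vulnerabilities", []):
        cve = item.get("cve", {})
        if cve.get("id") == cve_id:
            return cve
    raise LookupError(f"{cve_id} not present in NVD response")


def cvss_summary(cve: dict) -> Tuple[Optional[float], str, str]:
    """Prefer the Primary CVSS v3.1 metric, then v3.0, then v2 (whose vector key differs)."""
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        entries = metrics.get(key) or []
        chosen = [m for m in entries if m.get("type") == "Primary"] or entries
        if chosen:
            data = chosen[0]["cvssData"]
            # v2 entries carry baseSeverity on the metric entry, not inside cvssData
            severity = data.get("baseSeverity") or chosen[0].get("baseSeverity", "UNKNOWN")
            vector = data.get("attackVector") or data.get("accessVector", "UNKNOWN")
            return data.get("baseScore"), severity, vector
    return None, "UNKNOWN", "UNKNOWN"


def kev_entry(raw: str, cve_id: str) -> Optional[dict]:
    """Look up cve_id in the KEV feed; note the feed keys on 'cveID', not 'id'."""
    for v in json.loads(raw).get("vulnerabilities", []):
        if v.get("cveID") == cve_id:
            return v
    return None


def prioritize(score: Optional[float], in_kev: bool, ransomware: bool, vector: str) -> str:
    """This example's own rule: confirmed exploitation (KEV) outranks raw CVSS,
    because it is the stronger signal for remediation ordering."""
    if in_kev and (ransomware or vector == "NETWORK"):
        return "P1"
    if in_kev or (score is not None and score >= 9.0):
        return "P2"
    if score is not None and score >= 7.0:
        return "P3"
    return "P4"


def triage(cve_id: str, nvd_raw: str = NVD_RESPONSE, kev_raw: str = KEV_CATALOG) -> Triage:
    """Combine the NVD record and KEV status for one CVE into a triage verdict."""
    score, severity, vector = cvss_summary(parse_nvd(nvd_raw, cve_id))
    kev = kev_entry(kev_raw, cve_id)
    ransomware = kev is not None and kev.get("knownRansomwareCampaignUse") == "Known"
    return Triage(cve_id, score, severity, vector, kev is not None, ransomware,
                  kev.get("dueDate") if kev else None,
                  prioritize(score, kev is not None, ransomware, vector))


if __name__ == "__main__":
    print(triage("CVE-0000-00001"))
```

In a live deployment the two raw strings would come from the NVD API and the KEV JSON feed; keeping the parsing separate from the fetch is what lets the same logic run unchanged in an air-gapped setup fed from mirrored copies.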
