Learn SOC with AI
A project by IES Rafael Alberti · CIFP N.º 1 Cuenca · Aktios
A real Security Operations Center deployed at the school with professional, open-source tools on top of Proxmox, plus an AI layer that helps teachers build cases and students learn to solve them.
A real SOC, not a simulator.
AI applied with purpose, not a generic chatbot.
An open source and reproducible project.
— Infrastructure
Two layers, one project
01 · A real SOC on Proxmox
- Wazuh (SIEM · EDR): Collects, correlates and alerts on security events.
- Malcolm (Traffic analysis): Indexes pcaps and answers queries.
- Velociraptor (DFIR): Endpoint forensics, collecting artefacts.
- OPNsense (Firewall): Blocking rules applied on real traffic.
- And more (Full stack): TheHive, T-Pot, vulnerable machines…
02 · Two extensions, one panel
For teachers
MENTORA
A browser extension that records the teacher solving a case (screen, voice and actions). Outputs a PDF guide and a case file ready to load in SOCIA.
MENTORA
Recording
The session is being captured.
SOCIA
Case in progress
SSH brute force from 185.220.101.4
- Open the alert in Wazuh
- Find the source IP in the logs
- Inspect the traffic in Malcolm
- Block the IP in OPNsense
- Close the case with a report
— Hint 3
The outbound traffic is UDP, so filter by port in Malcolm before going further.
For students
SOCIA
A browser extension that loads the case, follows the student, hands out hints with a small LLM, and emits a final PDF evaluation. Runs with or without a server.
— Teacher panel
SOCIA Server
The extensions are coordinated through a web panel deployed as a Docker container at the school: classes, cases, live dashboard and evaluations.
Live
SSH brute force from 185.220.101.4
Per-student progress
- Lucía Domínguez: Step 3 of 5 · Inspecting Malcolm
- Marcos Hernández: Finished · 5 of 5
- Sara Quintero: Stuck · no progress for 4 min
- Iván Cabrera: Step 2 of 5 · Searching IP in logs
— In class
A session, end to end
We design every step around teachers and students alike.
- 01 · Spin up the server: The teacher starts the application container and gets access to the web panel.
- 02 · Create the class: A name, optionally an allowed email domain. The system produces a short code and a QR.
- 03 · QR onboarding: Students scan the QR with the instructions. They identify by email or free-form name.
- 04 · Launch the case: A single button fires the assigned incident for the whole class. Progress is watched live, step by step.
- 05 · Evaluate on close: When the student finishes, a PDF is produced with path, hits, deviations and a reasoned grade.
— Who
Three teams, one project
SOCIA is a three-way collaboration between two public vocational training schools and a cybersecurity company. Each side brings something the others cannot: pedagogy, scale and industry experience.
- IES Rafael Alberti (Cybersecurity F. P.): Coordinates the project and builds the AI layer: the MENTORA and SOCIA browser extensions, the teacher panel and the pedagogical integration with the cybersecurity curriculum.
- CIFP N.º 1 Cuenca (Cybersecurity F. P.): Validates the infrastructure and the AI layer in their own classroom. Documents the deployment so any other school can reproduce it.
- Aktios Security Services (Cybersecurity company): Designs, installs and configures the SOC infrastructure: the Proxmox server and the professional stack, and contributes real-world cases.
— Funding
F. P. Innovation — 2023 call
Funded by the Spanish Ministry of Education, Vocational Training and Sports, under the Recovery, Transformation and Resilience Plan.

