SEIS 666 -- Class Project Submission
Track A: Knowledge Graph + AI System
University of St. Thomas | Spring 2026 | Instructor: Daniel Yarmoluk
Project
Nexus SecOps -- The Definitive Cybersecurity Operations Encyclopedia
| Live Site | nexus-secops.pages.dev |
| GitHub | github.com/SpaceCadet019/nexus-secops |
| Stack | MkDocs Material 9.7 + custom CSS/JS, deployed on Cloudflare Pages |
| Cost | $0 -- entirely free-tier infrastructure |
Domain Rationale
Cybersecurity operations is a domain with deep, interconnected concepts where prerequisite ordering is critical. You cannot learn Detection Engineering without first understanding SIEM fundamentals, log sources, and TTPs. You cannot perform Threat Hunting without first mastering Detection Engineering, Threat Intelligence, and data analysis.
This makes cybersecurity a perfect domain for knowledge graphs. The 448 concepts in Nexus SecOps have 620 directed prerequisite relationships across 10 taxonomy categories. These relationships are not optional metadata -- they are the structural backbone that determines learning effectiveness.
Who Would Pay for This?
| Audience | Value Proposition |
|---|---|
| CISOs building SOC training programs | Structured prerequisite chains eliminate guesswork in curriculum design. A CISO can generate a learning path from "analyst hire" to "threat hunter" with every prerequisite mapped. |
| Universities offering cybersecurity courses | 448 concepts with validated prerequisite ordering, ready to import into course design tools. Covers CompTIA CySA+, GIAC GCIH, and GIAC GCFA certification domains. |
| Individuals preparing for certifications | The Adaptive Path Generator creates personalized study plans based on current knowledge, using topological sort over the prerequisite graph. |
| SOC managers | Skills gap analysis: map a team's current capabilities against the graph to identify missing competencies and training priorities. |
Knowledge Graph Schema
The knowledge graph contains 448 nodes (cybersecurity concepts, IDs C001--C448) connected by 620 directed edges (prerequisite relationships) across 10 taxonomy categories.
| Element | Schema | Example |
|---|---|---|
| Node | {id, label, group, shape, title, url} | {id: "C024", label: "Detection Engineering", group: "T03", shape: "ellipse", ...} |
| Edge | {from, to} (directed: from is prerequisite of to) | {from: "C005", to: "C024"} -- "Log Sources" is prerequisite of "Detection Engineering" |
| Shape | box = foundation, ellipse = intermediate, star = goal | Foundations have no prerequisites; goals require many |
Storage format: JSON (vis.js compatible) with CSV interchange files for bulk analysis.
Interactive viewer: Knowledge Graph Viewer -- click any node to see its prerequisites, dependents, and linked chapters.
For full schema documentation including validation rules, see AI Architecture.
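A pre-load integrity check built only from the schema stated above (the C-ID format, the three shapes, directed edges, foundations having no prerequisites), given as an added example; it is not the project's code and not its own documented validation rules. The names `validate_graph` and `SAMPLE` and the sample graph are constructed for illustration. Because node data is later injected into LLM prompts, rejecting malformed IDs and dangling edges before use keeps unexpected text out of that path.

```python
import re

ID_RE = re.compile(r"C\d{3}")            # the page gives IDs as C001--C448
SHAPES = ("box", "ellipse", "star")      # foundation / intermediate / goal

def validate_graph(graph):
    """Return a list of problems; an empty list means every check passed."""
    problems, shape_of = [], {}
    for node in graph.get("nodes", []):
        nid, shape = node.get("id"), node.get("shape")
        # fullmatch, not match: "C024\n" must not pass as "C024"
        if not isinstance(nid, str) or not ID_RE.fullmatch(nid):
            problems.append(f"bad node id: {nid!r}")
            continue
        if nid in shape_of:
            problems.append(f"duplicate node id: {nid}")
        if shape not in SHAPES:
            problems.append(f"{nid}: unknown shape {shape!r}")
        shape_of[nid] = shape
    has_prereq = set()
    for edge in graph.get("edges", []):
        src, dst = edge.get("from"), edge.get("to")
        known = all(isinstance(e, str) and e in shape_of for e in (src, dst))
        if not known:
            problems.append(f"dangling edge: {src!r} -> {dst!r}")
        elif src == dst:
            problems.append(f"self-loop on {src}")
        else:
            has_prereq.add(dst)
    for nid in sorted(has_prereq):
        if shape_of[nid] == "box":
            problems.append(f"{nid}: foundation (box) node has a prerequisite")
    return problems

# Constructed sample: the first two nodes and the first edge follow the page's
# examples; the remaining entries are deliberately broken.
SAMPLE = {
    "nodes": [
        {"id": "C005", "label": "Log Sources", "shape": "box"},
        {"id": "C024", "label": "Detection Engineering", "shape": "ellipse"},
        {"id": "C024\n", "label": "trailing newline in id", "shape": "star"},
    ],
    "edges": [
        {"from": "C005", "to": "C024"},
        {"from": "C024", "to": "C005"},   # gives a foundation a prerequisite
        {"from": "C005", "to": "C999"},   # target node does not exist
    ],
}
```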
How AI Consumes the Graph
The Nexus Brain (autonomous agent) consumes the knowledge graph in multiple phases of its cognitive cycle:
- PERCEIVE phase: Loads the full graph from graph.json. Counts nodes per category, identifies isolated or weakly-connected subgraphs, measures graph density.
- ANALYZE phase: Traverses prerequisite chains to perform content gap analysis. For each concept node, checks whether the linked chapter has adequate depth. A concept with 5 prerequisites but only a paragraph of coverage is flagged as a gap.
- REASON phase: Injects relevant subgraph context into LLM prompts. When the Brain is generating content about Cloud Container Security (C245), the prompt includes the full prerequisite chain:
  This gives the LLM structural awareness -- it knows what concepts the reader has already learned and what to reference.
- Adaptive Path Generator: Uses topological sort over the prerequisite DAG to generate personalized learning paths. Given a target concept and a set of "already known" concepts, it computes the minimal prerequisite chain. Available at Path Generator.
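The path computation described in the last item, as an added example rather than the project's own implementation: it walks back from the target, stops at known concepts, and orders the remainder with Kahn's algorithm, failing closed if the graph contains a cycle. It assumes a known concept implies its prerequisites are known; `learning_path` and the sample edges are constructed (only C005 -> C024 comes from the page, and C900/C901 are placeholder IDs).

```python
from collections import deque

def learning_path(edges, target, known=()):
    """Order the concepts still needed to reach `target`, prerequisites first."""
    prereqs = {}                                  # concept -> direct prerequisites
    for e in edges:
        prereqs.setdefault(e["to"], set()).add(e["from"])
    known = set(known)
    if target in known:
        return []
    # Walk backwards from the target, pruning at already-known concepts.
    needed, stack = {target}, [target]
    while stack:
        for p in prereqs.get(stack.pop(), ()):
            if p not in known and p not in needed:
                needed.add(p)
                stack.append(p)
    # Kahn's algorithm on the subgraph induced by `needed`.
    indeg = {n: sum(p in needed for p in prereqs.get(n, ())) for n in needed}
    dependents = {n: [] for n in needed}
    for n in needed:
        for p in prereqs.get(n, ()):
            if p in needed:
                dependents[p].append(n)
    ready = deque(sorted(n for n in needed if indeg[n] == 0))
    order = []
    while ready:
        n = ready.popleft()
        order.append(n)
        for d in sorted(dependents[n]):
            indeg[d] -= 1
            if indeg[d] == 0:
                ready.append(d)
    if len(order) != len(needed):                 # leftovers sit on a cycle
        stuck = ", ".join(sorted(needed - set(order)))
        raise ValueError("prerequisite cycle among: " + stuck)
    return order

# Constructed edges; only C005 -> C024 is taken from the page.
SAMPLE_EDGES = [
    {"from": "C005", "to": "C024"},
    {"from": "C005", "to": "C018"},
    {"from": "C018", "to": "C024"},
    {"from": "C024", "to": "C901"},   # C901: placeholder goal concept
    {"from": "C900", "to": "C901"},   # C900: placeholder prerequisite
]
```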
GraphRAG: Before and After
The GraphRAG demo shows the same cybersecurity questions answered with and without graph context. Key patterns:
| Aspect | Without Graph | With Graph |
|---|---|---|
| Ordering | Flat bulleted lists, no dependency structure | Layered by prerequisite depth, explicit ordering |
| Specificity | Generic advice ("learn networking") | Specific concept references with C-IDs ("start with C005 Log Sources, then C018 SIEM Correlation") |
| Completeness | Misses non-obvious prerequisites | Traverses full prerequisite chain, surfaces indirect dependencies |
| Actionability | Vague study recommendations | Concrete learning paths with chapter links |
The delta is most dramatic for ordering questions -- "What should I learn before threat hunting?" -- where prerequisite chains matter most.
How AI Was Used to Build This
Claude Code (Primary Development Tool)
All content and infrastructure was built across 17 iterative development sessions using Claude Code. Each session followed a structured protocol defined in CLAUDE.md:
- Read priorities from NEXT_SESSION.md
- Stabilize: mkdocs build --strict must pass
- Grow: execute scored priorities
- Update all state files and push
Claude Code authored all 50 chapters, 40 MicroSims, 26 labs, 56 attack scenarios, 150 purple team exercises, the gamification engine, the knowledge graph, CI/CD pipelines, and the custom dark-first theme.
Nexus Brain (Autonomous Agent)
The Brain runs Monday and Thursday via GitHub Actions, executing a 10-phase cognitive cycle (see AI Architecture for details):
```mermaid
graph LR
    P[PERCEIVE] --> RC[RECALL]
    RC --> A[ANALYZE]
    A --> R[REASON]
    R --> CR[CRITIQUE]
    CR --> RF[REFINE]
    RF --> ACT[ACT]
    ACT --> E[EVALUATE]
    E --> L[LEARN]
    L --> RM[REMEMBER]
    RM -.->|next cycle| P
```

The Brain autonomously generates threat intelligence blog posts, detection rules, attack scenarios, and content updates -- all validated through CI quality gates before merging.
Multi-LLM Routing
The Brain routes LLM requests across 4 free-tier providers using an epsilon-greedy multi-armed bandit:
| Provider | Model | Role |
|---|---|---|
| Mistral | Mistral Small | Primary reasoning |
| | Gemini 2.0 Flash | Fast analysis |
| Groq | Llama 3.3 70B | Low-latency critique |
| Cohere | Command R+ | Structured output |
Total infrastructure cost: $0. Every component runs on free tiers.
Content Scale
| Category | Count | Description |
|---|---|---|
| Chapters | 50 | Parts I--VII covering foundations through adversarial AI |
| Labs | 26 | Hands-on exercises with synthetic data |
| MicroSims | 40 | Interactive HTML simulations (browser-based) |
| Attack Scenarios | 56 | SC-009 through SC-064, narrative threat simulations |
| Purple Team Exercises | 150 | PT-001 through PT-150, red+blue team drills |
| CTF Challenges | 25 | Capture-the-flag style exercises |
| Quizzes | 50 | One per chapter, auto-graded |
| Exam Simulator | 100Q | 38-domain certification prep simulator |
| Benchmark Controls | 300+ | 79 AI-specific controls |
| Knowledge Graph Concepts | 448 | Nodes with taxonomy classification |
| Prerequisite Edges | 620 | Directed prerequisite relationships |
| GitHub Actions Workflows | 10 | Brain, CI, auto-merge, content freshness, etc. |
| Interactive Tools | 17 | IR Tabletop Generator, Attack Sim Terminal, Detection Query Browser, etc. |
| IR Playbooks | 10 | Incident response runbooks with decision trees |
| Blog Posts | 13 | Threat intelligence articles |
10-Minute Demo Script
| Time | Action |
|---|---|
| 0:00--1:00 | Open nexus-secops.pages.dev. Show the hero section and stat cards (50 chapters, 300+ controls, 40 sims, etc.). Point out the dark-first theme and responsive design. |
| 1:00--3:00 | Navigate to the Knowledge Graph Viewer (Learn > Learning Graph > Graph Viewer). Show the 448-node graph with color-coded taxonomy categories. Click a concept node (e.g., "Detection Engineering") to show its prerequisites panel and linked chapter. Zoom into a cluster to show the prerequisite chain structure. |
| 3:00--5:30 | Open the GraphRAG demo results. Walk through Question 1: "What are the prerequisites for Detection Engineering?" Compare the "Without Graph" response (generic flat list) vs. the "With Graph" response (specific C-ID references, layered by prerequisite depth, with chapter links). Highlight how the same LLM produces dramatically different quality with structured context. |
| 5:30--7:30 | Switch to GitHub. Open docs/ai-architecture.md and show the 10-phase Brain cycle Mermaid diagram. Explain PERCEIVE through REMEMBER. Show the multi-LLM router table. Open a Brain-generated PR to show an example of autonomous content creation with reasoning trace in the PR description. |
| 7:30--9:00 | Live demo: Run python scripts/graph_rag_demo.py --question "What should I learn before threat hunting?" in a terminal. Show the real-time output: first the response without graph context, then the response with graph context injected. Point out the structural difference in output quality. |
| 9:00--10:00 | Summary: "Structure beats prompts. The same LLM with structured knowledge graph context produces dramatically better answers than raw prompting. Nexus SecOps demonstrates this at scale -- 448 concepts, 620 prerequisite edges, consumed by an autonomous AI agent that maintains and grows the site without human intervention." |
Rubric Alignment
| Criteria | What Nexus SecOps Delivers |
|---|---|
| Domain selection and justification | Cybersecurity operations: 448 concepts with natural prerequisite ordering. The domain's interconnected structure makes knowledge graphs essential, not optional. Detailed rationale with 4 paying audience segments. |
| Knowledge graph design | 448 nodes, 620 edges, 10 taxonomy categories, 3 shape types, 6 validation rules. Stored as vis.js-compatible JSON with CSV interchange. Interactive viewer with click-to-explore navigation. |
| AI integration with graph | Three-layer architecture: Knowledge Graph + Nexus Brain (10-phase autonomous agent) + GraphRAG. The Brain consumes the graph for content gap analysis, prerequisite chain traversal, and context injection into LLM prompts. |
| Before/after demonstration | GraphRAG demo with 5 cybersecurity questions. Without graph: flat, generic lists. With graph: specific C-ID references, prerequisite-ordered, with chapter links. Delta is measurable and dramatic. |
| Technical implementation | Full-stack: MkDocs Material site, 10 GitHub Actions workflows, epsilon-greedy multi-LLM router, CI quality gates, autonomous PR generation and merging. All free-tier, $0 cost. |
| Scale and depth | 50 chapters, 26 labs, 40 simulations, 56 scenarios, 150 exercises, 25 CTF challenges, 100Q exam, 300+ controls, 17 interactive tools. This is not a demo -- it is a production reference. |
| Presentation quality | Live site at nexus-secops.pages.dev with dark-first theme, responsive design, gamification (XP, streaks, achievements), PWA offline support, keyboard shortcuts, and command palette. |
| Documentation | CLAUDE.md (project protocol), AI Architecture doc (system design), EVOLUTION_LOG.md (17 sessions of iterative development), CONTRIBUTING.md (community contribution guide). |