PRISM
Decomposing threats. Composing clarity.
| Project Name | PRISM |
|---|---|
| Type | AI Exploration — Concept Prototype |
| Product Owner | Wen Liu |
| Tech Stack | Next.js 16 + React 19 + Tailwind CSS v4 (Single-file interactive prototype) |
| Current Version | v1.0 |
| Doc Status | v1.0 |
| Live Demo | wensproject.com/ai-explorations/prism-demo |
Version History
| Version | Date | Changes | Author |
|---|---|---|---|
| v1.0 | 2026-03-28 | Initial version: full PRD | Wen Liu |
1. Background & Problem
Current Problems
- SOC analysts face fragmented alert data without a unified threat context view
- MITRE ATT&CK framework is industry standard, but its mapping in actual tools is often unintuitive
- Threat response typically requires switching between multiple tools, increasing MTTR
- 40% of operators abandon triage because raw ML outputs are incomprehensible
Design Opportunity
- Visualize MITRE ATT&CK technique mapping as an intuitive interactive dashboard
- Create an end-to-end SOC workflow: Detect → Investigate → Respond → Verify
- Demonstrate AI explainability design applied to cybersecurity
2. Goals & Metrics
| Goal Type | Description | Metric | Target |
|---|---|---|---|
| Efficiency | Unify alert → investigate → respond in one interface | Tool-switching count | 5+ → 1 |
| Comprehension | ML scores → readable risk summaries | Triage abandonment | 40% → <10% |
| Speed | Automated response execution | MTTR | -60% |
| Portfolio | Security + AI design capability | Interview impact | — |
3. Users & Scenarios
Target User Persona
| Attribute | Description |
|---|---|
| Role | SOC Analyst (Tier 1-2) |
| Environment | SOC, 24/7 shift rotation |
| Pain Points | Alert fatigue, tool-switching, unexplainable ML |
| Goals | Fast triage, accurate response, reduced MTTR |
User Journey Map
1. Dashboard Overview
| Touchpoint | PRISM main dashboard |
|---|---|
| Action | View active incidents, severity, MITRE tags |
| Emotion | Alert — scanning highest priority |
2. Incident Detail + ATT&CK Map
| Touchpoint | Incident detail → ATT&CK matrix |
|---|---|
| Action | View attack chain, affected assets, timeline |
| Emotion | Focused — understanding attack path |
3. Automated Response
| Touchpoint | Response panel — auto-execution + progress |
|---|---|
| Action | Confirm → auto-execute isolate endpoints / reset credentials / block IPs / notify team |
| Emotion | Trust — step-by-step visibility |
4. Summary + Dashboard Update
| Touchpoint | Summary → dashboard update |
|---|---|
| Action | Review actions, confirm status change |
| Emotion | Satisfied — contained and updated |
4. Feature List
| Module | Feature | Priority | Status |
|---|---|---|---|
| Dashboard | Active incident list (severity + MITRE + status) | P0 | v1.0 ✅ |
| Dashboard | Incident stats overview | P0 | v1.0 ✅ |
| Incident Detail | Attack chain + timeline | P0 | v1.0 ✅ |
| ATT&CK Map | ATT&CK matrix interactive view | P0 | v1.0 ✅ |
| Response | Auto-response + progress animation | P0 | v1.0 ✅ |
| Summary | Response summary report | P0 | v1.0 ✅ |
| Dashboard | Real-time status update | P0 | v1.0 ✅ |
| Navigation | 6-screen interactive navigation | P0 | v1.0 ✅ |
| AI Triage | ML score explainability | P1 | v2 |
| Collaboration | Collaborative triage + handoff | P2 | Planned |
5. Detailed Design
5.1 Dashboard
Interaction Flow
```mermaid
flowchart TD
A[Dashboard loads] --> B[Display incident stats bar]
B --> C[Render incident list sorted by severity]
C --> D{User clicks incident row}
D --> E[Navigate to Incident Detail]
C --> F[MITRE tags shown inline per incident]
C --> G[Status badges: Open / Investigating / Contained]
```
Rules
- Sorted by severity: Critical → High → Medium → Low
- Each row: ID, title, severity, status, MITRE tags, user, devices, time
- Stats bar shows per-severity counts
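The dashboard rules above (severity order, row fields, per-severity counts) together with the status change to Contained that ends the section 6 workflow, as an added TypeScript example. This is not PRISM project code; the `Incident` shape is assumed from the row fields listed in the rules, and the four incidents are constructed demo data.

```typescript
// Added example, not PRISM project code: dashboard ordering and stats from
// section 5.1 plus the "Contained" status update from the section 6 flow.
// Incident shape assumed from the row fields; sample incidents are constructed.

type Severity = "Critical" | "High" | "Medium" | "Low";
type Status = "Open" | "Investigating" | "Contained";

interface Incident {
  id: string;
  title: string;
  severity: Severity;
  status: Status;
  mitre: string[];   // ATT&CK technique IDs shown as inline tags
  user: string;
  devices: string[];
  time: string;      // ISO 8601 timestamp of the triggering alert
}

// Rank table drives the sort: lower rank sits higher on the list.
const SEVERITY_RANK: Record<Severity, number> = { Critical: 0, High: 1, Medium: 2, Low: 3 };

// Severity first, newest alert first within a severity. Copies the array so
// the caller's (React) state is never mutated in place.
function sortIncidents(list: Incident[]): Incident[] {
  return [...list].sort(
    (a, b) =>
      SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity] ||
      Date.parse(b.time) - Date.parse(a.time),
  );
}

// Stats bar: every severity gets a count, including zero, so the bar never
// has a missing slot when a severity is absent from the list.
function severityCounts(list: Incident[]): Record<Severity, number> {
  const counts: Record<Severity, number> = { Critical: 0, High: 0, Medium: 0, Low: 0 };
  for (const inc of list) counts[inc.severity]++;
  return counts;
}

// Real-time status update after the response summary: the incident's badge
// becomes Contained. Already-contained incidents and unknown IDs are left
// untouched, and a new array is returned so the dashboard re-renders from fresh state.
function markContained(list: Incident[], id: string): Incident[] {
  return list.map((inc): Incident =>
    inc.id === id && inc.status !== "Contained" ? { ...inc, status: "Contained" } : inc,
  );
}

// Constructed sample incidents (demo-mode data, not from a real SOC).
const SAMPLE_INCIDENTS: Incident[] = [
  { id: "INC-1002", title: "OS credential dumping on WS-14", severity: "High", status: "Investigating",
    mitre: ["T1003"], user: "j.doe", devices: ["WS-14"], time: "2026-03-28T08:15:00Z" },
  { id: "INC-1001", title: "Phishing email with macro payload", severity: "Critical", status: "Open",
    mitre: ["T1566", "T1059"], user: "a.chen", devices: ["WS-02", "FS-01"], time: "2026-03-28T07:40:00Z" },
  { id: "INC-1003", title: "Unexpected scheduled task", severity: "High", status: "Open",
    mitre: ["T1053"], user: "svc-backup", devices: ["SRV-09"], time: "2026-03-28T09:02:00Z" },
  { id: "INC-1004", title: "Remote services logon from new host", severity: "Low", status: "Contained",
    mitre: ["T1021"], user: "m.ross", devices: ["WS-31"], time: "2026-03-28T06:10:00Z" },
];

// Everything the dashboard screen needs in one call: sorted rows + stats bar.
function dashboardView(list: Incident[]) {
  return { rows: sortIncidents(list), stats: severityCounts(list) };
}
```

`sortIncidents` and `markContained` both return new arrays rather than mutating their input, which is what a React state setter expects; the rank table is the single place to change if a severity level is added.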
5.2 Incident Detail + ATT&CK Matrix
Interaction Flow
```mermaid
flowchart TD
A[Incident Detail Page] --> B[Show attack chain timeline]
A --> C[Show affected user + device info]
A --> D[Display MITRE ATT&CK tags]
D --> E{User clicks ATT&CK tag}
E --> F[Highlight technique in ATT&CK matrix]
A --> G{User clicks Respond button}
G --> H[Navigate to Response panel]
```
Rules
- Matrix columns (a six-tactic subset of ATT&CK Enterprise, in the framework's own order): Initial Access → Execution → Persistence → Credential Access → Lateral Movement → Collection
- Techniques matched to the incident are highlighted, all others dimmed
- Clicking a technique opens its details
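The matrix rules above, as an added TypeScript example that is not PRISM project code: incident tags are resolved onto the six columns, matched cells are highlighted and the rest dimmed, and an unrecognised ID becomes the gray "Unknown Technique" tag from the Edge Cases section. The technique catalog is the appendix list; the ID format check and the sub-technique handling (`T1059.001` highlights its parent `T1059`) are assumptions that go beyond what the page states.

```typescript
// Added example, not PRISM project code: resolves an incident's ATT&CK tags
// onto the six-column matrix from section 5.2 and applies the section 7 rule
// for unrecognised technique IDs. Catalog = the appendix list; sub-technique
// handling is an assumption beyond the page.

type Tactic =
  | "Initial Access" | "Execution" | "Persistence"
  | "Credential Access" | "Lateral Movement" | "Collection";

// Column order: the page's six tactics, in ATT&CK Enterprise order.
const TACTIC_COLUMNS: Tactic[] = [
  "Initial Access", "Execution", "Persistence",
  "Credential Access", "Lateral Movement", "Collection",
];

// Technique catalog (the appendix list).
const TECHNIQUES: Record<string, { name: string; tactic: Tactic }> = {
  T1566: { name: "Phishing", tactic: "Initial Access" },
  T1059: { name: "Command and Scripting Interpreter", tactic: "Execution" },
  T1053: { name: "Scheduled Task/Job", tactic: "Persistence" },
  T1003: { name: "OS Credential Dumping", tactic: "Credential Access" },
  T1021: { name: "Remote Services", tactic: "Lateral Movement" },
  T1005: { name: "Data from Local System", tactic: "Collection" },
};

interface Cell { id: string; name: string; state: "highlighted" | "dimmed" }
interface UnknownTag { id: string; label: "Unknown Technique"; color: "gray" }
interface MatrixView {
  columns: { tactic: Tactic; cells: Cell[] }[];
  unknown: UnknownTag[];
}

// ATT&CK IDs look like T1059 or T1059.001. Anything else is treated as unknown
// without a catalog lookup, so a malformed tag can never match a catalog entry.
const ID_PATTERN = /^T\d{4}(\.\d{3})?$/;

// A sub-technique inherits its parent's tactic, so it highlights the parent cell.
function parentId(id: string): string {
  return id.split(".")[0];
}

function buildMatrix(incidentTags: string[]): MatrixView {
  const matched = new Set<string>();
  const unknown: UnknownTag[] = [];
  for (const raw of incidentTags) {
    const id = raw.trim().toUpperCase();
    const entry = ID_PATTERN.test(id) ? TECHNIQUES[parentId(id)] : undefined;
    if (entry) matched.add(parentId(id));
    else unknown.push({ id: raw, label: "Unknown Technique", color: "gray" });
  }
  const columns = TACTIC_COLUMNS.map((tactic) => ({
    tactic,
    cells: Object.keys(TECHNIQUES)
      .filter((id) => TECHNIQUES[id].tactic === tactic)
      .map((id): Cell => ({
        id,
        name: TECHNIQUES[id].name,
        state: matched.has(id) ? "highlighted" : "dimmed",
      })),
  }));
  return { columns, unknown };
}

// Attack chain = the highlighted techniques read left to right across the
// matrix, i.e. in tactic order, which is what the detail page's timeline shows.
function attackChain(view: MatrixView): string[] {
  const chain: string[] = [];
  for (const col of view.columns)
    for (const cell of col.cells) if (cell.state === "highlighted") chain.push(cell.id);
  return chain;
}
```

The format check runs before the catalog lookup on purpose: tags come from alert data, and an arbitrary string used as an object key (for example `"constructor"`) would otherwise hit a prototype property and look like a match.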
5.3 Automated Response
Interaction Flow
```mermaid
flowchart TD
A[Response Panel] --> B[Show recommended actions]
B --> C["1. Isolate compromised endpoints"]
B --> D["2. Reset credentials"]
B --> E["3. Block malicious IPs"]
B --> F["4. Notify security team"]
C & D & E & F --> G{User confirms execution}
G --> H[Execute with progress animation]
H --> I[Each step shows: Running → Complete]
I --> J[All complete → Navigate to Summary]
```
Rules
- Execution starts only after the analyst confirms; the four actions then run sequentially with a progress animation
- Status per step: Pending → Running → Complete; a failed step turns red and offers retry or skip (see Edge Cases)
- Auto-navigate to the summary once every step has finished
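The response runner described by the rules above, as an added TypeScript example that is not PRISM project code: the four playbook steps move Pending → Running → Complete in order, a failure turns the step red (Failed) and is retried or skipped as in the Edge Cases section, nothing runs before the analyst has confirmed, and every transition is recorded for the summary report. The step IDs, `RunOptions`, the audit record and the demo executor are assumptions made for this example; the executor is injected so the same state machine can drive the animated demo or a real orchestration backend.

```typescript
// Added example, not PRISM project code: the sequential response runner from
// section 5.3 with the failure handling from section 7. Step IDs, RunOptions,
// the audit trail and makeDemoExecutor are assumptions for this example.

type StepStatus = "Pending" | "Running" | "Complete" | "Failed" | "Skipped";

interface ResponseStep {
  id: string;
  label: string;
  status: StepStatus;
  attempts: number;
  detail?: string;
}

// One response action. Should return a result rather than throw; the runner
// still guards against executors that throw.
type Executor = (stepId: string) => { ok: boolean; detail?: string };

interface RunOptions {
  confirmed: boolean;            // analyst pressed Confirm on the response panel
  maxRetries: number;            // automatic retries per step before the skip/halt decision
  onExhausted: "skip" | "halt";  // skip the step, or halt the whole sequence
}

interface AuditEntry { step: string; from: StepStatus; to: StepStatus; detail?: string }

interface RunResult {
  steps: ResponseStep[];
  audit: AuditEntry[];    // every status transition, for the summary report
  summaryReady: boolean;  // true when the flow may auto-navigate to Summary
}

// The four recommended actions, in execution order.
const PLAYBOOK: { id: string; label: string }[] = [
  { id: "isolate", label: "Isolate compromised endpoints" },
  { id: "reset", label: "Reset credentials" },
  { id: "block", label: "Block malicious IPs" },
  { id: "notify", label: "Notify security team" },
];

function runResponse(execute: Executor, opts: RunOptions): RunResult {
  const steps = PLAYBOOK.map((p): ResponseStep => ({ ...p, status: "Pending", attempts: 0 }));
  const audit: AuditEntry[] = [];
  const transition = (s: ResponseStep, to: StepStatus, detail?: string) => {
    audit.push({ step: s.id, from: s.status, to, detail });
    s.status = to;
    if (detail !== undefined) s.detail = detail;
  };
  // Rule: nothing executes before the analyst confirms; every step stays Pending.
  if (!opts.confirmed) return { steps, audit, summaryReady: false };

  const attempt = (s: ResponseStep) => {
    transition(s, "Running", s.attempts ? `retry ${s.attempts}` : undefined);
    s.attempts++;
    try { return execute(s.id); }
    catch (e) { return { ok: false, detail: `executor threw: ${String(e)}` }; }
  };

  for (const step of steps) {
    let result = attempt(step);
    // A failed step turns red, then is retried while the retry budget lasts.
    while (!result.ok && step.attempts <= opts.maxRetries) {
      transition(step, "Failed", result.detail);
      result = attempt(step);
    }
    if (result.ok) transition(step, "Complete", result.detail);
    else if (opts.onExhausted === "skip") transition(step, "Skipped", result.detail);
    else { transition(step, "Failed", result.detail); break; }  // halt: later steps stay Pending
  }
  const summaryReady = steps.every((s) => s.status === "Complete" || s.status === "Skipped");
  return { steps, audit, summaryReady };
}

// Progress bar value: steps that are finished one way or another.
function progressPercent(steps: ResponseStep[]): number {
  const done = steps.filter((s) => s.status === "Complete" || s.status === "Skipped").length;
  return Math.round((100 * done) / steps.length);
}

// Constructed demo-mode executor (section 7): a step fails its first
// `failures[id]` calls and succeeds afterwards; use Infinity for "always fails".
function makeDemoExecutor(failures: Record<string, number>): Executor {
  const calls: Record<string, number> = {};
  return (id) => {
    calls[id] = (calls[id] || 0) + 1;
    return calls[id] <= (failures[id] || 0)
      ? { ok: false, detail: `${id}: attempt ${calls[id]} failed` }
      : { ok: true, detail: `${id}: done` };
  };
}
```

The audit array is the raw material for the summary screen: it records who ran what, in which order, with every retry and skip, which is what a reviewer of an automated isolation or credential reset will ask for.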
6. Business Flowcharts
Core SOC Workflow
```mermaid
flowchart TD
START([Alert Triggered]) --> DASH[Dashboard - View Incidents]
DASH --> SELECT{Select Incident}
SELECT --> DETAIL[Incident Detail]
DETAIL --> ATTACK["ATT&CK Matrix View"]
ATTACK --> ASSESS{Assess Severity}
ASSESS -->|Critical/High| RESPOND[Automated Response Panel]
ASSESS -->|Medium/Low| MONITOR[Continue Monitoring]
RESPOND --> EXEC[Execute Response Actions]
EXEC --> EXEC1["1. Isolate"]
EXEC1 --> EXEC2["2. Reset Creds"]
EXEC2 --> EXEC3["3. Block IPs"]
EXEC3 --> EXEC4["4. Notify Team"]
EXEC4 --> SUMMARY[Response Summary]
SUMMARY --> DASH_UPDATE[Dashboard Updated - Status: Contained]
```
6-Screen Prototype Flow
```mermaid
flowchart LR
S1["Screen 1<br/>Dashboard"] --> S2["Screen 2<br/>Incident Detail"]
S2 --> S3["Screen 3<br/>ATT&CK Map"]
S3 --> S4["Screen 4<br/>Response Execution"]
S4 --> S5["Screen 5<br/>Summary"]
S5 --> S6["Screen 6<br/>Dashboard Updated"]
```
7. Edge Cases
| Scenario | Handling |
|---|---|
| No active incidents | Empty state: All clear |
| Response action fails | Red status + retry + skip option |
| Unknown ATT&CK technique | Gray tag: Unknown Technique |
| Demo mode | Static mock data, preset interaction paths |
8. Roadmap
| Phase | Key Features | Status |
|---|---|---|
| v1.0 | 6-screen interactive prototype | Done ✅ |
| v2.0 | AI explainability, ML visualization, real-time data | Planned |
| v3.0 | Collaborative triage, integrations | Future |
9. Appendix
Design Specs
| Property | Value |
|---|---|
| Theme | Dark SOC dashboard |
| Base BG | #0a0f1a |
| Card BG | #141b2d |
| Accent | #3b82f6 |
| Severity | Critical: red / High: orange / Medium: yellow / Low: blue |
MITRE ATT&CK Tags Used
ATT&CK techniques in prototype (Enterprise matrix; each listed under the tactic column the prototype uses for it):
- Initial Access — T1566 Phishing
- Credential Access — T1003 OS Credential Dumping
- Lateral Movement — T1021 Remote Services
- Execution — T1059 Command and Scripting Interpreter
- Collection — T1005 Data from Local System
- Persistence — T1053 Scheduled Task/Job (in ATT&CK this technique also appears under Execution and Privilege Escalation; the prototype shows it in the Persistence column only)