A multi-agent security monitoring system powered by a local LLM that audits Windows endpoints and generates AI-driven remediation guidance — fully offline.
A continuous endpoint security monitoring system that audits Windows configurations every 5 minutes and uses a local LLM with Retrieval-Augmented Generation (RAG) to explain findings and suggest fixes in plain English — without sending any data to the cloud.
Built a real-time auditing engine using native Windows APIs (pywin32, WMI, winreg) that scans firewall rules, user privileges, registry policies, antivirus status, running services, and OS patch levels. Scans run automatically every 5 minutes.
Integrated a local LLM (Llama via Ollama) with a Retrieval-Augmented Generation pipeline. When the scanner detects a misconfiguration, the RAG system queries a local knowledge base of CIS Benchmarks, NIST guidelines, and Microsoft security baselines to generate context-aware remediation steps.
Built the local knowledge retrieval pipeline using ChromaDB and SentenceTransformers. Security standards documents are embedded and indexed locally — no internet required at any point.
Engineered a Windows service with a desktop monitoring dashboard and real-time notifications. Security officers can review detected vulnerabilities and approve or reject remediation actions interactively — the system never applies changes without approval.
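The approval gate described above, as an added example that is not the project's own code: a remediation proposal that fails closed unless a security officer has approved it. Binding the decision to a SHA-256 digest of the exact command is an assumption of this example, and `Proposal`, `action_digest`, `runner` and the sample finding are hypothetical names.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class State(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    REJECTED = "rejected"
    APPLIED = "applied"


def action_digest(finding_id: str, command: str) -> str:
    """Assumed design (not from the page): digest binds a decision to one command."""
    return hashlib.sha256(f"{finding_id}\n{command}".encode()).hexdigest()


@dataclass
class Proposal:
    finding_id: str
    command: str  # remediation suggested by the LLM (untrusted until reviewed)
    state: State = State.PENDING
    approved_digest: Optional[str] = None
    audit: list = field(default_factory=list)

    def decide(self, officer: str, approve: bool, reviewed_digest: str) -> None:
        if self.state is not State.PENDING:
            raise PermissionError("proposal already decided")
        if reviewed_digest != action_digest(self.finding_id, self.command):
            raise PermissionError("officer reviewed a different command")
        self.state = State.APPROVED if approve else State.REJECTED
        self.approved_digest = reviewed_digest if approve else None
        self.audit.append((officer, self.state.value, reviewed_digest))

    def apply(self, runner) -> str:
        # Fail closed: anything not explicitly approved is refused.
        if self.state is not State.APPROVED:
            raise PermissionError(f"not approved (state={self.state.value})")
        # Re-check at apply time: a command edited after approval is refused.
        if action_digest(self.finding_id, self.command) != self.approved_digest:
            raise PermissionError("command changed after approval")
        result = runner(self.command)
        self.state = State.APPLIED
        self.audit.append(("system", "applied", self.approved_digest))
        return result


# Constructed sample finding and command, for illustration only.
SAMPLE = ("FW-DOMAIN-OFF", "Set-NetFirewallProfile -Profile Domain -Enabled True")
```

`runner` is whatever callable actually executes the change; keeping it outside `Proposal` means the gate can be tested without touching the endpoint.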
Making the RAG pipeline fast enough to be useful was the main challenge. Embedding large security standards documents and querying them in real time required a careful chunking strategy and index optimization in ChromaDB. The final implementation returns relevant context in under 2 seconds on consumer hardware.
A fully offline, AI-assisted security monitoring system that reduces manual configuration auditing workload while providing explainable, standard-aligned remediation guidance — without any dependency on cloud APIs or internet connectivity.