Aaron Johnson Tech — Security Operations, Detection Engineering, AI Security

AI security and workflow design case study

Private RAG Stack for SOC Notes

Built a local RAG workflow for private SOC notes so security procedures, triage notes, and playbooks can be searched with AI assistance without sending sensitive context to a public model by default.

Ollama · OpenWebUI · Qdrant · FastAPI · Docker Compose · Private RAG · AI security

Objective

Create a privacy-aware AI assistant pattern for SOC notes and procedures.

Storage

Qdrant stores vectorized notes for local semantic retrieval.

Interface

OpenWebUI connects to a local FastAPI retrieval tool.

Outcome

A private retrieval workflow with documented guardrails and operational boundaries.

Case-study summary

Security problem

SOC notes, incident procedures, and internal playbooks are useful for AI assistance, but they can include sensitive operational details. The goal was to preserve the benefit of AI-assisted retrieval while keeping the workflow local and controlled.

Environment

Local container stack using Ollama for models and embeddings, Qdrant for vector search, OpenWebUI for the analyst interface, Docker Compose for repeatable services, and FastAPI for a retrieval endpoint.

Build / implementation

Designed the service architecture, created a local ingestion/retrieval path, wired OpenWebUI to the retriever, and documented privacy and operational guardrails for safe use.

Validation

Validated that OpenWebUI could call the local retrieval tool and return evidence chunks from private notes through the local stack rather than relying on public upload workflows.

Analyst takeaway

What this proves to a hiring manager

This project shows AI-security judgment and practical implementation. It demonstrates how to think beyond “use an LLM” and design a safer workflow around data sensitivity, retrieval boundaries, local services, and analyst usability.

Skills demonstrated

Role-aligned capabilities

  • AI-assisted SOC workflow design
  • Private RAG architecture
  • Containerized local services
  • Vector search and retrieval design
  • Security guardrails and governance-minded documentation

Evidence gallery

Screenshots and artifacts

[Image: Architecture diagram showing local SOC notes flowing through ingest.py, Ollama embeddings, Qdrant, a FastAPI retriever, and OpenWebUI.]
Private RAG architecture: local notes, local embeddings, Qdrant retrieval, FastAPI, and OpenWebUI.

[Image: Docker Compose service design showing Ollama, OpenWebUI, Qdrant, and a FastAPI retriever with localhost-bound ports.]
Container service design for repeatable local deployment.

[Image: OpenWebUI Add Connection modal showing a private RAG Search OpenAPI tool pointed at the local retriever service.]
OpenWebUI connection to the local RAG retrieval tool.
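
One way to check the localhost-bound port guardrail shown in the Compose service design above, as an added example that is not the project's own code: a small Python audit that flags published ports not bound to a loopback address. The compose text, service layout, and host ports are constructed for illustration, and only the short `ports:` string syntax is handled.

```python
"""Flag Compose short-syntax port mappings that are not bound to loopback."""
import ipaddress
import re

# Constructed sample, not the project's compose file (assumed layout and ports).
SAMPLE_COMPOSE = """\
services:
  ollama:
    image: ollama/ollama
    ports:
      - "127.0.0.1:11434:11434"
  qdrant:
    image: qdrant/qdrant
    ports:
      - "6333:6333"
  openwebui:
    image: ghcr.io/open-webui/open-webui:main
    ports:
      - "0.0.0.0:3000:8080"
"""

def host_ip(mapping):
    """Host IP of a [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTO] entry, or None."""
    mapping = mapping.split("/")[0]               # drop /tcp or /udp
    if mapping.startswith("["):                   # bracketed IPv6, e.g. [::1]:3000:8080
        return mapping[1:mapping.index("]")]
    parts = mapping.split(":")
    return parts[0] if len(parts) == 3 else None  # no host IP: published on all interfaces

def is_loopback(mapping):
    """True only when the mapping names a literal loopback host IP."""
    try:
        return ipaddress.ip_address(host_ip(mapping) or "").is_loopback
    except ValueError:                            # missing, malformed, or ${VAR} host IP
        return False

def audit(compose_text):
    """Return [(service, mapping)] for each published port not bound to loopback."""
    findings, service, in_ports = [], None, False
    for line in compose_text.splitlines():
        if m := re.match(r"^  ([\w.-]+):\s*$", line):    # service key at 2-space indent
            service, in_ports = m.group(1), False
        elif re.match(r"^\s+ports:\s*$", line):
            in_ports = True
        elif in_ports and (m := re.match(r"^\s+-\s*[\"']?([^\"'\s#]+)", line)):
            if not is_loopback(m.group(1)):
                findings.append((service, m.group(1)))
        elif line.strip():                               # any other key ends the ports list
            in_ports = False
    return findings
```

Run against the constructed sample, `audit(SAMPLE_COMPOSE)` reports the `qdrant` and `openwebui` mappings, since a mapping without a host IP is published on all interfaces by default.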
