Machine Learning on pyToshka's DevSecOps Blog

The Judge Pattern: Cross-Checking LLM Verdicts

ping@pytoshka.me (pyToshka) — Fri, 22 May 2026 00:00:00 +0000

When a large language model returns a confident verdict - “this document is fraudulent”, “this alert is benign”, “this transaction is safe” - the natural instinct is to trust it. The model wrote a fluent rationale, cited the right fields, and reached a clean conclusion. The problem is that fluency is not correctness. In a low-stakes setting, an occasional wrong answer is noise. In a high-stakes pipeline, where a single verdict can deny someone a job, close a critical security incident, or release a fraudulent payment, the cost of a confident wrong answer is real and asymmetric.

Wazuh + AWS Bedrock: AI Security in Docker (Part 1)

ping@pytoshka.me (pyToshka) — Mon, 16 Mar 2026 00:00:00 +0000

Introduction

In the previous article we embedded a local Ollama model directly into the Wazuh Dashboard chat via ML Commons. That approach provides full control over data with no cloud dependencies. In this series we take a parallel path: using AWS Bedrock - specifically Claude Sonnet 4.5 - as the inference backend, while all security data stays strictly within the local Docker network.

Ollama in Wazuh Dashboard: AI Security Analysis

ping@pytoshka.me (pyToshka) — Wed, 21 Jan 2026 00:00:00 +0000

Introduction

Integrating local language models directly into the Wazuh interface opens fundamentally new capabilities for information security teams. Unlike cloud-based AI solutions, Ollama enables security event analysis entirely within an organization’s isolated infrastructure, eliminating the transmission of confidential data beyond the network perimeter. Embedding an AI assistant into the Wazuh dashboard provides SOC analysts with instant access to intelligent alert interpretation, automatic incident correlation, and response recommendation generation directly within the workflow context. This approach significantly reduces the time required for initial threat analysis and decreases the cognitive load on specialists, allowing them to focus on strategic decision-making instead of routine event processing. Meanwhile, full control over the model and data remains within the organization, which is critically important for regulatory compliance and internal security policies.

The Catcher in the Prompt: Day 60

ping@pytoshka.me (pyToshka) — Sat, 17 Jan 2026 00:00:00 +0000

The Catcher in the Prompt

Series Navigation:

Part 1: The Day the LLM Stood Still
Part 2: The Catcher in the Prompt (you are here)
Part 3: Only 1984 Tokens Remain

Day 60

Your own personal Jesus

The Day the LLM Stood Still: World Without AI

ping@pytoshka.me (pyToshka) — Fri, 26 Dec 2025 00:00:00 +0000

Series Navigation:

Part 1: The Day the LLM Stood Still (you are here)
Part 2: The Catcher in the Prompt
Part 3: Only 1984 Tokens Remain

November 18, 2025, is the Day the LLM Stood Still….

Dear diary.

It’s been 15 days since the LLM bubble burst. I’m writing from beneath the rubble of RAM sticks and charred NVIDIA GPUs. The air is dry, smelling of data center dust and burnt silicon. It’s calmer now, but the first days were hell.

Joining the Wazuh Ambassador Program

ping@pytoshka.me (pyToshka) — Thu, 11 Dec 2025 00:00:00 +0000

I’m excited to announce that I have officially joined the Wazuh Ambassador Program. This is a significant milestone in my journey with open-source security, and I’m honored to represent and contribute to a platform that has become central to my professional work.

My Journey with Wazuh

My path with host-based intrusion detection started long before Wazuh existed – with OSSEC, its predecessor. When Wazuh emerged as a fork and began evolving into the comprehensive security platform it is today, I transitioned along with it. That was over 10 years ago, and Wazuh has been an integral part of my security infrastructure work ever since.

Two LLM Security Assistants for Wazuh and AWS Analysis

ping@pytoshka.me (pyToshka) — Tue, 07 Oct 2025 00:00:00 +0000

When Your SOC Analyst Can’t Keep Up (Or Just Needs a Break)

Let’s be honest: analyzing thousands of security events every day isn’t the most exciting job.

Wazuh LLM: Fine-Tuned Llama 3.1 for Security Analysis

ping@pytoshka.me (pyToshka) — Thu, 02 Oct 2025 00:00:00 +0000

Introducing Wazuh LLM: Why Specialized Security Analysis Matters

In the cybersecurity world, SOC specialists deal with massive streams of security events daily. Analyzing each alert requires deep knowledge, experience, and time. That’s why I created a specialized language model to assist security analysts in their day-to-day operations.

Building ML Threat Intelligence with Honeypot Data

ping@pytoshka.me (pyToshka) — Wed, 24 Sep 2025 00:00:00 +0000

Introduction

Picture this: you’re staring at security logs with thousands of events streaming in daily. Which ones are actually dangerous? Which can you safely ignore? Traditional signature-based detection is like playing whack-a-mole with cybercriminals - they’ve gotten really good at dodging known signatures faster than we can create them.

RAG for Wazuh Documentation: Step-by-Step Guide, Part 2

ping@pytoshka.me (pyToshka) — Wed, 05 Mar 2025 00:00:00 +0000

Related Reading:

Wazuh Integration with Ollama Series - Learn how to integrate Wazuh with Ollama
Wazuh LLM Security Event Analysis - Specialized model for Wazuh events

Prerequisites and Environment Setup

For local RAG development, ensure you have the following requirements:

RAG for Wazuh Documentation: Step-by-Step Guide, Part 1

ping@pytoshka.me (pyToshka) — Sun, 02 Mar 2025 00:00:00 +0000

Introduction to RAG

Retrieval-Augmented Generation (RAG) is a method that allows the use of information from various sources to generate more accurate and useful responses to questions.

Enhancing Wazuh with Ollama: Cybersecurity Boost (Part 4)

ping@pytoshka.me (pyToshka) — Sat, 01 Mar 2025 00:00:00 +0000

Continuing the Series: Integrating a Wazuh Cluster with Ollama - Part 4. Configuration and Implementation

Related: Check out our Wazuh LLM fine-tuned model for specialized security event analysis.

Enhancing Wazuh with Ollama: Cybersecurity Boost (Part 3)

ping@pytoshka.me (pyToshka) — Thu, 27 Feb 2025 00:00:00 +0000

Wazuh and Ollama: Part 3. Creating Integration Between Your Wazuh Cluster and Ollama

Wazuh offers vast and nearly limitless possibilities for integration with various systems. Even if a specific feature is missing, you can always create your own custom integration.

Enhancing Wazuh with Ollama: Cybersecurity Boost (Part 2)

ping@pytoshka.me (pyToshka) — Wed, 26 Feb 2025 00:00:00 +0000

Wazuh and Ollama: Part 2. Deploying the Wazuh Cluster

Now it’s time to set up Wazuh, which we will integrate with Ollama.

Enhancing Wazuh with Ollama: Cybersecurity Boost (Part 1)

ping@pytoshka.me (pyToshka) — Mon, 24 Feb 2025 00:00:00 +0000

Introduction

Welcome to the first part of our guide on enhancing Wazuh with Ollama!

Mitigation Anomaly Revelation Keeper(MARK)

ping@pytoshka.me (pyToshka) — Wed, 04 Dec 2024 00:00:00 +0000

Overview

Mitigation Anomaly Revelation Keeper (MARK) is an advanced security platform designed to proactively defend against cyber threats by leveraging cutting-edge IP reputation analysis and machine learning. With a focus on identifying and neutralizing malicious actors, MARK offers unparalleled insight into attacker behavior and statistical trends to fortify your organization’s defenses.