MAP THE BLAST RADIUS, BLASTR.
Graph-aware RAG security analysis for cross-layer DevSecOps (M.Sc. dissertation) — parses Terraform/IaC into NetworkX attack graphs, propagates "blast radius" across cloud layers, and pairs a LangGraph reasoning agent with FAISS + Sentence-Transformers RAG to explain and prioritise security misconfigurations. Know exactly what goes green before it goes boom.
A MISCONFIG IS NEVER JUST ONE RESOURCE
Security scanners hand you a flat list of findings. What they don't tell you is the Hulk question: if this one thing breaks open, how far does the damage spread?
BlastR answers it structurally — parsing Terraform into NetworkX attack graphs and propagating blast radius across cloud layers, so one weak security group is scored by everything it exposes. A LangGraph reasoning agent grounded in FAISS + Sentence-Transformers RAG then explains each misconfiguration and prioritises what to fix first — in plain, cited language.
"Severity isn't the finding. Severity is the blast radius."
- FILE SNAPSHOT
- Input — Terraform / IaC
- Graph — NetworkX attack graphs
- Radius — propagated across cloud layers
- Reasoning — LangGraph agent + FAISS RAG
- SLM — Qwen2.5-Coder-1.5B, LoRA/QLoRA
- Ships as — Typer CLI · FastAPI · React dashboard
FROM HCL TO PRIORITISED FIXES
Parse the IaC
Terraform is parsed into a NetworkX attack graph — resources become nodes, trust and reachability become edges.
Propagate the Blast
"Blast radius" propagates across cloud layers — a single misconfiguration is scored by everything it can reach, not just what it is.
Reason & Ground
A LangGraph reasoning agent paired with FAISS + Sentence-Transformers RAG explains each misconfiguration and prioritises remediation with grounded citations.
Fine-Tune the Specialist
A domain SLM, Qwen2.5-Coder-1.5B, is fine-tuned with LoRA/QLoRA via HuggingFace Transformers + PEFT on Terraform labelled with Checkov and Trivy findings.
Benchmark & Track
The fine-tune is benchmarked against a zero-shot baseline and tracked in LangSmith — the gains are measured, not assumed.
Ship Three Ways
A Typer CLI for pipelines, a FastAPI service for integration, and a React + TypeScript dashboard for humans.
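The parse-and-propagate steps above, as an added example that is not BlastR's own code: a stdlib-only Python sketch that regex-parses a constructed Terraform snippet, builds a directed graph (a dict-of-sets standing in for nx.DiGraph, same semantics) from cross-resource references, and ranks three toy findings by what each can reach. The edge-direction rules, the layer weights, the wildcard-policy edge and the three checks standing in for Checkov/Trivy are all assumptions for illustration.

```python
"""Terraform -> attack graph -> blast-radius ranking (added example, stdlib only)."""
import re
from collections import deque

# Constructed sample: SSH open to the world in front of an instance whose role
# carries a wildcard S3 policy, plus an unrelated public-read bucket.
SAMPLE_TF = '''
resource "aws_security_group" "web" {
  ingress {
    from_port   = 22
    to_port     = 22
    cidr_blocks = ["0.0.0.0/0"]
  }
}
resource "aws_instance" "web" {
  vpc_security_group_ids = [aws_security_group.web.id]
  iam_instance_profile   = aws_iam_instance_profile.web.name
}
resource "aws_iam_instance_profile" "web" {
  role = aws_iam_role.web.name
}
resource "aws_iam_role" "web" {
  assume_role_policy = "{}"
}
resource "aws_iam_role_policy" "web" {
  role   = aws_iam_role.web.id
  policy = jsonencode({ Action = "s3:*", Resource = "*" })
}
resource "aws_s3_bucket" "data" {
  bucket = "customer-data"
}
resource "aws_s3_bucket" "logs" {
  bucket = "public-logs"
  acl    = "public-read"
}
'''

# Assumed cloud layer per resource type and how much a reached node adds to the score.
LAYER_WEIGHT = {"network": 1, "compute": 2, "identity": 3, "data": 4}
TYPE_LAYER = {"aws_security_group": "network", "aws_instance": "compute",
              "aws_iam_instance_profile": "identity", "aws_iam_role": "identity",
              "aws_iam_role_policy": "identity", "aws_s3_bucket": "data"}
# (referrer type, attribute) pairs where exposure flows referenced -> referrer:
# a security group exposes the instance behind it; a role inherits its attached policy.
INBOUND = {("aws_instance", "vpc_security_group_ids"), ("aws_instance", "security_groups"),
           ("aws_iam_role_policy", "role"), ("aws_iam_role_policy_attachment", "role")}

RESOURCE_RE = re.compile(r'^resource\s+"(\w+)"\s+"(\w+)"\s*\{', re.M)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+)$', re.M)
REF_RE = re.compile(r'\b(aws_\w+)\.(\w+)\.(?:id|name|arn)\b')


def parse_resources(hcl):
    """Return {address: {attr: raw_value}}; bodies found by brace counting, nested blocks flattened."""
    resources = {}
    for m in RESOURCE_RE.finditer(hcl):
        depth, i = 1, m.end()
        while depth and i < len(hcl):
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        resources[f"{m.group(1)}.{m.group(2)}"] = dict(ATTR_RE.findall(hcl[m.end():i - 1]))
    return resources


def wildcard_s3(policy):
    """True if an inline policy grants s3:* (or *) on every resource."""
    return bool(re.search(r'Action\s*=\s*"(?:s3:)?\*"', policy)) and \
        bool(re.search(r'Resource\s*=\s*"\*"', policy))


def build_graph(resources):
    """Directed graph {node: set(successors)}; an edge means 'compromise here reaches there'."""
    graph = {addr: set() for addr in resources}
    for addr, attrs in resources.items():
        rtype = addr.split(".")[0]
        for attr, value in attrs.items():
            for ref_type, ref_name in REF_RE.findall(value):
                target = f"{ref_type}.{ref_name}"
                if target in graph:
                    src, dst = (target, addr) if (rtype, attr) in INBOUND else (addr, target)
                    graph[src].add(dst)
        if rtype == "aws_iam_role_policy" and wildcard_s3(attrs.get("policy", "")):
            graph[addr].update(n for n in graph if n.startswith("aws_s3_bucket."))  # identity -> data
    return graph


def detect(resources):
    """Three toy checks standing in for the Checkov/Trivy findings the page uses."""
    findings = []
    for addr, attrs in resources.items():
        if addr.startswith("aws_security_group.") and "0.0.0.0/0" in attrs.get("cidr_blocks", ""):
            findings.append((addr, "ingress open to 0.0.0.0/0"))
        if addr.startswith("aws_s3_bucket.") and "public" in attrs.get("acl", ""):
            findings.append((addr, "bucket ACL is public"))
        if addr.startswith("aws_iam_role_policy.") and wildcard_s3(attrs.get("policy", "")):
            findings.append((addr, "wildcard s3:* on Resource *"))
    return findings


def blast_radius(graph, start):
    """Every node reachable from start (BFS): what a compromise there exposes."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in graph[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def layer_weight(addr):
    return LAYER_WEIGHT[TYPE_LAYER[addr.split(".")[0]]]


def rank(hcl):
    """Score each finding by its own layer plus everything it reaches; worst first."""
    resources = parse_resources(hcl)
    graph = build_graph(resources)
    ranked = []
    for addr, reason in detect(resources):
        reached = blast_radius(graph, addr)
        ranked.append({"resource": addr, "finding": reason,
                       "score": layer_weight(addr) + sum(layer_weight(r) for r in reached),
                       "reaches": sorted(reached),
                       "layers": sorted({TYPE_LAYER[r.split(".")[0]] for r in reached})})
    return sorted(ranked, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in rank(SAMPLE_TF):
        print(f"{f['score']:>3}  {f['resource']:<28} {f['finding']}  "
              f"-> {len(f['reaches'])} nodes, layers: {', '.join(f['layers']) or 'none'}")
```

The open security group comes out on top (score 20) because it reaches compute, identity and data through the instance profile and the wildcard policy, while the public bucket, which a flat scanner might rate the same or higher, reaches nothing and scores 4. Swapping the dict graph for `networkx.DiGraph` and `nx.descendants` changes nothing about the ranking logic.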
STRONGEST THERE IS, MEASURABLY
Graph-Aware, Not List-Based
Findings are ranked by cross-layer reachability — the graph knows that a public bucket feeding a privileged role is not a "low".
Grounded Explanations
Every priority call comes with a retrieved, cited explanation — security review that reads like a senior engineer wrote it.
A Domain Specialist SLM
Small model, gamma-boosted: fine-tuned on Checkov/Trivy-labelled Terraform so it speaks IaC security natively.
Measured, Not Vibed
Benchmarked against zero-shot and tracked in LangSmith — dissertation-grade rigour behind every claim.
CONTAINMENT ARCHITECTURE
- Terraform / IaC: Source of Truth
- Checkov + Trivy: Labelled Training Data
- Attack Graph Engine: NetworkX · Blast-Radius Propagation Across Layers
- LangGraph Agent: Reasoning + Prioritisation
- FAISS RAG: Sentence-Transformers Grounding
- Fine-Tuned SLM: Qwen2.5-Coder-1.5B · LoRA/QLoRA
- Typer CLI: Pipelines
- FastAPI: Service
- React + TS Dashboard: Humans