Skip to content
ANIRUDDH ATREY
QR Code - Contact Aniruddh Atrey
Cybersecurity

Building AI-Powered Cybersecurity Automation for India's Ministry of Defence

How I architected Phantom — a modular cybersecurity automation framework integrating 10+ security tools with LLM-powered triage that improved threat detection by 80% for 50+ government assets.

January 15, 2026 · 4 min read
AICybersecurityPythonLangChainDjango
Building AI-Powered Cybersecurity Automation for India's Ministry of Defence
Cybersecurity Building AI-Powered Cybersecurity Automation for India's Ministry of Defence
Django 4.2Python 3.11ASGILangChainLangGraphSQLmapOWASP ZAPNmapNucleiSelenium WireAMASSFastAPI

The Problem: Manual Vulnerability Assessments at National Scale

India’s Ministry of Defence oversees 50+ mission-critical government web assets — each a potential attack vector for nation-state adversaries. Security teams were drowning in manual vulnerability assessments: fragmented tooling, no centralized reporting, and scan-to-report cycles that took days instead of hours.

With new CVEs emerging daily and Advanced Persistent Threats (APTs) targeting sovereign infrastructure, the existing workflow was dangerously slow. My network intrusion detection research at the University of Florida had already shown that ML could outperform traditional methods — now it was time to apply that at national scale. The government needed a unified, automated cybersecurity orchestration platform that could think faster than the threats it was built to stop.

Why Off-the-Shelf Wasn’t an Option

Commercial vulnerability scanners have three fundamental problems for defense-grade work:

  1. Data sovereignty — scan results from government assets cannot leave sovereign infrastructure
  2. Tool fragmentation — each scanner (SQLmap, Nmap, ZAP, Nuclei) operates in isolation with no shared context
  3. Triage bottleneck — raw scan output is noise until a human analyst classifies, prioritizes, and generates remediation guidance

What the Ministry needed was not another scanner. It needed an orchestration layer — a system that coordinates multiple scanners, auto-triages results using AI, and generates actionable reports in real-time.

The Architecture: Plugin-Based Automation with LLM Triage

I designed Phantom as a modular, plugin-based framework where any new security tool could be integrated without modifying the core engine.

Core Stack

  • Django 4.2 + Python 3.11 + ASGI — chosen for battle-tested ORM, admin interface, and async capabilities
  • ASGI over WSGI — because in cybersecurity, waiting for synchronous responses is not an option
  • LangChain + LangGraph — LLM pipeline for auto-classifying vulnerabilities and generating developer-ready summaries

The 10+ Tool Integration Layer

Each tool runs as an isolated plugin with a standardized output interface:

  • SQLmap — SQL injection detection and exploitation
  • OWASP ZAP — Dynamic Application Security Testing (DAST)
  • Nmap — Network reconnaissance and service fingerprinting
  • Nuclei — Template-based vulnerability scanning
  • Selenium Wire — Browser-based probes for client-side vulnerabilities
  • Wappalyzer — Technology stack fingerprinting
  • AMASS — Subdomain enumeration at scale
  • Dirsearch — Directory and file brute-forcing
  • Ghauri — Advanced SQL injection testing

VM Orchestration Engine

The most complex subsystem: geo-network segmented virtual machine provisioning. The system elastically scales 10+ virtual nodes based on scan workload, distributing jobs across Django/FastAPI microservices with intelligent scheduling via Crontab.

The Results

⚠️

Some implementation details are classified under India’s Ministry of Defence. The metrics shared here are approved for public disclosure.
0%Better Detection
0%Scan Efficiency Gain
0%Faster Reporting
0+Assets Secured

The AI Triage Pipeline

The LangChain + LangGraph pipeline was the force multiplier. Raw scan data from 10 tools generates thousands of findings — most are duplicates, false positives, or low-severity noise. The LLM pipeline:

  1. Deduplicates findings across tools using semantic similarity
  2. Classifies by CVSS score with contextual metadata
  3. Generates developer-ready remediation summaries
  4. Prioritizes based on asset criticality and exploitability

This reduced the security analyst’s triage workload by approximately 90%.

Key Takeaway

Phantom proved that defense-grade cybersecurity can be both automated and intelligent. The modular architecture means new tools can be added in hours, not weeks. The LLM triage means analysts focus on critical threats, not noise. And the VM orchestration means the system scales with the threat landscape.

The framework now protects 50+ sovereign assets for India’s Ministry of Defence — running 24/7 with zero human intervention for routine scans.

Aniruddh Atrey · Cybersecurity Lead, INNEFU Labs

This project was built at INNEFU Labs, a DRDO-affiliated laboratory, under the Ministry of Defence of India. Some implementation details are classified.

Explore More:

Aniruddh Atrey

Written by Aniruddh Atrey

Technology entrepreneur, AI & Data Science engineer, and cybersecurity specialist. Co-Founder & COO of F1Jobs.io, Founder & CTO of MetaMinds. Building the future with AI.

GitHub LinkedIn About

Discussion

Keep Reading

How AI is Saving Lives on Indian Highways
AI & ML

How AI is Saving Lives on Indian Highways
From University Research to Production: Network Intrusion Detection with ML
AI & ML

From University Research to Production: Network Intrusion Detection with ML