karim.semaan (open to work)
[Bastion preview image]
Generative AI · Protected · 2026

Bastion

AI cybersecurity assessment SaaS

Compresses a 10–12-week security engagement into one workflow: a multi-stage Claude pipeline (~80% token reduction) where every finding cites the evidence it came from and a human signs off.

NIST CSF 2.0 · maturity · 58% posture
  • Govern 3/4
  • Identify 3/4
  • Protect 2/4
  • Detect 2/4
  • Respond 3/4
  • Recover 1/4

    Synthetic controls. No real client or assessment data.


    Protected work

    Bastion runs real cybersecurity assessments on confidential client evidence, so source and data stay private. It's live as an invite-only deployment. Request a walkthrough for a guided tour of the running app.

    Request access

    Bastion (Next.js 15 + Supabase + Claude) replaces the spreadsheet/Word/PowerPoint sprawl of a 10–12-week security engagement with one workflow. Its AI is a real multi-stage pipeline: local section filtering → Claude Haiku relevance triage → Claude Sonnet deep analysis (~80% token reduction vs. passing the full document corpus to Sonnet directly) → Haiku self-verification → bottom-up discovery → a Pinecone RAG layer. Every output cites the evidence it came from, and a human approves it. It supports 5 frameworks (NIST CSF 2.0, CIS v8, ISO 27001, SOC 2, CMMC 2.0), enforces the client/internal split at the database layer via Supabase RLS, and includes Stripe multi-tenancy and PDF/DOCX/PPTX report generation. It runs live as an invite-only deployment (a guided walkthrough is available on request), while this card's preview uses synthetic controls only, with no real client or assessment data.

    • Next.js 15
    • React 19
    • TypeScript
    • Supabase
    • Claude (Sonnet + Haiku)
    • Pinecone (RAG)
    • Stripe
    • Vercel

    Architecture · multi-stage Claude gap-analysis pipeline

    1. Evidence vault: client documents + controls, isolated per tenant at the database layer via Supabase RLS.
    2. Local section filtering: a deterministic pre-filter narrows the corpus before any LLM tokens are spent.
    3. Claude Haiku, relevance triage: a cheap pass keeps only the sections worth deep analysis.
    4. Claude Sonnet, deep gap analysis: full gap analysis on the survivors (~80% fewer tokens than analysing full context).
    5. Claude Haiku, self-verification: a second pass checks each finding back against the cited evidence.
    6. Bottom-up discovery + Pinecone RAG: surfaces related findings across the vault; every output cites the evidence it came from.
    7. Human sign-off: a consultant approves before anything reaches a client-ready report.
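The seven stages above, as an added example in TypeScript that is not Bastion's own code. It keeps the deterministic stages real (keyword pre-filter, token-reduction accounting, citation verification, named sign-off) and replaces the two Claude calls with an injectable `Model` function so it runs offline; the corpus, the control id `PR.DS-11`, the keyword list and both model stand-ins are constructed for the example. The point worth seeing is stage 05: a finding whose cited section does not exist, or whose quote is not verbatim in that section, is dropped before a human ever sees it.

```typescript
// Added example (not Bastion's code): a gap-analysis pipeline shaped like the
// seven stages above. The two Claude stages take an injectable `Model`
// function, so the whole thing runs offline against a constructed corpus.

type Section = { id: string; text: string };
type Evidence = { sectionId: string; quote: string };
type Finding = { control: string; gap: string; evidence: Evidence };
type Approved = Finding & { approvedBy: string };
type Model = (prompt: string) => string; // stand-in for an LLM call

// Stage 02: deterministic pre-filter. Keep only sections that mention a keyword
// associated with the control under assessment; no model tokens are spent yet.
function localFilter(sections: Section[], keywords: string[]): Section[] {
  const kws = keywords.map((k) => k.toLowerCase());
  return sections.filter((s) => kws.some((k) => s.text.toLowerCase().includes(k)));
}

// Rough token estimate (~4 characters per token), used only to report savings.
function estimateTokens(sections: Section[]): number {
  return sections.reduce((sum, s) => sum + Math.ceil(s.text.length / 4), 0);
}

// Stage 03: cheap relevance triage. The model answers yes/no per section.
function triage(sections: Section[], cheapModel: Model): Section[] {
  return sections.filter((s) =>
    cheapModel(`Is this section relevant to the control? ${s.id}: ${s.text}`)
      .trim().toLowerCase().startsWith("yes"));
}

// Stage 04: deep analysis on the survivors only. The model must return a JSON
// array of findings, each citing a section id and an exact quote from it.
function deepAnalysis(control: string, sections: Section[], strongModel: Model): Finding[] {
  const raw = strongModel(JSON.stringify({ control, sections }));
  return JSON.parse(raw) as Finding[];
}

// Stage 05: self-verification, done deterministically here. A finding survives
// only if its cited section exists and the quote appears verbatim in it; this
// is what stops a hallucinated citation from reaching a report.
function verifyFindings(findings: Finding[], corpus: Section[]): { kept: Finding[]; rejected: Finding[] } {
  const byId = new Map<string, Section>();
  for (const s of corpus) byId.set(s.id, s);
  const kept: Finding[] = [];
  const rejected: Finding[] = [];
  for (const f of findings) {
    const src = byId.get(f.evidence.sectionId);
    const grounded = src !== undefined && src.text.includes(f.evidence.quote);
    (grounded ? kept : rejected).push(f);
  }
  return { kept, rejected };
}

// Stage 07: nothing is client-ready until a named reviewer approves it.
function signOff(findings: Finding[], reviewer: string, approve: (f: Finding) => boolean): Approved[] {
  return findings.filter(approve).map((f) => ({ ...f, approvedBy: reviewer }));
}

type PipelineResult = { approved: Approved[]; rejected: Finding[]; survivors: string[]; tokenReduction: number };

function runPipeline(control: string, keywords: string[], corpus: Section[],
                     models: { cheap: Model; strong: Model },
                     reviewer: string, approve: (f: Finding) => boolean): PipelineResult {
  const narrowed = localFilter(corpus, keywords);                    // 02
  const survivors = triage(narrowed, models.cheap);                   // 03
  const findings = deepAnalysis(control, survivors, models.strong);   // 04
  const { kept, rejected } = verifyFindings(findings, corpus);        // 05
  const approved = signOff(kept, reviewer, approve);                  // 07
  const tokenReduction = 1 - estimateTokens(survivors) / estimateTokens(corpus);
  return { approved, rejected, survivors: survivors.map((s) => s.id), tokenReduction };
}

// Constructed sample corpus (synthetic, not client data).
const CORPUS: Section[] = [
  { id: "pol-01", text: "Access control policy: all staff authenticate with MFA." },
  { id: "pol-02", text: "Backup policy: backups run weekly; restore tests are not scheduled." },
  { id: "ir-01", text: "Incident plan: on an outage, engineering will recover service from backups." },
  { id: "hr-01", text: "Onboarding checklist: laptops are issued with full-disk encryption." },
  { id: "fac-01", text: "Office lease renewal terms and parking allocation." },
];

// Constructed stand-ins for the two Claude stages. The "strong" one returns one
// grounded finding and one whose citation points at a section that does not exist.
const cheapStandIn: Model = (prompt) => (/policy/i.test(prompt) ? "yes" : "no");
const strongStandIn: Model = () => JSON.stringify([
  { control: "PR.DS-11", gap: "Restore tests are not performed.",
    evidence: { sectionId: "pol-02", quote: "restore tests are not scheduled" } },
  { control: "PR.DS-11", gap: "Backups are stored unencrypted.",
    evidence: { sectionId: "pol-07", quote: "backups are stored unencrypted" } },
]);

function demo(): PipelineResult {
  return runPipeline("PR.DS-11", ["backup", "restore"], CORPUS,
    { cheap: cheapStandIn, strong: strongStandIn }, "consultant@example.com", () => true);
}
```

Running `demo()` narrows five sections to one survivor (`pol-02`), keeps the grounded finding, rejects the one citing the non-existent `pol-07`, and reports a token reduction well above 50% on this corpus; a production version would additionally compare the rejected list against the model's own self-verification pass rather than rely on the string check alone.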

    • Frameworks: 5 (NIST / CIS / ISO / SOC 2 / CMMC)
    • Every finding: cites evidence + human sign-off
    • Tenant isolation: Supabase RLS (client/internal)
    • AI token reduction: ~80% vs. full-doc-context baseline

    What I'd improve

    Add a Bastion-specific evaluation harness for the gap-analysis output: a 20-case golden set against real NIST CSF 2.0 controls so a prompt or model change is scored before it reaches a client report. The eval methodology is already built (see the Eval Gauntlet project — 24-case golden set, 4 scorers, regression-tested LLM output pipeline); the next step is a domain-specific benchmark for gap-finding precision/recall.
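The gap-finding precision/recall benchmark described above, as an added TypeScript example that is neither Bastion's nor the Eval Gauntlet project's code. It scores a golden set of cases (each listing the control ids that should be flagged) against the pipeline's predictions, micro-averages precision, recall and F1, and gates a prompt or model change on not regressing below a baseline. The golden set, predictions, baseline numbers and the 3-case size are constructed for the example; the control ids follow NIST CSF 2.0 naming but the cases are made up.

```typescript
// Added example (not Bastion's or Eval Gauntlet's code): a golden-set scorer
// for gap-finding precision/recall plus a regression gate, so a prompt or
// model change can be scored before its output reaches a client report.

type GoldenCase = { caseId: string; expectedGaps: string[] }; // control ids that should be flagged
type Prediction = { caseId: string; foundGaps: string[] };     // control ids the pipeline flagged
type Counts = { tp: number; fp: number; fn: number };
type Score = Counts & { precision: number; recall: number; f1: number };

// Per-case confusion counts. Duplicates inside a prediction count once.
function countCase(expected: string[], found: string[]): Counts {
  const exp = new Set(expected);
  const got = new Set(found);
  let tp = 0, fp = 0, fn = 0;
  got.forEach((g) => { if (exp.has(g)) tp++; else fp++; });
  exp.forEach((e) => { if (!got.has(e)) fn++; });
  return { tp, fp, fn };
}

// Precision/recall/F1 with the usual conventions for empty denominators.
function toScore(c: Counts): Score {
  const precision = c.tp + c.fp === 0 ? 1 : c.tp / (c.tp + c.fp);
  const recall = c.tp + c.fn === 0 ? 1 : c.tp / (c.tp + c.fn);
  const denom = 2 * c.tp + c.fp + c.fn;
  const f1 = denom === 0 ? 1 : (2 * c.tp) / denom;
  return { ...c, precision, recall, f1 };
}

// Micro-averaged score over the whole set. A golden case with no prediction is
// scored as if the pipeline found nothing: every expected gap is a false negative.
function scoreGoldenSet(golden: GoldenCase[], predictions: Prediction[]): { overall: Score; perCase: Record<string, Score> } {
  const byCase = new Map<string, string[]>();
  for (const p of predictions) byCase.set(p.caseId, p.foundGaps);
  const total: Counts = { tp: 0, fp: 0, fn: 0 };
  const perCase: Record<string, Score> = {};
  for (const g of golden) {
    const c = countCase(g.expectedGaps, byCase.get(g.caseId) ?? []);
    perCase[g.caseId] = toScore(c);
    total.tp += c.tp; total.fp += c.fp; total.fn += c.fn;
  }
  return { overall: toScore(total), perCase };
}

// Regression gate: fail the change if precision or recall fell more than
// `tolerance` below the recorded baseline.
function regressionGate(baseline: { precision: number; recall: number }, candidate: Score,
                        tolerance: number): { pass: boolean; reasons: string[] } {
  const reasons: string[] = [];
  if (candidate.precision < baseline.precision - tolerance)
    reasons.push(`precision ${candidate.precision.toFixed(3)} below baseline ${baseline.precision.toFixed(3)}`);
  if (candidate.recall < baseline.recall - tolerance)
    reasons.push(`recall ${candidate.recall.toFixed(3)} below baseline ${baseline.recall.toFixed(3)}`);
  return { pass: reasons.length === 0, reasons };
}

// Constructed golden set and predictions (synthetic). Case B includes a false
// positive and a duplicate; case C misses one expected gap.
const GOLDEN: GoldenCase[] = [
  { caseId: "A", expectedGaps: ["PR.DS-11", "GV.OC-01"] },
  { caseId: "B", expectedGaps: ["RC.RP-01"] },
  { caseId: "C", expectedGaps: ["DE.CM-01", "ID.RA-01"] },
];
const PREDICTIONS: Prediction[] = [
  { caseId: "A", foundGaps: ["PR.DS-11", "GV.OC-01"] },
  { caseId: "B", foundGaps: ["RC.RP-01", "PR.AA-05", "PR.AA-05"] },
  { caseId: "C", foundGaps: ["DE.CM-01"] },
];

// Constructed baseline numbers for the gate.
const BASELINE = { precision: 0.85, recall: 0.75 };

function evaluate(): { score: Score; gate: { pass: boolean; reasons: string[] } } {
  const { overall } = scoreGoldenSet(GOLDEN, PREDICTIONS);
  return { score: overall, gate: regressionGate(BASELINE, overall, 0.02) };
}
```

On this constructed set the candidate scores 0.8 precision / 0.8 recall (tp 4, fp 1, fn 1); with a baseline of 0.85 precision the gate fails on precision alone, which is the signal you want before a prompt change ships.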

    © 2026 Karim Semaan. Built with Next.js, Tailwind & Supabase.