Threat Trace: An IoT Forensic Simulator Powered by Gemma 4 — Key Questions Answered

Threat Trace is an IoT forensic investigation simulator that turns any incident scenario into a six-stage, interactive case study. Built on Gemma 4 31B Dense, it generates a complete investigation (evidence, decision points, consequences, and a downloadable forensic report) from a single API call. It is designed for small IT teams and resource-constrained environments, especially in the Caribbean, and relies on Gemma 4's large context window and structured output to deliver realistic training without an expensive lab setup. Below we answer common questions about its design, its use of Gemma 4, and its real-world applications.

What Exactly Is Threat Trace and How Does It Work?

Threat Trace is a browser-based training tool that simulates a full IoT forensic investigation. You describe an incident, such as a suspicious smart water pressure sensor at a children's hospital, and Gemma 4 31B Dense generates the entire case in one shot: all six stages, each with evidence, decision points, and consequences. No further API calls are made during gameplay because the whole investigation is precomputed and cached, so responses are instant and each replay costs nothing beyond the original generation. The simulator is built for people without access to expensive forensic labs, particularly small IT teams in Caribbean institutions that face common IoT incidents and must meet reporting requirements for bodies like the JCF Cybercrime Unit.

Threat Trace: An IoT Forensic Simulator Powered by Gemma 4 — Key Questions Answered
Source: dev.to

How Does Gemma 4 31B Dense Power the Simulator?

Gemma 4 31B Dense is the core engine. All of the heavy computation happens when you submit a scenario: one API call produces the complete investigation, meaning every stage, choice, consequence, narrative, and the final report. We call this architecture "front-load everything"; because nothing is generated at runtime, gameplay is instantaneous. Gemma 4's thinking mode, combined with forcing the output into the required JSON shape, is what makes this reliable: the game state depends on a parsable response, and in our testing parse failures ran around 50% without thinking mode and close to zero with it. A response that parses can still be structurally wrong (a missing stage, a choice whose next step points nowhere), so it is worth validating the parsed object against the expected case structure before it becomes game state. Because Gemma 4 is an open-weights model, there are no closed APIs, licensing fees, or access barriers for underserved communities.
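As an added illustration of the front-load-everything flow (example code, not Threat Trace's own implementation), the block below takes one model reply, extracts the JSON, and refuses anything that would not produce a playable six-stage case. The reply shape (a fenced JSON object after any reasoning text) and the case schema (`stages`, `evidence`, `choices` carrying `consequence`, `custody_break` and `next`) are assumptions; the sample reply is constructed, not real Gemma 4 output.

```python
"""Parse and validate a precomputed six-stage case from one model response.

Added example. The fenced-JSON response shape and the case schema (stages,
evidence, choices with consequence/custody_break/next) are assumptions,
not Threat Trace's own format.
"""
import json
import re

NUM_STAGES = 6
TERMINALS = {"end", "derail"}          # a choice may end or derail the case
FENCE = "`" * 3                         # built at runtime so the example has no literal fence


class CaseParseError(ValueError):
    """Raised when the model output cannot become a playable case."""


def extract_json(raw: str) -> str:
    """Pull the JSON payload out of a reply that may carry reasoning text or a fence."""
    fenced = re.search(FENCE + r"(?:json)?\s*(\{.*?\})\s*" + FENCE, raw, re.S)
    if fenced:
        return fenced.group(1)
    start, end = raw.find("{"), raw.rfind("}")   # fallback: outermost braces
    if start == -1 or end <= start:
        raise CaseParseError("no JSON object in response")
    return raw[start:end + 1]


def validate_case(case) -> dict:
    """Reject anything the game engine could not walk: wrong stage count,
    missing evidence or choices, or a `next` that points at no stage."""
    if not isinstance(case, dict):
        raise CaseParseError("top level must be an object")
    stages = case.get("stages")
    if not isinstance(stages, list) or len(stages) != NUM_STAGES:
        raise CaseParseError(f"expected {NUM_STAGES} stages")
    if not all(isinstance(s, dict) for s in stages):
        raise CaseParseError("every stage must be an object")
    ids = {s.get("id") for s in stages}
    if ids != set(range(1, NUM_STAGES + 1)):
        raise CaseParseError(f"stage ids must be 1..{NUM_STAGES}")
    for s in stages:
        if not s.get("evidence"):
            raise CaseParseError(f"stage {s['id']} has no evidence")
        if not s.get("choices"):
            raise CaseParseError(f"stage {s['id']} has no choices")
        for c in s["choices"]:
            missing = {"label", "consequence", "custody_break", "next"} - set(c)
            if missing:
                raise CaseParseError(f"stage {s['id']} choice missing {sorted(missing)}")
            if c["next"] not in TERMINALS and c["next"] not in ids:
                raise CaseParseError(f"stage {s['id']} choice points at {c['next']!r}")
    if not re.fullmatch(r"T\d{4}(?:\.\d{3})?", str(case.get("technique", ""))):
        raise CaseParseError("technique must be an ATT&CK id such as T1041")
    return case


def parse_case(raw: str) -> dict:
    """One call: reply text in, validated case dict out (or CaseParseError)."""
    try:
        case = json.loads(extract_json(raw))
    except json.JSONDecodeError as exc:
        raise CaseParseError(f"unparsable JSON: {exc.msg} at char {exc.pos}") from exc
    return validate_case(case)


def build_sample_response(truncate: bool = False) -> str:
    """Constructed stand-in for a model reply (not real Gemma 4 output)."""
    stages = []
    for i in range(1, NUM_STAGES + 1):
        nxt = "end" if i == NUM_STAGES else i + 1
        stages.append({"id": i, "title": f"Stage {i}",
                       "evidence": [f"artefact collected at stage {i}"],
                       "choices": [
                           {"label": "Follow procedure", "consequence": "Evidence preserved",
                            "custody_break": False, "next": nxt},
                           {"label": "Skip the custody log", "consequence": "Item inadmissible",
                            "custody_break": True, "next": "derail"}]})
    case = {"incident": "Smart water pressure sensor sends encrypted packets "
                        "during 1AM-3AM maintenance windows",
            "technique": "T1041", "stages": stages}
    body = json.dumps(case, indent=1)
    if truncate:                       # simulate a reply cut off mid-object
        body = body[: len(body) // 2]
    return f"Reasoning about the incident first.\n{FENCE}json\n{body}\n{FENCE}\n"


if __name__ == "__main__":
    case = parse_case(build_sample_response())
    print(f"playable case with {len(case['stages'])} stages, technique {case['technique']}")
```

A truncated reply, or one whose choice points at a stage that does not exist, is rejected before it can become game state; the caller can then retry the generation rather than ship a case that breaks mid-investigation.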

Why Was the 256K Context Window Crucial for This Project?

IoT incidents are rarely simple; they involve logs from multiple devices, network captures, firmware dumps, and infrastructure context. Gemma 4's 256K context window lets the model hold the entire incident description and the generated investigation in one prompt and reason across all of it coherently, a capacity few open-weight models match. For example, a scenario about a smart water pressure sensor at a hospital might include encrypted packets, maintenance logs, nurse observations, and network flow data. The 256K window lets Gemma connect those dots and map the behavior to ATT&CK technique T1041 (Exfiltration Over C2 Channel) without dropping any of the evidence. One caveat: a large window means every detail is available to the model, not that every detail is weighted equally, so a generated case should still be read against the evidence that was supplied. This breadth is essential for realistic forensic simulations.

How Does the Simulation Handle Wrong Decisions and Chain of Custody?

Each investigation stage presents a choice with real consequences. If you make a wrong call—like mishandling evidence or breaking the chain of custody—the simulation adapts. Contaminated evidence might become inadmissible, or the case could completely derail, requiring a restart. This isn’t a quiz; it’s a dynamic training tool that teaches proper forensic procedure. Gemma 4 precomputes every possible outcome for each decision point, so the game responds instantly. The final forensic report reflects your choices, highlighting mistakes and their impact. This design helps users internalize best practices without real-world risk, ideal for small IT teams that rarely get hands-on forensic training.


Can You Share a Real-World Example of Threat Trace in Action?

When we tested the tool with the scenario “A smart water pressure sensor at a children's hospital in Mandeville began sending encrypted packets during maintenance windows—always 1AM–3AM, never consecutive nights. A nurse in the maternity ward noticed hot water pressure dropped every time the anomaly occurred.”, Gemma 4 immediately mapped it to T1041 (Exfiltration Over C2 Channel). It built the entire case around an Industrial IoT water pressure sensor, generating real evidence like network logs and firmware analysis. But the model went further: it connected the timing to hospital maintenance schedules, the water pressure drops to actual patient impact, and the encrypted packets to a C2 server. The depth of reasoning—devices, infrastructure, human observations—was surprising and validates the 256K context approach.

How Does Threat Trace Cater to Caribbean Institutional Needs?

Threat Trace was built specifically for the Caribbean context: small IT teams, limited hardware budgets, and reporting requirements from entities like the JCF Cybercrime Unit. Traditional forensic labs are expensive and rarely accessible. By running on Gemma 4 (an open-weights model) and caching each case after a single API call, the tool costs one generation per scenario and nothing per replay, which suits resource-constrained environments. The scenarios are also tailored to incidents that occur in the region, such as smart water sensor exploits in hospitals or attacks on agricultural IoT. This combination of low cost, realistic training, and reports shaped to local reporting expectations makes Threat Trace a practical way to build forensic readiness.

What Does the Downloadable Forensic Report Include?

After the six-stage investigation is complete, Threat Trace generates a downloadable forensic report that mirrors real-world formats. It includes an incident summary, the evidence collected (with chain-of-custody status for each item), analysis of findings tied to ATT&CK techniques, the decisions made and their consequences, and recommendations. The format is designed to match what authorities like the JCF Cybercrime Unit expect, so the habit of producing it transfers to real cases; the report from a simulated scenario is itself a training artifact and describes no real incident. If you made mistakes along the way, the report calls out the lapses, such as a broken custody chain or corrupted evidence, so you can learn from them. This end-to-end documentation turns the simulation from a game into a genuine training and reference artifact.
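The decision-and-consequence handling described under "How Does the Simulation Handle Wrong Decisions and Chain of Custody?" and the report structure just described, as one added example (not the project's engine): evidence is hashed at acquisition and re-hashed at every handoff, precomputed choices flagged `custody_break` strip admissibility from that stage's evidence, a `derail` branch ends the run until a restart, and the closing report lists evidence with custody status, decisions, lapses and recommendations. The case schema, evidence bytes and report layout are constructed assumptions.

```python
"""Walk a precomputed case with a hash-backed chain-of-custody ledger and
build the closing report. Added example, not Threat Trace's own engine: the
case schema (choices carrying `custody_break` and `next`), the evidence
bytes and the report layout are assumptions."""
import hashlib
from dataclasses import dataclass, field

# Constructed evidence names, one per stage.
EVIDENCE = ["nurse log", "firmware dump", "network flow export", "config backup",
            "maintenance schedule", "C2 packet capture"]

@dataclass
class EvidenceItem:
    content: bytes
    sha256: str                                  # digest taken at acquisition
    custody: list = field(default_factory=list)  # (handler, action, digest seen)
    admissible: bool = True

class Investigation:
    def __init__(self, case: dict):
        self.case = case
        self.stages = {s["id"]: s for s in case["stages"]}
        self.current, self.status = 1, "open"    # status: open | complete | derailed
        self.evidence, self.decisions, self.lapses = {}, [], []

    def acquire(self, name: str, content: bytes, handler: str) -> str:
        """Hash at acquisition; every later handoff is checked against this digest."""
        digest = hashlib.sha256(content).hexdigest()
        self.evidence[name] = EvidenceItem(content, digest, [(handler, "acquired", digest)])
        return digest

    def transfer(self, name: str, from_handler: str, to_handler: str) -> bool:
        item = self.evidence[name]
        seen = hashlib.sha256(item.content).hexdigest()   # re-hash on every handoff
        item.custody.append((to_handler, f"received from {from_handler}", seen))
        if seen != item.sha256:                            # mismatch: custody is broken
            item.admissible = False
            self.lapses.append(f"{name}: hash changed between {from_handler} and {to_handler}")
        return item.admissible

    def decide(self, choice_index: int) -> str:
        """Apply a precomputed choice; nothing here calls the model."""
        if self.status != "open":
            raise RuntimeError(f"investigation is {self.status}; restart to continue")
        stage = self.stages[self.current]
        choice = stage["choices"][choice_index]
        self.decisions.append((self.current, choice["label"], choice["consequence"]))
        if choice["custody_break"]:              # this stage's items lose admissibility
            for name in stage["evidence"]:
                if name in self.evidence:
                    self.evidence[name].admissible = False
            self.lapses.append(f"stage {self.current}: {choice['consequence']}")
        nxt = choice["next"]
        if nxt in ("end", "derail"):
            self.status = "complete" if nxt == "end" else "derailed"
        else:
            self.current = nxt
        return self.status

    def report(self) -> dict:
        """Summary, evidence with custody status, decisions, lapses and recommendations."""
        recs = []
        if any(l.startswith("stage ") for l in self.lapses):
            recs.append("Log every copy or handling step before acting on an item.")
        if any("hash changed" in l for l in self.lapses):
            recs.append("Re-hash at each handoff and compare with the acquisition digest.")
        return {"incident_summary": self.case["incident"], "technique": self.case["technique"],
                "status": self.status, "lapses": list(self.lapses),
                "evidence": [{"name": n, "sha256": e.sha256, "admissible": e.admissible,
                              "custody_entries": len(e.custody)} for n, e in self.evidence.items()],
                "decisions": [{"stage": s, "choice": c, "consequence": q} for s, c, q in self.decisions],
                "recommendations": recs or ["No custody lapses recorded."]}

def build_case() -> dict:
    """Constructed six-stage case in the assumed schema (not model output)."""
    stages = []
    for i, item in enumerate(EVIDENCE, start=1):
        nxt = "end" if i == len(EVIDENCE) else i + 1
        stages.append({"id": i, "evidence": [item], "choices": [
            {"label": "Image, hash and log the item", "consequence": "Evidence preserved",
             "custody_break": False, "next": nxt},
            {"label": "Copy it to a shared drive unlogged", "consequence": "Custody gap; item inadmissible",
             "custody_break": True, "next": nxt},
            {"label": "Reflash the sensor to restore service", "consequence": "Original firmware destroyed",
             "custody_break": True, "next": "derail"}]})
    return {"incident": "Smart water pressure sensor sends encrypted packets in 1AM-3AM windows",
            "technique": "T1041", "stages": stages}

def run_demo() -> dict:
    """Scripted playthrough: one unlogged copy at stage 2, then one tampered handoff."""
    inv = Investigation(build_case())
    for stage_id in range(1, len(EVIDENCE) + 1):
        for name in inv.stages[stage_id]["evidence"]:
            inv.acquire(name, f"constructed bytes for {name}".encode(), "first responder")
        inv.decide(1 if stage_id == 2 else 0)
    inv.evidence["network flow export"].content = b"edited in transit"   # constructed tampering
    inv.transfer("network flow export", "first responder", "analyst")
    return inv.report()
```

In the scripted run the firmware dump is lost to an unlogged copy and the flow export to a hash mismatch on handoff, so the report marks both inadmissible and its recommendations follow from the recorded lapses; choosing the reflash branch at any stage derails the case and further decisions are refused until a restart.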
