An open-source SOC for businesses that can't afford a £15k/month MSSP.
Quick Start | The Stack | Use Cases | Deployment | NIST CSF | ISO 27001
Enterprise SOCs run on six-figure tooling. SMBs run on antivirus and hope for the best. This project is the bridge — a fully functional, automated SOC built entirely on free, open-source tools. Logs in, enriched incidents out, IPs blocked, accounts disabled, no licensing fees.
It takes you from "something might be wrong" to "here's what's wrong, why it matters, what to do next."
| Tool | Role | Why |
|---|---|---|
| OPNsense | Firewall + IPS | Purpose-built firewall with inbuilt Suricata rules |
| Wazuh | SIEM / XDR | Log collection, rule-based detection and vulnerability scanning |
| n8n | SOAR automation | Workflow engine; integrates with every tool via REST |
| MISP | Threat intelligence | Internal IOC database with feed ingestion |
| DFIR IRIS | Case management | Incident tracking from triage to closure |
| Ansible | Configuration management / IaC | Agentless playbooks for provisioning and patching |
| Prometheus | Metrics collection | Scrapes CPU, memory, disk, and service health |
| Grafana | Dashboards / visualisation | Turns Prometheus metrics into infrastructure health and telemetry |
Each tool runs as a Docker Compose stack on its own VM. Reasoning: Deployment/00-prerequisites.md.
A single-pane dashboard for quick access to every tool in the stack. If you want a simpler, ready-made alternative, Homepage is a lightweight self-hosted dashboard that integrates with most of the stack out of the box and deploys as an additional Docker Compose service.
| Solution | Cost | What You Get |
|---|---|---|
| MSSP "SIEM" subscription | £120k–£240k/year | Repackaged tooling + support |
| Enterprise security stack | £20k–£100k+/year | Full ecosystem, if you can afford it |
| The Bridge Between | £0 licensing | Fully functional SOC stack |
The stack can run a a couple second-hand mini-PCs (Lenovo M920q, HP EliteDesk, Dell Optiplex) with 32–64 GB RAM. Everything else is free.
- 00 — Prerequisites — hardware, hypervisor, network plan, VM provisioning
- 01 — OPNsense — firewall, VLANs, Suricata IDS, syslog forwarding
- 02 — Wazuh — SIEM stack, agent enrolment, syslog receiver
- 03 — n8n — SOAR engine, credentials, Wazuh webhook integration
- 04 — MISP — threat intel platform, feed configuration, API key
- 05 — DFIR IRIS — case management, customer setup, API key
- 06 — Integration — end-to-end pipeline wiring and live test
- 07 — Ansible — playbooks for provisioning, patching, and hardening
- 08 — Prometheus + Grafana — infrastructure metrics and SOC dashboards
- 09 — Hardening — TLS, credential rotation, ufw tuning
Estimated deployment time: a week, assuming prerequisites are in place.
- End-to-end SOC pipeline — detection to enriched incident in under 15 seconds
- Real automation — n8n actively blocks IPs via OPNsense, disables accounts via Entra, and revokes sessions; not just "sends an email"
- Threat intel integration — AbuseIPDB, OTX AlienVault, abuse.ch (MalwareBazaar / ThreatFox), and MISP all feed enrichment decisions before any case is opened
- Infrastructure as code — Ansible playbooks provision, patch, and harden the full stack; Proxmox cron handles VM snapshots for rollback
- Full-stack observability — Prometheus scrapes every VM; Grafana surfaces infrastructure health and security telemetry side-by-side
- Compliance alignment — full mapping to NIST CSF (all five functions) and ISO 27001 controls
- Realistic use cases — brute force, account compromise, malicious file download, and C2 beaconing; all fully documented with payloads and timelines
| Scenario | Source | MITRE Technique | Automated MTTR |
|---|---|---|---|
| RDP Brute Force | Wazuh rule 60106 | T1110 | ~9 sec |
| Suspicious Login | M365 / Entra | T1078, T1110.004 | ~11 sec |
| Malicious File Download | Wazuh FIM + abuse.ch MalwareBazaar | T1566.002, T1204.002 | ~14 sec |
| C2 Beaconing | Suricata ET rules | T1071.001, T1571 | ~8 sec |
| Area | Improvement | Status |
|---|---|---|
| IaC | Ansible playbooks for provisioning, patching, and hardening | Complete |
| IaC | Proxmox cron snapshot strategy for rollback | Complete |
| Monitoring | Grafana + Prometheus for infrastructure metrics | Complete |
| Compliance | CIS Benchmark checks via Wazuh SCA | Planned |
| Metrics | MTTD / MTTR tracking dashboards | Planned |
| Response | Automated endpoint isolation via Wazuh active response | Planned |
| Threat Intel | Automated IOC ingestion from external MISP feeds | Planned |
| Correlation | Improved multi-source alert correlation rules | Planned |
Built and maintained by Tidjani Lamour, Cyber Security Professional.
If this project is useful to you, star the repo.

