Open-Source Security Operations

The Bridge
Between

Enterprise-grade Security Operations, built entirely on free, open-source tools. Bridging the gap between those who can afford security — and those who can't.

Explore the Stack View on GitHub ↗

Security shouldn't be a luxury

Enterprise companies run full-scale Security Operations Centres with tools costing more than a deposit on a house. Meanwhile, small to medium businesses rely on basic antivirus and hope for the best.

This project exists to close that gap — showing that you can build a functional, realistic SOC environment using only free, open-source tooling. Logs collected. Suspicious activity detected. Alerts enriched with real threat intelligence. Incidents tracked properly, not left to gather dust in a dashboard.

The name reflects a simple truth — this project stands as the bridge between those who can afford enterprise security, and those who can't.

In plain English

It takes you from "something might be wrong" to "here's what's wrong, why it matters, and exactly what to do next" — without spending a penny on licensing.

What this demonstrates
  • Functional, realistic SOC environment
  • Automated investigation workflows
  • Structured, repeatable incident response
  • Infrastructure as code — repeatable, version-controlled deployments
  • Full-stack observability via Grafana and Prometheus
  • Zero licensing cost

Specialised tools that actually do their job

Instead of one expensive "do everything" platform, this project uses a focused stack where each tool is best-in-class at its specific role.

Wazuh
Wazuh
SIEM · XDR · Vulnerability Detection
Collects logs from across your environment, performs file integrity monitoring, vulnerability scanning, and rule-based detection — a single agent doing the work of four tools.
n8n
n8n
SOAR · Automation
Self-hosted, code-optional workflow engine. Actively blocks IPs via OPNsense, disables accounts via Entra, and revokes sessions — not just "sends an email".
DFIR IRIS
DFIR IRIS
Case Management
Structured incident tracking from triage to closure — with timeline, assets, and IOC links. The way a real SOC operates, not a dashboard of ignored notifications.
OPNsense
OPNsense
Firewall · IDS · Network Segmentation
Purpose-built firewall distro with deep packet inspection via Suricata and ET Open signatures. Controls segmentation and feeds network telemetry directly into the SIEM.
MISP
MISP
Threat Intelligence
Internal IOC database with feed ingestion. Every confirmed indicator feeds future detections, alongside live VirusTotal and AbuseIPDB enrichment.
Grafana
Grafana
Dashboards · Visualisation
Homelab dashboards turn raw Prometheus metrics into something you can read at a glance — system health, capacity trends, and security telemetry side-by-side.
Prometheus
Prometheus
Metrics · Time-Series Database
Pull-based metrics collection across the homelab — CPU, memory, disk, service health. The raw heartbeat data that powers every infrastructure dashboard.
Ansible
Ansible
Configuration · Patching · IaC
Agentless configuration management for the whole stack. Repeatable playbooks for patching, hardening, and snapshot rollback — infrastructure as code, not tribal knowledge.
Cost Comparison
SolutionCost (Approx)What you get
MSSP "SIEM" subscription £120k–£240k / year Repackaged open-source tooling with a support contract
Enterprise Security Stack £20k–£100k+ / year Full ecosystem — if you can actually afford it
The Bridge Between £0 licensing + ~£500 hardware Fully functional SOC stack on a couple of second-hand mini-PCs. One-off cost.

Real attacks, real automation

Each scenario is fully documented with payloads, timelines, and MITRE mappings — automated detection to enriched incident in seconds, not hours.

RDP Brute Force
MTTR ~9s
Wazuh Rule 60106
Failed authentication patterns detected, source IP enriched against threat intel, then blocked at the OPNsense edge automatically.
T1110
Suspicious Login
MTTR ~11s
M365 / Entra ID
Anomalous sign-in detected from M365 logs. Account is disabled and sessions revoked via Entra before the attacker can act.
T1078 · T1110.004
Malicious File Download
MTTR ~14s
Wazuh FIM + VirusTotal
File integrity monitoring catches the drop, hash is checked against VirusTotal and MISP, and a case is opened in DFIR IRIS with full context.
T1566.002 · T1204.002
C2 Beaconing
MTTR ~8s
Suricata · ET Open Rules
Suricata flags command-and-control traffic patterns. Destination IP is enriched, blocked, and the source host is flagged for investigation.
T1071.001 · T1571

Built to be taught, not just deployed

Every decision in this project is documented with the intent of teaching. Whether you're a student, a small business owner, or a career-changer — this is meant for you.

01
Understand the why
Every tool choice is explained in plain terms. No jargon gates. No assumed knowledge. You'll know why each component exists and what breaks if you remove it.
02
Follow the flow
The architecture is designed to be walked through end-to-end — from a log being generated on an endpoint, all the way to an incident being created in DFIR IRIS.
03
Replicate it yourself
Every component runs on free tooling. You don't need enterprise hardware or a company budget. A few VMs and some curiosity is all it takes to follow along.

Continuously evolving

The bridge is still being built. Here's what's coming next.

Compliance Checks CIS Benchmark scanning via Wazuh Security Configuration Assessment.
MTTD / MTTR Dashboards Tracking mean time to detect and respond — making performance measurable, not just visible.
Endpoint Isolation Automated response to isolate compromised endpoints via Wazuh active response before lateral movement can occur.
External MISP Feed Ingestion Automated ingestion of indicators of compromise from external threat intelligence feeds.
Multi-source Alert Correlation Improved logic to connect related events across multiple log sources into unified incidents.