
BUILDING A SOC (1/4): Why we need a SOC - and where to start

As Cybersecurity Awareness Month unfolds, we’re launching a short blog series on a topic that’s often mentioned but rarely demystified - building a Security Operations Centre (SOC). Over the coming weeks, we’ll explore how to set up a SOC step by step, using open-source tools, realistic budgets, and local expertise.


What a SOC is - and why it matters


A Security Operations Centre is the heartbeat of any serious cyber defence capability. Its purpose is not simply to “watch logs,” but to monitor, detect, and respond to cyber threats in real time.


For organisations in Bosnia and Herzegovina — from academia and media to SMEs — a SOC is the next logical step toward structured cyber resilience and compliance with regulations such as NIS2 and GDPR (Article 32).


The BiH reality: limited resources, strong potential


Bosnia and Herzegovina still lacks a national framework for centralised security monitoring. But that doesn’t mean building a SOC is out of reach. On the contrary — open-source ecosystems make it entirely feasible to launch a functioning SOC with modest budgets. What’s needed are people, processes, and clear design principles.


This is where CSEC fits in — bridging technology, community, and practice.


Our existing resources — the DecoyNet honeypot network, ShadowServer data for BiH, and CVE Tracker — already form the nucleus of an operational monitoring environment. These datasets and tools offer precisely the kind of visibility that any SOC needs for threat detection, correlation, and incident analysis.


The first step: define purpose and scope


Building a SOC doesn’t start with software installation — it starts with a question:

“What exactly are we trying to protect, and why?”


Is the goal to protect academic networks? Civil society? Small businesses? The answers shape your SOC’s architecture, staffing, and cost.


Our approach: small steps, measurable impact


In this series, we’ll show how to begin with a minimal yet functional model — a SOC-as-a-lab — and gradually evolve it into a full-fledged operational centre. We’ll explore how open-source tools (like Wazuh, TheHive, Cortex, MISP, Zeek, and Velociraptor) can deliver visibility and detection power without commercial licence costs.


What comes next


Our next post, “From Logs to Response: The Anatomy of a Modern SOC”, will unpack the SOC’s core functions and architecture. We’ll then move on to a practical open-source SOC blueprint and local implementation guidance.


Our goal is simple: to show that building a SOC is not a luxury but an achievable step toward resilience, even with limited funds and resources, and even in Bosnia and Herzegovina.
