Building a SOC (3/4): A SOC that Fits - Open-Source Blueprint
- Predrag Puharic
- 3 days ago
- 3 min read
Why Open-Source?
For most organisations in Bosnia and Herzegovina – especially in academia, civil society, and the SME sector – the biggest obstacles to establishing a SOC are not threats, but cost and staffing. Commercial SIEM and SOAR platforms can cost tens of thousands of euros per year, which is simply unrealistic for local budgets.
The solution? An open-source SOC, built gradually, focusing on interoperability and community.
Core idea: Instead of one central, monolithic product, an open-source SOC is made up of modular components that connect into a functional whole.
Core Layers of an Open-Source SOC
1. Log Collection and Processing – Wazuh and the ELK Stack
Wazuh is an open-source SIEM that provides agent-based log collection, threat detection, and event correlation. It is built on the ELK Stack (Elasticsearch, Logstash, Kibana), offering scalable analytics and visualisation without commercial licence costs.
Key benefits:
Centralised log collection (servers, endpoints, networks).
IDS/IPS integrations (e.g. Suricata).
Customisable dashboards.
Built-in vulnerability detection.
CSEC integration: Data from ShadowServer and the CSEC CVE Tracker can be correlated in Wazuh to identify vulnerable systems in Bosnia and Herzegovina.
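To make the correlation idea concrete, here is an added example (not CSEC's or Wazuh's own code) that matches Wazuh vulnerability alerts against a CVE watchlist such as an export from the CSEC CVE Tracker. The alert field layout (agent.name, data.vulnerability.cve/severity/package.name) follows the Wazuh 4.x vulnerability-detector alerts and is an assumption; the CVE ids, host names and watchlist notes are constructed placeholders. Malformed lines and non-vulnerability alerts are skipped rather than aborting the batch, which is what you want when reading a live alerts.json.

```python
"""Correlate Wazuh vulnerability alerts (NDJSON) with a CVE watchlist.

Added example, not CSEC's or Wazuh's code. Field names are an assumption
based on the Wazuh 4.x alert layout; all ids and hosts are constructed.
"""
import json
from collections import defaultdict

# Constructed sample alerts, one JSON document per line as in alerts.json.
SAMPLE_ALERTS = """\
{"agent":{"name":"web-01"},"data":{"vulnerability":{"cve":"CVE-2099-00001","severity":"Critical","package":{"name":"example-lib"}}}}
{"agent":{"name":"web-01"},"data":{"vulnerability":{"cve":"CVE-2099-00002","severity":"Medium","package":{"name":"other-lib"}}}}
{"agent":{"name":"mail-02"},"data":{"vulnerability":{"cve":"CVE-2099-00001","severity":"Critical","package":{"name":"example-lib"}}}}
{"agent":{"name":"mail-02"},"rule":{"description":"unrelated sshd alert"}}
this line is not JSON and must be skipped
"""

# Constructed watchlist standing in for a CVE Tracker export: CVE id -> note.
WATCHLIST = {
    "CVE-2099-00001": "tracker: actively exploited, patch available",
    "CVE-2099-00003": "tracker: no affected hosts expected",
}


def parse_alerts(ndjson):
    """Yield (agent, cve, severity, package) for well-formed vulnerability alerts."""
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it, keep processing the batch
        vuln = alert.get("data", {}).get("vulnerability")
        agent = alert.get("agent", {}).get("name")
        if not vuln or not agent or "cve" not in vuln:
            continue  # not a vulnerability-detector alert
        yield (
            agent,
            vuln["cve"],
            vuln.get("severity", "Unknown"),
            vuln.get("package", {}).get("name", "?"),
        )


def correlate(ndjson, watchlist):
    """Return {cve: {"note": ..., "hosts": [...]}} for watched CVEs seen on any agent."""
    hits = defaultdict(set)
    for agent, cve, _severity, _package in parse_alerts(ndjson):
        if cve in watchlist:
            hits[cve].add(agent)
    return {
        cve: {"note": watchlist[cve], "hosts": sorted(hosts)}
        for cve, hosts in hits.items()
    }


def unwatched_cves(ndjson, watchlist):
    """CVEs reported by Wazuh that the tracker does not list yet: candidates to add."""
    return sorted({cve for _a, cve, _s, _p in parse_alerts(ndjson) if cve not in watchlist})


if __name__ == "__main__":
    for cve, info in correlate(SAMPLE_ALERTS, WATCHLIST).items():
        print(f"{cve}: {len(info['hosts'])} host(s) {info['hosts']} - {info['note']}")
    print("seen by Wazuh but not in tracker:", unwatched_cves(SAMPLE_ALERTS, WATCHLIST))
```

The second function is the less obvious half of the loop: a tracker is only useful if the SIEM also tells you which CVEs it has started seeing that the tracker has not yet catalogued.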
2. Incident Management – TheHive and Cortex
TheHive is an open-source incident response platform that allows analysts to open, document, and track cases. It integrates seamlessly with Cortex, which automates the analysis of indicators (hashes, IPs, URLs).
Key benefits:
Fully web-based, lightweight deployment.
Compatible with MISP and Wazuh.
Enables structured workflows and collaborative response.
CSEC integration: TheHive could serve as CSEC’s central platform for managing incidents reported by academia, CSOs, and partners across the region.
3. Threat Intelligence – MISP (Malware Information Sharing Platform)
MISP enables organisations to share and correlate Indicators of Compromise (IoCs) and threat data. It connects local and global threat feeds and can integrate with SIEM and IR systems.
Key benefits:
Structured sharing using STIX/TAXII standards.
Easier collaboration with international CERT/CIRT teams.
Strengthens collective cyber resilience.
CSEC integration: CSEC already gathers real-world attack data through its DecoyNet honeypot network. These IoCs can be automatically pushed into MISP and shared with regional partners.
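The "automatically pushed into MISP" step, as an added example that is not DecoyNet's or MISP's own code: it parses honeypot hits, drops sources from the organisation's own address ranges (so internal scanners are never shared as IoCs), deduplicates, and builds the {"Event": {...}} document that MISP's REST API accepts on POST /events/add. The key=value log format and the internal ranges are assumptions; the addresses are TEST-NET and the hash is a placeholder, all constructed for this example. MISP's numeric codes used here: distribution 1 (this community only), threat_level_id 2 (medium), analysis 2 (completed).

```python
"""Build a MISP event from honeypot hits and (optionally) push it.

Added example, not CSEC's DecoyNet code. Log format and internal address
ranges are assumptions; sample data is constructed (TEST-NET IPs, placeholder hash).
"""
import ipaddress
import json
import urllib.request
from collections import Counter

# Constructed honeypot log: timestamp followed by key=value fields, one hit per line.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sensor=decoy-ssh-01 src=203.0.113.5 dport=22 event=login_attempt
2024-05-01T10:00:07Z sensor=decoy-ssh-01 src=203.0.113.5 dport=22 event=login_attempt
2024-05-01T10:02:15Z sensor=decoy-web-03 src=198.51.100.77 dport=80 event=download url=http://198.51.100.77/x.sh sha256=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
2024-05-01T10:03:00Z sensor=decoy-web-03 src=10.0.0.4 dport=80 event=download
garbage line without fields
"""

# Assumed: the organisation's own ranges; hits from here are never shared.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip_text):
    """True when the address is valid and outside INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def parse_hits(log_text):
    """Yield one dict per parsable hit; the timestamp is stored under 'ts'."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or "=" in parts[0]:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if "src" not in fields:
            continue
        fields["ts"] = parts[0]
        yield fields


def build_misp_event(log_text, info="DecoyNet honeypot hits"):
    """Return the {"Event": {...}} payload MISP accepts on POST /events/add."""
    hits = list(parse_hits(log_text))
    if not hits:
        raise ValueError("no parsable honeypot hits")
    ip_count = Counter(h["src"] for h in hits if is_external(h["src"]))
    attributes = []
    for ip, n in sorted(ip_count.items()):
        attributes.append({"type": "ip-src", "category": "Network activity",
                           "value": ip, "to_ids": True, "comment": f"{n} honeypot hit(s)"})
    for url in sorted({h["url"] for h in hits if "url" in h}):
        attributes.append({"type": "url", "category": "Payload delivery", "value": url, "to_ids": True})
    for sha in sorted({h["sha256"] for h in hits if "sha256" in h}):
        attributes.append({"type": "sha256", "category": "Payload delivery", "value": sha, "to_ids": True})
    return {"Event": {
        "info": info,
        "date": hits[0]["ts"][:10],
        "distribution": 1,       # this community only
        "threat_level_id": 2,    # medium
        "analysis": 2,           # completed
        "Tag": [{"name": "tlp:amber"}],
        "Attribute": attributes,
    }}


def push_event(event, misp_url, api_key, timeout=10):
    """POST the event to a MISP instance (network call; not exercised offline)."""
    req = urllib.request.Request(
        misp_url.rstrip("/") + "/events/add",
        data=json.dumps(event).encode(),
        headers={"Authorization": api_key, "Accept": "application/json",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(build_misp_event(SAMPLE_LOG), indent=2))
```

Setting to_ids on the attributes is what lets a downstream SIEM (Wazuh, via a MISP feed) treat them as detection indicators rather than context, so it should only be set for values you actually want partners to alert on.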
4. Network and Endpoint Visibility – Zeek, Suricata, and Velociraptor
Zeek (formerly Bro) and Suricata provide deep network traffic analysis, while Velociraptor offers endpoint visibility and forensic collection for Windows, Linux, and macOS. Together, they form the “sensor layer” of a SOC, generating raw data for the SIEM.
Key benefits:
Deep packet inspection and behavioural analysis.
Detection of intrusions and data exfiltration.
Seamless integration with Wazuh and TheHive.
CSEC integration: Zeek and Suricata sensors could be deployed within CSEC’s DecoyNet infrastructure, turning honeypots into active telemetry sources for network-level threat monitoring.
Minimal Open-Source SOC Model (MVP)
| Layer | Tool | Function |
| --- | --- | --- |
| SIEM | Wazuh + ELK | Log collection, correlation, visualisation |
| Incident Management | TheHive + Cortex | Case management, automation |
| Threat Intelligence | MISP | IoC correlation and sharing |
| Network Visibility | Zeek / Suricata | Network traffic analysis |
| Endpoint Visibility | Velociraptor | Forensic and endpoint monitoring |
All components are free, well-documented, and supported by active communities. Combined, they enable a “SOC-as-a-Lab” model that can scale into a fully operational SOC.
Operational Recommendations
Start small – integrate only a few sensors and data sources.
Measure everything: incident count, detection time, response time.
Automate repetitive tasks (hash lookups, IP reputation checks, reporting).
Document every workflow – and capture lessons learned after each incident.
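"Measure everything" only works if the numbers are computed the same way every month, so here is an added example (not TheHive's API or CSEC's code) that derives incident count, detection time and response time from case records. The record shape is a constructed simplification of what a TheHive case carries: first evidence time, time the alert was raised, and closing time (None while the case is open). Open cases count towards incidents and detection time but are excluded from response time, and the median is reported alongside the mean because a single long-running case otherwise dominates the average.

```python
"""SOC metrics from case records: incident count, time to detect, time to respond.

Added example, not TheHive's or CSEC's code. Case records are a constructed,
simplified shape with ISO-8601 timestamps; 'closed' is None for open cases.
"""
from collections import Counter
from datetime import datetime, timezone
from statistics import mean, median

# Constructed sample cases.
SAMPLE_CASES = [
    {"id": "C-1", "severity": "high", "first_seen": "2024-05-01T08:00:00Z",
     "alerted": "2024-05-01T08:30:00Z", "closed": "2024-05-01T10:30:00Z"},
    {"id": "C-2", "severity": "low", "first_seen": "2024-05-01T09:00:00Z",
     "alerted": "2024-05-01T09:10:00Z", "closed": "2024-05-01T09:40:00Z"},
    {"id": "C-3", "severity": "high", "first_seen": "2024-05-01T12:00:00Z",
     "alerted": "2024-05-01T13:00:00Z", "closed": None},
]


def _ts(text):
    """Parse an ISO-8601 timestamp (trailing 'Z' accepted) into an aware UTC datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def _minutes(later, earlier):
    return (_ts(later) - _ts(earlier)).total_seconds() / 60


def soc_metrics(cases):
    """Return counts and detection/response times (minutes) for a list of cases."""
    detect, respond = [], []
    for case in cases:
        ttd = _minutes(case["alerted"], case["first_seen"])
        if ttd < 0:
            raise ValueError(f"{case['id']}: alert precedes first evidence")
        detect.append(ttd)
        if case.get("closed"):
            ttr = _minutes(case["closed"], case["alerted"])
            if ttr < 0:
                raise ValueError(f"{case['id']}: closed before alerted")
            respond.append(ttr)
    return {
        "incidents": len(cases),
        "open": sum(1 for c in cases if not c.get("closed")),
        "by_severity": dict(Counter(c["severity"] for c in cases)),
        "mttd_minutes": mean(detect) if detect else None,
        "median_ttd_minutes": median(detect) if detect else None,
        "mttr_minutes": mean(respond) if respond else None,
        "median_ttr_minutes": median(respond) if respond else None,
    }


def report(cases):
    """One-line summary suitable for a monthly SOC report."""
    m = soc_metrics(cases)
    fmt = lambda v: "n/a" if v is None else f"{v:.1f} min"
    return (f"{m['incidents']} incidents ({m['open']} open), "
            f"MTTD {fmt(m['mttd_minutes'])} (median {fmt(m['median_ttd_minutes'])}), "
            f"MTTR {fmt(m['mttr_minutes'])} (median {fmt(m['median_ttr_minutes'])})")


if __name__ == "__main__":
    print(report(SAMPLE_CASES))
```

Track these per month and per severity rather than as one global number; a falling MTTD for low-severity cases can hide a rising one for the cases that matter.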
Conclusion: A SOC is an Ecosystem
An open-source SOC isn’t a “free version” of commercial software – it’s a different philosophy. It’s built on transparency, collaboration, and knowledge-sharing. For Bosnia and Herzegovina, this offers a path toward a sustainable, independent SOC model, built on open standards and regional cooperation.
In the next and final post – “The SOC as the Heart of Cyber Resilience” – we’ll explore how to move from a laboratory setup to a 24/7 operational centre and how to measure its maturity and performance.