Building an Open-Source-First SOC for 25+ Clients
What it actually takes to run SIEM, EDR, and threat hunting for dozens of tenants on Wazuh and Elastic — without drowning in alerts or licensing fees.
Everyone wants a SOC. Almost no one wants the bill that comes with a brand-name SIEM priced per gigabyte. So we built ours open-source-first — Wazuh for the agent and detection layer, Elastic for storage and search, and a lot of opinionated glue in between.
Here's what running it for 25+ client environments taught me.
Multi-tenancy is a detection problem, not just a storage problem
The easy part is keeping each client's data separate. The hard part is writing detection content that's generic enough to reuse but specific enough to matter. We solved this with IOC-driven content: a shared library of correlation rules, parameterized per tenant, backed by playbooks and runbooks so a Tier-1 analyst can action an alert without paging me.
Tune for false positives, relentlessly
Correlating endpoint logs with threat-intel feeds let us auto-block malicious IPs — but the first version was noisy. Custom rule development and threat-intel integration eventually cut false positives by 30%. That number is the difference between a SOC people trust and one they mute.
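The two ideas above, a shared correlation rule parameterized per tenant and a threat-intel list match that only escalates once it repeats, can be tied together in a small rule generator. This is an added illustration, not the author's SOC tooling: the tenant names, CDB list paths, thresholds and rule IDs are constructed, and the rule shapes follow Wazuh's custom-rule syntax (`<list lookup="address_match_key">`, `<if_matched_sid>`, `<same_source_ip/>`).

```python
"""Render a shared Wazuh correlation rule into per-tenant local rules. Added
illustration, not the author's tooling; tenant names and list paths are constructed."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

CUSTOM_ID_BASE, CUSTOM_ID_END = 100000, 120000  # range Wazuh reserves for custom rules
IDS_PER_TENANT = 100                            # fixed block per tenant keeps IDs stable

TENANTS = {  # constructed per-tenant knobs: same logic, tenant-specific noise floor and TI list
    "acme":   dict(frequency=5,  timeframe=60,  level=12, ti_list="etc/lists/ti-acme"),
    "globex": dict(frequency=20, timeframe=120, level=10, ti_list="etc/lists/ti-globex"),
}

def tenant_rule_id(tenant_index: int, offset: int = 0) -> int:
    """Deterministic ID per tenant and shared rule; fails closed when the range runs out."""
    rid = CUSTOM_ID_BASE + tenant_index * IDS_PER_TENANT + offset
    if not 0 <= offset < IDS_PER_TENANT or rid >= CUSTOM_ID_END:
        raise ValueError("rule ID outside tenant block or Wazuh custom range")
    return rid

def render_tenant_rules(tenant: str, p: dict, tenant_index: int) -> str:
    """Emit a <group> with an atomic IOC-match rule and a correlated burst rule on top."""
    hit_id, burst_id = tenant_rule_id(tenant_index, 0), tenant_rule_id(tenant_index, 1)
    t = escape(tenant)
    return f"""<group name="threat_intel,tenant_{t},">
  <rule id="{hit_id}" level="5">
    <if_group>authentication_failed</if_group>
    <list field="srcip" lookup="address_match_key">{escape(p['ti_list'])}</list>
    <description>[{t}] source IP present in tenant threat-intel list</description>
    <group>ioc_match,</group>
  </rule>
  <rule id="{burst_id}" level="{p['level']}" frequency="{p['frequency']}" timeframe="{p['timeframe']}">
    <if_matched_sid>{hit_id}</if_matched_sid>
    <same_source_ip/>
    <description>[{t}] {p['frequency']} IOC hits from one source in {p['timeframe']}s: auto-block candidate</description>
    <group>ioc_burst,</group>
  </rule>
</group>
"""

def build_all(tenants: dict = TENANTS) -> dict:
    """Render every tenant; reject output that is not well-formed XML or reuses an ID."""
    out, seen = {}, set()
    for i, (name, params) in enumerate(sorted(tenants.items())):
        xml = render_tenant_rules(name, params, i)
        ids = {int(r.get("id")) for r in ET.fromstring(xml).iter("rule")}
        if seen & ids:
            raise ValueError(f"duplicate rule id for tenant {name}")
        seen |= ids
        out[f"tenant_{name}_rules.xml"] = xml
    return out
```

Raising the burst rule's frequency or timeframe for a noisy tenant changes only that tenant's file, so the shared logic stays one rule while the false-positive tuning stays per client.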
The takeaway
Open-source-first isn't about being cheap. It's about owning your detection logic instead of renting someone else's black box. When a novel attack shows up across clients, I can write a rule once and ship it everywhere — that's the whole game.