The Project

SynapticSOC

An open-source SOC operating model built under real-world constraints, focused on visibility, detection, correlation, controlled response, evidence handling, retention, and audit-aware operations.

What It Is

A practical SOC, not a tool showcase

SynapticSOC is a self-hosted open-source SOC project that connects firewall telemetry, IDS alerts, endpoint visibility, network evidence, log management, triage workflows, analyst acknowledgment, and evidence records into one operational security model.

01 / Visibility

Observe the environment

Firewall, IDS, endpoint, and LAN-side telemetry are collected to support practical monitoring and investigation.

02 / Correlation

Validate before responding

Before an alert drives a response, it is checked against supporting evidence: pfSense firewall logs (was the flow passed or blocked at the edge), Wazuh host alerts, Zeek connection records from the LAN side, Graylog searches, and the enrichment workflows that attach that context to the alert.

03 / Accountability

Record the decision

Analyst acknowledgment, evidence records, retention, and control summaries are used to support traceability and audit visibility.

Maturity Path

From monitoring to controlled operations

The project has matured from basic telemetry collection into a compliance-oriented SOC workflow with controlled triage, retained evidence, and documented operational controls.

Phase 01

Visibility

Firewall, IDS, endpoint, and network visibility were established.

Phase 02

Detection & Correlation

Security events were normalized, enriched, and correlated across multiple sources.

Phase 03

Controlled Response

n8n workflows, analyst acknowledgment, evidence records, and retention were introduced.

Core Capabilities

Operational capabilities validated in the build

Firewall telemetry

pfSense firewall logs show what the edge permitted or blocked, giving network context for alerts raised further inside.

IDS alerts

Snort and Suricata provide detection coverage at the network layer.

Endpoint monitoring

Wazuh provides host visibility, alerting, and compliance-oriented context.

Zeek visibility

Zeek connection records from the LAN side show whether traffic seen at the edge actually reached an internal host, and whether that host answered.

Graylog triage

Parsing, streams, search, and dashboards support investigation workflow.

n8n SOAR

Automation supports enrichment, triage routing, acknowledgment, and evidence recording.
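The edge-to-LAN check described under Correlation and Zeek visibility above, as an added example (this is not SynapticSOC's own code): it takes one Suricata EVE alert and a few Zeek conn.log records, all constructed for this page, matches them on the 5-tuple within a time window, and reads Zeek's conn_state to say whether the internal host actually answered. Field names follow the standard Suricata eve.json and Zeek JSON conn.log layouts; the verdict labels and triage hints are this example's own, not the project's.

```python
"""Correlate one Suricata alert with Zeek conn.log: did the flow reach the host?

Added example for this page, not SynapticSOC code. Sample records are constructed.
"""
import json
from datetime import datetime

# Constructed Suricata EVE alert line (eve.json format).
SURICATA_ALERT = (
    '{"timestamp":"2024-05-01T10:15:30.123456+0000","event_type":"alert",'
    '"src_ip":"203.0.113.45","src_port":44123,"dest_ip":"192.168.10.20",'
    '"dest_port":445,"proto":"TCP",'
    '"alert":{"signature":"ET SCAN Potential SMB Probe","severity":2}}'
)

# Constructed Zeek conn.log lines (JSON output, flattened "id.*" keys).
# ts is epoch seconds; 1714558530 is 2024-05-01T10:15:30Z.
ZEEK_CONN_LOG = [
    '{"ts":1714558530.2,"uid":"CAb3f1a","id.orig_h":"203.0.113.45","id.orig_p":44123,'
    '"id.resp_h":"192.168.10.20","id.resp_p":445,"proto":"tcp","conn_state":"SF",'
    '"orig_bytes":1280,"resp_bytes":4096,"duration":2.1}',
    '{"ts":1714558531.0,"uid":"Cz9k2d","id.orig_h":"192.168.10.31","id.orig_p":51000,'
    '"id.resp_h":"8.8.8.8","id.resp_p":53,"proto":"udp","conn_state":"SF",'
    '"orig_bytes":60,"resp_bytes":120,"duration":0.02}',
]

# Same flow, but the host never answered the SYN (conn_state S0). Constructed.
ZEEK_CONN_SYN_ONLY = [
    '{"ts":1714558530.2,"uid":"CAb3f1b","id.orig_h":"203.0.113.45","id.orig_p":44123,'
    '"id.resp_h":"192.168.10.20","id.resp_p":445,"proto":"tcp","conn_state":"S0",'
    '"orig_bytes":0,"resp_bytes":0,"duration":0.0}'
]

# Triage hints keyed by verdict; wording is this example's, not the project's.
TRIAGE_HINT = {
    "not_seen_on_lan": "Check the pfSense filter log for a block on this flow; if blocked, record as prevented.",
    "reached_lan_no_host_response": "SYN reached the segment, host silent. Low priority; confirm host firewall posture.",
    "host_rejected": "Host answered with a reset. Port closed; note the probe, no host compromise indicated.",
    "handshake_only": "Handshake completed but no data returned. Review for follow-on flows from the source.",
    "host_responded": "Host exchanged data with the source. Escalate and pull Wazuh host events for the window.",
    "seen_on_lan_state_unknown": "Midstream or unusual state. Inspect the Zeek uid manually.",
}


def classify_conn_state(state):
    """Map a Zeek conn_state value to what it implies about the responder."""
    if state in {"S1", "SF", "S2", "S3", "RSTO", "RSTR"}:
        return "established"   # handshake completed; the host talked back
    if state in {"REJ", "RSTRH", "SHR"}:
        return "rejected"      # host answered, but refused or tore down the attempt
    if state in {"S0", "RSTOS0", "SH"}:
        return "no_response"   # SYN reached the segment; the host stayed silent
    return "unknown"           # OTH (midstream) or an unexpected value


def _alert_epoch(alert):
    """Suricata timestamps look like 2024-05-01T10:15:30.123456+0000."""
    return datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z").timestamp()


def _same_flow(alert, conn):
    """5-tuple match; Suricata writes proto upper-case, Zeek lower-case."""
    return (conn.get("proto", "").lower() == alert["proto"].lower()
            and conn.get("id.orig_h") == alert["src_ip"]
            and conn.get("id.orig_p") == alert["src_port"]
            and conn.get("id.resp_h") == alert["dest_ip"]
            and conn.get("id.resp_p") == alert["dest_port"])


def correlate(alert_line, zeek_lines, window_s=10.0):
    """Return the Zeek uids for the alerted flow and a verdict on host contact."""
    alert = json.loads(alert_line)
    if alert.get("event_type") != "alert":
        raise ValueError("expected a Suricata EVE record with event_type=alert")
    alert_ts = _alert_epoch(alert)
    matches = [c for c in (json.loads(l) for l in zeek_lines)
               if _same_flow(alert, c) and abs(c["ts"] - alert_ts) <= window_s]
    if not matches:
        verdict = "not_seen_on_lan"
    else:
        outcomes = {classify_conn_state(c.get("conn_state")) for c in matches}
        if "established" in outcomes:
            verdict = ("host_responded" if any(c.get("resp_bytes", 0) > 0 for c in matches)
                       else "handshake_only")
        elif "rejected" in outcomes:
            verdict = "host_rejected"
        elif "no_response" in outcomes:
            verdict = "reached_lan_no_host_response"
        else:
            verdict = "seen_on_lan_state_unknown"
    return {
        "signature": alert["alert"]["signature"],
        "flow": f'{alert["src_ip"]}:{alert["src_port"]} -> {alert["dest_ip"]}:{alert["dest_port"]}/{alert["proto"].lower()}',
        "zeek_uids": [c["uid"] for c in matches],
        "verdict": verdict,
        "hint": TRIAGE_HINT[verdict],
    }


if __name__ == "__main__":
    for label, conn_log in (("established", ZEEK_CONN_LOG), ("syn only", ZEEK_CONN_SYN_ONLY), ("no zeek record", [])):
        print(label, json.dumps(correlate(SURICATA_ALERT, conn_log), indent=2))
```

In a pipeline shaped like the one described on this page, this check would sit in the enrichment step (for example an n8n node between the IDS alert and the analyst queue), so the verdict and the Zeek uid are attached to the alert before anyone acknowledges it. The "not_seen_on_lan" case is the one that most often turns out to be a pfSense block at the edge, which is why the pfSense filter log is the next thing to look at there, and a "host_responded" verdict is the point at which Wazuh host events for the same window become relevant.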

Control Model

Controls that make the SOC defensible

SynapticSOC is being shaped around operational controls that support role separation, traceability, analyst accountability, evidence retention, and compliance-oriented security operations.

Control 01

RBAC

Role separation and access boundaries across SOC tools.

Control 02

Evidence handling

Defined handling of alert context, analyst decisions, and retained triage records.

Control 03

Retention

Retention rules and documentation for logs, alerts, evidence, and workflow records.

Limitations

Clear boundaries and non-claims

SynapticSOC does not claim certified compliance, managed detection and response coverage, enterprise high availability, or legal forensic chain of custody. Its value is in practical SOC engineering, transparent documentation, realistic constraints, and honest control development.