Open-source SOC engineering project

Building a practical Security Operations Center

SynapticSOC is an independently built cybersecurity engineering project designed, integrated, and documented using real hardware, real telemetry, and realistic resource constraints.

Stack: pfSense, Wazuh, Graylog, n8n (SOAR)
Focus areas: network telemetry, endpoint visibility, correlation and triage, evidence and response

The Project

A SOC built under real constraints

SynapticSOC explores what it takes to make open-source security tools function as one connected operational system, rather than a collection of isolated dashboards.

01 / Visibility

Collect meaningful telemetry

Firewall, IDS, endpoint, and network telemetry are brought together so that a security decision rests on more than one sensor's view of the same event.

02 / Correlation

Validate alerts with context

Alerts are enriched and compared against pfSense, Zeek, Wazuh, and Graylog evidence before an analyst response is recommended.

03 / Workflow

Document the analyst decision

Triage, acknowledgment, and response steps are designed to leave a clear record of what was observed and why action was taken.

Architecture

A connected detection and triage stack

The architecture is designed around telemetry quality, practical integration, and clear analyst workflow.

From raw events to analyst decisions

  • Collect network and endpoint telemetry
  • Parse and normalize events in Graylog
  • Detect activity through Wazuh, Snort, and Suricata
  • Validate visibility using Zeek and pfSense evidence
  • Enrich, triage, acknowledge, and retain the result
Architecture diagram nodes: pfSense, Snort / Suricata, Wazuh Agents, Zeek, Graylog, OpenSearch, Enrichment, n8n Triage, Analyst Response

Current Capabilities

Evidence instead of marketing claims

The project is documented around capabilities that have been implemented, observed, and validated.

Firewall and IDS telemetry

Network events are collected from pfSense, Snort, and Suricata.

Endpoint visibility

Wazuh agents provide host-level events, detections, and context.

LAN-side validation

Zeek on the LAN side records whether traffic the perimeter IDS alerted on actually reached an internal host, so a confirmed contact can be separated from an attempt that never got past the firewall.
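The correlation step from the architecture section (compare an IDS alert against Zeek evidence before recommending a response) and the LAN-side validation capability above, as an added worked example. This is not SynapticSOC's code or n8n workflow; it is a stand-alone Python sketch of the logic. It assumes Suricata EVE JSON alerts and Zeek conn.log written in JSON form, and the field names used (`src_ip`, `dest_port`, `id.orig_h`, `conn_state`, `resp_bytes`, ...) are the ones those tools emit; the addresses, signature names, uids and timestamps in the embedded sample lines are constructed, and the five-second match window and the priority mapping are choices made here, not the project's.

```python
"""Correlate Suricata IDS alerts with LAN-side Zeek conn.log evidence.

Added example, not SynapticSOC project code. Sample telemetry below is
constructed: RFC 5737 test addresses, made-up signature names and uids.
"""
import json
from datetime import datetime

# Constructed Suricata EVE JSON alerts (one JSON object per line).
EVE_ALERTS = """\
{"timestamp":"2024-05-01T12:00:03.120000+0000","event_type":"alert","src_ip":"203.0.113.7","src_port":44123,"dest_ip":"192.168.10.25","dest_port":445,"proto":"TCP","alert":{"signature":"CONSTRUCTED inbound SMB probe","severity":2}}
{"timestamp":"2024-05-01T12:00:09.000000+0000","event_type":"alert","src_ip":"203.0.113.9","src_port":51000,"dest_ip":"192.168.10.30","dest_port":22,"proto":"TCP","alert":{"signature":"CONSTRUCTED inbound SSH probe","severity":2}}
{"timestamp":"2024-05-01T12:00:15.500000+0000","event_type":"alert","src_ip":"203.0.113.11","src_port":40000,"dest_ip":"192.168.10.40","dest_port":3389,"proto":"TCP","alert":{"signature":"CONSTRUCTED inbound RDP probe","severity":2}}
"""

# Constructed Zeek conn.log records in JSON form from a LAN-side sensor
# (Zeek's default JSON output writes ts as epoch-second floats).
ZEEK_CONN = """\
{"ts":1714564803.2,"uid":"CONSTRUCTEDuid1","id.orig_h":"203.0.113.7","id.orig_p":44123,"id.resp_h":"192.168.10.25","id.resp_p":445,"proto":"tcp","conn_state":"SF","orig_bytes":312,"resp_bytes":1024}
{"ts":1714564809.1,"uid":"CONSTRUCTEDuid2","id.orig_h":"203.0.113.9","id.orig_p":51000,"id.resp_h":"192.168.10.30","id.resp_p":22,"proto":"tcp","conn_state":"S0","orig_bytes":0,"resp_bytes":0}
{"ts":1714564700.0,"uid":"CONSTRUCTEDuid3","id.orig_h":"192.168.10.50","id.orig_p":50001,"id.resp_h":"192.168.10.1","id.resp_p":53,"proto":"udp","conn_state":"SF","orig_bytes":60,"resp_bytes":120}
"""

# Zeek conn_state values in which the responder (the internal host) sent
# something back: completed or partial handshakes, or a RST/FIN from the responder.
RESPONDER_ANSWERED = {"SF", "S1", "S2", "S3", "REJ", "RSTO", "RSTR", "RSTRH", "SHR"}

# Verdict -> queue priority (a choice made for this example).
PRIORITY = {
    "reached_host_and_answered": "high",
    "reached_lan_no_answer": "medium",
    "not_seen_on_lan": "low",
}


def parse_jsonl(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def eve_epoch(ts):
    """Suricata EVE timestamp ('2024-05-01T12:00:03.120000+0000') -> epoch seconds."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z").timestamp()


def alert_key(a):
    """5-tuple of a Suricata alert, protocol lower-cased to match Zeek."""
    return (a["src_ip"], a["src_port"], a["dest_ip"], a["dest_port"], a["proto"].lower())


def conn_key(c):
    """5-tuple of a Zeek conn record (originator = alert source, responder = alert dest)."""
    return (c["id.orig_h"], c["id.orig_p"], c["id.resp_h"], c["id.resp_p"], c["proto"].lower())


def correlate(alert, conns, window_s=5.0):
    """Find the Zeek connection behind an IDS alert and state what it proves.

    Matching is on the 5-tuple within +/- window_s of the alert time; the
    closest record wins if several match (e.g. retries reusing a source port).
    """
    t = eve_epoch(alert["timestamp"])
    key = alert_key(alert)
    matches = [c for c in conns if conn_key(c) == key and abs(c["ts"] - t) <= window_s]
    if not matches:
        return {"verdict": "not_seen_on_lan", "zeek_uid": None,
                "why": "no Zeek conn record within %.0fs; check the pfSense block log "
                       "or sensor coverage before acting" % window_s}
    c = min(matches, key=lambda c: abs(c["ts"] - t))
    answered = c["conn_state"] in RESPONDER_ANSWERED or c.get("resp_bytes", 0) > 0
    verdict = "reached_host_and_answered" if answered else "reached_lan_no_answer"
    return {"verdict": verdict, "zeek_uid": c["uid"],
            "why": "Zeek conn_state=%s resp_bytes=%d" % (c["conn_state"], c.get("resp_bytes", 0))}


def triage(alerts_text, conn_text):
    """One triage record per alert: the alert, the LAN-side evidence, and the
    reason for the priority. This is the record an analyst would acknowledge."""
    conns = parse_jsonl(conn_text)
    records = []
    for a in parse_jsonl(alerts_text):
        r = correlate(a, conns)
        r.update(signature=a["alert"]["signature"], src_ip=a["src_ip"],
                 dest=f'{a["dest_ip"]}:{a["dest_port"]}', priority=PRIORITY[r["verdict"]])
        records.append(r)
    return records


if __name__ == "__main__":
    print(json.dumps(triage(EVE_ALERTS, ZEEK_CONN), indent=2))
```

Run as a script it prints the three triage records: the SMB probe is backed by a completed Zeek connection with response bytes (the host answered), the SSH probe shows an `S0` connection (the SYN reached the LAN but nothing came back), and the RDP probe has no LAN-side record at all, which is the case where the analyst should look at the pfSense block log or question sensor coverage rather than treat the alert as a compromise. The `why` field is kept on every record so the acknowledgment carries the evidence, not just the verdict.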

SOAR-assisted triage

n8n workflows enrich alerts and support structured analyst acknowledgment.

Build Journal

Engineering decisions, documented

The journal will document the problems, failures, decisions, and lessons involved in building the project.

Coming soon: Zeek Integration

Integrating Zeek for LAN-side visibility

A practical account of the challenges involved in using Zeek to validate whether IDS-observed traffic reached an internal host.

Coming soon: SOAR Design

Designing a triage workflow under resource constraints

How enrichment, correlation, acknowledgment, and evidence retention were approached without over-automating response.

About SynapticSOC

A practical cybersecurity engineering project

SynapticSOC is built and documented as a technical portfolio, learning platform, and foundation for future open-source SOC research, education, and collaboration.