Case study · SOC · Detection Engineering · IAM · Hardening · Automation

Panther ASOC

An automated, scalable open-source SOC environment focused on proactive detection, response, IAM integration, hardening, and resilience.

Objective

Design a modular, production-minded SOC platform capable of monitoring and defending an enterprise-like environment.

Tech stack

Proxmox VE, pfSense, Active Directory, Wazuh, Ansible, Suricata, TheHive, Veeam, LDAP

Overview

Panther ASOC is an end-to-end open-source SOC environment built to behave like a small enterprise security platform rather than a one-off lab. The goal is to connect infrastructure, identity, network visibility, endpoint telemetry, incident handling, and backup resilience into one modular environment.

The project uses Proxmox VE for virtualization, pfSense for network control, hardened Active Directory for identity, Wazuh as the central SOC platform, Suricata for network detection, TheHive for incident handling, and Veeam Backup Community for recovery.

Context / Problem

Many home SOC projects stop at telemetry collection. They deploy a SIEM, forward a few logs, and call the environment complete. That is useful for learning syntax and dashboards, but it does not reflect how enterprise security teams actually operate.

I wanted the platform to answer more practical questions:

  • How do identity events and endpoint events support each other?
  • How can deployment and hardening be automated so the environment is repeatable?
  • How should network controls, directory services, detection rules, response playbooks, and backup strategy interact?
  • What does it take to make an open-source stack feel operational rather than decorative?

Architecture / Design

SOC architecture diagram

Planned visual: zones for identity, clients, SOC tooling, network security, backup, and response workflows.

The architecture is intentionally modular. Each component has a clear responsibility, and automation scripts make rebuilds predictable. This matters because a SOC environment should be testable and maintainable, not only impressive on a screenshot.

Implementation

Implementation focused on three workstreams.

First, I built the virtualized infrastructure and network boundaries with Proxmox VE and pfSense. This created the base for segmented services, domain assets, Linux and Windows clients, and monitoring components.

Second, I deployed and hardened Active Directory with Windows and Linux clients. Identity was not treated as a background dependency. It became a core source of access control, policy, authentication events, and operational context.

Third, I automated deployment and maintenance tasks with Ansible. Wazuh agent deployment, hardening steps, and recurring configuration tasks were scripted so the environment could be rebuilt and improved without manual drift.

Security Considerations

The project emphasizes security controls that would matter in a real environment:

  • identity hardening and centralized LDAP integration;
  • network segmentation through pfSense;
  • endpoint telemetry through Wazuh agents;
  • network detection through Suricata;
  • active response playbooks for selected detection scenarios;
  • backup and recovery through Veeam Backup Community;
  • custom detection rules connected to concrete response actions.
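The two pieces above that are most concrete, Ansible-driven Wazuh agent rollout (from the Implementation section) and a custom detection rule tied to a response action, can be shown together in one playbook. The following is an added example written for this page, not code from the Panther ASOC project. It assumes Debian/Ubuntu endpoints, inventory groups named `wazuh_agents` and `wazuh_manager`, a placeholder manager address, and the `firewall-drop` active-response command that Wazuh 4.x defines by default in the manager's ossec.conf; the rule id 100100 and the five-failures-in-two-minutes threshold are illustrative choices.

```yaml
---
# Added example (not the project's own code). Play 1 installs and enrols the Wazuh agent;
# play 2 ships a custom frequency rule and binds it to an active response on the manager.
# Inventory group names, the manager IP, rule id and thresholds are placeholders.
- name: Deploy the Wazuh agent on Debian/Ubuntu endpoints
  hosts: wazuh_agents                 # assumed inventory group
  become: true
  vars:
    wazuh_manager_ip: "10.0.0.10"     # placeholder manager address
  tasks:
    - name: Install the Wazuh repository signing key
      ansible.builtin.apt_key:
        url: https://packages.wazuh.com/key/GPG-KEY-WAZUH
        state: present

    - name: Add the Wazuh 4.x apt repository
      ansible.builtin.apt_repository:
        repo: "deb https://packages.wazuh.com/4.x/apt/ stable main"
        state: present
        filename: wazuh

    - name: Install the agent package
      ansible.builtin.apt:
        name: wazuh-agent
        state: present
        update_cache: true

    - name: Point the agent at the manager (idempotent edit of ossec.conf)
      ansible.builtin.replace:
        path: /var/ossec/etc/ossec.conf
        regexp: '<address>[^<]*</address>'
        replace: "<address>{{ wazuh_manager_ip }}</address>"
      notify: Restart wazuh-agent

    - name: Enable and start the agent service
      ansible.builtin.systemd:
        name: wazuh-agent
        enabled: true
        state: started

  handlers:
    - name: Restart wazuh-agent
      ansible.builtin.systemd:
        name: wazuh-agent
        state: restarted

- name: Ship a custom rule and bind it to an active response on the manager
  hosts: wazuh_manager                # assumed inventory group
  become: true
  tasks:
    # Frequency rule: fires when five events tagged authentication_failed
    # arrive from the same source IP within 120 seconds.
    - name: Custom rule - repeated authentication failures from one source
      ansible.builtin.blockinfile:
        path: /var/ossec/etc/rules/local_rules.xml
        marker: "<!-- {mark} ANSIBLE MANAGED: auth failure burst rule -->"
        insertbefore: "</group>"
        block: |
          <rule id="100100" level="10" frequency="5" timeframe="120">
            <if_matched_group>authentication_failed</if_matched_group>
            <same_source_ip />
            <description>Five authentication failures from one source within two minutes</description>
            <mitre><id>T1110</id></mitre>
          </rule>
      notify: Restart wazuh-manager

    # Response: block the source on the reporting agent for ten minutes,
    # using the firewall-drop command that Wazuh 4.x ships by default.
    - name: Active response - temporary firewall drop for rule 100100
      ansible.builtin.blockinfile:
        path: /var/ossec/etc/ossec.conf
        marker: "<!-- {mark} ANSIBLE MANAGED: auth failure burst response -->"
        insertbefore: "</ossec_config>"
        block: |
          <active-response>
            <command>firewall-drop</command>
            <location>local</location>
            <rules_id>100100</rules_id>
            <timeout>600</timeout>
          </active-response>
      notify: Restart wazuh-manager

  handlers:
    - name: Restart wazuh-manager
      ansible.builtin.systemd:
        name: wazuh-manager
        state: restarted
```

Run it with `ansible-playbook -i inventory.ini wazuh.yml`. Both plays are idempotent: the agent's manager address is rewritten only if it differs, and the `blockinfile` markers let a rerun update the rule or response in place rather than appending duplicates, which is what keeps a rebuilt environment free of the configuration drift the case study is trying to avoid.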

The platform is not positioned as a replacement for enterprise-grade SOC tooling. It is a controlled engineering environment for learning, testing, and demonstrating how SOC components fit together.

Trade-offs and Challenges

The main trade-off is depth versus operational scope. Adding tools is easy; making the environment coherent is harder. I prioritized integration quality, repeatability, and security relevance over adding every possible open-source component.

Another challenge was avoiding a pure dashboard mindset. A SOC platform should not only show alerts; it should help an analyst decide what happened, what identity or asset is involved, what action is available, and how the environment can recover.

Outcomes

Panther ASOC demonstrates:

  • a modular open-source SOC architecture;
  • automated agent deployment and hardening with Ansible;
  • centralized identity context through Active Directory and LDAP;
  • host and network detection using Wazuh and Suricata;
  • incident tracking through TheHive;
  • resilience planning through Veeam;
  • a foundation for custom detection engineering and response playbooks.

What I Learned

The project reinforced that detection engineering is not isolated from IAM. Identity data, access patterns, directory events, endpoint behavior, and network telemetry all shape the quality of an investigation.

It also reinforced the value of automation. A lab that can be rebuilt and extended is much closer to an engineering platform than a fragile demo environment.

Tech Stack

Proxmox VE, pfSense, Active Directory, Windows clients, Linux clients, Wazuh, Ansible, Suricata, TheHive, Veeam Backup Community, LDAP.

Repository and diagrams can be added here when the public release is ready.

Key Takeaways

  • SOC credibility depends on identity context, response paths, and resilience.
  • Automation makes the platform repeatable and closer to production practice.
  • Open-source tooling can demonstrate serious enterprise security thinking when the architecture is coherent.