
Why we built our SOC on open source instead of buying SIEM-as-a-Service

Wazuh + Elastic + MISP + TheHive can outperform a commercial SIEM at one-tenth the cost - if you have the engineering discipline to run it.

Apr 19, 2026 | 8 min read | Black Vault Security
Tags: SOC, Open Source, Architecture

A common question from prospects: "Why not just resell Splunk / Sentinel / CrowdStrike like everyone else?"

The honest answer: those are great products, and we use them when a client already has a license. But for the default stack we run on, we picked Wazuh + Elastic + MISP + TheHive on purpose. Three reasons.

1. The cost curve

A commercial SIEM at 1,000 endpoints with reasonable retention runs $10-25K/month. The same workload on open source runs under $2K/month in compute, plus the engineering hours to run it.

The economics flip somewhere around 100-500 endpoints. Below that, managed commercial often wins. Above that - and especially when log volume gets noisy - open source pulls ahead and stays there.

For our customers (SaaS startups and SMBs in the 50-2,000 endpoint range), open source is almost always cheaper delivered to them, even after our managed-services margin.

2. No vendor lock-in

Every commercial SIEM has a proprietary detection language. Splunk has SPL, Sentinel has KQL, Elastic has EQL, Sumo has theirs. Detection content written in one doesn't port.

We standardize on Sigma - an open detection format that compiles to most query languages.

title: Suspicious PowerShell from a service account
status: experimental
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\powershell.exe'
    User|startswith: 'svc_'
  filter:
    CommandLine|contains: 'Get-WinEvent'
  condition: selection and not filter
level: high
tags:
  - attack.execution
  - attack.t1059.001

Every detection we ship is a Sigma rule, mapped to MITRE ATT&CK. If a customer ever wants to leave us, they take the rules with them and sigmac them into whatever stack comes next.

Try doing that with a Splunk Enterprise Security ruleset.
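To make "selection and not filter" concrete, here is an added example (not from this post, Sigma or sigmac) that evaluates the rule above against a handful of constructed process_creation events in Python. The event values are made up, and the evaluator only implements the three modifiers the rule uses.

```python
# Added example, not from the original post: a minimal evaluator for the Sigma
# rule above. Production stacks compile rules with pySigma/sigmac; this only
# re-implements the modifiers the rule uses (endswith, startswith, contains).

# The page's rule, transcribed from YAML into a plain dict (no PyYAML needed).
RULE = {
    "title": "Suspicious PowerShell from a service account",
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe", "User|startswith": "svc_"},
        "filter": {"CommandLine|contains": "Get-WinEvent"},
        "condition": "selection and not filter",
    },
}

def field_matches(event, key, expected):
    """One 'Field|modifier: value' check; Sigma string matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    value, expected = str(event.get(field, "")).lower(), expected.lower()
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "startswith":
        return value.startswith(expected)
    if modifier == "contains":
        return expected in value
    raise ValueError(f"modifier not implemented here: {modifier}")

def search_matches(event, search):
    """A search map matches when every field check in it matches (logical AND)."""
    return all(field_matches(event, k, v) for k, v in search.items())

def rule_matches(event, rule=RULE):
    """Evaluate the rule; only the 'selection and not filter' condition form is handled."""
    det = rule["detection"]
    if det["condition"] != "selection and not filter":
        raise ValueError("unsupported condition for this toy evaluator")
    return search_matches(event, det["selection"]) and not search_matches(event, det["filter"])

# Constructed sample events (not real telemetry). The last one shows a pipeline caveat:
# Sysmon writes User as DOMAIN\name, so 'svc_' only fires if the pipeline strips the domain.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"Image": PS, "User": "svc_backup", "CommandLine": "powershell.exe -File run.ps1"},
    {"Image": PS, "User": "svc_backup", "CommandLine": "powershell.exe Get-WinEvent -LogName System"},
    {"Image": PS, "User": "jdoe", "CommandLine": "powershell.exe -File report.ps1"},
    {"Image": r"C:\Windows\System32\cmd.exe", "User": "svc_monitor", "CommandLine": "cmd.exe /c dir"},
    {"Image": PS, "User": r"CORP\svc_backup", "CommandLine": "powershell.exe -File run.ps1"},
]

def evaluate(events=EVENTS):
    """Return one True/False per event: would the rule alert on it?"""
    return [rule_matches(e) for e in events]
```

Only the first event alerts; the second is suppressed by the filter, and the domain-prefixed user in the last one is the kind of field-normalisation gap a rule review in CI should catch.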

3. Transparency under pressure

When a critical alert fires at 2 a.m., the analyst on call needs to understand why it fired. With a proprietary "AI-powered correlation engine" that produces an alert with no explanation, the analyst is reduced to escalating because the box said so.

With open-source detections, every rule is inspectable. Severity, tags, detection logic, false-positive notes - all sitting in a YAML file we own. That's what lets a senior analyst make a confident triage decision instead of pinging Slack and waiting.

What we actually run

   Endpoints / Workloads
            │
            ▼
   Wazuh Agents  ───────►  Wazuh Manager  ──┐
                                            ├──►  Elastic / Kibana
   Sysmon + WinEventForward ────────────────┘         │
                                                      ▼
   Network: Suricata + Zeek ─────────────────►   Detections (Sigma rules)
                                                      │
   Cloud: GCP / AWS audit logs ─────────────►   Triage + Hunt (analyst)
                                                      │
                                                      ▼
                                               TheHive  ────►  MISP (intel)
                                                      │
                                                      ▼
                                              Cortex  (response automation)
  • Wazuh - XDR + SIEM core. Agents on every endpoint, manager for correlation, integrated file integrity monitoring (FIM) and vulnerability detection.
  • Elastic / Kibana - log pipeline + analyst search UI. The "data plane."
  • Sigma + sigmac - detection-as-code. Rules sit in a Git repo, reviewed in PRs, tested in CI.
  • TheHive - case management. Every escalated alert becomes a case with a timeline, owner, evidence and a postmortem.
  • Cortex - analyzer + responder automation. IOC enrichment, sandbox detonation, contain-host workflows.
  • MISP - threat intel sharing. IOCs we pull in, IOCs we share out (under TLP rules).
  • Suricata + Zeek - network detection layer for east-west and egress visibility.

Every component is mature, has been used in production at scale by larger teams than ours, and has commercial support available if a customer wants it.

What this doesn't mean

A few caveats we're honest about:

  • Open source isn't "free." The cost is paid in engineering time. We staff senior analysts who actually understand the stack - not L1 ticket-pushers.
  • You still need EDR. Wazuh's endpoint capability is solid but it's not a full EDR. We integrate with whatever EDR a customer already has (CrowdStrike, SentinelOne, MS Defender, Elastic EDR).
  • Some workloads are better served by commercial. Identity-heavy enterprises with Azure AD as the center of the universe often get more value from Sentinel. We'll say so.

The bigger argument

Cybersecurity products have a strange property: when you depend on a vendor's threat intel, you also depend on their decision about what to call a threat. Every commercial SIEM ships opinionated "out-of-the-box" content. Most of it is noisy. Tuning is real work.

By building on open source with our own detection content, we control what triggers an analyst. Customers get fewer alerts, higher-fidelity ones, and a SOC team that can defend the choice in writing.

That's the bet. The cost savings are nice. The transparency is the point.


Curious about how we'd scope a SOC for your environment? Get a SOC quote. Written proposal in 48 hours, no sales pitch in between.
