Masarrati

Information

A full‑stack, multi‑tenant Cyber Security Operations Center platform was engineered to give security teams a single pane of glass for detection, response, asset governance, and executive reporting. Telemetry from 700+ endpoints flows through Wazuh into OpenSearch, enabling lightning‑fast queries and rich aggregations.

Front‑end functionality is delivered via Angular consuming Flask REST and WebSocket APIs, while micro‑services orchestrated with Docker & Kubernetes ensure horizontal scalability. The platform integrates natively with Zoho Desk for incident life‑cycle management and Neo4j for real‑time graph visualisation of alert relationships across the MITRE ATT&CK kill chain.

The Challenge of the Project

We bring together all the necessary technology and services to help our clients solve their business problems.

The Solution of the Project


What We’ve Done

Our delivery followed two‑week sprints over sixteen iterations, beginning with authentication and tenancy scaffolding before layering in alerting, incident workflows, threat‑hunting, reporting, and graph correlation. Continuous performance tuning kept OpenSearch P95 search latency below 500 ms, and automated tests validated every commit before container builds shipped to the staging cluster. This cadence let stakeholders see working software every fortnight, reducing risk and enabling rapid feedback loops.

Post‑deployment, we migrated 450 million historical events without service interruption, trained the SOC analysts on new playbooks, and executed a red‑team simulation to validate end‑to‑end detection and response within the first month of go‑live.

The Result of the Project

The organisation achieved a 58 % reduction in mean‑time‑to‑detect and a 41 % reduction in mean‑time‑to‑respond. Automated board reports that once took three analysts two days now generate in under 15 minutes, while zero critical audit findings were observed in the first quarterly review. The platform’s tenant isolation has already enabled two new subsidiaries to onboard without additional hardware, demonstrating immediate ROI and future‑proof scalability.

Key Offers We Deliver on This Project

Accelerate Growth

Boost Efficiency

Collaboration

Reduce Costs

Networking

Global Translations

Enhance Security

In-house techs
