// SECURITY OPERATIONS CENTER

SOC

DETECT. INVESTIGATE. RESPOND.

The front line of cyber defense. Learn what a SOC is, how alerts become investigations and why detection engineering is one of the most in-demand skills in cybersecurity.

LIVE ALERTS

[HIGH] Brute force SSH from 45.33.32.156 — T1110 [CRITICAL] Credential stuffing on /login — T1110.004 [MEDIUM] Sudo auth failure — T1078 [HIGH] Port scan detected — T1046 [MEDIUM] Segfault in production — T1203 [HIGH] Invalid user enumeration — T1078 [LOW] Admin path access blocked — T1190 [HIGH] Brute force SSH from 45.33.32.156 — T1110 [CRITICAL] Credential stuffing on /login — T1110.004 [MEDIUM] Sudo auth failure — T1078 [HIGH] Port scan detected — T1046 [MEDIUM] Segfault in production — T1203 [HIGH] Invalid user enumeration — T1078 [LOW] Admin path access blocked — T1190

Hours monitored daily

MITRE ATT&CK rules

Tests passing

Min response to HIGH alert

What is a SOC?

A Security Operations Center is a team that monitors an organisation's systems 24/7. They look for signs of attack in logs, alerts and network traffic. When something fires, they investigate, decide if it is real and respond. This project builds the core tools a SOC analyst uses daily.

Monitor

Logs from servers, firewalls and endpoints flow into a central location and are checked continuously.

Detect

Detection rules run against every log entry. When a pattern matches, an alert fires with a severity level.

Respond

Analysts investigate, contain the threat and document what happened. Then improve the rules so it is caught earlier next time.

🔍

Log Parser

Reads raw log files line by line. Detects whether each line is SSH auth, Apache access or syslog. Flags anything suspicious for the alert engine.

🚨

Alert Engine

Matches parsed log entries against YAML detection rules. Every match fires an alert with a severity level and a MITRE ATT&CK technique ID.

🌐

Threat Intel

Pulls source IPs from the logs and checks each one against AbuseIPDB. Returns an abuse confidence score so analysts know if the source is a known bad actor.

🛡️

Brute Force Detector

Uses a sliding time window to count failed login attempts per IP. Flags sources that exceed the threshold within the window — not just total count.

📊

Dashboard

Terminal overview showing log volume by type, top source IPs, HTTP status codes and the most recent suspicious events — all in one view.

📋

IR Playbook

Step-by-step response procedures for each alert type, based on NIST SP 800-61. Tells the analyst exactly what to do when a rule fires.

Live scanner simulation

This simulates exactly what the real parser and alert engine output. Click Run to see a fresh scan — with random IPs, attack patterns and MITRE tags.

Every line of every log is checked against every rule

The alert engine runs in milliseconds. Humans investigate what it flags.

soc-scanner — bash

$ python soc/log-parser/generate_logs.py && python soc/log-parser/parser.py --file sample.log --output parsed.json && python soc/alert-rules/alert_engine.py --logs parsed.json --rules rules.yaml

Click Run Scan to execute...

MITRE ATT&CK

MITRE ATT&CK is a globally recognised framework that maps attacker behaviour to specific techniques. Every detection rule in this project is tagged with a technique ID — so every alert tells you not just what happened, but what type of attack it is.

MITRE ATT&CK is the common language of detection engineering

When an alert fires, the technique ID tells you exactly what the attacker is doing and what comes next.

T1110

Brute Force

Credential Access

RULE-001

Repeated failed logins from one source. The attacker is trying to guess credentials.

T1110.004

Credential Stuffing

Credential Access

RULE-004

Multiple 401 responses to /login. Attacker is trying leaked username/password pairs.

T1078

Valid Accounts

Initial Access

RULE-002

T1078

Valid Accounts

Privilege Escalation

RULE-003

Sudo authentication failure. Someone tried to escalate privileges and failed.

T1190

Exploit Public App

Initial Access

RULE-005

Request to /admin was blocked. Could be a scanner probing for admin interfaces.

T1203

Client Exploitation

Execution

RULE-006

Segmentation fault detected. Could indicate an exploitation attempt against a process.

Why does this matter for a job?
MITRE ATT&CK appears in almost every SOC and detection engineering job description. Knowing the tactic-technique hierarchy, being able to map a log entry to a technique, and understanding what the attacker does next in the chain — these are interview questions you will face. This project gives you direct hands-on experience with all of it.

Incident response

When an alert fires, the SOC follows a structured process. Based on NIST SP 800-61 — the industry standard for incident handling. Every step matters because doing the wrong thing in the wrong order can make a breach worse.

Every second counts in incident response

The playbook exists so analysts do not have to think under pressure. The steps are already decided.

Triage

Alert fires. First question: is this real or a false positive? Check the source IP, the time, the context. Do not act until you know what you are dealing with.

Target: within 5 minutes

Contain

Stop the bleeding. Block the source IP. Isolate the affected system if needed. The goal is to prevent the attacker from moving further into the network.

For HIGH alerts: within 30 minutes

Investigate

Dig into the logs. What did the attacker do? Did they succeed? What other systems were touched? Build a timeline of events from the evidence.

Duration depends on complexity

Eradicate

Remove the threat. Delete the malware, close the compromised account, patch the vulnerability. Make sure the attacker has no way back in.

Before recovery begins

Recover

Bring affected systems back online. Verify they are clean. Monitor for recurrence. Get the business back to normal operation.

With continuous monitoring

Post-Incident Report

Write it up within 5 business days. What happened? What worked? What failed? What should be improved? Update the detection rules so it is caught faster next time.

Within 5 business days

Threat intelligence

Threat intelligence enriches alerts with context. When an IP address shows up in your logs, knowing whether it is a known attacker changes everything about how you respond. Try the demo below.

Context turns alerts into intelligence

An IP with a 97% abuse confidence score is not a failed login. It is a targeted attack from a known threat actor.

AbuseIPDB threat intelligence lookup

🔴

Abuse confidence score

AbuseIPDB returns a score from 0 to 100. Above 80 means the IP is almost certainly malicious. The score is based on community reports from security teams worldwide.

📍

IP geolocation

Knowing where an attack originates helps with attribution. Combined with the abuse score it tells you whether to escalate or treat as noise.

📂

Abuse categories

Reports are categorised: SSH brute force, port scan, web attack, spam. This tells you what the IP is known for — which helps predict what it will try on your systems.

Become a SOC analyst

Work through this checklist to see how much you already know. Each item maps to something this project covers. In a real interview, these are exactly the topics you will be asked about.

SOC analyst is one of the most in-demand entry-level cybersecurity roles

0 / 10 skills covered

Understand what logs are and why they matter

Logs are the primary data source for a SOC. Without them, you have no visibility into what is happening on your systems.
Know the difference between a false positive and a real threat

Triage is the first skill every analyst develops. The ability to quickly assess an alert and determine if it deserves further investigation.
Understand MITRE ATT&CK tactics and techniques

Being able to map an event to a tactic and technique shows you understand attacker behaviour, not just tool output.
Know what brute force looks like in logs

Repeated failed SSH logins from one IP. Failed password for root. Invalid user attempts. These are the patterns you need to recognise instantly.
Understand threat intelligence and IP reputation

Knowing how to enrich an alert with external context — AbuseIPDB, VirusTotal, Shodan — is a core analyst skill that separates good from average.
Know the NIST incident response lifecycle

Preparation, Detection, Containment, Eradication, Recovery, Post-Incident. Every SOC team uses some version of this framework.
Understand what a SIEM does

A SIEM collects logs from everywhere and correlates them to surface suspicious patterns. Splunk and Elastic are the most common. Know the concept even if you have not used one.
Can read and write basic Python

Not every analyst codes but being able to read the tools you use, modify a script or write a quick parser is a major differentiator in interviews.
Know what a detection rule looks like

Being able to read a YAML detection rule, understand what it matches and explain why the threshold is set where it is shows detection engineering awareness.
Understand the principle of least privilege

Why do so many incidents involve compromised accounts with too much access? Because access control failed. Understanding this connects SOC work to the broader security picture.