Why we build security on open source
Most security monitoring is built on tools the customer can't fully see into and can't take with them. The detections are a black box. The data lives in someone else's format. The bill scales with ingest, so the cheapest move is always to log less — which is exactly backwards.
We build differently, on open-source tooling, for one reason that matters more than the others: you keep what we build.
The stack
Nothing exotic — the boring, proven open-source security stack, assembled and tuned well:
- Wazuh for endpoint detection, file integrity, and log analysis.
- Security Onion to tie network and host visibility together.
- Zeek and Suricata at the network layer — context and signatures.
- OpenSearch / ELK for search and the retention an audit expects.
- MISP for threat intelligence that turns into real detections.
Each piece is replaceable, auditable, and yours. None of it phones home to a vendor.
What "you keep it" buys you
- Every detection is readable. A rule that fires is a rule you can open, test, and change. When it's noisy, you fix it — you don't file a ticket and hope.
- Your data stays in open formats. If you stop working with us, you lose nothing. Export everything and walk.
- Coverage doesn't bankrupt you. Without per-volume ingest licensing, you can afford to log more, not less — and that's also what makes the audit evidence real.
The catch, stated honestly
Open source isn't free in the way people hope. Someone has to tune it, patch it, and run it. A default Wazuh install will bury you in file-integrity noise. Suricata with every ruleset enabled is a wall of alerts nobody reads. The value isn't the software — it's the judgment to make it quiet and correct. That's the part we're paid for.
We run all of it ourselves, which is why we have opinions about, say, egress filtering with nftables or fingerprinting scanners at the edge.
The goal is to leave
Our engagements end with a handover: documentation, runbooks, and training, so your team owns what we built. We'd rather work ourselves out of a job than keep you dependent. Open source is what makes that possible — there's no license to claw back, nothing to hold hostage. You keep what we build. That's the whole pitch.