Standing Up a Lean SOC on a Shoestring: A Practical Blueprint for Small Security Teams
For years, the Security Operations Center has carried an intimidating price tag. Enterprise SIEM licenses, dedicated analysts, 24/7 monitoring contracts — the traditional model assumes a budget that most small and mid-sized businesses simply do not have. The result? A significant portion of US organizations have been flying blind, lacking any centralized visibility into their own environments.
That assumption is increasingly outdated. A maturing ecosystem of open-source tools, freely available threat intelligence feeds, and community-developed playbooks has quietly shifted the calculus. Today, a small IT team with the right architecture and discipline can stand up a functional SOC at a fraction of the conventional cost — sometimes at no direct licensing cost at all.
This guide is not about cutting corners. It is about making deliberate, informed choices that align capability with the realities of lean operations.
Defining "Functional" for a Small-Team SOC
Before selecting a single tool, it is worth establishing what success looks like at this scale. A lean SOC does not need to replicate the capabilities of a Fortune 500 security team. It does need to accomplish four core objectives:
- Centralized log collection and correlation — aggregating events from endpoints, firewalls, and critical services into a single pane of glass.
- Alerting with meaningful context — generating alerts that are actionable, not just voluminous.
- Structured incident response — a defined workflow for triaging, investigating, and closing cases.
- Threat intelligence integration — enriching alerts with external context to accelerate decision-making.
With those objectives in mind, the free toolchain practically selects itself.
The Core Stack: Four Tools, One Architecture
Wazuh: Your SIEM and EDR Foundation
Wazuh is the cornerstone of any cost-conscious SOC. It functions simultaneously as a host-based intrusion detection system (HIDS), a log management platform, and a lightweight EDR solution. Agents are deployed on endpoints — Windows, Linux, and macOS — and forward normalized events to a central Wazuh manager.
Out of the box, Wazuh ships with hundreds of detection rules mapped to the MITRE ATT&CK framework. It also integrates with vulnerability databases to surface unpatched software on monitored hosts. For teams already running an ELK stack (Elasticsearch, Logstash, Kibana), Wazuh slots in naturally; for everyone else, it bundles its own indexer and dashboard.
Deployment complexity is moderate. Budget a weekend for initial setup, rule tuning, and agent rollout across your environment. The tuning phase is not optional — an untuned Wazuh instance will generate enough false positives to paralyze a small team. Suppress noise aggressively in the first two weeks.
OpenCTI: Structuring Your Threat Intelligence
Raw threat intelligence is only useful when it is organized, searchable, and connected to your detection layer. OpenCTI, developed by ANSSI (the French national cybersecurity agency) and now maintained by Filigran, provides exactly that — a structured platform for ingesting, storing, and visualizing threat intelligence data.
Through its connector ecosystem, OpenCTI can pull indicators of compromise (IOCs) from sources like MITRE ATT&CK, AlienVault OTX, CISA advisories, and Abuse.ch — all free. Those indicators can then be exported to Wazuh or used to manually enrich cases in your incident response platform.
For a small team, OpenCTI is most valuable during investigation, not real-time detection. When an alert fires, an analyst can quickly query OpenCTI to determine whether an observed IP, domain, or hash has known associations with threat actor campaigns.
TheHive: Case Management and Response Coordination
Alerts without a structured workflow create chaos. TheHive is an open-source security incident response platform that gives your team a consistent, auditable process for managing cases from detection through closure.
Each alert escalated from Wazuh can be promoted into a TheHive case, where analysts document findings, assign tasks, log evidence, and track remediation steps. TheHive also integrates with Cortex, its companion analysis engine, which can automate observable enrichment — querying VirusTotal, Shodan, or your OpenCTI instance automatically when a new IOC is added to a case.
The combination of TheHive and Cortex effectively automates the first fifteen minutes of an investigation, freeing analysts to focus on higher-order judgment calls.
Shuffle: Lightweight SOAR Without the Enterprise Price Tag
No SOC blueprint is complete without some degree of automation. Shuffle is an open-source Security Orchestration, Automation, and Response (SOAR) platform that connects your tools through a visual workflow builder. Common use cases for a lean SOC include automatically creating TheHive cases from Wazuh alerts, sending Slack or email notifications when high-severity events fire, and triggering IP reputation lookups on newly observed network connections.
Shuffle reduces the manual handoffs between tools — a critical consideration when your "team" might be one or two people wearing multiple hats.
Architecture at a Glance
The recommended deployment model for most small teams is a single on-premises or cloud-hosted Linux server running Wazuh, TheHive, Cortex, and Shuffle as Docker containers, with OpenCTI on a separate instance due to its memory requirements. A modest virtual machine with 16GB of RAM and 4 vCPUs will handle environments up to approximately 500 endpoints before performance tuning becomes necessary.
Network segmentation matters here. Your SOC infrastructure should sit on a management VLAN with strict inbound access controls. Analyst access should require VPN and multi-factor authentication — a SOC that can itself be compromised is worse than no SOC at all.
Alert Triage Workflow
Technology is only half the equation. Without a defined triage process, even the best toolchain produces confusion. A workable baseline workflow for a two-analyst team looks like this:
- Tier 1 (Automated): Shuffle ingests Wazuh alerts, enriches observables via Cortex, and creates TheHive cases for anything scoring above a defined severity threshold.
- Tier 2 (Analyst Review): The on-call analyst reviews new cases each morning and at midday, classifying each as a true positive, false positive, or requiring further investigation.
- Tier 3 (Escalation): Confirmed incidents are escalated to the senior team member or external IR support, with all case notes preserved in TheHive for continuity.
Document this workflow. Laminate it if you must. Consistency during an incident reduces decision fatigue and ensures nothing falls through the cracks.
Common Pitfalls to Avoid
Skipping the tuning phase. Alert fatigue is the primary reason lean SOCs fail. Invest time upfront in suppressing known-good behavior before declaring the platform operational.
Underestimating storage requirements. Log data accumulates quickly. Define a retention policy before deployment, and ensure your infrastructure can accommodate 90 days of logs at minimum — a common requirement for US compliance frameworks including PCI-DSS and HIPAA.
Neglecting documentation. Open-source tools evolve rapidly. Maintain internal runbooks for every integration so that institutional knowledge does not walk out the door when a team member leaves.
Treating the SOC as a set-it-and-forget-it system. Detection rules require regular updates. Subscribe to Wazuh release notes, monitor CISA Known Exploited Vulnerabilities updates, and refresh your OpenCTI connectors monthly.
The Bottom Line
A zero-dollar licensing bill does not mean a zero-effort SOC. Building and maintaining this stack requires skilled people, disciplined processes, and ongoing attention. What it does not require is a six-figure vendor contract.
For security professionals working within the constraints of small IT teams, this architecture represents a genuine opportunity to close visibility gaps that threat actors have historically exploited with impunity. The tools exist. The community knowledge exists. The barrier now is execution — and that is precisely the kind of challenge that CyberKit is built to help you overcome.