BrainSOC
In productionMulti-tenant SIEM
Collects security events from across an estate, correlates them, and turns the result into something an analyst can act on — running on our own infrastructure before anyone else’s.
Why BrainSOC exists
A SIEM earns its keep on the day an attack is halfway through, not on the day it is installed. BrainSOC collects events from endpoints, network devices, storage and virtualisation platforms, normalises them, applies detection rules, and connects related activity across sources — so a port scan, a failed login and a lateral move surface as one case rather than three unrelated rows in three tools.
It watches our own estate today. That is the honest scope of its production use: it is our SIEM, monitoring our infrastructure, with no external tenants yet. Everything we learn running it against ourselves goes back into it before we offer it as a service.
In operation
What is running today
The precise scope of its use right now — not what it could do.
- Running continuously on Braincap infrastructure, monitoring our own estate
- Collectors polling our firewalls, virtualisation, storage arrays and hosting panels
- Endpoint agents enrolled and reporting; cases and threat-intelligence watchlists in daily use
- No external tenants yet
Capabilities
What it does
Nothing disappears quietly
Events arrive over syslog, HTTP or our own agent. When a pipeline saturates, the event is accounted for rather than silently dropped — a SIEM that loses events during a flood is worse than no SIEM, because you trust it.
An agent that survives the network
It buffers locally when the server is unreachable, replays without flooding it on reconnect, and remembers where it was so a restart does not re-send history. It is built to stay small enough that nobody notices it on the host.
Updates the agent verifies itself
Agents check a cryptographic signature before replacing themselves, keep a backup, and roll back on failure. With no key configured they refuse every update rather than trusting one — a fleet of auto-updating agents is otherwise the perfect way in.
Detection rules you can change at 3am
Rules use the open Sigma format and reload while the engine runs. A rule that will not compile does not take the others down, and a bad reload rolls back on its own.
Correlation across sources
Activity is tracked per entity across every source, with a risk score built from evidence rather than a single alert — so the picture forms from what actually happened, not from whichever tool shouted first.
Collectors for the gear that is really out there
Firewalls, application delivery controllers, switching, fibre-channel fabrics, enterprise storage, virtualisation and hosting panels — written against the appliances in front of us and debugged against their real behaviour, not their documentation.
Roadmap
What comes next
- External tenants and managed-service onboarding
- GPU-accelerated detection, with the CPU path always present
Interested in BrainSOC?
Tell us about the problem you are trying to solve — an engineer answers, not a form.