DEV Community

Muhammad Aminu Musa

Automating Threat Hunts: Building a SOC on a Startup Budget

 You don't need a SOC to act like you have one.

That's the mindset that changed how I think about security operations for early-stage companies. Most startups under 50 people assume they can't afford enterprise threat detection infrastructure. Splunk, CrowdStrike, Palo Alto: the list reads like a budget horror show.

But here's what I've learned building out detection capability on essentially zero budget: automation gets you 80% of the way there. The remaining 20% is triage, context, and human instinct. And you can buy the first 80% with mostly open-source tools and a few cloud credits.

This is how to build it.

The Core Problem

A Security Operations Center exists to do three things: detect threats fast, triage intelligently, respond effectively. In enterprise environments, this is handled by SIEMs, EDR, and teams of analysts watching dashboards.

In a startup? You have maybe one security person, if you're lucky. And they're probably also doing compliance, AppSec, and half the engineering team's code reviews.

The answer isn't hiring. It's automation.

Step 1: Centralize Your Logs First

You can't detect what you can't see. The first investment is always log aggregation.

For most startups: CloudTrail for AWS activity, VPC Flow Logs, application logs, authentication logs. You don't need Splunk; the ELK Stack handles millions of events per day on commodity hardware, Elastic Cloud's smallest deployments are cheap and come with a free trial, and a self-hosted stack costs only the hardware.

CloudTrail delivers gzipped JSON to an S3 bucket, so the usual Filebeat route is the `aws-s3` input or the `aws` module. The local-file input below assumes the records have already been synced down and flattened to one JSON event per line; parse them as JSON on the way in, or the Sigma field names used later in this post will never resolve.

```yaml
filebeat.inputs:
  # 'log' still works; Filebeat 7.16+ prefers type: filestream with a parsers/ndjson block.
  - type: log
    paths:
      - /var/log/cloudtrail/*
    json.keys_under_root: true   # promote CloudTrail fields (eventName, userIdentity, ...) to top level
    json.add_error_key: true     # flag lines that fail to parse instead of silently shipping raw strings
    fields:
      service: cloudtrail
      environment: production
```

The goal: all logs in one place within 60 seconds of an event occurring.

───

Step 2: Detection at Scale with Sigma Rules

Logs sitting in Elasticsearch don't detect anything. You need detection logic.

Sigma changes the game. It's a vendor-neutral signature format: you write the rule once and compile it to your SIEM's query language with sigma-cli and a pySigma backend (Elasticsearch, Splunk, and others). Instead of learning Splunk's query language, you write one rule that deploys everywhere:

```yaml
title: AWS Console Login Success
id: f47ac10b-58cc-4372-a567-0e02b2d3f159
status: experimental
description: >
  Matches every successful AWS console login. Whether the source is a region
  this principal has never used before is a stateful question, answered by a
  per-user baseline in the SIEM (enrichment or a correlation rule keyed on
  userIdentity.arn), not by this stateless selection.
author: Your SOC Team
tags:
  - attack.initial_access
  - attack.t1078.004
logsource:
  product: aws
  service: cloudtrail
detection:
  selection:
    eventName: ConsoleLogin
    responseElements.ConsoleLogin: Success
  condition: selection
falsepositives:
  - Every legitimate login; raise the level only after the baseline check says the location is new
level: informational
```

Two things to get right here. A plain Sigma rule has no memory, so "from a new region" cannot live in the `selection`; the rule above matches every successful login and the novelty check runs downstream against a baseline of where each principal has logged in from. That is also why the level is `informational` rather than `high`: a stateless rule that fires `high` on every successful login is the fastest way to teach yourself to ignore your own alerts. And keep `GetSessionToken` out of this selection; that API call does not carry `responseElements.ConsoleLogin`, so it needs its own rule if you want it.

The Sigma GitHub repo has thousands of community-written rules covering MITRE ATT&CK techniques. Prioritize initial access, credential access, and exfiltration.
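The stateful half of the "new region" check, as an added example that is not part of the original post. It runs the stateless selection from the rule above over constructed CloudTrail-shaped events, then keeps a per-principal baseline of countries and alerts on the first login from a country not in it. The GeoIP table, the documentation-prefix IP ranges and the principal ARNs are all constructed; in production the country lookup would come from MaxMind GeoLite2 or the SIEM's geo enrichment.

```python
"""Stateless Sigma selection (successful ConsoleLogin) plus the per-principal
country baseline that makes "from a new region" decidable. Events are constructed."""
import ipaddress
from collections import defaultdict

# Constructed stand-in for GeoIP (assumption: production uses MaxMind GeoLite2
# or the SIEM's geo enrichment; the ranges are RFC 5737 documentation prefixes).
GEO_TABLE = {
    "203.0.113.0/24": "DE",
    "198.51.100.0/24": "US",
    "192.0.2.0/24": "NG",
}


def country_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for cidr, country in GEO_TABLE.items():
        if addr in ipaddress.ip_network(cidr):
            return country
    return "??"


def sigma_match(event: dict) -> bool:
    """Stateless part, equivalent to the Sigma selection
    eventName: ConsoleLogin AND responseElements.ConsoleLogin: Success."""
    resp = event.get("responseElements") or {}
    return event.get("eventName") == "ConsoleLogin" and resp.get("ConsoleLogin") == "Success"


class NewRegionDetector:
    """Stateful part: countries each principal is confirmed to log in from.

    evaluate() never learns on its own. If the first login from a new country
    silently became baseline, an attacker's second login would be quiet; the
    analyst calls confirm() once the first alert is closed as benign."""

    def __init__(self):
        self.baseline = defaultdict(set)

    def learn(self, history):
        """Seed the baseline from a historical window (e.g. 30 days of CloudTrail)."""
        for ev in history:
            if sigma_match(ev):
                self.baseline[ev["userIdentity"]["arn"]].add(country_of(ev["sourceIPAddress"]))

    def confirm(self, arn: str, country: str):
        self.baseline[arn].add(country)

    def evaluate(self, event: dict):
        """None when the Sigma selection does not match; otherwise an alert dict."""
        if not sigma_match(event):
            return None
        arn, ip = event["userIdentity"]["arn"], event["sourceIPAddress"]
        country = country_of(ip)
        level = "info" if country in self.baseline[arn] else "high"
        return {"level": level, "arn": arn, "ip": ip, "country": country,
                "eventTime": event["eventTime"], "rule": "aws_console_login_new_region"}


def _ev(time, name, ip, arn, outcome=None):
    """Build a constructed CloudTrail-shaped record."""
    ev = {"eventTime": time, "eventName": name, "awsRegion": "us-east-1",
          "sourceIPAddress": ip, "userIdentity": {"arn": arn}}
    if outcome is not None:
        ev["responseElements"] = {"ConsoleLogin": outcome}
    return ev


ALICE = "arn:aws:iam::111122223333:user/alice"  # constructed principals
BOB = "arn:aws:iam::111122223333:user/bob"

# Constructed history used to seed the baseline: alice from DE, bob from US.
HISTORY = [
    _ev("2024-05-01T08:00:00Z", "ConsoleLogin", "203.0.113.10", ALICE, "Success"),
    _ev("2024-05-09T09:30:00Z", "ConsoleLogin", "203.0.113.77", ALICE, "Success"),
    _ev("2024-05-12T14:00:00Z", "ConsoleLogin", "198.51.100.5", BOB, "Success"),
]

# Constructed live stream: known-country login, failed login from a new country,
# successful login from that country, an unrelated STS call, a second new-country login.
LIVE = [
    _ev("2024-06-03T10:00:00Z", "ConsoleLogin", "203.0.113.200", ALICE, "Success"),
    _ev("2024-06-03T10:05:00Z", "ConsoleLogin", "192.0.2.9", ALICE, "Failure"),
    _ev("2024-06-03T10:06:00Z", "ConsoleLogin", "192.0.2.9", ALICE, "Success"),
    _ev("2024-06-03T10:07:00Z", "GetSessionToken", "198.51.100.5", BOB),
    _ev("2024-06-03T10:20:00Z", "ConsoleLogin", "192.0.2.10", ALICE, "Success"),
]


def run(history, live):
    det = NewRegionDetector()
    det.learn(history)
    return [det.evaluate(ev) for ev in live]


if __name__ == "__main__":
    for alert in run(HISTORY, LIVE):
        if alert and alert["level"] == "high":
            print(f"[{alert['level']}] {alert['arn']} from {alert['country']} ({alert['ip']}) at {alert['eventTime']}")
```

Note that the failed login and the `GetSessionToken` call produce nothing (the selection does not match), the DE login is `info`, and both NG logins are `high` until an analyst confirms NG for alice. Whether you keep that baseline in the SIEM (a lookup index refreshed by a scheduled query) or in the SOAR layer is an implementation choice; the point is that something has to hold state, and that something should not be the detection rule.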

───

Step 3: Automate Alert Triage

Here's where most startups give up. They set up detection, get their first 47 alerts, and spend an entire Tuesday triaging low-severity noise.

The answer isn't fewer alerts. It's smarter triage.

• Critical: active breach indicators. Wake someone up immediately.
• High: suspicious behaviour, possible initial access. Triage within an hour.
• Medium: anomalous but explainable. Triage within 24 hours.
• Low: policy violations. Batch review weekly.

For critical and high: set up a Slack webhook to a dedicated security-alerts channel. For medium and low: one hour every Monday morning.

───

Step 4: Automate Response Playbooks

When an alert fires, your first response shouldn't be "figure out what to do." It should be "run the playbook."

Here's a real example for a suspicious ConsoleLogin from a new region:

  1. Check whether the source IP is in a known VPN exit-node list
  2. Check whether the user has a history of logging in from this location
  3. If not, cut the session off. There is no API call that revokes one session token directly; for a role, attach a deny policy conditioned on `aws:TokenIssueTime` (what the console's "Revoke active sessions" button does), and for an IAM user also deactivate the user's long-term access keys, which carry no issue time and are untouched by that policy
  4. Notify the user via Slack DM
  5. Document everything with timestamp and action taken

This playbook takes 30 seconds manually. When automated with SOAR, it runs in 3 seconds. Open-source options: Shuffle, TheHive, Cortex.
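The five steps above as one runnable playbook, added here as an example rather than taken from the post or from Shuffle. The IAM client is injectable: the block ships a recording stand-in with the same call shapes as `boto3.client('iam')`, and the assumption is that passing the real client is the only change needed in production. The VPN exit range, the principal ARNs, the frozen clock and the access-key response are all constructed; the `AWSRevokeOlderSessions` policy name and the `aws:TokenIssueTime` condition are the ones IAM itself uses.

```python
"""Playbook for the 'console login from a new region' alert, with an
injectable IAM client so the decision logic runs without AWS."""
import ipaddress
import json
from datetime import datetime, timezone

# Constructed VPN exit-node list (assumption: production pulls your VPN
# provider's published egress ranges or your own gateway addresses).
VPN_EXIT_NODES = [ipaddress.ip_network("203.0.113.0/28")]
POLICY_NAME = "AWSRevokeOlderSessions"  # the inline policy name the IAM console uses
ALICE = "arn:aws:iam::111122223333:user/alice"  # constructed principal
FROZEN_NOW = datetime(2024, 6, 3, 10, 6, tzinfo=timezone.utc)  # fixed clock for repeatable runs


def is_vpn_exit(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_EXIT_NODES)


def revoke_policy(issued_before: datetime) -> dict:
    """Deny every action to temporary credentials issued before the given time.
    This is what the IAM console's 'Revoke active sessions' button attaches.
    Long-term access keys have no issue time, so they must be deactivated separately."""
    stamp = issued_before.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
                           "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}}}]}


def principal(arn: str):
    """('user', name) or ('role', name) from an IAM user/role or STS assumed-role ARN."""
    kind, _, rest = arn.split(":", 5)[5].partition("/")
    if kind == "assumed-role":
        return "role", rest.split("/")[0]
    return kind, rest


class RecordingIAM:
    """Stand-in for boto3.client('iam') with the same call shapes; records
    calls instead of making them."""
    def __init__(self):
        self.calls = []

    def put_user_policy(self, **kw):
        self.calls.append(("put_user_policy", kw))

    def put_role_policy(self, **kw):
        self.calls.append(("put_role_policy", kw))

    def list_access_keys(self, **kw):
        # Constructed response: one active key, using AWS's documentation example key ID.
        return {"AccessKeyMetadata": [{"AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Status": "Active"}]}

    def update_access_key(self, **kw):
        self.calls.append(("update_access_key", kw))


class Playbook:
    def __init__(self, iam, known_countries, now=lambda: datetime.now(timezone.utc)):
        self.iam = iam
        self.known = known_countries  # {arn: {"DE", ...}}, the detector's confirmed baseline
        self.now = now
        self.audit = []          # step 5: one record per run
        self.notifications = []  # step 4: Slack DM payloads (delivery is out of scope here)

    def run(self, alert: dict) -> dict:
        arn, ip, country = alert["arn"], alert["ip"], alert["country"]
        actions, policy = [], None
        if is_vpn_exit(ip):                                   # step 1
            verdict = "benign: corporate VPN exit"
        elif country in self.known.get(arn, set()):           # step 2
            verdict = "benign: previously confirmed location"
        else:                                                 # step 3
            verdict = "revoked"
            kind, name = principal(arn)
            policy = revoke_policy(self.now())
            if kind == "role":
                # Caveat: this ends every session of the role, not only this user's.
                self.iam.put_role_policy(RoleName=name, PolicyName=POLICY_NAME,
                                         PolicyDocument=json.dumps(policy))
            else:
                self.iam.put_user_policy(UserName=name, PolicyName=POLICY_NAME,
                                         PolicyDocument=json.dumps(policy))
                for key in self.iam.list_access_keys(UserName=name)["AccessKeyMetadata"]:
                    if key["Status"] == "Active":
                        self.iam.update_access_key(UserName=name, AccessKeyId=key["AccessKeyId"],
                                                   Status="Inactive")
                        actions.append(f"deactivated access key {key['AccessKeyId']}")
            actions.append(f"attached {POLICY_NAME}")
            self.notifications.append({"to": arn, "text": (                       # step 4
                f"Your AWS session from {ip} ({country}) was revoked at {self.now().isoformat()}. "
                "Contact security if this was you.")})
            actions.append("notified user")
        record = {"ts": self.now().isoformat(), "alert": alert, "verdict": verdict,
                  "actions": actions, "policy": policy}                           # step 5
        self.audit.append(record)
        return record


if __name__ == "__main__":
    pb = Playbook(RecordingIAM(), {ALICE: {"DE"}}, now=lambda: FROZEN_NOW)
    print(json.dumps(pb.run({"arn": ALICE, "ip": "192.0.2.9", "country": "NG"}), indent=2))
```

The two benign branches deliberately make no IAM calls at all, so a misfiring detector costs you a Slack message rather than a locked-out engineer. The role branch is the one to think hardest about before wiring it to run unattended: one deny policy on a shared role logs out everyone using it.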

Step 5: Feed Threat Intelligence Into Your SIEM

Pull IOCs (known malicious IPs, domains, file hashes) into your SIEM. When a rule matches an event that also hits an indicator, the alert's severity goes up immediately.

Free sources: AlienVault OTX, AbuseIPDB, VirusTotal (public API, 500 requests/day), CISA KEV. KEV is a catalog of exploited CVEs rather than a network indicator feed; use it to prioritise patching and vulnerability alerts, not for IP matching.

Pull these daily, expire indicators that haven't been seen recently, and correlate against your logs. The moment an IP with a high AbuseIPDB confidence score hits your web server, that's a high-severity alert; a bare listing with a low score is mostly internet background scanning and will bury you in noise.
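Steps 3 and 5 together, as an added example that is not part of the original post: a constructed indicator feed is loaded with an age gate, matched (exact IP and CIDR) against constructed nginx access-log lines, and a matching alert is escalated to at least high and routed by the severity tiers from Step 3. The feed columns, the two toy web rules standing in for the Sigma layer, the route names and the log lines are all assumptions; real OTX and AbuseIPDB exports have their own schemas that you would normalise into this shape.

```python
"""IOC enrichment plus severity routing over constructed web-server log lines."""
import csv
import io
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed feed in the shape you would normalise AbuseIPDB/OTX exports into
# (assumption: real exports have their own schemas). The third row is stale.
FEED = """\
indicator,type,confidence,last_seen,source
192.0.2.44,ip,100,2024-06-01,abuseipdb
198.51.100.0/24,cidr,95,2024-06-02,otx
203.0.113.9,ip,100,2023-01-01,abuseipdb
"""

# Constructed nginx combined-format lines.
LOG_LINES = [
    '192.0.2.44 - - [03/Jun/2024:10:00:01 +0000] "POST /login HTTP/1.1" 401 512',
    '198.51.100.7 - - [03/Jun/2024:10:00:05 +0000] "GET /admin HTTP/1.1" 200 2048',
    '203.0.113.9 - - [03/Jun/2024:10:00:09 +0000] "POST /login HTTP/1.1" 401 512',
    '203.0.113.50 - - [03/Jun/2024:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
NOW = datetime(2024, 6, 3, tzinfo=timezone.utc)  # fixed clock for repeatable runs

LEVELS = ["low", "medium", "high", "critical"]
ROUTES = {"critical": "page on-call", "high": "slack:#security-alerts",   # Step 3 tiers
          "medium": "queue:24h", "low": "queue:weekly"}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def load_feed(text: str, now: datetime, max_age_days: int = 30) -> dict:
    """Index indicators by type, dropping entries not seen within max_age_days.
    Stale IPs (re-assigned cloud addresses) are the main false-positive source
    in free feeds, so the age gate sits at load time, not at match time."""
    iocs = {"ip": {}, "cidr": []}
    for row in csv.DictReader(io.StringIO(text)):
        seen = datetime.fromisoformat(row["last_seen"]).replace(tzinfo=timezone.utc)
        if now - seen > timedelta(days=max_age_days):
            continue
        entry = (int(row["confidence"]), row["source"])
        if row["type"] == "ip":
            iocs["ip"][row["indicator"]] = entry
        elif row["type"] == "cidr":
            iocs["cidr"].append((ipaddress.ip_network(row["indicator"]), entry))
    return iocs


def lookup_ip(iocs: dict, ip: str):
    """(confidence, source) for an exact or CIDR hit, else None."""
    if ip in iocs["ip"]:
        return iocs["ip"][ip]
    addr = ipaddress.ip_address(ip)
    for net, entry in iocs["cidr"]:
        if addr in net:
            return entry
    return None


def base_alert(line: str):
    """Two toy rules standing in for the Sigma layer (assumption)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, path, status = m["ip"], m["path"], m["status"]
    if path.startswith("/login") and status == "401":
        return {"rule": "web_failed_login", "level": "low", "ip": ip}
    if path.startswith("/admin"):
        return {"rule": "web_admin_access", "level": "medium", "ip": ip}
    return None


def escalate(level: str, floor: str) -> str:
    """Raise level to at least floor; never lower it."""
    return LEVELS[max(LEVELS.index(level), LEVELS.index(floor))]


def triage(lines, feed_text, now, min_confidence=90):
    """Enrich each base alert with IOC context and attach its route."""
    iocs = load_feed(feed_text, now)
    routed = []
    for line in lines:
        alert = base_alert(line)
        if alert is None:
            continue
        hit = lookup_ip(iocs, alert["ip"])
        if hit and hit[0] >= min_confidence:
            alert["level"] = escalate(alert["level"], "high")
            alert["ioc"] = {"confidence": hit[0], "source": hit[1]}
        alert["route"] = ROUTES[alert["level"]]
        routed.append(alert)
    return routed


if __name__ == "__main__":
    for a in triage(LOG_LINES, FEED, NOW):
        print(a)
```

The stale AbuseIPDB entry is the case worth noticing: the third log line is a failed login from an IP the feed listed eighteen months ago, and it stays at `low` and goes to the weekly queue instead of paging anyone. Tune `max_age_days` and `min_confidence` per feed; the same thresholds do not fit OTX pulses and AbuseIPDB scores.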

The Honest Cost

Here's what a startup SOC actually costs:

• ELK Stack: $50-200/month on Elastic Cloud
• Threat intel feeds: free
• Sigma rules: free
• Shuffle SOAR: free, open source

Total: under $200/month for a detection capability that would cost $50k+ in enterprise tooling.

The one thing you can't buy: human judgment. Schedule time every week to review what your automation caught.

What You Take Away From This

  1. Centralize your logs first - you can't detect what you can't see
  2. Write detection as code - Sigma rules are portable and version-controlled
  3. Automate triage: page on criticals, Slack for highs, weekly review for everything else
  4. Write playbooks before you need them - speed of response matters more than perfection
  5. Feed threat intel into your SIEM - Sigma rules + live IOCs catch most initial access attempts
  6. Under $200/month buys you 80% of enterprise detection; the remaining 20% is human judgment

You don't need a SOC. You need SOC thinking: automated detection, structured response, continuous improvement.

Build the machine. Let it hunt while you sleep.
