Introduction
In an increasingly complex digital era, cyber threats continue to evolve at a rapid pace. Organizations of all sizes need security systems that are both robust and efficient. Enter T-Guard, a Security Operations Center (SOC) solution that integrates leading open-source tools into a single, cohesive platform.
T-Guard is not just a collection of security tools. It is a complete ecosystem designed to provide comprehensive protection for your digital assets. Developed with support from Universitas Indonesia - Japan International Cooperation Agency (UI-JICA Project), this project demonstrates how collaboration between academia and security practitioners can produce truly impactful solutions.
Why T-Guard?
T-Guard addresses a major challenge organizations face when building a SOC: integration. Instead of hiring a large team to manage multiple disparate platforms, T-Guard unifies four key pillars of cybersecurity under one roof:
| Component | Function | License |
|---|---|---|
| Wazuh | Real-time monitoring, threat detection, and compliance | GPL v2.0 |
| DFIR-IRIS | Incident management and digital forensics | LGPL v3.0 |
| Shuffle | Security workflow automation (SOAR) | AGPL v3.0 |
| MISP | Open-source threat intelligence platform | AGPL v3.0 |
By combining these four tools, T-Guard delivers a complete defense lifecycle: detection (Wazuh), intelligence (MISP), automated response (Shuffle), and incident management (IRIS).
Simple Installation
One of T-Guard's greatest strengths is its ease of installation. Within minutes, you can have a fully functional SOC up and running.
Prerequisites
- OS: Ubuntu 24.04 LTS (fresh machine recommended)
- Connection: Broadband internet
Minimum requirements (trial deployments):
- CPU: 8 cores
- RAM: 16 GB (swap memory required)
- Storage: 100 GB
Standard requirements (production environments):
- CPU: 8 cores
- RAM: 32 GB (no swap needed)
- Storage: 250 GB
Installation Steps
Installation is performed through an interactive command-line script. Here's the overview:
- Clone the repository, make the setup script executable and run it:

```bash
git clone https://github.com/sguresearcher/nusantara.git
cd nusantara
chmod +x setup.sh
./setup.sh
```

- Main menu options:
  - 1 → Update system & install dependencies (Docker, etc.)
  - 2 → Install T-Guard SOC package (choose environment: local VM or cloud)
  - 3 → Module integration (API keys, webhooks)
  - 4 → Use case simulation menu
The installation process runs automatically. Upon completion, you will receive a table with dashboard access information for each module:
| Service | URL | Username | Password |
|---|---|---|---|
| Wazuh | https://<ip> | admin | SecretPassword |
| IRIS | https://<ip>:8443 | administrator | MySuperAdminPassword! |
| Shuffle | http://<ip>:3001 | Create your own | Create your own |
| MISP | https://<ip>:1443 | admin@admin.test | admin |
Note: SSL warnings in your browser are normal due to self-signed certificates; for production, installing official certificates is recommended. The Wazuh, IRIS and MISP credentials in the table are the installer's defaults and are published in this documentation, so change them before exposing any dashboard beyond the local network.
Use Cases: Proving T-Guard's Capabilities
The T-Guard documentation provides three simulated attack scenarios to demonstrate how all components work together automatically.
1. Brute-Force Detection
Scenario: Simulated repeated login attempts against SSH.
Results:
- Wazuh detects the brute-force attempts
- Alerts are sent to Shuffle
- Shuffle automatically creates a new incident ticket in IRIS
- The SOC team can immediately review attack details and begin investigation
2. Malware Detection with Auto-Response
Scenario: A malicious file (malware) is uploaded to the system.
Results:
- Wazuh's File Integrity Monitoring (FIM) detects the new file
- The VirusTotal integration (API key required) looks up the file's hash and confirms the file as malware
- Wazuh automatically executes a response (e.g., deleting the file)
- Alerts and automated responses are recorded in the Wazuh dashboard
- A new incident ticket is created in IRIS
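The auto-response step of the malware scenario, as an added example that is not a script from T-Guard or from Wazuh: a Wazuh active-response handler written in Python. It follows the convention by which Wazuh's execd hands the triggering alert to a script as a JSON message on stdin, and reads the `data.virustotal.*` fields the VirusTotal integration emits; the allowed upload directories (`ALLOWED_ROOTS`), the sample file paths and the constructed alert are assumptions of this example. The confinement check is the part worth keeping: a path taken from an alert is attacker-influenced input, so the handler canonicalizes it and refuses to delete anything outside the expected directories.

```python
# Added example (not T-Guard's or Wazuh's own script): a Wazuh active-response
# handler for the VirusTotal use case. execd writes one JSON message to stdin;
# the handler acts only on "add" commands carrying a malicious verdict and
# refuses to delete anything outside ALLOWED_ROOTS (an assumption here).
import json
import os
import sys
import tempfile

# Assumption: the directories where untrusted uploads can land on this host.
ALLOWED_ROOTS = ("/var/www", "/srv/uploads")


def parse_execd_message(raw):
    """Validate the envelope Wazuh's execd writes to the script's stdin."""
    msg = json.loads(raw)
    if msg.get("version") != 1 or "command" not in msg or "parameters" not in msg:
        raise ValueError("not a Wazuh active-response message")
    return msg


def flagged_file(msg):
    """Return the file path if VirusTotal marked the alert's file malicious, else None.
    Field names follow the data.virustotal block of Wazuh's VirusTotal integration."""
    vt = msg["parameters"]["alert"].get("data", {}).get("virustotal", {})
    if str(vt.get("malicious")) != "1":
        return None
    return vt.get("source", {}).get("file")


def is_confined(path, roots):
    """True only if the resolved path lies under one of the (resolved) roots, so
    '..' segments or symlinks in an alert-supplied path cannot redirect the delete."""
    real = os.path.realpath(path)
    for root in roots:
        real_root = os.path.realpath(root)
        if real == real_root or real.startswith(real_root.rstrip("/") + "/"):
            return True
    return False


def handle(raw, roots=ALLOWED_ROOTS, remover=os.remove):
    """Process one execd message and describe what was done (stateless handler)."""
    msg = parse_execd_message(raw)
    if msg["command"] != "add":  # "delete" signals a timeout expiry; nothing to undo here
        return {"action": "ignored", "reason": "command " + msg["command"]}
    path = flagged_file(msg)
    if path is None:
        return {"action": "ignored", "reason": "no malicious verdict"}
    if not is_confined(path, roots):
        return {"action": "refused", "path": path, "reason": "outside allowed roots"}
    try:
        remover(path)
    except FileNotFoundError:
        return {"action": "missing", "path": path}
    return {"action": "deleted", "path": path}


def execd_message(path, malicious="1", command="add"):
    """Constructed execd message wrapping a VirusTotal-style alert (sample data)."""
    alert = {
        "rule": {"id": "87105", "level": 12, "description": "VirusTotal: Alert - " + path},
        "data": {"virustotal": {"malicious": malicious, "positives": "47", "total": "72",
                                "source": {"file": path, "md5": "0" * 32}}},
    }
    return json.dumps({"version": 1, "origin": {"name": "node01", "module": "wazuh-execd"},
                       "command": command,
                       "parameters": {"extra_args": [], "alert": alert, "program": "remove-threat.py"}})


def demo():
    """Exercise the handler against a real temporary upload directory; return outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        target = os.path.join(root, "evil.php")
        open(target, "w").close()
        outcomes = [
            handle(execd_message(target), roots=(root,)),                                   # deleted
            handle(execd_message(target), roots=(root,)),                                   # missing
            handle(execd_message(os.path.join(root, "..", "etc", "passwd")), roots=(root,)), # refused
            handle(execd_message(target, malicious="0"), roots=(root,)),                    # ignored
            handle(execd_message(target, command="delete"), roots=(root,)),                 # ignored
        ]
        outcomes.append({"file_exists": os.path.exists(target)})
    return outcomes


if __name__ == "__main__":
    # Deployed as an active-response script: read execd's message from stdin and act.
    # A real deployment would append the result to /var/ossec/logs/active-responses.log.
    print(json.dumps(handle(sys.stdin.read())))
```

`demo()` shows the five outcomes a reviewer should expect: the flagged file is removed, a second delivery reports it missing, a traversal path is refused, a clean verdict and a timeout command are ignored. Run the file with an execd message on stdin to use it as the actual script.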
3. Web Defacement Detection
Scenario: A sample website page is defaced.
Results:
- Wazuh's File Integrity Monitoring (FIM) module detects file content changes
- Alert with rule ID 550 (Integrity Checksum Changed) is triggered
- The SOC team is immediately notified of unauthorized changes to web assets
Threat Intelligence Integration with MISP
One of the most powerful features is the integration with MISP (Malware Information Sharing Platform). After installation, administrators can import over 100 threat feeds from MISP's defaults.json.
Quick steps:
- Navigate to https://github.com/MISP/MISP/blob/2.4/app/files/feed-metadata/defaults.json
- Copy the entire JSON content
- In MISP Dashboard: Sync Actions → Feeds → Import Feeds from JSON
- Select all feeds → Enable Selected → Fetch and Store All Feed Data
The threat intelligence from MISP is then used by Wazuh to enrich detection and perform IOC (Indicators of Compromise) matching.
Automation Workflow: Connecting the Pieces
A key highlight of T-Guard is how Shuffle orchestrates actions between components. For example, when Wazuh detects an alert:
- A webhook trigger in Shuffle receives the alert
- Shuffle extracts relevant data (source IP, rule description, log details)
- The workflow calls the IRIS module to create a new case with all alert information
- The SOC team sees a complete, auto-populated ticket ready for investigation
This automation eliminates manual hand-offs and accelerates response times dramatically.
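The MISP enrichment from the previous section and the Shuffle-to-IRIS hand-off described here, modelled offline in one added Python example that is not T-Guard's own workflow: a Wazuh alert (constructed sample, field names following Wazuh's alert JSON) is parsed, its observables are matched against MISP attributes (constructed, in the shape MISP's `/attributes/restSearch` returns), and the case payload for IRIS is assembled. The IRIS field names, the observable-to-attribute-type table and the level threshold are assumptions of this example.

```python
# Added example (not T-Guard's own workflow): the Shuffle step, offline.
# Wazuh alert -> observables -> MISP IOC match -> IRIS case payload.
import json
import ipaddress

# Constructed sample: the alert Wazuh posts to the Shuffle webhook for the
# SSH brute-force use case (field names follow Wazuh's alert JSON).
WAZUH_ALERT = {
    "id": "1714558532.123456",
    "timestamp": "2024-05-01T10:15:32.000+0000",
    "rule": {"id": "5712", "level": 10, "groups": ["syslog", "sshd", "authentication_failures"],
             "description": "sshd: brute force trying to get access to the system. Non existent user."},
    "agent": {"id": "001", "name": "web-01", "ip": "10.0.0.5"},
    "data": {"srcip": "203.0.113.77", "srcuser": "test"},
    "full_log": "May  1 10:15:31 web-01 sshd[4211]: Failed password for invalid user test "
                "from 203.0.113.77 port 51234 ssh2",
}

# Constructed sample: attributes a MISP restSearch would return from imported feeds.
MISP_ATTRIBUTES = [
    {"type": "ip-src", "value": "203.0.113.77", "to_ids": True,
     "Event": {"id": "42", "info": "SSH brute-force scanner list (constructed)"}},
    {"type": "ip-dst", "value": "198.51.100.9", "to_ids": True,
     "Event": {"id": "43", "info": "C2 infrastructure (constructed)"}},
    {"type": "ip-src", "value": "10.0.0.5", "to_ids": False,  # informational only
     "Event": {"id": "44", "info": "Internal host, not an indicator (constructed)"}},
]

# Assumptions: which MISP types each observable kind compares with, and the
# Wazuh level at which a case is opened even without an IOC hit.
MATCH_TYPES = {"ip": {"ip-src", "ip-dst"}, "sha256": {"sha256"}, "md5": {"md5"}}
CASE_LEVEL_THRESHOLD = 10


def extract_observables(alert):
    """The fields Shuffle hands on: validated IPs and FIM hashes from the alert."""
    obs = {"ip": set(), "sha256": set(), "md5": set()}
    data, syscheck = alert.get("data", {}), alert.get("syscheck", {})
    for key in ("srcip", "dstip"):
        val = data.get(key)
        if val:
            try:
                ipaddress.ip_address(val)
                obs["ip"].add(val)
            except ValueError:
                pass  # not an IP literal (e.g. a hostname); skip rather than match on junk
    for key in ("sha256_after", "md5_after"):
        if syscheck.get(key):
            obs[key.split("_")[0]].add(syscheck[key].lower())
    return obs


def match_misp(observables, attributes):
    """Exact-match observables against MISP attributes, honouring to_ids so that
    informational attributes never drive an automated action."""
    hits = []
    for attr in attributes:
        if not attr.get("to_ids"):
            continue
        for kind, types in MATCH_TYPES.items():
            if attr["type"] in types and attr["value"].lower() in observables[kind]:
                hits.append({"type": attr["type"], "value": attr["value"],
                             "event_id": attr["Event"]["id"], "event_info": attr["Event"]["info"]})
    return hits


def build_iris_case(alert, hits, customer_id=1):
    """Payload for IRIS case creation (field names and customer id are assumptions)."""
    rule, agent = alert["rule"], alert["agent"]
    srcip = alert.get("data", {}).get("srcip", "n/a")
    lines = [
        "**Wazuh rule** %s (level %s): %s" % (rule["id"], rule["level"], rule["description"]),
        "**Agent** %s (%s), **source IP** %s" % (agent["name"], agent.get("ip", "?"), srcip),
        "**Log**\n    " + alert.get("full_log", ""),
    ]
    if hits:
        lines.append("**MISP hits**\n" + "\n".join(
            "- %s %s (event %s: %s)" % (h["type"], h["value"], h["event_id"], h["event_info"])
            for h in hits))
    return {"case_soc_id": "wazuh-" + alert["id"], "case_customer": customer_id,
            "case_name": "[%s] %s from %s" % (agent["name"], rule["description"].rstrip("."), srcip),
            "case_description": "\n\n".join(lines)}


def handle_webhook(body):
    """The whole Shuffle step: webhook body in, IRIS payload (or a skip decision) out."""
    alert = json.loads(body) if isinstance(body, str) else body
    hits = match_misp(extract_observables(alert), MISP_ATTRIBUTES)
    if alert["rule"]["level"] < CASE_LEVEL_THRESHOLD and not hits:
        return {"open_case": False, "hits": hits}
    return {"open_case": True, "hits": hits, "iris_case": build_iris_case(alert, hits)}


if __name__ == "__main__":
    print(json.dumps(handle_webhook(WAZUH_ALERT), indent=2))
```

Two design points carry over to a real Shuffle workflow: only attributes with `to_ids` set count as indicators, because bulk-enabled feeds contain many informational attributes that must not open cases on their own, and a level threshold keeps low-severity alerts without an IOC hit out of IRIS so the queue stays reviewable.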
Conclusion
T-Guard is concrete proof that enterprise-grade SOC solutions can be built from well-integrated open-source components. This project is ideally suited for:
- Organizations looking to build an internal SOC with limited budgets
- Security teams wanting workflow automation without building from scratch
- Educational institutions and researchers studying modern SOC architecture
With clear installation guides, available testing scenarios, and community support, T-Guard offers a fast path toward maturing your organization's cybersecurity capabilities.
Resources & Links
| Resource | Link |
|---|---|
| Official T-Guard Website | https://tguard.org/ |
| Installation Documentation | https://docs.tguard.org/installation |
| GitHub Repository | https://github.com/sguresearcher/nusantara |
| License Information | Available on GitHub (mix of GPL, Apache, AGPL, LGPL) |
Closing Thought: Cybersecurity is not about the most expensive tools; it's about the most integrated systems that are ready to respond. T-Guard shows that open source can be a solid foundation for building the digital fortresses of tomorrow.