Nguyen Dong

From Zero to 140 Features: How I Built a Cloud SOC Platform as a Solo Developer

How AI, open-source security tools, and relentless iteration turned a side project into a full-featured Security Operations Center.

The Problem

Here's a number that should scare you: 90% of small and medium businesses in Southeast Asia have zero security monitoring.
Not weak monitoring. Not basic monitoring. Zero.
They run their business, store customer data, process payments — all with no visibility into who's poking around their network. The reason? Traditional SOC platforms cost $100-300 per device per month. For an SMB with 50 endpoints, that's $60,000-$180,000 per year. Most can't justify that, so they just... hope for the best.

I decided to fix this. Alone.

What I Built

VRadar is a cloud-native SOC (Security Operations Center) platform that monitors networks, detects threats using AI, and responds automatically. Here's what 140+ features look like after 36 development phases:

The Core Stack

  • HIDS: Wazuh Manager 4.14.2 (3,000+ detection rules) — monitors every host
  • NIDS: Suricata IDS — analyzes network traffic in real-time
  • Database: PostgreSQL for relational data, ClickHouse for 1M+ security logs (fast analytical queries)
  • Cache: Redis with JWT blacklist for instant token revocation
  • Frontend: Next.js 15 with dark cyberpunk dashboard
  • Backend: Node.js + Express + TypeScript, 32 API modules
  • AI: GPT-4o-mini for threat analysis + autonomous agents

The Five AI Agents

This is what makes VRadar different. Instead of just collecting logs and showing dashboards, VRadar has 5 autonomous AI agents that actually do things:
  • AI Operator — Triages every alert automatically. Reads the alert, checks threat intelligence (AbuseIPDB, VirusTotal, MITRE ATT&CK), assigns severity, and decides if it needs human attention. Handles 80% of alerts without human intervention.
  • AI Monitor — Runs 9 health checks every 30 minutes (6 infrastructure + 3 security). Detects anomalies, generates incidents, escalates via Telegram.
  • AI Optimizer — Self-defense mechanism. When it detects flooding or scanning patterns, it auto-blocks attacking IPs and adjusts firewall rules.
  • AI Care — Customer support chatbot powered by RAG (Retrieval-Augmented Generation). Trained on product documentation, answers questions 24/7.
  • AI Marketing — Generates SEO-optimized blog posts and social media content from the knowledge base.

Security That Watches Itself

The platform doesn't just monitor your network — it monitors itself:
  • HIDS + NIDS running on the VRadar server itself
  • Auto-escalation: Alert → AI Triage → Incident → Notification → Auto-Response
  • Threat defense middleware that auto-blocks IPs showing scanning/flooding behavior

  • Compliance scoring against ISO 27001 (28 controls), PCI DSS v4.0 (27 controls), NIST CSF 2.0 (25 controls)

The Architecture

┌─────────────┐     ┌──────────────┐     ┌─────────────┐
│   Wazuh     │────▶│              │────▶│  ClickHouse │
│   Agents    │     │   Backend    │     │  (1M+ logs) │
└─────────────┘     │   (Node.js)  │     └─────────────┘
                    │              │
┌─────────────┐     │  32 Modules  │     ┌─────────────┐
│  Suricata   │────▶│  5 AI Agents │────▶│ PostgreSQL  │
│   (NIDS)    │     │  80 Controls │     │  (Prisma)   │
└─────────────┘     └──────┬───────┘     └─────────────┘
                           │
                    ┌──────▼───────┐
                    │   Next.js    │
                    │  Dashboard   │
                    │ (Dark Theme) │
                    └──────────────┘

12 Docker containers, orchestrated with Docker Compose. The entire platform runs on a single VPS with 23GB RAM.
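The "5 AI Agents" box in the backend is where the Alert → AI Triage → Incident chain runs. The block below is an added example for this article, not VRadar's code, showing how the AI Operator's triage step can be built so that it degrades safely: a structured prompt carrying the alert plus threat intel, strict validation of the model's reply, a deterministic fallback when the model call fails or returns off-schema text, and a cache so a repeated alert never costs a second model call. The alert shape, prompt wording, rule-level bands and cache key are assumptions; the model client and intel lookup are injected so the code runs offline.

```typescript
// Added example (not VRadar's code): the triage stage of an Alert → AI Triage → Incident chain.
// It builds a structured prompt (alert + threat intel), validates the model's answer strictly,
// falls back to a rule-level mapping when the model fails or returns garbage, and caches verdicts
// so a repeated alert never hits the model twice. The alert shape, prompt text, level bands and
// cache key are assumptions for this example; the model client and intel lookup are injected so
// the code runs offline.

export interface WazuhAlert { ruleId: string; level: number; description: string; agent: string; srcIp?: string }
export type Severity = 'low' | 'medium' | 'high' | 'critical';
export interface Triage { severity: Severity; needsHuman: boolean; rationale: string; source: 'ai' | 'fallback' | 'cache' }
export interface Intel { abuseScore: number; seenInCampaign: boolean }

export type ModelClient = (prompt: string) => Promise<string>;
export type IntelLookup = (ip: string) => Promise<Intel>;

/** Minimal stand-in for Redis `SET key value EX ttl` / `GET key`; `now` is passed in so tests are deterministic. */
export class TtlCache {
  private entries = new Map<string, { value: string; expiresAt: number }>();
  get(key: string, now: number): string | undefined {
    const e = this.entries.get(key);
    if (!e) return undefined;
    if (now >= e.expiresAt) { this.entries.delete(key); return undefined; }
    return e.value;
  }
  set(key: string, value: string, ttlMs: number, now: number): void {
    this.entries.set(key, { value, expiresAt: now + ttlMs });
  }
}

const SEVERITIES: readonly Severity[] = ['low', 'medium', 'high', 'critical'];

/** Deterministic fallback: map the Wazuh rule level to a severity (bands are an assumption),
 *  and let a high abuse score push a high-level alert to critical. */
export function fallbackTriage(a: WazuhAlert, intel?: Intel): Triage {
  let severity: Severity = a.level >= 12 ? 'high' : a.level >= 7 ? 'medium' : 'low';
  if (severity === 'high' && intel && intel.abuseScore >= 80) severity = 'critical';
  return { severity, needsHuman: severity === 'high' || severity === 'critical', rationale: `fallback: rule level ${a.level}`, source: 'fallback' };
}

/** Structured prompt: fixed instructions plus the alert and intel as JSON, asking for JSON back. */
export function buildPrompt(a: WazuhAlert, intel?: Intel): string {
  return [
    'You are a SOC tier-1 analyst. Classify the alert below.',
    'Answer with ONLY a JSON object of the form {"severity":"low|medium|high|critical","needsHuman":boolean,"rationale":string}.',
    `ALERT: ${JSON.stringify(a)}`,
    `THREAT_INTEL: ${JSON.stringify(intel ?? null)}`,
  ].join('\n');
}

/** Strict validation of the model's reply. Anything off-schema counts as a model failure. */
export function parseModelOutput(raw: string): Omit<Triage, 'source'> | null {
  try {
    const o = JSON.parse(raw);
    if (!SEVERITIES.includes(o?.severity) || typeof o?.needsHuman !== 'boolean' || typeof o?.rationale !== 'string') return null;
    return { severity: o.severity, needsHuman: o.needsHuman, rationale: o.rationale };
  } catch (_err) {
    return null;
  }
}

export class Triager {
  constructor(private model: ModelClient, private intel: IntelLookup, private cache: TtlCache, private cacheTtlMs = 60 * 60_000) {}

  async triage(a: WazuhAlert, now: number): Promise<Triage> {
    // The same rule from the same source almost always gets the same verdict: cache on that pair.
    const key = `triage:${a.ruleId}:${a.srcIp ?? a.agent}`;
    const cached = this.cache.get(key, now);
    if (cached) return { ...(JSON.parse(cached) as Triage), source: 'cache' };

    // Intel failures must not block triage either: treat them as "no intel".
    const intel = a.srcIp ? await this.intel(a.srcIp).catch(() => undefined) : undefined;
    let result: Triage;
    try {
      const parsed = parseModelOutput(await this.model(buildPrompt(a, intel)));
      result = parsed ? { ...parsed, source: 'ai' } : fallbackTriage(a, intel);
    } catch (_err) {
      result = fallbackTriage(a, intel); // timeout, 5xx, rate limit: the alert still gets a verdict
    }
    this.cache.set(key, JSON.stringify(result), this.cacheTtlMs, now);
    return result;
  }
}

/** Constructed offline run: a stub model and an intel lookup that flags one IP. */
export async function demo(): Promise<Triage> {
  const model: ModelClient = async () => JSON.stringify({ severity: 'high', needsHuman: true, rationale: 'repeated SSH failures from a flagged IP' });
  const intel: IntelLookup = async (ip) => ({ abuseScore: ip === '203.0.113.7' ? 95 : 0, seenInCampaign: false });
  const sampleAlert: WazuhAlert = { ruleId: '5712', level: 10, description: 'sshd: brute force trying to get access', agent: 'web-01', srcIp: '203.0.113.7' };
  return new Triager(model, intel, new TtlCache()).triage(sampleAlert, Date.now());
}
```

The point a practitioner should take from this is that the model's output is treated as untrusted input: the reply is parsed and checked against a fixed schema, and anything else is handled exactly like a network failure. Note also that the cache stores fallback verdicts for the full TTL; in practice you would give those a shorter TTL so the model is retried once it is healthy again.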

Lessons Learned Building Solo

1. AI is a Force Multiplier, Not a Replacement

GPT-4o-mini costs ~$2-5 per tenant per month for alert triage. At that price, every SMB can afford AI-powered security analysis. But it's not magic — you need:

  • Structured prompts with context (alert data + threat intel + historical patterns)
  • Fallback logic when AI fails (and it will)
  • Caching (Redis) to avoid redundant API calls — saved 94% on AI costs

2. Open Source is Your Superpower

Wazuh + Suricata give you enterprise-grade HIDS + NIDS for free. The real value I added:
  • Integration layer (webhook forwarding, ClickHouse storage)
  • AI triage on top of raw alerts
  • Multi-tenant SaaS wrapper
  • One-click agent installation scripts (Windows/Linux/macOS)

3. Security is Non-Negotiable from Day 1

Before going public, I did a full security hardening:
  • Penetration test: reduced risk from 6.2/10 to 2.8/10
  • OWASP Top 10: 9/10 pass
  • 3-layer rate limiting (Nginx → Express → per-endpoint)
  • MFA, Redis-backed JWT blacklist for instant token revocation, bcrypt with cost factor 12 for password hashing, AES-256-GCM encryption
  • ClickHouse/Redis authentication, Cloudflare DDoS protection
  • Fail2ban banned 14 attacking IPs within the first 30 minutes of installation

4. Ship Fast, But Track Everything

36 phases in 5 weeks. Every feature documented in CONTEXT.md (1,200+ lines). Every commit purposeful. The key: time-box features to 2-4 hours max, ship, observe, iterate.

The Numbers

| Metric | Value |
|:---|:---|
| Features | 140+ |
| Development phases | 36 |
| API modules | 32 |
| Compliance controls | 80 (ISO + PCI + NIST) |
| Security logs stored | 1,062,253 |
| AI agents | 5 |
| Docker services | 12 |
| Pentest risk score | 2.8/10 |
| QA score | 8.0/10 |
| Starting price | $25/device/month |
| Competitor price | $100-300/device/month |

What's Next

VRadar is live and serving customers in Vietnam. We're expanding to ASEAN markets with a simple pitch: get 80% of enterprise SOC capabilities at 20% of the cost.

The platform is built for SMBs with 10-500 endpoints. If you're an IT manager tired of having zero visibility into your security posture, or an MSSP looking for a white-label SOC platform — I'd love your feedback.

🔗 vradar.io

I'm Dong, a developer from Vietnam building security tools for businesses that can't afford a Fortune 500 security budget. Ask me anything in the comments.
