At work, nobody questions why we have logging, alerting, and a daily look at what changed overnight. At home, one network runs a NAS, a media stack, Home Assistant, and a handful of containers, and for years my only "security monitoring" was noticing that something was broken.

So I built myself a small, read-only security operations setup for the homelab: a daily audit script and a cross-domain digest agent that correlates it with everything else running on the network. Nothing here is novel security research. The interesting part is which production habits turned out to be worth carrying home, and which ones I deliberately left at the office.

Two layers, not one

The setup is split into two pieces with different jobs.

The daily audit is the boring, deterministic layer. Once a day it collects, locally and read-only: