Security Operations Center
Self-hosted Wazuh SIEM + Elasticsearch + RAG-enabled SOC dashboard + pentest tooling, running on the R730.
Owns the entire detection-and-response stack instead of renting it. Provides centralized monitoring across every node in the portfolio, plus a pentest workbench and AI-assisted alert triage that would otherwise require an MSSP.
A full self-hosted security stack at /home/will/security-stack with three composed pieces: Wazuh SIEM (ports 1514/1515), Elasticsearch (port 9200), and a RAG service backed by Qdrant for AI-assisted alert reasoning. A SOC dashboard fronts the alert queue and lets the operator query the RAG in natural language ("which hosts ran sudo today and have an unfamiliar process tree").
A dedicated pentest folder holds offensive tooling for periodic internal exercises. The whole stack runs in Docker Compose, with separate compose files for the SOC services and the RAG service.
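As an added illustration of the triage question quoted above (example code, not the project's own): a deterministic first pass that groups Wazuh sudo alerts per host for a given day and flags hosts whose sudo'd commands are absent from an assumed per-host baseline. The alert documents and baseline are constructed; the field names follow Wazuh's alert schema and sudo decoder.

```python
# Added example (not the project's code): a deterministic first pass at the dashboard
# question "which hosts ran sudo today and have an unfamiliar process tree", over
# Wazuh-style alert documents like those in the Elasticsearch index. All data is constructed.
from collections import defaultdict

# Assumed per-host baseline of sudo commands seen on earlier days (hand-built here).
BASELINE = {
    "r730": {"/usr/bin/apt-get", "/usr/bin/systemctl"},
    "pi-edge": {"/usr/bin/systemctl"},
}

# Constructed alerts; field names follow Wazuh's alert schema and sudo decoder.
SAMPLE_ALERTS = [
    {"timestamp": "2024-05-01T08:12:03.000+0000", "agent": {"name": "r730"},
     "decoder": {"name": "sudo"}, "data": {"srcuser": "will", "command": "/usr/bin/apt-get"}},
    {"timestamp": "2024-05-01T09:40:11.000+0000", "agent": {"name": "pi-edge"},
     "decoder": {"name": "sudo"}, "data": {"srcuser": "will", "command": "/usr/bin/curl"}},
    {"timestamp": "2024-04-30T23:59:59.000+0000", "agent": {"name": "pi-edge"},
     "decoder": {"name": "sudo"}, "data": {"srcuser": "will", "command": "/usr/bin/nc"}},
    {"timestamp": "2024-05-01T10:05:00.000+0000", "agent": {"name": "r730"},
     "decoder": {"name": "sshd"}, "data": {"srcuser": "will"}},  # not sudo: ignored
]

def sudo_by_host(alerts, day):
    """{host: {user: set(commands)}} for sudo alerts timestamped on ISO date `day`."""
    out = defaultdict(lambda: defaultdict(set))
    for a in alerts:
        if a.get("decoder", {}).get("name") != "sudo":
            continue
        if not a.get("timestamp", "").startswith(day):
            continue
        d = a.get("data", {})
        out[a["agent"]["name"]][d.get("srcuser", "?")].add(d.get("command", "?"))
    return out

def unfamiliar_sudo_hosts(alerts, baseline, day):
    """{host: sorted commands run via sudo on `day` that are absent from its baseline}.
    A host with no baseline entry has every command flagged, so a newly onboarded
    node is surfaced rather than silently passed."""
    flagged = {}
    for host, users in sudo_by_host(alerts, day).items():
        seen = set().union(*users.values())
        new = seen - baseline.get(host, set())
        if new:
            flagged[host] = sorted(new)
    return flagged

if __name__ == "__main__":
    print(unfamiliar_sudo_hosts(SAMPLE_ALERTS, BASELINE, "2024-05-01"))  # {'pi-edge': ['/usr/bin/curl']}
```

The flagged hosts and their unfamiliar commands are the context a RAG answer would be built on; the baseline comparison keeps the deterministic filtering separate from the model's reasoning.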
- > Wazuh agents on every Tailscale node
- > Elasticsearch index for log search
- > Qdrant vector DB for RAG-assisted triage
- > SOC dashboard + pentest tooling
- → Onboard one external pilot client
- → Productize as a "managed detection light" SKU
- → Auto-generate weekly threat-summary email