Presidio is the most ambitious project I have ever built. It is not a single tool - it is an ecosystem of six systems that must work together seamlessly: Wazuh for SIEM and detection, Velociraptor for EDR, Shuffle for SOAR orchestration, DFIR-IRIS for case management, MISP for threat intelligence, and a unified SOC portal built on Grafana.
The first architectural decision was critical: every component runs on dedicated Proxmox infrastructure. No shared containers, no "let's run everything on one machine." It seems like overkill, but when Wazuh is processing thousands of events per second, the last thing you want is your case manager stalling because it shares CPU with the SIEM.
Integration: the real work
Installing six open source tools is easy. Making them talk to each other is where the real engineering begins. I wrote custom bridges to connect Wazuh to Shuffle, Shuffle to DFIR-IRIS, MISP to everything. Each integration required deeply understanding every component's API, handling different data formats, and implementing robust retry logic.
The five SOAR playbooks are the heart of automation. From initial triage to automatic enrichment with MISP, from automatic case creation in DFIR-IRIS to notification, every playbook was tested on real scenarios. The SSH brute force response playbook, for example, correlates Wazuh events with MISP data, creates a case, and can automatically block the IP - all in under 30 seconds.
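Added example, not code from Presidio or from any of the six projects: a stand-alone Python sketch of the decision logic such an SSH brute-force playbook has to implement, plus the retry wrapper a bridge needs around its outbound calls. The alert records follow the Wazuh alert JSON layout (rule.groups, agent.name, data.srcip, timestamp) but their values are constructed; the MISP lookup is an offline stub standing in for the real /attributes/restSearch call; the DFIR-IRIS case field names are illustrative and must be checked against the IRIS API version in use. Thresholds (5 failures per 60 s to flag, 10 or a MISP hit to auto-block) are assumptions, not Presidio's settings.

```python
import json
import time
from collections import defaultdict
from datetime import datetime
from typing import Callable, Optional

# --- Constructed sample input (field layout as in Wazuh alerts; values made up) --
FAIL_GROUPS = ["syslog", "sshd", "authentication_failed"]
SAMPLE_ALERTS = [
    {"timestamp": "2024-05-01T10:00:%02dZ" % s, "rule": {"level": 5, "groups": FAIL_GROUPS},
     "agent": {"name": "web-01"}, "data": {"srcip": "203.0.113.7", "dstuser": "root"}}
    for s in range(0, 12, 2)                     # six failures in ten seconds
] + [
    {"timestamp": "2024-05-01T10:00:05Z", "rule": {"level": 5, "groups": FAIL_GROUPS},
     "agent": {"name": "web-01"}, "data": {"srcip": "198.51.100.20", "dstuser": "deploy"}},
    {"timestamp": "2024-05-01T10:00:06Z",
     "rule": {"level": 3, "groups": ["syslog", "sshd", "authentication_success"]},
     "agent": {"name": "web-01"}, "data": {"srcip": "192.0.2.9", "dstuser": "deploy"}},
]

# Constructed stand-in for a MISP attribute search keyed by IP value.
FAKE_MISP = {"203.0.113.7": {"event_id": 42, "tags": ["tlp:amber", "ssh-bruteforce"]}}

def misp_lookup_offline(ip: str) -> Optional[dict]:
    return FAKE_MISP.get(ip)

def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def triage(alerts: list, threshold: int = 5, window_s: int = 60) -> dict:
    """Return {srcip: max failures seen inside any `window_s` window} for IPs
    whose sshd authentication failures reach `threshold`. Two-pointer sweep."""
    failures = defaultdict(list)
    for a in alerts:
        g = a["rule"]["groups"]
        if "sshd" in g and "authentication_failed" in g:
            failures[a["data"]["srcip"]].append(parse_ts(a["timestamp"]))
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):
            while j < len(times) and (times[j] - times[i]).total_seconds() < window_s:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[ip] = best
    return flagged

def build_case(ip: str, count: int, misp_hit: Optional[dict], agent: str) -> dict:
    """Shape the case-creation payload. Field names are illustrative (assumption),
    not a verified DFIR-IRIS schema."""
    return {
        "case_name": f"SSH brute force from {ip} against {agent}",
        "case_description": f"{count} failed sshd logins; MISP: "
                            + ("known indicator" if misp_hit else "no match"),
        "severity": "high" if misp_hit else "medium",
        "tags": ["ssh", "bruteforce"] + (misp_hit.get("tags", []) if misp_hit else []),
    }

def run_playbook(alerts: list, misp_lookup: Callable[[str], Optional[dict]] = misp_lookup_offline,
                 block_threshold: int = 10) -> dict:
    """Triage -> enrich -> case -> (conditional) block. Auto-block only when
    corroborated by a MISP hit or a volume far above the triage threshold;
    anything weaker gets a case for an analyst but no automatic action."""
    result = {"flagged": triage(alerts), "cases": [], "blocked": []}
    for ip, count in result["flagged"].items():
        agent = next(a["agent"]["name"] for a in alerts if a["data"].get("srcip") == ip)
        hit = misp_lookup(ip)
        result["cases"].append(build_case(ip, count, hit, agent))
        if hit or count >= block_threshold:
            result["blocked"].append(ip)
    return result

def with_retries(call: Callable[[], dict], attempts: int = 3, base_delay: float = 0.0) -> dict:
    """Run a bridge call with exponential backoff on transport errors; give up
    with RuntimeError after `attempts` tries so the playbook can fail loudly."""
    last_exc: Optional[Exception] = None
    for n in range(attempts):
        try:
            return call()
        except (ConnectionError, TimeoutError) as exc:
            last_exc = exc
            time.sleep(base_delay * (2 ** n))
    raise RuntimeError("bridge call failed after %d attempts" % attempts) from last_exc

def flaky_bridge(failures_before_success: int) -> Callable[[], dict]:
    """Constructed bridge: raises ConnectionError N times, then succeeds. Stands
    in for an HTTP call to Shuffle, IRIS or MISP."""
    state = {"calls": 0}
    def call() -> dict:
        state["calls"] += 1
        if state["calls"] <= failures_before_success:
            raise ConnectionError("bridge unreachable")
        return {"ok": True, "calls": state["calls"]}
    return call

if __name__ == "__main__":
    print(json.dumps(run_playbook(SAMPLE_ALERTS), indent=2))
    print(with_retries(flaky_bridge(2)))
```

The point the sketch makes is the gating: enrichment decides whether the response escalates from "open a case" to "block the source", and the retry wrapper must eventually raise rather than swallow a dead bridge, otherwise the SOAR run reports success while no case was ever created.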
The Grafana portal at 95% coverage was not built in a day. Every dashboard was built iteratively, talking with the people who would actually use it. Security metrics, not vanity metrics. Mean time to detection, response time, top alerts by severity, playbook status - information that actually matters during a SOC shift.
If you want to dive deeper into this topic or need specialized consulting, let us talk.