A working security operations center in 2026 does not require a seven-figure license stack. The open-source detection ecosystem has matured to the point where small teams can stand up a credible SOC — log collection, network and endpoint detection, threat intelligence sharing, case management, automated response — without paying a vendor cent for the core engines. Wazuh has shipped four point releases since October 2025. Security Onion announced its 3.0 transition in March 2026. Suricata pushed 8.0.3 to fix security issues in January. The tools are moving fast.
What changed is not just the quality of any single project. It is that the categories now interlock cleanly: a Wazuh agent feeds a Suricata sensor’s alerts into TheHive, where a Cortex analyzer enriches an indicator from MISP and triggers a Shuffle playbook to isolate the host through Velociraptor. That stack is buildable in a quarter by two competent engineers. The cost is operational — tuning, rule maintenance, integration glue — not licensing. This is a working catalog of what to actually run, organized by the function it serves, with current versions and the pain points that come with each.
How to Read This Catalog
Every tool below is in active maintenance as of April 2026, with at least one release in the last six months and a credible community or commercial steward. Versions reflect the current stable release at time of writing. The tools are grouped by SOC function rather than ranked, because a SOC needs coverage across categories — running three SIEMs and no NDR is not a stack, it is a problem.
The tier labels in the reference graphic below map to deployment effort, not capability. Foundation tools are the ones you almost always want, Core tools fill specific gaps most SOCs hit, and Specialist tools solve narrower problems but solve them well.
Wazuh — The SIEM and XDR Foundation
Wazuh is the most defensible starting point for an open-source SOC stack in 2026. It bundles SIEM, XDR, file integrity monitoring, security configuration assessment, and vulnerability detection into one agent-and-manager architecture, and it ships at a release cadence most commercial vendors would envy. Version 4.14.5 landed on April 23, 2026, the fifth point release in the 4.14 line since October 2025. The 4.14.3 release in February added a CIS SCA policy for macOS 26 Tahoe, hardened cluster file transfer write paths, and replaced unsafe sprintf calls in the SCA decoder to prevent buffer overflows.
The agent is the part that earns its keep. It collects logs, runs FIM, evaluates configurations against benchmarks like CIS, PCI DSS, HIPAA, and GDPR, and reports vulnerability matches against installed packages — all through a single binary that runs on Linux, Windows, and macOS, with recently added platforms like AlmaLinux 10 and Debian 13. The 4.14.2 release added detection of the -a never,task auditd rule in FIM whodata for Linux, the kind of detail that matters when you are tuning around noisy auditd workloads.
The pain points are real. Wazuh demands meaningful server resources at scale, the documentation can overwhelm new operators, and tuning rules across a heterogeneous fleet takes weeks. The alerting layer consists of straightforward Lucene-style queries against the Wazuh indexer (an OpenSearch fork), which means analysts comfortable with Elastic SIEM transition cleanly. Those coming from Splunk will spend time relearning correlation patterns.
Security Onion — The Network Detection Distribution
Security Onion is the closest thing to a turnkey NDR appliance in the open-source world, and the project just announced the most significant transition in its recent history. The current stable build is 2.4.211, with a hotfix released April 7, 2026 to resolve a Suricata BPF handling issue in TRANSITION mode. The project announced a 6-month EOL notice for the 2.4 line, with end-of-life set for October 1, 2026, and Security Onion 3.0 as the successor.
What ships in the box: Suricata for signature-based intrusion detection, Zeek for protocol metadata and file extraction, Elastic Stack for storage and search, Wazuh for endpoint visibility, Elastic Agent with osquery integration, and OpenCanary-based intrusion detection honeypots. Suricata 8.0.3 and Zeek 8.0.5 are the components currently bundled. The 3.0 release will drop Stenographer entirely and consolidate full packet capture under Suricata, which is why the project has been pushing operators to switch pcap mode to TRANSITION ahead of time. Oracle Linux 9 is the only supported base OS — Ubuntu, Debian, and other distros that were unofficially tolerated in 2.4 are removed in 3.0.
The trade-off with Security Onion is that the all-in-one nature both helps and hurts. New SOCs get a working sensor in an afternoon, but operators who want to deviate from the bundled component versions or replace Elastic with OpenSearch hit friction quickly. For organizations standing up a network-detection capability from zero, the time-to-value is unmatched.
Suricata and Zeek — The Detection Engines Underneath
Suricata and Zeek are worth understanding as standalone components, even if you deploy them through Security Onion. Both have substantial deployments outside that distribution, particularly in carrier networks and government SOCs.
Suricata is a multi-threaded IDS/IPS/NSM engine that consumes Snort-format rules and produces EVE JSON output for downstream pipelines. The 8.0.3 and 7.0.14 releases shipped on January 13, 2026 to address security issues — a reminder that detection engines themselves are attack surface and need patching like anything else. Suricata excels at signature matching at line rate; tuning rule sets and managing false positives is where the operational cost lives.
Zeek (formerly Bro) takes a different approach: it transforms raw packets into structured protocol logs — conn.log, dns.log, http.log, ssl.log, x509.log — that become the substrate for behavioral analytics and threat hunting. Zeek 8.0.5 is the current stable build. The Zeek-Suricata pairing is conventional in mature SOCs because each fills the other’s blind spots: signatures catch known-bad, Zeek’s metadata exposes anomalies that no signature was ever written for.
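The Zeek-Suricata pairing described above, as an added example that is not code from the original article or from either project: a Suricata EVE alert is joined to the Zeek conn.log record for the same 5-tuple and to any dns.log answer that resolved to the destination, so the analyst sees what the signature alone does not say (the connection's service, response volume, and the hostname the client looked up). The records are constructed samples, and the example assumes Zeek is writing JSON logs (the default in Security Onion) rather than tab-separated ones.

```python
import json
from collections import defaultdict

# Constructed sample records (not captured traffic): one Suricata EVE alert, one
# non-alert EVE record, and Zeek conn.log / dns.log lines in JSON output mode.
EVE_LINES = [
    '{"timestamp":"2026-04-20T10:15:02Z","event_type":"alert","src_ip":"10.0.0.5","src_port":51234,'
    '"dest_ip":"203.0.113.9","dest_port":443,"proto":"TCP","alert":{"signature":"ET POLICY Example","signature_id":2000001,"severity":2}}',
    '{"timestamp":"2026-04-20T10:15:03Z","event_type":"flow","src_ip":"10.0.0.5","src_port":51235,"dest_ip":"203.0.113.9","dest_port":443,"proto":"TCP"}',
]
ZEEK_CONN_LINES = [
    '{"ts":1776680101.5,"uid":"CAbc123","id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"203.0.113.9","id.resp_p":443,'
    '"proto":"tcp","service":"ssl","duration":12.3,"orig_bytes":1500,"resp_bytes":98000,"conn_state":"SF"}',
]
ZEEK_DNS_LINES = [
    '{"ts":1776680100.9,"uid":"CDef456","id.orig_h":"10.0.0.5","id.orig_p":53211,"id.resp_h":"10.0.0.53","id.resp_p":53,'
    '"proto":"udp","query":"updates.example.net","answers":["203.0.113.9"],"rcode_name":"NOERROR"}',
]

def flow_key(src, sport, dst, dport, proto):
    # Suricata writes "TCP", Zeek writes "tcp"; normalise so the 5-tuples join
    return (src, int(sport), dst, int(dport), proto.lower())

def index_zeek(conn_lines, dns_lines):
    # conn.log keyed by 5-tuple; dns.log folded into answer-IP -> names that resolved to it
    conns, names = {}, defaultdict(set)
    for line in conn_lines:
        c = json.loads(line)
        conns[flow_key(c["id.orig_h"], c["id.orig_p"], c["id.resp_h"], c["id.resp_p"], c["proto"])] = c
    for line in dns_lines:
        d = json.loads(line)
        for ip in d.get("answers", []):
            names[ip].add(d["query"])
    return conns, names

def enrich_alerts(eve_lines, conns, names):
    # keep only event_type=alert; attach the Zeek conn uid, service and response
    # volume plus any hostname that resolved to the destination; absent context stays None
    out = []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        conn = conns.get(flow_key(ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"], ev["proto"]))
        out.append({
            "signature": ev["alert"]["signature"],
            "dest_ip": ev["dest_ip"],
            "zeek_uid": conn["uid"] if conn else None,
            "service": conn.get("service") if conn else None,
            "resp_bytes": conn.get("resp_bytes") if conn else None,
            "dest_names": sorted(names.get(ev["dest_ip"], ())),
        })
    return out
```

In a real pipeline the same join is usually done on Suricata's and Zeek's community_id field instead of the raw 5-tuple, which survives NAT-aware sensors better; the 5-tuple is used here so the sample runs without that option enabled.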
TheHive and Cortex — Case Management That Doesn’t Lock You In
TheHive and Cortex are maintained by StrangeBee and form the open-source case management and observable-enrichment layer. TheHive provides a collaborative incident response platform with case templates, task assignment, and integrations into SIEMs, EDRs, and threat intelligence platforms. Cortex, the companion engine, runs analyzers and responders against observables — IPs, domains, file hashes, URLs — through a library of community-maintained modules.
The pattern most SOCs adopt: an alert from Wazuh or Suricata fires into TheHive as a case, observables auto-extract from the alert, Cortex analyzers enrich each observable through VirusTotal, MISP, AbuseIPDB, and dozens of others, and responders trigger containment actions. The REST API surfaces the same operations for automation pipelines. StrangeBee operates an open-core model with paid tiers for organizations needing commercial support, but the community editions cover real production workloads.
MISP — Threat Intelligence Sharing That Actually Works
MISP (Malware Information Sharing Platform) is the de facto standard for IOC exchange among CSIRTs, ISACs, and security teams that need structured threat data flowing in and out of automated pipelines. It centralizes indicators — malicious IPs, domains, hashes, vulnerabilities — into events with rich taxonomies, supports automated ingestion of feeds via APIs, and exports indicators in formats that Suricata, Zeek, Snort, Bro, and most SIEMs can consume directly.
The value of MISP is not the platform in isolation — it is the network of communities sharing through it. Sector-specific ISACs, national CERTs, and industry sharing groups run MISP instances and federate selectively. A mid-size SOC that joins two or three relevant communities suddenly has a credible threat intelligence program without hiring a TI team.
Velociraptor — Endpoint Hunting and Forensics
Velociraptor is an endpoint monitoring and DFIR platform stewarded by Rapid7 since its 2021 acquisition, with founder Mike Cohen continuing to lead development. It remains fully open source — Rapid7 has stated repeatedly there are no plans to commercialize it — while a parallel hosted version exists inside Rapid7’s commercial Insight platform.
The tool’s distinguishing feature is VQL (Velociraptor Query Language), a SQL-like language that drives both interactive hunts and continuous monitoring rules. An analyst can author a VQL query that runs across thousands of endpoints, returns parsed output (NTFS MFT entries, prefetch artifacts, registry hives, process trees), and stitches the results back into a notebook for analysis. The 0.7.x line added an SSH accessor that lets plugins traverse remote filesystems for endpoints where deploying an agent isn’t feasible, and Sigma rule support that runs detections directly on the endpoint without forwarding events first.
For SOCs that need DFIR-grade visibility without the licensing cost of commercial EDR, Velociraptor is the answer. The trade-off is that it requires investment in VQL fluency to use well, and the artifact library, while extensive, expects analysts comfortable reading and writing queries.
Sigma and YARA — Detection Rules as Portable Artifacts
Sigma is a generic signature format for SIEM detections. The same rule, written once, converts to Splunk SPL, Elastic KQL, Microsoft Sentinel, Wazuh rules, and dozens of other backends through sigma-cli and pySigma. The community maintains thousands of detection rules in the SigmaHQ repository covering Windows event logs, Linux audit logs, cloud telemetry, and network metadata. For a SOC building detection-as-code practices, Sigma is the lingua franca.
YARA complements Sigma at the file level. YARA rules describe malware families through string patterns, byte sequences, and structural conditions, and they run against files at scale through scanners, EDR agents, and automated pipelines. The two tools together cover most of the detection authoring an internal threat hunting team needs to do.
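To show what a Sigma rule actually encodes before a backend converts it, here is an added example (not code from the article, the SigmaHQ repository or pySigma): a minimal matcher that applies a rule's selection maps and its condition expression to process-creation events. The rule is a constructed dict in the shape yaml.safe_load returns for a Sigma YAML file, and only the contains, startswith and endswith modifiers are implemented.

```python
import re

# Constructed rule in Sigma's detection/condition shape (the dict form of the YAML);
# the indicator strings are illustrative, not from a published rule.
RULE = {
    "title": "Encoded PowerShell not run by service accounts",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe",
                      "CommandLine|contains": ["-enc ", "-EncodedCommand"]},
        "filter_svc": {"User|startswith": "CORP\\svc_"},
        "condition": "selection and not filter_svc",
    },
}
MODIFIERS = {"": str.__eq__, "contains": lambda v, p: p in v,
             "startswith": str.startswith, "endswith": str.endswith}

def field_matches(event, spec, pattern):
    # spec is "Field|modifier"; a list of values is OR'd; Sigma string matching is case-insensitive
    field, _, mod = spec.partition("|")
    value = str(event.get(field, "")).lower()
    pats = pattern if isinstance(pattern, list) else [pattern]
    return any(MODIFIERS[mod](value, str(p).lower()) for p in pats)

def block_matches(event, block):
    # every field inside one selection map must match (AND)
    return all(field_matches(event, s, p) for s, p in block.items())

def eval_condition(cond, truth):
    # tiny recursive-descent evaluator for the and / or / not / parentheses subset of conditions
    toks, pos = re.findall(r"\(|\)|\w+", cond), 0
    def binop(word, sub):
        nonlocal pos
        val = sub()
        while pos < len(toks) and toks[pos] == word:
            pos += 1
            val = (sub() or val) if word == "or" else (sub() and val)
        return val
    def factor():
        nonlocal pos
        tok = toks[pos]; pos += 1
        if tok == "not":
            return not factor()
        if tok == "(":
            val = expr(); pos += 1  # consume ")"
            return val
        return truth[tok]  # named selection or filter block
    def expr():
        return binop("or", lambda: binop("and", factor))
    return expr()

def rule_matches(rule, event):
    det = rule["detection"]
    truth = {n: block_matches(event, b) for n, b in det.items() if n != "condition"}
    return eval_condition(det["condition"], truth)
```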
osquery — Endpoints as a Database
osquery turns the operating system into a relational database. Hosts, processes, listening sockets, kernel modules, scheduled tasks, browser plugins, USB devices — all queryable through SQL. Linux Foundation’s osquery community continues active maintenance, and the tool ships natively in Security Onion’s Elastic Agent integration. For threat hunting, osquery is the thing analysts reach for when they need to ask “show me every host where a process is listening on a non-standard port and the binary is unsigned.”
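The hunt question quoted above, written out as the SQL osquery would run, as an added example that is neither the article's nor the osquery project's code. Because osquery is itself SQLite underneath, the query is exercised here against an in-memory sqlite3 stand-in for three tables; the column subsets are assumed to mirror osquery's listening_ports, processes and Windows-only authenticode tables, the "non-standard port" list is a placeholder policy, and every row is constructed.

```python
import sqlite3

# The hunt query itself. The port allow-list is a placeholder: what counts as
# "standard" is a per-environment baseline, not a fixed set.
QUERY = """
SELECT p.pid, p.name, p.path, lp.port, lp.protocol,
       COALESCE(a.result, 'missing') AS signature
FROM listening_ports lp
JOIN processes p ON p.pid = lp.pid
LEFT JOIN authenticode a ON a.path = p.path
WHERE lp.port NOT IN (22, 80, 135, 443, 3389)
  AND lp.address != '127.0.0.1'
  AND COALESCE(a.result, 'missing') != 'trusted'
ORDER BY p.pid;
"""

def build_host_snapshot():
    # Constructed stand-in for one host's osquery tables (assumed column subsets).
    # protocol follows osquery's numeric convention: 6 = TCP.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE processes(pid INTEGER, name TEXT, path TEXT);
        CREATE TABLE listening_ports(pid INTEGER, port INTEGER, protocol INTEGER, address TEXT);
        CREATE TABLE authenticode(path TEXT, result TEXT);
    """)
    db.executemany("INSERT INTO processes VALUES (?,?,?)", [
        (1200, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
        (2310, "httpd.exe", r"C:\Program Files\Apache\bin\httpd.exe"),
        (4412, "updater.exe", r"C:\Users\Public\updater.exe"),
        (5120, "devsrv.exe", r"C:\Users\bob\devsrv.exe"),
    ])
    db.executemany("INSERT INTO listening_ports VALUES (?,?,?,?)", [
        (1200, 135, 6, "0.0.0.0"),      # signed, standard port -> excluded
        (2310, 443, 6, "0.0.0.0"),      # signed, standard port -> excluded
        (4412, 9999, 6, "0.0.0.0"),     # no authenticode row at all -> reported
        (5120, 8080, 6, "127.0.0.1"),   # unsigned but loopback only -> excluded
    ])
    db.executemany("INSERT INTO authenticode VALUES (?,?)", [
        (r"C:\Windows\System32\svchost.exe", "trusted"),
        (r"C:\Program Files\Apache\bin\httpd.exe", "trusted"),
        (r"C:\Users\bob\devsrv.exe", "missing"),
    ])
    return db

def hunt_unsigned_listeners(db):
    # returns (pid, name, path, port, protocol, signature) per suspicious listener
    return db.execute(QUERY).fetchall()
```

On Linux there is no authenticode table; the same shape of query would instead join against a package-manager table (rpm_packages or deb_packages) or a file hash allow-list to decide what "unsigned" means.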
Shuffle — SOAR Without the SOAR Pricing
Shuffle is the open-source SOAR layer that ties the rest together. Workflows are composable, the integration library is extensive, and the tool runs as containers on commodity infrastructure. The patterns most teams build first: an alert from TheHive triggers a Shuffle workflow that enriches observables through Cortex, queries Velociraptor for endpoint context, posts a summary to Slack with one-click containment buttons, and updates the case status. None of that workflow exists in any single tool — Shuffle is the connective tissue.
The competitor in this space is n8n, which is more general-purpose automation than SOC-specific. For pure security workflows, Shuffle’s pre-built integrations make the time-to-first-playbook shorter.
Honorable Mentions Worth Knowing About
The catalog above covers the load-bearing tools. Several others deserve mention because they fill specific gaps cleanly. Arkime (formerly Moloch) provides full-packet capture indexing and search at scale, useful for SOCs that need session-level forensics beyond what Suricata’s pcap captures. Wireshark remains the universal protocol analyzer for ad-hoc investigation. Nmap and OpenVAS (under Greenbone’s GVM) cover network discovery and vulnerability scanning. GnuPG and Keycloak sit at the edges — encryption and identity, both relevant when SOC work touches authentication or sensitive data handling. Comp AI, released April 7, 2026, offers an open-source alternative to compliance automation tools like Vanta and Drata, targeting SOC 2, ISO 27001, HIPAA, and GDPR through an AGPLv3-licensed codebase.
For DFIR specialists, mquire from Trail of Bits, released in March 2026, analyzes Linux memory dumps without requiring debug symbols — a real pain point for incident responders working on production kernels with no published symbols. Betterleaks, the successor to Gitleaks from author Zach Rice, brings updated secrets scanning to git repos and standard input.
Where Open-Source SOC Stacks Hit Their Limits
The honest part of this catalog is the part most vendor-sponsored guides skip: open-source SOC stacks have real ceilings. Cloud detection — particularly cross-account AWS, GCP, and Azure correlation with identity context — is where the open-source tooling lags behind commercial CNAPPs and cloud-native SIEMs. Identity-based attack paths require connecting workload, network reachability, and data access in ways that Wazuh and Security Onion alone don’t model well. Detection of business-logic abuse, BEC, and fraud patterns is similarly thin in open source.
The other ceiling is operational. Building this stack costs real engineering time. Tuning Wazuh rules across a heterogeneous fleet, maintaining custom Suricata rule sets, writing Cortex analyzers for vendor-specific APIs, debugging Shuffle workflows when an integration changes — these are full-time jobs at scale. Organizations that pick open source to save money but underinvest in operations end up with a worse SOC than one running well-tuned commercial tools. The cost moves from license fees to headcount and time.
Frequently Asked Questions
Can a small team actually run this stack?
A team of two to three engineers can stand up Wazuh, Security Onion, TheHive, MISP, and Shuffle in a quarter and have credible detection coverage by month four. Velociraptor adds another month. The realistic minimum to operate the stack at quality is two dedicated engineers, with rotation through analyst duty.
How does this compare cost-wise to a commercial SIEM?
A commercial SIEM at typical mid-market scale runs $150K–$500K per year in licensing alone. The equivalent open-source stack runs on infrastructure costs (often $20K–$60K per year for storage and compute) plus 1.5–3 engineers. The break-even depends on labor cost in your region and whether you would have hired those engineers anyway.
What about AI and LLM-based detection?
Security Onion 2.4.210 added local model support for its Onion AI Assistant in the Pro tier, with OpenAI-compatible endpoint support. Wazuh has community integrations for LLM-assisted alert triage. The open-source AI-for-SOC space is moving fast in 2026 but is not yet mature — most teams use LLMs for triage assistance rather than primary detection.
Should we wait for Security Onion 3.0?
If you are starting a new deployment in mid-2026, evaluate 3.0 directly. The 2.4 line reaches EOL on October 1, 2026, and 3.0 uses the same underlying components with full packet capture consolidated under Suricata. For existing 2.4 users, the upgrade path is documented and straightforward.
What This Catalog Doesn’t Promise
A working SOC is not a tool list. It is a set of practiced workflows around tools, with people who have done the work enough times to recognize what is normal and what is not. The open-source tools in this catalog give you the engines. The detection content, the runbooks, the tuning, the relationships with intelligence-sharing communities — those have to be built. The alternative — buying a commercial platform that ships with all of that included — is a defensible choice for organizations that don’t want to build, but it does not eliminate the work. It moves the work to vendor management and integration engineering, which are also full-time jobs.
The right question in 2026 is not “should we use open-source SOC tools?” It is “which categories should we own internally, and which should we outsource to vendors?” The answer differs by organization. The fact that a credible answer exists at all — that you can build a working SOC on free, well-maintained code — is the change worth noticing.