Build a portable SOC with honeypot, Wazuh, and local AI in under a week

Building a real SOC usually means big budgets and server rooms. But one cybersecurity student proved you can assemble a miniature threat detection center on a laptop—using a honeypot, open-source SIEM, and a local AI assistant—all without sending data to the cloud.

Why a mini-SOC beats traditional labs

Most cybersecurity exercises rely on static PCAPs or scripted challenges that feel stale after the first run. That’s not how real attacks look. The goal was to create an environment where background noise from the internet—automated scans for weak SSH credentials, automated downloads, and persistence attempts—could be captured and analyzed in real time, all running locally.

The result was Valhalla SOC, a compact security operations center built entirely in Docker on a single machine. It captures live attack traffic, processes it through a SIEM, and even uses a local AI model to summarize alerts—no cloud dependencies, no third-party APIs, and no abandoned PDF reports.

The data pipeline: from honeypot to dashboard

The heart of the system is a controlled deception environment. Instead of using pre-made datasets, the project leverages real attack traffic by simulating both the attacker and the target.

• Cowrie runs as a fake SSH server on port 2222, logging every login attempt, command execution, and file download in JSON format.
• Wazuh ingests those logs, applies custom rules to detect brute force, malware downloads, reverse shells, and firewall manipulation, and maps findings to MITRE ATT&CK techniques.
• OpenSearch (the default indexer in Wazuh) stores historical data for querying and visualization.
• Ollama, running a lightweight qwen2.5-coder:7b model on the host, receives high-severity alerts and returns concise two-sentence summaries—fast and private.

On top of that, a custom React + FastAPI interface adds a ticketing system, a threat map, and a shared workspace for analysts. It doesn’t replace Wazuh’s dashboard but enhances it with daily workflow tools and team collaboration features.

The biggest technical hurdle wasn’t the architecture—it was making everything work on Windows. Docker Desktop, Ollama running outside the compose stack, and async PostgreSQL in Python required careful tuning. The first attempt failed with backend crashes and 500 errors until the team realized uvicorn’s event loop behaves differently on Windows. Real-world quirks that never appear in architecture diagrams.

Step-by-step setup: no magic, just Docker

Getting a SOC-grade environment running locally starts with a clean Docker Compose stack.

# docker-compose.yml excerpt
services:
  wazuh.manager:
    image: wazuh/wazuh:4.8.0
    ports:
      - "1514:1514"
      - "55000:55000"
  wazuh.indexer:
    image: wazuh/wazuh-indexer:4.8.0
  cowrie:
    image: cowrie/cowrie:latest
    ports:
      - "2222:2222"
  postgres:
    image: postgres:15
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
  fastapi:
    build: ./backend
    depends_on:
      - postgres
      - wazuh.manager

Custom rules in wazuh_config/rules/ flag brute force attempts, successful logins on the honeypot, suspicious wget/curl downloads, and firewall-disabling commands. The integration with Ollama is handled by a Python script located in wazuh_config/integrations/custom-ollama.py, which processes only alerts rated level 5 or higher to avoid noise.

The backend handles authentication with httpOnly cookies, CSRF protection for mutations, audit logging, and real-time synchronization between Wazuh alerts and incident tickets. The frontend offers dark/light themes, a kanban-style workspace, direct SIEM queries to OpenSearch, and embedded runbooks linked to each ticket.

To deploy from scratch:

• Clone the repository
• Copy .env.example to .env and set variables
• Pull the AI model: ollama pull qwen2.5-coder:7b
• Launch the stack: docker compose up -d --build

For a full walkthrough, the README includes all commands, monitoring scripts, and dashboard configurations. Fifteen commands aren’t listed here, but the process is repeatable.

What real threat detection looks like here

In a typical lab session with the honeypot exposed and an automated attacker running in the background, the system behaves like a scaled-down SOC.

• Cowrie’s dashboard records thousands of events. In tests, over 8,000 critical alerts appeared in dedicated views, complete with timelines and top offending IPs.
• Wazuh rules fire consistently, tagging techniques such as T1110 (brute force), T1105 (tool transfer), and T1059 (command execution) using MITRE ATT&CK mappings.
• Automated monitors scan for brute force spikes, malware downloads, reverse shells, and crontab persistence every few minutes.
• Tickets auto-create from Wazuh alerts, allowing analysts to assign, update, and move incidents through workflow states.
• Ollama summaries provide quick context: “External IP attempting to download a script; treat as potential implant attempt,” giving analysts a first read without legal overreach.

Sample screenshots from the project repository show:

• Real-time Cowrie dashboard (04-cowrie-honeypot.png)
• MITRE coverage heatmap per agent (02-agente-mitre.png)
• Valhalla SOC login screen (11-login-valhalla.png)

Lessons learned—and what to improve

Key takeaways

• A honeypot teaches more in one afternoon than a week of reading about SIEM theory.
• Local AI models make sense in SOC workflows—but only if prompts and models are tightly controlled; no need for massive LLMs just to summarize an alert.
• The hardest part isn’t the UI or the AI—it’s integrating components securely: TLS certificates in Wazuh, log routing, webhooks, CORS policies, and CSRF defenses.

If rebuilt today, the priorities would shift

• Harden production readiness: signed webhooks, authenticated WebSockets, no default passwords, and automated secret rotation.
• Add a one-command "demo mode" for classroom use and testing.
• Separate the honeypot module from the main repository to reduce bloat and improve modularity.

An unexpected benefit emerged during development: conducting a security audit on the SOC codebase itself revealed serious flaws in authentication, API design, and Docker configurations. A powerful reminder that building a SOC doesn’t automatically make your environment secure by default.

Open-source blueprint for your own SOC

The entire project is public on GitHub, complete with step-by-step instructions, user manuals, and annotated screenshots. It’s designed to be reproducible, educational, and adaptable.

Repository: github.com/heindall92/Proyecto-Master-Ciberseguridad-Evolve-Yoandy

The stack is intentionally lightweight and runs on modest hardware—no GPUs or enterprise servers required. Whether for classroom demonstrations, cybersecurity training, or personal research, Valhalla SOC offers a practical template to simulate real-world threats without compromising privacy or budget.

For aspiring analysts and educators tired of static labs, this project proves that a powerful SOC can start on a laptop—and grow from there.