Built a layered home SOC suite in PowerShell + Python as part of my Fachinformatiker retraining — looking for feedback
2026-3-27 17:18:44 Author: www.reddit.com

Hey r/netsecstudents,

I'm currently in a Fachinformatiker für Anwendungsentwicklung retraining program in Germany, targeting a career in cyber defense and threat intelligence. As a hands-on learning project I built a home SOC suite from scratch on my Windows machine.

What it is:

A five-program endpoint monitoring suite:

  • PowerShell collectors running continuously — outbound connections with geolocation, inbound port monitoring, per-process CPU/RAM, scheduled task changes, power events, registry run key monitoring

  • Python correlation engine — ingests all collector logs into SQLite, runs 40 correlation rules across short/operational/campaign time windows

  • Live Flask dashboard — collector health, alert feed, resource graphs, severity colour coding, Start Day / End Day workflow

  • Forensic engine (Phase 9, in planning) — post-event super timelines, process lineage, beacon analysis

  • Forensic dashboard (Phase 9, in planning) — display layer for forensic conclusions, colour-coded status, report generation, no analysis logic

Design philosophy:

  • Collector silence is a detection signal, not a reliability bug

  • Every alert must be explainable — what triggered it, what evidence, what confidence

  • Raw logs are immutable source truth, SQLite is operational query truth

  • Built with red team thinking applied to blue team tooling

GitHub: https://github.com/Nate-ryan-7690/home_SOC_suite

Would genuinely appreciate feedback on the architecture, detection logic, gaps I've missed, or anything that looks wrong. Still learning — brutal honesty welcome.
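To make the design points concrete (immutable raw lines as evidence, SQLite as the query layer, time-windowed rules, explainable alerts, collector silence as a finding), here is a miniature correlation engine in the same Python/SQLite shape. It is an added illustration written for this page, not code from the linked repository; the JSON field names, the rule thresholds, the 15-minute heartbeat expectation and all log lines are constructed assumptions, and the IP addresses come from the RFC 5737 documentation ranges.

```python
"""Added illustration, not code from the linked home_SOC_suite repository: a tiny
correlation engine that ingests constructed collector output into SQLite and runs
three rules that each return an explainable alert (trigger, evidence, confidence)."""
import json
import sqlite3
from datetime import datetime, timedelta
from statistics import pstdev

# Constructed collector output, one JSON record per line as a collector would append it.
# Field names are hypothetical; addresses are RFC 5737 documentation ranges.
RAW_LOG = r"""
{"ts": "2026-03-27T10:00:00", "collector": "outbound", "pid": 4120, "image": "update.exe", "dst": "203.0.113.7", "port": 443}
{"ts": "2026-03-27T10:01:00", "collector": "outbound", "pid": 4120, "image": "update.exe", "dst": "203.0.113.7", "port": 443}
{"ts": "2026-03-27T10:02:00", "collector": "outbound", "pid": 4120, "image": "update.exe", "dst": "203.0.113.7", "port": 443}
{"ts": "2026-03-27T10:02:30", "collector": "runkey", "pid": 4120, "image": "update.exe", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"}
{"ts": "2026-03-27T10:03:00", "collector": "outbound", "pid": 4120, "image": "update.exe", "dst": "203.0.113.7", "port": 443}
{"ts": "2026-03-27T10:03:30", "collector": "outbound", "pid": 7001, "image": "browser.exe", "dst": "198.51.100.20", "port": 443}
{"ts": "2026-03-27T10:03:00", "collector": "heartbeat", "name": "outbound"}
{"ts": "2026-03-27T09:20:00", "collector": "heartbeat", "name": "scheduled_tasks"}
"""

NOW = datetime(2026, 3, 27, 10, 5, 0)          # constructed "current time" for the demo
WINDOWS = {"short": timedelta(minutes=10), "operational": timedelta(hours=24)}
HEARTBEAT_MAX_GAP = timedelta(minutes=15)      # assumed heartbeat interval per collector
EXPECTED_COLLECTORS = ("outbound", "runkey", "scheduled_tasks")


def ingest(raw_text: str) -> sqlite3.Connection:
    """Load raw JSON lines into SQLite. Each raw line is stored verbatim so alerts can
    cite it; the file on disk stays the immutable source truth, SQLite is for queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE events (id INTEGER PRIMARY KEY, ts TEXT, collector TEXT,
                    pid INTEGER, image TEXT, dst TEXT, name TEXT, raw TEXT)""")
    for line in raw_text.strip().splitlines():
        e = json.loads(line)
        conn.execute("INSERT INTO events (ts, collector, pid, image, dst, name, raw) "
                     "VALUES (?,?,?,?,?,?,?)",
                     (e["ts"], e["collector"], e.get("pid"), e.get("image"),
                      e.get("dst"), e.get("name"), line))
    return conn


def alert(rule, severity, reason, evidence, confidence, subject):
    """Every alert says what triggered it, which raw lines prove it and how sure we are."""
    return {"rule": rule, "severity": severity, "reason": reason,
            "evidence": evidence, "confidence": round(confidence, 2), "subject": subject}


def rule_beacon(conn, now):
    """Short window: >= 3 connections from one process to one destination. Regular
    spacing (low jitter) raises confidence; the grouped raw lines are the evidence."""
    since = (now - WINDOWS["short"]).isoformat()
    rows = conn.execute("""SELECT pid, image, dst, group_concat(ts), group_concat(raw, char(10))
                           FROM events WHERE collector='outbound' AND ts >= ?
                           GROUP BY pid, dst HAVING count(*) >= 3""", (since,)).fetchall()
    out = []
    for pid, image, dst, ts_csv, raw_blob in rows:
        stamps = sorted(datetime.fromisoformat(t) for t in ts_csv.split(","))
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        jitter = pstdev(gaps)
        reason = (f"{image} (pid {pid}) contacted {dst} {len(stamps)}x, "
                  f"mean gap {sum(gaps) / len(gaps):.0f}s, jitter {jitter:.1f}s")
        out.append(alert("beacon", "medium", reason, raw_blob.split("\n"),
                         0.9 if jitter < 5 else 0.5, pid))
    return out


def rule_beacon_plus_persistence(conn, now, beacons):
    """Operational window: a beaconing process that also touched a Run key. Two
    independent collectors agreeing raises severity and confidence."""
    since = (now - WINDOWS["operational"]).isoformat()
    out = []
    for b in beacons:
        rows = conn.execute("SELECT raw FROM events WHERE collector='runkey' AND pid=? AND ts >= ?",
                            (b["subject"], since)).fetchall()
        if rows:
            out.append(alert("beacon+runkey", "high",
                             f"pid {b['subject']} beacons and also set a Run key",
                             b["evidence"] + [r[0] for r in rows],
                             min(1.0, b["confidence"] + 0.1), b["subject"]))
    return out


def rule_collector_silence(conn, now):
    """A collector that stops reporting is a finding in its own right, not a reliability
    bug: its last heartbeat (or the absence of any) is the evidence."""
    out = []
    for name in EXPECTED_COLLECTORS:
        row = conn.execute("SELECT ts, raw FROM events WHERE collector='heartbeat' AND name=? "
                           "ORDER BY ts DESC LIMIT 1", (name,)).fetchone()
        last = datetime.fromisoformat(row[0]) if row else None
        if last is None or now - last > HEARTBEAT_MAX_GAP:
            gap = "never reported" if last is None else f"silent for {now - last}"
            out.append(alert("collector_silence", "high", f"collector {name}: {gap}",
                             [row[1]] if row else [], 0.7, name))
    return out


def run_all(raw_text, now):
    """Ingest, then run the rules in dependency order and return all alerts."""
    conn = ingest(raw_text)
    beacons = rule_beacon(conn, now)
    return beacons + rule_beacon_plus_persistence(conn, now, beacons) + rule_collector_silence(conn, now)


if __name__ == "__main__":
    for a in run_all(RAW_LOG, NOW):
        print(json.dumps(a, indent=1))
```

With the constructed input this yields four alerts: one beacon (four 60-second-spaced connections, confidence 0.9), one beacon-plus-Run-key escalation citing five raw lines, and two collector-silence alerts (`runkey` never sent a heartbeat, `scheduled_tasks` is 45 minutes stale). The ingest keeps the raw line next to the parsed columns so a reviewer can always go from an alert back to the exact evidence without trusting the parser.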


Source: https://www.reddit.com/r/netsecstudents/comments/1s5ahda/built_a_layered_home_soc_suite_in_powershell/