DAEMONv2.0
[ OK ] mounting /var/log/transmissions
[ OK ] entrigen · 5 modules online
[ OK ] soc-os · 30 client environments
[ OK ] ioc store · 2.8M indicators
[ OK ] tines connector · online
[ OK ] daemon ready
root@daemon:~# _

daemon_

security // logs // field notes

Notes from an MSSP detection-platform operator. What we ship, what we break, and what scales when a single SOC team is responsible for thirty client environments.

00// status
transmissions 02
last_tx 2026-05-08
crit_entries 00
platform_since 2025-04-01 410d online
01// recent_transmissions
TX_7473 2026-05-08 WARN Why we killed the SOAR mock fleet
TX_6414 2026-04-22 INFO Detection drift at MSSP scale
02// case_studies
stand by

Sanitized writeups of platform work — Entrigen, SOC-OS, the IOC pipeline — incoming.

For now, see operator(8).

03// operator

Neil Cushard — Director of Security Services, MSSP architect. Building Entrigen, a model-driven security operations framework serving 30 client environments and scaling toward 120. Five modules online; SOC-OS is the first daily driver.

Adjacent work: a synthetic alert generator that replaced our SOAR mock fleet, an IOC pipeline pulling 2.8M active indicators from MISP into a Tines-backed lookup, and a detection content pipeline that tracks per-tenant drift instead of forking rules.
