OSSEC, the open-source host-based intrusion detection system (HIDS), was built by Daniel because commercial log analysis tools were too noisy and too expensive. Trunc.org is the cloud-native continuation of that idea. Log analysis and detection is the practice area we have been working in longer than any other.
Pipeline design
Collection (agents, syslog, cloud-native log streams), normalization, enrichment, and routing. We pick the right tooling for your scale — sometimes that's a managed SIEM (Splunk, Elastic, Sumo, Datadog), sometimes it's open-source (Wazuh, Graylog), and sometimes it's Trunc.
Detection engineering
The hard part isn't collecting logs — it's knowing what to alert on. We build detection content (sigma rules, custom queries, correlation rules) calibrated to actually-seen attacker behavior, not paper threat models.
Tuning & noise reduction
We focus on signal density. A SOC drowning in alerts is a SOC missing real ones. Our job is often to delete more rules than we add.
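To make the detection-engineering and tuning points concrete, here is an added example (not code from the page, from OSSEC or from Trunc) that runs over constructed sshd log lines: a Sigma-style atomic rule that fires on every failed root login, a correlation rule that fires only when a burst of failures from one source is followed by a successful login from that source, and a suppression list for a known-noisy internal source. The hosts, users, addresses, the pinned year and the scanner allowlist are all assumptions made for the example.

```python
"""Detection engineering sketch: a Sigma-style atomic rule versus a tuned correlation rule.

Runs offline over constructed sshd syslog lines (no real hosts, users or addresses).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one brute force that succeeds (203.0.113.5), one user typo
# (10.0.0.7), one lone failure (198.51.100.9) and an assumed in-house credential
# audit scanner (10.0.0.50) whose activity also looks like a brute force.
SAMPLE_LOGS = """\
Mar 10 10:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 10:00:02 web1 sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar 10 10:00:03 web1 sshd[1203]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar 10 10:00:04 web1 sshd[1204]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 10 10:00:05 web1 sshd[1205]: Failed password for root from 203.0.113.5 port 51242 ssh2
Mar 10 10:00:09 web1 sshd[1206]: Accepted password for root from 203.0.113.5 port 51244 ssh2
Mar 10 10:05:00 web1 sshd[1300]: Failed password for alice from 10.0.0.7 port 40000 ssh2
Mar 10 10:05:20 web1 sshd[1301]: Accepted password for alice from 10.0.0.7 port 40002 ssh2
Mar 10 10:30:00 web1 sshd[1350]: Failed password for root from 10.0.0.50 port 45000 ssh2
Mar 10 10:30:01 web1 sshd[1351]: Failed password for root from 10.0.0.50 port 45002 ssh2
Mar 10 10:30:02 web1 sshd[1352]: Failed password for root from 10.0.0.50 port 45004 ssh2
Mar 10 10:30:05 web1 sshd[1353]: Accepted password for root from 10.0.0.50 port 45006 ssh2
Mar 10 11:00:00 web1 sshd[1400]: Failed password for bob from 198.51.100.9 port 42000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def normalize(raw):
    """Collection/normalization step: raw syslog lines -> time-sorted event dicts."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsed lines are dropped here; a real pipeline would count them
        # syslog timestamps carry no year; pin one so time arithmetic works (assumption)
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2024)
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return sorted(events, key=lambda e: e["ts"])


# Sigma-style atomic rule expressed as a dict: correct on paper, one alert per failure.
FAILED_ROOT = {
    "title": "SSH failed password for root",
    "detection": {"selection": {"result": "Failed", "user": "root"}, "condition": "selection"},
}


def run_atomic(rule, events):
    """Evaluate a single-selection Sigma-style rule (AND of field equalities)."""
    sel = rule["detection"]["selection"]
    return [e for e in events if all(e.get(k) == v for k, v in sel.items())]


def brute_force_then_success(events, min_failures=3, burst=timedelta(seconds=60),
                             lookback=timedelta(minutes=5), suppress=frozenset()):
    """Correlation rule: >= min_failures from one source within `burst`, followed by an
    Accepted login from the same source within `lookback`. Sources in `suppress` are
    known-noisy (tuning) and produce no alert."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        if src in suppress:
            continue
        failures = [e["ts"] for e in evs if e["result"] == "Failed"]
        for acc in (e for e in evs if e["result"] == "Accepted"):
            recent = [t for t in failures if acc["ts"] - lookback <= t < acc["ts"]]
            if len(recent) >= min_failures and recent[-1] - recent[-min_failures] <= burst:
                alerts.append({"src": src, "user": acc["user"],
                               "failures": len(recent), "ts": acc["ts"]})
    return alerts


# Assumed allowlist for the in-house scanner; in practice this comes from asset inventory.
KNOWN_NOISY_SOURCES = frozenset({"10.0.0.50"})


def summarize(raw=SAMPLE_LOGS):
    """Alert counts for the same input under the atomic, correlated and tuned rules."""
    events = normalize(raw)
    return {
        "atomic": len(run_atomic(FAILED_ROOT, events)),
        "correlated": len(brute_force_then_success(events)),
        "tuned": len(brute_force_then_success(events, suppress=KNOWN_NOISY_SOURCES)),
    }


if __name__ == "__main__":
    print(summarize())  # {'atomic': 6, 'correlated': 2, 'tuned': 1}
```

On the same thirteen lines the atomic rule produces six alerts, the correlation rule two, and the tuned correlation rule one, pointing at the only source that actually brute-forced its way in. That is the trade the tuning step is making: fewer, denser alerts in exchange for an explicit, reviewable list of what is being suppressed and why.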
Operate or hand off
We can run your SIEM as a managed service, build out an internal SOC, or train your team and roll off. Whatever shape fits.