CITADEL SOC

Open Source Security Operations Center — Public Administration

Systems Operational
Mission Statement

Defending Public Infrastructure
Through Open Intelligence

CITADEL is a fully open-source Security Operations Center platform purpose-built for public administration. It combines real-time threat detection, automated incident response, threat intelligence sharing and forensic analysis into one integrated platform — built on transparency, sovereignty and community trust. This soc.trials.vip deployment is the second-generation CITADEL platform: fully automated and replicable through GitLab CI/CD pipelines, with platform-wide Keycloak single sign-on and Wazuh agents auto-enrolled on every node.

4 Cluster Nodes
13 Active Services
GitOps Replicable Deployment
100% Open Source

Platform Services

Management Services

Alert Flow Architecture

Wazuh Agents → Wazuh Manager → Shuffle SOAR → IRIS Case → Cortex Analysis → MISP Intel → Response
Security events from monitored endpoints flow through Wazuh for detection and correlation. High-severity alerts trigger automated Shuffle workflows that create DFIR-IRIS cases, enrich observables via Cortex analyzers, cross-reference MISP threat intelligence, and execute active response actions — all without manual intervention.
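The following is an added illustration of the triage stage in that flow, not code from the CITADEL project or its Shuffle playbooks. It parses constructed Wazuh-style JSON alerts (the field names rule.level, rule.id, agent.name and data.srcip follow Wazuh's alert format), drops anything below a severity threshold, extracts observables, cross-references them against a small in-memory indicator set that stands in for a MISP lookup, and emits a case payload with proposed active-response actions. The case payload shape, the indicator set, the internal-network list and the severity mapping are all assumptions of the example.

```python
"""Added example: minimal model of a Wazuh -> SOAR -> case pipeline.

Not project code. Alert field names follow Wazuh's JSON alert format; the
case payload, indicator set and action names are hypothetical.
"""
import json
from ipaddress import ip_address, ip_network

# Constructed Wazuh-style alert lines (sample data, not real events).
SAMPLE_ALERTS = [
    '{"timestamp":"2024-05-01T10:00:00.000+0000","rule":{"level":5,"id":"5501",'
    '"description":"PAM: Login session opened."},"agent":{"id":"001","name":"node-a"},'
    '"data":{"srcip":"10.0.0.5"}}',
    '{"timestamp":"2024-05-01T10:01:00.000+0000","rule":{"level":12,"id":"100002",'
    '"description":"Multiple authentication failures followed by success."},'
    '"agent":{"id":"002","name":"node-b"},"data":{"srcip":"198.51.100.23","dstuser":"admin"}}',
    '{"timestamp":"2024-05-01T10:02:00.000+0000","rule":{"level":10,"id":"31106",'
    '"description":"Web attack: SQL injection attempt."},"agent":{"id":"003","name":"node-c"},'
    '"data":{"srcip":"203.0.113.9","url":"/login.php?id=1%27"}}',
]

# Constructed indicator set standing in for a MISP attribute lookup.
KNOWN_BAD_IPS = {"203.0.113.9": "constructed-event-42"}

# Wazuh levels run 0-15; this example treats 10 and above as high severity.
SEVERITY_THRESHOLD = 10

# Assumed internal ranges: hosts here are never proposed for automatic blocking.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_alert(line):
    """Parse one JSON alert line; return None instead of raising on bad input."""
    try:
        alert = json.loads(line)
        int(alert["rule"]["level"])  # validate the field the pipeline keys on
        return alert
    except (ValueError, KeyError, TypeError):
        return None


def extract_observables(alert):
    """Pull IOC-like values out of the alert's data block."""
    data = alert.get("data", {})
    observables = []
    for key in ("srcip", "dstip"):
        if key in data:
            observables.append({"type": "ip", "value": data[key]})
    if "url" in data:
        observables.append({"type": "url", "value": data["url"]})
    if "dstuser" in data:
        observables.append({"type": "user", "value": data["dstuser"]})
    return observables


def enrich(observables, intel=KNOWN_BAD_IPS):
    """Cross-reference IP observables against the indicator set (MISP stand-in)."""
    return [{"value": o["value"], "misp_event": intel[o["value"]]}
            for o in observables if o["type"] == "ip" and o["value"] in intel]


def is_internal(ip):
    """True when the address falls in one of the assumed internal ranges."""
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def proposed_actions(hits):
    """Propose a block only for intel-matched addresses outside internal ranges."""
    return [{"action": "block-ip", "target": h["value"]}
            for h in hits if not is_internal(h["value"])]


def build_case(alert, intel=KNOWN_BAD_IPS):
    """Shape an enriched alert into a hypothetical case-management payload."""
    level = int(alert["rule"]["level"])
    observables = extract_observables(alert)
    hits = enrich(observables, intel)
    return {
        "title": f"[{alert['agent']['name']}] {alert['rule']['description']}",
        "severity": "critical" if level >= 12 else "high",
        "wazuh_rule_id": alert["rule"]["id"],
        "agent": alert["agent"]["name"],
        "observables": observables,
        "intel_hits": hits,
        "actions": proposed_actions(hits),
    }


def triage(lines, threshold=SEVERITY_THRESHOLD, intel=KNOWN_BAD_IPS):
    """Run the pipeline over raw alert lines; only high-severity alerts become cases."""
    cases = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None or int(alert["rule"]["level"]) < threshold:
            continue  # malformed or low-severity: stays in Wazuh, no case opened
        cases.append(build_case(alert, intel))
    return cases


if __name__ == "__main__":
    for case in triage(SAMPLE_ALERTS):
        print(json.dumps(case, indent=2))
```

Running the block prints two cases: the level-12 authentication alert opens a critical case with no intel match and no automatic action, while the level-10 web attack from an intel-listed external address opens a high case carrying a block proposal. The level-5 login event never leaves the detection tier, which is the behaviour the threshold is meant to enforce.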

Platform Roadmap

Phase 1 — Complete
Core Infrastructure

Hybrid x86/ARM64 k3s cluster, Longhorn distributed storage, HTTPS ingress with Let’s Encrypt, GitLab CI deployment pipelines, Wazuh agents on all nodes.

Phase 2 — Complete
SOC Services

DFIR-IRIS, Cortex, Shuffle, MISP, full Wazuh stack deployed and accessible. Password rotation complete.

Phase 3 — Complete
Identity & SSO

Keycloak IAM deployed. OIDC SSO live across Wazuh, DFIR-IRIS, Cortex, MISP and Shuffle. Centralised realm citadel-soc.

Phase 4 — Active
Automation Pipelines

Wazuh→IRIS alert pipeline. Cortex analyzers configured. Shuffle playbooks for automated triage.

Phase 5 — Upcoming
Threat Intel Feeds

MISP community feeds. IRIS↔MISP bidirectional sync. CIS benchmark remediation.

Phase 6 — Upcoming
Production Hardening

HA setup, encrypted backups, network segmentation, audit logging, security baseline 90%+.