Each module has a defined role, dependencies, and outputs. I'm designing them to run alone where it makes sense; full SIEM mode connects them through OCSF events and shared APIs.
01Private beta
Intel plane — Briefr
Threat intelligence and investigation
Self-hosted analyst intelligence pane — CVE context, IOC enrichment, change deltas, and detection engineering (Forge). Not log ingestion.
- NVD, CISA KEV, EPSS, MITRE ATT&CK and ATLAS; exploit feeds (Sploitus, OSV, CIRCL, and others)
- IOC lookup for IP, hash, and domain; What changed panel; Risk Score and asset profile matching
- Three-level correlation, investigation panel, Forge hunt packs (Sigma + SIEM snippets), CSV/Excel/PDF export
- Enrichment APIs for downstream Jupiter Enrich and Detect modules
Technology: FastAPI, SQLite, React
Availability: Private beta. Proprietary today; open-source licensing under evaluation. Not open for public access.
Standalone: Yes — useful without any other Jupiter module.
Feeds: Enrich and Detect modules with CVE context, IOC reputation, and ATT&CK mapping.
02Planned
Data plane — Collect
Log and event ingestion
Ingest security events from network devices, servers, cloud platforms, and applications into a dedicated pipeline.
- Syslog, agents, HTTP/webhook, and cloud audit sources
- Flow-based routing with backpressure (e.g. Apache NiFi)
- Delivery to normalization with source and tenant metadata
Technology: Pipeline TBD; Apache NiFi evaluated as primary example
Depends on: None (entry point for the data plane).
Standalone: Limited — events need normalization and storage to be useful.
Feeds: Normalize module with raw or lightly wrapped events.
03Planned
Data plane — Normalize
Parsing and OCSF schema
Parse heterogeneous log formats and map fields to a consistent Open Cybersecurity Schema Framework (OCSF) event model.
- Per-source parsers and field extraction
- OCSF-aligned event classes and attributes
- Timestamp normalization, deduplication keys, source tagging
Technology: OCSF
Depends on: Collect.
Standalone: No — sits between Collect and Enrich.
Feeds: Enrich module with structured OCSF events.
04Planned
Data plane — Enrich
Pipeline intelligence and context
Add threat intel, asset context, and IOC matches to events before storage and detection.
- Briefr intel API integration (CVE relevance, IOC reputation)
- Asset and identity context (host, user, criticality)
- Geo, ASN, and feed-based IOC matching on log fields
Technology: Stream or batch processors in the ingestion pipeline
Depends on: Normalize; optional Briefr for intel lookups.
Standalone: No — requires normalized events from upstream.
Feeds: Store module with enriched OCSF events.
05Planned
Data plane — Store
Log management and search
Durable storage, retention tiers, indexing, and a query API for search and aggregations.
- ClickHouse hot storage with retention policies
- Search and aggregation API for dashboards and hunts
- Cold archive tier for long-term retention
Technology: ClickHouse
Depends on: Enrich (or Normalize for a minimal pipeline).
Standalone: Yes as a log platform — detection adds SIEM alerting on top.
Feeds: Detect, Hunt, and Govern modules.
06Planned
Operations plane — Detect
Rules, playbooks, and alerting
Turn stored events into alerts using configurable rules, playbooks, watchlists, and IOC-driven logic.
- Rule engine (format under active design)
- Playbooks for alert routing and multi-step response workflows
- User-defined watchlists, suppressions, and severity overrides
- IOC and intel-driven detection using Enrich and Briefr context
- Optional automation orchestration (platform TBD)
Depends on: Store; Enrich recommended for context-aware rules.
Standalone: Requires Store and a populated event pipeline.
Feeds: Hunt module with alerts; notification channels (email, webhook, chat).
07After rules
Operations plane — Analyze
Context-aware detection
Advanced analytics and context-aware algorithms layered on top of a working rule-based Detect module.
- Entity baselines and behavioral anomaly signals
- Risk scoring across asset criticality, intel, and rule hits
- ML-assisted detection when data volume and feedback justify it
Technology: Deferred until rule-based detection is stable
Depends on: Detect, Store, and sufficient operational telemetry.
Standalone: No — ships after Detect rules and alerting are proven.
Feeds: Detect and Hunt with scored signals and prioritization.
08Planned
Operations plane — Hunt
Investigation and cases
Analyst workflows across logs and intel: search, timelines, pivots, and case management.
- Log search, timelines, and cross-entity pivots
- Case records linking alerts, queries, IOCs, and notes
- Intel-side investigation today via Briefr; log-side hunting with Store
Depends on: Store for log hunts; Briefr for intel pivots.
Standalone: Intel hunting via Briefr today; full hunt requires Store.
Feeds: Govern audit trail; analyst exports and reports.
09Planned
Govern — Govern
Compliance and platform policy
Retention enforcement, access audit, and compliance reporting across all modules.
- Retention and legal-hold policies on stored data
- Audit log of queries, config changes, and access
- Exportable compliance reports
- Platform auth and RBAC as the stack matures
Depends on: Store; expands as more modules ship.
Standalone: No — applies across Store, Detect, Hunt, and platform access.
Feeds: Compliance stakeholders and security operations oversight.