Modular self-hosted security platform

I'm a security enthusiast putting together composable tools for log ingestion, OCSF normalization, ClickHouse storage, detection, hunting, and threat intelligence. They can plug into a full SIEM when connected — or run standalone where that makes more sense.

1 module in private beta · 7 planned · 1 deferred until rules ship

Intel plane, data plane, operations plane

I don't want one monolithic SIEM that only ships when everything is done. I split threat intelligence from log processing so each part can ship, run, and mature on its own timeline.

Intel plane — Briefr

CVE feeds, change deltas, IOC enrichment, MITRE context, Forge detection packs, and analyst investigation. This is what I use to answer: what's being exploited, what changed, what does this indicator mean, does it affect my stack?

Private beta — the part I ship and use today.

Data plane — Collect through Store

Ingest logs from diverse sources, normalize to OCSF, enrich with intel and asset context, and store in ClickHouse for search and retention.

Pipeline in design (e.g. Apache NiFi).

Operations plane — Detect, Hunt, Analyze

Rules, playbooks, and alerts first — that's what I'm designing next. Context-aware analytics come after rule-based detection works. Hunting and cases tie logs and intel together.

Detection design in progress.

Briefr — what I built first

I started here because I wanted better CVE and IOC context in my own workflow. Briefr is a self-hosted analyst intelligence pane — five tabs (BRIEF, FEED, IOC LOOKUP, INCIDENTS & NEWS, FORGE). It does not ingest syslog or replace a log pipeline; correlation today is intel-side (CVE ↔ IOC ↔ incidents ↔ detection packs), not log correlation.

// Investigation workflows

How I move through Briefr during real analysis — cross-tab pivots, not separate tools.

Briefr investigation workflow from CVE feed through investigate, IOC lookup, verdict, and incidents context
Briefr investigation workflow — cross-tab pivots

// Correlation, scoring & context

  • Stack relevance — CVE feed and asset profile filtered to what runs in my environment, not every NVD entry
  • What changed — CVSS, EPSS, KEV, and PoC deltas with 24h / 48h / 7d windows on the BRIEF tab
  • KEV + EPSS + PoC + Risk Score — exploitation likelihood and stack-weighted ranking on the same CVE record
  • Three-level correlation — shared OTX IPs, actor/sector match, and temporal vendor anomalies in the drawer
  • CVE → IOC pivot — lookup from the BRIEF feed or investigate panel carries context into enrichment
  • ATLAS technique tags — incidents linked to MITRE ATLAS for campaign-level context
  • Forge hunt packs — Sigma and SIEM snippets tied to ATT&CK techniques my CVEs map to
  • Downstream APIs (planned) — Enrich and Detect modules will consume Briefr intel when the log pipeline ships

Private beta at briefr.projectjupiter.in (access restricted). Proprietary today; open-source licensing under evaluation. Not open for public access or beta requests at this time.

Nine modules

Each module has a defined role, dependencies, and outputs. I'm designing them to run alone where it makes sense; full SIEM mode connects them through OCSF events and shared APIs.

01Private beta

Intel planeBriefr

Threat intelligence and investigation

Self-hosted analyst intelligence pane — CVE context, IOC enrichment, change deltas, and detection engineering (Forge). Not log ingestion.

  • NVD, CISA KEV, EPSS, MITRE ATT&CK and ATLAS; exploit feeds (Sploitus, OSV, CIRCL, and others)
  • IOC lookup for IP, hash, and domain; What changed panel; Risk Score and asset profile matching
  • Three-level correlation, investigation panel, Forge hunt packs (Sigma + SIEM snippets), CSV/Excel/PDF export
  • Enrichment APIs for downstream Jupiter Enrich and Detect modules

Technology: FastAPI, SQLite, React

Availability: Private beta. Proprietary today; open-source licensing under evaluation. Not open for public access.

Standalone: Yes — useful without any other Jupiter module.

Feeds: Enrich and Detect modules with CVE context, IOC reputation, and ATT&CK mapping.

02Planned

Data planeCollect

Log and event ingestion

Ingest security events from network devices, servers, cloud platforms, and applications into a dedicated pipeline.

  • Syslog, agents, HTTP/webhook, and cloud audit sources
  • Flow-based routing with backpressure (e.g. Apache NiFi)
  • Delivery to normalization with source and tenant metadata

Technology: Pipeline TBD; Apache NiFi evaluated as primary example

Depends on: None (entry point for the data plane).

Standalone: Limited — events need normalization and storage to be useful.

Feeds: Normalize module with raw or lightly wrapped events.

03Planned

Data planeNormalize

Parsing and OCSF schema

Parse heterogeneous log formats and map fields to a consistent Open Cybersecurity Schema Framework (OCSF) event model.

  • Per-source parsers and field extraction
  • OCSF-aligned event classes and attributes
  • Timestamp normalization, deduplication keys, source tagging

Technology: OCSF

Depends on: Collect.

Standalone: No — sits between Collect and Enrich.

Feeds: Enrich module with structured OCSF events.

04Planned

Data planeEnrich

Pipeline intelligence and context

Add threat intel, asset context, and IOC matches to events before storage and detection.

  • Briefr intel API integration (CVE relevance, IOC reputation)
  • Asset and identity context (host, user, criticality)
  • Geo, ASN, and feed-based IOC matching on log fields

Technology: Stream or batch processors in the ingestion pipeline

Depends on: Normalize; optional Briefr for intel lookups.

Standalone: No — requires normalized events from upstream.

Feeds: Store module with enriched OCSF events.

05Planned

Data planeStore

Log management and search

Durable storage, retention tiers, indexing, and a query API for search and aggregations.

  • ClickHouse hot storage with retention policies
  • Search and aggregation API for dashboards and hunts
  • Cold archive tier for long-term retention

Technology: ClickHouse

Depends on: Enrich (or Normalize for a minimal pipeline).

Standalone: Yes as a log platform — detection adds SIEM alerting on top.

Feeds: Detect, Hunt, and Govern modules.

06Planned

Operations planeDetect

Rules, playbooks, and alerting

Turn stored events into alerts using configurable rules, playbooks, watchlists, and IOC-driven logic.

  • Rule engine (format under active design)
  • Playbooks for alert routing and multi-step response workflows
  • User-defined watchlists, suppressions, and severity overrides
  • IOC and intel-driven detection using Enrich and Briefr context
  • Optional automation orchestration (platform TBD)

Depends on: Store; Enrich recommended for context-aware rules.

Standalone: Requires Store and a populated event pipeline.

Feeds: Hunt module with alerts; notification channels (email, webhook, chat).

07After rules

Operations planeAnalyze

Context-aware detection

Advanced analytics and context-aware algorithms layered on top of a working rule-based Detect module.

  • Entity baselines and behavioral anomaly signals
  • Risk scoring across asset criticality, intel, and rule hits
  • ML-assisted detection when data volume and feedback justify it

Technology: Deferred until rule-based detection is stable

Depends on: Detect, Store, and sufficient operational telemetry.

Standalone: No — ships after Detect rules and alerting are proven.

Feeds: Detect and Hunt with scored signals and prioritization.

08Planned

Operations planeHunt

Investigation and cases

Analyst workflows across logs and intel: search, timelines, pivots, and case management.

  • Log search, timelines, and cross-entity pivots
  • Case records linking alerts, queries, IOCs, and notes
  • Intel-side investigation today via Briefr; log-side hunting with Store

Depends on: Store for log hunts; Briefr for intel pivots.

Standalone: Intel hunting via Briefr today; full hunt requires Store.

Feeds: Govern audit trail; analyst exports and reports.

09Planned

GovernGovern

Compliance and platform policy

Retention enforcement, access audit, and compliance reporting across all modules.

  • Retention and legal-hold policies on stored data
  • Audit log of queries, config changes, and access
  • Exportable compliance reports
  • Platform auth and RBAC as the stack matures

Depends on: Store; expands as more modules ship.

Standalone: No — applies across Store, Detect, Hunt, and platform access.

Feeds: Compliance stakeholders and security operations oversight.

How I'm wiring the modules together

Events flow left to right through the data plane. Briefr sits on the intel plane and feeds Enrich and Detect. Analyze is dashed because I plan to ship it after rule-based detection is working.

Project Jupiter SOC architecture diagram showing intel plane, data pipeline, storage, and operations modules
Project Jupiter module architecture — intel, pipeline, storage, operations

Solid connectors are designed interfaces. Dashed Analyze is a later phase for me. Ingestion pipeline example: Apache NiFi — final stack still under evaluation.

Build order

I'm not publishing dates. This is the sequence that makes engineering sense to me — dependency order, not marketing promises.

  1. Now
    Briefr

    Private beta — threat intel and investigation

  2. Next
    Collect · Normalize · Store

    Minimal OCSF pipeline into ClickHouse (NiFi-class ingestion)

  3. Then
    Detect

    Rules, playbooks, IOC-driven alerts; automation platform TBD

  4. Then
    Enrich ↔ Briefr

    Wire intel APIs into the live event pipeline

  5. Then
    Hunt + cases

    Log timelines, pivots, and case records

  6. Later
    Analyze

    Context-aware and ML-assisted detection after rules prove out

  7. Ongoing
    Govern

    Retention, audit, and compliance across modules

What exists today

  • Briefr — private beta at briefr.projectjupiter.in (access restricted). Five-tab analyst intel pane: morning brief, CVE feed, IOC lookup, incidents & news, and Forge detection packs. Proprietary; open-source licensing under evaluation.
  • Collect through Govern — architecture defined on this page; I haven't shipped implementation publicly yet.
  • This site — platform overview only; not a product dashboard.

Self-hosted — I'm not building a hosted SaaS.

Detection rule format and automation orchestration are under active design.

Not accepting beta sign-ups on this page.

About

I'm Harsha Vardhan — a security engineer building practical, self-hosted tools for analysts and small teams. Project Jupiter is my long-term platform for that work.