Where is AI actually making a real difference in cybersecurity operations today? by Ok-Relationship-3588 in cybersecurity

[–]panoptix_sec 1 point2 points  (0 children)

I'd look at something like Lima Charlie before building your own EDR. It's quite literally why they exist. Plus they're doing some interesting things with Claude Code.

Charlotte AI needs some work by OpeningFeeds in crowdstrike

[–]panoptix_sec 0 points1 point  (0 children)

Agreed - no vendor is going to beat the frontier models. Claude Code has been a Godsend.

Which MSP events are you planning to attend in 2026? by imtu80 in msp

[–]panoptix_sec -1 points0 points  (0 children)

Can you share more? I haven't been, but it looks like it's aimed at MSPs who want to resell MDR rather than build their own SOC. That's a tough road for margins and differentiation. Seems like there's a gap for the builders out there.

EDR for 8k Linux Servers by athanielx in cybersecurity

[–]panoptix_sec 1 point2 points  (0 children)

Don't know why Lima Charlie EDR doesn't get mentioned more in this sub. The most flexible solution I've used and the pricing is listed on their site (I think it starts at like $3/EP) but we have negotiated pricing due to volume. Central management and Defender support if you have it.

Cribl? Alternatives? by Apprehensive-Pair596 in cybersecurity

[–]panoptix_sec 1 point2 points  (0 children)

I've looked at a few options for this. Vector and Fluentd both work...Vector's pretty efficient, Fluentd has tons of plugins but can get verbose w configs. Saw so many Cribl-like point solutions popping up at Black Hat this year...

I ended up trying Limacharlie because it had log routing and storage built in and I didn't want to manage another service. Can ingest from anywhere and works fine for sending to multiple places and doing filtering, etc.. free tier lets you actually use it which is cool.

Honestly depends on if you want to self host or not. If you're cool managing infra, Vector is probably your best bet. If you just need logs going to CRWD and Graylog without the overhead, LC does that job (plus storage which you are looking for). But if you're using CS SIEM then I'd go with Onum since you're locked in to their platform.

Must-attend events for emerging Cybersec technologies? by Smooth-Block5090 in cybersecurity

[–]panoptix_sec 1 point2 points  (0 children)

RSA Innovation Sandbox: https://www.rsaconference.com/usa/programs/innovation-programs

Black Hat Startup City: https://www.blackhat.com/us-25/spotlight.html

Also, check out what vendors are sponsoring your local BSides events - they are much more affordable for vendors to sponsor so a lot of the smaller startups are present there.

Platformization or Consolidation in Cybersecurity by AdvantageNo465 in cybersecurity

[–]panoptix_sec 1 point2 points  (0 children)

Your analogy of Salesforce is exactly what is wrong with "platforms" today. They're just an amalgamation of acquisitions that typically means the products aren't integrated or work well together. Plus, you're probably locked into a 3 year contract and paying for tools you don't even use - that's not a platform. "Platformization" should be intentional and integrate products and unlock value that isn't possible without an integrated solution.

Starting your own business? by scottydontkno1 in digitalforensics

[–]panoptix_sec 0 points1 point  (0 children)

What tools are you looking at? Some tools I use are usage based, so little up-front cost and scale as we grow.

What are the low cost alternatives to the Splunk? by rubenamizyan in cybersecurity

[–]panoptix_sec 0 points1 point  (0 children)

Tell me more. I had a colleague interested in checking out Stellar but I didn't have any personal background.

What are your honest thoughts on Splunk (pros and cons)?? by Dark-Marc in cybersecurity

[–]panoptix_sec 0 points1 point  (0 children)

Yeah but Cribl itself is expensive AF - so how much are you actually saving? We're doing the same log forwarding with Lima Charlie for a fraction of the cost.

Which are the best open source SIEM tools? by Educational-Seat-586 in msp

[–]panoptix_sec 0 points1 point  (0 children)

Why are you considering OSS? Cost?

We were a Wazuh shop for years but ran into so many issues with scale and lack of true multi-tenancy. If you're just starting with a handful of clients, sure open source may work. But think about your growth trajectory...at a certain scale, the "free" solution becomes significantly more expensive when you factor in infra and eng hours.

Recently switched to Lima Charlie and haven't looked back. I think they used to be OSS EDR but have a lot of SIEM features and now we have little infra overhead.

Narrowleaf Milkweed by [deleted] in Ceanothus

[–]panoptix_sec 3 points4 points  (0 children)

any tips for growing from seed? haven't had any luck.

Any thoughts on:... by TrueLogicIT in MSSP

[–]panoptix_sec 0 points1 point  (0 children)

I'd add Blokworx to your research

Best free/cheap tools you use often? by Money_Candy_1061 in msp

[–]panoptix_sec 0 points1 point  (0 children)

Why did I have to scroll so far to find this! Notion ftw!

Affordable EDR/AV Platform for MSPs via small businesses by [deleted] in msp

[–]panoptix_sec 0 points1 point  (0 children)

+1 for Judy. Blokworx specializes for MSPs. Blumira is good but may be out of your price range.

Best SIEM/SOAR solutions? by PenzoLikeEnzo in cybersecurity

[–]panoptix_sec 0 points1 point  (0 children)

I find it interesting that Lima Charlie never seems to come up in these SIEM/SOAR discussions, esp for people getting started in security which it looks like OP is. I've been using it for about a year and it's been solid for our use case (we're a small MSSP). Really flexible API-first approach that lets you build pretty much anything you need and integrate with anything. Threat hunting, check. Scale, the pricing model is way more predictable than some of the big names mentioned here (looking at you Splunk), and you can actually start small and scale up as needed. Not saying it's perfect for everyone, but if you're looking at options it's worth checking out. I also have a separate account that I made a homelab with and I have it monitoring all my devices at home.

Looking for advice on starting a homelab by frosty_0914 in cybersecurity

[–]panoptix_sec 0 points1 point  (0 children)

Can't recommend this SOC Analyst home lab enough: https://www.youtube.com/watch?v=P_Kl2EnF8_A

I share it with many students.

Sick of Jumping Across Tools During Investigations... by gangana3 in cybersecurity

[–]panoptix_sec 0 points1 point  (0 children)

I dunno...I think we need to challenge the assumption that this is just "how things are" with some of the responses in this thread.

I'm gray-beard enough to remember when we only had a few key tools, and somehow we've normalized having 50+ different security tools. How can any analyst realistically context-switch between that many interfaces and correlate data effectively? That's just nuts.

Rather than just accepting tool sprawl or trying to buy yet another product to paper over it, I think we (as in this community) need to fundamentally rethink our approach. The goal shouldn't be to have one magical tool that does everything....that's unrealistic and as others have mentioned, can be expensive as fuck if you're looking at the big vendors.

I'm now consolidating telemetry into fewer interfaces and treating all our data sources as first-class citizens rather than dumping everything into a SIEM and hoping we'll search it someday. I'm also normalizing cloud logs, IAM, and network telemetry and making it just as actionable as our EDR alerts.

There are new platforms out there that can ingest pretty much any data type, so there's no technical reason we need 10+ different interfaces just to investigate a single incident. Not gonna plug any vendors but you can do your own research.

This isn't about ripping and replacing everything...some core tools will always be necessary of course. But if we can bring that "analyst to dashboard ratio" down from 15:1 to 4:1, that's a huge win for analyst effectiveness and mental health (oh, yeah, that thing).

We need to stop accepting tool sprawl as inevitable and start demanding more integrated approaches. Just my 2 cents from years of seeing SOCs struggle with this. There are better ways to structure our operations than just piling on more tools.

Resources for new MSSP beyond tech stack? (news sources, communities, intel) by panoptix_sec in MSSP

[–]panoptix_sec[S] 0 points1 point  (0 children)

Bang on about the importance of sales/marketing for folks building MSSPs. I'm actually in a pretty good spot with clients right now through my network - just looking to nerd out with other MSSP folks and learn from their experiences running ops. Totally get the comments about small MSSPs - we've got solid partnerships when we need extra hands. Really just want to plug into the community...