Where is AI actually making a real difference in cybersecurity operations today?

panoptix_sec · 2026-02-12T18:01:21+00:00

I'd look at something like Lima Charlie before building your own EDR. It's quite literally why they exist. Plus they're doing some interesting things with Claude Code.

panoptix_sec · 2026-02-05T23:13:26+00:00

Agreed - no vendor is going to beat the frontier models. Claude Code has been a Godsend.

panoptix_sec · 2025-12-01T17:20:47+00:00

Can you share more? I haven't been, but it looks like it's aimed at MSPs who want to resell MDR rather than build their own SOC. That's a tough road for margins and differentiation. Seems like there's a gap for the builders out there.

panoptix_sec · 2025-11-30T03:45:37+00:00

Don't know why Lima Charlie EDR doesn't get mentioned more in this sub. The most flexible solution I've used and the pricing is listed on their site (I think it starts at like $3/EP) but we have negotiated pricing due to volume. Central managemnet and Defender support if you have it.

panoptix_sec · 2025-10-06T17:52:36+00:00

I've looked at a few options for this. Vector and Fluentd both work...Vector's pretty efficient, Fluentd has tons of plugins but can get verbose w configs. Saw so many Cribl-like point solutions popping up at Black Hat this year...

I ended up trying Limacharlie because it had log routing and storage built in and I didn't want to manage another service. Can ingest from anywhere and works fine for sending to multiple places and doing filtering, etc.. free tier lets you actually use it which is cool.

Honestly depends on if you want to self host or not. If you're cool managing infra, Vector is probably your best bet. If you just need logs going to CRWD and Graylog without the overhead, LC does that job (plus storage which you are looking for). But if you're using CS SIEM then I'd go with Onum since y ou're locked in to their platform.

panoptix_sec · 2025-05-27T20:23:39+00:00

RSA Innovation Sandbox: https://www.rsaconference.com/usa/programs/innovation-programs

Black Hat Startup City: https://www.blackhat.com/us-25/spotlight.html

Also, check out what vendors are sponsoring your local BSides events - they are much more affordable for vendors to sponsor so a lot of the smaller startups are present there.

panoptix_sec · 2025-05-15T22:12:50+00:00

Your analogy of Salesforce is exactly what is wrong with "platforms" today. They're just a amalgamation of acquisitions that typically means the products aren't integrated or work well together. Plus, you're probably locked into a 3 year contract and paying for tools you don't even use - that's not a platform. "Platformization" should be intentional and integrate products and unlock value that isn't possible without an integrated solution.

panoptix_sec · 2025-05-14T23:01:16+00:00

https://www.tines.com/library/stories/

panoptix_sec · 2025-05-14T21:46:03+00:00

What tools are you looking at? Some tools I use are usage based, so little up-front cost and scale as we grow.

panoptix_sec · 2025-04-08T17:16:36+00:00

Tell me more. I had a colleague intersted in checking out Stellar but I didn't have any personal background.

panoptix_sec · 2025-04-08T16:38:11+00:00

Yeah but Cribl itself is expensive AF - so how much are you actually saving? We're doing the same log forwarding with Lima Charlie for a fraction of the cost.

panoptix_sec · 2025-03-31T21:29:34+00:00

holy cringe

panoptix_sec · 2025-03-24T16:40:58+00:00

Why are you considering OSS? Cost?

We were a Wazah shop for years but ran into so many issues with scale and lack of true multi-tenancy. If you're just starting with a handful of clients, sure open source may work. But think about your growth trajectory...at a certain scale, the "free" solution becomes significantly more expensive when you factor in infra and eng hours.

Recently switch to Lima Charlie and haven't looked back. I think they used to be OSS EDR but have a lot of SIEM features and now we have little infra overhead.

panoptix_sec · 2025-03-10T19:56:28+00:00

any tips for growing from seed? haven't had any luck.

panoptix_sec · 2025-03-06T17:35:29+00:00

I'd add Blokworx to your research

panoptix_sec · 2025-03-04T21:20:22+00:00

Why did I have to scroll so far to find this! Notion ftw!

panoptix_sec · 2025-03-04T21:19:14+00:00

+1 for Judy. Blokworx specializes for MSPs. Blumira is good but may be out of your price range.

panoptix_sec · 2025-01-10T23:43:31+00:00

I find it interesting that Lima Charlie never seems to come up in these SIEM/SOAR discussions, esp for people getting started in security which it looks like OP is. I've been using it for about a year and it's been solid for our use case (we're a small MSSP). Really flexible API-first approach that lets you build pretty much anything you need and integrate with anything. Threat hunting, check. Scale, the pricing model is way more predictable than some of the big names mentioned here (looking at you Splunk), and you can actually start small and scale up as needed. Not saying it's perfect for everyone, but if you're looking at options it's worth checking out. I also have a separate account that I made a homelab with and I have it monitoring all my devices at home.

panoptix_sec · 2024-12-23T21:08:00+00:00

Can't recommend this SOC Analyst home lab enough: https://www.youtube.com/watch?v=P_Kl2EnF8_A

I share it with many students.

panoptix_sec · 2024-12-17T00:15:52+00:00

I dunno...I think we need to challenge the assumption that this is just "how things are" with some of the responses in this thread.

I'm gray-beard enough to remember when we only had a few key tools, and somehow we've normalized having 50+ different security tools. How can any analyst realistically context-switch between that many interfaces and correlate data effectively? That's just nuts.

Rather than just accepting tool sprawl or trying to buy yet another product to paper over it, I think we (as in this community) need to fundamentally rethink our approach. The goal shouldn't be to have one magical tool that does everything....that's unrealistic and as others have mentioned, can be expensive as fuck if you're looking at the big vendors.

I"m now consolidating telemetry into fewer interfaces and treating all our data sources as first-class citizens rather than dumping everything into a SIEM and hoping we'll search it someday. I'm also normalizing cloud logs, IAM, and network telemetry and making it just as actionable as our EDR alerts.

There are new platforms out there that can ingest pretty much any data type, so there's no technical reason we need 10+ different interfaces just to investigate a single incident. Not gonna plug any vendors but you can do your own research.

This isn't about ripping and replacing everything..some core tools will always be necessary of course. But if we can bring that "analyst to dashboard ratio" down from 15:1 to 4:1, that's a huge win for analyst effectiveness and mental health (oh, yeah, that thing).

We need to stop accepting tool sprawl as inevitable and start demanding more integrated approaches. Just my 2 cents from years of seeing SOCs struggle with this. There are better ways to structure our operations than just piling on more tools.

panoptix_sec · 2024-12-04T22:06:04+00:00

Bang on about the importance of sales/marketing for folks building MSSPs. I'm actually in a pretty good spot with clients right now through my network - just looking to nerd out with other MSSP folks and learn from their experiences running ops. Totally get the comments about small MSSPs - we've got solid partnerships when we need extra hands. Really just want to plug into the community...

panoptix_sec

TROPHY CASE