SOC Architecture | Clavea Security
SOC Architecture

Engineering-first.
Zero-trust by design.

Our SOC platform was built from the ground up by engineers who have designed, deployed, and operated security operations centers and production infrastructure at scale. Every architectural decision reflects hard-earned lessons from real incidents and real infrastructure.

All inter-component communication goes through zero-trust verification; nothing is trusted implicitly. The only traffic that bypasses this verification is outbound notification traffic (Slack, email, PagerDuty) and the internal-network adapters over which services such as Prometheus and Grafana communicate directly through isolated network interfaces with no external exposure.

Design Principles

Zero-Trust by Default

Every connection between components is authenticated and encrypted. No implicit trust — even internal services verify identity on every request.

Network Isolation

Internal services like Prometheus and Grafana communicate strictly through their internal-network adapter. Only outgoing channels (Slack, email) and client-facing endpoints traverse external networks.

Horizontally Scalable

Each component is containerized and stateless. The SOAR dispatcher, enrichment engines, and monitoring stack scale independently based on alert volume.

Defense in Depth

Multiple layers of detection — SIEM correlation, threat intel matching, behavioral analysis, and infrastructure anomaly detection — so nothing slips through a single point of failure.

Live Architecture

[Interactive architecture diagram, titled "CLAVEA Security Operations Center", not reproduced here. Zones and components shown: CLIENT NETWORK (Endpoints, Servers, Cloud, Network); SIEM NETWORK (SIEM, passing metadata onward); STACKSTORM (Chasqui SOAR Dispatch, Taliah Autonomous AI Operator, Medjay Infrastructure Watch); IRIS; Prometheus; Grafana; FEEDS (MISP, CIRCL, Botvrij.eu, URLhaus, Feodo, ThreatFox, OpenPhish); SOURCES (IntelOwl, OpenCTI, VirusTotal, AbuseIPDB, Shodan); CHANNELS. The diagram's tabs trace these data streams through each operational layer: Security Alerts, Threat Intel, Case Updates, Enriched Intel, Notifications, Infra Metrics, AI Queries, Infra Context.]

Network Model
ZERO-TRUST ZONE

All connections between SIEM, SOAR, MISP, IntelOwl, IRIS, and AI operators are mutually authenticated with TLS and API tokens. Every request is verified regardless of network origin.

INTERNAL NETWORK

Prometheus and Grafana communicate strictly through their internal-network adapter — no external routing, no internet exposure. Metrics never leave the isolated monitoring subnet.
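As an added illustration, not taken from this page or from Clavea's own deployment files, one way the isolation described above can be expressed in Docker Compose; the service, image and network names are assumptions:

```yaml
# Illustrative Docker Compose fragment (assumed layout, not Clavea's files).
# Prometheus and Grafana attach only to an "internal" network, which Compose
# creates without a route to the host's external interfaces, and they
# publish no host ports, so they are reachable only from peers on that subnet.
services:
  prometheus:
    image: prom/prometheus
    command:
      # the container's only interface is on the monitoring subnet,
      # so this binds to the internal adapter and nothing else
      - "--web.listen-address=0.0.0.0:9090"
    networks: [monitoring]
    # Weak setting to avoid: the line below would publish the metrics
    # endpoint on every host interface.
    # ports: ["9090:9090"]

  grafana:
    image: grafana/grafana
    environment:
      GF_SERVER_HTTP_ADDR: "0.0.0.0"   # same reasoning as above
    networks: [monitoring]
    # no "ports:" entry: dashboards are reached only via the internal subnet

  # The infrastructure-watch component (hypothetical image name) sits on both
  # subnets, so it can read metrics without exposing the monitoring stack.
  medjay:
    image: example/medjay
    networks: [monitoring, soc_core]

networks:
  monitoring:
    internal: true          # no external routing for this subnet
  soc_core: {}
```

After bringing the stack up, `docker port <prometheus-container>` and `docker port <grafana-container>` should print nothing, and `docker network inspect` on the monitoring network should show `"Internal": true`.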

OUTGOING CHANNELS

Notification channels (Slack, Teams, email, PagerDuty) are outbound-only, write-only integrations. No inbound access is granted — alerts push out, nothing pushes in.