FFalak/ SOAR · SIEM
v0 · Built in the open

Security operations, engineered in the open.

Falak is a SOAR/SIEM platform for multi-tenant environments. Endpoint agents, relay nodes, and a control plane that detect, correlate, and respond — without the black box.

status · operationalrelease · devlicense · source-available
falak · topology
L1
Endpoint
minion · rust
linuxwindowsmacos
L2
Relay
relay · go
enrollmenttelemetryactions
L3
Control plane
15 services · go / python / ts
ingestnormalizedetectcorrelateincidentplaybookaction-dispatchsearchui
mTLS · agent ↔ relay
JetStream · relay → control plane
Temporal · response workflows
Architecture

Three layers. No surprises.

Falak runs across three runtime layers, each with its own trust boundary. What leaves one layer is signed before it enters the next.

L1 · endpoint

Minions.

Rust agents for Linux, Windows, and macOS. Deterministic enrollment, signed policy bundles, a disk-backed spool that survives reboots, and hardened collectors that never trust what they cannot verify.

  • Signed policy verification on every apply
  • Mutually authenticated transport to relay
  • Offline-safe spool with backpressure
L2 · edge

Relays.

Go services that aggregate telemetry from fleets and forward upstream. Relays hold the trust boundary between customer networks and the control plane — every signed action is verified before it reaches an endpoint.

  • gRPC ingress with mTLS
  • Signed-action verification before dispatch
  • Backpressure-aware forwarding to JetStream
L3 · core

Control plane.

Twelve purpose-built Go services, a Python AI reasoning service, and a Next.js analyst console. Ingest, normalize, detect, correlate, orchestrate response, and present incidents — each boundary observable, each hop auditable.

  • Protobuf contracts across every edge
  • Temporal-backed response workflows
  • Immutable audit trail expectations
Pipeline

Ingest. Detect. Respond.

One pipeline, four stages, every hop observable. No magic, no hidden state.

  1. 01

    Ingest

    Agent telemetry lands at the ingest service through gRPC, is validated, and is published to JetStream. Backpressure and duplicate windows are enforced per stream, not per caller.

    apps/ingest-service
  2. 02

    Normalize

    Raw events are normalized to a common schema and indexed into OpenSearch with tenant qualification at the index-write boundary.

    apps/normalize-service
  3. 03

    Detect · Correlate

    Rule packs evaluate the normalized stream. Correlation joins detections into incident-shaped groups and opens cases in the incident service.

    apps/detection-service · correlation-service
  4. 04

    Respond

    Playbooks run as Temporal workflows. Signed actions flow from the dispatcher through relays to endpoints. Nothing runs without a signature.

    apps/playbook-service · action-dispatcher
Security posture

Security-first. And honest about it.

A SIEM that hides its weaknesses is useless. Here is what holds today, and what we are hardening next. No asterisks.

What is real today

production-shaped controls
  • Signed policy bundles; signed action envelopes end to end.
  • API-gateway JWT/OIDC + tenant claim enforcement + role checks.
  • Strict tenant isolation at control-plane boundaries.
  • External Secrets Operator + backend SecretStore pattern for Kubernetes.
  • Compose and k8s both reject insecure defaults on boot.
  • Mandatory CI security gates: govulncheck, pip-audit, pnpm audit, Trivy fs + image.

What we are hardening next

tracked, gated, not hidden
  • Cryptographic service identity on every internal gRPC edge (Ed25519 + per-service keys).
  • Per-tenant rate limiting at the public ingress.
  • Postgres row-level security as defense in depth beneath service-layer enforcement.
  • Real-backend browser E2E against the compose apps profile.
  • Mandatory high-scale soak as a release gate.
Stack

Boring tools, assembled carefully.

Every layer is a technology an on-call engineer already knows how to debug at 3am.

Runtimes
  • Go 1.26control-plane services
  • Rust 1.86endpoint agent
  • Python 3.12AI reasoning
  • Node 22analyst console
Data plane
  • NATS + JetStreamevent streaming
  • OpenSearchhot search / events
  • PostgreSQLmetadata
  • Rediscache + locks
Orchestration
  • Temporalresponse workflows
  • Buf / gRPCtyped contracts
  • Next.js 16analyst UI
  • OpenTelemetrytraces / metrics
Delivery
  • Docker Composelocal integration
  • Kubernetesstaging / prod
  • External SecretsVault / ASM / GSM
  • GitLab CIcontracts + security gates
Deploy model

Runs on your cluster. Or ours.

Docker Compose for local integration. Kustomize overlays for staging and prod. Secrets come from your platform’s secret manager. No vendored control plane.

terminal · falak localbash
$ make bootstrap
$ make dev-up

# infra: postgres · redis · nats · opensearch · temporal · otel

$ docker compose --profile apps up -d

# 15 apps built from the monorepo. one command.
# open http://localhost:3000 → analyst console
Get started

Clone it. Run it. Break it. Tell us how.

Falak is source-available and built in public. The fastest path to understanding is a local run.