SOAR Security Platform

Real-time SSH brute force detection and automated incident response powered by AWS serverless architecture. Monitors servers 24/7 and alerts security teams in under 30 seconds.

Technologies: Python, AWS Lambda, DynamoDB, SQS, SNS, Terraform, GitHub Actions, SOAR

Overview

Security teams face a triage problem no human can keep up with: 10,000+ automated SSH login attempts per server per day. This SOAR platform automates the entire detection and response pipeline using AWS serverless services.

A cron job on Ubuntu servers tails /var/log/auth.log and sends failed login attempts to API Gateway. Four Lambda functions handle validation, storage, threat analysis, and email alerting in sequence, chained through SQS queues. Severity is assigned automatically from the attempt count: 3 attempts rates Low, 15 or more rates Critical.
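The following Python is an added example, not code from this project: it shows the detection half of the pipeline described above, parsing sshd "Failed password" lines from a constructed auth.log excerpt, grouping attempts by host and source IP, and mapping the count to the severity scale the page states (3 attempts is Low, 15+ is Critical). The Medium and High bands in between, the "Info" label for fewer than 3 attempts, the function names and the alert record layout are all assumptions made for this example.

```python
"""
Added example (not the project's own code): turn sshd failure lines from
/var/log/auth.log into per-source alert records with a severity level.

Only two severity anchors come from the page: 3 attempts -> Low and
15+ attempts -> Critical. Everything between them, and the "Info" label
below the Low threshold, is assumed here.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional

# Matches a standard sshd failure line such as:
# "Jan 12 10:15:01 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 54321 ssh2"
# The optional "invalid user " prefix appears when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)

# Thresholds are checked from highest to lowest; first match wins.
SEVERITY_BANDS = [
    (15, "Critical"),  # stated on the page
    (12, "High"),      # assumed band
    (8, "Medium"),     # assumed band
    (3, "Low"),        # stated on the page
]

# Constructed sample log excerpt (documentation IP ranges, not real hosts).
SAMPLE_LOG = [
    "Jan 12 10:15:01 web01 sshd[1234]: Failed password for root from 203.0.113.5 port 54321 ssh2",
    "Jan 12 10:15:03 web01 sshd[1236]: Failed password for invalid user admin from 203.0.113.5 port 54322 ssh2",
    "Jan 12 10:15:04 web01 sshd[1238]: Failed password for root from 203.0.113.5 port 54323 ssh2",
    "Jan 12 10:15:09 web01 sshd[1241]: Failed password for invalid user test from 192.0.2.9 port 40010 ssh2",
    "Jan 12 10:16:00 web01 sshd[1250]: Accepted publickey for deploy from 198.51.100.7 port 50000 ssh2: ED25519 SHA256:placeholder",
]


def parse_failed_login(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of a failed-login line, or None for any other line."""
    m = FAILED_RE.search(line)
    return m.groupdict() if m else None


def severity_for(attempts: int) -> str:
    """Map an attempt count to a severity label using SEVERITY_BANDS."""
    for threshold, label in SEVERITY_BANDS:
        if attempts >= threshold:
            return label
    return "Info"  # assumed: recorded but below the alerting threshold


def build_alerts(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Aggregate failures per (host, source IP) into alert records, busiest source first."""
    attempts: Counter = Counter()
    users: Dict[tuple, set] = defaultdict(set)
    for line in lines:
        ev = parse_failed_login(line)
        if ev is None:
            continue  # successful logins and unrelated lines are ignored
        key = (ev["host"], ev["ip"])
        attempts[key] += 1
        users[key].add(ev["user"])

    alerts = []
    for (host, ip), n in attempts.most_common():
        alerts.append({
            "host": host,
            "source_ip": ip,
            "attempts": n,
            "severity": severity_for(n),
            "users": sorted(users[(host, ip)]),
        })
    return alerts


def alerts_to_dispatch(alerts: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Keep only records at or above the Low threshold; these would be posted to the API."""
    return [a for a in alerts if a["severity"] != "Info"]


if __name__ == "__main__":
    for record in build_alerts(SAMPLE_LOG):
        print(record)
```

In the sample, 203.0.113.5 produces three failures against two different usernames and is rated Low, while the single failure from 192.0.2.9 stays at Info and is not dispatched. In a real deployment the cron job would only ever see a window of the log at a time, so the counts here stand in for whatever the storage Lambda accumulates per source over its detection window.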

All Lambda functions run in private VPC subnets with no public ingress. The whole stack deploys in 15 minutes via Terraform and a GitHub Actions CI/CD pipeline.
