Security research is an unusual hobby. The tooling is powerful, the learning curve is steep, and the infrastructure requirements are substantial enough that most people doing it at home are either running underpowered setups or spinning up cloud instances they forget to turn off between sessions.

The Mosburn Lab takes a different approach: infrastructure-as-code deployment of professional security tooling, torn down and rebuilt when needed, with reproducible state managed entirely by Ansible.

What a home SOC actually means

A Security Operations Center, in enterprise terms, is a team with a toolchain for detecting, investigating, and responding to incidents. The core stack typically includes:

  • SIEM — aggregating and correlating logs across the environment
  • Case management — structured workflows for tracking investigations
  • Threat intelligence — enriching indicators with external data
  • Orchestration — automating the mechanical parts of analysis

Running a home SOC isn’t running an enterprise program. It’s having access to the same class of tooling for learning how these systems work before you need them professionally, practicing incident response against known-bad samples in a controlled environment, conducting vulnerability research with proper case tracking, and analyzing malware without touching anything near actual production data.

TheHive: case management that takes investigation seriously

TheHive is an open-source incident response platform built around cases — structured investigations that can hold observables, tasks, timeline entries, and links to related cases.

The workflow is familiar to anyone who’s done professional incident response:

  1. Alert comes in (manually or via integration)
  2. Case opens with relevant observables — IP addresses, domains, file hashes, email headers
  3. Tasks assigned and tracked within the case
  4. Observables sent to Cortex for automated enrichment
  5. Timeline builds as the investigation progresses
  6. Case closes with documented findings

In practice, I use this for malware analysis sessions. Each sample gets a case. Associated infrastructure — C2 servers, distribution domains, related hashes — is tracked as observables. Come back to a sample three weeks later and the context is still there.

Cortex: the enrichment engine

Cortex is TheHive’s companion platform. It runs analyzers — integrations with threat intelligence services, OSINT tools, and analysis platforms — against observables submitted from TheHive.

Out of the box:

  • VirusTotal, MalwareBazaar, abuse.ch
  • Shodan, Censys
  • WHOIS, DNS, BGP lookups
  • URLScan, URLhaus
  • Hybrid Analysis, Any.run (API key required)
  • Local analysis tools (YARA, strings, capa)

From TheHive it’s one click: submit an observable to Cortex, pick the analyzers, get enriched results back in the case timeline. What used to be a sequence of manual lookups across a dozen browser tabs becomes a parallelized automated enrichment run.
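
Steps 2 and 4 of that workflow, automated as an added example (this is not code from the Mosburn Lab): a Python helper that pulls typed observables out of a constructed, defanged alert and plans which of the Cortex analyzers listed above to run on each, keeping RFC 1918 addresses in the case but out of external lookups. The sample alert and the analyzer-to-type mapping are assumptions; the dataType names (ip, domain, url, hash, mail) are TheHive's own.

```python
import ipaddress
import re
from collections import namedtuple
# Constructed sample alert: documentation IPs, .test domains, defanged the way reports usually are.
SAMPLE_ALERT = """\
Received: from mail.example-sender[.]test (203.0.113.10) by mx.lab[.]test
Reply-To: billing@example-sender[.]test
Payload fetched from hxxp://updates.example-cdn[.]test/setup.exe
sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
md5: d41d8cd98f00b204e9800998ecf8427e
Beacon to 198.51.100.7 and 10.0.0.5
"""
ANALYZER_PLAN = {  # assumed TheHive dataType -> Cortex analyzers from the list above; adjust per lab
    "ip": ["Shodan", "Censys", "WHOIS", "BGP"], "domain": ["WHOIS", "DNS", "URLhaus"],
    "url": ["URLScan", "URLhaus"], "hash": ["VirusTotal", "MalwareBazaar"],
}
PATTERNS = {  # TheHive dataType -> regex; longest hash form first so a sha256 is not read as md5
    "url": re.compile(r"https?://[^\s\"'<>)]+", re.I),
    "mail": re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "hash": re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.I),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.I),
}
# RFC 1918 only: ipaddress.is_private would also flag the documentation ranges used above
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
Observable = namedtuple("Observable", "data_type data tag", defaults=("",))  # tag: hash algo or "internal"

def refang(text: str) -> str:  # undo report-style defanging so the patterns can match
    return text.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")

def extract_observables(text: str) -> list:  # unique observables, typed the way TheHive expects
    found = {}
    for data_type, pattern in PATTERNS.items():
        for match in pattern.finditer(refang(text)):
            value, tag = match.group(0), ""
            if data_type == "ip":
                try:  # the regex also accepts 999.1.2.3; let ipaddress validate the value
                    addr = ipaddress.ip_address(value)
                except ValueError:
                    continue
                tag = "internal" if any(addr in net for net in INTERNAL) else ""
            elif data_type == "hash":
                tag = {32: "md5", 40: "sha1", 64: "sha256"}[len(value)]
            elif data_type == "domain" and value.rsplit(".", 1)[1].lower() in {"exe", "dll", "zip"}:
                continue  # "setup.exe" matches the host pattern but is a filename
            found.setdefault((data_type, value.lower()), Observable(data_type, value, tag))
    return list(found.values())

def plan_enrichment(observables: list) -> dict:  # analyzers to run; internal hosts get no external lookups
    return {o.data: [] if o.tag == "internal" else ANALYZER_PLAN.get(o.data_type, []) for o in observables}
```

The output of `plan_enrichment` is what you would feed to TheHive's "run analyzers" step for each observable; the mail observable stays in the case but gets no analyzer because none of the listed ones takes an address.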

The infrastructure reality

TheHive and Cortex have real infrastructure requirements. TheHive needs Elasticsearch or OpenSearch for storage. Cortex needs Docker for its analyzer workers. The combination runs best with 8 GB dedicated to the stack.

The hive.yml playbook deploys both services using roles targeting a dedicated host. The current deployment is CentOS-based, reflecting the original role architecture. Native Fedora and Ubuntu support is on the roadmap.

The mosburn.elk role provides the Elasticsearch backend TheHive depends on. The mosburn.filebeat role ships logs from other lab hosts into the ELK stack, giving TheHive’s integrated search a view across the entire lab environment.

The controlled research environment

The most important thing about running security tooling at home is isolation. Analyzing malware or testing exploits on a machine that shares a network with family devices and personal data is not responsible research practice.

The Mosburn Lab handles this through network segmentation and VirtualBox-based isolation. Packer builds clean Fedora and Ubuntu images. Ansible provisions research environments from those images. When a session ends, the VM is snapshotted or destroyed. The base image stays clean.

The mosburn.vbox role manages VirtualBox installation across supported platforms. Research happens inside VMs. The VMs are disposable. The methodology for creating them isn’t.

What makes this sustainable

Security research infrastructure is only useful if it’s there when you need it. The common failure mode for home security labs: setup is painful enough that you avoid rebuilding after a problem, and eventually the environment is too stale to trust.

The Ansible approach makes rebuild cost low. Full TheHive + Cortex + ELK stack deploys in a single playbook run. The time between “I need a clean research environment” and “I have one” is measured in minutes, not hours.

That’s the dividend from investing upfront in Ansible roles and Molecule tests. The lab doesn’t accumulate debt. When you need it, it works.

And when it doesn’t, you run the playbook again.