Threat Detection

A vSOC with a real-time detection pipeline processing 100M+ daily events via the ELK stack and Airflow, with automated, immediate response and seamless onboarding.

Streaming security pipeline with ELK (Elasticsearch, Logstash, Kibana) and Airflow; real-time detection, automated onboarding, role-based alerts, and resilient, dockerized deployments.

Cybersecurity · Data Engineering · Data Architecture · DevOps · Real-Time Systems

100M+ events/day · Detection & response < 1 min · 100+ data sources · 50+ active DAGs · 99.99% pipeline uptime

Airflow · ELK · Siemplify · Python · Docker · AWS

Introduction

Built a vSOC pipeline to process high-volume security events in real time, surface threats proactively, and cut noisy incidents with role-specific alerting. The architecture combines ELK for ingestion/search/visualization with Airflow for scheduled processing, plus automated onboarding and dockerized services for reliable operations.

The Challenge

The team faced an overwhelming volume: over 100 million events daily. We needed infrastructure capable of ingesting massive data, automating repetitive analysis, and executing automated responses while maintaining audit traceability and compliance.

Solution & Approach

I architected and operated a fully automated security pipeline:

Orchestration with Apache Airflow

  • Designed and operated 50+ DAGs coordinating the end-to-end security workflow.
  • Automated pipelines for ingestion, transformation, and alerting.
  • Custom operators integrating key security tools.
  • Error handling, alerting, and retry logic for critical flows.
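
Illustrative example (added here, not the project's code): a framework-agnostic sketch of the retry-and-alert policy applied to critical flows. Transient failures are retried with exponential backoff, anything else fails fast, and the failure callback fires exactly once in either case. The `TaskPolicy` fields, the `RetryableError` class and `run_with_policy` are assumptions that mirror Airflow's `retries`, `retry_delay`, `retry_exponential_backoff`, `max_retry_delay` and `on_failure_callback` task arguments; the flaky ingest task is constructed.

```python
import time
from dataclasses import dataclass, field


class RetryableError(Exception):
    """Transient failure (timeout, 429, node unavailable): the task should be retried."""


@dataclass
class TaskPolicy:
    """Assumed knobs, named after the Airflow task arguments they mirror."""
    retries: int = 3                  # extra attempts after the first one
    retry_delay: float = 1.0          # seconds before the first retry
    retry_exponential_backoff: bool = True
    max_retry_delay: float = 30.0     # cap so backoff cannot grow unbounded


@dataclass
class TaskRun:
    """Record of one task execution, kept for the audit trail."""
    attempts: int = 0
    delays: list = field(default_factory=list)
    failed_permanently: bool = False
    result: object = None


def run_with_policy(task, policy, on_failure, sleep=time.sleep):
    """Run task(attempt_no) under policy.

    RetryableError is retried with (optionally exponential) backoff until retries
    are exhausted; any other exception is fatal and is not retried. on_failure is
    called once, with a dict describing why, whenever the run ends in failure.
    `sleep` is injectable so tests do not actually wait.
    """
    run = TaskRun()
    while True:
        run.attempts += 1
        try:
            run.result = task(run.attempts)
            return run
        except RetryableError as exc:
            if run.attempts > policy.retries:
                run.failed_permanently = True
                on_failure({"kind": "retries_exhausted", "attempts": run.attempts, "error": str(exc)})
                return run
            factor = 2 ** (run.attempts - 1) if policy.retry_exponential_backoff else 1
            delay = min(policy.retry_delay * factor, policy.max_retry_delay)
            run.delays.append(delay)
            sleep(delay)
        except Exception as exc:  # non-transient: alert immediately, do not retry
            run.failed_permanently = True
            on_failure({"kind": "fatal", "attempts": run.attempts, "error": str(exc)})
            return run


def demo(fail_until=3, retries=3, fatal=False):
    """Constructed task: fails transiently on the first fail_until-1 attempts, then succeeds.
    With fatal=True it raises a non-retryable error instead. Returns (run, alerts)."""
    alerts = []

    def flaky_ingest(attempt):
        if fatal:
            raise ValueError("schema mismatch in parsed batch")
        if attempt < fail_until:
            raise RetryableError("elasticsearch bulk request timed out")
        return "indexed"

    policy = TaskPolicy(retries=retries, retry_delay=1.0)
    run = run_with_policy(flaky_ingest, policy, alerts.append, sleep=lambda s: None)
    return run, alerts


if __name__ == "__main__":
    run, alerts = demo()
    print(run.attempts, run.delays, run.result, alerts)
```

The point of separating `RetryableError` from everything else is that a parser bug or schema change should page someone on the first attempt instead of silently burning through three retries and a backoff window.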

Data Infrastructure with the ELK Stack

  • Deployed Beats agents collecting logs from 100+ data sources.
  • Elasticsearch cluster managing 2 PB+ with 90-day retention.
  • Kibana dashboards providing real-time visibility into events.
  • Indexing optimizations improving query performance by 60%.

Automated Response with Siemplify

  • 50+ playbooks automating incident response.
  • Integration with firewalls, EDR, and SIEM for automated containment.
  • 40% fewer manual interventions through intelligent automation.
  • Full audit trace for every automated action.

Data Pipeline Engineering

  • Real-time streaming of 150K events per second.
  • Custom parsers normalizing 100+ log formats.
  • Data quality checks ensuring reliable detection.
  • Scalable architecture handling peak loads without degradation.
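
Illustrative example (added here, not the project's own parsers): how normalizing several log formats into one schema, quarantining records that fail quality checks, and routing a detection to the right role fit together. The three constructed formats (a key=value firewall line, a JSON EDR event and a BSD-syslog sshd failure), the `REQUIRED` field list, the `ssh_bruteforce` rule and the role routing table are all assumptions for the demonstration; the sample lines are constructed, not real logs.

```python
import ipaddress
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample input in three vendor formats; the last line is deliberately malformed.
RAW_LINES = [
    "fw01 2024-03-01T10:00:00Z action=deny src=203.0.113.7 dst=10.0.0.5 user=alice",
    '{"ts":"2024-03-01T10:00:02Z","host":"edr-win-12","event":"process_start","user":"bob","ip":"10.0.0.9","sev":"low"}',
    "Mar  1 10:00:03 authsrv sshd[211]: Failed password for alice from 203.0.113.7 port 5121 ssh2",
    "Mar  1 10:00:04 authsrv sshd[211]: Failed password for alice from 203.0.113.7 port 5122 ssh2",
    "Mar  1 10:00:05 authsrv sshd[211]: Failed password for alice from 203.0.113.7 port 5123 ssh2",
    "fw01 not-a-timestamp action=deny src=999.1.1.1 dst=10.0.0.5 user=carol",
]

# Common-schema fields every event must carry before it reaches detection (assumed schema).
REQUIRED = ("ts", "source", "event_type", "src_ip")

# Which roles receive which alert class (illustrative routing table).
ROUTES = {"ssh_bruteforce": ["soc_analyst", "iam_team"]}


def parse_kv_firewall(line):
    """Format 1: '<host> <iso-ts> key=value ...' (constructed firewall style)."""
    host, ts, rest = line.split(" ", 2)
    kv = dict(pair.split("=", 1) for pair in rest.split() if "=" in pair)
    return {"ts": ts, "source": host, "event_type": kv.get("action"),
            "src_ip": kv.get("src"), "user": kv.get("user"), "severity": "medium"}


def parse_json_edr(line):
    """Format 2: one JSON object per line (constructed EDR style)."""
    d = json.loads(line)
    return {"ts": d["ts"], "source": d["host"], "event_type": d["event"],
            "src_ip": d.get("ip"), "user": d.get("user"), "severity": d.get("sev", "low")}


SSHD_RE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>[\d:]+) (?P<host>\S+) sshd\[\d+\]: "
                     r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")


def parse_sshd(line, year=2024):
    """Format 3: BSD syslog sshd failure. Syslog omits the year, so the caller supplies it."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    dt = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    ts = dt.replace(tzinfo=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "source": m["host"], "event_type": "auth_failure",
            "src_ip": m["ip"], "user": m["user"], "severity": "medium"}


def normalize(line):
    """Dispatch on the line's shape; None means no parser claimed it."""
    if line.startswith("{"):
        return parse_json_edr(line)
    if " sshd[" in line:
        return parse_sshd(line)
    if "=" in line:
        return parse_kv_firewall(line)
    return None


def quality_check(event):
    """Return the list of problems found; an empty list means the event may enter detection."""
    problems = [f"missing:{f}" for f in REQUIRED if not event.get(f)]
    try:
        datetime.strptime(event.get("ts") or "", "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        problems.append("bad_timestamp")
    try:
        ipaddress.ip_address(event.get("src_ip") or "")
    except ValueError:
        problems.append("bad_ip")
    return problems


def run_pipeline(lines, fail_threshold=3):
    """Normalize, quarantine records that fail checks, run one detection, route alerts by role."""
    good, quarantined = [], []
    for line in lines:
        ev = normalize(line)
        problems = ["no_parser"] if ev is None else quality_check(ev)
        if problems:
            quarantined.append((line, problems))   # kept for review, never silently dropped
        else:
            good.append(ev)
    failures = Counter(e["src_ip"] for e in good if e["event_type"] == "auth_failure")
    alerts = [{"rule": "ssh_bruteforce", "src_ip": ip, "count": n, "route_to": ROUTES["ssh_bruteforce"]}
              for ip, n in failures.items() if n >= fail_threshold]
    return {"events": good, "quarantined": quarantined, "alerts": alerts}


if __name__ == "__main__":
    out = run_pipeline(RAW_LINES)
    print(len(out["events"]), "events,", len(out["quarantined"]), "quarantined,", out["alerts"])
```

Quarantining rather than dropping malformed records is what keeps a detection honest: a parser regression shows up as a rising quarantine count instead of as a quiet gap in coverage.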

Results & Impact

Teams moved from reactive triage to proactive detection: incidents dropped materially, MTTR improved with contextual alerts and dashboards, and the onboarding workflow scaled coverage without adding operational toil.

Operational Metrics

  • 100M+ events processed daily with consistent performance.
  • 10 customers using the service when I left the company.
  • Sub-minute detection and response times.
  • 40% reduction in manual tasks through automation.
  • 99.99% pipeline uptime over 12 months.

Business Impact

  • Reduced team workload by 60% on this project.
  • Compliance with audit requirements.
  • Zero security breaches during the operating period.

The system demonstrates that a well-designed pipeline and the right automation can manage enterprise-grade security at scale.