LOCAL OPEN-SOURCE PLATFORM FOR CYBER INCIDENT MONITORING AND RESPONSE WITH AI SUPPORT AS AN ALTERNATIVE TO EDR/XDR SOLUTIONS

DOI:

https://doi.org/10.28925/2663-4023.2026.33.1211

Keywords:

cyber incident response, endpoint security monitoring, security analytics, threat detection systems, open-source security platform, AI-assisted analysis, SOC operations

Abstract

The paper presents an approach to designing a local cybersecurity monitoring and incident response platform based on open-source technologies with integrated artificial intelligence support. The relevance of the study is driven by the growing complexity of cyber threats, the increasing number of endpoints in modern infrastructures, and the need for continuous monitoring and rapid response within Security Operations Centers. Traditional EDR and XDR solutions provide high levels of automation and detection capabilities but rely on subscription-based models that introduce long-term operational constraints and limit flexibility in infrastructure management. The study examines the functional roles of EDR, XDR, SIEM, and SOC within enterprise environments and identifies key challenges related to scalability, data ownership, and dependency on proprietary platforms. Particular attention is given to the limitations of centralized commercial solutions when applied to distributed infrastructures with hundreds of managed endpoints. The paper proposes a model of a local cybersecurity platform that integrates endpoint monitoring, event correlation, and log management within a unified architecture. The proposed solution is based on Wazuh for endpoint detection and SIEM functions, OpenSearch-compatible indexing for event storage and analytics, and on-premises storage systems for secure and scalable log retention. A dedicated local AI analysis layer is introduced to support SOC processes by automating alert summarization, correlating related events, generating hypotheses about incident origins, and assisting analysts in decision-making without exposing sensitive data to external services. The results include a description of the system architecture, hardware configuration, data processing workflows, and storage strategies. The proposed approach emphasizes transparency, flexibility, and adaptability to specific organizational requirements. 
Additionally, the model incorporates a structured proof-of-concept methodology to evaluate detection coverage, system performance, and the effectiveness of AI-assisted workflows. The study demonstrates that the integration of open-source tools with local AI capabilities can enhance the efficiency of cybersecurity operations while maintaining control over data and infrastructure. The proposed platform provides a viable alternative to traditional EDR/XDR solutions in scenarios where customization, cost predictability, and data sovereignty are critical factors. 
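The alert correlation and summarization step that the abstract assigns to the local AI analysis layer can be illustrated with a small Python example. This is an added illustration, not code from the paper or from Wazuh; the alerts are constructed in the shape of Wazuh's alerts.json records (timestamp, agent, rule with MITRE ids), and the hosts, rule ids and descriptions are invented. It groups alerts per endpoint into incidents using a time window and emits a minimal digest for the on-premises model, keeping raw log content out of the prompt.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alerts in the shape of Wazuh's alerts.json records (timestamp, agent, rule);
# hosts, rule ids and descriptions are made up for this illustration.
SAMPLE_ALERTS = [
    {"timestamp": "2026-01-15T10:00:00+00:00", "agent": {"name": "srv-01"},
     "rule": {"id": "5710", "level": 5, "description": "sshd: non-existent user", "mitre": {"id": ["T1110"]}}},
    {"timestamp": "2026-01-15T10:03:00+00:00", "agent": {"name": "srv-01"},
     "rule": {"id": "5715", "level": 3, "description": "sshd: auth success", "mitre": {"id": ["T1078"]}}},
    {"timestamp": "2026-01-15T10:45:00+00:00", "agent": {"name": "srv-01"},
     "rule": {"id": "550", "level": 7, "description": "integrity checksum changed", "mitre": {}}},
    {"timestamp": "2026-01-15T10:02:00+00:00", "agent": {"name": "ws-07"},
     "rule": {"id": "60106", "level": 5, "description": "logon failure", "mitre": {"id": ["T1110"]}}},
]

def _ts(alert):
    return datetime.fromisoformat(alert["timestamp"])

def correlate(alerts, window=timedelta(minutes=10)):
    """Group alerts per agent into incidents: an alert joins the open incident on its agent
    if it falls within `window` of that incident's last alert, otherwise it opens a new one."""
    by_agent = defaultdict(list)
    for a in sorted(alerts, key=_ts):            # chronological order, regardless of input order
        by_agent[a["agent"]["name"]].append(a)
    incidents = []
    for agent, items in by_agent.items():
        cur = None
        for a in items:
            if cur is None or _ts(a) - cur["last_seen"] > window:
                cur = {"agent": agent, "first_seen": _ts(a), "last_seen": _ts(a),
                       "rules": [], "mitre": set(), "max_level": 0}
                incidents.append(cur)
            cur["last_seen"] = _ts(a)
            cur["rules"].append(a["rule"]["id"])
            cur["mitre"].update(a["rule"].get("mitre", {}).get("id", []))
            cur["max_level"] = max(cur["max_level"], a["rule"]["level"])
    return incidents

def summarize(incident):
    """One-line digest handed to the on-premises AI layer: rule-level facts only, no raw log
    lines or usernames, so the correlation stage already minimises what the model sees."""
    span = int((incident["last_seen"] - incident["first_seen"]).total_seconds())
    return (f"{incident['agent']}: {len(incident['rules'])} alerts over {span}s, "
            f"rules {','.join(sorted(set(incident['rules'])))}, max level {incident['max_level']}, "
            f"ATT&CK {','.join(sorted(incident['mitre'])) or 'none'}")
```

On the constructed input the two ssh alerts on srv-01 fall into one incident, the checksum alert 42 minutes later opens a second, and the ws-07 alert forms a third.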

Published

2026-06-25

How to Cite

Grynkevych, G., Vasylenko, V., & Rudin, D. (2026). LOCAL OPEN-SOURCE PLATFORM FOR CYBER INCIDENT MONITORING AND RESPONSE WITH AI SUPPORT AS AN ALTERNATIVE TO EDR/XDR SOLUTIONS. Electronic Professional Scientific Journal «Cybersecurity: Education, Science, Technique», 1(33), 234–241. https://doi.org/10.28925/2663-4023.2026.33.1211