1. The Tool Sprawl Problem
Running a credible security program in 2026 requires an unreasonable number of tools. A mid-sized engineering team — say, 30 to 75 engineers — that wants to take security seriously will typically need some combination of the following:
- Log management — Datadog, Splunk, Elastic, or Grafana Loki for collecting, indexing, and searching infrastructure logs.
- SIEM — Often a second tool, or an expensive add-on tier from the log management vendor, for detection rules and correlation.
- Case management — Jira, ServiceNow, or a SOAR platform for tracking incidents from detection to resolution.
- BAS / pentest — Pentera, SafeBreach, AttackIQ, or Cymulate for testing whether detection rules actually fire. Typically $100K+ per year.
- Compliance — Drata, Vanta, or Secureframe for generating evidence that satisfies auditors. Another $15K–$50K per year.
- Threat intelligence — Recorded Future, Mandiant, or a patchwork of free feeds with manual integration.
The result is a stack of five to seven vendors, each with its own pricing model, its own data silo, its own learning curve, and its own integration headaches. The total cost easily exceeds $250,000 per year — before counting the engineering time to stitch them together and keep them running.
For companies under 100 engineers, this math doesn't work. So they make compromises. They run a log aggregator but skip the SIEM. They buy compliance tooling but never test their detections. They write detection rules but have no way to validate whether they actually catch anything. Each compromise is individually reasonable and collectively dangerous.
"The security tooling industry has created a market where doing security properly requires buying five products from five vendors at five price points. The companies that need security most are the ones that can afford it least."
The integration tax
Even when organizations do assemble the full stack, they face the integration problem: data collected by the log management platform isn't automatically available to the SIEM. Detections from the SIEM don't automatically create cases. Cases don't automatically reference the detection rules or the investigation context. Compliance reporting pulls evidence from a separate system that may or may not reflect your actual security posture. And nobody is testing whether the detections you built actually catch the attacks you're worried about.
The fundamental issue is architectural. These tools were designed as independent products. Making them work together is your problem, and the cost of that integration — in engineering hours, in missed alerts, in audit evidence that doesn't quite match reality — is invisible but real.
2. The Threat Landscape Has Changed
In early 2025, Anthropic's Mythos model autonomously discovered tens of thousands of previously unknown zero-day vulnerabilities in real-world software. Not by following a playbook. Not by scanning against a CVE database. By reasoning about code the way a skilled security researcher would — except faster, and at a scale no human team could match.
This is not a theoretical concern. Mythos demonstrated that frontier AI can find and exploit vulnerabilities autonomously. And while Anthropic disclosed responsibly and used the findings for defensive purposes, the capability itself is the signal. Comparable models — from other labs, from open-source projects, from state-sponsored programs — will be available to threat actors within 6 to 18 months. Some already are.
When attackers have AI that can discover and exploit vulnerabilities faster than any human team, the only viable defense is AI that can detect, investigate, and respond just as fast. Manual triage — where a human analyst reads an alert, opens a ticket, investigates the logs, decides on a response, and documents the finding — cannot keep pace with machine-speed offense. The detection-to-response loop must be automated.
What autonomous offense looks like
AI-powered attacks are not simply faster versions of existing attacks. They are qualitatively different:
- Zero-day discovery at scale. Models like Mythos can analyze codebases and find novel vulnerabilities without relying on known CVE signatures. Signature-based detection becomes necessary but insufficient.
- Adaptive reconnaissance. AI agents can probe environments, learn from responses, and adapt their approach in real time — not just run a static scan.
- Compound attack chains. AI can chain multiple low-severity vulnerabilities into high-impact attack paths that no individual detection rule would catch.
- Speed. The entire kill chain — from reconnaissance to exploitation to lateral movement — can execute in minutes rather than weeks.
Against this class of threat, the traditional security operations model — detect, alert, triage, investigate, respond, document — breaks at the "triage" step. There is not enough time and there are not enough analysts. The investigation and initial response must happen autonomously, with humans providing oversight and strategic direction rather than serving as the bottleneck.
3. What Arca Is
Arca is a self-hosted security operations platform that consolidates log management, SIEM, autonomous investigation, case management, breach and attack simulation, autonomous penetration testing, threat intelligence, compliance reporting, and analytics into a single application. It is built on Flask and PostgreSQL, deployable on a single node, and designed to be operable by any engineer — not just security specialists.
The core thesis: every capability in the security operations lifecycle should share the same data, the same context, and the same AI. When your log management, your detection rules, your investigation engine, your case management, and your compliance reporting all operate on the same data model, the integration tax disappears — and capabilities that are impossible in a multi-vendor stack become natural.
Log management & full-text search
Arca collects structured data through 18 pre-built agents covering Linux system metrics, authentication logs, syslog, kernel logs, firewall events, web server logs, database logs, systemd journal, fail2ban, login history, active connections, auditd, macOS unified log, Docker, Kubernetes, AWS CloudTrail, and MySQL. Each agent ships with curated schemas and recommended detection rules.
Data is indexed with up to 55 fields per document. Full-text search is built in — case-insensitive substring matching across all indexed fields, composable with partition filters and time range queries. Schema inference lets you send sample documents and have Arca discover the fields automatically. This is the entry point for engineering teams: use Arca as your log management platform, and the security capabilities are already there.
SIEM detection engine
Six event rule types cover the detection patterns that matter most:
- Frequency — More than N events within M minutes. Brute-force, scans, error bursts.
- Absence — No data from a known source within M minutes. Heartbeat and host-down detection.
- New Value — A previously unseen value appeared. New source IPs, unexpected processes, unknown users.
- Spike — Metric average changed more than N% between time windows. Rate-of-change detection.
- Baseline — Value deviates from rolling mean by more than N standard deviations. Statistical outlier detection.
- Compound — Multiple conditions combined with AND/OR logic within a time window. Correlated multi-signal detection.
Rules evaluate every 60 seconds. Each rule can be tagged with a MITRE ATT&CK technique ID from a 64-technique taxonomy. Notifications route to Email, Slack, or PagerDuty, individually configurable per rule.
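To make the six rule types concrete, here is an added example that is not Arca's own code: each evaluator is a plain function over an in-memory event list, with the event shape, field names, thresholds and the sample events all assumed or constructed for the illustration.

```python
"""Six SIEM rule types (frequency, absence, new value, spike, baseline, compound)
implemented as plain functions over an in-memory event list.
Added example: not Arca's code. Event shape, field names and thresholds are assumed."""
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample events, not real log data. Every event carries ts, host, type, src_ip, user.
BASE = datetime(2026, 1, 10, 12, 0, 0)
EVENTS = (
    # 12 failed logins from one source within two minutes: a brute-force burst
    [{"ts": BASE + timedelta(seconds=10 * i), "host": "web-1", "type": "auth_fail",
      "src_ip": "203.0.113.7", "user": "root"} for i in range(12)]
    # three stray failures from distinct, previously seen sources
    + [{"ts": BASE + timedelta(minutes=i), "host": "web-1", "type": "auth_fail",
        "src_ip": f"198.51.100.{i}", "user": "deploy"} for i in range(1, 4)]
)
KNOWN_IPS = {"198.51.100.1", "198.51.100.2", "198.51.100.3"}   # yesterday's sources (constructed)
NOW = BASE + timedelta(minutes=5)                                # the evaluation tick


def frequency(events, group_by, threshold, window_minutes, now):
    """Frequency: groups with MORE than `threshold` events inside the trailing window."""
    start = now - timedelta(minutes=window_minutes)
    counts = Counter(e[group_by] for e in events if start <= e["ts"] <= now)
    return {key for key, n in counts.items() if n > threshold}


def absence(events, host, window_minutes, now):
    """Absence: True when `host` has sent nothing inside the trailing window (host down)."""
    start = now - timedelta(minutes=window_minutes)
    return not any(e["host"] == host and start <= e["ts"] <= now for e in events)


def new_value(events, field, known):
    """New Value: values of `field` never seen in the known set (new IPs, users, processes)."""
    return {e[field] for e in events} - set(known)


def spike(previous_window, current_window, pct):
    """Spike: the window average moved by more than `pct` percent (rate of change)."""
    prev, cur = mean(previous_window), mean(current_window)
    if prev == 0:                      # avoid division by zero: any activity from zero is a spike
        return cur > 0
    return abs(cur - prev) / prev * 100 > pct


def baseline(series, n_sigma, lookback):
    """Baseline: indices whose value deviates from the rolling mean of the previous
    `lookback` points by more than n_sigma standard deviations."""
    hits = []
    for i in range(lookback, len(series)):
        window = series[i - lookback:i]
        mu, sigma = mean(window), pstdev(window)
        deviation = abs(series[i] - mu)
        # A perfectly flat baseline has sigma == 0; treat any movement as an outlier there.
        if (sigma == 0 and deviation > 0) or (sigma > 0 and deviation > n_sigma * sigma):
            hits.append(i)
    return hits


def compound(events, known_ips, now):
    """Compound (AND): sources that are both bursting failed logins AND never seen before.
    Either signal alone is noisy; together they are a strong brute-force indicator."""
    return frequency(events, "src_ip", 10, 5, now) & new_value(events, "src_ip", known_ips)


if __name__ == "__main__":
    print("frequency:", frequency(EVENTS, "src_ip", 10, 5, NOW))
    print("absence db-1:", absence(EVENTS, "db-1", 5, NOW))
    print("new_value:", new_value(EVENTS, "src_ip", KNOWN_IPS))
    print("spike:", spike([10, 12, 11], [30, 33, 36], 100))
    print("baseline:", baseline([10, 12, 11, 10, 12, 11, 10, 12, 11, 10, 48, 11], 3, 5))
    print("compound:", compound(EVENTS, KNOWN_IPS, NOW))
```

One caveat the baseline evaluator makes visible: once the outlier at index 10 enters the rolling window, it inflates the standard deviation for the next `lookback` evaluations, so a second, smaller anomaly right after it would be missed. Production baselines either exclude points that were already flagged or use a robust statistic such as median and MAD.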
Autonomous AI investigations
This is where Arca diverges from every other platform in its category. When a SIEM rule fires, Arca doesn't just send a notification. It launches an autonomous AI investigation powered by Claude.
The investigation agent has access to 6 read-only tools: it can query any collection in the namespace, retrieve active anomalies and events, pivot on entities (IP addresses, usernames, processes), build timelines of activity, assess severity against threat models, and cross-reference entities against threat intelligence feeds. It uses these tools autonomously — deciding which to call, in what order, based on what it discovers.
The output is a structured report: severity assessment, confidence score, identified entities, MITRE ATT&CK technique mapping, detailed findings narrative, specific response recommendations, and alternative hypotheses. Investigations complete in 60 to 120 seconds.
This is the autonomous defense loop that the Mythos-era threat landscape demands. Every alert is investigated. Every investigation produces actionable findings. No alert fatigue. No triage backlog. No "we'll get to it on Monday."
Autonomous response agents
Five response adapters can execute containment actions automatically or with human approval:
- Block IP — via iptables or UFW
- Disable user account
- Kill process
- Restart service
- Revoke AWS IAM session
Each adapter is configurable per namespace and per action type. Approval-gated by default: a human confirms before execution. Fully autonomous mode is available for organizations that need machine-speed response. All actions are audited, with a full trail linked to the triggering investigation. In autonomous mode, treat the target of a Block IP or Disable user account action as attacker-influenced input: anyone who can make a rule fire with a chosen source address or username can turn automatic containment into a denial of service against legitimate users, so an exclusion list of protected ranges, gateways and break-glass accounts should apply even when approval is switched off.
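As an added example of what an approval-gated adapter has to check before it touches a host (this is not Arca's code; the command shapes, the protected ranges, the record fields and the investigation identifier are all assumed), here is a Block IP adapter that validates the target, builds the firewall command as an argument list rather than a shell string, and returns an audit record whether or not anything ran:

```python
"""Approval-gated Block IP adapter with input validation, dry run and an audit record.
Added example: not Arca's code. Protected ranges, record fields and IDs are assumed."""
import ipaddress
import json
import subprocess
from datetime import datetime, timezone


class ResponseRejected(Exception):
    """Raised when an action is refused before anything is executed."""


# Assumed policy: never block loopback or RFC 1918 space, even in fully autonomous mode.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_block_target(raw):
    """The target comes from an investigation, i.e. from attacker-influenced log data.
    Only a single literal IP address is accepted; CIDRs, hostnames and anything carrying
    shell metacharacters fail to parse and are refused."""
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError as exc:
        raise ResponseRejected(f"not an IP address: {raw!r}") from exc
    if any(ip in net for net in NEVER_BLOCK):
        raise ResponseRejected(f"{ip} is in a protected range")
    return ip


def build_block_command(ip, backend="iptables"):
    """Return the firewall command as an argv list (never a shell string)."""
    if backend == "iptables":
        tool = "iptables" if ip.version == 4 else "ip6tables"
        return [tool, "-I", "INPUT", "-s", str(ip), "-j", "DROP"]
    if backend == "ufw":
        return ["ufw", "insert", "1", "deny", "from", str(ip), "to", "any"]
    raise ValueError(f"unknown backend: {backend}")


def block_ip(raw_target, investigation_id, approved, backend="iptables", execute=False):
    """Run (or dry-run) a block and return an audit record linked to the investigation.
    `approved` is the human confirmation, or the autonomous-mode policy decision.
    `execute` defaults to False so the example is safe to run anywhere."""
    record = {"action": "block_ip", "investigation_id": investigation_id,
              "requested": raw_target, "at": datetime.now(timezone.utc).isoformat(),
              "approved": approved, "executed": False, "command": None, "status": None}
    try:
        ip = validate_block_target(raw_target)
    except ResponseRejected as exc:
        record["status"] = f"rejected: {exc}"
        return record
    record["command"] = build_block_command(ip, backend)
    if not approved:
        record["status"] = "pending_approval"
    elif not execute:
        record["status"] = "dry_run"
    else:
        # argv list with check=False: the exit code lands in the audit record instead of an exception
        result = subprocess.run(record["command"], capture_output=True, text=True, check=False)
        record["executed"] = True
        record["status"] = "ok" if result.returncode == 0 else f"failed: {result.stderr.strip()}"
    return record


if __name__ == "__main__":
    for target in ("203.0.113.7", "2001:db8::1", "10.0.0.5", "203.0.113.7; rm -rf /"):
        print(json.dumps(block_ip(target, "inv-0042", approved=True), indent=2))
```

The rejected cases are the interesting ones: the injection attempt never reaches a shell because `ipaddress` refuses to parse it, and the RFC 1918 address is refused by policy even though a human (or the autonomous mode) approved it. Both refusals still produce an audit record tied to the investigation, which is what an auditor will ask for.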
Case management
Investigations automatically create cases with a full SOC workflow: new, triaged, in_progress, resolved. Cases track assignee, severity, resolution type (true positive, false positive, benign, duplicate), markdown comments, and an immutable audit log suitable for SOC 2 evidence. Print-to-PDF export produces auditor-ready artifacts directly from the browser.
Nemesis — breach & attack simulation
Nemesis is Arca's built-in BAS engine. It runs 28 attack scenarios across 14 MITRE ATT&CK techniques, covering all 6 SIEM rule types. What makes Nemesis different from standalone BAS products is the grading: Nemesis doesn't just check if a rule fires. It validates the entire detection chain — rule trigger, investigation launch, attacker identification, and technique classification. Grading happens at the investigation level.
This is a capability that standalone BAS vendors cannot replicate. AttackIQ or SafeBreach can tell you "a rule fired." Nemesis can tell you "the investigation correctly identified the attacker IP, mapped the activity to T1110 (Brute Force), and recommended blocking the source." That's the difference between testing your rules and testing your security operations.
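The grading described above can be expressed as a small checker. What follows is an added example and not Nemesis code: the scenario and report shapes, the five checks and the pass/partial/fail thresholds are assumed. It goes one step beyond the text by accepting a sub-technique (T1110.001) as a match for its parent, which is how ATT&CK mappings from an investigation usually come back:

```python
"""Investigation-level grading of a BAS scenario.
Added example: not Nemesis code. Scenario/report shapes and thresholds are assumed."""

# Constructed scenario: what the simulated attack did and what a correct outcome looks like.
SCENARIO = {
    "name": "ssh_brute_force",
    "rule_id": "auth-fail-frequency",
    "technique": "T1110",
    "attacker_ip": "203.0.113.7",
    "expected_action": "block_ip",
}

CHECKS = ("rule_trigger", "investigation_launched", "attacker_identified",
          "technique_classified", "response_recommended")


def technique_matches(expected, found):
    """T1110 is satisfied by T1110 itself or any sub-technique such as T1110.001 (assumed policy)."""
    return any(t == expected or t.startswith(expected + ".") for t in found)


def grade(scenario, fired_rules, report):
    """Grade the whole chain: rule -> investigation -> attacker -> technique -> recommendation.
    `report` is the investigation output, or None when no investigation was launched."""
    result = dict.fromkeys(CHECKS, False)
    result["rule_trigger"] = scenario["rule_id"] in fired_rules
    result["investigation_launched"] = report is not None
    if report is not None:
        result["attacker_identified"] = scenario["attacker_ip"] in report["entities"].get("ip", [])
        result["technique_classified"] = technique_matches(scenario["technique"], report["techniques"])
        result["response_recommended"] = any(
            r["action"] == scenario["expected_action"] and r["target"] == scenario["attacker_ip"]
            for r in report["recommendations"])
    passed = sum(result[c] for c in CHECKS)
    result["score"] = passed / len(CHECKS)
    result["grade"] = ("pass" if passed == len(CHECKS)
                       else "partial" if result["rule_trigger"] else "fail")
    return result


# Constructed investigation reports. GOOD_REPORT is what the chain should produce;
# WRONG_IP_REPORT is a rule that fired but an investigation that blamed a bystander.
GOOD_REPORT = {
    "entities": {"ip": ["203.0.113.7"], "user": ["root"]},
    "techniques": ["T1110.001"],
    "recommendations": [{"action": "block_ip", "target": "203.0.113.7"}],
}
WRONG_IP_REPORT = {
    "entities": {"ip": ["198.51.100.2"], "user": ["root"]},
    "techniques": ["T1110"],
    "recommendations": [{"action": "block_ip", "target": "198.51.100.2"}],
}

if __name__ == "__main__":
    print(grade(SCENARIO, {"auth-fail-frequency"}, GOOD_REPORT))
    print(grade(SCENARIO, {"auth-fail-frequency"}, WRONG_IP_REPORT))
    print(grade(SCENARIO, set(), None))
```

The second report is the case that matters: a rule-level grade would record it as a pass, while the investigation-level grade shows the pipeline about to block an innocent host. That is the difference between testing rules and testing operations that the text above is pointing at.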
Nemesis v2 — autonomous penetration testing
Beyond simulation, Nemesis v2 provides autonomous penetration testing against real infrastructure:
- Stage 1: Safe reconnaissance — Port scanning, banner grabbing, TLS inspection, DNS enumeration, WHOIS lookups. Non-invasive discovery.
- Stage 2: Active testing — Credential stuffing, CVE-based checks, configuration audits. Blast-radius limits and auto-abort bound the impact, but credential testing against a live identity provider can still trip account lockout thresholds, so this stage belongs under a written authorization and a lockout policy agreed in advance.
- Stage 3: Purple team loop — Chains offensive actions with detection and response verification. Attacks launch, detections validate, response agents trigger. A closed loop that proves the entire security posture.
Threat intelligence
Four curated feeds integrate out of the box — all free, no subscriptions required:
- CISA KEV — Known Exploited Vulnerabilities catalog
- URLhaus — Malware distribution URLs (abuse.ch)
- ThreatFox — Mixed IOCs: IPs, domains, hashes (abuse.ch)
- AlienVault OTX — Community threat pulses
Feeds sync automatically every 6 hours. Indicators are cross-referenced during AI investigations — known threats surface as badges on investigation reports with severity, source, and description.
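Matching feed indicators against the entities an investigation pivots on is mostly a normalization problem: ThreatFox publishes `ip:port` pairs, URLhaus publishes full URLs, hashes arrive in mixed case and domains with or without a trailing dot. The following added example (not Arca's code; the record shape is a simplification of what the feeds publish, and the badge fields, sample indicators and sample entities are constructed) builds an index from feed records and cross-references an investigation's entities against it:

```python
"""Cross-reference investigation entities against threat intelligence indicators.
Added example: not Arca's code. Feed record shape (simplified), badge fields and the
sample indicators are constructed; addresses are from documentation ranges."""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

FEED = [
    {"source": "ThreatFox", "type": "ip:port", "value": "203.0.113.7:4444",
     "threat": "Cobalt Strike C2", "severity": "high"},
    {"source": "ThreatFox", "type": "ip:port", "value": "[2001:db8::bad]:443",
     "threat": "botnet C2", "severity": "high"},
    {"source": "URLhaus", "type": "url", "value": "http://Dl.Malware.Example.net/p/loader.exe",
     "threat": "malware download", "severity": "high"},
    {"source": "URLhaus", "type": "url", "value": "http://203.0.113.7/x.sh",
     "threat": "malware download", "severity": "medium"},
    {"source": "ThreatFox", "type": "sha256",
     "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
     "threat": "dropper", "severity": "medium"},
    {"source": "CISA KEV", "type": "cve", "value": "cve-2021-44228",
     "threat": "Log4Shell, known exploited", "severity": "critical"},
]
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed entities as an investigation might extract them: mixed case, trailing dot, one non-hit.
ENTITIES = {
    "ip": ["203.0.113.7", "198.51.100.1", "2001:DB8::BAD"],
    "domain": ["dl.malware.example.net."],
    "hash": ["e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"],
    "cve": ["CVE-2021-44228"],
}


def normalize(record):
    """Map a feed record (or an entity in the same shape) to the (kind, key) used for matching."""
    kind, value = record["type"], record["value"].strip()
    if kind == "ip:port":                      # ThreatFox ip:port; IPv6 is written as [addr]:port
        host = value.rsplit(":", 1)[0].strip("[]")
        return "ip", str(ipaddress.ip_address(host))
    if kind == "ip":
        return "ip", str(ipaddress.ip_address(value))
    if kind == "url":                          # URLhaus: match on the host, which may be an IP
        host = urlsplit(value).hostname.lower().rstrip(".")
        try:
            return "ip", str(ipaddress.ip_address(host))
        except ValueError:
            return "domain", host
    if kind == "domain":
        return "domain", value.lower().rstrip(".")
    if kind in ("md5", "sha1", "sha256"):
        return "hash", value.lower()
    if kind == "cve":
        return "cve", value.upper()
    raise ValueError(f"unsupported indicator type: {kind}")


def build_index(feed):
    index = defaultdict(list)
    for record in feed:
        index[normalize(record)].append(record)
    return index


def cross_reference(entities, index):
    """entities: {"ip": [...], "domain": [...], "hash": [...], "cve": [...]} from an investigation.
    Returns one badge per (entity, feed record) hit, most severe first."""
    badges = []
    for kind, values in entities.items():
        feed_type = "sha256" if kind == "hash" else kind     # every hash length is lowercased alike
        for raw in values:
            try:
                key = normalize({"type": feed_type, "value": raw})
            except ValueError:
                continue                                      # malformed entity: skip, never crash
            for record in index.get(key, []):
                badges.append({"entity": raw, "kind": kind, "source": record["source"],
                               "severity": record["severity"], "description": record["threat"]})
    badges.sort(key=lambda b: SEVERITY_ORDER.get(b["severity"], len(SEVERITY_ORDER)))
    return badges


if __name__ == "__main__":
    for badge in cross_reference(ENTITIES, build_index(FEED)):
        print(badge)
```

Two details are worth keeping when wiring this to real feeds: the entity and the indicator must go through the same normalizer (the IPv6 entity above only matches because both sides are canonicalized by `ipaddress`), and a malformed entity extracted from hostile log data must be skipped rather than allowed to abort the investigation.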
Compliance reporting
Built-in compliance reporting evaluates your actual platform configuration — detection rules, investigation coverage, response actions, logging completeness, access controls, audit trails — against the specific controls required by four major frameworks:
- SOC 2 Type II — 15 Trust Services Criteria controls (CC1–CC8, A1)
- HIPAA Security Rule — 13 implementation specifications (45 CFR 164.308–164.312)
- PCI DSS v4.0 — 15 requirements, including Nemesis BAS results as penetration testing evidence (Requirement 11.4 in v4.0, which carries forward the pentest requirement numbered 11.3 in v3.2.1; 11.3 in v4.0 is vulnerability scanning). Requirement 11.4 also expects a documented methodology and a qualified tester with organizational independence, so automated BAS output supports the evidence file rather than satisfying the requirement on its own.
- NIST CSF — 13 categories across all 5 core functions of CSF 1.1 (CSF 2.0 adds Govern as a sixth) with maturity scoring (1–5 scale)
Each control is evaluated as pass, partial, fail, or not applicable, with specific evidence items and identified gaps. Reports are print-optimized and formatted for auditor review. The evidence comes from your live platform — not from a separate compliance tool that may or may not reflect reality.
Analytics & visualization
Four dedicated dashboards provide visibility at different organizational levels:
- Operational — Storage utilization, ingest rates, agent performance, detection rule health
- Threat Intel — Feed status, indicator trends, entity match rates, severity distribution
- Executive — KPI cards, mean resolution time, investigation-to-case conversion rate, platform value metrics
- Security — MITRE ATT&CK heatmap, kill-chain depth, entity analysis, namespace risk ranking
An Attack Map provides Leaflet-based geographic visualization of threat sources — attackers as pulsing red dots, targets as blue, with severity-coded bezier attack vectors and investigation-linked hover popups.
RBAC
Five roles ensure the right people see the right surfaces:
- Admin — Full access to everything
- Analyst — SOC + log management, can write to both
- Read-only — Can see everything, can't modify
- Engineer — Log management only, no SOC surfaces
- IT — Log management only, no SOC surfaces
Engineers and IT roles never see investigations, cases, or compliance — those surfaces are restricted to security-aware roles. This makes Arca usable as a general-purpose log management tool for engineering teams while keeping security operations surfaces clean.
4. Competitive Comparison
The following table compares Arca's capabilities against the tools organizations typically assemble to achieve equivalent coverage. No single competitor covers the same surface area — which is the point.
| Capability | Arca | Datadog | Splunk | Wazuh | Pentera / SafeBreach | Drata / Vanta |
|---|---|---|---|---|---|---|
| Log management | | | | | | |
| Full-text search | | | | | | |
| SIEM detection rules | 6 types | Add-on | | | | |
| Autonomous AI investigations | | | | | | |
| Case management | | Limited | SOAR add-on | | | |
| Autonomous response | 5 adapters | | SOAR add-on | Basic | | |
| MITRE ATT&CK mapping | 64 techniques | | | | | |
| Breach & attack simulation | 28 scenarios | | | | | |
| Autonomous pentest | 3-stage | | | | | |
| Investigation-level BAS grading | | | | | | |
| Threat intelligence feeds | 4 free | Paid | Paid | | | |
| Compliance reporting | 4 frameworks | Add-on | | Basic | | |
| AI chat assistant | | Bits AI | AI Assistant | | | |
| Self-hosted | | | On-prem option | | | |
| Per-GB pricing | $0 | $0.10–$0.30/GB | $15+/GB/day (cloud) | $0 | N/A | N/A |
| Typical annual cost | Platform fee only | $50K–$500K+ | $100K–$1M+ | Free (OSS) | $100K–$300K | $15K–$50K |
Arca is the only platform that grades BAS results at the investigation level — validating not just that a rule fired, but that the AI investigation correctly identified the attacker, mapped the technique, and recommended the right response. Standalone BAS tools can only assert that "something triggered." Arca asserts that the full detection-to-investigation chain worked.
What the comparison reveals
No single competitor covers Arca's surface area. To replicate what Arca does, you would need to combine Datadog or Splunk (logs + SIEM) with Pentera or SafeBreach (BAS) with Drata or Vanta (compliance) with a SOAR platform (case management + response) — and then build custom integrations between all of them. And you still wouldn't have autonomous AI investigations.
Wazuh comes closest in philosophy — open-source, self-hosted, security-focused — but lacks AI investigations, BAS, case management, and compliance reporting. Wazuh is a capable SIEM. Arca is a security operations platform.
5. Architecture & Deployment
Technology stack
- Application layer — Python 3.13, Flask 3.1+, SQLAlchemy 2.0+
- Database — PostgreSQL (metadata, users, rules, investigations, cases, audit logs)
- Document storage — Filesystem-based JSON documents in configurable storage slices with per-collection expiration and zlib compression
- AI — Claude Sonnet (investigations, chat, health digest) via Anthropic API. Your API key, your data, your control.
- Frontend — CoreUI v5.3.0, Chart.js, Leaflet (Attack Map)
- Testing — 686 automated tests (pytest), covering all controllers, models, evaluators, and Nemesis scenarios
Deployment model
Arca runs on a single node. There is no Elasticsearch cluster to manage, no Kafka to tune, no Kubernetes to orchestrate. Install Python dependencies, configure PostgreSQL, set your Anthropic API key, and start the application. The agent package is a single downloadable ZIP — drop it on any host and agents begin streaming data immediately.
This simplicity is deliberate. The target deployment — 10 to 200 monitored hosts — does not require distributed architecture. A single well-provisioned node handles the log ingestion, detection engine, AI investigation pipeline, and web interface for this scale. This is not a limitation; it's a design choice that eliminates an entire category of operational complexity.
Data sovereignty
Arca is self-hosted, and log storage stays on your infrastructure. Outbound connections are limited to the Anthropic API for AI-powered features (investigations, chat, health digest), the scheduled threat intelligence feed syncs, and whatever notification channels you configure. The AI call necessarily carries the log excerpts and entities the investigation agent retrieves, so "your data never leaves" holds for raw log storage, not for the subset an investigation touches; you control the API key and can configure cost caps, concurrency limits, and model selection per namespace. If you want to run Arca without any calls to the Anthropic API, the detection engine, case management, compliance reporting, and all non-AI features work independently.
6. Who Arca Is For
Arca is designed for a specific buyer: the 20 to 75 engineer team that has compliance pressure, handles sensitive data, and does not have a dedicated Security Operations Center.
This is the team where:
- The CTO or VP of Engineering is also the de facto security lead.
- There might be one security-focused engineer, but no SOC analysts.
- Compliance requirements (SOC 2, HIPAA, PCI DSS) are real and growing — driven by enterprise customers, board pressure, or regulatory mandates.
- The logging budget is either too small for Datadog or dominated by log volume that makes per-GB pricing painful.
- Detection rules exist, but nobody tests whether they actually catch anything.
- Incident response is ad hoc — there's no formal case management, no audit trail, no compliance-grade evidence.
For this team, Arca replaces the need to assemble a multi-vendor stack. Log management, SIEM, investigations, case management, BAS, and compliance reporting are one platform, one deployment, one interface. The AI handles the investigation workload that would otherwise require dedicated SOC analysts. The compliance reporting generates evidence that would otherwise require manual spreadsheet assembly.
"Enterprise-class security outcomes — detection, investigation, evidence, validation — without a SOC analyst, without Splunk prices, without stitching five products together."
Use cases beyond security
Because Arca is also a capable log management platform with full-text search, auto-generated dashboards, and an AI chat assistant, it serves double duty for engineering teams. Developers use it to debug production issues, search application logs, monitor service health, and investigate performance problems. The RBAC system ensures engineers see log management surfaces without being exposed to SOC workflows they don't need.
This dual use is strategically important: it means Arca gets installed and used daily by the engineering team, not shelved as a security tool that nobody opens until audit season.
7. About the Founder
Matthew Hogan is the founder and CTO of Twin Tech Labs. He is a technologist and engineering leader with over 20 years of experience spanning space systems, IoT, machine learning, big data, and cybersecurity.
Matt holds a registered patent on AGI model training and intelligent agent architectures — foundational research that directly informs Arca's autonomous investigation and response capabilities. The patent covers methods for training general-purpose AI models that can operate as independent agents within constrained operational environments.
Most recently, Matt served as CTO of LifeRaft, an OSINT threat intelligence platform, where he led a team of 31 engineers, grew the company from $10M to $16M ARR, and oversaw a full modernization of the data and search architecture. LifeRaft was acquired by Securitas in March 2026 — a successful exit that underscores the quality of the platform and team he built.
Prior to LifeRaft, Matt served as Assistant Vice President of Architecture and Engineering for Cybersecurity at John Hancock/Manulife, where he built and managed a global cybersecurity engineering organization responsible for vulnerability scanning, penetration testing, and security platform adoption across the US, Canada, and Asia — within a $20M annual budget.
Matt also spent seven years at MathWorks, where he founded and led the Internet of Things organization, drove the acquisition and integration of ioBridge (ThingSpeak), and built a platform capable of processing 6,000 requests per second at 99.99% uptime. Earlier in his career, he led ground control software development for experimental DoD satellites at General Dynamics — four missions valued at over $520M — and built electronic medical record data exchange systems at Scientific Technologies Corporation.
Matt holds a Master's in Informatics from Northeastern University, with executive education in Cybersecurity (Oxford), AI Leadership (MIT Sloan), and Platform Strategy (Section4).
Arca is now in beta. Self-hosted, no per-GB billing. Request access at info@twintechlabs.io or visit the product page for full details. Twin Tech Labs also provides expert cybersecurity services — penetration testing, SIEM architecture, compliance advisory, and fractional CISO engagements — led directly by the founder.
Matt is a technologist and engineering leader with 20+ years of experience across space systems, IoT, big data, and cybersecurity. He holds a registered patent on AGI model training and intelligent agent architectures. Previously CTO of LifeRaft, acquired by Securitas in 2026. He founded Twin Tech Labs to build Arca and to deliver senior-level security services to organizations that don't have enterprise-scale budgets.