This roadmap outlines the vision for SOC Lab Docker's evolution, describing planned capabilities and integrations that will enhance the platform while maintaining its core mission: an accessible, educational detection engineering lab for the security community.
The features described here represent the direction of development and community priorities. Check GitHub issues and discussions for the latest updates on specific features.
- Single-command deployment via Docker Compose
- Elasticsearch-backed search and analytics
- Kibana web UI for interactive querying and dashboards
- Configurable via environment variables
- Works offline, no cloud dependencies
- Mock log generator with multiple event types:
- Authentication events (success, failure, privilege escalation)
- Web traffic events (requests, responses, security events)
- Process execution events (parent/child relationships, command lines)
- Network events (connections, DNS queries)
- Security tool alerts (antivirus, IDS/IPS, EDR)
- Configurable event rates and distributions
- Realistic field values, timestamps, and correlations
- Extensible template system for custom event types
- Pre-built attack scenario scripts (bash/python):
- Brute force authentication attacks
- Lateral movement (PsExec, SMB, etc.)
- Data exfiltration scenarios
- Privilege escalation patterns
- Coordinated event chains matching real attack progressions
- Educational documentation explaining attack mechanics
- Integration with detection queries for immediate feedback
- Multi-format query templates:
- SPL (Splunk Query Language)
- KQL (Azure Sentinel / Kusto Query Language)
- PromQL (Prometheus / time-series)
- Comprehensive documentation:
- Detection logic and purpose
- Field requirements and assumptions
- Baseline methodology and tuning guidance
- MITRE ATT&CK technique mappings
- Focused on teaching detection principles, not just copy/paste
- Pre-built dashboard templates:
- Event overview (volume, types, sources)
- Authentication analytics (login trends, anomalies)
- Alerts and detection metrics
- Interactive visualizations with drill-down capability
- Exportable JSON format for sharing and customization
- Integration guides for multiple visualization platforms
- SETUP.md: Installation, configuration, and troubleshooting
- ARCHITECTURE.md: System design, component descriptions, data flow
- Query guides: Detection methodology and baseline-setting tutorials
- Learning paths: Structured curriculum for detection engineering
- Contribution guidelines: Clear standards for community additions
Description: Expanded library of production-ready detection queries covering more attack techniques and platforms.
Planned additions:
- 20+ additional detection queries across threat categories
- Multi-platform support (Windows, Linux, cloud, network)
- Advanced correlation and anomaly detection templates
- Integration with threat intelligence feeds
- Sigma rule format support for community standardization
Why it matters: Broader attack surface coverage, production methodology learning, standardized rule authoring
Description: Native alert rule definitions and execution with notification integrations.
Planned features:
- Alert rule definition language (JSON/YAML)
- Multi-condition triggering logic
- Alert aggregation and deduplication
- Notification backends:
- Webhook integrations
- Email notifications
- Slack/Teams integration
- Custom handlers
- Alert suppression and escalation logic
- Incident tracking integration
Why it matters: Complete SOC workflow simulation, response automation learning, alert tuning methodology
Description: Reference Terraform templates and ARM playbook examples for deploying the lab's detection logic to Azure Sentinel — the leading enterprise cloud SIEM.
Delivered (terraform/sentinel/):
- Terraform IaC: Log Analytics Workspace and Sentinel onboarding, fully parameterized — deploy with
terraform applyagainst your own subscription - 8 analytics rules: All lab detections converted to
azurerm_sentinel_alert_rule_scheduledresources with MITRE tactics, entity mappings, and tunable frequency/lookback settings - 3 SOAR playbook templates: ARM Logic App templates for Slack notification, ticket creation (ServiceNow/JIRA pattern), and host isolation — parameterized and deployable via
az deployment group create - Data connector guide: How to forward lab events (Filebeat → Azure Monitor) for an end-to-end pipeline experience (
data_connector/) - Full documentation:
docs/SENTINEL_INTEGRATION.md— prerequisites, deployment walkthrough, Sentinel UI navigation, cost guidance, and cleanup
Why it matters: Azure Sentinel dominates enterprise cloud SIEM deployments. Writing detection-as-code in Terraform, structuring KQL analytics rules with entity mappings and MITRE techniques, and automating response with Logic Apps are high-signal skills for SOC and detection engineering roles. All templates are reference implementations — no live Azure subscription required to study or customize them.
Description: Complex, multi-step attack campaigns reflecting real APT tradecraft.
Planned scenarios:
- Full APT-style campaigns (reconnaissance → persistence → exfiltration)
- Living-off-the-land attacks (legitimate tool abuse)
- Lateral movement with privilege escalation
- Data destruction (ransomware patterns)
- Supply chain attack simulation
- C2 callback simulation with persistence
Why it matters: Realistic incident response training, complex detection engineering, end-to-end threat knowledge
Description: Multi-tenant lab environment for security team exercises and competitions.
Planned features:
- Lab isolation per team
- User management and role-based access
- Shared competition scenarios
- Scoring and leaderboards
- Instructor dashboards for monitoring
- Snapshot/reset for repeated exercises
Why it matters: Scalable educational tool for universities and corporate training, competitive learning
Description: Long-term data retention and time-series analysis capabilities.
Planned features:
- Configurable long-term data retention (30+ days)
- Baseline deviation detection
- Seasonal pattern recognition
- Anomaly scoring and visualization
- Trend correlation across time windows
- Report generation for historical analysis
Why it matters: Detecting slow attacks, false-positive reduction, baseline methodology mastery
Description: Full support for the community Sigma rule format.
Planned features:
- Convert all detection queries to Sigma YAML
- Rule validation and testing pipeline
- Integration with SigmaHQ public rule set
- Sigma rule authoring tutorials
- Conversion from other formats (Yara, Snort, etc.)
Why it matters: Industry-standard rule authoring, knowledge portability, community collaboration
Description: Alignment of detections with security controls frameworks.
Delivered (docs/COMPLIANCE_MAPPING.md):
- CIS Controls v8 — detection-level and platform-level mapping
- NIST Cybersecurity Framework 2.0 — per-detection subcategory mapping
- MITRE ATT&CK — full technique coverage table
Why it matters: Framework-aligned security thinking, control implementation learning, audit readiness
Features are prioritized based on:
- Educational value – How much learning the feature enables
- Implementation complexity – Effort required vs. impact
- Ecosystem alignment – Integration with industry tools and standards
- Maintainability – Long-term support and documentation burden
Last Updated: February 27, 2026 Next Review: Quarterly (community feedback incorporated)