Architecture Patterns

Six reference architectures that cover the structural decisions teams make when building or modernizing a security program. These are not vendor blueprints; they are the patterns that survive across vendors.

Available Patterns

  • Reference Architecture — Consolidated view of the SOC stack: telemetry, pipeline, SIEM/data lake, detection engineering, SOAR, ticketing.
  • Cloud-Native SOC — SOC stack assuming cloud-first telemetry, managed SIEM, and serverless enrichment.
  • Zero Trust SOC — How identity-on-every-connection and segmentation change SOC monitoring assumptions.
  • Zero Trust Network — Network architecture under ZT: ZTNA, microsegmentation, east-west visibility.
  • Data Pipeline Patterns — Ingest, normalize, enrich, route. The reusable shapes.
  • Integration Patterns — How SIEM, SOAR, ticketing, threat intel, IAM, and EDR talk to each other.

How to Use

Read alongside the chapters they support. Pattern files are structural — they show the boxes and arrows. Chapters explain the operational reality of running each box. Pair architecture reading with the lab and microsim that exercise the same scenario.