Automated cyber defense can outperform costly commercial SIEMs



CO-EDP, VisionRI | Updated: 26-11-2025 14:24 IST | Created: 26-11-2025 14:24 IST

A new academic study warns that organisations can no longer rely exclusively on heavyweight commercial security platforms to guard against modern cyberthreats. The research asserts that growing attack sophistication and soaring licensing costs demand a different model, one that is open-source, capability-driven, adaptive and built to automate response at scale. The findings suggest a major shift underway in the cybersecurity landscape, where flexible, modular systems may soon outcompete traditional security information and event management platforms.

The analysis comes from the paper “A capability-driven automated cybersecurity monitoring and response system,” published in Frontiers in Computer Science, that lays out a comprehensive, operational framework for an automated security management system designed to detect threats, analyse risk and execute response actions without the delays and manual bottlenecks typical of existing tools.

The authors use a methodology known as Capability-Driven Development (CDD) to define what an effective cybersecurity monitoring and response system should look like. The approach starts from organisational goals and requirements, not from vendor products. By analysing 14 years of cybersecurity research alongside industry-standard attack frameworks, the authors build a platform capable of real-time threat detection, machine-learning-based analytics, user engagement, automated blocking, and continuous adaptation to new risks.

The resulting system directly challenges the assumption that only expensive, proprietary SIEM solutions can deliver high-performance monitoring and automated incident response.

A capability-driven shift that reverses traditional cybersecurity logic

Most organisations today adopt security systems by purchasing commercial SIEM tools and then attempting to adapt internal processes around them. The authors invert this logic. Instead of aligning people to tools, they align tools to organisational needs. The study identifies key decision points, threat categories, detection contexts and adaptive strategies required for modern incident response.

Their capability-driven framework integrates organisational goals, operational constraints, performance indicators and contextual factors into a single system. This includes hardware limitations, staff availability, regulatory requirements, accuracy thresholds, risk priorities and expected attack behaviours. The platform then uses these inputs to collect data, monitor threats, classify risks and automatically initiate protective actions.

The authors emphasise that cybersecurity systems cannot be static. Detection accuracy, response actions and user involvement must adjust dynamically based on the evolving threat environment. The CDD-based model enables a system to do exactly that, tailoring its defences continuously rather than relying on rigid rules or manual oversight.

A three-layer architecture built for real-time threat intelligence

The system consists of three fully integrated layers: data sources, threat detection, and automated operations. Each layer uses open-source technologies to minimise cost and maximise adaptability.

The data layer ingests logs and telemetry from diverse systems, including firewalls, intrusion detection systems, authentication logs, DNS requests, server logs, NetFlow data and honeypot interactions. Using tools such as Suricata for network inspection, Apache Kafka for event transport and Apache Spark for stream processing, the system converts raw events into structured data streams suitable for advanced analytics.

The threat detection layer processes this data using a combination of machine learning, rule-based logic and context-aware adjustments. The system calculates device-level and user-level threat scores, correlates events, and identifies suspicious behaviours indicative of malware activity, compromised devices or insider threats.

The operations layer automates responses. Depending on severity and context, the system can block IP addresses, disable compromised devices, alert users, or escalate incidents to staff. The framework allows organisations to pre-define conditions in which the system acts autonomously and when human intervention is required.

This layered structure provides enterprise-grade functionality without the constraints or costs of commercial tools, giving organisations a way to deploy tailored cyber-defence mechanisms at scale.

Machine learning drives precision with a powerful DNS DGA detection module

A major technical achievement highlighted in the study is a machine-learning-driven mechanism for detecting domain generation algorithm (DGA)–based attacks. Malware uses a DGA to generate large numbers of candidate command-and-control domain names, of which the attacker registers only a few, so that static blocklists and filters cannot keep up. Identifying the generated names is notoriously difficult. The authors train multiple machine learning models and compare their performance using balanced datasets containing both malicious and legitimate domain names.

The Random Forest classifier emerges as the top performer, outperforming neural networks, support vector machines and decision trees in accuracy, precision and recall. More importantly, the module is tested in live deployment where it successfully detects malicious domains that bypass the protections of a leading commercial firewall system.
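The following block is an added example and not code from the paper: the study trains a Random Forest on balanced DGA/benign domain sets, whereas this block only computes the kind of per-domain lexical features such a model consumes (entropy, length, digit ratio, vowel ratio, consonant runs) and scores them with hand-set weights so it runs offline without an ML library. The weights, the 0.5 threshold and the sample domains are constructed assumptions, and the naive TLD handling is noted in the code.

```python
"""Lexical features for DGA domain classification, with a transparent
scoring rule.  Added example, not code from the paper: the study trains a
Random Forest on balanced DGA/benign domain sets; this block computes the
kind of per-domain features such a model consumes and scores them with
hand-set weights so it runs offline without an ML library.  Weights,
thresholds and the sample domains are constructed assumptions."""
import math
from collections import Counter

VOWELS = set("aeiou")


def registrable_label(domain: str) -> str:
    """Label left of the TLD.  Assumption: single-label TLDs only; a real
    deployment would consult the Public Suffix List for co.uk-style suffixes."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score high."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s: str) -> int:
    """Pronounceable words rarely chain more than three or four consonants."""
    best = run = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def features(domain: str) -> dict:
    """Feature vector for one domain name (what a classifier would consume)."""
    label = registrable_label(domain)
    letters = [c for c in label if c.isalpha()]
    n = max(len(label), 1)
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "digit_ratio": sum(c.isdigit() for c in label) / n,
        "vowel_ratio": sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0,
        "consonant_run": longest_consonant_run(label),
    }


def dga_score(domain: str) -> float:
    """Hand-weighted score in roughly [0, 1].  A trained model (the paper's
    Random Forest) learns these weights and non-linear splits from data."""
    f = features(domain)
    return (
        0.35 * min(f["entropy"] / 4.0, 1.0)
        + 0.25 * min(f["length"] / 20.0, 1.0)
        + 0.15 * f["digit_ratio"]
        + 0.25 * min(f["consonant_run"] / 6.0, 1.0)
        - 0.20 * f["vowel_ratio"]
    )


def is_dga(domain: str, threshold: float = 0.5) -> bool:
    return dga_score(domain) >= threshold


if __name__ == "__main__":
    # Constructed samples: two benign names and two DGA-like names
    for d in ["google.com", "wikipedia.org", "xk3jq9vbw2lpz7.com", "qwrtpsdfghjklz.net"]:
        print(f"{d:24} score={dga_score(d):.2f} dga={is_dga(d)}")
```

The hand rule separates these four samples but would misfire on long, real English names such as compound brand names, which is exactly the boundary a classifier trained on labelled data is needed to learn; the feature functions are the reusable part.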

This finding suggests that the capability-driven system not only matches but can surpass some of the detection abilities of proprietary vendors, especially for emerging or fast-mutating threats.

NetFlow analytics, vulnerability detection and end-of-life monitoring strengthen defence layers

The model incorporates a range of analytical tools designed to provide full-spectrum visibility. The system analyses NetFlow data to identify unusual traffic patterns that may indicate compromised hosts, lateral movement or data exfiltration. Unlike DNS analysis, NetFlow-based detection models require local training, signalling that certain machine learning components need organisation-specific calibration.
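The following block is an added example, not the paper's code, of what "local training" means for NetFlow: per-host outbound-volume baselines are fitted on the organisation's own traffic and contrasted with a single pooled threshold on the same data. All flow volumes, host addresses and the 3-sigma band are constructed assumptions.

```python
"""Per-host NetFlow baselining fitted on local traffic.  Added example, not
the paper's code: it shows why a NetFlow anomaly model needs organisation-
specific calibration, by contrasting per-host thresholds with one global
threshold on the same data.  All flow volumes and addresses are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training data: outbound bytes per host for five 5-minute
# windows of known-good traffic.  A workstation and a backup server have
# very different "normal" volumes.
BASELINE_WINDOWS = [
    {"10.0.1.20": 2_000_000, "10.0.2.5": 800_000_000},
    {"10.0.1.20": 3_000_000, "10.0.2.5": 1_000_000_000},
    {"10.0.1.20": 2_500_000, "10.0.2.5": 900_000_000},
    {"10.0.1.20": 4_000_000, "10.0.2.5": 1_200_000_000},
    {"10.0.1.20": 3_500_000, "10.0.2.5": 1_100_000_000},
]

# Constructed live window: the workstation pushes 400 MB out (exfiltration-
# like), the backup server runs its usual job, and a never-seen host appears.
LIVE_WINDOW = {
    "10.0.1.20": 400_000_000,
    "10.0.2.5": 1_050_000_000,
    "10.0.3.9": 50_000_000,
}


def fit_per_host(windows, k=3.0, min_std=1_000_000):
    """host -> mean + k*std of that host's own outbound bytes.  The std is
    floored so a host with very stable traffic does not get a zero-width band."""
    samples = defaultdict(list)
    for w in windows:
        for host, b in w.items():
            samples[host].append(b)
    return {h: mean(v) + k * max(pstdev(v), min_std) for h, v in samples.items()}


def fit_global(windows, k=3.0):
    """One threshold for every host, fitted on the pooled samples."""
    pooled = [b for w in windows for b in w.values()]
    return mean(pooled) + k * pstdev(pooled)


def detect_per_host(window, thresholds):
    """Returns (hosts over their own threshold, hosts with no local baseline).
    Unknown hosts are surfaced rather than silently passed."""
    over = sorted(h for h, b in window.items() if h in thresholds and b > thresholds[h])
    unknown = sorted(h for h in window if h not in thresholds)
    return over, unknown


def detect_global(window, threshold):
    return sorted(h for h, b in window.items() if b > threshold)


if __name__ == "__main__":
    print("per-host:", detect_per_host(LIVE_WINDOW, fit_per_host(BASELINE_WINDOWS)))
    print("global:  ", detect_global(LIVE_WINDOW, fit_global(BASELINE_WINDOWS)))
```

On this data the pooled threshold lands near 2 GB because the backup server dominates the variance, so the workstation's 400 MB burst passes unnoticed; the per-host model flags it and also reports the host it has never baselined. Thresholds fitted on another organisation's hosts would be just as blind, which is the transferability caveat the study raises.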

Another module identifies end-of-life devices, flagging machines that no longer receive security updates. This allows organisations to remove vulnerable hardware before attackers exploit it.

The platform also uses honeypots to detect network intrusions. Activity in a honeypot is automatically correlated with device-level threat scores, enabling rapid isolation of infected machines.
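The following block is an added example, not the paper's code, covering both the threat detection and operations layers described above and the honeypot correlation in this paragraph: detection-layer events (IDS alerts, DGA hits, NetFlow anomalies, honeypot interactions) are correlated into a decaying per-device score, score bands map to actions, and a pre-defined autonomy policy decides which actions run without a human. Event weights, band thresholds, the policy, the device inventory and the sample events are all constructed assumptions.

```python
"""Device-level threat scoring and tiered automated response.  Added
example, not the paper's code: detection-layer events are correlated per
device into a decaying score; the operations layer maps score bands to
actions and an autonomy policy decides which actions run without a human.
Weights, bands, policy, inventory and sample events are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Weight per event kind (assumed).  A honeypot touch is near-conclusive:
# nothing legitimate has a reason to talk to a honeypot.
EVENT_WEIGHTS = {
    "ids_alert_low": 10,
    "ids_alert_high": 40,
    "dga_domain": 30,
    "netflow_anomaly": 35,
    "honeypot_touch": 60,
}
HALF_LIFE_S = 3600.0  # score halves every hour so stale events fade out

# Score bands -> actions, highest band first (assumed thresholds)
TIERS = [
    (80, ["isolate_device", "block_peer_ips", "escalate_staff"]),
    (50, ["notify_user", "block_peer_ips"]),
    (20, ["notify_user"]),
]

# Pre-defined autonomy policy: actions the system may take alone, per device
# class.  Isolating a server is gated on a human; a workstation is not.
AUTONOMOUS = {
    "workstation": {"notify_user", "block_peer_ips", "isolate_device", "escalate_staff"},
    "server": {"notify_user", "block_peer_ips", "escalate_staff"},
}
DEVICE_CLASS = {"ws-042": "workstation", "ws-017": "workstation",
                "ws-099": "workstation", "srv-db-01": "server"}


@dataclass(frozen=True)
class Event:
    device: str
    kind: str
    ts: float  # epoch seconds
    detail: str = ""


def device_scores(events, now):
    """Sum weighted events per device with exponential time decay."""
    scores = defaultdict(float)
    for e in events:
        decay = 0.5 ** (max(now - e.ts, 0.0) / HALF_LIFE_S)
        scores[e.device] += EVENT_WEIGHTS[e.kind] * decay
    return dict(scores)


def plan_actions(score):
    for floor, actions in TIERS:
        if score >= floor:
            return list(actions)
    return []


def execute(device, actions):
    """Split planned actions into those run now and those queued for approval.
    Unknown devices are treated as servers, the more conservative class."""
    allowed = AUTONOMOUS[DEVICE_CLASS.get(device, "server")]
    ran = [a for a in actions if a in allowed]
    pending = [a for a in actions if a not in allowed]
    return ran, pending


def run_pipeline(events, now):
    out = {}
    for device, score in device_scores(events, now).items():
        ran, pending = execute(device, plan_actions(score))
        out[device] = {"score": round(score, 1), "executed": ran, "pending_approval": pending}
    return out


NOW = 1_700_000_000.0
# Constructed events
SAMPLE_EVENTS = [
    Event("ws-042", "ids_alert_high", NOW - 120, "IDS: possible C2 beacon"),
    Event("ws-042", "honeypot_touch", NOW - 60, "SSH to honeypot 10.0.9.9"),
    Event("srv-db-01", "netflow_anomaly", NOW - 300, "outbound bytes 12x baseline"),
    Event("srv-db-01", "honeypot_touch", NOW - 30, "SMB probe to honeypot"),
    Event("ws-017", "dga_domain", NOW - 7200, "xk3jq9vbw2lpz7.com"),
    Event("ws-017", "dga_domain", NOW - 10, "qwrtpsdfghjklz.net"),
    Event("ws-099", "ids_alert_low", NOW, "IDS: unusual user-agent"),
]

if __name__ == "__main__":
    for dev, r in run_pipeline(SAMPLE_EVENTS, NOW).items():
        print(dev, r)
```

A workstation that touched the honeypot minutes after a high IDS alert is isolated, blocked and escalated automatically; the database server with the same score gets the block and the page but its isolation waits for approval; two DGA lookups two hours apart only warrant a user notification because the older one has decayed. The decay keeps an old alert from pinning a device at a high score indefinitely, which is one way to limit the blast radius of automated blocking.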

Together, these capabilities extend protection beyond conventional log analysis, providing layers of defence that the authors map against the MITRE ATT&CK knowledge base of adversary tactics and techniques, which they use as a reference for coverage.

User involvement becomes a crucial element of automated response

What makes the platform unique is the integration of end-user involvement into automated response strategies. Unlike traditional SIEMs that rely solely on security teams, this system notifies users directly when their devices exhibit suspicious behaviour.

The study compares response times between email alerts and SMS messages. SMS leads to dramatically faster responses, especially in critical incidents. However, the research warns that frequent SMS alerts risk causing fatigue, reducing their effectiveness. Organisations must therefore calibrate alert frequency and escalation rules to maintain a balance between speed and usability.
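The following block is an added example, not the paper's code, of the calibration this paragraph calls for: severity picks the channel, a per-user SMS budget over a sliding window keeps high-severity texts rare, critical alerts bypass the budget, and alerts that go unacknowledged escalate to staff. The budget, window and timeout values, the user names and the severity labels are assumptions.

```python
"""Alert delivery policy with SMS fatigue control.  Added example, not the
paper's code: severity selects the channel, a per-user SMS budget over a
sliding window limits texts, critical alerts bypass the budget, and
unacknowledged alerts escalate to staff.  All parameters are assumptions."""
from collections import defaultdict, deque


class AlertPolicy:
    def __init__(self, sms_budget=3, window_s=86_400, ack_timeout_s=900):
        self.sms_budget = sms_budget        # max SMS per user per window
        self.window_s = window_s            # sliding window length
        self.ack_timeout_s = ack_timeout_s  # how long a user has to acknowledge
        self._sms_sent = defaultdict(deque)  # user -> timestamps of SMS sent

    def _recent_sms(self, user, now):
        """Drop timestamps older than the window and return the count left."""
        q = self._sms_sent[user]
        while q and now - q[0] > self.window_s:
            q.popleft()
        return len(q)

    def deliver(self, user, severity, now):
        """Return the channels used.  'low' -> email only; 'high' -> SMS while
        budget remains, otherwise email plus SOC escalation instead of yet
        another text; 'critical' -> SMS regardless of budget."""
        channels = ["email"]
        if severity == "low":
            return channels
        if severity == "critical" or self._recent_sms(user, now) < self.sms_budget:
            self._sms_sent[user].append(now)
            channels.append("sms")
        else:
            channels.append("staff_escalation")
        return channels

    def needs_escalation(self, severity, sent_at, acked_at, now):
        """High/critical alerts not acknowledged within the timeout go to staff."""
        if severity == "low" or acked_at is not None:
            return False
        return now - sent_at > self.ack_timeout_s


if __name__ == "__main__":
    p = AlertPolicy(sms_budget=2)
    t0 = 1_700_000_000
    for sev, t in [("high", t0), ("high", t0 + 60), ("high", t0 + 120),
                   ("critical", t0 + 180), ("low", t0 + 200)]:
        print(sev, p.deliver("alice", sev, t))
    print("escalate unacked:", p.needs_escalation("high", t0, None, t0 + 1000))
```

Once a user has exhausted the SMS budget, the third high-severity alert is routed to staff rather than sent as another text the user has probably stopped reading; the budget is per user, so one noisy device does not silence alerts to everyone else.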

User surveys included in the evaluation show that the platform prevented multiple real-world incidents, including data leakage and attempted financial fraud. The system autonomously disconnected more than one hundred compromised devices during deployment periods, highlighting the real-world efficacy of integrating user action with system automation.

Cost savings and flexibility give open-source systems a competitive edge over SIEM giants

The study includes a direct comparison between the capability-driven system and leading commercial SIEM platforms IBM QRadar and Splunk. While the commercial systems offer robust feature sets, the open-source system demonstrates comparable monitoring and threat detection performance at a fraction of the cost.

The open-source model provides several advantages:

  • It is fully customisable at the module level.
  • New analytical functions can be developed without vendor constraints.
  • It supports multi-deployment configurations including cloud, standalone and client-based setups.
  • It requires no licensing fees, reducing total cost of ownership.

Case deployments at Riga Technical University and two Latvian state agencies show that the system replaced commercial SIEM licences for some clients, delivering significant financial savings. For organisations processing logs from large numbers of external systems, the ability to tailor ingestion pipelines proved especially valuable.

The findings demonstrate the viability of open-source cybersecurity platforms in enterprise environments, a trend that could disrupt an industry currently dominated by proprietary vendors.

Towards an adaptive, future-proof cybersecurity model

The authors argue that cybersecurity can no longer rely on static, rule-based systems. Instead, organisations need adaptive, data-driven, machine-learning-enabled monitoring platforms that evolve alongside threats. They also highlight the importance of modularity, transparency and organisational alignment, areas where commercial tools often fall short.

The research also underscores the difference between transferable and non-transferable machine learning modules. DNS-based DGA detection can be shared across organisations without retraining, while NetFlow-based models need local calibration. This distinction will shape how future cybersecurity platforms deploy AI-based tools across distributed infrastructures.

The authors position their capability-driven system as a blueprint for next-generation cybersecurity architecture: scalable, intelligent and organisationally aligned rather than vendor-locked. Their results show that automation, when guided by clear capability models, can strengthen real-time defence, reduce manual overhead, and democratise access to high-quality cybersecurity.

  • FIRST PUBLISHED IN: Devdiscourse