ZOOMIE – SOAR / xMDR – Carlos Menezes

Project overview

ZOOMIE is a project focused on SOAR and xMDR, designed to bring visibility, detection, and response closer together in a single defensive workflow. Its core idea is to reduce the gap between a suspicious event and the corresponding defensive action, with special attention to real-time mitigation scenarios.

Rather than acting as passive monitoring only, the project aims to combine telemetry, correlation, and automated response, building a flow that is closer to a modern SecOps environment.

SOAR xMDR Python C# / .NET Splunk Linux Hardening

Main objective

ZOOMIE is intended to create an ecosystem capable of:

receiving events and risk signals from different system layers;
evaluating enough context to separate noise from relevant threats;
triggering automated responses whenever defined criteria are met;
supporting SOC and Blue Team operations with more speed and consistency.

The focus is not only on detection, but on detection with the ability to act.

Key components

Orchestration engine: coordinates defensive decisions and actions.
Dedicated forwarder: component designed to apply real-time containment or blocking.
Continuous telemetry: collection of operational and security signals to feed analysis.
Splunk integration: provides visibility, auditability, and event tracking support.
Hardened Linux base: secure system foundation and operational discipline underneath.

Technical approach

The project combines technologies with complementary roles. The automation and orchestration side relies on Python, while structure and operational logic can be supported by C# / .NET. Visibility and event logging connect with Splunk, creating a bridge between action and auditability.

In practical terms, this makes it possible to build a flow where detection does not end in an alert. It can evolve into containment, logging, validation, and continuous improvement.

Value for SOC / Blue Team

Lower MTTR: faster response to meaningful events.
Greater consistency: less dependence on repetitive manual actions.
Better traceability: events and responses can be tracked and audited.
More active posture: moving from passive monitoring to operational defense.

High-level timeline

Phase 1 – concept definition and Zoomie’s role inside the defensive ecosystem.
Phase 2 – development of core telemetry and orchestration components.
Phase 3 – integration with detection and containment mechanisms.
Phase 4 – connection with Splunk for observability and analytical support.
Phase 5 – continuous evolution toward stronger SecOps automation and resilience.

SOAR SecOps Blue Team Automation

Stack and context

Languages: Python, C#, Bash
Observability: Splunk
System: Linux
Domain: xMDR, SOAR, active containment

This page is intentionally concise. Its purpose is to show the project’s technical direction, impact, and alignment with defensive operations, without exposing deeper implementation details.

Portfolio positioning

Within my portfolio, ZOOMIE represents the side that is more directly aligned with security automation and active response, complementing projects such as:

Splunk-based SIEM
Linux hardening
LDAP / IAM
Integration of defensive controls

In essence, it is the piece that connects observability and action.