Defense in depth is no longer an architecture recommendation in 2026 – it's an audit requirement. NIS-2 explicitly demands layered defense; ISO 27001:2022 requires continuous monitoring and secure configuration management. SecTepe.Comm bundles three open-source building blocks that together deliver exactly those layers: Wazuh, OpenBao, and Coraza.
Wazuh: SIEM, EDR, and Compliance Reporting in One
Wazuh is more than a log collector. It combines endpoint detection with log aggregation and compliance reporting:
- Endpoint agents on Linux, Windows, and macOS hosts deliver file integrity monitoring, rootkit detection, vulnerability scans, and configuration assessment.
- Log aggregation from syslog, Windows event logs, container logs (Docker, Kubernetes), and cloud APIs (AWS CloudTrail, Azure Activity Log).
- Decoders + rules: over 4,000 pre-loaded rules cover standard attack patterns; custom rules are YAML-configurable.
- MITRE ATT&CK mapping: every alert is linked to the corresponding technique – important for incident response reports.
- Compliance modules: PCI DSS, HIPAA, GDPR, NIST 800-53 as ready dashboards.
OpenBao: The Secrets Vault as a Mandatory Layer
Secrets in plaintext configs are a deal-breaker for any serious audit in 2026. OpenBao (the open-source community fork of HashiCorp Vault) delivers:
- Central secret storage: database passwords, API keys, TLS certificates, SSH CA keys.
- Dynamic secrets: per-session generated database credentials with short lifetime – instead of long-lived static passwords.
- Transit engine: encryption-as-a-service for applications, so the application never holds the keys itself.
- Audit trail: every secret access is logged with identity, timestamp, and method.
- Identity provider integration: via OIDC to Keycloak – secret access follows personal identity, not a service account.
Coraza: OWASP CRS at Traefik Level
A web application firewall is mandatory for any publicly reachable app in 2026 – not as the frontline defense, but as a filter for the roughly 90 % of requests that are noise from scanners and automated exploit attempts. Coraza is a pure-Go implementation of the ModSecurity rule language (SecLang) that runs the OWASP Core Rule Set:
- No Apache module ballast: runs as a sidecar or Traefik plugin, without a separate WAF server.
- Paranoia levels: PL1 (default) to PL4 (very aggressive) – configurable per application.
- Rule customization: SecRule syntax for custom detections; exclusion (whitelist) rules for false-positive tuning.
- Audit log: blocked requests, including the matched rule details, are written in a form Wazuh can ingest directly.
How the Trio Plays Together
Example: an attacker tries an SQL injection against the SecTepe.Comm web UI:
- Coraza recognizes the CRS pattern, blocks the request with HTTP 403, and writes an audit entry.
- Wazuh reads the audit entry, correlates it with other activity from the same IP, and fires a high-severity alert.
- The alert triggers a query of the OpenBao audit log: were there secret accesses from this IP or session? If yes, the associated tokens are revoked automatically.
- SOC receives a notification with full context – instead of manually digging through three tools.
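The correlation step in this scenario, as an added example that is not code from SecTepe.Comm or from any of the three projects: a Python sketch of the active-response glue that reads Coraza's blocked-request entries and OpenBao's audit log, joins them by client IP within a time window, and returns the token accessors to revoke. The sample audit lines are constructed to resemble the real formats, and the script assumes the OpenBao audit device was enabled with hmac_accessor=false (otherwise accessors are HMAC'd and cannot be passed to auth/token/revoke-accessor).

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit lines. The Coraza lines imitate its JSON audit log
# (only the fields used here are reproduced); the OpenBao lines follow the
# Vault-compatible audit format. Assumption: hmac_accessor=false on the audit
# device, so "auth.accessor" is usable for POST /v1/auth/token/revoke-accessor.
CORAZA_AUDIT = [
    '{"transaction":{"timestamp":"2026-03-01T10:00:01Z","client_ip":"203.0.113.7","request":{"uri":"/login?user=%27%20OR%201%3D1--"},"response":{"status":403},"messages":[{"data":{"id":942100}}]}}',
    '{"transaction":{"timestamp":"2026-03-01T10:00:05Z","client_ip":"203.0.113.7","request":{"uri":"/api?id=1%20UNION%20SELECT"},"response":{"status":403},"messages":[{"data":{"id":942190}}]}}',
    '{"transaction":{"timestamp":"2026-03-01T10:02:00Z","client_ip":"198.51.100.4","request":{"uri":"/"},"response":{"status":200},"messages":[]}}',
]
OPENBAO_AUDIT = [
    '{"time":"2026-03-01T09:50:00Z","type":"request","auth":{"accessor":"acc-attacker-1"},"request":{"path":"secret/data/db","remote_address":"203.0.113.7"}}',
    '{"time":"2026-03-01T08:00:00Z","type":"request","auth":{"accessor":"acc-stale"},"request":{"path":"secret/data/db","remote_address":"203.0.113.7"}}',
    '{"time":"2026-03-01T10:01:00Z","type":"request","auth":{"accessor":"acc-legit"},"request":{"path":"secret/data/app","remote_address":"198.51.100.4"}}',
]

def _ts(s):
    # Audit logs use RFC 3339 with a trailing Z; make it an aware datetime.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def blocked_by_coraza(lines):
    """Return {client_ip: [(timestamp, [crs_rule_ids]), ...]} for blocked requests."""
    hits = {}
    for line in lines:
        tx = json.loads(line)["transaction"]
        if tx["response"]["status"] != 403:
            continue  # request was allowed; nothing to correlate
        rule_ids = [m["data"]["id"] for m in tx.get("messages", [])]
        hits.setdefault(tx["client_ip"], []).append((_ts(tx["timestamp"]), rule_ids))
    return hits

def accessors_to_revoke(coraza_lines, openbao_lines, window=timedelta(minutes=30), min_hits=2):
    """Token accessors used from an IP that Coraza blocked at least min_hits times,
    where the secret access happened within `window` of one of those blocks."""
    hits = blocked_by_coraza(coraza_lines)
    suspects = {ip: h for ip, h in hits.items() if len(h) >= min_hits}
    revoke = {}
    for line in openbao_lines:
        ev = json.loads(line)
        if ev.get("type") != "request":
            continue  # response entries carry no new identity information
        ip = ev["request"].get("remote_address")
        if ip not in suspects:
            continue
        t = _ts(ev["time"])
        if any(abs(block_time - t) <= window for block_time, _ in suspects[ip]):
            revoke.setdefault(ip, set()).add(ev["auth"]["accessor"])
    return {ip: sorted(accs) for ip, accs in revoke.items()}

def revoke_payloads(revoke):
    """Bodies for POST auth/token/revoke-accessor, one per accessor to revoke."""
    return [{"accessor": a} for accs in revoke.values() for a in accs]
```

Stale accesses outside the window (acc-stale) and tokens used from hosts Coraza never blocked (acc-legit) are left alone; only acc-attacker-1 is queued for revocation.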
Realistic Maintenance Effort
Wazuh + OpenBao + Coraza are not an "install and forget" stack. Realistically:
- Initial setup: 2–3 days for configuration, integration, and tuning.
- Ongoing effort: 2–4 h per week for false positive triage, rule updates, dashboard maintenance.
- Scaling: the Wazuh Manager runs comfortably on 8 vCPU + 16 GB RAM for ~500 endpoints; OpenBao and Coraza add almost no load.
Conclusion
Anyone in 2026 wanting serious defense in depth without spending €50k/year on Splunk + HashiCorp Vault Enterprise + a WAF SaaS gets a mature, integrated, EU-sovereign stack with Wazuh + OpenBao + Coraza. The license: AGPL/MPL/Apache 2.0. The effort: calculable. The audit value: high.