Security teams at big companies have expensive SIEM tools that cost thousands of dollars a year. I decided to build my own — a lightweight Security Operations Center (SOC) dashboard using Python and Flask. The project handles the core things a SOC analyst actually needs: ingesting and normalizing logs, running detection rules against them, managing alerts, and getting notified via email or Slack when something suspicious happens. I also added threat intelligence enrichment using AbuseIPDB, which lets you check whether an IP address has been flagged for malicious activity anywhere on the internet. The whole thing runs locally on port 5050 — no cloud required, no subscriptions. You drop in your logs, the detection engine evaluates them against rules you define, and alerts get fired with full context. You can also plug in a local threat feed (a simple JSON or CSV file of known-bad IPs) if you want to go beyond the public API. What I learned building this is that the hardest part isn't the detection logic — it's the normalization step. Logs come in wildly different formats depending on the source, and getting them into a consistent schema is where most of the real work lives. If you're studying for a cybersecurity cert or just want to understand how SIEMs actually work under the hood, building something like this yourself is 100x more valuable than reading about it. The full code is on my machine — planning to push it to GitHub soon.