MIXEL SOC

Security Operations Center · as a Service

Swiss-managed detection
for the SMEs the big MSSPs ignore.

Open-source core. Compliance-first positioning (nDSG, FINMA-light, ISO 27001). Bundled with the same fractional IT leadership your team already has on retainer.

Stack: Wazuh + Suricata + Zeek · TheHive 5 + Cortex · MISP threat intel · n8n SOAR · M365 Defender add-on

3 tiers · Starter → Premium MDR
CHF 800–4,500 per month · per client, recurring
15 min P1 SLA · Premium MDR tier
24/7 monitoring · Premium MDR tier

Architecture

Hybrid: thin sensor on-site, heavy lift in our cloud.

A hardened sensor VM sits on the client's network and tunnels back to MIXEL over WireGuard. All detection, correlation, and case work runs centrally so the client carries minimal infrastructure.

Client site
  MIXEL Sensor VM
    • Suricata IDS
    • Zeek NSM
    • Wazuh agent collector
    • WireGuard auto-enroll
  Endpoints: Wazuh agents (+ optional MS Defender for Business)

Transport: encrypted · WireGuard · TLS 1.3 · the sensor opens the tunnel back to MIXEL, so no client-managed firewall changes

MIXEL cloud SOC · soc.mixel.ch
  • Wazuh manager + indexer
  • TheHive 5
  • Cortex 3
  • MISP
  • n8n SOAR

Consumers
  • → MIXEL analyst portal
  • → Client admin portal (multi-tenant)
  • → Branded PDF reports (DE / FR / EN)

Hosted on mixel-vps-01 (Hetzner CCX33 · 32 GB · co-located with Supabase migration target)

Open-source stack

No black boxes, no per-endpoint licenses, no vendor lock.

Every component is industry-standard open source we can audit, tune, and migrate. The only commercial lines we add are ones the client probably already pays for (Microsoft Defender) or that are cheap and pay-as-you-go (VirusTotal API).

SIEM · HIDS · indexer

Wazuh 4.9

Endpoint security monitoring, log ingest, file integrity monitoring (FIM), vulnerability detection. The indexer doubles as our central log store.

RAM: 4G manager + 6G indexer
Network detection

Suricata + Zeek

Runs on the on-site sensor. Suricata for signature-based IDS, Zeek for protocol-aware metadata and anomaly hunting. ET Open signatures for Suricata, plus custom detections (Sigma) over the Zeek and Suricata logs the sensor forwards.

Sensor-side · 2G typical
Case management

TheHive 5

Tickets, observables, tasks, attachments, MITRE ATT&CK tagging. Auto-creates a case when n8n promotes a Wazuh alert.

RAM: 2G TheHive + 1.5G Cassandra + 1G Elasticsearch
Observable analyzers

Cortex 3

Auto-enriches IPs, hashes, URLs against VirusTotal, AbuseIPDB, MISP, Shodan, etc. Plugged into TheHive so analysts don't context-switch.

RAM: 1G
Threat intelligence

MISP

CTI sharing platform. Pulls AlienVault OTX, abuse.ch, ENISA feeds. Feeds IoCs to Wazuh and Cortex automatically.

RAM: 1.5G core + 1G db
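The "feeds IoCs to Wazuh automatically" step, as an added illustration that is not MIXEL's own MISP→Wazuh pipeline: MISP attributes flagged `to_ids` are turned into Wazuh CDB lists (one `key:value` line per indicator, matched by a `<list>` element in a rule). The list names, the type mapping, the rule id/level and the sample events are assumptions; the MISP attribute fields (`type`, `value`, `to_ids`), the CDB line format and the `<list>` rule syntax are the real ones. It also handles the composite MISP types (`ip-dst|port`, `filename|sha256`) and skips keys that Wazuh cannot represent.

```python
"""Turn MISP attributes into Wazuh CDB lists (illustrative, not MIXEL's feed code)."""
from __future__ import annotations

from collections import defaultdict

# Assumption: which MISP attribute type lands in which CDB list, and for
# composite types ("a|b" values) which piece of the value is the indicator.
TYPE_TO_LIST = {
    "ip-dst": ("misp-ips", 0),
    "ip-src": ("misp-ips", 0),
    "ip-dst|port": ("misp-ips", 0),
    "ip-src|port": ("misp-ips", 0),
    "domain": ("misp-domains", 0),
    "hostname": ("misp-domains", 0),
    "md5": ("misp-hashes", 0),
    "sha1": ("misp-hashes", 0),
    "sha256": ("misp-hashes", 0),
    "filename|sha256": ("misp-hashes", 1),
}

# Matching rule on the Wazuh manager (real syntax; id and level are assumptions).
# The list must also be declared in ossec.conf: <ruleset><list>etc/lists/misp-ips</list></ruleset>
WAZUH_RULE_EXAMPLE = """
<rule id="100100" level="12">
  <if_group>sshd|web|windows</if_group>
  <list field="srcip">etc/lists/misp-ips</list>
  <description>Source IP matches a MISP indicator</description>
</rule>
"""


def cdb_key(attr_type: str, value: str) -> tuple[str | None, str | None]:
    """Return (list_name, key) for one MISP attribute, or (None, None) if unusable."""
    spec = TYPE_TO_LIST.get(attr_type)
    if spec is None:
        return None, None
    list_name, piece = spec
    parts = value.strip().split("|")
    if len(parts) <= piece:
        return None, None
    key = parts[piece].lower()
    # Wazuh splits every CDB line at the first ':'; a key that itself contains
    # ':' (IPv6 literals, anything with a scheme) cannot be stored, so skip it.
    if not key or ":" in key:
        return None, None
    return list_name, key


def misp_to_cdb(events: list[dict]) -> dict[str, list[str]]:
    """Return {list_name: ["key:value", ...]} ready to write under /var/ossec/etc/lists/.

    Only attributes flagged to_ids are exported (analyst notes stay out of
    detection), the first event id seen wins for duplicate indicators, and
    each list is sorted so successive runs produce diffable files.
    """
    lists: dict[str, dict[str, str]] = defaultdict(dict)
    for wrapper in events:
        event = wrapper["Event"]
        for attr in event.get("Attribute", []):
            if not attr.get("to_ids", False):
                continue
            list_name, key = cdb_key(attr["type"], attr["value"])
            if list_name is None:
                continue
            lists[list_name].setdefault(key, f"misp-event-{event['id']}")
    return {name: [f"{k}:{v}" for k, v in sorted(entries.items())]
            for name, entries in lists.items()}


# Constructed sample events in MISP's JSON shape (not real intel).
SAMPLE_EVENTS = [
    {"Event": {"id": "4201", "info": "constructed C2 sample", "Attribute": [
        {"type": "ip-dst", "value": "203.0.113.7", "to_ids": True},
        {"type": "ip-dst|port", "value": "203.0.113.9|8443", "to_ids": True},
        {"type": "domain", "value": "Update-Check.Example", "to_ids": True},
        {"type": "sha256", "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855", "to_ids": True},
        {"type": "comment", "value": "analyst note, never an indicator", "to_ids": False},
        {"type": "ip-dst", "value": "198.51.100.1", "to_ids": False},
    ]}},
    {"Event": {"id": "4202", "info": "constructed dropper sample", "Attribute": [
        {"type": "ip-src", "value": "203.0.113.7", "to_ids": True},
        {"type": "ip-dst", "value": "2001:db8::1", "to_ids": True},
        {"type": "filename|sha256", "value": "dropper.exe|9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08", "to_ids": True},
    ]}},
]

if __name__ == "__main__":
    for name, lines in misp_to_cdb(SAMPLE_EVENTS).items():
        print(f"# etc/lists/{name}")
        print("\n".join(lines))
```

After writing the files, the manager has to reload so the lists are compiled; the IPv6 skip is a real limitation of the colon-separated format, so IPv6 indicators need a different rule path (for example a `<field>` regex) rather than a CDB list.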
SOAR · automation

n8n

Visual playbooks: enrichment, case creation, Slack/Teams notify, SLA timers, customer portal updates. Already in our stack — same instance pattern.

RAM: 0.5G
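The promotion step mentioned under both TheHive ("auto-creates a case when n8n promotes a Wazuh alert") and n8n, as an added illustration that is not MIXEL's n8n playbook: a Wazuh alert JSON is filtered on rule level, mapped to a TheHive 5 `POST /api/v1/alert` payload with ATT&CK tags and observables, and keyed on the Wazuh alert id so replays do not create duplicates. The threshold, severity map, tag scheme and sample alerts are assumptions; the Wazuh field names (`rule.level`, `rule.mitre.id`, `agent.name`, `data.srcip`, …) and the TheHive 5 payload fields are the real ones.

```python
"""Promote a Wazuh alert into a TheHive 5 alert payload (illustrative, not MIXEL's playbook)."""
from __future__ import annotations

import json
from typing import Any

PROMOTE_MIN_LEVEL = 7  # assumption: Wazuh levels below 7 stay in the SIEM only

# (dotted path into the Wazuh alert, TheHive dataType) pairs lifted as observables
OBSERVABLE_FIELDS = [
    ("data.srcip", "ip"),
    ("data.dstip", "ip"),
    ("data.url", "url"),
    ("syscheck.sha256_after", "hash"),
    ("syscheck.path", "filename"),
]


def get_path(obj: Any, dotted: str) -> Any:
    """Walk a dotted path such as 'rule.mitre.id' through nested dicts; None if absent."""
    cur = obj
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def wazuh_level_to_severity(level: int) -> int:
    """Map a Wazuh rule level (0-15) onto TheHive severity (1 low .. 4 critical)."""
    if level >= 12:
        return 4
    if level >= 10:
        return 3
    if level >= PROMOTE_MIN_LEVEL:
        return 2
    return 1


def extract_observables(alert: dict) -> list[dict]:
    """Collect de-duplicated observables in TheHive 5 format."""
    seen: set[tuple[str, str]] = set()
    out = []
    for path, dtype in OBSERVABLE_FIELDS:
        value = get_path(alert, path)
        if not value:
            continue
        key = (dtype, str(value))
        if key in seen:
            continue
        seen.add(key)
        out.append({"dataType": dtype, "data": str(value), "message": f"from {path}"})
    return out


def wazuh_alert_to_thehive(alert: dict) -> dict | None:
    """Return the TheHive alert payload, or None when the alert is not worth promoting."""
    rule = alert.get("rule", {})
    level = int(rule.get("level", 0))
    if level < PROMOTE_MIN_LEVEL:
        return None
    agent = alert.get("agent", {})
    tags = [f"wazuh-rule:{rule.get('id', '?')}", f"agent:{agent.get('name', 'unknown')}"]
    tags += [f"attack:{tid}" for tid in get_path(alert, "rule.mitre.id") or []]
    tags += ["tactic:" + t.lower().replace(" ", "-") for t in get_path(alert, "rule.mitre.tactic") or []]
    return {
        "type": "wazuh",
        "source": "wazuh-manager",
        "sourceRef": alert["id"],  # (type, source, sourceRef) must be unique: replays are rejected, not duplicated
        "title": f"[{agent.get('name', 'unknown')}] {rule.get('description', 'Wazuh alert')}",
        "description": "Raw Wazuh alert:\n" + json.dumps(alert, indent=2),
        "severity": wazuh_level_to_severity(level),
        "tags": tags,
        "observables": extract_observables(alert),
        "tlp": 2,
        "pap": 2,
    }


# Constructed sample alerts in Wazuh's JSON shape (not real traffic).
SAMPLE_BRUTE_FORCE = {
    "id": "1717000000.123456",
    "timestamp": "2024-05-29T14:22:31.000+0000",
    "rule": {
        "id": "5712", "level": 10,
        "description": "sshd: brute force trying to get access to the system.",
        "mitre": {"id": ["T1110"], "tactic": ["Credential Access"], "technique": ["Brute Force"]},
    },
    "agent": {"id": "001", "name": "fileserver-01"},
    "data": {"srcip": "198.51.100.23", "dstuser": "root"},
}
SAMPLE_NOISE = {
    "id": "1717000001.654321",
    "rule": {"id": "5501", "level": 3, "description": "PAM: Login session opened."},
    "agent": {"id": "001", "name": "fileserver-01"},
    "data": {"srcuser": "backup"},
}

if __name__ == "__main__":
    print(json.dumps(wazuh_alert_to_thehive(SAMPLE_BRUTE_FORCE), indent=2))
    print(wazuh_alert_to_thehive(SAMPLE_NOISE))  # None: not promoted
```

In n8n the same logic sits in a Function node between the Wazuh webhook and an HTTP Request node that POSTs the returned dict to `/api/v1/alert`; the `sourceRef` key is what makes the playbook safe to re-run after an outage.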
Commercial add-ons (selective)
  • Microsoft Defender for Business — most M365 SMEs already have it (~CHF 3 / user / month)
  • VirusTotal API — pay-as-you-go file/URL reputation
  • Qualys VMDR (Premium tier only) — enterprise-grade vulnerability scanning
What we don't sell
  • Per-endpoint pricing — we sell tiers, not licenses
  • Black-box detection rates — every detection rule is auditable
  • "Best in class" benchmarks against Sophos/Arctic Wolf — we don't compete on price

Pricing

Three tiers. One contract. Stacks on existing fractional IT.

Pricing aligns with our existing CHF 2,500–7,500/mo fractional IT leadership tiers. SOC bolts on as a single recurring add-on with one shared MSA.

Starter

For under-25 endpoint shops

CHF 800 /mo
  • ✓ Network IDS sensor
  • ✓ Up to 25 Wazuh endpoint agents
  • ✓ 30-day log retention
  • ✓ Email + portal alerts
  • ✓ 8×5 alert review
  • ✓ Quarterly compliance report
  • ✓ Quarterly vulnerability scan
  • — No hunting, no IR, no after-hours

Premium MDR

Regulated / 24×7-required clients

CHF 4,500 /mo
  • ✓ Everything in Business
  • ✓ Unlimited endpoint agents
  • ✓ 1-year log retention
  • ✓ Phone escalation tree
  • ✓ 24×7 monitoring
  • ✓ 15 min P1 / 1 h P2 SLA
  • ✓ Weekly threat hunt
  • ✓ Full IR + forensics
  • ✓ Weekly vulnerability scan
  • ✓ Phishing simulation included
  • ✓ Audit-ready compliance docs
Gated on cyber/E&O insurance + 24×7 staffing decision (Phase 6)

Why MIXEL

Built for the Swiss SMEs the big MSSPs ignore.

Specialist security for organizations under 250 employees — the same open-source stack enterprise SOCs use, sized and priced for the businesses Sophos and Arctic Wolf won't quote.

Local · DE / FR / EN

Swiss-based, Swiss-fluent

Headquartered in Buchs ZH. Reports and case work in German, French, or English. nDSG-aligned by default — your auditors don't need to translate.

No black box

Open detections, no lock-in

Every alert comes from an open, auditable detection rule. Every log lives in your own tenant. Walk away anytime — your data goes with you.

One contract

Bundled with fractional IT

Already on retainer with us? SOC bolts on as a single MSA, single invoice, single accountable contact. No new vendor to onboard.

Audit-ready

Compliance-grade reporting

Monthly PDFs in your language. ISO 27001-friendly evidence trail. FINMA-light controls mapped to your environment. Hand the package to your auditor as-is.

Human first

Named accountability

Your contact is a named person you can call. Not a ticket queue, not a Tier-1 chatbot. P1 incidents reach the founder within 15 minutes on Premium MDR.

Enterprise tools

Same stack as the giants

Wazuh, TheHive, Cortex, MISP, n8n — the same OSS components running inside Fortune 500 SOCs. Maintained, tuned, and made boringly understandable.

Ready to move?

30-minute call · no slide deck · just a frank look at your current stack and what we'd change.