Phoenix Re-Architecture
Engineering · Internal · Confidential
00 Engineering plan

Revamping Phoenix.
The build plan.

Where we are, where we're going, and the actual sequence of work to get there — the PRDs, what each unblocks, and what we start this week.

01 Where we are

A system that works — carrying the debt of moving fast.

  • In production: 3 batch scripts + a Django portal, glued by an Elastic queue — running a real SOC for real customers. (Live · delivering)
  • Reliability: The XDR↔Jira engine has no retries / timeouts / idempotency — a crash can duplicate work. (Harden)
  • Security: Secrets & config to shore up before we build on top. (Urgent)
  • Architecture: An 8,896-line view layer, no service boundary — hard to extend safely. (Refactor)
  • Data & tenancy: Jira is the system of record; tenant data isn't fully isolated yet. (Re-found)

02 Where we're going

Phoenix becomes the system of record.

Pluggable ingestion in. A clean canonical model Phoenix owns. Analysts work out of Phoenix — Jira and the rest become sinks, not the source of truth.

Sources →

  • Cisco XDR
  • AI-activity feeds
  • + future detections
pluggable connectors

★ Phoenix core

  • Canonical data model
  • Cases & workbench
  • SLAs · enrichment
the source of truth

Sinks →

  • Jira (optional)
  • Salesforce
  • Platform API
projections / sync

03 The approach

Harden in place. Don't rewrite.

Decision 01
Phoenix owns the record

Canonical model, cases, state, SLAs — ingestion stays federated & pluggable.

Decision 02
Build vs buy, per component

Build the data model & workbench; buy the queue, pipeline, IdP.

Decision 03
Controller: strangler

Harden the live engine, then extract a clean service. No big-bang.

Decision 04
Wrap the shared DB

Versioned API replaces Platform's raw reads — with Maya.

The SOC keeps running the entire time. “Multi-quarter” is a direction, not a deadline.

04 The sequence

What unblocks what.

Columns, left → right: Start now · Next · Then

  • Foundations · PRD-A1 (NOW) · Security & hygiene · phoenix-eng · independent
  • Data core · PRD-B1 (NOW) · Canonical data model · phoenix-eng · Kyle
  • Platform · PRD-C1 · Decompose + queue · phoenix-eng
  • Engine · PRD-D1 (parallel) · Controller → service · phoenix-eng
  • Data core · PRD-B2 · Connector framework · phoenix-eng
  • Engine / seams · PRD-D2 · Contracts + wrap DB · phoenix-eng · Maya
  • Product · PRD-E1 · Analyst workbench · phoenix-eng · Eric
  • Platform · PRD-C2 · Multi-tenancy & authz · phoenix-eng
  • Product / vision · PRD-E2 · SOC-for-AI foundation · phoenix-eng · Kyle

PRD-A2 · Observability · SRE · IaC · CI — cross-cutting, runs through every track →

Legend: B1 keystone · unblocks · depends on keystone · PRD. Left → right = unblock order, not dates.

05 The backlog

The PRDs, in detail.

Foundations

  • A1 · Security & hygiene: Rotate secrets, kill DEBUG, fix config & deps, lock the stale branch. (Now · Buy)
  • A2 · Observability & delivery: Structured logs, metrics, alerting, containers, IaC, CI — cross-cutting. (Buy+build)

Data core

  • B1 ★ · Canonical data model: OCSF-aligned Alert / Case / Asset — the source of truth everything hangs off. (Now · Build)
  • B2 · Connector framework: Pluggable sources & sinks; XDR first, AI-feeds & others drop in. (Build)

Platform

  • C1 · Decompose + queue: Break the monolith into domains + service layer; real task queue. (Build+queue)
  • C2 · Multi-tenancy & authz: Enforced tenant scoping, RBAC, scoped keys, audit log. (Build)

Engine / seams

  • D1 · Controller → service: Client lib (timeouts/retries/idempotency), durable queue, Cisco v2. (Build)
  • D2 · Contracts + wrap DB: Versioned API over us_soc_reporting; contract tests both sides. (+ Maya · Build)

Product / vision

  • E1 ★ · Analyst workbench: Cases, queues, SLAs, enrichment, escalation — Jira on a strangler path. (+ Eric · Build)
  • E2 · SOC-for-AI foundation: Telemetry fabric, detection-as-code, guarded action surface. (Build+engine)

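The reliability gap from "Where we are" (a crash in the XDR↔Jira engine can duplicate work) and the D1 client-lib fix (idempotency, retries, timeouts) in one runnable sketch. This is an added illustration, not Phoenix code; Alert, FakeJira, the ledger dict and the SOC-n issue ids are constructed stand-ins for the XDR alert, the Jira sink and the local record of what has already been synced.

```python
import hashlib
import time
from dataclasses import dataclass, field

class TransientError(Exception):
    pass  # timeout or network failure that is safe to retry

@dataclass
class Alert:
    tenant: str
    xdr_incident_id: str
    title: str

@dataclass
class FakeJira:  # in-memory stand-in for the Jira sink (constructed for this example)
    issues: dict = field(default_factory=dict)  # idempotency key -> issue id
    fail_times: int = 0                          # transient failures to inject

    def find_by_key(self, key):
        return self.issues.get(key)

    def create(self, key, summary, timeout_s=5.0):
        if self.fail_times > 0:
            self.fail_times -= 1
            raise TransientError(f"simulated timeout after {timeout_s}s")
        self.issues[key] = f"SOC-{len(self.issues) + 1}"
        return self.issues[key]

def idempotency_key(alert):
    """Same tenant + XDR incident -> same key, so a replay hits the same ticket."""
    raw = f"{alert.tenant}:{alert.xdr_incident_id}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]

def sync_alert(alert, jira, ledger, retries=3, backoff_s=0.0):
    """Create at most one Jira issue per alert; safe to re-run after a crash."""
    key = idempotency_key(alert)
    if key in ledger:                 # already created and acked locally
        return ledger[key]
    existing = jira.find_by_key(key)  # created, but we crashed before recording it
    if existing:
        ledger[key] = existing
        return existing
    for attempt in range(retries + 1):
        try:
            ledger[key] = jira.create(key, alert.title)
            return ledger[key]
        except TransientError:
            if attempt == retries:
                raise                 # give up; a durable queue redelivers later
            time.sleep(backoff_s * 2 ** attempt)
```

Re-running sync_alert with an empty ledger (the "crashed before ack" case) returns the existing issue instead of opening a second one, which is the duplicate-work window the current engine leaves open.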
06 Right now

Two things, this week.

01 · HARDEN

Security pass

Secrets, config, the urgent items. Quick, shared, real — we owe our customers this, and it clears the ground for everything else.

PRD-A1 · independent · start immediately

02 · DESIGN

Canonical data model

The keystone. We design the OCSF-aligned model together — connectors, the API-wrapped DB, the workbench, and the AI layer all build on this shape.

PRD-B1 · unblocks B2 · D2 · E1 · E2

Lock the data model early → the most expensive rework never happens.

07 How we work

Built together, in the open.

PRDs

You co-author

Every PRD is drafted and reviewed with you in Linear — your names on the architecture.

Cadence

Ship in slices

Near-term wins each cycle; the dependency graph keeps us honest about order.

Guardrail

SOC never stops

Delivery is protected throughout — we harden the live system, we don't gamble it.

Next: PRD-A1 kicks off now · PRD-B1 we design this week.