SOC Integration for Security Robots: CDR for KRITIS
SOC integration for security robots: MQTT, SIEM, alarm verification, NIS-2 evidence. Technical reference for KRITIS operators.
SOC Integration for Security Robots: Why the Interface Decides the Operational Value
A patrol robot without SOC integration produces telemetry that nobody correlates. Its detection value drops to the level of a fixed camera, only more expensive and on wheels. Only the structured handover of events to a Security Operations Center turns the platform into a detection instrument.
Cyber-Physical Defense Response (CDR) links physical events with IT logs in a single case. A perimeter breach at the fence, a thermal anomaly at the transformer house and a failed badge read at the north gate belong in the same ticket. Without SOC, each event stays isolated. With SOC, an incident emerges.
The draft KRITIS Umbrella Act (KRITIS-Dachgesetz) requires evidence for detection and response. Isolated robotics alerts do not fulfil this duty. Auditors review the full chain: sensor, classification, SIEM ticket, escalation, deployment order.
QR-2 and QR-3 with LiDAR and drone detection deliver structured events as JSON over MQTT or HTTPS, not raw video streams. The control room receives metadata and a signed link to the forensic material, not a 1080p full-frame feed over a narrow uplink.
Rule of thumb from the field: every robot alert must appear in the SOC analyst's SIEM ticket within 30 seconds. Anything longer is an interface that auditors will question.
Data Model: What a Security Robot Must Deliver to the SOC
The event schema stands or falls with mandatory fields. Timestamps in UTC per ISO 8601, geo position in WGS84, sensor source, confidence value from 0.0 to 1.0, classification from a closed vocabulary (person, vehicle, drone, animal, unknown) and a reference to the raw data.
A concrete event looks like this in production:
{
"event_id": "qr2-evt-2026-02-12T03:14:22Z-7f3a",
"ts": "2026-02-12T03:14:22Z",
"site": "umspannwerk-nord",
"robot_id": "qr2-014",
"geo": {"lat": 51.2812, "lon": 7.1934},
"sensor": "thermal",
"classification": "person",
"confidence": 0.87,
"evidence_url": "https://cdr.quarerorobotics.com/e/7f3a?sig=..."
}
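The mandatory fields above are only worth anything if the SOC gateway enforces them before an event reaches the SIEM. The validator below is an added example written for this page, not code from the robot platform; it checks the page's own sample event plus a constructed bad one. The one assumption beyond the data model is that the signed evidence link carries its signature in a sig= query parameter, as the sample suggests.

```python
import json
import re
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Mandatory fields and closed vocabulary exactly as the data model above lists them.
REQUIRED = ("event_id", "ts", "site", "robot_id", "geo",
            "sensor", "classification", "confidence", "evidence_url")
CLASSIFICATIONS = {"person", "vehicle", "drone", "animal", "unknown"}
# ISO 8601 with an explicit Z: a local offset such as +01:00 is rejected on purpose.
ISO_UTC = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{3}|\.\d{6})?Z$")


def validate_event(raw: str) -> list:
    """Return the list of schema violations for one JSON event; empty means accept."""
    try:
        ev = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(ev, dict):
        return ["event must be a JSON object"]
    errors = [f"missing field: {key}" for key in REQUIRED if key not in ev]
    if errors:
        return errors  # value checks below assume every field is present

    ts = ev["ts"]
    if not isinstance(ts, str) or not ISO_UTC.match(ts):
        errors.append("ts must be ISO 8601 in UTC with a trailing Z")
    else:
        try:
            datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            errors.append("ts is not a real calendar time")

    geo = ev["geo"]
    if not (isinstance(geo, dict)
            and isinstance(geo.get("lat"), (int, float)) and -90 <= geo["lat"] <= 90
            and isinstance(geo.get("lon"), (int, float)) and -180 <= geo["lon"] <= 180):
        errors.append("geo must be a WGS84 {lat, lon} pair within range")

    conf = ev["confidence"]
    # bool is a subclass of int in Python, so `true` would otherwise pass as 1.0.
    if isinstance(conf, bool) or not isinstance(conf, (int, float)) or not 0.0 <= conf <= 1.0:
        errors.append("confidence must be a number in [0.0, 1.0]")

    if ev["classification"] not in CLASSIFICATIONS:
        errors.append(f"classification {ev['classification']!r} is not in the closed vocabulary")

    for key in ("event_id", "site", "robot_id", "sensor"):
        if not isinstance(ev[key], str) or not ev[key]:
            errors.append(f"{key} must be a non-empty string")

    # Assumption: the signed evidence link carries its signature in a 'sig' query
    # parameter, as the sample event suggests. Plain http or an unsigned link is refused.
    url = urlparse(ev["evidence_url"]) if isinstance(ev["evidence_url"], str) else None
    if url is None or url.scheme != "https" or not url.netloc or "sig" not in parse_qs(url.query):
        errors.append("evidence_url must be an https URL carrying a sig= parameter")
    return errors


# The event from the data model above, reproduced verbatim.
GOOD_EVENT = json.dumps({
    "event_id": "qr2-evt-2026-02-12T03:14:22Z-7f3a",
    "ts": "2026-02-12T03:14:22Z",
    "site": "umspannwerk-nord",
    "robot_id": "qr2-014",
    "geo": {"lat": 51.2812, "lon": 7.1934},
    "sensor": "thermal",
    "classification": "person",
    "confidence": 0.87,
    "evidence_url": "https://cdr.quarerorobotics.com/e/7f3a?sig=...",
})

# A constructed bad event: local time offset, out-of-vocabulary class,
# confidence above 1.0 and an unsigned http evidence link.
BAD_EVENT = json.dumps({
    "event_id": "qr2-evt-2026-02-12T04:14:22-bad1",
    "ts": "2026-02-12T04:14:22+01:00",
    "site": "umspannwerk-nord",
    "robot_id": "qr2-014",
    "geo": {"lat": 51.2812, "lon": 7.1934},
    "sensor": "thermal",
    "classification": "cat",
    "confidence": 1.2,
    "evidence_url": "http://cdr.quarerorobotics.com/e/bad1",
})

if __name__ == "__main__":
    print("good:", validate_event(GOOD_EVENT))
    print("bad: ", validate_event(BAD_EVENT))
```

Rejecting a local time offset rather than converting it is deliberate: a gateway that silently normalises timestamps hides a misconfigured robot clock, and that misconfiguration is exactly what an auditor reconstructing a 72-hour reporting window will trip over.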
A heartbeat every 10 seconds monitors availability. An outage longer than 60 seconds automatically opens an SOC ticket, because a silent robot is a blind guard post.
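The 10-second heartbeat and 60-second threshold are simple to state, but a naive implementation either opens a fresh ticket on every check cycle or never closes the old one when the robot comes back. The watchdog below is an added example, not the platform's own monitor; it replays a constructed heartbeat timeline and opens exactly one ticket per outage. The ticket id format is assumed.

```python
from dataclasses import dataclass, field

HEARTBEAT_INTERVAL_S = 10   # one heartbeat every 10 s, as specified above
OUTAGE_THRESHOLD_S = 60     # silence longer than this opens a ticket, as specified above


@dataclass
class HeartbeatWatchdog:
    """Tracks the last heartbeat per robot and opens exactly one ticket per outage."""
    last_seen: dict = field(default_factory=dict)     # robot_id -> seconds of last heartbeat
    open_tickets: dict = field(default_factory=dict)  # robot_id -> ticket id while silent
    _next_ticket: int = 1

    def heartbeat(self, robot_id: str, ts: float):
        """Record a heartbeat. Returns the ticket id closed by this recovery, or None."""
        self.last_seen[robot_id] = ts
        return self.open_tickets.pop(robot_id, None)

    def check(self, now: float) -> list:
        """Run on a timer. Returns the (robot_id, ticket) pairs opened in this cycle."""
        opened = []
        for robot_id, seen in self.last_seen.items():
            silent_for = now - seen
            if silent_for > OUTAGE_THRESHOLD_S and robot_id not in self.open_tickets:
                ticket = f"SOC-{self._next_ticket:04d}"   # ticket id format is assumed
                self._next_ticket += 1
                self.open_tickets[robot_id] = ticket
                opened.append((robot_id, ticket))
        return opened


def simulate() -> list:
    """Replay a constructed timeline: qr2-014 falls silent at t=30, returns at t=120, then dies again."""
    wd = HeartbeatWatchdog()
    log = []
    # Constructed heartbeat schedule (t in seconds): qr2-015 is healthy throughout.
    beats = {t: ["qr2-015"] for t in range(0, 301, HEARTBEAT_INTERVAL_S)}
    for t in (0, 10, 20, 30, 120):
        beats[t].append("qr2-014")
    for t in range(0, 301, HEARTBEAT_INTERVAL_S):
        for robot in beats[t]:
            closed = wd.heartbeat(robot, t)
            if closed:
                log.append((t, "close", robot, closed))
        for robot, ticket in wd.check(t):
            log.append((t, "open", robot, ticket))
    return log


if __name__ == "__main__":
    for entry in simulate():
        print(entry)
```

Note the strict comparison: at exactly 60 seconds of silence nothing fires, at 70 seconds (the next check cycle) the ticket opens. The healthy robot never appears in the log, which is the property to verify in the tabletop exercise before go-live.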
The forensic payload is deliberately small. A 640x480 JPEG snippet is enough for first verification. Full video is loaded only on demand via a signed URL. That keeps backbone load predictable.
Audit trail: every patrol route and every sensor trigger is written immutably into WORM storage, retention 90 days by default, 180 or 365 days for KRITIS sectors with higher evidence duties.
GDPR compliance is not an add-on. Frames containing persons are automatically discarded after 72 hours unless an incident has been opened in that window. The deletion routine runs as a cron job and is itself logged.
Protocols and Interfaces: MQTT, Syslog, REST
MQTT over TLS 1.3 is the standard for event streaming. The topic structure follows a flat, predictable pattern:
quarero/<site>/<robot-id>/event
quarero/<site>/<robot-id>/heartbeat
quarero/<site>/<robot-id>/telemetry
quarero/<site>/<robot-id>/command
Subscribe rights are granted per topic via ACLs. The SOC operator sees event and heartbeat. The maintenance technician also gets telemetry. Write rights on command go only to authorised shift leads.
For Splunk, QRadar and Microsoft Sentinel we deliver Syslog per RFC 5424 in Common Event Format (CEF) in parallel. Existing parsers work without custom development. Anyone already maintaining Sigma rules extends them with robotics-specific fields.
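What the SIEM connector actually emits is worth seeing once, because CEF escaping is where home-grown connectors break parsers. The encoder below is an added example, not the vendor's connector: it wraps the page's sample event in a CEF:0 message inside an RFC 5424 syslog header. Vendor and product come from the page; the version string, app name, the choice of CEF extension keys and the severity-per-classification table are assumptions to be tuned per deployment.

```python
from datetime import datetime

# Vendor and product from the page; version, app name and severity table are assumed.
VENDOR, PRODUCT, VERSION = "Quarero", "QR-2", "1.0"
APP_NAME = "quarero-cdr"
CEF_SEVERITY = {"person": 7, "drone": 8, "vehicle": 6, "unknown": 5, "animal": 2}
SYSLOG_FACILITY, SYSLOG_SEVERITY = 16, 4   # local0, warning


def esc_header(value) -> str:
    """CEF header fields: backslash and pipe are escaped, backslash first."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def esc_ext(value) -> str:
    """CEF extension values: backslash, equals and newlines are escaped; pipes are legal here."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "").replace("\n", "\\n"))


def to_cef(ev: dict) -> str:
    """Render one robot event as a CEF:0 message using standard extension keys."""
    ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    cls, sensor = ev["classification"], ev["sensor"]
    header = "|".join(esc_header(x) for x in (
        VENDOR, PRODUCT, VERSION,
        f"{sensor}.{cls}",                       # signature id: stable, rule-friendly
        f"{cls} detected by {sensor} sensor",    # human-readable name
        CEF_SEVERITY.get(cls, 5),
    ))
    ext = {
        "rt": int(ts.timestamp() * 1000),        # receipt time, epoch milliseconds
        "externalId": ev["event_id"],
        "dvchost": ev["robot_id"],
        "cat": cls,
        "dlat": ev["geo"]["lat"], "dlong": ev["geo"]["lon"],
        "cfp1": ev["confidence"], "cfp1Label": "confidence",
        "cs1": ev["site"], "cs1Label": "site",
        "cs2": sensor, "cs2Label": "sensor",
        "request": ev["evidence_url"],
    }
    return f"CEF:0|{header}|" + " ".join(f"{k}={esc_ext(v)}" for k, v in ext.items())


def to_syslog(ev: dict) -> str:
    """RFC 5424 framing: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG."""
    pri = SYSLOG_FACILITY * 8 + SYSLOG_SEVERITY
    return f"<{pri}>1 {ev['ts']} {ev['robot_id']} {APP_NAME} - event - {to_cef(ev)}"


# The sample event from the data model section, reproduced verbatim.
EVENT = {
    "event_id": "qr2-evt-2026-02-12T03:14:22Z-7f3a",
    "ts": "2026-02-12T03:14:22Z",
    "site": "umspannwerk-nord",
    "robot_id": "qr2-014",
    "geo": {"lat": 51.2812, "lon": 7.1934},
    "sensor": "thermal",
    "classification": "person",
    "confidence": 0.87,
    "evidence_url": "https://cdr.quarerorobotics.com/e/7f3a?sig=...",
}

if __name__ == "__main__":
    print(to_syslog(EVENT))
```

Note what happens to the evidence link: the `=` in `?sig=` is escaped to `\=` in the extension, which is what the stock CEF parsers in Splunk, QRadar and Sentinel expect. A connector that forgets this produces a `request` field truncated at the query string, and the analyst's signed link is gone.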
The REST API is bidirectional. The SOC can pause a patrol, add waypoints, reduce speed or request a live stream. Every command carries an operator ID and is recorded in the audit log.
Webhooks go to ticketing systems like ServiceNow or Jira with signed HMAC headers. The receiver verifies the signature before processing. Replay protection via nonce and timestamp is mandatory.
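Both halves of the webhook contract, as an added example that is not the platform's or any ticketing vendor's code: the sender signs body, timestamp and nonce together, and the receiver verifies in the order that matters (clock window, then constant-time signature check, then nonce bookkeeping). Header names and the five-minute skew window are assumptions; the page only requires a signed HMAC header with nonce and timestamp.

```python
import hashlib
import hmac
import secrets
import time

# Header names and the 5-minute skew window are assumptions, not the page's specification.
SIG_HEADER, TS_HEADER, NONCE_HEADER = "X-CDR-Signature", "X-CDR-Timestamp", "X-CDR-Nonce"
MAX_SKEW_S = 300


def _mac(secret: bytes, ts: int, nonce: str, body: bytes) -> str:
    # Timestamp and nonce are bound into the MAC, so neither can be swapped on a captured request.
    msg = f"{ts}.{nonce}.".encode() + body
    return "sha256=" + hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_webhook(secret: bytes, body: bytes, ts: int = None, nonce: str = None) -> dict:
    """Sender side: headers to attach to the POST. ts/nonce are overridable only for deterministic tests."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(16) if nonce is None else nonce
    return {TS_HEADER: str(ts), NONCE_HEADER: nonce, SIG_HEADER: _mac(secret, ts, nonce, body)}


class WebhookReceiver:
    """Receiver side: the ticketing system's inbound endpoint."""

    def __init__(self, secret: bytes, max_skew: int = MAX_SKEW_S):
        self.secret = secret
        self.max_skew = max_skew
        self._seen = {}   # nonce -> ts, kept only for max_skew seconds

    def verify(self, headers: dict, body: bytes, now: int = None) -> tuple:
        """Returns (accepted, reason). Check order matters: signature before nonce bookkeeping."""
        now = int(time.time()) if now is None else now
        try:
            ts = int(headers[TS_HEADER])
            nonce, sig = headers[NONCE_HEADER], headers[SIG_HEADER]
        except (KeyError, ValueError):
            return False, "missing or malformed signature headers"
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside acceptance window"
        # Constant-time comparison; never compare MACs with ==.
        if not hmac.compare_digest(_mac(self.secret, ts, nonce, body), sig):
            return False, "bad signature"
        # Only authentic requests reach the nonce cache, so forged traffic cannot fill it.
        self._seen = {n: t for n, t in self._seen.items() if now - t <= self.max_skew}
        if nonce in self._seen:
            return False, "replay"
        self._seen[nonce] = ts
        return True, "ok"


# Constructed demo: shared secret and a ticket payload for the ServiceNow/Jira side.
DEMO_SECRET = b"rotate-me-via-vault"
DEMO_BODY = b'{"event_id": "qr2-evt-2026-02-12T03:14:22Z-7f3a", "classification": "person"}'


def demo() -> list:
    rx = WebhookReceiver(DEMO_SECRET)
    hdrs = sign_webhook(DEMO_SECRET, DEMO_BODY, ts=1_770_866_062, nonce="5d41402abc4b2a76")
    t = 1_770_866_070
    return [
        rx.verify(hdrs, DEMO_BODY, now=t),                                  # first delivery
        rx.verify(hdrs, DEMO_BODY, now=t + 1),                              # same request again
        rx.verify(hdrs, DEMO_BODY.replace(b"person", b"animal"), now=t),    # body tampered
        rx.verify(hdrs, DEMO_BODY, now=t + 3600),                           # stale capture
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because every accepted timestamp lies within the skew window, the nonce cache only needs to remember nonces for that long; anything older is already refused by the clock check. That keeps the receiver's state bounded, which matters when the webhook endpoint is shared across all of a provider's client sites.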
Mutual TLS between robot and SOC gateway secures the channel. Certificate rotation runs automatically every 90 days via an internal ACME endpoint. Manual rotation does not scale past 20 robots.
Alarm Verification: From Sensor Event to Deployment Order
Stage 1 runs at the edge. The robot classifies locally in under 200 milliseconds and sends the event with its confidence value. Pure wildlife alerts with confidence below 0.6 are discarded locally, not forwarded to the SOC. Otherwise the control room drowns in rabbit reports.
Stage 2 is human. The SOC analyst sees the event in the SIEM, opens the live stream via the signed URL and verifies within 90 seconds. Playbook-driven: identify, classify, escalate or close.
Stage 3 is escalation. A confirmed alarm goes to the contracted intervention service or directly to the state police, depending on the incident. The false-positive rate on QR-2, by our field data, sits at 4 percent. Over 95 percent of escalated incidents are real events, not shadows or deer.
Double verification is a strong lever. After the first event, the robot autonomously moves to a second observation position for an independent angle. That reduces false alarms further but costs around 40 seconds of reaction time. For high-security perimeters the trade-off is worth it, for logistics yards often not.
The escalation matrix is documented in the security concept and coordinated with the responsible state police. Anyone skipping this before go-live ends up with debate instead of patrol cars when it matters.
In-House SOC versus External SOC Provider
An in-house SOC becomes realistic from around EUR 4 million in annual budget. Three shifts, four analysts per shift, tools, rooms, training. Anyone calculating smaller is not building 24/7 operations but a 9-to-5 hotline.
External SOC service starts around EUR 8,000 per month for SME KRITIS operators. We integrate into existing contracts with Securitas, G4S, Prosegur and regional providers. The robot feed runs in the same tenant as the other client sites.
The hybrid model is popular with plant managers. Day shift in-house, because the site shift lead knows the plant. Night shift external, because three internal night analysts are more expensive and harder to staff than a provider contract.
The BDSW documents the labour shortage in the guarding industry. SOC personnel are the scarcest resource within that shortage. Anyone building a new SOC from scratch in 2026 should budget for headhunting.
Contract clauses on response time are negotiable, but market standard is 90 seconds to visual contact via live stream and 5 minutes to intervention dispatch. Longer times belong in the penalty section.
NIS-2 and KRITIS-Dachgesetz: Compliance Evidence from the Integration
NIS-2 Article 21 mandates measures for handling security incidents. Detection, response, recovery. The SOC integration delivers technical proof for detection and response in one step.
The NIS-2 reporting duties (early warning within 24 hours, incident notification within 72 hours) cannot be reliably met manually. Automated SOC tickets with timestamp and audit trail fulfil the duty; manually drafted emails to the BSI fail against the reality of the working week.
The KRITIS-Dachgesetz requires physical protection measures AND evidence of their effectiveness. Event logs are that evidence. A KRITIS-Dachgesetz checklist for 2026 walks through the individual evidence duties.
Board liability bites when a documented response chain is absent. A documented SOC integration is exculpatory evidence. Anyone deploying robotics without SOC integration creates apparent compliance. In a damage case that is read against the operator. Details on NIS-2 board liability show the personal dimension.
Since 2025, auditors have stepped up review of the end-to-end chain from sensor to deployment order. Presenting only the hardware fails the audit. Presenting event logs, SIEM tickets and escalation protocols passes. The BSI-Kritisverordnung defines thresholds and sectors by which audit depth is calibrated.
Implementation Plan: 6 Weeks from Pilot to Production
Week 1 is planning. Identify SOC tooling (Splunk, QRadar, Sentinel, Elastic), define network paths, set VLAN segmentation. The robot belongs neither in the office VLAN nor in the OT network, but in its own security VLAN with clear egress rules.
Week 2 builds the platform. Set up MQTT broker and SIEM connector, run test events. We supply sample JSON, configurations for the common brokers (HiveMQ, EMQX, Mosquitto) and CEF mappings for the three large SIEMs.
Week 3 is hardware. Physical delivery of robots (48-hour delivery in the rental model), calibrate patrol routes, generate LiDAR map. At a mid-sized site of 30,000 square metres, calibration is complete within two days.
Week 4 is people. Train alarm verification playbooks with SOC analysts, rehearse the escalation matrix. Every analyst runs through at least five simulated incidents before go-live.
Week 5 is the tabletop. Exercise with simulated incidents: perimeter breach at night, drone approach in wind, fire in the technical building. Observers are plant security, IT security, external auditor. Minutes go to management.
Week 6 is production. Go-live, first weekly review, fine-tuning of confidence thresholds. Experience shows that thresholds are adjusted twice in the first 14 days before stable operation sets in.
Economics: SOC-Capable Robotics versus Classic Guard Service
A 24/7 guard post costs between EUR 15,000 and EUR 25,000 per month depending on the federal state and the applicable collective agreement (Manteltarifvertrag). A QR-2 plus SOC share comes to EUR 4,500 to EUR 5,500 per month in the rental model. The range reflects site size, uplink bandwidth and SOC service level.
Robotics does not replace the human, it shifts human work into verification. The analyst used to watch 32 cameras on one screen. Now they verify pre-filtered events with a clear action prompt. That is the work they were trained for.
Scaling effect: one SOC analyst handles 8 to 12 robots across multiple sites simultaneously. Precondition: false-positive rate below 5 percent and event density below 20 per hour. Beyond that, verification becomes the bottleneck.
The Robotics-as-a-Service model avoids CapEx. Software updates, integrations, SOC connector maintenance are included in the monthly price. With outright purchase, hidden costs appear in interface maintenance and are usually underestimated in the business case.
ROI lands at 7 to 11 months versus conventional guard service. The exact range depends on site size and existing SOC infrastructure. Operators already running a SIEM reach ROI faster. The detailed TCO comparison against classic guard service breaks down the individual cost lines.
A closing economic note: EN ISO 13482 governs safety requirements for service robots. Suppliers without this conformity have been disqualified from KRITIS tenders as a rule since 2025. The standard should be referenced explicitly in the specification.
For concrete integration planning into your SIEM landscape, Marcus Köhnlein is the technical contact: Pilot enquiry to Marcus Köhnlein. To review platform details and next-generation sensors first, the specifications are available under QR-3. The overview page on NIS-2 compliance provides the regulatory framing for the integration.