Budget-Grade Asset Protection: Self-Storage Surveillance & GPS Stack

Overview

The Problem with Standard Storage Security

If you have a motorcycle, tools, gear, or inventory in a storage unit, your current security is a padlock and a gate code. The commercial security industry has nothing between that and a $2,000 installation plus $80/month monitoring contract. This stack is what goes in that gap — four independent layers, under $300 in hardware, sourced same-day from retail, deployed in under 24 hours.

This case study documents a complete physical asset security stack designed, sourced, and deployed in under 24 hours using same-day retail. That timeline applies to the base tier. The architecture runs on four independent layers with no single point of failure — each layer operates autonomously. Defeating one does not defeat the stack.

The advanced tier — Raspberry Pi 5, Debian 12, Frigate NVR, Wazuh SIEM, WireGuard backhaul — is a separate engagement with a longer build timeline. See the Advanced Tier section below.

“Most people put a padlock on a storage unit and walk away. The cost difference between that and GPS tracking, two auto-tracking cameras with chained UPS backup, and a dedicated cellular hotspot is a dinner out.”

Threat Model

Controls Matched to Actual Likelihood

Overspending on low-probability vectors wastes budget and creates false confidence. Controls are matched to threat likelihood — not worst-case theater.

Threat Vector	Likelihood	Primary Mitigation
High-value vehicle theft	HIGH	GPS tracker on independent LTE + motion-alert camera
Opportunistic unit break-in	MEDIUM	Door-facing camera + cloud-stored motion event clips
Power interruption to facility	LOW	Dual chained UPS — 7-hour sustained runtime
Hotspot or WiFi failure	LOW	GPS operates on own LTE — fully independent
Camera tampering or destruction	LOW	GPS continues tracking independently of camera stack
Insurance claim with no evidence	MEDIUM	24/7 cloud-backed video + continuous GPS location history
RF-based GPS defeat	VERY LOW	Requires active scanning equipment outside opportunistic profile — see Known Limitations

Bill of Materials — Base Tier

Hardware List — Same-Day Retail

Component	Model	Source	Cost	Role
GPS Tracker	LandAirSea 54	Walmart delivery	$35	Vehicle location on independent LTE
Cellular Hotspot	AT&T GoLink 5G	Walmart delivery	$59	Dedicated WiFi for cameras — no facility network
Prepaid SIM	AT&T Prepaid SIM Kit	Walmart delivery	$5	Hotspot data
Security Camera ×2	Arlo Essential Pan/Tilt 1080p	Walmart delivery	$40 ea.	360° auto-tracking, cloud storage, motion alerts
UPS Backup ×2	APC Back-UPS 450VA BN450M	Walmart curbside	$56 ea.	Power resilience — chained for 7hr runtime

One-Time Hardware Total$280.44

Monthly Operating Cost~$60 / mo

GPS subscription ~$25 + AT&T prepaid data ~$35no long-term contracts

Architecture — Defense in Depth

Four Independent Layers — No Single Point of Failure

The key design principle: the GPS tracker operates on its own LTE SIM, completely independent of the WiFi hotspot and cameras. Destroying the cameras does not defeat tracking. Cutting facility power does not defeat cameras. Disabling the hotspot does not defeat GPS. There is no single action that defeats the full stack.

LAYER 01

GPS Tracking

LandAirSea 54

Real-time vehicle location via LTE. Magnetic, concealed on frame. Continuous location history with timestamped breadcrumb trail.

Own LTE SIM — fully independent

LAYER 02

Surveillance

2× Arlo Essential Pan/Tilt

360° auto-tracking, 1080p color night vision, motion alerts, live view, cloud-stored clips. No facility network dependency.

WiFi via dedicated hotspot

LAYER 03

Network

AT&T GoLink 5G Hotspot

Dedicated cellular WiFi exclusively for cameras. No reliance on facility network infrastructure at any point. Corrugated steel attenuates but rarely kills LTE at typical signal levels — if signal is marginal, a $15 external magnetic-mount antenna fixes it before reaching for anything more complex.

AT&T LTE — independent of GPS SIM

LAYER 04

Power Resilience

2× APC UPS BN450M chained

Sustains cameras and hotspot for 7 hours if facility power is cut. Self-contained battery — no dependency on facility power.

Self-contained — 7hr runtime

Advanced Tier — Local NVR + SIEM

Raspberry Pi 5 · Debian 12 · Frigate · Wazuh

The base stack relies on cloud-hosted video storage — creating dependency on camera manufacturer infrastructure and subscription status. For higher-assurance deployments, a local NVR layer eliminates both dependencies and adds SIEM-style alerting and compound event correlation.

Hardware Platform

Raspberry Pi 5 (16GB RAM) running Debian 12 Bookworm arm64 — minimal server install, no desktop environment, no Raspberry Pi OS. Debian was chosen deliberately: clean apt ecosystem, full systemd service management, no Pi-specific cruft. Production-grade base for a headless security appliance. NVMe HAT for OS partition, USB 3.0 SSD for Frigate recording storage on a separate partition — recording I/O cannot affect OS stability.

OS & System Architecture

Base OS — Debian 12 Bookworm (arm64)

Minimal server install. No GUI. No Raspberry Pi OS overlay. Flashed via rpi-imager with official Debian arm64 image. Docker CE (official arm64 build) manages application containers. systemd manages Docker. No snap, no flatpak, no Pi-specific package overlays.

Hardening Baseline

ufw default-deny inbound. SSH key-only authentication, password login disabled. fail2ban on SSH. Unnecessary services disabled at boot. auditd for system call logging. Management access only over WireGuard tunnel — no open inbound ports from public internet.

Application Stack

Frigate NVR — Docker (arm64)

Ingests RTSP streams from any ONVIF-compatible camera. Records H.264 to local SSD. Object detection via YOLOv8 — person, vehicle, and animal discrimination reduces false positive alert fatigue. Publishes detection events to MQTT. Web UI bound to localhost only — not exposed externally. Google Coral USB Accelerator offloads YOLO inference from CPU entirely via USB 3.0. Without Coral, Pi 5 CPU handles 2-camera deployments adequately — Coral recommended for 24/7 sustained operation.

Mosquitto MQTT Broker — systemd (native, not containerized)

Lightweight publish/subscribe broker. Frigate publishes detection events per camera per object class. Python event collector subscribes. Runs as a native systemd service for lower overhead than containerized alternatives. Decoupled, reliable, minimal footprint.

Python Event Collector — systemd service with auto-restart

Custom Python service. Subscribes to Mosquitto MQTT feed. Normalizes Frigate event payloads into structured JSON log entries: camera ID, object class, confidence score, clip path, UTC timestamp, GPS correlation query against LandAirSea API. Forwards enriched events to Wazuh agent via local socket. systemd unit ensures automatic restart on failure.

Wazuh Agent — arm64, systemd

Ships normalized detection events and local system logs (auditd, auth.log, syslog) to Wazuh manager on the backhaul server. Official arm64 packages supported. Provides the bridge between the Pi sensor layer and the centralized SIEM.

WireGuard VPN — kernel-native, wg-quick

Kernel-native on Debian 12 — no DKMS, no module compilation. wg-quick manages the interface as a systemd service. All Pi-to-backhaul traffic routes through the encrypted tunnel. No open inbound ports on the Pi from the public internet at any point. Camera traffic and SIEM data never traverse the public internet unencrypted.

Backhaul Server — SIEM

ZimaBoard 832 or equivalent x86 low-power always-on machine at a trusted fixed address — home lab or VPS. Runs: Wazuh Manager + Elasticsearch + Kibana (Wazuh stack), WireGuard peer endpoint, optional Frigate clip archive mount via rsync. Wazuh correlation rules fire on compound events — person detection combined with GPS position change within the same 60-second window elevates alert severity above either event alone. All events timestamped, retained, and exportable to support a claim.

What the advanced tier adds: Local footage retention independent of cloud status. Object-level detection with confidence scoring. Compound event correlation across camera and GPS data streams. Full forensic event chain from camera detection through MQTT through Wazuh to export — forensic-quality timestamp integrity that supports a claim. Encrypted backhaul means monitoring infrastructure is not visible or accessible from the facility network.

Advanced Tier Hardware Cost

Raspberry Pi 5 16GB + NVMe HAT + SSD~$185

Google Coral USB Accelerator~$65

Backhaul server (ZimaBoard 832)~$200

Debian 12 + Docker + Wazuh + WireGuard (OSS)$0

Advanced Tier Add-On (one-time)~$450

Total combined deployment — base + advanced: ~$730 one-time + ~$60/month. Less than a single month of a commercial monitored security system with more control, more visibility, and more evidence-grade output.

Insurance Reference — Evidence Value

Evidence Generation Built In from Day One

Without this stack, an insurance claim is your word against the adjuster's lowball. With it, the claim arrives pre-documented: GPS breadcrumb showing the asset leaving the property, timestamped camera clip of unit entry, hardware receipts proving the stack was deployed before the loss. The adjuster has nothing to push back on. That's what this section documents.

Evidence Type	Source	Insurance Value
Real-time GPS location history	LandAirSea 54 via LTE	Proves asset location at exact time of loss
Timestamped entry/exit video	Arlo cloud + local NVR (advanced)	Documents who accessed unit and when
Motion event clips + alert log	Arlo app + SIEM export (advanced)	Establishes exact incident timeline
Hardware purchase receipts	Retail order history	Proves security measures were in place at time of loss
SIEM forensic event log	Wazuh / Graylog (advanced tier)	Forensic-grade timestamped record of all events

Note: This stack is not a substitute for renters or vehicle insurance — it is a deterrence and evidence layer that materially strengthens any claim. Deploy the stack regardless of coverage status. Then get the insurance.

Known Limitations

What This Stack Does Not Defend Against

This architecture is designed for the opportunistic threat profile. It is not designed to defeat a technically sophisticated, targeted adversary with unlimited preparation time.

Limitation	Detail	Mitigation
RF Countermeasures	Active RF scanning equipment can detect GPS LTE transmission. Requires specialized hardware outside the opportunistic profile.	Concealed magnetic mount in location requiring disassembly to access. Deployment location not documented publicly.
Faraday Shielding	Faraday shielding defeats a tracker only after it's been located. On a concealed mount inside a vehicle or large asset, location requires RF scanning equipment or destructive disassembly — neither of which opportunistic thieves carry. By the time anyone is sweeping a stolen asset, the breadcrumb data has already established its path off the property.	Concealed mount is the mitigation. Finding the tracker is the hard part.
Camera Blind Spots	Two cameras provide wide coverage but not guaranteed full-unit coverage depending on layout.	Pan/tilt auto-tracking compensates. Unit layout assessed at deployment.
Cloud Dependency (Base Tier)	Arlo cloud storage requires active subscription and connectivity for retrieval.	Advanced tier local NVR eliminates this dependency entirely.

Implementation Services

Barr Cyber Can Deploy This for You

Barr Cyber LLC — Physical Asset Security

From the Budget Build to a Full SIEM Stack — Scoped, Deployed, Documented

Barr Cyber LLC designs, sources, and deploys physical asset security stacks as a contracted service. Every component in this case study — and every tier above it — can be implemented for you, verified end-to-end, and handed over with full documentation and app access. No proprietary ecosystem lock-in. No ongoing dependency on Barr Cyber unless you want it.

→Budget Build Deployment — Hardware sourced, GPS mounted and activated, cameras installed and paired to hotspot, UPS units chained and verified, all apps configured on your device. Live feed and GPS ping confirmed before handoff.

→Advanced Tier Deployment — Full base tier plus Raspberry Pi 5 NVR appliance on Debian 12, Frigate with object detection tuned to your camera layout, Mosquitto and Python event collector operational, WireGuard tunnel to backhaul server, Wazuh SIEM live with compound alert rules configured.

→Custom & Scaled Deployments — Construction sites, remote properties, marine assets, agricultural equipment, multi-unit facilities, small business after-hours. If the asset has value and sits unattended, the framework fits. Barr Cyber scopes and deploys to your specific threat model.

→Threat Model Assessment — Controls matched to actual likelihood before hardware selection. No checkbox security, no oversold gear.

→Full Deployment Documentation — Every configuration, every credential, every dependency recorded and handed over. Any future technician can pick it up.

Hardware is passed through at cost — no markup. You pay exactly what Barr Cyber paid for the components, receipts on file. What you are paying for is the logic: the threat model assessment, the architecture design, the deployment, the configuration, the verification, and the documentation. Call or email for a quote on system setup for either the budget build or the advanced tier. Scope and location determine the labor figure. Hardware cost is fixed and transparent.

713-882-0902 · warren@barr-cyber.com · barr-cyber.com

Full Case Study

Download Complete Documentation

The full case study includes the complete threat model, bill of materials, defense-in-depth architecture, advanced tier stack specification, insurance evidence framework, and known limitations — print-ready.

Download Full Case Study — PDF →

Storing Something Worth Protecting?

Self-storage, construction equipment, remote property, marine assets — the framework scales. Barr Cyber scopes, designs, and deploys to your threat model. Hardware at cost. You pay for the logic.

Get in Touch 713-882-0902 Download PDF More Case Studies