Security Data Works

Independent practice

The benchmarks vendors won't run.

An independent security-data-engineering practice. I benchmark the platforms vendors won't, publish the method and code, and use the evidence to move teams off Splunk-era SIEMs onto open architecture they own.

The real question was never which single product replaces Splunk; it's how you compose open data-engineering tools around each workload, with evidence for which engine does which job well.

The lab · proof on this page

Every benchmark is yours to re-run.

Zeek analytical workload · 10M events · single-node Docker

145× faster

ClickHouse vs. schema-on-read SIEM on identical workload. Methodology and caveats published; reference implementation under NDA.

ClickHouse Native · 0.19 s
Dremio + Reflections · 1.00 s
Schema-on-read SIEM · 27.52 s

Reproducible Docker lab · methodology and code shared during engagement scoping · public repository queued for launch

Who this is for · start here

Find the path that fits the problem you have.

  • An architect evaluating life off Splunk: start with the Capability Matrix and the head-to-head evidence in the Lab.
  • A security leader facing a SIEM renewal: the Migration Assessment scopes what moving would actually take.
  • A team drowning in detection maintenance: read DetectFlow, where the detection-engineering load moves off the analyst.

Why now

Why the SIEM model is breaking.

01

Attackers are faster than your detection cadence.

Mandiant's M-Trends 2026 shows exploitation landing, on average, 7 days before patch release. CrowdStrike's 2026 Global Threat Report clocks the fastest recorded attacker breakout at 27 seconds. The AI tooling making this possible is now open-weight.

02

Query performance has flipped.

On a 10M-event Zeek workload, ClickHouse runs 145× faster than the dominant schema-on-read SIEM (the Splunk-style model that parses and indexes every field at search time, which is what makes large historical queries slow). Same data, same hardware, same queries; methodology in the lab, deeper walkthrough in ClickHouse at petabyte scale. The architecture that schema-on-read indexing was sized for is gone.

03

Storage cost has flipped too.

Object storage plus columnar formats (which store each field down a column instead of row by row, so a query reads only the fields it needs) compress 8.2× in our benchmark. Netflix, Huntress, and Insider run multi-petabyte security data lakes at costs SIEM customers can't get. The tradeoff: data freshness.

04

Stream processing closes the freshness gap.

Modern stream engines handle thousands of near-real-time detections in the same time SIEMs handle dozens. The next move, federated query over source-retained data, is closer than vendors will admit.

The wire protocol

Engine portability is only real if the driver is too.

An aside for architects: if you're scoping the business case rather than the plumbing, skip to the proof below.

ADBC replaces JDBC and ODBC, the database drivers from 1992 and 1997, with a columnar-native one. DuckDB reports a >90% query-time reduction on analytical workloads (Tier B; the gain concentrates on wide tables and large result sets where row-by-row serialization dominates, not on every query). It's the layer that lets you swap query engines without rewriting the analyst's tool stack.

Arrow and ADBC: the columnar wire protocol →

>90%

less query time, ADBC vs JDBC/ODBC on analytical workloads (DuckDB, Tier B)

The product

The Capability Matrix.

A scoring matrix for security data tools, weighted to your workload. Public methodology and candidate catalog; the engagement-internal weighted scoring is the paid asset.

Its hard evidence is the Lab. Reproducible head-to-head benchmarks, methodology and code in the open, re-runnable on your own data. The score is measured, not asserted.

Refreshed quarterly · benchmarks re-runnable from public methodology.

The reasoning behind the scores lives in the long-form writing, and the open questions still being worked sit in the research notes.

See the matrix →

The operating frame

Disclosure-forward.

No reseller margins. No vendor-paid placements. Active partnerships disclosed in SOW Appendix B before any engagement begins.

The Matrix evaluates against the disclosure, not around it. An active partnership with one vendor doesn't move the score of a competitor. Compensation, placement, method, and review are spelled out as four operating commitments.

Annual external review of published results · first review Q4 2026.

Read the four commitments →

Ready to put the numbers to the test?

Every benchmark ships with public methodology and code, ready to reproduce on your own workload. A 30-minute call scopes which engagement fits.

Not ready to talk yet? Subscribe for new benchmarks and writing as they publish.