Security Data Works

Engagements

Three principles, productized.

Trustworthy data for well-connected insights in performant, manageable architecture. Three offerings across two delivery models. The operational tracks (Offerings 1 and 2) run in sequence; the design track (Offering 3) is the architecture work. The Advisory Retainer continues across whichever offerings are active.

Engagements above $25K include a 6-month matrix subscription plus 2 quarterly reports. Fixed price over hourly. Each engagement quotes a fixed fee scoped to deliverables. No body-shop hours, no surprise invoices.

Most engagements start here

Modernization Discovery · $20K · 2 weeks

A paid two-week wedge that sizes the larger assessment before you sign it: a Capability Matrix shortlist scoped to your workload, a half-day reference-architecture workshop, and a Splunk billing-and-license audit. The full $20K credits toward the Migration Assessment if you sign within 90 days, so the first step de-risks the engagement rather than committing you to it.

See the Modernization Discovery wedge →

Design track · Service Offering 3

MOAR Architecture Design

→ Performant · Architecture

MOAR (Modular Open Architecture) is the design track for greenfield or post-Splunk environments. There are three entry points. Modernization Discovery is the paid two-week wedge (Capability Matrix shortlist, reference-architecture workshop, and Splunk billing audit) that sizes the assessment before you sign it. The Splunk-to-MOAR Migration Assessment is the flagship migration analysis, anchored on the re-run benchmark: on a 10M-event Zeek workload, ClickHouse runs the hunting-shaped aggregations 21–62× faster than a schema-on-read SIEM (46.8× on the five-query average; the index actually wins the simple lookups), answer-equality verified, single-node Tier B. The Architecture Assessment is the full vendor-neutral review against the matrix, covering storage, engine, 3-year TCO, and a phased roadmap. Validated on your workload, not the brochure.

The design track in full — principles, detection strategy, economics, roadmap →

The Architecture Assessment review runs against the matrix; you can see how that scoring works on the worked scorecard.

Continuity

Implementation Support · Advisory Retainer

Ongoing · $5K–$40K/mo

Embedded (1–2 days/wk during active migration), advisory (monthly strategy plus async review), or workshop (1–3 days). Continues across whichever of the three offerings are active.

Read the engagement detail →

What customers are seeing

Measured outcomes from production deployments.

These are publicly attributable numbers from teams running the patterns the matrix recommends. Each is sourced; none are SDW marketing. Full pipeline detail and trade-offs live on references; the engagement narratives behind comparable numbers — anonymized — live on case studies.

$70K → $5K /mo

Huntress migrating off Elasticsearch onto ClickHouse Cloud. ~93% cost reduction at the analytics tier; throughput grew to 200K records/sec.

ClickHouse · published

46.8× faster

SDW Zeek benchmark (single host, Tier B), CV-gated re-run, answer-equality verified. ClickHouse native vs. a schema-on-read SIEM foil on an identical 10M-event workload — 46.8× on the five-query average, 21–62× on the hunting-shaped queries (the index wins simple lookups). 8.2× compression.

ClickHouse · reproducible

9 mo → 5 days

Ziggiz.ai Cyber Lakehouse-as-a-Service. Tenant onboarding compressed. 30–50% cost reduction vs. three leading SIEMs (Ziggiz-published).

Databricks · published

80% faster TTD

Standard Chartered replaced a traditional SIEM with a self-managed Databricks lakehouse — 80% faster time-to-detect, 92% faster investigation, ~35% cost reduction (bank-reported, DAIS 2025).

Databricks · published

40% volume cut

Yale New Haven Health across 30K endpoints migrating to Microsoft Sentinel via Cribl Search query-in-place. Fortune 1000 deployment hit 99.99% on the same pattern.

Cribl Search · published

<100ms

Palo Alto Networks (Cortex XSIAM) event-to-rule firing on streaming SQL. Production-validated; eliminates the batch-index five-minute vulnerability window.

RisingWave · published

64% TCO at 1 TB/day

SDW TCO model for the route-reshape-reduce pattern at exchange-scale workload. 35% savings at 100 GB/day for smaller shops.

Cribl pipeline · modeled

Headline numbers travel; the methodology and caveats travel with them. Each outcome is either published by the deploying team, reproducible via the SDW benchmark methodology, or documented in the research surface, with evidence tier and confidence stated.
