Security Data Works

Public production architecture teardown

Comcast — Security data fabric on Snowflake

Cybersecurity at Comcast moved off siloed, single-tool analytics onto a unified, Snowflake-backed security data fabric: one normalized schema across endpoint, identity, cloud, and network telemetry, with elastic compute running IOC sweeps, threat-hunting deep dives, and continuous controls assurance against the same store. The platform was later commercialized as Comcast Technology Solutions' DataBee.

10+ PB

Security telemetry under hot retention longer than one year. Automated sweeps of 50,000+ indicators of compromise across the full 10 PB complete in under 30 minutes — a query envelope that's structurally out of reach on indexed SIEM hot tiers at the same retention cost.

The pipeline

  1. Sources

    Endpoint · identity · cloud · network

    Enterprise-wide telemetry across business units

  2. Normalize

    Unified schema

    Single semantic layer across previously siloed tools

  3. Store

    Snowflake (separated storage + compute)

    10+ PB; >1-year hot retention; elastic warehouse sizing

  4. Detect

    ML models + IOC sweeps

    50K IOCs across 10 PB in <30 min; timeseries analytics for threat detection

  5. Serve

    SOC + compliance + executive

    Self-service dashboards; continuous controls assurance; risk-posture views

What composes, what’s brittle

  • 50K IOCs / <30 min. Sweep across the full 10 PB envelope — the elastic-compute claim made concrete.
  • Why Snowflake. Separated storage and compute lets IOC sweeps, ML training, and ad-hoc hunts run without contending for one fixed cluster.
  • Schema-on-write. Unified semantic layer normalizes at ingest — queries don't repay the parsing tax that schema-on-read SIEMs charge per dashboard.
  • Productized. Now Comcast Technology Solutions' DataBee — security/risk/compliance data fabric for large enterprises.
  • What's distinctive. Same store serves SOC analysts, compliance, threat hunters, and executives without copy-out.
  • What's brittle. Snowflake credit consumption at high-frequency dashboard queries; warehouse-sizing discipline matters; the 2024 Snowflake-tenant credential incidents underline customer-side MFA hygiene as a control, not a vendor flaw.
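As an added example (not Comcast's or DataBee's code; the schema name, table names, columns and the 400-day window are assumptions), this is what the schema-on-write table plus a set-based IOC sweep from the list above looks like in Snowflake SQL. The sweep joins the flattened indicator pairs against the whole IOC table in one scan, rather than chaining 50,000 OR terms.

```sql
-- Added illustration, not Comcast's or DataBee's actual schema: one
-- schema-on-write event table (normalized at ingest) plus an IOC table,
-- then a single set-based sweep instead of a 50K-term OR chain.
CREATE OR REPLACE TABLE sec.normalized_events (
    event_time      TIMESTAMP_NTZ NOT NULL,
    source_product  STRING,   -- 'edr', 'idp', 'cloud_audit', 'netflow' ...
    event_class     STRING,   -- 'process', 'auth', 'api_call', 'flow'
    src_ip          STRING,
    dst_ip          STRING,
    domain          STRING,
    file_sha256     STRING,
    raw             VARIANT   -- original record kept for investigation
)
CLUSTER BY (TO_DATE(event_time));   -- lets the time predicate prune micro-partitions

CREATE OR REPLACE TABLE sec.iocs (
    ioc_type   STRING NOT NULL,   -- 'ipv4', 'domain', 'sha256'
    ioc_value  STRING NOT NULL,   -- normalized: lowercase, no trailing dot
    source     STRING,
    added_at   TIMESTAMP_NTZ
);
-- The sweep. One scan of the event table: each row is flattened into its
-- (type, value) indicator pairs, which hash-join against the whole IOC list.
-- Bound the scan to the hot-retention window so the clustering key does its job.
WITH event_indicators AS (
    SELECT e.event_time, e.source_product, e.event_class, e.raw,
           f.value:type::STRING AS ioc_type,
           f.value:val::STRING  AS ioc_value
    FROM sec.normalized_events e,
         LATERAL FLATTEN(INPUT => ARRAY_CONSTRUCT(
             OBJECT_CONSTRUCT('type', 'ipv4',   'val', e.src_ip),
             OBJECT_CONSTRUCT('type', 'ipv4',   'val', e.dst_ip),
             OBJECT_CONSTRUCT('type', 'domain', 'val', LOWER(e.domain)),
             OBJECT_CONSTRUCT('type', 'sha256', 'val', LOWER(e.file_sha256))
         )) f
    WHERE e.event_time >= DATEADD(day, -400, CURRENT_TIMESTAMP())
      AND f.value:val IS NOT NULL   -- OBJECT_CONSTRUCT drops NULL values, so missing keys fall out here
)
SELECT i.ioc_type, i.ioc_value, i.source AS ioc_source,
       ev.source_product, ev.event_class,
       MIN(ev.event_time) AS first_seen,
       MAX(ev.event_time) AS last_seen,
       COUNT(*)           AS hits
FROM event_indicators ev
JOIN sec.iocs i
  ON i.ioc_type = ev.ioc_type AND i.ioc_value = ev.ioc_value
GROUP BY 1, 2, 3, 4, 5
ORDER BY hits DESC;
```

Sizing the warehouse up for the sweep and back down afterwards is the credit-discipline point from the brittle list; the query itself does not change.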

Sources: Snowflake customer case study, "Cybersecurity at Comcast Integrates Snowflake Into Its Security Data Fabric" · Comcast Technology Solutions DataBee press release · SDxCentral coverage ("Comcast's security data fabric taps Snowflake Data Cloud for scalability").

See how the pattern lands on your workload.

The matrix scoring that justified each reference architecture's tool choices is the paid deliverable. The benchmark behind it is public — reproduce it on your own workload, then book a call to scope the work.