Vendor blueprints
The blueprint, with what’s unproven stated.
The weakest evidence class, and labeled as such: a vendor-proposed pattern with no named production validator yet. Each is read in four threads — what ships today, what doesn’t ship yet, what it changes for architects, and the honest critique — so the gap between the announcement and the deployment stays visible. A blueprint graduates toward a teardown the day a named production validator exists; not before.
Vendor blueprint · prerelease
Vendor blueprint · 4 threads
Splunk Machine Data Lake
Announced September 8, 2025 at .conf25; alpha confirmed February 2026; no GA date public. Splunk's response to lakehouse-native security: a schema-less…
Vendor blueprint · prerelease
Databricks Lakewatch — open, agentic SIEM
Announced March 24, 2026, Private Preview. Databricks publicly positions Lakewatch on Unity Catalog, Delta Lake, and Apache Iceberg — open table formats…
Vendor blueprint · ELT pattern
Fivetran + dbt — ELT for the security data lake
Managed extraction (Fivetran) plus in-warehouse transformation (dbt) as the ELT spine of a security data lake: Fivetran lands cloud, identity, and SaaS logs…
Vendor blueprint · SDPP category
Security data pipeline platforms — the in-flight tier
The pipeline tier has two shapes. Warehouse ELT (Fivetran + dbt) extracts, loads, then transforms in the warehouse. SDPP route, reduce, reshape, and normalize…
Vendor blueprint · partnership
Dremio + VAST Data — Zero Trust cyber lakehouse
Announced May 2, 2024. A jointly-marketed "Zero Trust" cyber lakehouse: Dremio's SQL engine and semantic layer over VAST Data's all-flash DataBase, with OCSF…
See how the pattern lands on your workload.
The matrix scoring that justified each reference architecture's tool choices is the paid deliverable. The benchmark behind it is public — reproduce it on your own workload, then book a call to scope the work.