Same candidates. Different workload. Different winner.

v1 scores four candidate sets across three components of the modern security-data stack:

• OLAP engines. Five candidates: ClickHouse, Uncle Rico, Trino, StarRocks, DuckDB. Nine scoring criteria from raw query performance through cost-to-serve (compute-$/effective-TB-scanned) to in-house skill base.
• Table formats + catalogs (bundled). Four paired choices: Iceberg+Polaris, Delta+Unity, Iceberg+Nessie, Iceberg+AWS Glue. Ten criteria spanning multi-engine portability, RBAC depth, schema evolution, cost-to-serve, and cloud-native posture.
• Observability pipelines. Four candidates: Tenzir, Cribl, Vector, Kafka Connect. Nine criteria including default reduction ratio, OCSF fidelity, lock-in, and cost-to-serve net of reduction.

Each component is scored separately under each archetype, and the archetype is what makes the orderings comparable. Without an explicit archetype, every reader brings their own implicit one, and the conversation breaks down before it starts.

v1.2 publishes three archetypes for each component — multi-engine open / single-vendor managed / AWS-native lake for Formats+Catalogs, with parallel Zeek-heavy-SOC / multi-source-federated / AWS-native framings for Engines and Pipelines. Nine scoring runs total. Engagements that don't fit the published archetypes get a fourth archetype defined during scope-of-work.

Orderings only. Per-criterion scores, weighted totals, and the full Metric Decision Records ride paid IP per the public-vs-paid line further down. The orderings here are the headline finding, useful to anchor a conversation, not sufficient to ground an architecture decision on their own. Asterisks mark orderings that currently rest on Tier-B or Tier-C evidence; the trigger for Tier-A upgrade is named in the cadence section.

The cost-to-serve lens

Cost-to-serve at retention, the modeled all-in cost to land, store, and query one effective GB over the retention you actually keep rather than the list rate, is the dimension most buyers decide on, so it is weighted explicitly in every component and it is part of what drives the orderings below. It reads in effective terms because compression, tiering, and ingest reduction pull real cost roughly an order of magnitude away from sticker price, and the gap between a vendor's claimed cost and its measured effective cost is itself part of the score.

Where it moves the ranking: under the Engines Zeek-heavy-SOC archetype, ClickHouse's effective compute-cost-per-TB-scanned, anchored by the lab's measured advantage on a 10M-event Zeek workload — ClickHouse runs the hunting-shaped aggregations 21–62× faster than a schema-on-read SIEM (46.8× on the five-query average; the index actually wins the simple lookups), answer-equality verified, single-node Tier B — and 8.2× compression over the same foil, reinforces its #1, because there it is both the fastest and the cheapest to run. Under the Pipelines cost-reduction-led archetype, Tenzir's default reduction ratio is the cost lever that holds its lead, since cost-to-serve is scored net of reduction. And at the AWS-native and lock-in-sensitive archetypes, cost-to-serve is what tilts the ordering toward native-service pricing and OSS economics, lifting Vector at Pipelines C and Iceberg+AWS Glue at Formats C. The effective-cost numbers stay paid; the ordering effect is what's public. A first-party run on the reference stack in June 2026 corroborates the storage side of that cost directly: over a shared OCSF corpus the columnar lakehouse returned the same answers as an OpenSearch schema-on-read foil while occupying one-seventh the footprint, the kind of measured ratio the cost-to-serve weight is built on.

OLAP engines

The per-archetype engine ranking shifts substantially with the workload weights: the candidate that leads a Zeek-heavy SOC is not the one that leads a federated lakehouse or a serverless-within-AWS estate. ClickHouse leads Archetype A on recurring-query latency, and across the three archetypes StarRocks, Trino, and DuckDB change order as the weights change. The full scored ranking — including engines evaluated under vendor benchmark-publication terms — is engagement / NDA content rather than a public leaderboard, per the public/paid line.

* Archetypes B and C rest on practitioner accounts + vendor production references for federation performance, concurrency, and AWS-native ops integration depth. The single-host engine-join-specialization bench ran 2026-06-10 (Tier B) and anchors raw-perf and join specialization on single-host evidence, and the cluster regime — federated-join scenarios and Athena head-to-head against the leading OLAP engines on identical Iceberg-on-S3, plus distributed multi-node — is the open Tier-A gap. Ahead of that work, the reference stack already verifies that the candidate engines return identical answers on one shared OCSF/Iceberg table, so the cross-engine comparison starts from equal answers rather than answers that only look equal, and a single-host latency snapshot over the same table bears out the premise behind these orderings, that the per-workload winner changes and engine specialization is a property of scale and concurrency, which a concurrency sweep bears out directly: the server engines turn added clients into throughput while the embedded engine's per-query tail latency degrades. v1.2 promoted Athena from implicit reference to explicit Engines-C candidate, and with the v1.3 native-IP-type criterion added it now leads Archetype C at the top of the engine ordering, edging past the next candidate inside the per-criterion noise floor.

Table formats + catalogs (bundled)

* Archetypes B and C currently rest on AWS Security Lake production references (Tier A on availability) plus practitioner accounts on RBAC behavior at scale (Tier B). The Q3 2026 catalog comparison benchmark (Polaris, Nessie, Unity, Glue on identical workload with catalog-enforced RBAC scenarios) anchors RBAC and ecosystem maturity at Tier A and may compress or widen the gaps.

Observability pipelines

* Tenzir's OCSF fidelity score is currently Tier B/C (production references exist but no published head-to-head audit at petabyte scale). Cribl's production-evidence base is Tier A/B (50+ Fortune-100 references). The lab's head-to-head pipeline benchmark with OCSF lossiness measurement, targeted for ~Q1 2027, closes that asymmetry. v1.2 promoted Kinesis Firehose+Lambda from implicit reference to explicit Pipelines-C candidate. The top-3 spread at Archetype C is just 0.20 points across three genuinely different procurement postures, with the customer's lock-in posture as the pivot rather than a single winner.

The orderings on this page are the visible part of the matrix. The Metric Decision Records, per-criterion scores, assumptions registry, cross-component coupling notes, and evidence-completeness audit all live behind the engagement.

The discipline is what makes the matrix portable; the scoring is what makes a specific engagement actionable. The public surface and the paid surface map to that distinction.

Public.

• The methodology: criterion taxonomies, archetype definitions, scoring rules.
• The five validation patterns above.
• Per-archetype orderings (the rank tables on this page).
• Disclosure flags on every candidate where a relationship could shape interpretation.
• Refresh triggers (what benchmark or vendor announcement would force a re-score).

Paid.

• Per-criterion scores for every candidate × archetype combination, with evidence tier and citation.
• Weighted totals with lower/upper bounds when null values propagate.
• The full Metric Decision Records (currently MDR-0001 through MDR-0025) with provenance (public-data, assumption, benchmark, methodology) for every scoring decision.
• The assumptions registry with refutation criteria.
• Cross-component coupling worksheets for engagement-specific stack proposals.
• The internal scoring runs and qualitative notes that show where the matrix's recommendation is one benchmark away from flipping.

The 4-6 week scrub.

Per-archetype orderings move from paid to public after a 4-6 week delay, long enough that engagements completed in that window get the current ordering, yet short enough that the public surface doesn't drift meaningfully out of sync with the practice. The current public orderings on this page reflect the v1 internal scoring run dated 2026-05-25; the cost-to-serve criterion entered the published methodology on 2026-06-04, and its rank-level effects publish on the same scrub cadence, with its direction across the current orderings described in the cost-to-serve lens above. The next refresh will land after the Q3 2026 catalog comparison benchmark anchors the largest open Tier-A evidence gap.