Project 1 · MOAR
Modular Open Architecture for security data.
A traditional SIEM bundles everything (collection, storage, search, detection, dashboards) into one vendor's stack. MOAR un-bundles it. Each layer is a deliberate choice from open formats and purpose-fit tools, connected by open standards (Iceberg, OCSF, and an open catalog contract). You can swap any single component without re-platforming the others. Costs drop because the data platform stops paying SIEM-grade prices for storage and historical search. Performance rises because each layer is purpose-built. Vendor lock-in becomes a deliberate trade-off, not a default.
The components
Seven components: Component 0 frames the six the data moves through.
MOAR is the same vocabulary the capability matrix scores, with no separate acronym to learn. Above all of it sits one framing decision, Platform Pattern (Component 0 on the matrix): whether you compose these yourself or buy a managed bundle that pre-integrates several of them (Databricks, AWS Security Lake, Snowflake). The other six are where the source data flows through three stages (Ingest, Store, then Analysis) ending in the security tasks the data serves. The matrix scores a tool at each layer; the component numbers are that scoring identity, so they read out of sequence here. The order below is the data flow, not the matrix index. Each layer has clean interfaces, so any one can be swapped without re-platforming the rest.
Ingestion / Route.
Component 4 · scored on the matrix · pipelines essays
The ingestion and routing tier. Pull from sources, normalize to OCSF, land in the lake. Tenzir, Vector, Cribl Stream, Kafka Connect, native shippers. The choice tracks source count and operational complexity tolerance. At 100+ sources, the routing tier stops being optional. At 500+ it dominates the operational work. The DSPM infrastructure analysis covers why the routing layer is the prerequisite for everything the policy-layer marketing claims.
Lakehouse / Storage Format.
Component 1 · scored on the matrix · lakehouse essays
The open table format that is the source of truth for all retained telemetry. Apache Iceberg, Delta Lake, or Hudi. Snapshot-based ACID semantics, time-travel for audit, schema evolution that doesn't break downstream consumers. This is the component that makes every other one portable: replace the engine without touching the data, replace the catalog without re-ingesting.
Catalog / Metadata.
Component 2 · scored on the matrix · catalogs essays
The catalog and metadata service. What makes the lake queryable from many engines simultaneously. Hive Metastore at the legacy end, Polaris (Iceberg-native, Snowflake-led OSS) and Nessie (Git-style table versioning) at the modern end, Unity Catalog when fine-grained governance is the binding requirement. The catalog choice is where the lock-in lives; the Databricks/Iceberg analysis walks through why. One honest caveat on where this layer earns its place: at single-node SOC scale it pulls its weight less from query performance, because the engines answer sub-second whether or not a separate catalog is brokering metadata, and more from governance, lineage, and letting several engines read the same tables without stepping on each other, so its weight in the decision rises with scale and with the number of engines sharing the lake, which makes the catalog a scale-and-governance bet rather than a layer every deployment needs on day one.
Storage Tier.
Component 6 · scored on the matrix · economics essays
The physical object store underneath the table format. S3 (Standard, Infrequent-Access, Glacier), MinIO, Wasabi, NetApp, or Dell ECS. Distinct from the format because the tiering shape is its own decision; it's the retention-cost lever, and the cold-tier choice is where the five-year-retention math is won or lost. The table format makes the data portable; the storage tier decides what keeping it costs.
Query Engine.
Component 3 · scored on the matrix · engines essays
Query execution against the lake. ClickHouse for dashboard-driving and scan-everything workloads (sub-second P95 on the published Zeek benchmark; 46.8× faster than the dominant schema-on-read SIEM on the five-query average and 21–62× on the hunting-shaped queries, where the index wins the simple lookups, answer-equality verified, single-node, Tier B). Dremio for the semantic layer plus Reflections-driven acceleration on shared datasets. StarRocks for Iceberg-native columnar analytics. Trino for federation breadth across heterogeneous sources. DuckDB for embedded or serverless analyst-laptop workloads. Most production deployments use two engines split by use case, occasionally three; the framework documents this on the decision-framework page.
Graph / Visualization / Analyst UX.
Component 5 · scored on the matrix · detection essays
This layer is usually a passthrough rather than a build decision. The shop almost always already has somewhere its analysts work — Grafana, Superset, a custom hunt UI, or the incumbent SOC consoles (Splunk, Elastic, Sentinel) kept for federated read during a transition — and you can go many directions from here, including the AI tooling that increasingly sits above or beside the analytics. I don't try to be exhaustive about that overlying layer, because it isn't where the trust problem lives and it changes faster than anything underneath it. The intent runs the other way, to be exhaustive about the optional infrastructures underneath the analytic (storage, table format, catalog, engine, routing) that decide whether the analytic they feed is trustworthy, well-connected, and performant in the first place. Whatever interface you put on top inherits those properties; it doesn't create them.
Proof — MOAR, running
The stack runs, and the answers agree.
The composition below isn't a default to adopt; it's what one set of constraints (single-node SOC scale, open formats, a small team) resolves to, and at other scales and shapes the layers move. With that said, an open architecture is only worth arguing for if it actually runs, and the reference implementation of this one does — one particular composition of those seven layers, which proves the architecture is tractable without proving it's the right composition for every shop: the reference stack writes one OCSF table to object storage and reads it back through five independent query engines (DuckDB, Trino, ClickHouse, StarRocks, and Dremio), across three catalog implementations (the Iceberg REST catalog, Nessie, and Lakekeeper) and two table formats (Iceberg and DuckLake), and a one-command check confirms every one of them returns the identical answer: 1,000 rows written in, 125 RDP connections found, the same count from every engine and every catalog. That agreement is worth verifying rather than assuming, because it doesn't come for free.
Nothing guarantees that agreement. Running the same correctness probe across thirteen Parquet readers on one 10-million-row file, two of them returned a wrong count with no error or warning while the other eleven read it correctly (chDB's newer reader and fastparquet), a fast and confident wrong number that for a security query is a missed detection or a bad compliance figure. That's more than one isolated engine and well short of most, so a wrong answer here is concentrated rather than universal, and the verification is what catches it cheaply. That's why answer-equality runs as a standing check in the stack instead of a one-time test, and why the verification is the part that earns its cost.
Run the same OCSF data into the open lakehouse and into an OpenSearch SIEM and the answers come back identical, but the lakehouse holds them in roughly a seventh of the space, 1.6 MB of columnar Parquet against the SIEM's 11.5 MB index at 200,000 events, the difference being the inverted index and the retained copy of the source the SIEM keeps. This is a single-host measurement, so read it as a footprint ratio rather than a cluster-scale promise, but the ratio is a property of the storage model and it holds at smaller scale too.
Normalization carries a cost too, and the stack measures it instead of assuming it doesn't. On a synthetic but controlled testbed, a coarse, schema-on-read normalization answers the routine SOC questions (counts, top-N, egress rollups) exactly as a fidelity-preserving store does, scoring a degradation of +0.000 on that routine set, on a scale where 0 means the coarse store answers it exactly and 1 means it can't answer at all. But on the adversary-relevant tail (beacon cadence, exact command lines, late-arriving events, identity closure across sources) the coarse store degrades by +0.188 on the de-gamed measurement — real MITRE APT29 telemetry with unmodified SigmaHQ rules, where the adversary tail's recall-loss runs roughly twice that of routine queries (0.35 against 0.16) — and by a larger +0.719 on the gameable synthetic testbed, because it physically discarded the evidence those queries need. The split is the finding: the questions that crater are the ones whose evidence the normalization dropped, and that falls out of the architecture, not the data volume.
Two more properties fall out of the open table format. Three writes produce three immutable Iceberg snapshots in an unbroken parent-to-child chain, and time-travel returns the exact state as of each one, the chain of custody a mutable SIEM index can't provide, at roughly the grade Reg SCI and SEC Rule 17a-4(f) ask for. And on a single host the engines answer the gated workloads in 4 to 14 milliseconds at a million rows, which says the architecture isn't paying for its openness in latency at this scale, though the cluster-scale crossover is a separate measurement the lab carries.
The product this serves is the Capability Matrix; everything above is the evidence behind its scores, run in the open on a stack you can stand up yourself. The lab carries the measured detail and the methodology, the evidence method explains how each claim is graded, and the generic four-phase roadmap is the reference sequence engagements build on. Every number here is single-host and first-party, and it's there to be re-run on your own hardware rather than taken on faith.
Why this works for security data specifically
Five properties that change the economics, not the marketing.
Retention economics flip.
Security data needs long retention for incident investigation and threat hunting. SIEM pricing punishes long retention; the per-GB-ingested model multiplies storage cost across the retention horizon. Lakehouse storage on object storage is cheap (S3 Standard at $0.023/GB-month, Glacier at a fraction of that), and query happens on demand against compressed columnar data. The per-query cost replaces the per-byte-stored cost. For a 5-year retention requirement, the economics aren't competitive; they're a different category.
OCSF-shaped data is portable across engines.
Once telemetry is normalized to OCSF (Open Cybersecurity Schema Framework, the multi-vendor schema standard for security data) and stored in Iceberg, multiple engines can query the same table simultaneously with no copy-out. The published benchmark validates this with four engines reading one Iceberg table on the same workload. The portability isn't theoretical; it's a property the lab verifies on every engine update.
Detection content survives engine changes.
Detection logic written in standard SQL ports cleanly between Trino, ClickHouse, StarRocks, and Dremio. SPL (Splunk's query language) and KQL (Microsoft Sentinel's) don't. The choice of detection-content language is a multi-year commitment that survives most other architecture decisions; standard SQL is the one that travels.
The SIEM doesn't have to die in the migration.
A common transition pattern: keep Splunk Search Head plus Enterprise Security for the SOC analyst experience; move historical retention and ad-hoc analytical workloads to Iceberg plus the chosen engine; federate. Splunk DB Connect is one bridge; native Iceberg integrations are emerging. Skill transition runs 6–18 months in parallel-run rather than a flag-day cutover. The Standard Chartered self-managed-SIEM teardown walks through one shape this transition takes.
Vendor swap-out is real, not a slogan.
Because each layer is bound by open formats (Parquet on disk, OCSF in schema, Iceberg in table format, OIDC in identity), replacing the query engine doesn't touch the data. Replacing the catalog doesn't touch the engine. This is the structural difference between modular and integrated. It's not free; the operational discipline (infrastructure-as-code, monitoring, runbooks) becomes mandatory rather than optional. But the optionality it produces is what justifies the operational work.
Common objections, honestly
The trade-offs are real. Here are the ones that come up most.
"Five components is more operational complexity than one SIEM."
True. The trade is cost, performance, and portability against operational complexity. Operational discipline (infrastructure-as-code, monitoring, runbooks) becomes mandatory rather than optional. For teams that already operate at this discipline level, the complexity is a known cost; for teams that don't, the framework's organizational-constraints phase flags this as a precondition rather than a graceful learning curve.
"Our SOC analysts are trained on Splunk SPL."
Federated approaches preserve the SPL UX during migration. Splunk Search Head over Iceberg via DB Connect or native connectors keeps the analyst-facing UI intact. The skill transition runs 6–18 months as a parallel run, not as a flag-day. Detection content migration is the harder problem; it gets scoped explicitly in the engagement.
"We don't have data engineering capacity."
Then the migration assessment is the first step, sized to surface the gap. If the engineering capacity gap is too large to bridge inside the available budget and timeline, the assessment will say so. The framework's organizational-constraints phase is designed to fail prospects out at this question rather than under-scope the engagement.
"What about compliance, RBAC, and audit?"
Iceberg plus a real catalog (Polaris, Nessie, Unity) provides table-level RBAC, time-travel for audit, and column-level masking. The patterns are documented; the operational work to set them up is real. For regulated environments (financial services, healthcare, multi-region with sovereignty requirements), the catalog choice is the central decision. Unity Catalog's fine-grained governance is mandatory for the shared-corporate isolation pattern; Polaris is sufficient for the isolated-dedicated pattern. The component-criteria page covers the catalog scoring in detail.
When MOAR is not the right answer
Three environments where the operational overhead doesn't pay back.
The migration assessment is designed to surface "no-go" answers before money is spent on implementation. Three patterns where the answer is reliably "stay where you are":
- Sub-1 TB total environments. The operational overhead of a six-component stack doesn't pay back at small scale. The SIEM economics that punish 50 TB/day workloads are still favorable at 200 GB/day.
- Pure compliance-checkbox shops. If no one queries the data after retention (the data sits to satisfy a regulator and never gets touched), dump to S3 cheap-tier and archive. MOAR's value comes from query performance and analytical workloads; for write-only retention, simpler is better.
- Teams without data-engineering capacity and no budget to acquire it. MOAR rewards operational discipline. Without it, the trade is one cost spiral for another, with the SIEM bill replaced by ops cost on a stack the team can't run.
The migration assessment surfaces these answers directly. A "no-go" finding is a successful engagement; under-scoping a deployment that lands the team in operational debt is the failure mode the framework is designed to avoid.
The engagement shape
Two entry points, scoped to risk tolerance.
Splunk-to-MOAR Migration Assessment ($30K–$50K, 2–3 weeks).
The flagship engagement. Quantified TCO comparison (current Splunk spend versus modeled MOAR stack); workload classification (which queries port cleanly, which need redesign, which should stay on Splunk); engine recommendation matrix (ClickHouse for raw speed, Dremio for semantic layer ergonomics, StarRocks for Iceberg-native, Trino for federation breadth, with the specific trade-offs called out); migration risk register; 6–18 month phased roadmap with named decision gates; executive deck for CISO and CFO. Pricing scales for environments above 2 PB ingest or 50+ detection use cases.
Security Data Architecture Assessment ($40K–$80K, 2–4 weeks).
The clean-sheet design engagement when the prospect isn't Splunk-bound or wants vendor-neutral architecture from the start. Covers a 5-step audit (sources → ingest → storage → catalog → query), a 12-scenario storage decision framework matching to regulatory profile (HIPAA, SOX, PCI-DSS, GDPR residency, multi-region SOC), MOAR component selection, 3-year TCO with cost-optimization roadmap, and the migration roadmap. Higher-end pricing applies to multi-region, regulated, or DoD/IC-adjacent environments. Implementation support is available as a follow-on retainer once the architecture lands.
The data platform that survives every other choice.
The benchmark is the cost-and-performance receipts. The matrix is the working-detail decision math. DetectFlow and MLOps-hunting both sit on top of MOAR.