Technology deep-dive

The streaming database decision for security data.

I've spent the last year watching four engines crowd into the same architectural slot: the place where a security data pipeline does its stateful streaming work. RisingWave, Apache Fluss, Kafka Streams, and Spark Real-Time Mode (general availability on Databricks in March 2026) are not interchangeable products so much as four different bets on how state, storage, and compute should be arranged, so picking one is a strategic call rather than a feature comparison, and the honest answer for most security teams in early 2026 is still the boring one.

Reading time: about 18 minutes. Evidence tier: B/C overall. Production deployments at Netflix (Kafka plus Iceberg), Alibaba (Fluss), and Atome (RisingWave for fraud detection), plus expert analysis from Jack Vanlightly and Anton Borisov. No engine on this list has a publicly disclosed Fortune 500 security deployment at 10 TB/day. Treat the cost and performance numbers as starting hypotheses to benchmark against your own workload, not as quoted figures.

Anton Borisov (data architect at Fresha) framed this well in a September 2025 piece: the streaming engines that look like competing products are actually competing philosophies of state management. State management means where the engine keeps the partial results it needs to answer "what's happening right now": the join history, the windowed aggregates, the sliding session counters. That decision shapes everything downstream. I'd extend Borisov's three-philosophy frame with a fourth category that Spark Real-Time Mode forces onto the page.

Philosophy 1: separation of concerns (Kafka plus Iceberg)

Kafka handles streaming with the state external to the streaming layer: Kafka itself stays ephemeral (offset-ordered, days of retention, row-based), Iceberg holds persistent state (business- partitioned, years of retention, columnar Parquet). A materialization layer in between (Kafka Connect, Flink, or Spark) does the format conversion and the partition-strategy rewrite.

The trade-off is operational complexity (three systems, three failure modes) versus independent optimization (each system tuned for its job), and it's the architecture Netflix runs at 5 PB/day, the one Jake Thomas at Okta uses for 7.5 trillion records, and the one I've seen roughly fifty production security deployments converge on because it works.

Philosophy 2: hybrid tiered storage (Apache Fluss)

Fluss positions itself as a Kafka alternative with native lakehouse integration. Hot data lives in memory and on local SSD; cold data lives on S3 or ADLS. The client stitches the two together at query time. Operator state stays minimal: the engine leans on an external KV store plus the log itself rather than keeping a large operator state inside the streaming layer.

The trade-off is simplicity (one system instead of three) versus ecosystem loss (no Kafka Connect, no Schema Registry, no ksqlDB, no fifteen years of accreted tooling). Jack Vanlightly classified Fluss in September 2025 as "tiered storage with client-side stitching," which is to say it's neither a zero-copy lakehouse nor a Kafka clone but something specifically new.

Philosophy 3: stateless compute over shared storage (RisingWave)

RisingWave is a streaming database with PostgreSQL-compatible SQL on top and stateless compute actors over a shared storage layer (a log-structured-merge implementation called Hummock, running on S3). Because the state lives in shared storage and the compute is disposable, that arrangement makes materialized views with sub-second freshness, native Iceberg writes, and time-travel queries achievable from the same engine.

The trade-off is operational simplicity (SQL-first, PostgreSQL ecosystem, one system) versus production validation specifically for security workloads (the validated case studies are fraud detection and manufacturing observability, not SIEM-scale telemetry). For an engine-level reference, see the RisingWave streaming component.

Philosophy 4: batch-streaming convergence (Spark Real-Time Mode)

Spark Real-Time Mode reached general availability on Databricks in March 2026. The premise is that the same SQL or DataFrame API that runs your batch jobs can run your streaming jobs, with the micro-batch latency overhead of Structured Streaming removed. Matei Zaharia (Spark co-creator at Databricks) called it the long-term vision for streaming the project has held since Structured Streaming shipped. Josh Bogran's Databricks demos position it as a unified engine and an Apache Flink replacement for many use cases.

The trade-off is zero migration cost (for the estimated 60 to 70% of data teams already running Spark, this is a configuration flag, not a new platform) versus unvalidated streaming performance for security workloads (no independent benchmarks compare Real-Time Mode against Flink, RisingWave, or Fluss for OCSF-shaped event data as of early 2026).

I want to flag the evidence quality here directly, because "amazing performance numbers" is Zaharia's own phrasing, which is an architect promoting his own project, so it's useful Tier B input but not a substitute for a third-party benchmark. Real-Time Mode is also Databricks-first; the open-source Spark community will get there, but if you're running EMR or a self-managed Spark cluster without Databricks, this option may not be on your menu in 2026.

Kafka plus Iceberg

Maturity: production-validated at petabyte scale. Netflix runs 5 PB/day on a ClickHouse-plus-Iceberg architecture with Kafka in front. Jake Thomas at Okta queries 7.5 trillion records against DuckDB plus Iceberg. The Kafka Connect Iceberg Sink GitHub repository has 1,500-plus stars and a conservative estimate of fifty-plus production users; the actual number is almost certainly higher. Jack Vanlightly's October 2025 analysis is the canonical Tier-A piece on this architecture pattern.

Validated security use cases: EDR telemetry at 50 million events per day with custom partitioning by endpoint and event type; network flow logs at 100 million flows per day partitioned by source subnet and destination port; cloud audit logs at 50 million API calls per day with OCSF normalization and schema evolution applied at the Iceberg layer without touching the immutable Kafka archive.

Apache Fluss

Maturity: Apache Incubator, pre-1.0 as of early 2026. The single named production deployment is Alibaba at over 1 PB of data, with a claimed 80% cost reduction versus a Kafka-plus-separate- lakehouse baseline. The cost claim is single-vendor and has not been independently benchmarked.

Security use cases: theoretical. The potential fit is stateful stream processing for behavioral analytics (session tracking, user-activity sequences, primary-key tables for upserts), but no public security deployment of Fluss exists, and the Alibaba case is general-purpose streaming rather than security telemetry. The Flink integration story is the strongest part of the pitch, so if your team already has deep Flink expertise, the surface-area learning curve is smaller than it looks.

RisingWave

Maturity: open-sourced in 2020, $36M Series A in 2022, growing. RisingWave claims 1,000-plus organizations as users; the vendor number is unverified, and I'd discount it heavily for marketing signal. The named, public production references are Atome (buy-now-pay-later financial services, real-time risk management and fraud detection at sub-second latency) and CVTE (manufacturing, materialized views and real-time dashboards). VMware Skyline used Differential Datalog, RisingWave's technological predecessor, at scale for several years.

Security use cases: fraud detection and audit log analysis are validated, but SIEM-scale telemetry at 10 TB/day is not, and as far as the public record goes no Fortune 500 security customer is disclosed and no SIEM-scale benchmark with disclosed methodology is published. Fraud detection patterns are close enough to behavioral security analytics that the directional fit is plausible, but I would not bet a production security operation on the analogy without piloting first.

Spark Real-Time Mode

Maturity: general availability on Databricks in March 2026. No named public production deployments as of early 2026. Zaharia references unnamed customers seeing strong performance numbers; that's the only signal in the public record.

The unique advantage is the install base, since Spark is one of the most widely deployed data-processing engines globally, and for existing Spark users Real-Time Mode is a configuration change rather than a platform adoption. For a security team that already runs Spark for batch ETL, this is the lowest-friction streaming option on the list, with the caveat that no independent benchmark exists yet to validate the streaming latency or throughput against security workloads.

Choose Kafka plus Iceberg if

• You already run Kafka and the migration cost of replacing it dominates any streaming-database benefit.
• Query performance against custom partitioning matters — event_time plus asset_id plus severity is the partition key your analysts actually use.
• Operational clarity matters and you'd rather have three systems with clear boundaries than one system with blurred ownership.
• Multi-year retention with regulatory compliance is in scope (HIPAA, PCI-DSS, SOX) and the immutable Kafka archive plus clean Iceberg schemas is the pattern you want to defend in an audit.

Production validation: Netflix (5 PB/day), Jake Thomas at Okta (7.5T records), fifty-plus organizations on Kafka Connect Iceberg Sink. Risk level: low.

Choose RisingWave if

• You're greenfield — no existing Kafka investment to migrate from.
• Your team is SQL-first. Most of your SOC analysts and detection engineers can write SQL but would struggle with Flink's DataStream API.
• Your highest-value use case is real-time analytics against materialized views — behavioral anomalies, fraud-detection-shaped patterns, audit log monitoring — rather than full SIEM-scale telemetry.
• You can accept the security-validation gap and pilot before committing.

Production validation: Atome (fraud detection at sub-second latency), CVTE (manufacturing). No Fortune 500 security customer publicly disclosed. Risk level: medium. Validation steps before production: pilot on fraud or audit-log analysis at 10% of your event volume; benchmark query performance against ClickHouse for your SIEM-style partitioning; verify the materialized-view freshness under late-event conditions you actually see in production.

Choose Spark Real-Time Mode if

• You're already on Databricks and Spark is the engine your data team operates today.
• The marginal cost of streaming is the difference between batch and streaming on the same cluster, not platform adoption.
• You can tolerate being an early adopter on a March 2026 GA — no named security deployments yet, no third-party benchmarks against Flink or RisingWave for security workloads.

Production validation: unnamed Databricks customers per Zaharia. Risk level: medium for Databricks- committed teams, high for open-source Spark teams (the feature is Databricks-first). The Databricks Lakewatch announcement in late March 2026 is a related signal, since it bundles Real-Time Mode plus Delta plus Unity Catalog into a security-specific product, which deepens both the integration argument and the lock-in argument simultaneously.

Monitor Apache Fluss if

• Your team has deep Flink expertise and can read the source as the documentation matures.
• You're greenfield and the 80% cost-reduction claim, even discounted heavily, would meaningfully change your business case.
• You can wait. Apache graduation and three-plus non-Alibaba production deployments are the signals I'd watch for before recommending Fluss in production.

Production validation: Alibaba (single-vendor, general-purpose streaming, not security). Risk level: high. The right move for most teams is to track adoption signals through 2026 rather than to deploy.

The honest summary of the evidence available in early 2026:

• Kafka plus Iceberg has Tier A/B evidence. Jack Vanlightly's October 2025 validation, Netflix at 5 PB/day, fifty-plus organizations on Kafka Connect Iceberg Sink, public cost modeling that survives scrutiny.
• Apache Fluss has Tier B/C evidence. Vanlightly's classification piece (September 2025) and Borisov's comparative analysis (September 2025) are credible expert signals. The Alibaba production deployment is real. The 80% cost reduction claim is single-vendor and unverified. No multi-organization adoption signal exists yet.
• RisingWave has Tier B/C evidence. Borisov has analyzed it; Vanlightly and Ryan Blue have not published RisingWave deep-dives as of early 2026. Atome and CVTE are public production references. No Fortune 500 security customer, no SIEM-scale benchmark, no Tier-A expert validation.
• Spark Real-Time Mode has Tier C/D evidence. Zaharia's framing and Bogran's demos are credible signals from architects with skin in the game, though there's no independent benchmark, no named public deployment, and no security-specific validation. GA was March 2026, so six months of public deployment maturity simply hasn't accumulated yet.

I track Vanlightly's blog, Blue's blog, and the RisingWave and Fluss community signals monthly. The gap I'd most like to see filled in 2026 is a methodology-disclosed benchmark against OCSF-shaped security event data at 10 TB/day comparing Flink, RisingWave, and Spark Real-Time Mode. The closest anyone has come in public is the Atome fraud-detection case study, which is directionally relevant but not the same workload.

Borisov's framing is the right one, because the streaming engines in this comparison are not interchangeable products with overlapping feature lists but four different bets on how to arrange state, storage, and compute: separation of concerns, hybrid tiered storage, stateless compute over shared storage, and batch-streaming convergence. The right question for a security architect isn't "which is best" so much as "which philosophy fits the team I have, the workload I need to support, and the risk tolerance my organization can defend."

For production security data at scale in early 2026, the answer to that question is still separation of concerns, Kafka plus Iceberg, with the materialization layer paid for and operated as a first-class system. The newer philosophies are worth tracking and worth piloting where the fit is right, and they're worth pressuring vendors on for the missing security-specific benchmarks, but they aren't yet a default to bet a production SOC on.