Writing
Essays from a practitioner.
Essays where the analysis is more prescriptive than the research surface, or where the topic doesn't yet have enough evidence to anchor as a tracked hypothesis. The voice is the same; the framing is essayistic. Updated as the work warrants — not on a schedule.
-
Independent measurement
Why vendor benchmarks are the only benchmarks.
Most enterprise security data platforms restrict their customers from running competitive performance tests. The implication: every published 'X% faster than your SIEM' benchmark is vendor-funded by structural design, not by accident. The fix isn't more open-source benchmarks; it's a different distribution model for independent measurement.
-
Table format
Iceberg V3 changes the thesis.
Earlier essays argued for Iceberg over Delta on vendor-neutrality and multi-engine flexibility. V3 (Puffin deletion vectors, Variant type, row-level lineage, default values) plus V4 proposals materially change the trade-off space. Some prior recommendations need revision; others are reinforced.
-
Schema economics
Schema-on-read vs schema-on-write. The $2.7M question.
Splunk runs $31K/month at 1 TB/day. Elasticsearch with ECS runs $8–12K. A hybrid lakehouse (raw on cheap object storage, OCSF on warm) runs $7.5K with parity on detection-engineer workflows. The schema-on-read tax compounds at retention scale.
-
Table format
Iceberg vs Delta Lake for security data.
Choosing a lakehouse table format governs query-engine portability, vendor neutrality, operational complexity, and migration cost. Production evidence from Netflix (5 PB/day Iceberg), Insider (90% cost reduction), Adobe (5,000+ Delta tables), and InMobi (GDPR/CCPA on Delta) anchors the decision.
-
Query engine
ClickHouse at petabyte scale.
Netflix's 5 PB/day ClickHouse optimization journey — fingerprinting (216 µs → 23 µs), native protocol serialization, tag sharding (3 s → 700 ms) — translated for security analytics. Plus Huntress's 93% cost reduction migrating from Elastic, and where Hydrolix's log-specific architecture wins.
-
Anti-pattern
Flattening away your detection logic.
Migrating from SIEM to lakehouse isn't schema conversion — it's semantic translation. Flattening CloudTrail's nested JSON silently broke a privilege-escalation detection for six weeks at a financial services firm. Five patterns that break, and the Iceberg V3 Variant type that fixes them.
-
Implementation
Migration: hidden costs and timeline reality.
The $300K project that became $1.2M. 67% of security data platform migrations require external consulting; actual costs run 40–100% above technology-only estimates. What gets missed: migration labor, parallel operation, detection rule conversion, training. With a phased funding playbook your CFO will approve.
-
MCP
MCP beyond chat. If it works.
Two infrastructure vendors — Tenzir and Databricks — announced MCP servers in late 2025 that aren't chat enhancements. They're positioning the Model Context Protocol as the orchestration layer for AI-generated data pipelines. The claims are big. The validation isn't there yet.
The hypothesis-grounded work — eight anchor hypotheses with evidence tiers, twenty-two contradictions tracked over time, and the method-in-practice essay — lives on the research page. The program POV that connects them is on thesis.