
BYODb Architecture: How We Query Your Data Without Moving It


Every traditional SIEM works the same way: ship your data to us, we will index it, and then we tax you to search it. This model assumes that security telemetry must be centralized to be useful. In the era of the "AI Query Explosion," where automated analysts may run 50x more queries than a human, this centralized model is not just inefficient. It is a financial death sentence for your security budget.

BYODb (Bring Your Own Database) is the architecture at the core of Vigilense AI. The principle is simple: move compute to data, not data to compute. Your logs stay in your infrastructure. We bring the detection engine to them.

The Five-Stage Pipeline

When a customer connects Vigilense AI to their existing data infrastructure, the system executes a five-stage pipeline. No raw data is copied, replicated, or re-indexed anywhere during this process; only the results of individual queries leave your database, and only for as long as they are being analyzed.

Stage 1: Connection

We establish a read-only connection to your database. Read-only is non-negotiable, and it is enforced by the role you grant us, not by a setting in our client. The connection uses your existing authentication infrastructure (IAM roles, OAuth, etc.).

Supported backends: Snowflake, BigQuery, OpenSearch, S3 (via Athena), and more.

Stage 2: Schema Discovery

We map your tables and indices and normalize them against our internal detection schema. You do not rewrite your data; we adapt to it. Whether you call a field auth_type or event.action, our normalization layer makes it "Vigilense-ready."

Stage 3: Query Federation

This is where the real engineering lives. Our detection rules are written in an abstract language that translates at runtime into native queries (SQL, DSL, etc.) for your specific database. We optimize for each engine, handling partition pruning and predicate pushdown: every filter in the rule, including the time window, is emitted inside the native query so the engine scans only the partitions and rows that match, rather than fetching results and filtering them afterwards. The generated query runs as fast as one written by hand against that engine.

Stage 4: In-Memory Processing

Query results are analyzed, enriched, and scored entirely in memory. Nothing is written to disk. The raw data is never persisted on our side, ensuring it cannot be bulk exported or accessed by anyone outside the active processing window. Once the analysis is done, the data is purged from our systems. Period.

Stage 5: Intelligence Delivery

We deliver Intelligence, not Ingestion. Your SOC gets scored alerts and full forensic narratives delivered through your existing tools (Slack, PagerDuty, or our console), without us ever owning your underlying telemetry.
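The following is an added example, not Vigilense's code, of what Stages 2 through 4 look like in practice: a Stage 2 schema map for two backends, a Stage 3 translator that turns one abstract rule into Snowflake SQL and OpenSearch DSL with every predicate pushed down, a read-only guard applied before dispatch, and a Stage 4 scorer that works on the aggregated rows in memory. The rule format, field names, table and index names, and the scoring thresholds are all assumptions made for illustration.

```python
# Added example, not Vigilense's code: a toy federation layer covering Stages 2-4.
# Rule format, field names, sources and scoring are assumptions made for illustration.
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Stage 2 output: how each customer backend names the canonical fields a rule
# uses. Both mappings are constructed for this example.
SCHEMAS = {
    "snowflake": {
        "source": "SEC.AUTH_EVENTS",
        "fields": {"event_time": "TS", "action": "AUTH_TYPE", "outcome": "RESULT",
                   "source_ip": "SRC_IP", "user": "USERNAME"},
    },
    "opensearch": {
        "source": "auth-logs-*",
        "fields": {"event_time": "@timestamp", "action": "event.action",
                   "outcome": "event.outcome", "source_ip": "source.ip", "user": "user.name"},
    },
}
PARTITION_FIELD = "event_time"  # canonical time column; the time window prunes on it


@dataclass(frozen=True)
class Rule:
    """Backend-independent detection rule (hypothetical abstract format)."""
    name: str
    equals: dict           # canonical field -> required value
    window_minutes: int    # look-back; becomes a predicate on the partition column
    group_by: str          # canonical field to aggregate on
    threshold: int         # alert when the per-group count reaches this


BRUTE_FORCE = Rule("auth.bruteforce.by_source",
                   equals={"action": "password", "outcome": "failure"},
                   window_minutes=15, group_by="source_ip", threshold=20)

_IDENT = re.compile(r"^[A-Za-z_@][A-Za-z0-9_.\-*]*$")


def native(backend: str, canonical: str) -> str:
    """Map a canonical field to the customer's name; fail closed on unmapped or odd names."""
    name = SCHEMAS[backend]["fields"][canonical]   # KeyError means the field is unmapped
    if not _IDENT.match(name):
        raise ValueError(f"suspicious identifier in schema map: {name!r}")
    return name


def _lit(value: object) -> str:
    """SQL string literal with embedded quotes doubled."""
    return "'" + str(value).replace("'", "''") + "'"


def to_snowflake_sql(rule: Rule) -> str:
    """Translate the rule to Snowflake SQL with every predicate pushed into WHERE."""
    f = lambda c: native("snowflake", c)
    preds = [f"{f(PARTITION_FIELD)} >= DATEADD(minute, -{int(rule.window_minutes)}, CURRENT_TIMESTAMP())"]
    preds += [f"{f(c)} = {_lit(v)}" for c, v in rule.equals.items()]
    return (f"SELECT {f(rule.group_by)} AS group_key, COUNT(*) AS hits\n"
            f"FROM {SCHEMAS['snowflake']['source']}\n"
            "WHERE " + "\n  AND ".join(preds) + "\n"
            f"GROUP BY {f(rule.group_by)}\n"
            f"HAVING COUNT(*) >= {int(rule.threshold)}")


def to_opensearch_dsl(rule: Rule) -> dict:
    """Same rule as an OpenSearch aggregation; size 0 means no raw documents come back."""
    f = lambda c: native("opensearch", c)
    filters = [{"range": {f(PARTITION_FIELD): {"gte": f"now-{int(rule.window_minutes)}m"}}}]
    filters += [{"term": {f(c): v}} for c, v in rule.equals.items()]
    return {"size": 0,
            "query": {"bool": {"filter": filters}},
            "aggs": {"groups": {"terms": {"field": f(rule.group_by),
                                           "min_doc_count": int(rule.threshold)}}}}


_WRITE = re.compile(r"\b(INSERT|UPDATE|DELETE|MERGE|DROP|ALTER|CREATE|TRUNCATE|GRANT|COPY|CALL)\b", re.I)


def assert_read_only(sql: str) -> str:
    """Guard before dispatch: exactly one SELECT/WITH statement and no write keywords.
    Defense in depth only; the real control is the SELECT-only grant on the database."""
    body = sql.strip().rstrip(";").strip()
    if ";" in body:
        raise ValueError("multi-statement query rejected")
    if not re.match(r"(SELECT|WITH)\b", body, re.I):
        raise ValueError("only SELECT/WITH statements may be dispatched")
    if _WRITE.search(body):
        raise ValueError("write keyword present; refusing to dispatch")
    return body


def score(rule: Rule, rows: list[dict]) -> list[dict]:
    """Stage 4 stand-in: score aggregated rows in memory, highest count first."""
    alerts = []
    for row in rows:
        ratio = row["hits"] / rule.threshold
        severity = "high" if ratio >= 5 else "medium" if ratio >= 2 else "low"
        alerts.append({"rule": rule.name, "key": row["group_key"],
                       "hits": row["hits"], "severity": severity})
    return sorted(alerts, key=lambda a: -a["hits"])


if __name__ == "__main__":
    print(assert_read_only(to_snowflake_sql(BRUTE_FORCE)))
    print(json.dumps(to_opensearch_dsl(BRUTE_FORCE), indent=2))
    # Constructed result rows, shaped like what the engine returns (aggregates only).
    print(score(BRUTE_FORCE, [{"group_key": "203.0.113.7", "hits": 140},
                              {"group_key": "198.51.100.9", "hits": 23}]))
```

Two design points worth noting. Both translators aggregate inside the customer's engine (GROUP BY / HAVING on one side, a terms aggregation with size 0 on the other), so what crosses the wire is a handful of counts per group rather than the matching events themselves. The keyword denylist in assert_read_only is deliberately conservative and can reject a legitimate query whose string literal happens to contain a keyword; it exists only to catch a malformed rule before it reaches the database, and the SELECT-only grant remains the control that actually prevents writes.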

The Security and Trust Model

  • Credential Management: Connection credentials are encrypted at rest with HSM-backed keys, or held in your own secrets manager or key service (HashiCorp Vault, AWS KMS) so that we never store them ourselves.
  • Network Security: We support VPC peering and PrivateLink, so query traffic between our engine and your database can be kept off the public internet entirely.
  • Minimal Permissions: We only request SELECT access. With a SELECT-only grant, the connection cannot modify or delete your data, whatever our software does.

Performance Benchmarks: Real Production Numbers

Database backend    Data volume       Latency
OpenSearch          10 TB+            < 500 ms
Snowflake           100 TB+           < 2 seconds
S3 + Athena         Petabyte-scale    < 5 seconds

Why This Matters in the AI Era

The "Ingestion SIEM" is a relic of a pre-AI world. When an AI SOC Analyst performs a 3-layer blast radius investigation, it might run dozens of queries for a single alert. If you are paying a "Query Tax" to a legacy vendor, your costs will go vertical the moment you turn on AI automation.

BYODb allows you to scale your investigative depth by 50x without increasing your vendor bill. You control retention, you eliminate vendor lock-in, and you finally stop paying an ingestion tax on your own security.

If you want to see BYODb running against your own data, book a demo and we will connect to your environment live.



Ruchika Sharma

Co-founder & CTO
15+ years designing and operating enterprise SOC infrastructure, leading SIEM architecture and automated detection pipelines.