Scale detection and investigation across every customer.
Higher margin, more customers per analyst, and deals you no longer have to skip. Bloo gives each customer their own telemetry system of record and your analysts one console to reason across all of them, without ever moving a customer’s data out of their cloud.
The products behind this
Three products, one fabric.
Your practice touches three Bloo products, and none of them keep a second copy of a customer's data. Each reasons over the telemetry captured once, inside the customer's own cloud.
A telemetry system of record inside each customer’s own cloud.
Explore Datafabric →Detections managed as fleet content over full-fidelity telemetry.
Explore Vantage →Autonomous first-pass investigation on every alert you manage.
Explore SynthAI →Tenancy
Your tenant, or theirs.
Multi-tenancy works in both directions. Host a book of customers on your own tenant, service the ones who keep the fabric in their environment, and run both from the same desk with the same detections and the same workflows.
Partner-hosted · multi-tenant
Your tenant, many customers
Run Bloo as your own tenant and host multiple customers on it. Small and medium customers get the full fabric without operating anything, and your practice keeps one operational surface for onboarding, detection content, and investigations, with every customer’s telemetry isolated inside the tenant.
Best for · Small and medium customers
Customer self-hosted
Their environment, your service
Customers that host Datafabric inside their own environment stay fully serviceable. Your analysts reason into each deployment remotely, with the access the customer grants and nothing in the way: detections deploy, investigations run, tuning lands, and the data never leaves their perimeter.
Best for · Enterprises and sovereignty requirements
One console · every tenant
Review any customer without changing seats
Your analysts work every customer from the same console. Moving from your tenant to a self-hosted deployment is a context switch, not a logout: no separate console to open, no different credentials, no re-learning the screen. The workflows and detections you standardize apply everywhere.
- No console switching between customers
- No second login for self-hosted deployments
- Access scoped per analyst and per engagement
- Your tenant
- Self-hosted A
- Self-hosted B
One console
your analysts · one login
Role-based access · per tenant
The right role in every tenant
With Vantage you create organizations, put users inside them, and give every user a different level of access per tenant. The same person can hold analyst access in one customer, security engineer in another, and no access at all to the rest. It is defined in minutes from the single console, and it stays granular as the book grows.
- Organizations and users, defined once
- A different role per user, per tenant
- Granular, and easy to change
One organization · roles per tenant
| User | T1 | T2 | T3 | T4 |
|---|---|---|---|---|
| A. Rahman | Analyst | Sec engineer | None | None |
| J. Okafor | Sec engineer | None | Analyst | Analyst |
| P. Narang | None | Analyst | None | Sec engineer |
Defined per user, per tenant, in the single console
Specterforce Special Services
Hard to hire, easy to partner.
Finding, employing, and retaining a truly talented detection engineering team is one of the hardest problems a partner practice faces. The people are rare, the market is unforgiving, and every departure sets your coverage back. Specterforce Special Services exists so you do not solve it alone: partner with the Specterforce group and put a research-led detection engineering team behind your practice.
Content
High-quality detections, continuously
Specterforce researchers and detection engineers produce research-led detection content for your customers month after month, validated against retained telemetry before it ships. Your coverage keeps compounding regardless of who you can hire this quarter.
Profiles
A detection profile per customer
Every customer gets a customized detection profile built around their industry, infrastructure, software stack, telemetry sources, and the campaigns most likely to reach them, tuned as the environment changes.
Partnership
Their research, your service
The Specterforce group works behind your practice. The customer relationship, the reporting, and the service layer stay yours, now backed by a research bench you did not have to build.
Pricing
A price model you can resell.
Datafabric is not priced on ingest. Each deployment is sized to its telemetry once, and the price follows a gradual, predictable path from there. For a partner practice that changes everything: instead of passing a vendor's ingest meter through to your customers as transfer pricing, you control the price model, the packaging, and the margin of the service you sell.
On ingest-based platforms
- You resell a meter you do not control, so your pricing is mostly transfer pricing.
- A noisy quarter at one customer reprices the whole engagement under you.
- Margin shrinks as a customer grows, precisely when the service gets stickier.
With Datafabric
- Sized once per deployment, with a gradual, predictable path from there.
- You design the packaging, the tiers, and the margin of your own service.
- A customer's telemetry growth changes their value, not your costs.
> Retention economics scale with time, not volume, so the price you quote a customer holds as their telemetry grows.
Datafabric pricing →Business outcomes
What the business gets back.
The products matter because of what they return: hours, budget certainty, and risk taken off the table. These are the outcomes your leadership will notice.
01
Margin you design, not inherit
With no ingest meter to pass through, your pricing stops being transfer pricing. You own the packaging, the tiers, and the margin of the service you sell.
Driven by · Datafabric
02
More customers per analyst
SynthAI takes the first pass on every alert across the book, so the desk scales with software instead of headcount and growth stops eroding service quality.
Driven by · SynthAI
03
A bigger addressable market
Host small and medium customers on your tenant and service sovereignty-bound enterprises in theirs, from one console. Deals you had to skip become winnable.
Driven by · Datafabric · Vantage
04
Differentiation without R&D payroll
Specterforce research and per-customer detection profiles run behind your brand, giving the practice a research story without building the team.
Driven by · Specterforce · Vantage
Feature map
What delivers what.
Each capability on this page comes from a specific product. Follow a row straight to the section that covers it in depth.
| Feature | Delivered by | Read more |
|---|---|---|
Fleet detection content Research-encoded detections authored once and deployed across the book. | Vantage | Specterforce in Vantage → |
First-pass investigation on every alert SynthAI returns evidence-attached conclusions for analysts to review. | SynthAI | How SynthAI investigates → |
Deployment models per customer Your tenant or theirs: the fabric deploys wherever the customer needs. | Datafabric | Deployment → |
No-ingest pricing Sized once per deployment, so your price model stays yours to design. | Datafabric | Pricing → |
Detection engineering services Research Advisory, Stealthpack, and Stealthpack Pro behind your practice. | Specterforce | Engagement tiers → |
From the blog
Research your analysts can use.
Threat research, campaigns, and detection engineering from the Specterforce desk.
EPOINT-AES: Detection Engineering Notes for North Korean APT DLL Loader
Introduction This Detection engineering brief is based on the analysis of an advanced North Korean APT multi-stage malware framework (EPOINT-AES) documented in my previous blog. The malware represents
Blog
EPOINT-AES: North Korean APT Multi-Stage DLL Loader Framework
Introduction This analysis documents a sophisticated multi-stage malware framework discovered during an investigation into North Korean Advanced Persistent Threat (APT) activities. The framework was i
Blog
Inside the Shellcode: Dissecting North Korean APT43’s Advanced PowerShell Loader
The PowerShell script analyzed in this document (shell.ps1) was recovered from an unprecedented takedown operation of North Korean APT infrastructure, security researchers gained access to actual malw
Blog
Tracking the Trackers: Lessons from the APT43/Kimsuky Takedown
Introduction This technical analysis is derived from the groundbreaking “APT Down, The North Korea Files” published in Phrack Magazine Issue 72. Our security team gained unprecedented access to the ac
Blog
In depth
Four longer reads for the practice.
SOC Modernization and the Data Layer: What Actually Changes
SOC modernization starts in the data layer, how telemetry is retained, structured, and accessible to analysts and agents.
9 min read
SIEM Pricing Models Compared: What Breaks at Scale
From Splunk to Sentinel to Google SecOps, SIEM pricing models all have tradeoffs. Learn which punishes growth and what works.
6 min read
SIEM Alternative: Full-Fidelity Telemetry at Scale
Tired of SIEM ingestion penalties? Bloo retains all your telemetry inside your cloud and scales without punishing visibility.
6 min read
AI-Native Incident Response Needs Full-Fidelity History
AI-native IR depends on looking back across years of telemetry in seconds. Learn why sampled storage breaks, and what replaces it.
13 min read
Go deeper on the capability
Build your practice on the customer’s own memory.
Give every customer a telemetry system of record they own, and give your analysts one place to reason across the whole book.