Use cases · Security detection

Detection with the whole history behind it.

A detection is only as good as the telemetry it can reach. On Bloo, detection reasons over full-fidelity telemetry retained for years, not a rolling window priced by ingestion. The window that shapes legacy detection is replaced by memory.

Lookback depth

Set the window, watch what comes into view.

Legacy detection sees 30 to 90 days, the depth a priced window can afford. Datafabric holds the whole history hot. Move the scrubber to set the detection window and watch what a detection can catch at each depth.

Now7 years backLegacy SIEM windowDatafabric window30 days90 days1 year3 years7 yearsIOC first seen · out of window

What a detection catches at 30 days

Active sessions and this week of alerts.

A 30 day window sees only the recent surface. Anything that waited longer is already gone.

The full story

Detection on memory, not a window.

Most detection programs are shaped by a constraint nobody chose on purpose: the amount of history the budget can keep hot. This article walks through what changes when that constraint is removed, from the fidelity of a single event to the reach of a retro-hunt, and the architecture that makes it possible.

Why detection windows exist at all

No security team ever asked for a 90-day detection window. The window is a side effect of pricing. When a platform charges by the gigabyte ingested and again for every day the data stays searchable, retention becomes the most expensive line in the security budget, and the window shrinks until the invoice is survivable. We have written about this dynamic in detail in the true cost of SIEM and in our analysis of SIEM pricing models and what breaks at scale.

The consequences compound quietly. Teams sample noisy sources, drop verbose fields, and route the rest to cold archives that are technically retained but practically unreachable. Every one of those decisions is invisible on the day it is made and expensive on the day it matters, because a detection cannot fire on an event that was never kept, and an analyst cannot pivot on a field that was trimmed at capture.

Bloo removes the constraint instead of optimizing inside it. Datafabric captures telemetry at full fidelity and retains it hot for years, with economics that scale with time rather than volume. Once retention stops being the bottleneck, detection stops being a compromise, and the rest of this article is about what that unlocks.

What full fidelity changes for a single detection

Fidelity decides what a detection can see. A rule that looks for credential theft needs the parent process, the command line, and the token context, not a summarized event that says a process started. Our detection engineering work on call stack analysis in Sysmon Event ID 10 is a concrete example: the signal lives in fields that most pipelines drop to save ingestion cost.

On Datafabric, three properties hold by construction:

  • No sampling. Detection runs on every event captured, not a thinned sample chosen to fit an ingestion budget. What fires is grounded in the full record.
  • No dropped fields. Fields are retained at full fidelity rather than trimmed at capture, so the detail a detection needs to disambiguate a signal is still there when it looks. The reasoning behind this is covered in what full-fidelity log retention means.
  • One substrate. Endpoint, cloud, identity, network, and application telemetry share a single substrate, so a detection reasons across domains without stitching exports together.

The practical difference shows up in precision. False positives are usually ambiguity, a signal that could be benign or hostile depending on context the pipeline threw away. Keep the context and the ambiguity collapses. For a primer on why structure and completeness matter this much, see what security telemetry is and why structure matters.

Retro-hunting: a new indicator, hunted across years

When a fresh indicator lands, the first question is whether it was ever in your environment before. On a priced window the honest answer stops at 90 days. On Bloo, a new detection sweeps the whole retained history and finds the first sighting wherever it sits, so a low and slow campaign that predates the indicator still surfaces.

This matters because adversary dwell time routinely outlasts retention. The campaigns our research team documents, from Lumma Stealer to the loaders tracked in our malware research library, show staging and beaconing that begin months before any public indicator exists. A window-bound platform answers the dwell-time question with an apology. A system of record answers it with the first record.

Retro-hunting on Bloo is not a restore job. There is no re-ingestion, no thawing an archive, no standing up a temporary cluster. The history is already hot and searchable, so sweeping a year of telemetry is an ordinary query, not a project. Teams that practice hypothesis-driven threat hunting feel this immediately: a hypothesis is only as testable as the history it can be tested against, and the techniques in our threat hunting guide assume reach that a 90-day window simply does not have.

From research to detection content

What a detection looks for is the encoded output of research. Somebody dissected the malware, mapped the infrastructure, and reduced the behavior to something a machine can watch for. On Bloo that somebody is Specterforce, the research arm that dissects live malware, tracks active campaigns, and turns what it learns into detection releases that ship in Vantage, validated against retained telemetry before they deploy.

Validation against real history is the part legacy pipelines cannot do. A new rule is normally deployed on faith and tuned on complaints. When years of full-fidelity telemetry are hot, a candidate rule is run backward across the record first, so its noise rate and its catch rate are measured before an analyst ever sees an alert from it. Our engineering series on why detection engineering needs to evolve and building detection rules that matter describes this discipline in practice, and the Lumma Stealer detection engineering notes show it applied to one live family end to end.

One substrate, every domain

Modern intrusions do not respect tool boundaries. A phishing payload becomes an endpoint process, the process becomes a credential, the credential becomes a cloud session, and the session becomes an exfiltration path. Detection that lives inside one domain sees one chapter of that story. The industry has spent a decade trying to solve this with correlation layers bolted across products, a history we trace in our XDR versus SIEM guide and in log correlation techniques.

Bloo dissolves the problem instead. Telemetry from every domain lands in the same fabric through native connectors and the wider integration catalog, normalized into one timeline with entities that persist across sources. A detection in Vantage follows the credential from the endpoint into the cloud session because both events are rows in the same substrate, not exports from rival tools. Campaign-level reasoning, grouping related signals into one adversary narrative, builds on the same property, and is the subject of campaign discovery in Vantage.

The architecture: detection over memory, not a second copy

The mechanism is deliberately simple. Vantage does not keep its own store of your telemetry. It detects directly over Datafabric, the substrate that captures and retains full-fidelity telemetry inside your cloud. One copy of the data, one system of record, and every consumer reasoning over the same memory.

Vantage detects directly over Datafabric. One path, no second copy.

This is why a detection reaches the whole history, and why the economics stay predictable as telemetry grows. It is also why Bloo is not a SIEM with better pricing: a SIEM is a consumer of telemetry, while Datafabric is the system of record that consumers, including detection, reason over. The capture pipeline writes once, and detection, investigation, and audit all read from the same record. For the broader architectural argument, see our analysis of what replaces the SIEM.

Running it: your team, a partner, or both

Detection on full history changes what operating a security program looks like. In-house security teams run Vantage over their own Datafabric and spend their analyst hours on judgment rather than data wrangling, the shift we describe in SOC modernization and the data layer.

Service providers invert the same architecture. MSSPs and MDR providers centralize reasoning rather than data, running detection across many customer-owned Datafabrics without ever pooling customer telemetry in their own cloud. And for organizations that want outcomes rather than operations, managed detection and response on Bloo pairs the same substrate with a 24/7 team, an approach whose detection quality bar we argue for in why battle-tested detections matter for MDR. Whichever model fits, the record stays yours, in your cloud, at full fidelity, for as long as you keep it.

Related reading

Articles

From the blog

Research

Detect over everything you have kept.

See a detection sweep a real history, and what it finds beyond the reach of a priced window.

We use cookies to provide essential site functionality and, with your consent, to analyze site usage and enhance your experience. View our Privacy Policy