The vendor demo handles a single environment, one ingest tier, one retention setting, one clean dataset. The POC handles two environments. The platform that survives year three is not the one that won the POC. It is the one whose operational substrate didn’t compound debt faster than the platform team could pay it down.
The thesis: security platforms almost never fail at the threat model. They fail at the substrate that runs the threat model. The places they break are the same places, in the same order. Telemetry cardinality outruns the ingest budget. Retention obligations outrun the storage strategy. The indexer accumulates shard debt that no one is paid to clean up. The Kubernetes layer becomes a second control plane to operate alongside the platform’s own. The SIEM pricing model punishes coverage at exactly the moment coverage matters most. Customer support absorbs the bespoke shape of every environment until support becomes the bottleneck. Each of these is a structural cost. Most architectures don’t price them in.
This is the architecture-operations gap from a different angle: the gap is where complexity accumulates, and complexity is the thing that takes platforms down.
Telemetry: cardinality, not volume, is what kills you
Vendors price ingest by the gigabyte, which makes the conversation feel like a volume problem. It is not. Volume is linear and predictable. Cardinality compounds.
Every new field, every new label, every new tag added to log events multiplies the number of unique time series the indexer has to maintain. A well-meaning request to “add the user agent string to every authentication event” can take a 200,000-series index to 20 million overnight. Storage cost goes up linearly. Query cost goes up worse. Memory pressure on the indexer goes up worse than that.
xychart-beta
title "One schema change, one auth event field"
x-axis ["Before", "After 'add user-agent'"]
y-axis "Unique time series (millions)" 0 --> 25
bar [0.2, 20]The operational symptom is the query that used to return in 500ms now timing out at 30s, three months after a “minor” schema change that no one tracked as a capacity event. The architectural symptom is that the security team cannot answer questions about its own data at incident velocity. (See the false-positive economics post for a related shape: the data is technically there, but the people who need it can’t reach it in time.)
The root cause is that telemetry is treated as a domain decision (the security team picks what to log) when it is actually a capacity decision (the indexer determines what is sustainable). When those two roles are not in conversation, cardinality grows monotonically and the platform team learns about it during the incident that needs the data.
Retention: the silent kill
Compliance owners ask for thirteen months, or seven years, because the regulation said so. Most security platforms accept that number without asking what it costs to query at depth.
Storage is the cheap part. Cold data on object storage costs almost nothing per GB. Querying that cold data when you actually need it (during an incident, during a breach investigation, during a regulator request) is where the plan falls apart. The hot tier holds thirty days. The warm tier holds ninety. The cold tier holds the rest, and the cold tier is the one you rehydrate during the worst week of your year, while the indexer is melting under load.
| Tier | Retention | Query latency | Cost / GB | Reachable mid-incident? |
|---|---|---|---|---|
| Hot | ~30 days | sub-second | $$$ | Yes |
| Warm | ~90 days | seconds | $$ | Yes, with patience |
| Cold | 13 mo – 7 yr | minutes to hours, if rehydrate works | ¢ | Only if you built replay |
The architectures that survive treat retention as a query-latency problem from day one, not a storage-cost problem. They build tier transitions that are continuous rather than batched. They build replay infrastructure that does not share a control plane with live ingest. They define “we can answer X-class question over the last Y months in Z minutes” SLAs for the security team, and they staff for those SLAs.
Most teams find out about this distinction at the worst possible time. The retention number on the slide and the retention number that actually returns answers in an investigation are not the same number, and the difference between them is invisible until it is the only thing that matters.
Shard explosions: the indexer is a fragile beast
This is the most concrete of the failure modes. Most SIEMs and observability platforms are built on Elasticsearch, OpenSearch, or a similar shard-based document store. Shards are not free. Each shard carries a fixed memory footprint regardless of how much data it holds. A cluster with 20,000 small shards will OOM long before its disks fill.
The classic anti-pattern is “one index per customer per day.” It looks tidy on a whiteboard. In production, after eighteen months of customer growth, it produces a cluster that spends most of its memory on shard metadata and the rest on actual query work. Query latency degrades nonlinearly. The on-call engineer watching the dashboards sees “memory pressure”; the architect sees a system that punishes growth.
Mapping explosions are the related sibling. A field called metadata.tags that accepts arbitrary keys turns into 30,000 distinct field mappings six months later because some integration is shipping per-event identifiers as map keys. Cluster metadata grows until rolling restarts take eight hours and upgrade weekends turn into upgrade fortnights. (I have written about one specific version of this with Wazuh 4.8 and the RBAC regression that came with it; the underlying shape is universal across indexer-backed platforms.)
Both of these are operational debt. They are visible to the platform team if the platform team is looking. Most platform teams are not staffed to look, they are staffed to ship features, and the features that get rewarded are the ones that show up in customer demos. Cluster hygiene does not show up in customer demos. It shows up in the postmortem.
Kubernetes: the second platform you have to operate
Kubernetes was sold to security platform teams as the abstraction that would flatten ops. In practice, it is a control plane that requires its own operations team, alongside the security platform’s own control plane.
The math is brutal. A multi-tenant security platform running on Kubernetes is operating four layers simultaneously. The cluster: control plane, etcd, networking, ingress, certificate rotation, node lifecycle. The data layer: the indexer, the queue, the object store, the tier transitions. The application layer: the parsers, the rules engine, the alert pipeline. The customer-facing layer: the UI, the API, the auth, the tenancy boundary. Each layer has its own failure modes, its own observability surface, its own upgrade cadence, and its own on-call rotation if you do it correctly.
flowchart TB
subgraph L4["Customer-facing layer"]
L4a["UI · API · auth · tenancy boundary"]
end
subgraph L3["Application layer"]
L3a["Parsers · rules engine · alert pipeline"]
end
subgraph L2["Data layer"]
L2a["Indexer · queue · object store · tier transitions"]
end
subgraph L1["Cluster layer"]
L1a["Control plane · etcd · CNI · ingress · cert rotation · nodes"]
end
L4 --> L3 --> L2 --> L1
note["Each layer: own failure modes,<br/>own upgrade cadence,<br/>own 2am page"]
L1 -.- noteThe promise was “we’ll abstract the infrastructure away.” The reality is that the abstraction leaks during exactly the events you cannot afford a leak: ingest spikes, customer migrations, certificate rotation, control-plane upgrades, etcd bloat, CNI version mismatches. Every one of those is a 2am page that has nothing to do with the security domain and everything to do with the substrate. (The Kubernetes-services troubleshooting post is the easy version of this; the hard version is doing it under tenant load with a regulator’s clock running.)
This is not an argument against Kubernetes. It is an argument against pretending Kubernetes is a free abstraction. The teams that survive staff Kubernetes operations as a first-class engineering function, not as a side responsibility of the platform team. The teams that do not staff for it learn about it when their cluster’s etcd hits its memory ceiling at 3am.
SIEM scaling: the pricing model is the threat model
This is a structural problem, not a vendor problem. SIEM vendors price by ingest volume because that is the metric they can meter. The customer’s incentive, given that pricing model, is to log less. The security team’s incentive, given the threat model, is to log more.
The result is a chronic gap between the data the security team needs and the data the security team has, mediated by a budget conversation that runs once a year. Coverage gaps are where breaches hide. Breaches hide in coverage gaps because the threat actor implicitly knows about the budget conversation, even if they don’t know they know about it. Any control where “we don’t log that because it’s too expensive” is part of the architecture is a control with a known dead zone.
This is a specific instance of the compliance-driven vs threat-driven security split. The compliance frame justifies the retention number. The threat frame requires the coverage. Neither pays the other’s bill.
The architectures that survive split ingest from retention. They put the volume tier on a cheap object store with structured access, route only the high-signal subset into the indexer, and build replay infrastructure that lets them re-index on demand when an investigation requires depth. This is not free, but it is dramatically cheaper than per-GB SIEM pricing, and it is the only way to keep coverage from being a line-item budget decision that loses to whoever is making the louder feature ask that quarter.
Insight
Coverage is the metric the budget conversation hides
The number on the SIEM invoice is the volume you ingested. The number that matters is the volume you didn’t. Every “we don’t log that, it’s too expensive” decision is a known dead zone in the threat model, and dead zones do not appear on the dashboard. The platforms that survive measure coverage as a first-class metric and treat budget pressure as a coverage problem, not a cost problem.
Customer support: the bespoke tax
Every security platform has a “supported integrations” page that lists forty sources. Every security platform that has been in market for three years has a customer set whose actual integration list looks like forty official sources plus two hundred bespoke variants that almost match the official ones.
The bespoke variants exist because every customer has the same vendors as everyone else and configures them slightly differently. A Cisco firewall in customer A’s environment emits one log shape; the same firewall in customer B’s environment emits a slightly different shape because of a different feature pack, a different log forwarder, a different timezone configuration, a different upstream parser in the chain. The supported integration handles 80% of the data; the remaining 20% becomes a support ticket the parser team has to absorb.
Multiply that by two hundred customers and the parser team is no longer a parser team. It is a customer-environment-debugging team that occasionally writes parsers between escalations. Tier-1 support escalates to tier-2 because the runbooks don’t cover the customer’s specific log shape. Tier-2 escalates to engineering because tier-2 doesn’t have access to the customer’s environment. Engineering debugs an environment they have never seen, with logs they can’t reproduce, on a timeline that matches the customer’s incident.
This is the operational reality of every multi-tenant security platform. The integrations page is the easy part. The variance is the product. Pricing the variance into the engineering plan is the difference between a platform that scales and a platform that becomes a managed-services business in disguise.
Operational debt: the bill that compounds
All of the above compounds into operational debt. Operational debt looks like technical debt, both are deferred work, but it behaves differently. Technical debt slows down feature work. Operational debt generates incidents.
The defining property of operational debt is that it is invisible until it triggers. The team running a cluster with too many small shards has no visible problem until the day query latency crosses a threshold and customers cannot search their own logs. The team running a SIEM with a thirteen-month retention policy and no replay infrastructure has no visible problem until the day a regulator asks for nine-month-old data and the cold tier cannot be queried in time. The team running a Kubernetes substrate without dedicated staffing has no visible problem until the day etcd bloats during a control plane upgrade and the cluster goes read-only across every tenant simultaneously.
Each of these is a ticking clock. The clocks are not synchronized. The platform team typically hears them only when they go off, and they go off in the middle of an unrelated incident, which is how operational debt converts into reputational debt. The hidden cost of “just one more exception” is the same compounding mechanism inside policy; this is the same mechanism inside infrastructure. (Stretch goals on a vuln backlog is the management-side of the same problem: invisible debt does not get prioritized until it becomes the only thing on the board.)
The pattern that survives: substrate is the product
The platforms that make it to year five share a common property. They treat the operational substrate as a first-class product surface, with the same investment, ownership, and metric discipline as the customer-facing surface.
This is the productizing infrastructure thesis applied to the multi-tenant security platform case. The substrate has explicit customers (the platform’s own engineers, the SRE team, the support team, the parser team). It has explicit contracts (capacity SLOs, query-latency SLAs, on-call expectations, deprecation timelines). It has measurable health (shard count per node, query p99 by tier, bespoke-integration count, support escalation rate, coverage as a percentage of the in-scope production surface). And it has named owners who are not also responsible for shipping customer features.
| Substrate as overhead | Substrate as product | |
|---|---|---|
| Owners | ”Whoever is on-call” | Named team, not on the feature roadmap |
| Contracts | Implicit | Capacity SLOs, query-latency SLAs, deprecation timelines |
| Metrics | Adoption of newest feature | Shard count, query p99 by tier, bespoke-integration count, coverage |
| How debt surfaces | During the incident that needed the data | On a schedule, with a budget |
| What customers feel | Outages they can’t predict | Capacity decisions they were warned about |
When the substrate is treated as a product, debt becomes legible. When debt is legible, it can be paid down on a schedule, which is the only way debt of any kind ever gets paid down. Architecture review meetings begin to include capacity events, not just feature decisions. Capacity events get budgets. Budgets get owners. Owners get measured. The loop closes.
When the substrate is treated as overhead, debt is invisible until it triggers. And when it triggers, the platform team is doing incident response on infrastructure they did not budget time to operate, while customer escalations stack up, while the parser backlog grows, while the cluster melts. (Mental models for incident commanders is the in-the-moment companion to this; the framing here is what determines whether the incident commander has a fightable problem or an unfightable one.)
Insight
Operational complexity is the bill that comes due after the architecture review
Architecture decisions look free at design time because the operational cost shows up months or years later, in a different team’s budget, during incidents the original architect may not even attend. The collapse is not random. It is the predictable arrival of a bill nobody priced in. The architectures that survive are the ones written by people who have paid that bill at least once.
The short version
Security platforms do not fail at the threat model. They fail at the substrate that runs the threat model.
Telemetry compounds by cardinality, not volume. Retention is a query-latency problem, not a storage problem. Shards multiply faster than the team that has to clean them up. Kubernetes is a second platform you have to operate, not a free abstraction. SIEM pricing punishes coverage at exactly the moment coverage matters. Customer support is the variance, not the integration list. And operational debt is the bill that comes due, eventually, all at once, on a schedule the platform team did not set.
The architectures that survive treat the substrate as the product. They give it customers, contracts, owners, and metrics. They measure coverage, not adoption. They staff Kubernetes as a first-class function. They split ingest from retention. They price the bespoke tax into the engineering plan from the first customer.
Everything else is a slide deck.