18 May 2026

Why UK Enterprises Are Looking Beyond Centralised SIEM

Security teams are caught in a familiar trap. The volume of telemetry worth analysing (cloud audit logs, identity events, EDR signals, SaaS application logs, network flow) keeps growing. The licence and storage budget for centralised SIEM does not. Something has to give, and increasingly it is the long-held assumption that all security data should live in one platform.

That assumption made sense when on-premises infrastructure produced predictable telemetry volumes and a single SIEM could realistically house it all. It makes much less sense when daily ingest growth outpaces budget growth and when significant categories of data (DNS, NetFlow, full EDR) are excluded from analysis simply because nobody can afford to ingest them.

Centralised vs Federated

In a centralised model, every event is shipped, parsed, indexed and stored in one analytics platform. Detections, hunts and investigations all run against that single store. The model is operationally simple, but it pushes every cost decision back to the ingestion question — what can we afford to keep?

Federated security analytics inverts the relationship. Rather than moving the data to the compute, the compute moves to the data. A federated query engine, such as Vega’s Security Analytics Mesh (SAM), reaches into your existing SIEMs, data lakes, object storage and XDR platforms, runs the query where the data already lives and returns the result — not the petabytes.

But Don’t Pipelines Already Solve This?

Telemetry pipelines such as Cribl Stream do meaningful work: routing, reducing and shaping data before it reaches the SIEM. Used well, they are the single biggest lever for SIEM cost control we see in client environments, and Apto deploys them constantly. What pipelines do not do is remove the underlying assumption that analytics happens in one place. They make the centralisation cheaper; they do not eliminate it. Federation tackles the architectural question that pipelines optimise around.

Why This Matters for AI in the SOC

Every analyst-augmenting AI system (investigation copilots, automated triage, hunt generation) depends on access to the underlying data. If half of your relevant telemetry is sitting in cold object storage because it was too expensive to index, the AI cannot reason about it. Federation makes the full data estate addressable, which turns out to be a precondition for AI to deliver in a SOC rather than just generate plausible-looking summaries of partial data.

How It Plays Out in Practice

Consider an investigation into a suspected credential compromise. The questions are not exotic: where did this account authenticate from, what cloud resources did it touch, what did the endpoint do, were there matching identities elsewhere. In a centralised model the answer depends entirely on what was ingested. In a federated model the same query reaches identity logs in Sentinel, cloud audit logs in a data lake, EDR data in a separate platform and historical archives in object storage — and returns one answer.
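The credential-compromise investigation above, written out as a small federated query in Python. This is an added illustration, not Vega's code and not how SAM is implemented: the rows, account, hosts and addresses are constructed, each store keeps its own native schema, and the filter is pushed down into each connector so only matching rows leave the source and are merged into one timeline.

```python
from datetime import datetime, timezone

def _ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample data: each store keeps its own native schema (hypothetical account, hosts and addresses).
IDENTITY_LOGS = [  # Sentinel-style sign-in rows
    {"TimeGenerated": "2026-05-12T08:02:11", "UserPrincipalName": "j.smith@example.com", "IPAddress": "203.0.113.9"},
    {"TimeGenerated": "2026-05-12T08:40:53", "UserPrincipalName": "a.lee@example.com", "IPAddress": "198.51.100.4"},
]
CLOUD_AUDIT = [  # data-lake rows
    {"eventTime": "2026-05-12T08:05:40", "principal": "j.smith@example.com", "action": "GetObject", "resource": "finance-exports"},
]
EDR_EVENTS = [  # EDR platform rows; note the differently cased user
    {"timestamp": "2026-05-12T08:07:02", "user": "J.Smith@example.com", "host": "LT-0412", "process": "powershell.exe"},
]
ARCHIVE = [  # cold object storage: older sign-ins that were never indexed in the SIEM
    {"TimeGenerated": "2026-04-01T10:00:00", "UserPrincipalName": "j.smith@example.com", "IPAddress": "192.0.2.77"},
]

class Connector:
    """One data store. The filter runs here, at the source; only matching rows ever leave it."""
    def __init__(self, name, rows, ts_key, user_key, describe):
        self.name, self.rows, self.ts_key, self.user_key, self.describe = name, rows, ts_key, user_key, describe
        self.scanned = 0  # rows examined in place, to contrast with rows actually returned

    def query(self, account, since):
        hits = []
        for r in self.rows:
            self.scanned += 1
            if r[self.user_key].lower() == account.lower() and _ts(r[self.ts_key]) >= since:
                hits.append((_ts(r[self.ts_key]), self.name, self.describe(r)))  # normalised on the way out
        return hits

SOURCES = [
    Connector("sentinel", IDENTITY_LOGS, "TimeGenerated", "UserPrincipalName", lambda r: f"sign-in from {r['IPAddress']}"),
    Connector("datalake", CLOUD_AUDIT, "eventTime", "principal", lambda r: f"{r['action']} on {r['resource']}"),
    Connector("edr", EDR_EVENTS, "timestamp", "user", lambda r: f"{r['process']} on {r['host']}"),
    Connector("archive", ARCHIVE, "TimeGenerated", "UserPrincipalName", lambda r: f"sign-in from {r['IPAddress']}"),
]

def federated_investigate(account, since, connectors=SOURCES):
    """Fan one question out to every store and merge only the hits into a single ordered timeline."""
    timeline = [e for c in connectors for e in c.query(account, _ts(since))]
    return sorted(timeline)

def rows_scanned(connectors=SOURCES):
    return sum(c.scanned for c in connectors)
```

Calling `federated_investigate("j.smith@example.com", "2026-03-01T00:00:00")` returns four events ordered across the archive, Sentinel, the data lake and EDR, while `rows_scanned()` shows every row was examined where it lives and only the hits were moved.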

About Vega

For readers meeting Vega here for the first time: Vega is the security analytics company behind the Security Analytics Mesh (SAM). It was built on a simple bet — that the future of SIEM is fewer SIEMs, and that analytics should reach the data rather than the other way around.

SAM connects to Splunk, Microsoft Sentinel, CrowdStrike, Snowflake, Databricks, object storage and a growing list of identity, EDR and cloud sources. Detections, hunts and investigations run across all of them in place. Nothing is migrated. Nothing is re-indexed.

Vega has raised $185M from Accel, Cyberstarts, Redpoint and CRV, and is used today by Fortune 200 organisations, global banks and healthcare providers.

Vega calls this the Post-SIEM Era. For UK enterprises that have spent a decade negotiating ingest budgets line by line, the economics speak for themselves.

How Apto Fits

Federation does not close the operator gap; it changes its shape. Connectors need engineering. Detection content still needs writing, peer review and continuous validation. MITRE coverage still needs measuring. Egress and federated query costs need monitoring. None of this happens by accident.

This is where Apto fits. We already operate the platforms a federated mesh sits on top of — Splunk, Grafana, Microsoft Sentinel, Cribl, Databricks. Adding Vega as a federation layer means the operator already understands the underlying data, the licence economics, the schemas and the existing detection content. Our Operate Core service monitors SAM performance, source connector health and MITRE coverage daily; Operate Attach delivers the engineering work — detection-as-code pipelines, connector onboarding, KQL library development — in prioritised sprints.

For UK enterprises facing the same data-growth and budget-compression dynamics that drove this architectural shift, federation is becoming hard to ignore. The technology is ready. The harder question is who operates it day to day. We think we have a useful answer to that.
