Beyond Data Routing: Slash SIEM Costs with LimaCharlie's Security Observability Pipeline

Ken Westin, Solutions Engineer at LimaCharlie

Observability pipeline vendors have settled into a comfortable division of labor: they move data, and something downstream decides what the data means. You buy a tool to route logs, then you buy a SIEM to store and search them, then you pay again for the detection and response layer that acts on what the SIEM finds. Ken Westin, a solutions engineer at LimaCharlie, spent this session arguing that the division of labor is itself the problem. Once you accept that the pipeline and the detection engine are separate products, you have already accepted three bills where there could be one, and a handoff seam where there could be none.

The argument lands hardest on the people Westin named as the majority of LimaCharlie's customers: MSSPs. They adopt the platform, he said, because they can lean on its multi-tenancy, because everything in the UI is also available through the API, and because high-volume data sources are precisely where it proves more cost-effective. That last point is the one providers feel in their margins. As Westin put it, most LimaCharlie customers are MSSPs, and "they need to be able to have those margins." His case is that the volume problem and the cost problem are the same problem, and that the fix is not a cheaper place to dump logs but a pipeline that decides what is worth keeping before anyone pays to keep it.

Filtering is the cost lever, not storage

Westin framed the history plainly. SIEM is old enough to drink, he joked; one of the first products on the market is over 22 years old, built for on-premises environments with small data sets and strong correlation engines. It was never asked to search terabytes of data drawn from SaaS applications and cloud infrastructure. Today the volume of logs grows exponentially, and the old assumption that you ingest everything and retain it for whatever the compliance window demands has become the thing driving the bill.

So the leverage moves upstream. In LimaCharlie the processing stage is where the real work happens: you parse logs that arrive in dozens of schemas, enrich them with GeoIP or threat intelligence, mask sensitive fields during ingest, and filter so you store only what carries operational value. Filtering, he stressed, is becoming increasingly important precisely because it is where the savings live. You stop storing everything and keep only the logs that matter to you. What survives the filter can then be transformed and routed wherever it belongs: a data lake, a legacy Splunk or Elastic that corporate security insists on keeping, an alert into Slack or GitHub, a dashboard or a BI tool. The pipeline does not replace those destinations. It decides, in flight, how much of your data deserves to reach them.

The seam is where the second bill hides

The point Westin returned to is that LimaCharlie does not hand the stream off to something else to make sense of it. Inside the same platform you write detections alongside the transforms, run the enrichment, and analyze, filter, and mask the data you are already moving. There is no moment where a routing tool finishes its job and a detection tool starts charging for its own. That seam is exactly where the conventional architecture spends money twice, and closing it is the difference between a pipeline that reshapes data and one that acts on it.

This is also why Westin resists calling LimaCharlie a SIEM, an EDR, or a cloud security tool, even though it covers most of those use cases without being a point solution. He described it instead as a box of Legos: not a black box you accept as shipped, but a platform you configure to your operations, replacing point solutions or augmenting them as you see fit. Providers do not adopt it to swap one point solution for another. They adopt it because it was built multi-tenant and scalable rather than retooled from an on-premises product that, in his words, was designed on prem and then rearchitected for the cloud, never quite able to handle the multi-tenancy or scale a service business needs. The included year of telemetry retention belongs to the same logic. When storage is efficient enough to give a full year away, whether the telemetry arrives from endpoint agents, adapters, or any other source, retention stops being a separate procurement and the efficiency passes through as savings to the customer.

Pushing the configuration to where the logs are

The live demo made the abstraction concrete through external adapters, a newer way to pull in logs from a server where you are not deploying an endpoint agent. The older pattern relied on a configuration file sitting next to the adapter on the host. The new one moves that configuration into the web UI itself: an admin sets four permissions, no extension required, then deploys the adapter with a configuration identifier and an organization ID. The adapter calls home to LimaCharlie, finds its configuration, downloads it, and follows the rules. The reason that matters is fleet management. Westin ran the demo against a set of honeypots and controlled the configuration of all of them through a single rule, which is precisely the shape multi-tenant operations need: change the policy once, and every system inheriting it follows.

From there the rest of the pipeline was visible in a few clicks. Live events streamed into the timeline from the honeypots, including the steady noise of strangers trying to log in, and from any sample event he could write a detection and response rule on the spot. He then walked through outputs. From an incoming event he could forward to an S3 bucket, and he opened an existing custom transform feeding a Slack webhook, the kind of transform that trims a payload to only the fields a destination needs before sending it on to a bucket or a database. The detail that ties the argument together is that the data also stays retained in LimaCharlie. You forward a filtered copy wherever you want it and still keep the full record as a system of record, which is the opposite of the usual tradeoff where sending data somewhere cheaper means losing it where you can search it.
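The processing stage described earlier (parse several schemas, enrich, mask at ingest, filter) together with a transform that trims a payload to the fields a destination needs, as a self-contained illustration added here; it is not LimaCharlie's code or rule syntax, and the sample log lines, the /24 geo table, the filter policy and the Slack field list are all constructed assumptions.

```python
import json
import re

# Constructed sample input in two schemas (syslog-style sshd lines and a JSON
# application event); made-up records, not the talk's demo data.
RAW_LOGS = [
    "Jan 12 03:14:07 hp-01 sshd[812]: Failed password for root from 203.0.113.9 port 5122 ssh2",
    "Jan 12 03:14:09 hp-01 sshd[812]: Failed password for root from 203.0.113.9 port 5123 ssh2",
    "Jan 12 03:15:01 hp-01 sshd[830]: Accepted password for admin from 198.51.100.4 port 4410 ssh2",
    '{"host": "app-01", "user": "alice", "src_ip": "198.51.100.4", "result": "Accepted", "password": "hunter2"}',
]
GEOIP = {"203.0.113": "XX", "198.51.100": "YY"}  # constructed /24 table standing in for a GeoIP feed
SSHD_RE = re.compile(r"(?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src_ip>\S+)")
SENSITIVE = ("password", "token")                # fields masked at ingest (assumed policy)
SLACK_FIELDS = ("host", "user", "src_ip", "geo")  # all the assumed Slack destination needs

def parse(line):
    """Normalize either schema into one flat event dict (None if unparseable)."""
    if line.startswith("{"):
        return json.loads(line)
    m = SSHD_RE.search(line)
    return m.groupdict() if m else None

def enrich(ev):
    """Tag the event with a geo label from the constructed /24 lookup."""
    ev["geo"] = GEOIP.get(".".join(ev["src_ip"].split(".")[:3]), "unknown")
    return ev

def mask(ev):
    """Mask sensitive fields so they are never retained or forwarded in clear."""
    return {k: ("[MASKED]" if k in SENSITIVE else v) for k, v in ev.items()}

def keep(ev):
    """Example filter policy: successful logins carry value; failed ones are noise."""
    return ev.get("result") == "Accepted"

def transform_for_slack(ev):
    """Trim the payload to only the fields the destination needs."""
    return {k: ev[k] for k in SLACK_FIELDS if k in ev}

def run_pipeline(lines):
    """Return (full records retained as system of record, trimmed copies forwarded)."""
    retained, forwarded = [], []
    for ev in filter(None, map(parse, lines)):
        ev = mask(enrich(ev))
        retained.append(ev)  # the full record stays, whatever is forwarded
        if keep(ev):
            forwarded.append(transform_for_slack(ev))
    return retained, forwarded
```

Running `run_pipeline(RAW_LOGS)` retains all four events in full (with the password already masked) but forwards only the two successful logins, each trimmed to four fields.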

For an MSSP or MDR weighing this, the question Westin posed is not whether LimaCharlie routes data better than a dedicated pipeline tool. It is whether routing should ever have been a standalone purchase. A pipeline that filters before you pay, detects on the stream it moves, and retains a year of what it sees collapses a stack of products into one cost you can actually reason about per tenant. Anyone curious can test the claim through the free community edition at free.limacharlie.io, which carries two organizations, two sensors, and every feature shown, alongside the guide Westin built for standing up the external adapter.

See what agentic SecOps looks like in your environment

LimaCharlie gives MSSPs and MDRs a fully programmable SecOps Cloud Platform, with transparent usage-based pricing, API-first integration across every telemetry source, and the infrastructure to run multi-tenant operations at scale.