Unifying SecOps and Observability: How to Slash SIEM Costs at the Edge
Drowning in firewall logs? IDC reports that up to 68% of enterprise data goes completely unused—yet security teams still pay a fortune to store it. As telemetry explodes, organizations are forced into a lose-lose scenario: blow up the IT budget to save everything, or drop data and create massive compliance and security blind spots.
Our customer — a massive, global design-as-a-service provider — recently faced this exact crisis. By partnering with MyDecisive, they didn't just filter their data; they fundamentally transformed their architecture to shift threat detection to wire-speed, bridging the gap between SecOps and Observability. Here is exactly how they eliminated millions in legacy pipeline spend while making their platform more secure than ever.
The Challenge: Drowning in Noise at 10 TB a Day
Facing a $4M annual Splunk bill to process 10 TB of data a day, the SecOps team was forced to discard the majority of their 1 million+ yearly Palo Alto firewall events. This massive data drop created immediate compliance red flags and guaranteed real threats were slipping through the cracks.
To solve this, the team deployed a legacy pipeline solution (Cribl Stream), hoping to filter incoming event volume by 90% and eliminate over $1 million per year in Splunk costs.
The plan hit a wall at scale. Processing 10 TB/day through their new pipeline cost the company approximately $1.2 million per year, completely offsetting the expected SIEM savings. Worse, their event volume only dropped by 66%, netting a meager reduction in their actual Splunk bill.
The Black Box: When Tooling Creates Engineering Silos
Beyond the financial mismatch, the legacy pipeline created severe operational friction. The solution relied heavily on JavaScript, creating an immediate skills gap. The SecOps teams were fluent in SplunkQL, not JavaScript.
Consequently, the Observability teams (who managed the company's Dynatrace deployment) were forced to step in to build and maintain the security pipelines for SecOps. This cross-team dependency turned the pipelines into a "black box," slowing down iteration cycles and stripping SecOps of autonomy over their own tooling. Furthermore, the legacy pipeline could not process Dynatrace metrics and traces, leading to a fragmented architecture.
The Breakthrough: Unifying SecOps and Observability
The turning point arrived when the organization transitioned to MyDecisive, introducing an open, flexible architecture built entirely around the workflows their engineers were already using.
With MyDecisive, both teams could finally work in shared instances without stepping on each other's toes:
- Autonomy Restored: SecOps could now filter and route data using familiar tools like regex, SplunkQL, and PromQL.
- Native Observability: Observability pipelines were built using standard OpenTelemetry (YAML, Go).
- Complete Visibility: SecOps logic could see the full, unredacted dataset and telemetry events before any data was dropped or redacted, drastically improving threat detection.
By running these operations in a single pass over the telemetry and logs, SecOps could now join firewall context with application context. This allowed them to identify genuine user activity with confidence and block malicious traffic right at the perimeter using Palo Alto rules.
Shifting to Wire-Speed Detection
The team shifted threat detection out of the SIEM and directly into the live data stream. Using wire-speed stateful detection, raw events were folded into highly contextualized incidents before hitting Splunk, slashing their reliance on expensive correlation.
Using ArgoCD built into the MyDecisive SmartHub, the teams ran two separate workflows side-by-side as their own "apps"—one for filtering firewall noise and detecting threats, and another for managing observability data.
Simultaneously, PII redaction was built directly into the MyDecisive pipelines, routing massive volumes of raw compliance data seamlessly to S3 (Iceberg) for cheap, long-term retention.
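The single-pass folding and redaction described above, as an added Go sketch that is not MyDecisive's or the customer's code: time-ordered firewall events sharing a source and action inside a window collapse into one incident, the user field is hashed before the incident leaves the pipeline, and only the incidents, not the raw rows, would travel on to the SIEM. The event shape, the field names and the unkeyed hash are assumptions for illustration.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"time"
)

// FirewallEvent is a constructed, simplified traffic-log record (assumed shape, not a vendor schema).
type FirewallEvent struct {
	Time                time.Time
	SrcIP, Action, User string // Action is "allow" or "deny"; User is PII
	DstPort             int
}

// Incident is the folded record that replaces the raw rows: one per source/action burst in a window.
type Incident struct {
	SrcIP, Action, UserHash string
	Count                   int
	Ports                   map[int]bool // distinct destination ports touched in the burst
	FirstSeen, LastSeen     time.Time
}

// Redact swaps a PII value for a truncated SHA-256 so incidents stay joinable without carrying it
// (an unkeyed hash is an illustrative assumption here; production redaction would use a keyed one).
func Redact(s string) string { return fmt.Sprintf("%x", sha256.Sum256([]byte(s)))[:12] }

// Fold is the single stateful pass over time-ordered events: a source/action pair within `window`
// of its open incident's first event merges into it; a later event flushes it and opens a new one.
func Fold(events []FirewallEvent, window time.Duration) []Incident {
	open, out := map[string]*Incident{}, []Incident{}
	for _, e := range events {
		key := e.SrcIP + "|" + e.Action
		inc, ok := open[key]
		if ok && e.Time.Sub(inc.FirstSeen) > window { // window closed: emit it, forget the raw rows
			out, ok = append(out, *inc), false
		}
		if !ok {
			inc = &Incident{SrcIP: e.SrcIP, Action: e.Action, FirstSeen: e.Time,
				UserHash: Redact(e.User), Ports: map[int]bool{}}
			open[key] = inc
		}
		inc.Count, inc.LastSeen, inc.Ports[e.DstPort] = inc.Count+1, e.Time, true
	}
	for _, inc := range open { // end of stream: flush whatever is still open
		out = append(out, *inc)
	}
	return out
}
```

A burst of denies from one source against several ports becomes a single incident whose distinct-port count is the signal worth escalating, while a lone allow stays a one-event incident.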
The Impact: $2.4M Saved and 97% Less Noise
By breaking the constraints of legacy SaaS monopolies and heavy scripting requirements, the design-as-a-service provider completely overhauled their data economics.
The final results:
- Wire-Speed Efficiency: Reduced 1 million raw security events to just 30,000 highly actionable incidents per year.
- Legacy Spend Eliminated: Removed ~$1.2M in legacy pipeline (Cribl) spend.
- SIEM Optimization: Successfully reduced Splunk dependency by an additional ~$1.2M.
- Observability Harmony: Seamlessly and natively processed full Dynatrace telemetry (logs, metrics, and traces), successfully reducing Dynatrace volumes by 50%.
- Compliance Secured: Offloaded critical compliance data to S3 without losing analytical access.
With a unified pipeline securely in place, the company is now integrating MyDecisive directly into its core DevOps workflows, shifting focus toward reducing Mean Time to Resolution (MTTR) and improving end-to-end system reliability for their global user base.