Reduce spending on Splunk and other high-cost security data solutions through LimaCharlie

Maxime Lamothe-Brassard, Co-founder and CEO at LimaCharlie

The economics of security data have a structural flaw that no amount of negotiating with a SIEM vendor fixes. Splunk and the data lakes that compete with it charge by volume, which means the tool that gives you the most analytical power is also the one you can least afford to feed completely. So providers do the thing that feels responsible and filter at the front door, dropping data before it lands in the expensive store. Maxime Lamothe-Brassard, co-founder and CEO of LimaCharlie, spent this session making the case that this is the wrong cut to make, because the moment you discard data at the boundary of your premium tool, you have not saved money so much as bought yourself a blind spot you will not discover until you need the data that is gone.

His alternative is to separate two decisions that the SIEM-centric model forces you to make at the same moment: what you keep, and what you analyze in your most expensive tool. Those are not the same question, and treating them as one is what makes the bill grow quietly until it becomes the line every provider has to defend.

Retention and routing are different problems

The architecture Lamothe-Brassard demonstrated puts LimaCharlie in front of the expensive back end as a first layer that ingests everything, then forwards only what earns its place downstream. The reason this works is that LimaCharlie's retention is not priced like a SIEM's. General-purpose logs run at fifteen cents per gigabyte, retained for a full year, with published pricing and no long-term contract, which he frames as an order of magnitude below a traditional data lake. That gap is the whole argument. When keeping a year of telemetry is cheap, you no longer have to decide what to throw away to control cost. You decide what to route, which is a smaller and far less destructive decision.

And the retained data is not inert. He showed the timeline view where you can jump to any point in a sensor's history, search the full year, and export whatever you need. His own example was pulling a 1Password audit log from seven months ago at three in the morning, reachable for a manual investigation in seconds by dropping onto the sensor's timeline and selecting that point in time. That is the part the front-door-filter approach cannot offer. Once you have filtered an event out at the boundary of your premium tool, there is no timeline to scroll back to.

A switching layer only works if everything speaks the same language

The leverage in this design comes from consolidation, and consolidation only pays off if the sources are genuinely uniform once they arrive. In the demo tenant, Lamothe-Brassard had Windows EDR, Chrome OS, a box running Microsoft Defender, a Linux box, macOS, Office 365 audit logs, and GCP audit logs all flowing into one place. Data enters two ways: through LimaCharlie's own EDR, which covers Linux with eBPF and Docker support alongside Windows and macOS, or through an adapter that ingests external telemetry regardless of source, from on-prem syslog to CloudTrail to 1Password audit logs to text and JSON. Whatever the origin, it lands in a common format, so a GCP audit log and an endpoint event are queryable and routable the same way.

That sameness is what turns routing into configuration rather than engineering. He walked through three output types to make the point. Events carry raw telemetry from any sensor. Detections carry the alerts the rules engine generates. The tailored output is the interesting one: it emits nothing by default and is fed by a detection and response rule, so you describe in a rule exactly which events should flow to it. His example matched Windows Event Log ID 4625 and routed only those events to the tailored stream, but the same mechanism scales to arbitrarily specific criteria. The contrast he kept returning to is what this would cost you to build inside Splunk itself. Engineering that selectivity into every place data lands gets painful fast and surrenders flexibility, and if you filter at the front door you lose the data. Doing it in the switching layer, you keep everything and still shrink what flows downstream.

The mechanics are deliberately unglamorous. He set up a bulk webhook into Logz.io in a couple of minutes, with options to sample high-volume sources, scope to a single sensor, include or drop specific events, and add an authentication header. One detail matters more than it looks: you can disable the routing wrapper LimaCharlie normally adds, the JSON envelope carrying internal and external IPs, sensor tags, and timestamps, so a clean single stream like GCP audit logs arrives downstream byte-for-byte as it came in. For cost work, where every field you forward is a field you pay to store, that control is the point.
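The three preceding sections describe one mechanism from three angles: every source normalized into a common shape, a rule selecting which events feed a tailored output, and per-output controls for sampling, sensor scope and the routing envelope. The following Python model is an added example written for this page, not LimaCharlie's code or its rule syntax; the `Event` shape, the `EVENT.System.EventID` field path for Windows events, the counter-based sampler and every telemetry record in `run_demo()` are assumptions or constructed values. The `match` callable on each `Output` stands in for the detection and response rule that feeds a tailored output, and `retained` stands in for the cheap year-long store that receives everything regardless of routing.

```python
"""Model of a switching layer: retain every event, forward only rule-selected ones."""
import json
import re
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional


@dataclass
class Event:
    """Common shape every source is normalized into (assumed, not LimaCharlie's schema)."""
    sensor_id: str
    source: str            # "wel", "syslog" or "gcp_audit"
    ts: int                # epoch seconds (constructed values below)
    event: Dict[str, Any]  # the payload exactly as the adapter received it
    tags: List[str] = field(default_factory=list)


SYSLOG_RE = re.compile(r"^<(\d+)>(\S+) (\S+) ([^:]+): (.*)$")


def normalize_syslog(sensor_id: str, line: str, ts: int) -> Event:
    """Adapter for a constructed '<pri>stamp host tag: message' syslog line."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    pri, stamp, host, tag, msg = m.groups()
    return Event(sensor_id, "syslog", ts,
                 {"priority": int(pri), "stamp": stamp, "host": host, "tag": tag, "message": msg})


def normalize_gcp_audit(sensor_id: str, raw_json: str, ts: int) -> Event:
    """Adapter for a GCP audit log record delivered as JSON text; payload kept as-is."""
    return Event(sensor_id, "gcp_audit", ts, json.loads(raw_json))


def normalize_wel(sensor_id: str, event_id: int, data: Dict[str, Any], ts: int) -> Event:
    """Windows Event Log record as an EDR might emit it (field layout is an assumption)."""
    return Event(sensor_id, "wel", ts,
                 {"EVENT": {"System": {"EventID": event_id}, "EventData": data}})


@dataclass
class Output:
    """One downstream destination; 'match' plays the role of the rule feeding a tailored output."""
    name: str
    match: Callable[[Event], bool]
    sensor_scope: Optional[str] = None   # forward only from this sensor, if set
    sample_every: int = 1                # forward 1 in N matching events
    strip_wrapper: bool = False          # deliver the raw payload, no routing envelope
    delivered: List[Any] = field(default_factory=list)
    matched: int = field(default=0, repr=False)

    def accept(self, ev: Event) -> bool:
        if self.sensor_scope and ev.sensor_id != self.sensor_scope:
            return False
        if not self.match(ev):
            return False
        self.matched += 1
        return self.matched % self.sample_every == 0

    def render(self, ev: Event) -> Any:
        if self.strip_wrapper:
            return ev.event   # arrives downstream exactly as it came in
        return {"sensor_id": ev.sensor_id, "ts": ev.ts, "tags": ev.tags,
                "source": ev.source, "event": ev.event}


class SwitchingLayer:
    def __init__(self, outputs: List[Output]) -> None:
        self.retained: List[Event] = []  # cheap long-retention store: everything lands here
        self.outputs = outputs

    def ingest(self, ev: Event) -> None:
        self.retained.append(ev)         # retention is decided first, independently of routing
        for out in self.outputs:
            if out.accept(ev):
                out.delivered.append(out.render(ev))

    def timeline(self, sensor_id: str, start: int, end: int) -> List[Event]:
        """Scroll back through a sensor's full history, whether or not it was routed anywhere."""
        return [e for e in self.retained if e.sensor_id == sensor_id and start <= e.ts <= end]


def is_failed_logon(ev: Event) -> bool:
    """Stand-in for a rule matching Windows Event ID 4625 (failed logon)."""
    return ev.source == "wel" and ev.event["EVENT"]["System"]["EventID"] == 4625


def run_demo() -> Dict[str, Any]:
    failed = Output("failed-logons", is_failed_logon)
    gcp = Output("gcp-audit-to-siem", lambda e: e.source == "gcp_audit", strip_wrapper=True)
    sysl = Output("syslog-sampled", lambda e: e.source == "syslog",
                  sensor_scope="lnx-01", sample_every=2)
    layer = SwitchingLayer([failed, gcp, sysl])

    # Constructed telemetry, not captured from any real environment.
    layer.ingest(normalize_wel("win-01", 4624, {"TargetUserName": "alice"}, 1_700_000_000))
    layer.ingest(normalize_wel("win-01", 4625, {"TargetUserName": "alice", "Status": "0xC000006D"},
                               1_700_000_060))
    layer.ingest(normalize_wel("win-02", 4625, {"TargetUserName": "svc-backup", "Status": "0xC000006D"},
                               1_700_000_120))
    for i in range(4):
        layer.ingest(normalize_syslog(
            "lnx-01", f"<86>Nov14 host1 sshd[{100 + i}]: Accepted publickey for bob", 1_700_000_200 + i))
    layer.ingest(normalize_gcp_audit(
        "gcp-proj",
        '{"protoPayload": {"methodName": "SetIamPolicy", '
        '"authenticationInfo": {"principalEmail": "ops@example.com"}}}',
        1_700_000_300))
    return {"layer": layer, "failed": failed, "gcp": gcp, "syslog": sysl}
```

Running `run_demo()` shows the two decisions kept apart: all eight events are retained and reachable through `timeline()`, including the 4624 logon that no output selected, while the failed-logon output receives only the two 4625 records, the GCP output receives the audit record without any envelope, and the sampled syslog output receives every second line from the one sensor it is scoped to.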

Why the flexibility matters more than the discount

The cost reduction is the headline, but Lamothe-Brassard kept circling back to something subtler that should land harder with any MSSP or MDR running real client volume. The expensive part of a SIEM is not only the per-gigabyte rate. It is the lock-in that rate buys. Once you have instrumented hundreds of servers to feed one back end, evaluating a competitor or migrating a tenant means re-instrumenting all of it, which is why most providers never seriously test alternatives.

Putting the switching layer in the middle dissolves that. If a vendor you are evaluating tomorrow needs DNS traffic, you add an output, select the events, point it at the new tool or a Kafka queue, and data streams in seconds. Run the trial, remove the output, and the flow stops just as fast. No contract, no re-instrumentation, no touching the endpoints. The same move that adds a new analytics platform also onboards a new client or moves a tenant between back ends. He described LimaCharlie as security infrastructure built the way AWS builds infrastructure, provisioned when you need it and torn down when you do not, and this is where that framing earns its keep. The reason to filter in the middle rather than at the front door is not just that you keep your data. It is that you keep the freedom to change your mind about where the expensive analysis happens, which over the life of a service contract is worth more than the discount itself.
