// Warm data tier for security

Your data lake is your warm data.

Cut observability and SIEM costs by turning your existing data lake into a fast, searchable warm tier — without changing ingest, moving data, or replacing your stack.

Calculate your savings See how it works

10×: Lower SIEM cost
50×: Lower lake compute
30×: Faster investigations

storage_tiers.tsv

HotSIEM · expensive

WarmDAG · queryable lake

DAG

ColdArchive · slow

$$$

cost

$ · fast

warm

slow

access

// The market shift

Data is surging out of closed SIEMs into open data lakes.

Cloud providers, data platforms, and observability vendors are all moving with it.

Observability / SIEM stays

The analyst workflow layer remains, but the data layer is becoming open.

Data moves

Open formats and cloud-native lakes are replacing proprietary hot storage.

Real-world examples

Major platforms already participating in the shift to open security data lakes.

AWS Security LakeMS Sentinel DLLakewatch

// The cost problem

Security teams are stuck between hot bills and cold archives.

Hot tier is expensive

Hot tier costs snowball fast. Retention bloat keeps the bill climbing.

Investigations demand speed

Security teams have no choice but to keep data hot. When an investigation hits, slow access is not an option.

Cold tier is too painful

Cut costs and you cripple investigations. Keep it queryable and the bill keeps bleeding — a trap with no clean exit.

// Why existing approaches fall short

Most cost tools fight the wrong battle.

Existing tools focus on ingest: deduplication, filtering, routing — deciding what to send to the SIEM.

Our focus is different. We reduce how much data must stay in the expensive SIEM hot tier by making the cold tier queryable and 10× cheaper — without touching ingest at all.

!The risk

Putting data in cold tier makes investigations both costly and slow — defeating the purpose of keeping the data.

ingest tools

filter / route

DAG

query the lake

// our thesis

Cold is cheap. Hot is fast.
Warm is now critical.

The missing layer is warm: retained like cold, usable like hot, and built for AI-era workflows.

Long-horizon data

In the AI era, teams need historical data that's accessible and affordable — not a tradeoff between expensive hot and painful cold.

Built to fit workflows

A practical warm tier: cheap, fast, and seamless inside the SIEM and analyst tools your team already uses.

AI needs context

Cold storage hides costly rehydration and query delays. AI needs historical correlation — not just the latest hot data.

// Platform overview

One layer between your lake and your analysts.

DAG sits over your existing customer data lake — adding context-aware indexing and query acceleration without moving a byte.

Security tools

EDR
Firewalls
Identity
Cloud audit
Network

// DAG over your lake

Customer data lake (warm tier)

Context-aware index

regex · IOC · free-text · behavioral

Query acceleration

TBs scanned in seconds, not minutes

No data movement

queries run in-place over open formats

Native API

plugs into existing SIEM workflows

Analyst workflows

Splunk
Sentinel
AI agents
Hunters
IR teams

// How it creates value

From 90 days hot to 1–7 days hot.

Older data is searched directly from the data lake — fast and seamless.

10×

Lower observability / SIEM cost

Dramatically reduce hot storage spend.

50×

Lower data lake compute

Avoid expensive scans across TBs of data.

30×

Faster investigations

Access all your data — including cold — without compromise.

// ROI calculator

See how much you'd save with DAG.

Adjust your environment below to estimate the cost reduction from shifting hot SIEM data into a DAG-powered warm tier.

// your environment

Daily ingestion volume500 GB / day

50 GB5,000 GB

Total retention90 days

30 days24 months

Hot days kept in SIEM with DAG7 days hot

1 day30 days

The rest stays warm in your data lake — queryable in seconds.

43.9 TB

total retained

7d hot · 83d warm

tier split

// estimated savings

with DAG

89%

Reduction in cost

Monthly savings

$100K

Yearly savings

$1.2M

Today (all hot)$113K / mo

With DAG warm tier$13K / mo

Estimate based on industry-standard SIEM hot ingest of $2.50/GB/month and warm-tier lake storage + DAG indexing of $0.10/GB/month. Actual savings depend on your stack.

// Differentiation

Built for your lake, not against it.

Not another observability / SIEM
Not proprietary storage
Not another ingest pipeline
Not basic federated search

The key difference

Context-aware indexing and query acceleration over your existing lake.

Purpose-built for regex, free-text, IOC, and behavioral analysis — at warm-tier price with hot-tier speed.

regex

free-text

IOC

behavioral