The Onum Blog
2025-05-01T05:00:00+01:00, 10 min read

Redefining Real-time: Closing the Incident Response Gap with (Actual) Real-time Alerting

Onum redefines security with data pipelines built for real-time alerting and rapid response, achieving millisecond-speed processing for immediate threat detection.

Erika Childers
Director, Content & Brand

In cybersecurity, milliseconds matter. When a threat actor gains access to your environment, the clock starts ticking — and every second that passes increases your risk exposure exponentially.

While some vendors liberally apply the term "real-time" to their solutions and others debate the “value in over-investing in real-time unless there is a driving business need,” we tend to see things quite differently. To us, the business need is clear, and investing in real-time is critical to staying ahead in a millisecond world.

Born from Frustration: Why We Built Onum

Onum was born from the firsthand frustration of handling massive volumes of telemetry data that delivered value too late to matter. By only processing data after storage, legacy analytical systems create detection delays that sophisticated attackers systematically exploit.

Our co-founders, Pedro Castillo and Lucas Varela, experienced this pain directly. They spent years buried in terabytes of daily log data that was growing non-stop — redundant, noisy, and pushed into slow, expensive systems. Pedro experienced a specific incident during his time at Bankinter where the tech stack he was using left him lagging behind a sophisticated phishing attack.

"What we needed wasn't another tool to analyze data after the fact," he explains. "We needed a way to shape, route, and act on that data before it ever reached an expensive or slow system. That's what we built."

The Technical Limitations of "Near Real-Time" Processing

Conventional security architectures follow a store-then-process methodology, where raw data is transported to a central system before analysis can begin. This means dealing with egress costs, networking challenges, and infrastructure scaling, and it forces every event through the same sequence of steps:

  1. Collect data from various endpoints and systems

  2. Transmit the data across the network

  3. Store and index the data in a central location

  4. Analyze the data after minutes - or longer - of delay

This architecture creates critical exposure windows at exactly the wrong time: during the early stages of an attack. And the consequences compound quickly:

Financial Impact: Every minute of delayed detection during a breach adds an average of $15,000 to remediation costs, according to industry benchmarks. When multiplied across multiple incidents annually, these delays translate to millions in preventable expenses.

Operational Disruption: While your security team waits for data to be processed, attackers move laterally through systems, compromise additional endpoints, and establish persistence mechanisms that require extensive remediation. This extends recovery timelines from days to potentially weeks, redirecting IT resources away from strategic initiatives.

Compliance Consequences: Regulatory frameworks increasingly mandate rapid detection and response capabilities. The gap between incident occurrence and detection often triggers reporting requirements, regulatory scrutiny, and potential penalties that could have been avoided with true real-time detection.

To mask these shortcomings, some vendors rebranded their delays as “near real-time” - a euphemism that lowers customers' expectations and normalizes additional accepted risk.

CrowdStrike reports the fastest observed breach times at just over two minutes, and ransomware groups that operate on sub-24-hour timeframes. When faced with adversaries operating at this pace, cybersecurity leaders can’t afford to debate what true real-time actually means.

The Technical Architecture of True Wire-Speed Processing

Onum is built for wire-speed performance - processing telemetry as it moves, not after it rests. Unlike traditional platforms that store first and analyze later, Onum operates directly in the data path.

Onum eliminates conventional processing delays through a fundamentally different architecture that prioritizes in-transit data processing. Rather than waiting for data to reach a centralized repository, it processes security telemetry while it's in motion, through three integrated components:

1. Precise Data Reduction: Cost Optimization at Scale

Our platform applies filtering rules to incoming data streams, identifying and eliminating redundant, duplicate, or irrelevant information with minimal processing overhead. This targeted approach not only reduces processing latency but transforms your security economics by:

  • Up to 50% savings on cloud storage

  • Reduced SIEM licensing costs by eliminating noise

  • Less alert fatigue, more analyst focus

"Not all data is created equal," explains Lucas. "Organizations must decide what data needs to be collected, analyzed, enriched, and acted upon immediately versus what should be stored, archived, or deleted."

2. In-Transit Enrichment: Accelerating Time-to-Value

Onum injects critical contextual elements — threat intelligence indicators, user behavioral baselines, asset metadata — directly into data streams as they move through the pipeline. This architectural innovation delivers measurable business outcomes:

  • Cuts mean time to detect by 73%

  • Reduces average incident cost by 38%

  • Enables teams to triage and respond to 3x more alerts with no new headcount

Where legacy architectures perform these computationally intensive operations post-storage, Onum enriches mid-flight—delivering insights, not just inputs.

3. Deterministic Routing: Operational Agility Without Compromise

Onum's flexible routing engine directs optimized data to any destination — SIEMs, EDR platforms, cloud storage, custom applications — without vendor-specific constraints or format limitations. This capability delivers strategic business benefits:

  • Accelerates new tool integrations from months to days

  • Future-proofs your stack against vendor change or architectural shifts

  • Eliminates lock-in, maximizing ROI across your ecosystem

The platform's distributed processing architecture processes and forwards security telemetry in an average of 230 milliseconds, compared to minutes with conventional approaches — transforming not just technical performance but business resilience in the face of sophisticated threats.

Real-World Impact: Impossible Travel Detection

To illustrate the operational and financial impact of millisecond-level processing, let's examine a standard credential theft scenario that organizations face daily: impossible travel detection.

The Scenario:

A user authenticates from New York at 14:00:00. Twenty minutes later, the same authentication credentials are used from Singapore — a geographic impossibility indicating credential compromise.

Conventional Architecture Response:

  1. Authentication logs traverse the network to a centralized SIEM (30-60 seconds)

  2. Data undergoes ingestion, parsing, and indexing (60-240 seconds)

  3. Detection rules execute on indexed data (60-360+ seconds)

  4. Alert generation and notification (7-10 minutes after second authentication)

During this processing window, the threat actor gains approximately 10 minutes of unrestricted system access — sufficient time to establish persistence, deploy lateral movement tools, or exfiltrate sensitive data. For financial institutions, this can mean millions in fraudulent transactions; for healthcare organizations, thousands of patient records accessed; and for any business, the commencement of a ransomware deployment that will cost an average of $4.5 million to remediate.

Onum's Millisecond Advantage:

  1. Authentication events are intercepted at ingestion points

  2. Geo-enrichment and user context are applied in-transit

  3. Correlation rules identify impossible travel patterns as data flows

  4. Alert generation occurs in approximately 230 milliseconds

  5. Automated response workflows initiate before the attacker can establish post-exploitation tools
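The in-stream check that steps 2 and 3 describe, written out as an added example (not Onum's code): each authentication event is geo-enriched on arrival, compared with the same user's previous login, and an alert is produced the moment the implied travel speed is implausible. The IP-to-location table, the 1000 km/h plausibility threshold and the sample events are constructed for this illustration; a real pipeline would enrich from a GeoIP database.

```python
import math
from datetime import datetime

# Constructed stand-in for a GeoIP lookup: source IP -> (city, lat, lon).
# RFC 5737 documentation addresses; coordinates are approximate city centres.
GEO = {
    "198.51.100.7": ("New York", 40.7128, -74.0060),
    "198.51.100.8": ("New York", 40.7306, -73.9352),
    "203.0.113.9": ("Singapore", 1.3521, 103.8198),
}

def haversine_km(lat1, lon1, lat2, lon2):
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dl = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))  # great-circle distance in km

class ImpossibleTravelDetector:
    """Evaluates each login against the user's previous login as it arrives."""
    def __init__(self, max_kmh=1000.0):  # roughly commercial airliner speed
        self.max_kmh = max_kmh
        self.last = {}  # user -> (timestamp, city, lat, lon)

    def process(self, event):
        """Return an alert dict for this event, or None when travel is plausible."""
        geo = GEO.get(event["src_ip"])
        if geo is None:  # no enrichment available: cannot judge, skip
            return None
        city, lat, lon = geo
        ts, user = datetime.fromisoformat(event["ts"]), event["user"]
        alert, prev = None, self.last.get(user)
        if prev is not None:
            pts, pcity, plat, plon = prev
            km = haversine_km(plat, plon, lat, lon)
            hours = (ts - pts).total_seconds() / 3600
            # a real distance in zero or negative elapsed time is impossible too
            if km > 0 and (hours <= 0 or km / hours > self.max_kmh):
                alert = {"user": user, "from": pcity, "to": city,
                         "km": round(km), "minutes": round(hours * 60)}
        self.last[user] = (ts, city, lat, lon)
        return alert

# Constructed sample stream: a plausible intra-city move, then the scenario above.
EVENTS = [
    {"ts": "2025-05-01T13:50:00", "user": "alice", "src_ip": "198.51.100.8"},
    {"ts": "2025-05-01T14:00:00", "user": "alice", "src_ip": "198.51.100.7"},
    {"ts": "2025-05-01T14:20:00", "user": "alice", "src_ip": "203.0.113.9"},
]

def run(events=EVENTS):
    return [a for a in map(ImpossibleTravelDetector().process, events) if a]
```

The first two events stay silent (a few kilometres in ten minutes); the third raises a single alert for roughly 15,300 km covered in 20 minutes.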

This improvement in detection speed fundamentally changes security economics and operational outcomes:

  • Financial Protection - Real-time blocking prevents downstream damage, reducing breach costs by 67% on average based on customer-reported outcomes

  • Security Team Efficiency - Reduced noise and manual triage equal fewer emergencies, lower burnout, and improved talent retention

  • Compliance Confidence - Demonstrate rapid detection during audits and avoid fines that can exceed $5.4M per incident in regulated sectors

  • Brand Protection - Contain threats early to prevent the reputational fallout of public breaches and customer churn

This difference fundamentally alters the detection/response equation and gives security teams critical time and control back — not just improving security metrics, but transforming business resilience and competitive positioning in the marketplace.

Quantifiable Benefits Beyond Security

True millisecond-level security operations deliver measurable benefits beyond theoretical security improvements:

  • Infrastructure optimization: Onum's intelligent data reduction decreases storage and processing requirements, with customers reporting an average 50% reduction in data storage costs

  • Compliance risk reduction: Complete data traceability simplifies adherence to evolving regulatory requirements

  • Detection acceleration: Processing security telemetry in motion reduces alert generation times from minutes or seconds to milliseconds

  • Operational efficiency: By eliminating data processing bottlenecks, security operations centers can process more alerts with existing staff resources

Security Demands Millisecond Precision

Today’s threats don’t wait. They operate at machine speed, automating actions in seconds or less. Security architectures must match this operational tempo to maintain defensive parity. Implementing millisecond-level detection with Onum establishes a critical capability against today's sophisticated threat actors.

As Lucas notes: "Teams need to act on data while it moves, not after it lands. Waiting for it to reach an analytical system is simply too late."

The technical reality is unambiguous: when detection lags by minutes, attackers already have a foothold. That delay isn’t a tradeoff; it is exposure. Millisecond-level detection transforms security from reactive investigation to proactive prevention.

Want to see Onum’s true real-time detection in action? Get a personalized test drive with an Onum Pipeline Architect!  
