In cybersecurity, milliseconds matter. When a threat actor gains access to your environment, the clock starts ticking — and every second that passes increases your risk exposure exponentially.
While some vendors liberally apply the term "real-time" to their solutions and others debate the "value in over-investing in real-time unless there is a driving business need," we tend to see things quite differently. To us, the business need is clear, and investing in real-time is critical to staying ahead in a millisecond world.
Born from Frustration: Why We Built Onum
Onum was born from the firsthand frustration of handling massive volumes of telemetry data that delivered value too late to matter. By only processing data after storage, legacy analytical systems create detection delays that sophisticated attackers systematically exploit.
Our co-founders, Pedro Castillo and Lucas Varela, experienced this pain directly. They spent years buried in terabytes of daily log data that was growing non-stop — redundant, noisy, and pushed into slow, expensive systems. Pedro experienced a specific incident during his time at Bankinter where the tech stack he was using left him lagging behind a sophisticated phishing attack.
"What we needed wasn't another tool to analyze data after the fact," he explains. "We needed a way to shape, route, and act on that data before it ever reached an expensive or slow system. That's what we built."
The Technical Limitations of "Near Real-Time" Processing
Conventional security architectures follow a store-then-process methodology, where raw data is transported to a central system before analysis can begin. This means dealing with egress costs, networking challenges, and infrastructure scaling.
Collect data from various endpoints and systems
Transmit the data across the network
Store and index the data in a central location
Analyze the data after minutes - or longer - of delay
This architecture creates critical exposure windows at exactly the wrong time: during the early stages of an attack. And the consequences compound quickly:
Financial Impact: Every minute of delayed detection during a breach adds an average of $15,000 to remediation costs, according to industry benchmarks. When multiplied across multiple incidents annually, these delays translate to millions in preventable expenses.
Operational Disruption: While your security team waits for data to be processed, attackers move laterally through systems, compromise additional endpoints, and establish persistence mechanisms that require extensive remediation. This extends recovery timelines from days to potentially weeks, redirecting IT resources away from strategic initiatives.
Compliance Consequences: Regulatory frameworks increasingly mandate rapid detection and response capabilities. The gap between incident occurrence and detection often triggers reporting requirements, regulatory scrutiny, and potential penalties that could have been avoided with true real-time detection.
To mask these shortcomings, some vendors rebranded their delays as "near real-time" - a euphemism that lowers customers' expectations and normalizes additional accepted risk.
CrowdStrike reports breach times as fast as just over two minutes, and ransomware groups that operate on sub-24-hour timeframes. When faced with adversaries operating at this pace, cybersecurity leaders can't afford to debate what true real-time actually means.
The Technical Architecture of True Wire-Speed Processing
Onum is built for wire-speed performance - processing telemetry as it moves, not after it rests. Unlike traditional platforms that store first and analyze later, Onum operates directly in the data path.
Onum eliminates conventional processing delays through a fundamentally different architecture that prioritizes in-transit data processing. Rather than waiting for data to reach a centralized repository, Onum processes security telemetry while it's in motion through three integrated components:
1. Precise Data Reduction: Cost Optimization at Scale
Our platform applies filtering rules to incoming data streams, identifying and eliminating redundant, duplicate, or irrelevant information with minimal processing overhead. This targeted approach not only reduces processing latency but transforms your security economics by:
Up to 50% savings on cloud storage
Reduced SIEM licensing costs by eliminating noise
Less alert fatigue, more analyst focus
"Not all data is created equal," explains Lucas. "Organizations must decide what data needs to be collected, analyzed, enriched, and acted upon immediately versus what should be stored, archived, or deleted."
2. In-Transit Enrichment: Accelerating Time-to-Value
Onum injects critical contextual elements — threat intelligence indicators, user behavioral baselines, asset metadata — directly into data streams as they move through the pipeline. This architectural innovation delivers measurable business outcomes:
Cuts mean time to detect by 73%
Reduces average incident cost by 38%
Enables teams to triage and respond to 3x more alerts with no new headcount
Where legacy architectures perform these computationally intensive operations post-storage, Onum enriches mid-flight—delivering insights, not just inputs.
3. Deterministic Routing: Operational Agility Without Compromise
Onum's flexible routing engine directs optimized data to any destination — SIEMs, EDR platforms, cloud storage, custom applications — without vendor-specific constraints or format limitations. This capability delivers strategic business benefits:
Accelerates new tool integrations from months to days
Future-proofs your stack against vendor change or architectural shifts
Eliminates lock-in, maximizing ROI across your ecosystem
The platform's distributed processing architecture processes and forwards security telemetry in an average of 230 milliseconds, compared to minutes with conventional approaches — transforming not just technical performance but business resilience in the face of sophisticated threats.
Real-World Impact: Impossible Travel Detection
To illustrate the operational and financial impact of millisecond-level processing, let's examine a standard credential theft scenario that organizations face daily: impossible travel detection.
The Scenario:
A user authenticates from New York at 14:00:00. Twenty minutes later, the same authentication credentials are used from Singapore — a geographic impossibility indicating credential compromise.
Conventional Architecture Response:
Authentication logs traverse the network to a centralized SIEM (30-60 seconds)
Data undergoes ingestion, parsing, and indexing (60-240 seconds)
Detection rules execute on indexed data (60-360+ seconds)
Alert generation and notification (7-10 minutes after second authentication)
During this processing window, the threat actor gains approximately 10 minutes of unrestricted system access — sufficient time to establish persistence, deploy lateral movement tools, or exfiltrate sensitive data. For financial institutions, this can mean millions in fraudulent transactions; for healthcare organizations, thousands of patient records accessed; and for any business, the commencement of a ransomware deployment that will cost an average of $4.5 million to remediate.
Onum's Millisecond Advantage:
Authentication events are intercepted at ingestion points
Geo-enrichment and user context are applied in-transit
Correlation rules identify impossible travel patterns as data flows
Alert generation occurs in approximately 230 milliseconds
Automated response workflows initiate before the attacker can establish post-exploitation tools
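The scenario above, worked through as a small in-stream detector: each authentication event is geo-enriched as it arrives, compared against the user's last known location, and flagged when the implied travel speed is physically impossible. This is an added illustration, not Onum's code; the GeoIP table, the event format, the 1000 km/h threshold and the sample values are all constructed for the demo.

```python
import math
from datetime import datetime

# Constructed stand-in for a GeoIP database, keyed by /24 prefix (demo only).
GEO_DB = {
    "203.0.113": ("New York", 40.7128, -74.0060),
    "198.51.100": ("Singapore", 1.3521, 103.8198),
}


def geo_enrich(ip):
    """In-transit enrichment: map a source IP to (city, lat, lon), or None if unknown."""
    return GEO_DB.get(ip.rsplit(".", 1)[0])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

class ImpossibleTravelDetector:
    """Streaming detector: state is one (time, location) per user, so no store-then-query step."""

    def __init__(self, max_kmh=1000.0):  # above airliner cruise speed, with margin
        self.max_kmh = max_kmh
        self.last = {}  # user -> (timestamp, city, lat, lon)

    def process(self, event):
        """Consume one auth event as it flows past; return an alert dict or None."""
        geo = geo_enrich(event["src_ip"])
        if geo is None:
            return None  # no location: no basis for a travel judgement
        ts = datetime.fromisoformat(event["ts"])
        city, lat, lon = geo
        prev = self.last.get(event["user"])
        if prev is not None and ts < prev[0]:
            return None  # out-of-order arrival: keep the newer state, skip judgement
        self.last[event["user"]] = (ts, city, lat, lon)
        if prev is None:
            return None  # first sighting of this user: nothing to compare against
        p_ts, p_city, p_lat, p_lon = prev
        km = haversine_km(p_lat, p_lon, lat, lon)
        hours = (ts - p_ts).total_seconds() / 3600.0
        # Zero elapsed time with non-zero distance is impossible too; avoid dividing by zero.
        if km > 0 and (hours == 0 or km / hours > self.max_kmh):
            return {"user": event["user"], "from": p_city, "to": city,
                    "km": round(km), "minutes": round(hours * 60)}
        return None
```

Feeding the New York login at 14:00:00 and then the Singapore login at 14:20:00 yields an alert on the second event itself, with no index to wait for; same-city re-logins, unknown prefixes and late-arriving events produce nothing.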
This improvement in detection speed fundamentally changes security economics and operational outcomes:
Financial Protection - Real-time blocking prevents downstream damage, reducing breach costs by 67% on average based on customer-reported outcomes
Security Team Efficiency - Reduced noise and manual triage equal fewer emergencies, lower burnout, and improved talent retention
Compliance Confidence - Demonstrate rapid detection during audits and avoid fines that can exceed $5.4M per incident in regulated sectors
Brand Protection - Contain threats early to prevent the reputational fallout of public breaches and customer churn
This difference fundamentally alters the detection/response equation and gives security teams critical time and control back — not just improving security metrics, but transforming business resilience and competitive positioning in the marketplace.
Quantifiable Benefits Beyond Security
True millisecond-level security operations deliver measurable benefits beyond theoretical security improvements:
Infrastructure optimization: Onum's intelligent data reduction decreases storage and processing requirements, with customers reporting an average 50% reduction in data storage costs
Compliance risk reduction: Complete data traceability simplifies adherence to evolving regulatory requirements
Detection acceleration: Processing security telemetry in motion reduces alert generation times from minutes or seconds to milliseconds
Operational efficiency: By eliminating data processing bottlenecks, security operations centers can process more alerts with existing staff resources
Security Demands Millisecond Precision
Today’s threats don’t wait. They operate at machine speed, automating actions in seconds or less. Security architectures must match this operational tempo to maintain defensive parity. Implementing millisecond-level detection with Onum establishes a critical capability against today's sophisticated threat actors.
As Lucas notes: "Teams need to act on data while it moves, not after it lands. Waiting for it to reach an analytical system is simply too late."
The technical reality is unambiguous: when detection lags by minutes, attackers already have a foothold. That delay isn't a tradeoff; it is exposure. Millisecond-level detection transforms security from reactive investigation to proactive prevention.
Want to see Onum’s true real-time detection in action? Get a personalized test drive with an Onum Pipeline Architect!