# 01 Detection at Edge

## What is "Detection at Edge"?

**Detection at Edge** is BluSapphire's shift-left architecture that allows customers to deploy threat detection capabilities at the **cloud edge**, **data center edge**, or **branch edge** — exactly where logs are generated. This eliminates the traditional requirement to move massive volumes of log data to centralized SIEM infrastructure or SaaS platforms.

### The Paradigm Shift

Traditional SIEM Architecture:

```
Branch/Cloud → Forward All Logs → Central SIEM → Detect Threats
                (Expensive)        (Vendor Lock-in)
```

BluSapphire Detection at Edge:

```
Branch/Cloud → Detect at Edge → Send Metadata/Alerts Only → Central Console
              (Local Storage)    (98% Cost Reduction)        (Unified View)
```
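To make the second diagram concrete, here is an added example in Python; it is not BluSapphire's code and not a description of the product's internals. It models one edge node: every raw line is kept in a local store, a single detection rule (an SSH password-guessing burst) runs over a constructed batch of sshd log lines, and only alert metadata is emitted toward the console. The console link queues alerts while the WAN is down, which is the offline-operation behaviour claimed under "Superior Performance & Resilience" below. The log format, rule name, thresholds and the in-memory list standing in for the site's own Parquet/Iceberg store are all assumptions of the example.

```python
import hashlib
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample batch (not captured data): ISO-timestamped sshd lines as a branch
# edge node would receive them over local syslog. 203.0.113.0/24 is a documentation range.
SAMPLE_LOGS = [
    "2024-01-12T10:15:01Z branch-gw sshd[1201]: Accepted publickey for ops from 10.20.0.5 port 50122 ssh2",
    "2024-01-12T10:15:03Z branch-gw sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "2024-01-12T10:15:05Z branch-gw sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2",
    "2024-01-12T10:15:08Z branch-gw sshd[1204]: Failed password for root from 203.0.113.7 port 51236 ssh2",
    "2024-01-12T10:15:11Z branch-gw sshd[1205]: Failed password for root from 203.0.113.7 port 51237 ssh2",
    "2024-01-12T10:15:14Z branch-gw sshd[1206]: Failed password for invalid user test from 203.0.113.7 port 51238 ssh2",
    "2024-01-12T10:16:40Z branch-gw sshd[1207]: Failed password for ops from 10.20.0.9 port 50410 ssh2",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
THRESHOLD = 5        # example tuning, not a product default: this many failures...
WINDOW_SECONDS = 60  # ...from one source inside this window raise an alert


def parse(line):
    """Turn one sshd line into a dict; None for lines the rule does not need."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["raw"] = line
    return ev


def detect_bruteforce(events):
    """Sliding-window count of failed logins per source IP; returns alert metadata only.

    The evidence is hashed, not copied: an analyst pulls the raw lines from the local store.
    """
    alerts = []
    recent = defaultdict(list)  # src_ip -> failed events still inside the window
    for ev in events:
        if ev["outcome"] != "Failed":
            continue
        window = recent[ev["src"]]
        window.append(ev)
        while (ev["ts"] - window[0]["ts"]).total_seconds() > WINDOW_SECONDS:
            window.pop(0)  # expire events older than the window
        if len(window) == THRESHOLD:  # fire once per burst, as the threshold is crossed
            evidence = "\n".join(e["raw"] for e in window).encode()
            alerts.append({
                "rule_id": "ssh-bruteforce-v1",
                "host": ev["host"],
                "src_ip": ev["src"],
                "failed_count": len(window),
                "first_seen": window[0]["ts"].isoformat(),
                "last_seen": ev["ts"].isoformat(),
                "evidence_sha256": hashlib.sha256(evidence).hexdigest(),
            })
    return alerts


def process_batch(lines, local_store):
    """Edge pipeline: every raw line stays in the local store; only alerts leave the site."""
    local_store.extend(lines)  # stands in for the site's own Parquet/Iceberg store
    events = [ev for ev in map(parse, lines) if ev]
    alerts = detect_bruteforce(events)
    upstream = [json.dumps(a, sort_keys=True) for a in alerts]
    return {
        "raw_bytes_kept_local": sum(len(l.encode()) for l in lines),
        "upstream_bytes": sum(len(u.encode()) for u in upstream),
        "alerts": alerts,
    }


class ConsoleLink:
    """Outbound-only link to the central console; holds alerts while the WAN is down."""
    def __init__(self, online=True):
        self.online = online
        self.pending = []    # a real edge node would persist this queue to local disk
        self.delivered = []

    def send(self, alerts):
        """Queue alerts, flush the queue if the link is up, return the delivered count."""
        self.pending.extend(alerts)
        if self.online:
            self.delivered.extend(self.pending)
            self.pending.clear()
        return len(self.delivered)


if __name__ == "__main__":
    result = process_batch(SAMPLE_LOGS, [])
    link = ConsoleLink(online=False)  # WAN outage: detection still ran, alert waits locally
    link.send(result["alerts"])
    link.online = True                # link restored: the queued alert flushes
    print(f"kept {result['raw_bytes_kept_local']} B locally, delivered {link.send([])} alert(s), {result['upstream_bytes']} B upstream")
```

The point to notice is what crosses the link: a rule id, counts, two timestamps and a hash, not the seven raw lines. That is also the data-minimisation argument behind the sovereignty and compliance sections that follow: the console never needs the raw event to triage the alert, and the hash lets an analyst prove later that the local evidence is what the rule fired on.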

***

## Core Value Propositions

### Data Sovereignty & Complete Control

The Problem with Traditional SIEMs:

* Competitors (Splunk, QRadar, Elastic, DNIF) require logs to be forwarded to centralized infrastructure
* Data must leave customer premises/cloud VPC
* Shared control with vendor
* Complex multi-region deployments require separate instances

BluSapphire's Solution:

* Logs stay where generated — never leave customer premises or cloud region
* Customer owns 100% of their data
* Independent edge deployments per region/site
* Perfect data residency — data never crosses jurisdictional boundaries

Business Impact:

* Complete control over sensitive data
* Simplified sovereign cloud compliance
* No vendor access to raw logs
* Clear audit trail (logs never moved)

***

### 98% Cost Reduction

The Hidden Cost of Traditional SIEMs:

* Cloud egress charges for moving logs out of AWS/Azure/GCP
* Network bandwidth costs for centralizing all log data
* Expensive vendor storage (Splunk: $1,800–$18,000/GB/year)
* Data transfer costs from branches to central location

BluSapphire's Cost Savings:

| Cost Category     | Traditional SIEM | BluSapphire Edge      | Savings    |
| ----------------- | ---------------- | --------------------- | ---------- |
| Cloud Egress      | $0.09/GB (AWS)   | $0 (logs stay in VPC) | **100%**   |
| Data Transfer     | Full log volume  | Metadata only         | **98%**    |
| Storage           | Vendor premium   | Customer's S3/blob    | **80-90%** |
| Network Bandwidth | Massive          | Minimal               | **95%**    |

Real-World Example (storage is priced on a single day's volume on both sides; scale the storage lines by your retention period for a retained-data figure):

* 1 TB/day of logs from AWS to Splunk SaaS
  * AWS egress: $0.09/GB × 1,000 GB × 30 days = **$2,700/month**
  * Splunk storage: $5/GB × 1,000 GB = **$5,000/month**
  * **Total: $7,700/month = $92,400/year**

With BluSapphire Detection at Edge:

* AWS egress: $0 (logs stay in S3)
* Storage: S3 standard $0.023/GB × 1,000 GB = **$23/month**
* Metadata transfer: ~20 GB × $0.09 = **$1.80/month**
* **Total: $25/month = $300/year**
* **Savings: $92,100/year (99.7%)**

***

### Compliance & Data Localization Made Simple

Traditional SIEM Compliance Challenges:

* GDPR: Data movement across borders creates compliance burden
* Sovereign cloud requirements: Conflicts with centralized architecture
* Industry regulations (HIPAA, PCI-DSS): Data must leave its secure zone to reach the central SIEM
* Cross-border data transfer: Required for centralized processing
* Audit complexity: Must track data movement and storage locations

BluSapphire's Compliance Advantages:

| Requirement           | Traditional SIEM                     | BluSapphire Edge                     |
| --------------------- | ------------------------------------ | ------------------------------------ |
| GDPR                  | Complex - data crosses borders       | Easy - EU data stays in EU           |
| Data Localization     | Difficult - centralization conflicts | Perfect - data stays in jurisdiction |
| Sovereign Cloud       | Not supported                        | Native support                       |
| HIPAA/PCI-DSS         | Complex - data leaves secure zone    | Simple - data never leaves           |
| Cross-Border Transfer | Required                             | Zero                                 |
| Audit Trail           | Complex - track movement             | Clear - logs never moved             |

Use Cases:

* Financial services: Keep transaction logs in regulated jurisdictions
* Healthcare: HIPAA-compliant — PHI never leaves secure network
* Government: Sovereign cloud requirements met natively
* EU operations: GDPR compliance simplified — data stays in EU
* Multi-national: Each country's data stays in-country

***

### Operational Complexity Eliminated

Traditional SIEM Operational Burden:

| Task                  | Traditional SIEM                        | BluSapphire Edge                         |
| --------------------- | --------------------------------------- | ---------------------------------------- |
| Log Forwarding        | Configure forwarders for every source   | Not needed - detection at edge           |
| Forwarder Management  | Heavy/universal forwarders, agents      | Zero - no forwarders                     |
| Network Configuration | Complex - all sources to central        | Simple - edge to console (metadata only) |
| Firewall Rules        | Extensive - all log sources             | Minimal - edge outbound only             |
| Troubleshooting       | Complex - forwarders, network, indexers | Simple - local edge processing           |

Benefits:

* Zero forwarder management overhead
* Minimal network configuration
* Simplified troubleshooting
* Reduced IT burden
* Faster deployment

***

### Future-Proof with Open Standards

The Vendor Lock-In Problem:

| Vendor      | Data Format                | Portability                 | Migration Risk | Lock-In     |
| ----------- | -------------------------- | --------------------------- | -------------- | ----------- |
| Splunk      | Proprietary                | Difficult, expensive export | High           | Severe      |
| QRadar      | Proprietary                | Difficult                   | High           | Severe      |
| Elastic     | Elasticsearch              | Moderate                    | Medium         | Moderate    |
| DNIF        | Proprietary                | Limited                     | High           | High (SaaS) |
| BluSapphire | **Open (Parquet/Iceberg)** | **Full, easy export**       | **Zero**       | **None**    |

BluSapphire's Open Data Advantage:

* Open standards: Parquet, Iceberg — industry-standard formats
* Vendor-neutral: Any analytics tool can read the data
* No migration ever needed: Data already in portable format
* Multi-vendor analytics: Use any tool (Athena, Spark, Tableau, etc.)
* Future-proof: Not dependent on BluSapphire's continued existence

Business Impact:

* Zero switching costs if you ever want to change vendors
* No data migration projects — data already accessible
* Leverage existing analytics tools and investments
* Negotiating power — not locked in

***

### Superior Performance & Resilience

Traditional SIEM Performance Bottlenecks:

| Scenario           | Traditional SIEM                      | BluSapphire Edge                  |
| ------------------ | ------------------------------------- | --------------------------------- |
| Detection Latency  | High - wait for log forwarding        | Lowest - detection at source      |
| Network Dependency | High - requires constant connectivity | Low - edge operates independently |
| Branch Office      | Poor - limited by WAN bandwidth       | Excellent - local detection       |
| Offline Operation  | No - forwarding stops                 | Yes - edge continues detection    |
| Scalability        | Vertical - scale central (expensive)  | Horizontal - add edge nodes       |

Resilience Benefits:

* Branch offices: Detection continues even if WAN is down
* Cloud regions: No cross-region dependencies
* Disaster recovery: Each edge operates autonomously
* Performance: No network latency for detection

***

## Use Case Enablement

### Multi-Cloud Strategy

Challenge: Aggregating logs from AWS, Azure, GCP to central SIEM

* High cross-cloud egress costs
* Network complexity
* Latency issues

BluSapphire Solution: Edge in each cloud

* Logs stay in native cloud
* Zero cross-cloud transfer
* Unified view in central console
* Savings: 98% reduction in cross-cloud costs

### Hybrid Cloud

Challenge: Bridging on-prem and cloud logs to central SIEM

* Complex network architecture
* VPN/ExpressRoute costs
* Security concerns

BluSapphire Solution: Edge in cloud + on-prem

* Seamless hybrid deployment
* No data movement required
* Unified threat detection
* Benefit: Simplified hybrid architecture

### Distributed Enterprises

Challenge: Aggregating logs from 100+ locations to central SIEM

* Massive bandwidth requirements
* Network bottlenecks
* High costs

BluSapphire Solution: Edge at each location

* Logs stay at each site
* No WAN bandwidth consumed
* Autonomous detection
* Savings: 95%+ bandwidth reduction

### Mergers & Acquisitions

Challenge: Integrating acquired company into central SIEM

* Months of integration work
* Data migration complexity
* Network integration

BluSapphire Solution: Deploy edge at acquired entity

* No integration required
* Data stays at acquired company
* Immediate unified visibility
* Benefit: Days vs. months for security coverage

### IoT/OT Security

Challenge: OT data must leave secure operational network for SIEM

* Security risk moving OT data
* Compliance violations
* Air-gap requirements broken

BluSapphire Solution: Edge at OT network

* OT data never leaves secure zone
* Detection at OT edge
* Isolation maintained: only alert metadata leaves the OT zone, over the edge node's outbound-only link
* Benefit: OT security without compromising isolation

### Remote/Branch Offices

Challenge: Limited WAN bandwidth to send all logs to central SIEM

* Log loss during WAN outages
* Performance degradation
* High WAN costs

BluSapphire Solution: Edge at each branch

* Autonomous detection at branch
* No WAN dependency
* Continues during outages
* Benefit: Branch security without WAN constraints

***

## Competitive Comparison Summary

| Capability          | BluSapphire | Splunk        | QRadar        | Elastic          | DNIF            |
| ------------------- | ----------- | ------------- | ------------- | ---------------- | --------------- |
| Deploy at Edge      | ✅ Yes       | ❌ No          | ❌ No          | ❌ No             | ❌ No            |
| Logs Stay at Source | ✅ Yes       | ❌ No          | ❌ No          | ❌ No             | ❌ No            |
| Data Sovereignty    | ✅ Complete  | ❌ Shared      | ❌ Shared      | ❌ Shared         | ❌ Vendor-hosted |
| Cost Reduction      | ✅ 98%       | ❌ High costs  | ❌ High costs  | ⚠️ Medium        | ❌ Premium       |
| Open Data Format    | ✅ Yes       | ❌ Proprietary | ❌ Proprietary | ⚠️ Elasticsearch | ❌ Proprietary   |
| No Migration Ever   | ✅ Yes       | ❌ No          | ❌ No          | ❌ No             | ❌ No            |
| Offline Operation   | ✅ Yes       | ❌ No          | ❌ No          | ❌ No             | ❌ No            |
| Multi-Cloud Native  | ✅ Yes       | ⚠️ Complex    | ⚠️ Complex    | ⚠️ Complex       | ❌ No            |

***

## Key Differentiators

Why No Competitor Offers This:

Technical Barriers:

1. Architecture: Competitors built on centralized indexing
2. Business model: SaaS vendors need data in their cloud
3. Storage: Proprietary formats require vendor infrastructure
4. Complexity: Distributed detection is harder than centralized

BluSapphire's Unique Approach:

1. Designed for edge from ground up
2. Open data lake architecture
3. Agentless detection works at edge
4. Cloud-native but customer-controlled

***

## ROI Calculation Example

Scenario: 10 TB/day enterprise with AWS + Azure + on-prem (same simplifications as the 1 TB example above: the full daily volume is charged at the AWS egress rate, and storage is priced on a single day's volume)

Traditional SIEM (Splunk) Costs:

* Cloud egress: 10 TB × $0.09/GB × 30 days = $27,000/month
* Splunk storage: 10 TB × $5/GB = $50,000/month
* Network bandwidth: $10,000/month
* Total: **$87,000/month = $1,044,000/year**

BluSapphire Detection at Edge:

* Cloud egress: $0 (logs stay in cloud)
* Storage: S3/blob at $0.023/GB × 10 TB = $230/month
* Metadata transfer: 200 GB × $0.09 = $18/month
* Total: **$248/month = $2,976/year**

Annual Savings: **$1,041,024 (99.7%)**
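Both ROI examples on this page (the 1 TB/day case under "98% Cost Reduction" and the 10 TB/day case here) use the same arithmetic, so here it is as an added Python model. It is not a BluSapphire tool; the rates and the 20 GB/month of metadata per TB/day are the page's figures, while the function and class names are the example's own. The page's simplifications are exposed as parameters: `egress_fraction` (the page charges the whole daily volume as egress on the traditional side), `metadata_gb_per_tb_day`, and `retention_days` (the page prices one day of storage). Rerunning with your actual retention period is the check worth doing before quoting the 99.7% figure: the absolute numbers move a lot, the percentage barely does.

```python
from dataclasses import dataclass

GB_PER_TB = 1000        # the page counts decimal terabytes (1 TB = 1,000 GB)
DAYS_PER_MONTH = 30


@dataclass(frozen=True)
class Rates:
    """Unit prices as used on the page; swap in your own contract rates."""
    egress_per_gb: float        # cloud egress, $/GB (page: AWS $0.09)
    storage_per_gb: float       # $/GB of data held in storage (page: Splunk $5, S3 $0.023)
    fixed_network: float = 0.0  # flat monthly WAN cost (page: $10,000 in the 10 TB case)


def monthly_cost(tb_per_day, rates, *, egress_fraction=1.0,
                 metadata_gb_per_tb_day=0.0, retention_days=1):
    """Monthly cost breakdown in dollars.

    egress_fraction         share of the daily volume that leaves the cloud (1.0 central SIEM, 0.0 edge)
    metadata_gb_per_tb_day  GB/month of alert metadata sent upstream per TB/day ingested (page: 20)
    retention_days          days of data priced in storage; the page prices a single day (1)
    """
    gb_per_day = tb_per_day * GB_PER_TB
    egress = gb_per_day * DAYS_PER_MONTH * egress_fraction * rates.egress_per_gb
    egress += tb_per_day * metadata_gb_per_tb_day * rates.egress_per_gb
    storage = gb_per_day * retention_days * rates.storage_per_gb
    return {"egress": egress, "storage": storage, "network": rates.fixed_network,
            "total": egress + storage + rates.fixed_network}


def compare(tb_per_day, traditional, edge, *, retention_days=1, metadata_gb_per_tb_day=20):
    """Monthly totals for both architectures plus annual savings and the savings percentage."""
    t = monthly_cost(tb_per_day, traditional, retention_days=retention_days)["total"]
    e = monthly_cost(tb_per_day, edge, egress_fraction=0.0,
                     metadata_gb_per_tb_day=metadata_gb_per_tb_day,
                     retention_days=retention_days)["total"]
    return {"traditional_monthly": t, "edge_monthly": e,
            "annual_savings": 12 * (t - e), "savings_pct": 100 * (1 - e / t)}


# The page's rate assumptions, named so they are easy to challenge in a review.
SPLUNK_ON_AWS = Rates(egress_per_gb=0.09, storage_per_gb=5.0)
SPLUNK_ON_AWS_10TB = Rates(egress_per_gb=0.09, storage_per_gb=5.0, fixed_network=10_000)
EDGE_ON_S3 = Rates(egress_per_gb=0.09, storage_per_gb=0.023)

if __name__ == "__main__":
    for days in (1, 30):  # the page's single-day pricing vs. a 30-day retention period
        r = compare(10, SPLUNK_ON_AWS_10TB, EDGE_ON_S3, retention_days=days)
        print(f"retention {days:>2} d: traditional ${r['traditional_monthly']:,.0f}/mo, "
              f"edge ${r['edge_monthly']:,.0f}/mo, saves ${r['annual_savings']:,.0f}/yr "
              f"({r['savings_pct']:.1f}%)")
```

With the page's inputs the model reproduces $7,700 vs $24.80 per month for 1 TB/day and $87,000 vs $248 for 10 TB/day. What it does not capture is anything the page does not price either: edge node hardware or instances, operations staff, and the console itself.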

***

## Strategic Advantages

For CISOs:

1. Cost control: Predictable, minimal data transfer costs
2. Compliance simplified: Data localization native
3. Risk reduction: Complete data sovereignty
4. Future-proof: Open standards, no lock-in
5. Negotiating power: Not dependent on vendor

For SOC Managers:

1. Faster detection: No network latency
2. Simplified operations: No forwarder management
3. Better resilience: Edge operates independently
4. Easier scaling: Add edge nodes vs. central infrastructure

For IT/Cloud Teams:

1. Lower cloud bills: 98% reduction in egress
2. Simpler architecture: No log aggregation complexity
3. Faster deployment: No complex network setup
4. Better performance: Local processing

For Compliance Teams:

1. Clear audit trail: Logs never moved
2. Data localization: Native support
3. Sovereign cloud: Perfect fit
4. Simplified reporting: Data location always known

***

## Conclusion

BluSapphire's Detection at Edge is a fundamental architectural advantage — not an incremental improvement. The combination of data sovereignty, 98% cost reduction, compliance simplification, operational efficiency, open standards, and superior performance addresses major enterprise pain points.

No other SIEM vendor offers:

* Detection at the edge where logs are generated
* Logs that never leave customer premises
* Open data formats with zero migration risk
* 98% reduction in data transfer costs
* Native support for sovereign cloud requirements

This is the future of SIEM architecture — and BluSapphire is delivering it today.

