Anyone who has been in security long enough knows that breaches rarely hinge on a single mistake. They are the result of hundreds of invisible gaps: logs never enabled, security telemetry never collected, alerts that did not fire because the right data never arrived. They are the result of schemas so tangled they are unusable, data sources so expensive they are skipped entirely, and context that could have connected the signals into a clear threat story but was entirely missing.
But one breach from my days doing incident response taught me something I couldn't unsee.
We were called into a major incident at a large enterprise, one of those "all hands on deck, sleep later" situations. The attackers had already moved laterally, touched internal systems they were never supposed to know about, and exfiltrated material that should never leave a secure environment. Our job was to reconstruct what happened and stop anything still in motion.
We pulled disks from compromised servers, imaged hard drives, and deployed forensic tooling across subnets. But the deeper we went, the harder it was to ignore the truth: the defenders never had a chance. Detecting the incident, investigating it, responding to it, all of that requires context. And context cannot exist when the data layer underneath is broken.
And wow, was the data layer broken.
The domain controller logs that should have shown who created a suspicious service account? Gone, because the servers had been replaced recently. Endpoint logs that should have revealed the attack chain? Only partially collected, and the PowerShell logging configuration for full script block and module logging had been turned off. Audit logs the team believed were enabled? Misconfigured for years. Database logs? Disabled entirely, unclear whether by the attackers or by the team.
This was not the first time I saw this. And it was not the tenth. Again and again, the core problem was not security expertise, it was the absence of usable and trustworthy security data. The defenders were brilliant, creative, and dedicated. And every time, they were fighting blind.
That was the moment it became painfully clear: security's biggest problem is not a lack of tools or detection rules. It is not even a lack of data. It is the missing layers between raw data and real security, the data management capabilities and context that turn endless telemetry into something defenders can actually get, access, understand, and use.
And no product on the market was doing that.
The Pattern Becomes Inescapable
Once I started seeing the pattern, I could not unsee it. We spoke with hundreds of security teams across industries, and the story was always the same.
The scale and diversity of security telemetry have exploded beyond what traditional architectures can sustainably support. Organizations that once managed a handful of enterprise systems now manage thousands of services, each generating telemetry that carries real risk if missed. Security telemetry has not just grown; it has outpaced the infrastructure beneath it.
SIEMs filled with terabytes of logs that had never been used in a single detection rule. Critical logs missing because a connector had silently failed months earlier. Ingest bills so high that teams had to turn off the high fidelity data they actually needed. Identity logs with inconsistent field names across tools, making it impossible to correlate a single user journey. Cloud logs filled with cryptic asset identifiers that analysts could not decode in real time.
Even the most advanced enterprises described the same reality: redundant data they could not use, missing context they could not reconstruct, and noisy sources that buried the signal. Underneath it all was a constant operational tax. Engineers spent their days fixing broken pipelines, normalizing fields, enriching data that should have arrived enriched, and reconciling schemas that never matched in the first place. More data did not mean more visibility. More investment did not mean stronger defense.
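As an added illustration of the correlation problem described above (example code written for this page, not Beacon's own logic), the Python below normalizes identity events from two constructed sources that name the same user and source IP differently. Grouping on the raw fields splits one person's journey into several "users"; mapping both formats to one schema and resolving identifiers through an assumed directory makes the journey visible. The field names, the directory mapping and the events are all assumptions made for this example.

```python
"""Normalize identity events from two tools with different field names so one
user's journey can be correlated. Added example; the two source formats and
the directory below are constructed for illustration, not any vendor's schema."""
import json
from datetime import datetime, timezone

# Constructed sample events: the "idp" tool uses nested actor/client fields and an
# e-mail identity; the "vpn" tool uses flat snake_case fields and a DOMAIN\sam identity.
RAW_EVENTS = [
    {"source": "idp",
     "record": json.dumps({"published": "2024-03-01T08:00:02Z",
                           "eventType": "user.session.start",
                           "actor": {"alternateId": "Alice.Chen@corp.example"},
                           "client": {"ipAddress": "203.0.113.7"}})},
    {"source": "vpn",
     "record": json.dumps({"ts": 1709280120,            # 2024-03-01T08:02:00Z
                           "action": "vpn_connect",
                           "user_name": "CORP\\achen",
                           "src_ip": "203.0.113.7"})},
    {"source": "idp",
     "record": json.dumps({"published": "2024-03-01T08:10:45Z",
                           "eventType": "user.mfa.factor.deactivate",
                           "actor": {"alternateId": "alice.chen@corp.example"},
                           "client": {"ipAddress": "198.51.100.9"}})},
    {"source": "vpn",
     "record": json.dumps({"ts": 1709281000,            # 2024-03-01T08:16:40Z
                           "action": "vpn_connect",
                           "user_name": "CORP\\bpatel",
                           "src_ip": "198.51.100.9"})},
]

# Assumed identity directory: SAM account -> canonical e-mail identity.
DIRECTORY = {"corp\\achen": "alice.chen@corp.example",
             "corp\\bpatel": "bala.patel@corp.example"}


def resolve_user(raw_user):
    """Map any raw identifier (e-mail in any case, or DOMAIN\\sam) to one canonical key."""
    key = raw_user.strip().lower()
    return DIRECTORY.get(key, key)


def normalize(event):
    """Return a common-schema dict: user, ts (aware UTC datetime), action, src_ip, source."""
    rec = json.loads(event["record"])
    if event["source"] == "idp":
        return {"user": resolve_user(rec["actor"]["alternateId"]),
                "ts": datetime.fromisoformat(rec["published"].replace("Z", "+00:00")),
                "action": rec["eventType"],
                "src_ip": rec["client"]["ipAddress"],
                "source": "idp"}
    if event["source"] == "vpn":
        return {"user": resolve_user(rec["user_name"]),
                "ts": datetime.fromtimestamp(rec["ts"], tz=timezone.utc),
                "action": rec["action"],
                "src_ip": rec["src_ip"],
                "source": "vpn"}
    raise ValueError(f"unknown source {event['source']!r}")


def user_journey(events, user):
    """All normalized events for one canonical user, ordered by time."""
    norm = [normalize(e) for e in events]
    return sorted((e for e in norm if e["user"] == user), key=lambda e: e["ts"])


def raw_user_counts(events):
    """Without normalization: how many distinct 'users' do the raw records appear to name?"""
    ids = set()
    for e in events:
        rec = json.loads(e["record"])
        ids.add(rec.get("user_name") or rec["actor"]["alternateId"])
    return len(ids)


if __name__ == "__main__":
    print("raw identifiers seen:", raw_user_counts(RAW_EVENTS))          # 4
    for e in user_journey(RAW_EVENTS, "alice.chen@corp.example"):
        print(e["ts"].isoformat(), e["source"], e["action"], e["src_ip"])
```

On the raw records the four events look like four different principals; after normalization they resolve to two, and the three-step journey for one account (session start, VPN connect from the same address, then an MFA factor deactivated from a new address) falls into a single ordered timeline that a detection can reason over.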
At the same time, attackers have rapidly embraced AI. They use it to automate reconnaissance, sharpen phishing, mutate malicious payloads, and move through environments at machine speed. To keep up, defenders must unleash AI that can fight back, but defensive AI is only as strong as the data it receives.
The issue was never the absence of data. It was the absence of valuable data that could be understood.
Why the Industry Never Fixed It
Over the past decade, security vendors solved more and more use cases but, in doing so, deepened the silos. SIEM vendors tried to become the place where all security data could be correlated and understood, but they focused on content and workflows while relying on weak underlying data capabilities. Ingestion and retention costs stayed high, ingestion options were limited, and coverage had gaps. These were among several factors that kept the SIEM from becoming both the single collector and the destination for all security telemetry.
Security data lakes and cloud-storage-based analytics tools emerged as another promised solution, offering scalable and more affordable storage. But they suffered from the same blind spots: weak data management, limited ingestion capabilities, and insufficient integration with the rest of the organizational stack. Organizations ended up with systems that had strong potential as storage and search destinations but could not be properly activated because they did not have the right data in the right format with the right context.
For a brief moment, it looked like the industry had finally found an answer. Pipeline vendors arrived with promises of fixing ingestion and unlocking the value of these analytics destinations. But the limitation became clear quickly. Without security context or an opinionated view of how data should behave, these tools became little more than generic log shippers. They had no concept of identity, session, asset state, or threat context, all of which were essential in security. And because they treated a log as a simple record rather than a piece of a larger narrative, they missed the underlying security story entirely.
Even today, pipeline vendors focus on lowering data volume rather than improving security. They filter data, but the reductions they apply often harm security fidelity: sampling out every other event to hit a fifty percent reduction target, for example, discards half the steps of an attack chain along with half the noise. Their main impact is a lower bill, not stronger security. Teams use them mostly to drop unwanted records and cut SIEM costs, while the underlying data problem stays exactly the same.
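To make the fidelity point concrete, here is an added example (not code from the page or from any pipeline vendor) that cuts a constructed stream of 1,006 events two ways: naive every-other-event sampling, and a content-aware reduction that collapses repeated identical tuples into one counted summary per window while passing rare events through untouched. The event stream, the six-step attack chain and the window and threshold values are assumptions made for this example.

```python
"""Two ways to cut a log stream by volume. Added example with constructed events;
not any vendor's pipeline logic."""
from collections import Counter

# Constructed six-step attack chain, scattered through a flood of health-check logons.
CHAIN = [
    {"user": "jdoe", "action": "logon", "src": "198.51.100.23"},
    {"user": "jdoe", "action": "new_service_account", "src": "198.51.100.23"},
    {"user": "svc_backup2", "action": "logon", "src": "10.0.5.4"},
    {"user": "svc_backup2", "action": "powershell_script_block", "src": "10.0.5.4"},
    {"user": "svc_backup2", "action": "db_dump", "src": "10.0.5.4"},
    {"user": "svc_backup2", "action": "outbound_transfer", "src": "10.0.5.4"},
]
CHAIN_POSITIONS = [150, 301, 452, 603, 754, 905]   # alternate even/odd on purpose


def constructed_stream():
    """1,000 near-identical monitoring logons plus the six chain steps, 1,006 events total."""
    events, chain_iter = [], iter(CHAIN)
    for seq in range(1000 + len(CHAIN)):
        if seq in CHAIN_POSITIONS:
            e = dict(next(chain_iter))
        else:
            e = {"user": "svc_monitor", "action": "logon", "src": "10.0.0.2"}
        e["seq"] = seq
        events.append(e)
    return events


def attack_chain_retained(events):
    """How many of the six chain steps survived (anything not from the monitor account)."""
    return sum(1 for e in events if e["user"] != "svc_monitor")


def sample_every_other(events):
    """Naive volume cut: keep every second event. Blind to content."""
    return [e for i, e in enumerate(events) if i % 2 == 0]


def aggregate_repeats(events, window=100, rare_threshold=5):
    """Content-aware cut: within each window of `window` events, collapse any
    (user, action, src) tuple seen >= rare_threshold times into one summary that
    carries the count; pass rarer events through unchanged, so a short attack
    chain is never sampled away. Repeated attacker activity (a brute force, say)
    is also collapsed, but its count survives as a signal in the summary."""
    out = []
    for start in range(0, len(events), window):
        chunk = events[start:start + window]
        counts = Counter((e["user"], e["action"], e["src"]) for e in chunk)
        summarized = set()
        for e in chunk:
            key = (e["user"], e["action"], e["src"])
            if counts[key] >= rare_threshold:
                if key not in summarized:
                    summarized.add(key)
                    out.append({"user": key[0], "action": key[1], "src": key[2],
                                "count": counts[key], "first_seq": e["seq"]})
            else:
                out.append(e)
    return out


def reduction_pct(before, after):
    return round(100.0 * (1 - len(after) / len(before)), 1)


if __name__ == "__main__":
    ev = constructed_stream()
    s, a = sample_every_other(ev), aggregate_repeats(ev)
    print(f"sampling:    {reduction_pct(ev, s)}% cut, chain steps kept {attack_chain_retained(s)}/6")
    print(f"aggregation: {reduction_pct(ev, a)}% cut, chain steps kept {attack_chain_retained(a)}/6")
```

With these inputs the every-other-event sampler hits its 50 percent target and keeps three of the six chain steps, so the account creation, the script block and the exfiltration step are gone before any detection runs. The aggregation cuts the same stream to 17 records, a far larger reduction, keeps all six steps, and still accounts for every original event through the summary counts.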
Through all of this, security teams do everything they can to keep up. They patch broken integrations at night, chase failing connectors, perform tedious data operations, and carry the burden the industry has placed on them. Yet organizations spend more money than ever on storing data and still miss critical signals.
And as AI-driven investigation tools begin emerging, the disconnect becomes striking. AI agents are fed with the same fragmented telemetry that would confuse a human analyst. The agents hallucinate timelines, miss threats, and confidently propose fixes for attacks that never happened, not because the models are flawed, but because the data feeding them is partial, messy, and noisy.
What security teams need is a real data management strategy, the ability to execute it, and the context layers required to turn raw telemetry into real security. Until someone addresses this foundational layer, the industry will continue building increasingly sophisticated analysis on unstable ground.
What We Set Out to Build
Security needed something that did not exist: a data and context platform designed specifically for the age of cloud, data, and AI. Not a SIEM. Not an ETL pipeline. Not another log router. But an opinionated system that could collect, structure, enrich, optimize, and deliver the right data and context to humans, security tools, and AI agents in real time, at enterprise scale, without friction.
The problem space was clear, but delivering on this vision requires a blend of deep data engineering, real-world security experience, and AI expertise, a combination that is uncommon in most teams. Someone had to build it, and our paths happened to intersect in a way that gave us the perspective and motivation to take on the challenge.
Gal had spent more than two decades building and scaling security, deep tech, and AI practices: as an engineer on advanced technology initiatives, as a tech leader launching security ventures, and as a consultant guiding the world's largest organizations through data-driven defense. He saw the systemic gaps that kept appearing no matter how advanced the tooling became.
Iddo came from large-scale data engineering, where architectural shortcuts don't survive real workloads. He had built pipelines at petabyte scale under strict performance and reliability requirements. He learned how to design data foundations that stay resilient under pressure, exactly what security has always lacked.
And I brought the scars and clarity from years at the intersection of data and cybersecurity, working as attacker, defender, and builder. I saw firsthand how fragile the data foundations were in the moments that mattered most, and I wished I had a system that could have supported me in those moments.
Together, these perspectives allowed us to see the problem from multiple angles and attempt to create something ambitious: a security-first data platform built from the ground up to create understanding, not just collection.
From the beginning, we set out to create an AI-powered system that treats telemetry as the raw material of defense and turns it into something contextualized, consistent, complete, and ready for action. AI has finally given defenders a way to escape the manual workflows that have slowed security for years. It can accelerate detection, triage, investigation, and response, but only if it has the right data and context.
We envisioned a platform that discovers the sources that actually matter, enables teams to manage their logging posture, and collects the right telemetry with the right fidelity. A system that automatically reduces noisy data, performs normalization across logs that were never designed to align, resolves identities and assets into coherent stories, and enriches events with the context analysts rely on but rarely have. A system that gives analysts and AI workflows the clarity to reason instead of react, and integrates seamlessly with the entire ecosystem, elevating every other tool by giving it better data. And on top of that data layer, we imagined a fabric that simply makes context available everywhere it is needed.
We knew this would not be simple. Building a petabyte-scale, exactly-once, self-healing, hybrid and multi-cloud pipeline with deep security logic and countless integrations is not a shortcut-friendly task. But it was the only path to a system that could endure the real world of security operations: outages, schema drift, evolving threats, and massive data volumes.
A platform like this would let organizations build a true security data mesh and finally treat data as a product. It would give practitioners telemetry they can rely on, investigations that feel streamlined rather than cumbersome, automations that act instead of misfire, detections that run in real time, and AI agents that work as a force multiplier.
The Path Forward
The future of security will be defined by how quickly and efficiently data consumers (humans, tools, workflows, agents, and intelligence) can access the right information and how reliably they can understand it and act on it. Routing information should be effortless. Data should move wherever it needs to go with a click or a prompt, not a project plan.
In a modern security program, any question about a user, device, workload, session, service, or event should return an answer instantly because the context is already resolved. No tool hopping. No log spelunking. No manual data wrangling. These are just a few examples of what security looks like when the data layer runs itself, when context is maintained continuously, and information arrives fast and reliably.
And when an organization can own and control its data this way, the limits start to disappear. Once the data and context are unified, the boundary between security and the rest of the organization begins to blur. What begins with SecOps often grows far beyond it. The data layer stops inheriting the limitations of existing systems and starts defining what the next generation of systems will become.
We believe that this is the world we deserve, not in the future, but now. And this is the world we are building with Beacon.