About Cybereason

Cybereason provides cybersecurity solutions that help organizations detect and stop cyber attacks across endpoints, networks, and cloud environments.

Its platform processes millions of events per second and analyzes nearly 9.8 petabytes of data each week, enabling security teams to identify coordinated attacks and respond before they spread across systems.

Instead of relying on traditional alert-based security tools, Cybereason correlates signals across machines and systems to identify MalOps (malicious operations): groups of related events that together represent one coordinated attack.

By presenting security teams with a small number of meaningful incidents instead of thousands of alerts, the platform enables faster investigation and response.


Challenge

Identifying real attacks hidden in massive event streams

Modern cyber attacks rarely occur on a single machine. Attackers move laterally across endpoints, servers, and cloud systems while generating large volumes of activity designed to overwhelm traditional security tools.

Many security platforms generate thousands of alerts that must be investigated manually. Attackers exploit this noise to hide malicious behavior.

Cybereason addresses this challenge by correlating signals across systems to identify MalOps, representing the full scope of an attack rather than isolated alerts.

Real-time correlation across machines

The Cybereason detection engine continuously ingests telemetry from endpoints, network devices, and cloud infrastructure.

Events must be correlated across machines in real time to determine whether activity is benign or part of a coordinated attack.

If the platform cannot process and correlate events immediately, analysts lose valuable time responding to threats as they unfold.

“Aerospike is our key real-time data engine that collects the data, crunches the data, and applies cross-machine correlation,” said Eviatar Tenne, Data Platform Director at Cybereason.
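The page describes cross-machine correlation only at the level of outcome (many alerts in, a handful of MalOps out). The following is an added illustration, not Cybereason's or Aerospike's code: it folds per-machine events into incidents by linking events that share a binary hash or a logon session, with a remote logon bridging the session on the source host to the session it creates on the target. The event fields, the link rules, and the sample telemetry are all constructed for this example; a real engine would apply many more rules and a time window, but the grouping step is the same shape.

```python
"""Toy cross-machine correlation: fold per-machine events into MalOp-style incidents.

Illustrative only. The event shape, the link rules, and the sample telemetry are
constructed for this example and are not Cybereason's data model or code.
"""
from collections import defaultdict

# Constructed telemetry: an operator on hostA pivots to hostB, then hostC, and the
# same binary (sha256 "H2") also appears on hostE. hostD is unrelated browser activity.
SAMPLE_EVENTS = [
    {"id": 1, "host": "hostA", "kind": "process", "ts": 100, "session": "S1", "image": "powershell.exe", "sha256": "H1"},
    {"id": 2, "host": "hostA", "kind": "remote_logon", "ts": 105, "session": "S1", "dst_host": "hostB", "dst_session": "S2"},
    {"id": 3, "host": "hostB", "kind": "process", "ts": 110, "session": "S2", "image": "svc.exe", "sha256": "H2"},
    {"id": 4, "host": "hostB", "kind": "remote_logon", "ts": 120, "session": "S2", "dst_host": "hostC", "dst_session": "S3"},
    {"id": 5, "host": "hostC", "kind": "process", "ts": 125, "session": "S3", "image": "svc.exe", "sha256": "H2"},
    {"id": 6, "host": "hostD", "kind": "process", "ts": 130, "session": "S9", "image": "chrome.exe", "sha256": "H3"},
    {"id": 7, "host": "hostE", "kind": "process", "ts": 400, "session": "S4", "image": "svc.exe", "sha256": "H2"},
]


def link_keys(ev):
    """Keys that tie an event to others. Two events sharing any key join one incident."""
    keys = {("session", ev["host"], ev["session"])}
    if ev["kind"] == "process":
        keys.add(("sha256", ev["sha256"]))  # same binary observed on several machines
    elif ev["kind"] == "remote_logon":
        # The logon bridges the source session to the session it opens on the target host.
        keys.add(("session", ev["dst_host"], ev["dst_session"]))
    return keys


def correlate(events):
    """Union-find over events; returns the connected groups as sorted lists of event ids."""
    parent = {ev["id"]: ev["id"] for ev in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    owner = {}  # link key -> first event id seen carrying that key
    for ev in events:
        for key in link_keys(ev):
            if key in owner:
                union(owner[key], ev["id"])
            else:
                owner[key] = ev["id"]

    groups = defaultdict(list)
    for ev in events:
        groups[find(ev["id"])].append(ev["id"])
    return sorted(sorted(g) for g in groups.values())


def malops(events, min_hosts=2):
    """Groups that span at least `min_hosts` machines, summarised as incidents."""
    by_id = {ev["id"]: ev for ev in events}
    incidents = []
    for group in correlate(events):
        evs = [by_id[i] for i in group]
        hosts = sorted({e["host"] for e in evs})
        if len(hosts) < min_hosts:
            continue  # single-machine activity stays a plain alert, not a MalOp
        incidents.append({
            "event_ids": group,
            "hosts": hosts,
            "first_seen": min(e["ts"] for e in evs),
            "last_seen": max(e["ts"] for e in evs),
        })
    return incidents


if __name__ == "__main__":
    found = malops(SAMPLE_EVENTS)
    print(f"{len(SAMPLE_EVENTS)} raw events -> {len(found)} cross-machine incident(s)")
    for inc in found:
        print(inc)
```

On the constructed sample, the seven raw events collapse to one incident spanning hostA, hostB, hostC and hostE, while hostD's browser activity stays a standalone group and is not promoted to an incident. The union-find step is what makes the correlation cheap at volume: each event is touched once, and the link keys are exactly the kind of lookups a low-latency key-value store is expected to serve.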

Massive and rapidly growing telemetry volumes

Enterprise environments generate enormous amounts of telemetry data. Cybereason collects signals from:

  • Endpoint agents

  • Network infrastructure

  • Cloud services

  • Enterprise applications

These telemetry streams must be processed continuously while maintaining low latency for detection and investigation.

“We’re dealing with quite insane amounts of data coming to us from our sensors,” said Itsik Harel of Cybereason.

To support this model, the data platform needed to:

  • Process millions of events per second

  • Analyze nearly 10PB of data per week

  • Correlate signals across machines in real time

  • Maintain predictable performance under fluctuating workloads

Solution

Real-time detection engine powered by Aerospike

Cybereason built a real-time data platform combining Aerospike, Kafka, and Elasticsearch.

Telemetry from endpoints and infrastructure is streamed through Kafka and processed by microservices before being written to Aerospike.

Aerospike acts as the real-time data layer that enables cross-machine correlation with low latency and high throughput.


Architecture for large-scale security analytics

The platform architecture includes:

  • Kafka for large-scale event ingestion

  • Aerospike for real-time data storage and correlation

  • Elasticsearch for investigative search and analytics

Data is streamed into Kafka, processed by microservices, and stored in Aerospike to enable real-time detection.

“We are reading the data from Kafka using microservices, and then we write it to Aerospike,” said Dotan Gutmacher, DevOps Data & Infrastructure Team Leader at Cybereason.

Aerospike serves as the single point of truth for real-time telemetry data, while Elasticsearch provides search and analysis capabilities.

Operating at petabyte scale

Cybereason’s Aerospike deployment includes:

  • 150+ hosts across multiple clusters

  • Approximately 1PB of stored data

  • 2 million events processed per second

  • 40TB of unique real-time correlation data

  • Sub-30ms latency for bulk operations

Integration between Aerospike and Elasticsearch also improved investigative performance.

“We are using Aerospike as the single point of truth and Elasticsearch as the search engine… and by doing that, we managed to boost the Elasticsearch performance by five times,” Gutmacher said.


Results

With Aerospike powering its detection engine, Cybereason can analyze massive telemetry streams and surface a small number of actionable incidents for security teams.

Key outcomes include:

  • 9.8PB of security data analyzed weekly

  • 2M events processed per second

  • 93% increase in detection and response efficiency

  • 75% reduction in platform management through a single agent

  • 1:200,000 analyst-to-endpoint ratio

“When you feel comfortable and you can sleep at night because of the ability to easily scale. Aerospike was by far the most prominent vendor for our needs.”

Eviatar Tenne, Data Platform Director, Cybereason