Cybersecurity SIEM Platform


I designed, built, and launched an on-premise SIEM platform that transformed a local family-operated Managed Service Provider from a thin-margin reseller into a product company generating consistent high-margin monthly recurring revenue.

Context

MSPs typically operate on flat margins because their business model is fundamentally resale—they package, mark up, and support other vendors’ products. The revenue ceiling is low and the differentiation is thin: if your value proposition is “we’ll manage Vendor X for you,” any competitor can offer the same thing. The owners of Decian understood this and wanted to change the economics. Their strategy was to build and own a proprietary software stack rather than resell someone else’s, which is what led them to hire me.

The bet had two dimensions. The obvious one was economic: if Decian could own the platform rather than license it, the margin structure changes completely—no per-seat vendor fees eating into every contract. But the deeper argument was about service quality. When you resell a large vendor’s product, you’re beholden to their roadmap. Features your clients actually need get deprioritized in favor of what the vendor’s largest customers want. Bugs that affect your clients sit in a queue behind thousands of other tickets. You can’t adapt the product to how your clients actually work—you adapt your clients to however the vendor decided the product should work. Owning the stack means building exactly what your clients need, responding to their problems directly, and evolving the platform based on real operational feedback rather than a vendor’s feature committee.

The risk was real: building and operating a SIEM product requires deep infrastructure and security engineering—capabilities the company needed to develop.

What I Built

I architected the entire stack from bare metal up: a hyperconverged infrastructure platform (Proxmox, Ceph, Talos Kubernetes) supporting a multi-tenant SIEM built on Wazuh with OpenSearch. The platform serves multiple clients from shared infrastructure with strict data isolation, meaning each new tenant adds revenue without proportional infrastructure or operational cost. Agents enroll securely over WAN, pipelines handle ingestion and enrichment, and an observability layer monitors the whole thing end-to-end.

The technical details—Document-Level Security for tenant isolation, replay-safe ingestion pipelines, ISM lifecycle management, pipeline-aware observability—are covered in the facet pages below. What matters at the outcome level is that all of this was purpose-built to support a business model, not just a technical architecture.
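As an added illustration of two of those facets, not code from the Decian platform itself, the block below shows one way to make a Wazuh-to-OpenSearch ingestion step replay-safe (a deterministic `_id` plus `create` semantics, so a replayed batch cannot duplicate alerts) and to tag each document with a pipeline-authoritative tenant that a Document-Level Security role can filter on. The alert field names, the `tenant` tag and the sample alerts are assumptions constructed for the example.

```python
import hashlib
import json

# Wazuh alert fields that identify one event; a replayed copy carries identical
# values, so it hashes to the same _id. Names are assumed; check your mapping.
IDENTITY_FIELDS = ("timestamp", "agent.id", "rule.id", "full_log")

def _get_path(doc, dotted):
    """Look up a dotted path such as 'agent.id' in a nested dict (None if absent)."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def alert_id(alert, tenant):
    """Deterministic _id from tenant plus the alert's identity fields: the same
    event replayed lands on the same id, and agent ids cannot collide across tenants."""
    identity = [tenant] + [_get_path(alert, f) for f in IDENTITY_FIELDS]
    raw = json.dumps(identity, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(raw.encode()).hexdigest()

def bulk_actions(alerts, tenant, index="wazuh-alerts-4.x"):
    """Build (action, document) pairs for the OpenSearch _bulk API.
    'create' answers 409 for an existing _id, so a replayed batch is rejected
    per document instead of duplicating alerts; the caller ignores the 409s."""
    out = []
    for alert in alerts:
        doc = dict(alert)
        doc["tenant"] = tenant  # set by the pipeline; overrides anything the agent sent
        out.append(({"create": {"_index": index, "_id": alert_id(alert, tenant)}}, doc))
    return out

def tenant_dls_query(tenant):
    """DLS filter for an OpenSearch Security role: users mapped to the tenant
    role only ever see documents carrying their own tenant tag."""
    return {"term": {"tenant": tenant}}

# Constructed sample alerts: the second is a replay of the first, the third
# arrives with a forged tenant field that the pipeline must not trust.
SAMPLE_ALERTS = [
    {"timestamp": "2024-01-01T00:00:00Z", "agent": {"id": "001"},
     "rule": {"id": "5710"}, "full_log": "sshd: invalid user admin"},
    {"timestamp": "2024-01-01T00:00:00Z", "agent": {"id": "001"},
     "rule": {"id": "5710"}, "full_log": "sshd: invalid user admin"},
    {"timestamp": "2024-01-01T00:00:05Z", "agent": {"id": "001"},
     "rule": {"id": "5710"}, "full_log": "sshd: invalid user root", "tenant": "other"},
]
```

In practice the DLS query is placed in the tenant role's index permissions and the tenant tag is excluded from anything an agent or client can write, so the filter cannot be bypassed from the ingest side.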

The Outcome

The SIEM platform is Decian’s core product. It generates consistent high-margin MRR because the company owns the entire stack—there are no per-seat vendor fees, no third-party licensing costs scaling with the client base. Adding tenants is operationally flat: shared infrastructure with proper isolation means the marginal cost of a new client is minimal compared to the revenue it brings.

Just as importantly, Decian can now serve its clients on its own terms. When a client needs a capability, the team can build it. When something breaks, the fix doesn’t depend on a vendor’s support queue. The platform evolves based on what Decian’s actual clients need, not what a vendor’s product team prioritizes for an entirely different market segment. That responsiveness is a competitive advantage that pure resellers can’t match.

A family-operated MSP that was competing on resale margins now has a proprietary product with the economics of a software company and the agility to serve its clients better than larger competitors can. That’s the outcome that mattered.

Facets

The technical decisions and architecture behind this outcome: