Devo Reviews

Devo is a SIEM replacement technology used to run security operations. It centralizes security management within a business, functioning as a core system for a SOC. This system is the central cybersecurity hub, helping manage and streamline service tickets.

One of Devo's standout features is its cloud-first architecture, which sets it apart from many traditional SIEM providers that still rely on legacy, on-premise solutions. While many companies have started shifting to the cloud, Devo offers a hybrid solid approach with full cloud deployment. This mature architecture is one of Devo's significant strengths. Unlike other providers like Fortinet and Sentinel, which handle specific security parts, Devo offers a more comprehensive, end-to-end solution, making it one of the most advanced SaaS products.

They can improve their AI capabilities. If you look at some integrations like XDR or AI, which add to the platform to correlate situations in events, there are areas for enhancement. For instance, when an event comes in with many tickets, the best systems excel at correlating and grouping the different instances or alerts into a single instance or ticket, providing context. Their correlation engines sometimes miss the mark, leading to false positives. They're not as strong as other vendors, like SentinelOne, regarding AI power and data or event correlation.

I have been using Devo as a partner for four years now.

Devo's stability is a strong point. As a SaaS provider, they've had no performance issues. 

I rate the solution’s stability a ten out of ten.

When it comes to scale, they're architected quite well. They handle some of the biggest customers globally, with significant throughput on their platform, managing thousands of customers. One of the most impressive aspects of Devo is its customer community. A large majority, over 80 percent of their customers, actively participate on a Devo-specific community page. They're contributing to product development and support, events, and user group information, helping each other out. This high level of engagement is rare and demonstrates both the loyalty of their customer base and the quality of their product.

They offer a range of small, medium, and large options to cater to everyone. I sold Devo products while working with them, focusing on enterprise solutions. However, as a small reseller, my customers were typically smaller businesses.

I rate the solution's scalability a nine out of ten.

The community support is excellent. I rate the direct support around eight, mainly because the company is based in America and has more support infrastructure there than in Europe. In the U.S., the support level rating should be closer to ten.

Positive

The initial setup is easy. They have a lot of out-of-the-box integrations and are quite lightweight in their implementation. There are plenty of options for integration, which I would consider one of their strengths. One standout feature beyond data analytics and real-time diagnostics is something called DeepTrace. If I recall correctly, this feature involves automated threat hunting and investigation. It uses AI to expedite the investigation process, identifying attack chains and conducting root cause analysis without human intervention. Essentially, they're using AI to perform tasks typically done by analysts, automating the investigation process. When you start an investigation, their AI-driven tool provides the best guess at identifying the problem, potentially offering root cause analysis without human involvement. You can either use their suggested analysis or investigate further if needed. This DeepTrace feature is likely one of the unique selling points of their platform, making it a significant differentiator for them.

I rate the initial setup an eight out of ten, where one is difficult and ten is easy.

Compared to Splunk or SentinelOne, it is really expensive.

I rate the product’s pricing a nine out of ten, where one is cheap and ten is expensive.

It integrates several critical components, such as SIEM, SOAR, and UEBA, to make it a robust solution for SOCs. The platform's cloud-based architecture ensures excellent performance, scalability, and quick deployment, particularly beneficial in environments with heavy production loads or when integrating additional tools.

Devo provides near-real-time capability for threat alerts, analysis, and updates. This allows SOC teams to stay on top of security incidents as they happen. Additionally, the platform excels in visualization, providing clear and timely dashboards that help SOCs avoid missing critical incidents or failing to interpret data correctly. Its user-friendly design allows for high-level overviews and detailed drill-downs, ensuring security professionals can quickly grasp the situation and act.

They push AI as their differentiation, calling it a next-gen SIEM. It offers a more inclusive platform that delivers end-to-end security for the entire customer. Using some weighting system, they use AI to drive down false positive rates by determining whether something is a real threat. They have an AI-powered system that assesses if an issue is real, though the specifics of how it works are difficult to explain. This includes machine learning and algorithms designed to identify complex issues, with some of that learning built into the tool. However, this is pretty standard for most SIM platforms today. The biggest challenge for SIEMs has been to make the information they present smarter and more context-heavy. This is not a differentiation but rather being on par with other AI-driven platforms that aim to reduce false positives and minimize manual checks.

I 100% recommend the solution. It can help most medium to large enterprises develop their IT capabilities to advance quickly. However, if you're already at the top of your field and willing to invest heavily, some pedigree products might offer a ten out of ten experience, but that would be due to the higher cost and specialized features.

Overall, I rate the solution an eight out of ten.

We are a value-added reseller focused on cybersecurity and big data analytics. Devo is a premier partner of ours. We not only resell Devo but we provide deployment services, content development, and analytic services for Devo customers.

Devo helps organizations save money and become more efficient by providing a scalable cost-effective data platform. A lot of organizations have the challenge of way too many data stores. This might be the result of company acquisition, different projects in time, etc.  But the result is they end up having one for each SIEM, Hadoop clusters, S3 buckets, custom solutions, etc. Basically, the data is everywhere. Devo provides a cost-effective, scalable way to get all that data into one place and streamline their processes.

Devo also provides a multi-tenant, cloud-native architecture. This is critical for managed service provider environments or multinational organizations who may have subsidiaries globally. It gives organizations a way to consolidate their data in a single accessible location yet keep the data separate. This allows for global views and/or isolated views restricted by access controls by company or business unit.

Devo keeps 400 days of hot data to look for historical patterns or analyze trends. A lot of organizations top out from the limitations of their hardware. Depending on the volume of data, they may be limited to only 30, 60, or 90 days retention for analysis.  After which, they might have to roll out data off to long term storage. They must do this because it is so costly to have the hardware to support long-term real-time analysis. Even if this “saves” some money, this also becomes a configuration and technical logistics challenge. Whereas with Devo, they just give you 400 days of accessible, searchable hot storage. This also helps with better visibility and meet a lot of compliance requirements.

Devo’s UI, high-speed search, and analytic capabilities.

The UI ease of use for analysts is very good. We love it. The UI really gives you two ways to work with the data. First, the UI lets junior analysts work through and understand the data. They can interact with the data, perform all kinds of built-in enrichments and/or functions using the intuitive, user-friendly UI.  Second, every UI interaction builds the actual query syntax being used along the way.  Devo’s query code editor gets updated with the query that the user is building via the UI.  Once the user gets comfortable with the query language, which is LINQ, they can continue to use the UI or simply choose to use LINQ directly.   It goes the other way too, you can also start with LINQ and if you get stuck on syntax, you can just leverage the UI and it will update the query you started from. Very nice.

Another nice capability is if some ingested data is nested inside a field that you need for your use case, you can easily parse it out in-line and make the data inside the field usable immediately! You can even go back historically and further process data that has been ingested already.  For Analytica42, the ability to build parsers easily without reliance on Devo Engineers really helps us support all our end customers who might be ingesting that same data source.

On high-speed search capabilities and real-time analytics, it’s one thing to ingest data as quickly as possible, it’s another to query and use that data. We have seen this problem historically in SIEMs where you can ingest data but aren’t really able to query and retrieve that data which makes it kind of pointless. Devo does both quite well.

Finally, you can then take any query you build and easily create alerts and detections that can alert your security team, SOC, and/or drive tools like a SOAR to do response.

Some basic reporting mechanisms have room for improvement. Customers can do analysis by building Activeboards, Devo’s name for interactive dashboards. This capability is quite nice, but it is not a reporting engine.  Devo does provide mechanisms to allow 3^rd-party tools to query data by their API, which is great. However, a lot of folks like or want a reporting engine, per se, and Devo simply doesn't have that. This may or may not be by design.

I say this because I’ve seen many, many times where a customer states that they absolutely need to have a reporting engine.  But based on my experience with other SIEMs, the vendor ends up building a reporting engine, and the customer acknowledges the effort, but then they don’t actually use it. They end up extracting the data into whatever reporting mechanism/tools they use already.  So, often it seems it is the most requested mandatory/nice-to-have feature. Again, not having full reporting feature may or may not be by design for Devo but it has not been a showstopper because you are able to leverage their API to query the data you need and put it into any tool or format you like.

We have been using it for about two years.

It is very stable. I can't really think of any hiccups. It has always been available when we need to use it.

All the maintenance is handled by Devo. That takes that headache and burden off the end-user. It lets them focus on their job vs spending time keeping the system up and running. That is the benefit of the SaaS offering that they provide, it allows an organization to focus their analysts on security, or their IT resources on other projects.

It is very scalable. We have worked with Devo to design architectures that can go from a single terabyte to100 terabyte-plus daily ingestion of data. It is purpose built to maximize the advantages of the cloud infrastructure to scale.

We work with their support all the time. From a support perspective, we get relatively quick responses, and they follow up on a regular basis until issue is resolved. They use a ticketing system to help manage the process and also lets us know the status of progress. So far, the team that we work with has been good.

They are customer-friendly and partner-friendly. They are easy to work with from their technology all the way to our relationship. Having a good partnership means a lot, especially for Analytica42 and what we do for a living. We have a good, bidirectional relationship, which is very important. We have been building upon that over the past two years.

Positive

We work and support other SIEM and log management solutions for our customers who use Elastic, Sumo Logic, Splunk, and more.

Initial setup with Devo is very straightforward.

If a customer has cloud services like AWS, O365, Gsuite, etc, and they want to ingest the data, you can probably get that up in a day to a day and a half. Everything is ready when you are ready. You just need to provide the respective API information.

The Relay, their local log collector, may take a little bit longer because it tends to be on-premise. But it is very easy to install. The Relay supports direct hardware installation, in Virtual Machines and/or in Docker containers. With motivated customer and available resources, a deployment could take as little as week or two to get all the data sources flowing.

The staff required will depend on the size of the organization implementation team, change control process, the number of unique data sources, access to those data sources, how hands-on the customer wants to be, and finally their availability and timeline. Based on these factors, you could probably have only one or two Devo engineers or partners like Analytica42 assist a customer and their organization.  It is not a heavy lift technically, but the challenges are more centered around coordination.

For a typical deployment, the Devo team provisions the cloud instances, then Analytica42 are given access to the cloud environment. This model makes it easy for us to work with their customers globally. Once provisioning is complete, we typically are hired to assist customers to onboard their data sources, set-up performance analytics, and build content within the environment.  A lot of times, it is about mining the data and creating detections and rules with the data that gets ingested. For example, a customer might be ingesting AWS data into the Devo platform, we will then build searches and detections off that data to cover a wide range of use cases. Once validated, we also walk the customer through the process to get those alerts operationalized with their SOC or MSSP for validation, triage, and remediation.

It is worth mentioning something that is dear to my experience. Devo invests a lot in customer success. Devo assigns a CSM (Customer Success Manager) who walks the customer thru the whole on-boarding process. They assist with project planning, coordinate the efforts of the customer team with the Devo Professional Services Team or with a partner like Analytica42. They are focused on making sure the customer is happy and successful.

Devo saves us time. The turn-up time for the cloud is very quick with their SaaS infrastructure. Getting data in is relatively quick, whether it is leveraging relays, collectors or both. They are very modern in the sense that they are very friendly with GCP, AWS, Azure, etc., in terms of just needing plugin API keys, then it will start ingesting data and parsing it.

They have easy to configure Relays that can go on-prem and pretty much collect any type data that you can think of. I have always been very happy with that. It is a joy to partner and be able to work with this kind of system.

If you have acquired different data stores or SIEMs over time, especially if you are a large organization, you find yourself buying one of each. That is kind of wasteful, inefficient, and expensive. Because of the Devo’s scalability and low-cost, you can get the data from all those disparate environments into one place. Additionally, a lot of times in those environments, you have to filter out data so the systems don't get overwhelmed, thus you are partially blind on things you do not collect.  With Devo, their philosophy is you can go ahead and collect all the data. Devo’s ROI is saving on redundant licensing costs, storage/processing costs, collection costs, overhead of maintenance cost, but more importantly the ability to build a more holistic security program because you visibility to all your data for 400 days.  This helps any organization for detection and compliance reasons.

I like the pricing very much. They keep it simple. It is a single price based on data ingest, and they do it on an average. If you get a spike of data that flows in, they will not stick it to you or charge you for that. They are very fair about that.

Additionally, that one price is all-inclusive. As a partner, I appreciate that as I am able to resell that easily. I just need to know your volume per day and I can price it out.  And with that you get 400 days of storage, the management full capability, all the analysis, additional applications, with no additional hidden costs that we have seen. That is very attractive.

We work with Elastic, Sumo Logic, Splunk, other SIEMs, and more. These solutions are very comparable to Devo when it comes to threat hunting and incident response. It just depends on the end customer and what solution will work best for them.

Some advantages of Devo are multi-tenancy and scale. It was built to be multi-tenant which uses resources in an intelligent way. This helps being able to manage multiple organizations. Some of the security solutions you need to create a separate instance for every single organization, which can be inefficient.

The other advantage or sweet spot of where Devo shines is price/volume at scale. Some of the other vendors may be a better solution at lower volumes of data ingest. Devo really accelerates once you get above 500 gigs or a terabyte a day. Cost-wise, once you start hitting that terabyte mark or above, some of the other vendors won't necessarily compare in price or scale. We have seen it where others would need a lot more TCO infrastructure to manage the same volumes that Devo can handle.

If you are in need of a new SIEM or Log Management Platform and/or want to leverage the advantages of a cloud-based solution, Devo can offer a Proof of Concept (PoC) so you can see it for yourself.   

More and more organizations are moving away from on-prem and leveraging the cloud. I know a lot of companies still feel like they have to do on-prem but I see this loosening up. In scenarios where there are strict regulations, companies have ended up leveraging Devo for their IT and security infrastructure logs but then kept a small on-prem solution for strict compliance of more regulated sources.  Again, I see this changing as more and more organizations are adopting use of the cloud and is worth considering.

I would rate Devo as 8.5 out of 10.

Our initial use case is to use Devo as a SIEM. We're using it for security and event logging, aggregation and correlation for security incidents, triage and response. That's our goal out of the gate.

Their solution is cloud-based and we're deploying some relays on-premise to handle anything that can't send it up there directly. But it's pretty straightforward. We're in a hybrid ecosystem, meaning we're running in both public and private cloud.

We're very early in the process so it's hard to say what the improvements are. The main reason that we bought this tool is that we were a conglomeration of several different companies. We were the original Qualcomm company way back in the day. After they made billions in IP and wireless, they spun us off to Vista Equity, and we rapidly and in succession bought three or four companies in the 2014/2015 timeframe. Since then, we've acquired three or four more. Unfortunately, we haven't done a very good job of integrating those companies, from a security and business services standpoint.

This tool is going to be our global SIEM and log-aggregation and management solution. We're going to be able to really shore up our visibility across all of our business areas, across international boundaries. We have businesses in Canada and Mexico, so our entire North American operations should benefit from this. We should have a global view into what's going on in our infrastructure for the first time ever.

The solution is enabling us to bring all our data sources into a central hub. That's the goal. If we can have all of our data sources in one hub and are then able to pull them back and analyze that data as fast as possible, and then archive it, that will be helpful. We have a lot of regulatory and compliance requirements as well, because we do business in the EU. Obviously, data privacy is a big concern and this is really going to help us out from that standpoint.

We have a varied array of threat vectors in our environment. We OEM and provide a SaaS service that runs on people's mobiles, plus we provide an in-cab mobile in truck fleets and tractor trailers that are both short- and long-haul. That means our threat surface is quite large, not only from the web services and web-native applications that we expose to our customers, but also from our in-cab and mobile application products that we sell. Being able to pull all that information into one central location is going to be huge for us. Securing that type of landscape is challenging because we have a lot of different moving parts. But it will at least give us some insight into where we need to focus our efforts and get the most bang for the buck.

We've found some insights fairly early in the process but I don't think we've gotten to the point where we can determine that our mean time to resolution has improved. We do expect it to help to reduce our MTTR, absolutely, especially for security incidents. It's critical to be able to find a threat and do something about it sooner. Devo's relationship with Palo Alto is very interesting in that regard because there's a possibility that we will be pushing this as a direct integration with our Layer 4 through Layer 7 security infrastructure, to be able to push real-time actions. Once we get the baseline stuff done, we'll start to evolve our maturity and our capabilities on the platform and use a lot more of the advanced features of Devo. We'll get it hooked up across all of our infrastructure in a more significant way so that we can use the platform to not only help us see what's going on, but to do something about it.

So far, the most valuable features are the ease of use and the ease of deployment. We're very early in the process. They've got some nice ways to customize the tool and some nice, out-of-the-box dashboards that are helpful and provide insight, particularly related to security operations.

The UI is 

• clean
• easy to use
• intuitive. 

They've put a lot of work into the UI. There are a few areas they could probably improve, but they've done a really good job of making it easy to use. For us to get engagement from our engineering teams, it needs to be an easy tool to use and I think they've gone a long way to doing that.

The real-time analytics of security-related data are super. There are a lot of data feeds going into it and it's very quick at pulling up and correlating the data and showing you what's going on in your infrastructure. It's fast. The way that their architecture and technology works, they've really focused on the speed of query results and making sure that we can do what we need to do quickly. Devo is pulling back information in a fast fashion, based on real-time events.

The fact that the real-time analytics are immediately available for query after ingest is super-critical in what we do. We're a transportation management company and we provide a SaaS. We need to be able to analyze logs and understand what's going on in our ecosystem in a very close to real-time way, if not in real time, because we're considered critical infrastructure. And that's not only from a security standpoint, but even from an engineering standpoint. There are things going on in our vehicles, inside of our trucks, and inside of our platform. We need to understand what's going on, very quickly, and to respond to it very rapidly.

Also, the integration of threat intelligence data provides context to an investigation. We've got a lot of data feeds that come in and Devo has its own. They have a partnership with Palo Alto, which is our primary security provider. All of that threat information and intel is very good. We know it's very good. We have a lot of confidence that that information is going to be timely and it's going to be relevant. We're very confident that the threat and intel pieces are right on the money. And it's definitely providing insights. We've already used it to shore up a couple of things in our ecosystem, just based on the proof of concept.

The solution’s multi-tenant, cloud-native architecture doesn't really affect our operations, but it gives us a lot of options for splitting things up by business area or different functional groups, as needed. It's pretty simple and straightforward to do so. You can implement those types of things after the fact. It doesn't really impact us too much. We're trying to do everything inside of one tenant, and we don't expose anything to our customers.

We haven't used the solution's Activeboards too much yet. We're in the process of building some of those out. We'll be building dashboards and customized dashboards and Activeboards based on what those tools are doing in Splunk. Devo's going to help us out with our ProServe to make sure that we do that right, and do it quickly.

Based on what I've seen, its Activeboards align nicely with what we need to see. The visual analytics are nice. There's a lot of customization that you can do inside the tool. It really gives you a clean view of what's going on from both interfaces and topology standpoints. We were able to get network topology on some log events, right out of the gate. The visualization and analytics are insightful, to say the least, and they're accurate, which is really good. It's not only the visualization, but it's also the ability to use the API to pull information out. We do a lot of customization in our backend operations and service management platforms, and being able to pull those logs back in and do something with them quickly is also very beneficial.

The customization helps because you can map it into your business requirements. Everybody's business requirements are different when it comes to security and the risks they're willing to take and what they need to do as a result. From a security analyst standpoint, Devo's workflow allows you to customize, in a granular way, what is relevant for your business. Once you get to that point where you've customized it to what you really need to see, that's where there's a lot of value-add for our analysts and our manager of security.

Devo has a lot of cloud connectors, but they need to do a little bit of work there. They've got good integrations with the public cloud, but there are a lot of cloud SaaS systems that they still need to work with on integrations, such as Salesforce and other SaaS providers where we need to get access logs.

We'll find more areas for improvement, I'm sure, as we move forward. But we've got a tight relationship with them. I'm sure we can get anything worked out.

This is our first foray with Devo. We started looking at the product this year and we're launching an effort to replace our other technology. We've been using Devo for one month.

The stability is good. It hasn't been down yet.

The scalability is unlimited, as far as I can tell. It's just a matter of how much money you have in your back pocket that you're willing to spend. The cost is based on log ingestion rate and how much retention. They're running in public cloud meaning it's unlimited capacity. And scaling is instantaneous.

Right now, we've got about 22 people in the platform. It will end up being anywhere between 200 and 400 when we're done, including software engineers, systems engineers, security engineers, and network operations teams for all of our mobile and telecommunications platforms. We'll have a wide variety of roles that are already defined. And on a limited basis, our customer support teams can go in and see what's going on.

Their technical support has been good. We haven't had to use their operations support too much. We have a dedicated team that's working with us. But they've been excellent. We haven't had any issues with them. They've been very quick and responsive and they know their platform.

We were using Splunk but we're phasing it out due to cost.

Our old Splunk rep went to Devo and he gave me a shout and asked me if I was looking to make a change, because he knew of some of the problems that we were having. That's how we got hooked up with Devo. It needed to have a Splunk-like feel, because I didn't want to have a long road or a huge cultural transformation and shock for our engineering teams and our security teams that use Splunk today. 

We liked the PoC. Everything it did was super-simple to use and was very cost-effective. That's really why we went down this path.

Once we got through the PoC and once we got people to take a look at it and give us a thumbs-up on what they'd seen, we moved ahead. From a price standpoint, it made a lot of sense and it does everything we needed to do, as far as we can tell.

We were pulling in all of our firewall logs, throughout the entire company, in less than 60 minutes. We deployed some relay instances out there and it took us longer to go through the bureaucracy and the workflow of getting those instances deployed than it did to actually configure the platform to pull the relevant logs.

In the PoC we had a strategy. We had a set of infrastructure that we were focusing on, infrastructure that we really needed to make sure was going to integrate and that its logs could be pulled effectively into Devo. We hit all of those use cases in the PoC.

We did the PoC with three people internally: a network engineer, a systems engineer, and a security engineer.

Our strategy going forward is getting our core infrastructure in there first—our network, compute, and storage stuff. That is critical. Our network layer for security is critical. Our edge security, our identity and access stuff, including our Active Directory and our directory services—those critical, core security and foundational infrastructure areas—are what we're focusing on first.

We've got quite a few servers for a small to mid-sized company. We're trying to automate the deployment process to hit our Linux and Windows platforms as much as possible. It's relatively straightforward. There is no Linux agent so it's essentially a configuration change in all of our Linux platforms. We're going through that process right now across all our servers. It's a lift because of the sheer volume.

As for maintenance of the Devo platform we literally don't require anybody to do that.

We have a huge plan. We're in the process of spinning up all of our training and trying to get our folks trained as a day-zero priority. Then, as we pull infrastructure in, I want those guys to be trained. Training is a key thing we're working on right now. We're building the e-learning regimen. And Devo provides live, multi-day workshops for our teams. We go in and focus the agenda on what they need to see. Our focus will be on moving dashboards from Splunk and the critical things that we do on a day-to-day basis.

We worked straight with Devo on pretty much everything. We have a third-party VAR that may provide some value here, but we're working straight with Devo.

We expect to see ROI from security intelligence and network layer security analysis. Probably the biggest thing will be turning off things that are talking out there that don't need to be talking. We found three of those types of things early in the process, things that were turned on that didn't need to be turned on. That's going to help us rationalize and modify our services to make sure that things are shut down and turned off the way they're supposed to be, and effectively hardened.

And the cost savings over Splunk is about 50 percent.

Pricing is pretty straightforward. It's based on daily log ingestion and retention rate. They keep it simple. They have breakpoints, depending on what your volume is. But I like that they keep it simple and easy to understand.

There were no costs in addition to their standard licensing fees. I don't know if they're still doing this, but we got in early enough that all of the various modules were part of our entitlement. I think they're in the process changing that model a little bit so you can pick your modules. They're going to split it up and charge by the module. But everything was part of the package that we needed, day-one.

We were looking at ELK Stack and Datadog. Datadog has a security option, but it wasn't doing what we needed it to do. It wasn't hitting a couple of the use cases that we have Splunk doing, from a logging and reporting standpoint. We also looked at Logstash, some of the "roll-your-own" stuff. But when you do the comparison for our use case, having a cloud SaaS that's managed by somebody else, where we're just pushing up our logs, something that we can use and customize, made the most sense for us. 

And from a capability standpoint, Devo was the one that most aligned with our Splunk solution.

Take a look at it. They're really going after Splunk hard. Splunk has a very diverse deployment base, but Splunk really missed the mark with its licensing model, especially when it relates to the cloud. There are options out there, effective alternatives to Splunk and some of the other big tools. But from a SaaS standpoint, if not best-in-breed, Devo is certainly in the top-two or top-three. It's definitely a strong up-and-comer. Devo is already taking market share away from Splunk and I think that's going to continue over the next 24 to 36 months.

Devo's speed when querying across our data is very good. We haven't fully loaded it yet. We'll see when the rubber really hits the road. But based on the demos and the things that we've seen in Devo, I think it's going to be extremely good. The architecture and the way that they built it are for speed, but it's also built for security. Between our DevOps, our SecOps, and our traditional operations, we'll be able to quickly use the tool, provide valuable insights into what we're doing, and bring our teams up to speed very quickly on how to use it and how to get value out of it quickly.

The fact that it manages 400 days of hot data falls a little bit outside of our use case. It's great to have 400 days of hot data, from security, compliance, and regulatory retention standpoints. It makes it really fast to rehydrate logs and go back and get trends from way back in the day and do some long-term trend analysis. Our use case is a little bit different. We just need to keep 90 days hot and we'll be archiving the rest of that information to object-based long-term storage, based on our retention policies. We may or may not need to rehydrate and reanalyze those, depending on what's going on in our ecosystem. Having the ability to be able to reach back and pull logs out of long-term storage is very beneficial, not only from a cost standpoint, but from the standpoint of being able to do some deeper analysis on trends and reach back into different log events if we have an incident where we need to do so.

Our primary use case is so we have historical logs in case of an event or if we need to do any troubleshooting.

Our secondary use of Devo is for incident detection; certain logs trigger alerts, so we now have a 24/7 monitoring service that detects and alerts us to incidents. 

We can ingest virtually any log source, which is much better than our previous solution. We can access those logs more quickly and efficiently, with a better focus on our points of interest.

Cloud log sources were more difficult with our previous solution. Devo isn't wholly worry-free, but it's much more manageable.

With Devo, we don't have desperate multiple log storage solutions; we can do it for the most part with one. The sheer breadth of logs we can ingest is very beneficial.

The solution allows us to ingest much more data; our event volume is around 100 GB. That's ten times the volume we were ingesting before. 

The alerting is much better than I anticipated. We don't get as many alerts as I thought we would, but that nobody's fault, it's just the way it is. 

Having at least one year of data was one of our requirements, so 400 days of hot data benefits us. We are used to this capability, as our previous solution offered the same, and we wouldn't have purchased Devo if it didn't provide that.  

There are some issues from an availability and functionality standpoint, meaning the tool is somewhat slow. There were some slow response periods over the past six to nine months, though it has yet to impact us terribly as we are a relatively small shop. We've noticed it, however, so Devo could improve the responsiveness.

When we first started implementing the solution, the staff that helped us with the migration and getting it set up seemed very new. The tool could be more mature, which we knew going in, but we were hopeful for quick improvements. We would prefer to be further along than we are in that respect, but 18 months later, we still feel pretty good about adopting Devo.

The price could be more friendly as we pay significantly more than what we were paying before, but it's in line with other solutions on the market.

We've used the solution for 18 months. 

The solution is relatively stable; I'd rate it eight out of ten here. We heard about somewhat shaky performance from other customers over the last six to nine months, but we were fine.

The solution seems scalable, though we're a small shop, so we're probably not the best to answer that well.

We have 400-450 end users across three locations. 

Once we get a hold of someone and they respond, customer support is fine. It isn't extraordinary, and the escalation process is a little below average for the industry.

Neutral

We previously used IBM QRadar, and we switched because it was antiquated. We had difficulty ingesting logs from cloud solutions, which is the direction our organization is moving in. We have several cloud solutions now versus two or three years ago, so the migration to Devo from QRadar was very timely for us in that regard.

QRadar's interface was pretty antiquated. They have updated it now, but we weren't satisfied with it at the time. We also had some support-related issues around updating the solution as it was on-prem. We were coming to a point where we had to update the hardware and software, so it was a good time for us to look for another product.

The initial setup was relatively straightforward. 

In terms of maintenance, I go through every quarter to ensure that each of our log sources is still sending logs to Devo. We were a little disappointed that they didn't have a good way of informing us if a log source stopped sending logs. I appreciate that each source sends on a different frequency, but we should be able to define that frequency and receive a notification of any issues.

As is often the case with security solutions, it's hard to measure an ROI because we only need it once an incident occurs. The hope is that we get a return if an incident takes place. Devo is much better than we previously had, but it's also a lot more expensive, so it should be so.

Devo is a hosted or subscription-based solution, whereas before, we purchased QRadar, so we owned it and just had to pay a maintenance fee. We've encountered this with some other products, too, where we went over to subscription-based. Our thought process is that with subscription based, the provider hosts and maintains the tool, and it's offsite. That comes with some additional fees, but we were able to convince our upper management it was worth the price. We used to pay under 10k a year for maintenance, and now we're paying ten times that. It was a relatively tough sell to our management, but I wonder if we have a choice anymore; this is where the market is.

We focused on four solutions: Splunk, AlienVault OSSIM, the incumbent QRadar, and Devo. We narrowed it down pretty quickly to Splunk and Devo, and the latter was a bit cheaper, though less mature. We took a chance and went with Devo.

I rate the solution seven out of ten.

Devo's cloud-native SIEM increased our threat visibility, though we had hoped for a bit higher. Visibility is critical, as we rely upon knowing about security incidents as soon as possible. We expected the solution would provide additional insight, but we're finding it isn't. Devo gives us the historical logs, a fantastic capability we are very happy with. However, the incident and threat detection is not what we had hoped for. Regarding security operations, the tool is different from what we wanted.

Getting our staff up to speed with the solution was right in the middle in terms of difficulty. It wasn't as easy as we had hoped, but it wasn't insurmountable by any stretch of the imagination. Devo provided us with several training sessions, and I wonder how much that helped because our group is very technical. The tool's interface is intuitive, so our staff can find what they need. With regular use, the learning curve is relatively low, but without that, it can take some getting used to, as with any solution. Devo is broad and encompassing, so it requires familiarity to leverage it fully. We don't have dedicated internal staff to manage the solution, so we outsourced the monitoring to an MSP.  

The migration from QRadar to Devo was relatively straightforward and painless; we essentially cut the cord on QRadar, maintained the logs and moved them over to the new solution. The ease of migration was relatively important, the old solution was antiquated, so we expected any newer tool to be better. 

Migrating the bulk of the initial logs took about three months. We got some aspects up and running during a proof of concept while we were still using the old solution. Once we went live, we migrated the POC environment to a production environment, so it was much less stressful than it could have been. 

The Devo team was intimately involved in the migration. They weren't as responsive as we had hoped, and they seemed new and didn't completely understand the product. We received better support on escalation; overall, they were critical to the migration.

Before going down this path, I advise potential customers to document their log sources and what information they need based on their use cases.

We're primarily using it to correlate WAN and endpoint activity for our clients. We work with vendors that have endpoint solutions or that control the networks for our clients. We are receiving their feeds, along with some of our other custom deployed equipment, to not only collect endpoint data, but to monitor network activity and correlate it to identify threats, vulnerabilities, attacks, and provide incident response.

We've integrated Devo with a SOAR solution. We have prioritized the severity of our alerting in Devo and that corresponds directly to automated playbooks that are kicked off in the SOAR. With that SIEM-SOAR solution, we have drastically reduced the number of incidents that our analysts have to work through, and we have improved our time to respond as well as the time to remediate, through that integration.

Devo absolutely saves us time. We brief our project manager and client weekly on the number of man-hours saved just by having this SIEM-SOAR integration. Considering the quantity of data feeds and events and endpoints that we have, we can actually present a funnel chart that shows how many "events" we start with and how many become actual incidents. We then have that calculated into the number of dollars saved. It's phenomenal when you look at it. When we show the people who are in charge of getting funding that we saved this number of man-hours, which correlates to this number of dollars, they're more willing to fight to get that funding for the next fiscal year.

The strength of Devo is not only in that it is pretty intuitive, but it gives you the flexibility and creativity to merge feeds. The prime examples would be using the synthesis or union tables that give you phenomenal capabilities. There is such a disparity in how, say, a network feed or an endpoint feed comes in. They're all over the range, not only in the information they present, but in how that information is categorized. The ability to use a synthesis or union table to combine all those feeds and make heads or tails of what's going on, and link it to go down a thread, is functionality that I hadn't seen before.

It also provides high-speed search capabilities and near real-time analytics. I haven't had any problem with it in those contexts. The high-speed search and near real-time analytics are important to us because when it comes to incident response, we have a certain amount of time to turn these events and incidents around. That's how we're graded. That responsiveness, where it's not waiting on any results, is critical to how we do our jobs and how we stay alive in this game.

And because of the ease of integrating Devo with the SOAR solution, we've created an API for a visualization capability, and that works pretty easily. I'm usually an incident response, content development, threat hunting guy. But I was able to do all this stuff on the back end myself. The way it's set up makes it easy for someone who is not a back-end engineer to go in and set up that kind of integration.

We look for historical patterns and analyze trends with that data. That historical data is critical when putting separate events together and trying to detect a pattern or when looking for a low-and-slow, advanced, persistent threat. Without that reach-back capability, you would just see these one-offs and you would never put that information together. What makes a SIEM work is not only seeing the real-time event feed but being able to reach back and put things together. That's at the core of any SIEM solution.

We have a list of things that we'd like to see. I have had all my analysts put in suggestions. I've tested a number of solutions through the years, and I've found that companies appreciate that analyst perspective and anything that makes future releases more user-friendly.

The biggest thing we've found, when trying to integrate Devo with the SOAR solution, is the priority or severity rankings. If they could make those a little bit more intuitive that would help. It seems that when we set the priority of an alert, it doesn't always translate, in the back end, the way you would expect. The severities include "very low," "low," "medium," "high," and "very high." Those correlate to numerical value ranges one to three, four to five, six to seven. It's a little confusing. It would help if they made that priority/severity labeling and numerical system match up a little better.

Also, it would help if some of the error messaging could be a little bit more descriptive when you run a query and an error pops up. It would be good to have a log where you could find those, as well. 

Another issue is that an admin who is trying to audit user activity usually cannot go beyond a day in the UI. I would like to have access to pages and pages of that data, going back as far as the storage we have, so I could look at every command or search or deletion or anything that a user has run. As an admin, that would really help. Going back just a day in the UI is not going to help, and that means I have to find a different way to do that. That's a big one.

I started looking into it and training on it in August of 2020, so I have been using it for about 16 months.

I can count on one hand the number of times it has gone out. It's very stable. A few times we've needed to reboot the stack and that has usually resolved the issue. We're pleased with the solution when it comes to incident response.

It's highly scalable.

I have all the personal numbers of my Devo support guys. I can text them and they usually respond within the hour. It's excellent customer support. I've been in this game for 20 years and you can generally expect someone to get back to you within a business day or two. But if I'm in a pinch, these guys usually respond within an hour.

In terms of being an ally to our business and providing a customer-first approach. They are a highly trusted ally and partner. The success of our solution relies directly on their delivery. We include them in all of our success stories. We consider Devo on par with our company.

Positive

Setting up the solution was pretty complex. Working with the number of external vendors that we had, the way that they would send the information to us, and the fact that they were constantly changing the way that data was being sent, meant we were constantly having to go in and tweak the relay rules. To know what you're doing with the relays, and putting in those rules, takes some homework. Devo was very responsive and worked with us hand in hand, troubleshooting and putting in the parsers and the relay rules to help us get things integrated.

It took six to eight months of that type of work just to get it to work. For our project, the setup was very complex. We had two environments, a lab environment and a live environment and it took that long to get both running. That seems like a lot of time. But we were working with a number of different vendors, and this was the first time any of us had ever done this.

I'm a long-time ArcSight and Splunk user. I see Devo as the evolution of both of them. If the capabilities of those two got together and had a baby, it would probably be Devo.

Devo is a definite upgrade from both ArcSight and Splunk, in my experience. It combines some of the best of each and it takes it to another level when it comes to ease of use and how you can expand the capabilities.

Another benefit of Devo is that it enables us to ingest more data compared to other solutions. This project has such a widespread ingestion of so many endpoints and networks.

The ease of use of Devo really depends on whether you've had experience with a SIEM before. If you have, you should be okay. If this is your first time walking into a SIEM, it may be a little bit overwhelming, which is natural for any SIEM.

But it's very easy to pick up and has great documentation. The tutorials that Devo has provided, the upfront user training, and their lab environment are all very helpful. I just sat through a monthly tutorial where they had one of their commercial users come in and speak for 35 minutes on their best-case uses. The support element, combined with the training that they provide upfront, creates a customer experience where you're not flying solo. You have a lot of people to lean on. We use Devo as a service, but I've found that there is so much documentation at my fingertips that I really don't need to reach out to them that often.

Where they have exceeded my expectations is the training element. They're constantly putting out training tidbits and interactive sessions. They don't have to do that but they're holding sessions where they bring in analysts who do straight run-throughs. That's stuff you don't get anywhere else, other than with someone in a SOC environment. Those sessions are invaluable for picking up tips on how to better use the solution.

In terms of Devo providing a multi-tenant cloud-native architecture, if you can switch domains, it does. At this point in the evolution of our architecture, that is not important because we only have one client at this point. But I do see the usefulness of it to separate your domains and your traffic while, at the same time, potentially filing some of that activity or using it for correlation. We're just not at that stage right now.

We are an MSSP and we provide security monitoring services for our customers. We also treat ourselves as a customer. That means we use Devo internally for our own services in addition to using it to monitor our customers. The use case varies by customer, but they are all security-related as well as dealing with a little bit of storage retention, depending on the customer's needs.

Because of the way Devo works, our onboarding time has shrunk by 50 percent at least.

Also, at a high level, Devo's cloud-native SIEM has helped improve visibility into threats with its data analytics. That's very important because, as an MSSP, we need to be able to analyze the data for our customers and spot anomalies. This feature is still relatively new even to Devo, so I cannot say how happy we are with it at the moment; we still haven't taken full advantage of it. But the Big-Data analytics features included with Devo are allowing us to write some advanced alerting mechanisms that were not available to us in the past.

We are also able to ingest data that, in the past, would have been difficult to ingest.

The most powerful feature is the way the data is stored and extracted. The data is always stored in its original format and you can normalize the data after it has been stored.

By way of an analogy, if you have ever taken a text file and inserted it into a spreadsheet, the individual fields within that text file now belong in individual cells in the spreadsheet. If a particular set of data should have been in a single cell but was split into two cells, searching for it as a whole becomes difficult. The way Devo stores its data, it never gets separated. It's always stored as original data. The only time it gets split up is on extraction, when I actually need to look at my data. That gives me control over how the data is parsed or normalized. I don't have to worry about data being mangled as it's being collected and that gives me confidence that I always have 100 percent fidelity in my data.

The second most valuable feature is the way the alerting mechanism works. It is a code-based approach. You write your queries like code, with a lot of flexibility and access to internal libraries. Those aspects are not available in Boolean or natural language alerting mechanisms that are used by Devo's competitors.

For example, IBM's QRadar uses natural language and you construct a sentence out of predefined options to create your alerting mechanism. With ArcSight and McAfee you use Boolean logic statements. That restricts what you can actually do with the alerting mechanism. You cannot do sub-selections or complicated math problems. Those approaches are less data-centric and more just simple logic. Devo takes a Big-Data approach, rather than simple logic, when it comes to alerting. That makes it super-duper powerful.

Another important feature for us, as an MSSP, is that it allows us to carve up the data from each individual customer that fits into each individual tenant, and that data funnels up into a single master tenant through which we control everything. It becomes invaluable for customers who still want access to their data and we don't have to worry about them potentially accessing another customer's data.

In addition, Devo has an extremely powerful API that is now allowing us to create third-party integrations with forensic tools. That allows us to use Devo as a Big-Data storage facility. As a result, when Devo fires off an initial alert, our third-party forensic analytics tools can pull up the alert and use Devo's extremely powerful query engine to pull in all the secondary and tertiary metadata right into them. That allows us to track the incident with even more powerful tools.

The overall performance of extraction could be a lot faster, but that's a common problem in this space in general. 

Also, the stock or default alerting and detecting options could definitely be broader and more all-encompassing. The fact that they're not is why we had to write all our own alerts.

They could also provide more visual dashboards, what they call Activeboards, within their environment. Activeboards enable you to create custom or pre-defined dashboards. In that context, there are a couple of very useful features for us that are not available when I compare them to some of their competitors. They are features that help you quickly analyze data in a visual way. What they have is still pretty decent but they could beef it up a little bit.

We onboarded it a little bit over a year ago. 

In general, any stability issues have not been very impactful. There have been frequent small outages that make things difficult, but we're giving them a little bit of leeway because they're still a growing platform.

It scales really well, at least from our perspective. We don't know if there are any performance issues in the back-end. As I said earlier, it could be faster. But overall, because it's a cloud-based solution, we really don't worry about scaling. We simply onboard a new customer. They go into their own tenant and their data flows up to the management MSSP tenant. We simply size the licensing accordingly, so it's super easy to scale.

Support is pretty good. They're responsive and they usually solve problems relatively well. And if they mess something up, they will actually put professional services people in to solve the problems, if a wide range of issues is involved.

Both our technical and channel-partner relationships have been very good. We meet with them for status calls at least twice a month. They're very good about staying in contact to provide both satisfaction and technical assistance.

Positive

We used McAfee ESM on-prem. We switched because it  

• was getting old and not evolving
• was not cloud-based or cloud-centric
• had limited correlation engine capabilities compared to Devo
• was hard to segment customer data
• required us to host all the hardware in-house.

The list goes on and on and on.

The switch to Devo helped reduce blind spots and had a very good effect on our ability to protect our organization.  With the limitations removed on how data is inserted and extracted, we were able to alert on things we were never able to alert on before.

It was not an easy deployment because we're an MSSP. Devo's core content, its alerting and security content, is limited. We have a very wide variety of requirements with a lot of our customers. Unfortunately, most of the content that came with Devo couldn't be used. We had to write a lot of our content from scratch. 

We're still learning to crawl with the product because it's insanely powerful, but we were able to see value from it almost instantly. The value became instant because of the granularity with which we could write our content and how powerful the writing of that content was. Because the content that it came with was somewhat limited, we're pretty much writing our own content.

McAfee and Devo co-existed for quite a lot of time in our environment because we needed to make sure Devo was stable before we could cut McAfee off. In fact, some customers are still on it.

There is a bit of a learning curve with Devo because its search language is based on Microsoft LINQ. If you're used to graphic-interface types of SIEMs, like McAfee or LogRhythm or QRadar, where you point-click-drag-drop rather than write your own queries, or you haven't worked with Microsoft LINQ before, there's a learning curve. In addition, Devo has its own "flavors" on top of everything, like its own powerful libraries. If you don't know them there is a bit of a learning curve there as well. All of us are still learning it a year later.

But they do offer both basic and advanced training, and that helps you get started. They also have a pretty advanced Knowledge Base library to help.

Devo's team was involved in the migration and they assisted us quite a bit.

Our experience with them was decent. It wasn't bad. They put in quite a few man-hours helping us create the content and setting up the initial cloud environment. But they misunderstood our overall use case, early on. In the beginning, we were going in the wrong direction for a little bit. Once that was figured out, we were able to get back on track but time was already spent moving in that direction.

But they were very closely involved and helped us scope it out and prep everything. They were instrumental in the migration process.

We did a competitive bake-off between Devo, Elastic, and Google.

Google dropped out very early on. They didn't seem to be very forthcoming in the whole process. It turned out their product no longer exists, so that explains why they weren't being very good about the onboarding process. They didn't want to waste anybody's time.

Early on, Elastic was ahead of Devo in our PoC but when it came time to create very advanced security alerting use cases, Elastic was failing to create the advanced alerts we needed. Devo's proof of concept team was able to help us create those advanced use cases. Devo won there. And, price-wise, Devo was the cheapest out of the three in the bake-off.

Between Devo's advanced features, the price, and the longer default retention period of 400 days, compared to Elastic at 90 days, they ticked enough boxes that they won. The retention days were an important aspect because about 90 percent of our customers fall within a 400-day retention range, and that means we don't have to come up with alternative storage solutions and pay extra for them.

The most valuable feature of the solution is the log retention time. The dashboarding, what Devo calls Activeboards, is a very useful feature enabling rendering a range of insights from data and related detections. Devo enables collaborative working across security teams within the platform.

Devo continues to invest in their analytic capability and the platform's durability. Regarding the service management side, Devo are maturing their service management, ensuring they are absolutely on it when they have service incidents or problems with the service. I think the tool offers a great and promising future because the platform's fundamentals are good.

In general, over time Devo should look to provide more customization options and support wraps.

We have been using Devo for two years. We use the solution's latest version.

The solution is stable, there have been rare instances where Devo has lost some accessibility and other issues, which they resolved rapidly. Devo are improving on their service management side to ensure fast recovery from issues. High stability in a cloud native platform is key.

Scalability is one of Devo's strengths. Its ability to scale is good, and for a customer, the scalability works out of the box, they can accommodate all customers from small and up to enterprise-sized customers.

Customer service management is prompt and improving enabling faster recovery from issues.

Neutral

The setup phase required technical input and that increases with the scale of the project, but Devo are willing to assist.

The solution is deployed in Devo’s cloud. It is possible to get Devo on-premises, but that is not the main offering.

Deploying Devo you can get the right security outcomes within a few weeks to a month. Its heavily dependent on the scope of the solution.

Devo is taking on the market leaders, and their pricing is commensurate with that strategy.

Core and additional features Devo provide guidance around and help in making value-based pricing discussions.

It is important with any SIEM deployment cloud-based or otherwise to have an experienced implementation team. The implementation team should be prepared to engage closely with the SIEM vendor to get the best from the scope of the deployment.

Overall, I rate the product an eight out of ten.

We have several use cases for Devo. The first is related to the security center (SOC) operations, and they do the log correlation for Devo security.

We now have fraud use cases and application monitoring use cases, and we're starting to work on some use cases related to business analytics.

Devo provides us with high-speed search capabilities and real-time analytics, which is the most important thing for us. The reason is that when we need to analyze something, we need to have the information as fast as possible. It needs to be easy to use because if we have a security incident, or an application monitoring incident, we need to find the problem as quickly as possible, and have the ability to fix it.

It is difficult to correlate in terms of security and application monitoring but in terms of fraud, we have the ability to correlate a lot of different log sources to form a picture. This gives us the ability to reduce fraud cases by 40%.

In our environment, we retain some of our logs for 10 years. This is important for us because of regulatory requirements. We have critical information stored that is related to anti-money laundering, and the law requires us to be able to provide it quickly.

Devo provides us with more clarity when it comes to network, endpoint, and cloud visibility. We use it to ingest a lot of the related information. If you need to detect threats, you need to have the ability to find the network connections, and also the cloud-based connections that the threat actor is trying to access. This is the very reason that we are ingesting all of this information.

This solution helps us to release the full potential of our data, which is one of the most important things that we do. By creating the dashboards that work in real-time, we can see how our services are being used and we can monitor our security ecosystem.

Overall, using Devo has saved us time when compared to our previous security solutions. I estimate that it took us 10 times longer to achieve the same thing without Devo. 

What we find most valuable is the ability to create complex features in the engine, and to do real-time dashboarding. In traditional BI solutions, you need to wait a lot of time to have the ability to create visualizations with the data and to do searches. With this kind of platform, you have that information in real-time.

Devo, as with almost all of the analytics products, is a product that you need to learn how to use. Fortunately, with just a short training time of perhaps four hours, you can get a lot of power with the tool. Overall, it's pretty easy to use.

I would like to have the ability to create more complex dashboards.

We implemented Devo in 2016 and started using it in production in 2017.

Stability-wise, Devo is a good solution.

Scalability is one of the most powerful features. We started with five terabytes and we are now at 30, with almost the same performance. That is pretty scalable.

We have more than 500 users. The roles are security analysts, business users, application developers, and the IT operations team.

We plan to increase our usage in the next couple of years.

The vendor monitors the application and it is quite good. When we were last having a problem, it was solved within two hours.

Devo has a customer-first approach. They are quite open to discussing new features, and they like to be close to the customer to understand any problems that they have.

The support team has exceeded our expectations, in particular, when it came to the implementation. We originally had a four-year plan and in six months, everything was completed. The originally planned work was done, and the work for the next three and a half years was also done.

Prior to Devo, we were using QRadar and Elastic. We switched because Devo is more powerful and the scalability is better.

With respect to analyst threat hunting and incident response, you can create a lot of complex dashboards and consequently, it is easier to perform a deep dive. It is really aligned with Splunk in terms of capabilities and usability.  Our analysis had data from different solutions to work with and they preferred to use what was coming from Devo.

The initial setup is straightforward. It took approximately one week to deploy.

The Devo implementation team came to our building and installed everything. After that, we moved all of our information, which included creating a copy of all of the logs that we had in the other solutions. Once that was complete, we were able to start working with Devo.

Our implementation strategy was originally part of a four-year plan. However, we finished the full implementation early and the four years were reduced to six months.

Devo professional services assisted us with the implementation.

We have two full-time people in charge of maintenance. This includes tasks like implementing new services, doing correlations, alerts, and management.

Devo allows us to ingest more data compared to other solutions, using the same infrastructure. For example, compared to Splunk using the Capacity Planning Tool, Devo can ingest almost double the information in terms of events per second.

Our licensing fees are billed annually and per terabyte. This seems to be that the market is generally going to.

We created an alternative business plan that used QRadar and Elastic, and finally, we selected Devo because it was most aligned with our strategy.

Comparing the cost and value of Devo versus these other solutions, I think that it's very efficient. We're getting a lot of power for the cost, which is good.

Devo provides multi-tenant cloud-native architecture but in our organization, I would rate it a six out of ten in terms of importance. The feature is important, although not so much for our specific use case. I don't expect that this will change in the next few years.

I would rate this solution a nine out of ten.