The secret is out. Security data is a mess, and everyone knows it. It’s hard to say what the tipping point was. Maybe it’s the fact that security breaches persist, and the post-mortem cleanup reveals that the data needed to detect and prevent them was present but went unused. Maybe it’s the experimenting with AI-powered capabilities that highlights how hard it is to get at the clean, reliable data these tools need to be effective. Whatever it is, there has been a shift, and security teams are looking for solutions to their messy data challenges that let them use the data they have, where it lives.
Every security team, regardless of size, faces the same data-related challenge: you need your data when you need it, and today that data is far too difficult to reach and use. This problem shows up when investigating alerts, which forces teams to pivot into dozens of distributed data sources and work across many data formats. It shows up in data centralization and lake projects, when significant time and money is spent moving data and security teams still can’t easily use it when they need it. And on really bad days, it shows up in incident response efforts, when someone you are paying $5,000 an hour shows you how your environment was compromised, piecing everything together from your own data.
Based on working with hundreds of security teams, I believe the number one operational barrier security teams face today is friction: the friction of getting to, using, and making decisions with their data when it matters most.
The Data Problem Hiding in Plain Sight
For decades, the go-to approach for managing security-relevant data has been to determine what data is critical to security operations and then centralize it. This approach seems logical. It enables us to write rules to find things that are bad, and to work across our historical data when we need it. But the world has changed. Today there is far too much data, from too many distributed platforms and solutions, to centralize in one place. The real problem isn’t data centralization. The real problem is using all your data when you need it to ensure the organization is protected. If we approach our data problems with the goal of enabling teams and technology to use the data they need to make the best possible decisions, then the ideal solution flips from a centralization problem to a data access and usability need, which we envision as a security data mesh.
Today’s security data is:
- Spread across cloud, SaaS, and on-prem systems.
- Controlled by multiple vendors with their own access and data models.
- Locked behind APIs or schema differences that slow analysts down and lead AI agents and copilots to make up nonsense that wastes time, or worse.
Security platforms from Microsoft M365 to CrowdStrike Falcon have become data ecosystems in their own right. Each delivers valuable telemetry, but none was designed to work seamlessly with the others. That leaves security teams with an impossible choice between incomplete visibility and endless integration work. Many of you have spent the last two years moving and transforming data all over your estate. While promising on paper, the reality is often more cost and complexity (the opposite of what was promised) and little to no gain in security operations capability. If you are frustrated with this, we are right there with you.
A (Security) Data Mesh model is all about decentralization and federation of decision making, and it flips from the tool-centric model to decomposing problems along functional lines. Instead of moving all your data into one place, you bring the analysis, search, and mission-driven AI capabilities to your data. You get to use what you already have, where it already lives, for the job at hand. And with this approach, you get to take advantage of the data collection and storage capabilities you are likely already paying for across your platform environments.
AI as an Advantage, Not a Solution
AI can be a force multiplier for security teams, but only if it’s built on a strong data foundation. Right now, most teams are still in the experimentation stage: running pilots, trying copilots in the platforms they already have, or building small automations. The results are mixed, not because the models are bad, but because the data they rely on is limited, inconsistent, and spread across many different formats.
To gain a real AI advantage, your team needs:
- Access to all relevant data across your environment.
- Normalization that allows AI to understand what it’s looking at.
- Context from all your data together, so insights are complete, not just fast.
AI can’t fix bad or missing data. But when you deliver high-quality, normalized data from a data mesh, AI becomes a real asset. Agents and copilots can summarize, correlate, and guide analysts in ways that were impossible before.
Think of it like giving a talented analyst full access to every piece of data and context they need, just in time, whenever they need it, without stressing over which sources must be accessed and all the data wrangling that comes with it. AI capabilities will continue to evolve. However, if you can’t feed your AI the right data at the right time, the results won’t be what you need.
Embrace Your Data Mess
A security data mesh isn’t just a new solution; it’s a new way of thinking about how to truly use the data you have, where it lives. It delivers real, immediate benefits. Here are four examples that CISOs and architects can measure:
Threat Hunting Where It Matters
Analysts can query across EDR, identity, cloud, and SaaS data from dozens or hundreds of independent sources in one step. No data engineering, no switching tools, no need to alter the data where it lives. A query for a single IOC can return all related network, process, and authentication events, normalized into a single unified data set.
Result: Hours saved per hunt, more complete visibility.
Investigating Alerts Without Blind Spots
During an incident, analysts waste time pivoting between consoles, or miss something because they don’t have access. With a data mesh, investigations start with more complete data visibility to quickly zero in on what is actually happening. You can pivot from a CrowdStrike alert to Microsoft Entra sign-ins, AWS CloudTrail events, and Okta sessions, all from one interface.
Result: Faster triage, fewer missed indicators.
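The two scenarios above (one IOC query fanned out across independent sources, and an alert pivot that does not go blind when a source is unreachable) as an added illustration; this is example code written for this page, not Query’s product or any vendor’s API, and the three record formats and all sample values are constructed stand-ins rather than real CrowdStrike, CloudTrail, or Okta schemas.

```python
"""Added example: federated IOC search across in-place sources with normalization.
The source formats and records below are constructed; they are not real vendor schemas."""
from dataclasses import dataclass

EDR_EVENTS = [  # constructed endpoint telemetry
    {"host": "ws-042", "remote_ip": "203.0.113.7", "proc": "powershell.exe", "ts": "2024-05-01T10:02:11Z"},
    {"host": "ws-017", "remote_ip": "198.51.100.9", "proc": "chrome.exe", "ts": "2024-05-01T10:05:40Z"},
]
CLOUD_AUDIT = [  # constructed cloud audit log
    {"sourceIPAddress": "203.0.113.7", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "alice"}, "eventTime": "2024-05-01T10:03:05Z"},
]
IDP_SIGNINS = [  # constructed identity-provider sign-ins
    {"client_ip": "203.0.113.7", "actor": "bob", "outcome": "FAILURE", "published": "2024-05-01T10:04:00Z"},
    {"client_ip": "192.0.2.55", "actor": "alice", "outcome": "SUCCESS", "published": "2024-05-01T10:06:00Z"},
]

@dataclass(frozen=True)
class UnifiedEvent:
    source: str    # which mesh node answered
    time: str      # ISO-8601, so a plain string sort orders the timeline
    ip: str
    actor: str     # process name, user, or account, depending on category
    category: str  # process | cloud_audit | authentication

# One adapter per source: query the data where it lives, map hits to the unified schema.
def edr_search(ip):
    return [UnifiedEvent("edr", e["ts"], e["remote_ip"], e["proc"], "process")
            for e in EDR_EVENTS if e["remote_ip"] == ip]
def cloud_search(ip):
    return [UnifiedEvent("cloud_audit", e["eventTime"], e["sourceIPAddress"],
                         e["userIdentity"]["userName"], "cloud_audit")
            for e in CLOUD_AUDIT if e["sourceIPAddress"] == ip]
def idp_search(ip):
    return [UnifiedEvent("idp", e["published"], e["client_ip"], e["actor"], "authentication")
            for e in IDP_SIGNINS if e["client_ip"] == ip]
def unreachable_search(ip):
    raise ConnectionError("saas audit API timed out")  # simulates a source the analyst cannot reach

ADAPTERS = {"edr": edr_search, "cloud": cloud_search, "idp": idp_search, "saas": unreachable_search}

def federated_ioc_search(ip, adapters=ADAPTERS):
    """Fan one IOC out to every adapter and return (time-ordered unified hits, failed sources).
    Reporting failed sources keeps a blind spot visible instead of silently narrowing the picture."""
    hits, failed = [], []
    for name, adapter in adapters.items():
        try:
            hits.extend(adapter(ip))
        except Exception:
            failed.append(name)
    return sorted(hits, key=lambda h: h.time), failed
```

Searching for 203.0.113.7 returns a process event, a cloud console login, and a failed IdP sign-in in timeline order, and names the SaaS source that could not be queried.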
AI-Driven Context and Guidance
With normalized data feeding AI models, copilots can generate real-time guidance and summaries, link related entities, or suggest next steps based on MITRE ATT&CK context. This transforms AI from a novelty into a true analyst assistant.
Result: Higher confidence decisions, consistent investigations.
Getting to Action Faster
Security outcomes depend on speed. A mesh provides the full picture from distributed data, correlated in place just when you need it, so teams can move from detection to decision faster.
Result: Reduced mean time to respond, lower operational drag, better resource use.
Cost and Time Efficiency
Every minute spent moving data between systems is a minute lost from defending. The pivot cost (switching between tools, normalizing results, and writing queries in multiple languages) is one of the biggest hidden expenses in security operations. It’s also why security analyst and engineering job descriptions are so long and read like a wish list for people who don’t actually exist.
A few simple truths:
- Centralized architectures multiply data storage and compute costs.
- Pipelines are brittle. Every schema change breaks something.
- Onboarding a new source can take months.
- The cost savings promised by pipeline tools are not materializing; in fact, the tools are proving more expensive than the original architecture they were meant to supplement.
A security data mesh eliminates much of that friction. Data stays where it is created or in the first-party ecosystem, so you can maximize your platform investments wisely. Teams consume data products on demand. There’s no need to duplicate petabytes of data or rewrite pipelines. Your existing investments, Splunk, Snowflake, Azure, Google, CrowdStrike, AWS, etc., all remain valuable, but now they work together.
The Value of a True Security Data Mesh
At its core, a data mesh unlocks answers from the data you already have. It allows you to:
- Maximize your platform investments instead of replacing them.
- Improve visibility without duplicating storage or compute.
- Feed AI and automation with normalized, reliable data.
- Enable distributed teams to act on the same truth.
Security data mesh is a mindset shift driven by your new normal: from centralization to federation, from silos to interoperability, from friction to flow.
AI will not save you from poor data. But a well-architected and implemented data mesh will enable you to accomplish more right now. It gives you the foundation to finally make use of everything you’ve already built, and enables function-aligned consumption for your teams, instead of being beholden to what is in the SIEM or data lake. That’s how security teams turn data into action, and action into advantage.
The organizations that make this shift will gain a measurable advantage. They’ll detect faster, respond smarter, and spend less doing it. And I bet, the people in these security teams will accomplish more because they will be freed from the data use tax we are all paying, whether we realize it or not.
Ready to make your data work for you? Speak with a SecDataOps expert at Query.
