According to a recent SiliconANGLE article by Duncan Riley, Daylight Security has introduced Agentic Security Data Lake, a managed service built to help managed detection and response (MDR) customers retain and search large volumes of security telemetry without running their own SIEM.
The launch addresses a common challenge for security teams: the need to keep years of security data available for investigations, compliance, audits, legal inquiries, and operational review, while avoiding the rising cost and complexity of traditional SIEM infrastructure.
Security telemetry has become one of the most difficult parts of the modern security stack to manage. Organizations now collect data from identity providers, cloud environments, endpoints, email systems, SaaS applications, and other tools. That data may be essential during an investigation, but retaining it in fully searchable form for long periods can quickly become expensive.
Daylight’s new service is aimed at that gap between simple storage and full SIEM operations.
A Data Retention Problem for Modern Security Teams
For many organizations, security data retention is no longer just a technical issue. It is tied to regulatory requirements, internal governance, legal needs, and the practical realities of incident response.
When an incident is discovered late, investigators often need to look back across months or years of activity. They may need to understand when an account was first compromised, whether suspicious activity touched other systems, or whether an older event was connected to a current alert.
The challenge is that long-term telemetry only has value if security teams can search it when needed. Storing old logs in a low-cost archive may help with retention requirements, but it does not always solve the operational problem of retrieving and analyzing the right data quickly.
Traditional SIEM platforms are often used to make security data searchable. But as data volumes grow, the cost of ingesting, indexing, storing, and querying years of telemetry can become a major burden.
Daylight is positioning Agentic Security Data Lake as a way to preserve long-term visibility without requiring customers to maintain a full SIEM environment.
How Daylight’s Two-Tier Model Works
According to SiliconANGLE, Daylight’s Agentic Security Data Lake uses a two-tier architecture.
Recent telemetry remains live and available for active investigations. Older telemetry is moved into lower-cost archival storage. When investigators need to search historical data, the system rehydrates only the relevant data back into searchable storage.
That model is designed to reduce the cost of keeping years of telemetry accessible. Instead of paying full search and indexing costs for all historical data at all times, customers can retain the data and bring back only the portions needed for a specific investigation.
For security teams, this could be useful in cases where the majority of older telemetry is rarely queried, but still needs to remain available. It also gives MDR customers a way to support historical investigations without operating the underlying infrastructure themselves.
The service is not framed as simply another storage bucket for logs. Its value depends on keeping archived data usable when it matters.
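The hot/archive split and selective rehydration described above can be sketched in a few lines. This is an added illustration, not Daylight's implementation: the `TieredStore` class, the 30-day hot window, the per-source daily partitions and the sample events are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

HOT_DAYS = 30  # assumed hot-tier window; the article gives no figure

@dataclass
class TieredStore:
    today: date
    hot: dict = field(default_factory=dict)      # (source, day) -> events, searchable
    archive: dict = field(default_factory=dict)  # (source, day) -> events, cheap, not searchable

    def ingest(self, source, day, event):
        self.hot.setdefault((source, day), []).append(event)

    def age_out(self):
        """Move partitions older than the hot window into the archive tier."""
        cutoff = self.today - timedelta(days=HOT_DAYS)
        for key in [k for k in self.hot if k[1] < cutoff]:
            self.archive[key] = self.hot.pop(key)

    def search(self, source, start, end, predicate):
        """Rehydrate only the partitions the query scope needs, then search hot."""
        needed = [k for k in self.archive
                  if k[0] == source and start <= k[1] <= end and k not in self.hot]
        for key in needed:
            self.hot[key] = list(self.archive[key])  # archive copy is retained
        hits = [e for (src, day), events in sorted(self.hot.items())
                if src == source and start <= day <= end
                for e in events if predicate(e)]
        return hits, len(needed)

def demo():
    today = date(2025, 6, 1)
    store = TieredStore(today=today)
    # Constructed sample events: (age in days, source, user)
    sample = [(400, "idp", "alice"), (399, "idp", "bob"),
              (400, "endpoint", "alice"), (200, "idp", "alice"), (3, "idp", "alice")]
    for age, source, user in sample:
        store.ingest(source, today - timedelta(days=age), {"user": user, "action": "login"})
    store.age_out()
    archived = len(store.archive)
    # Investigation scope: identity-provider logs for a four-day window over a year ago
    hits, rehydrated = store.search("idp", today - timedelta(days=401),
                                    today - timedelta(days=398),
                                    lambda e: e["user"] == "alice")
    return archived, rehydrated, len(hits), len(store.hot)
```

Of the four archived partitions, only the two that match the investigation's source and date range are brought back; the endpoint partition and the 200-day-old one stay in the archive tier.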
Natural-Language Search and Kusto Query Support
One of the more notable parts of Daylight’s announcement is the search interface.
The service includes a natural-language chat interface that allows analysts to ask questions in plain English. That can lower the barrier for teams that do not want every investigation to depend on advanced query-writing skills.
At the same time, Daylight also supports direct access through Kusto Query Language. That gives more technical users a familiar way to run structured searches and investigations when needed.
This combination matters because security teams are rarely uniform. Some analysts may prefer natural-language investigation workflows, while others may want precise query control. Supporting both approaches gives the service flexibility across different levels of security operations maturity.
For MDR customers, this could also make historical telemetry more accessible outside a small group of SIEM specialists.
Preserving Original Telemetry Format
Daylight’s service also stores telemetry in its original format instead of normalizing it at ingestion.
That is an important design choice. Normalization can make data easier to query across different sources, but it can also force teams to decide early which fields and structures matter. In future investigations, seemingly minor original fields may become important.
By preserving telemetry in its native format, Daylight is presenting the service as a way to avoid losing potentially useful context during ingestion.
For security teams dealing with cloud, identity, endpoint, and SaaS data, this could be especially relevant. Different systems generate logs in different structures, and not every future investigation can be predicted when the data is first collected.
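The trade-off described in this section, as an added example that is not taken from Daylight or the SiliconANGLE article: a normalizer with a fixed schema drops a field that a later investigation needs, while querying the stored originals at read time can still reach it. The schema, field names and log lines are constructed for illustration.

```python
import json

# Fixed schema chosen at ingestion time (hypothetical field mappings)
NORMALIZED_FIELDS = {
    "timestamp": ("ts", "eventTime", "time"),
    "user": ("user", "userPrincipalName", "actor"),
    "action": ("action", "eventName", "operation"),
}

def normalize(raw_line):
    """Normalize-at-ingestion: keep only the fields the schema anticipated."""
    event = json.loads(raw_line)
    return {target: next((event[c] for c in candidates if c in event), None)
            for target, candidates in NORMALIZED_FIELDS.items()}

def get_path(obj, path):
    """Follow a dotted path through nested dicts; None if any part is absent."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj

def search_raw(raw_lines, path, value):
    """Schema-on-read: parse the stored originals at query time, match any field."""
    return [e for e in map(json.loads, raw_lines) if get_path(e, path) == value]

# Constructed sample telemetry from three differently shaped sources
RAW = [
    '{"eventTime": "2024-03-01T10:00:00Z", "userPrincipalName": "alice@example.com",'
    ' "eventName": "ConsentToApp", "appDetails": {"clientId": "app-123"}}',
    '{"ts": "2024-03-01T10:05:00Z", "user": "bob", "action": "login",'
    ' "device": {"managed": false}}',
    '{"time": "2024-03-02T08:00:00Z", "actor": "alice@example.com",'
    ' "operation": "login", "device": {"managed": true}}',
]

def compare():
    normalized = [normalize(line) for line in RAW]
    # The later question: which logins came from unmanaged devices?
    normalized_has_device = any("device" in n for n in normalized)
    raw_hits = search_raw(RAW, "device.managed", False)
    return normalized[1], normalized_has_device, [h["user"] for h in raw_hits]
```

The normalized records answer who did what and when, but the unmanaged-device question can only be answered from the originals, because `device` was never part of the ingestion schema.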
Why This Matters for MDR Customers
The launch is particularly relevant because Daylight is offering the data lake as a managed service for its MDR customers.
MDR providers are often evaluated on detection quality, response speed, threat expertise, and alert handling. But long-term telemetry access is becoming an increasingly important part of the value proposition.
If a customer needs to answer a legal question, support an audit, or investigate activity that happened many months earlier, the MDR provider’s ability to retrieve and search historical data can matter just as much as its ability to respond to a live alert.
Daylight’s service suggests that MDR offerings are expanding beyond real-time monitoring and response into broader security data operations.
That shift reflects how security leaders are thinking about resilience. Detection is only one part of the equation. Organizations also need to retain evidence, revisit old activity, support compliance needs, and reconstruct timelines after the fact.
A Different Approach to the SIEM Burden
Daylight’s announcement also reflects a broader debate around the role of the SIEM.
SIEM platforms remain central to many enterprise security operations programs. But they can be costly to operate, especially when organizations feed them large amounts of telemetry that may not be searched regularly.
For smaller teams, or for organizations that rely heavily on MDR, maintaining a full SIEM environment may not always be practical. Even larger organizations may want a separate model for retaining less frequently searched historical data.
Daylight’s Agentic Security Data Lake is aimed at that operational middle ground. It does not simply eliminate the need for searchable telemetry. Instead, it changes how and when that telemetry becomes searchable.
For CISOs, the key question is whether this type of model can reduce the cost of long-term retention without weakening investigation readiness.
The Bottom Line
Daylight’s Agentic Security Data Lake is a response to a practical security operations problem: organizations need to retain more telemetry for longer periods, but traditional SIEM economics can make that difficult.
By combining live telemetry, low-cost archival storage, selective rehydration, natural-language search, Kusto Query Language support, and preservation of original data formats, Daylight is positioning the service as a managed alternative for MDR customers that need long-term searchable visibility.
For security leaders, the launch highlights an important point. Long-term retention is no longer enough on its own. Historical telemetry must remain accessible, searchable, and useful when investigations, audits, or legal questions require it.
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.

