High-Cardinality Aggregation Use Case

A Million Unique Values. One Detection Engine. Zero Lag.

Your SIEM chokes on cardinality. Count distinct users per source IP? Fine at 100. At 100,000? The query times out, the cost explodes, or the search just... doesn't run. So you do what everyone does — you lower the fidelity. Fewer group-bys, wider time windows, less granularity. You trade detection quality for query survival.

That's why port scans across /16 subnets go unnoticed. Why slow credential stuffing against thousands of accounts flies under the radar. Why DNS beaconing across hundreds of domains blends in. The data is there. The SIEM can't count fast enough.

How does spotr.io do it?

spotr.io aggregates on stream — no query, no storage, no cost cliff. Cardinality of the group-by key doesn't matter because we're maintaining state as events flow, not scanning a warehouse after the fact. Track distinct destination ports per source IP across your entire network. Count unique failed-auth usernames per origin across every identity provider. Measure DNS query entropy per host across millions of queries. All in real time. All simultaneously.

This unlocks detections that batch systems literally cannot run: cardinality spikes (a host suddenly resolving 500 unique domains in an hour), low-and-slow aggregation (50 failed logins spread across 50 accounts from one source over a week), and ratio-based anomalies (one user generating 10x the distinct connections of their peer group).
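The three detections above, as an added example that is not spotr.io's code: a per-key sliding-window distinct counter that keeps state as events stream (no query, no rescan), driving a cardinality-spike check, a low-and-slow check and a peer-ratio check. The event streams, window sizes, thresholds, host names and IPs are all constructed for the example; events are assumed to arrive in timestamp order per key.

```python
"""Streaming distinct-count aggregation for three high-cardinality detections.

Constructed example (not spotr.io code): per-key sliding-window distinct counts
kept as state while events stream, so the cardinality of the group-by key
never turns into a query that has to scan stored data.
"""
from collections import defaultdict, deque
from statistics import median

HOUR, DAY, WEEK = 3600, 86400, 7 * 86400


class DistinctCounter:
    """Per-key count of distinct values seen within a sliding time window.

    State per key: a deque of (timestamp, value) for expiry plus a refcount
    of values, so each add costs O(expired events), never a rescan.
    Assumes events for a given key arrive in timestamp order.
    """

    def __init__(self, window_seconds):
        self.window = window_seconds
        self._events = defaultdict(deque)                    # key -> deque[(ts, value)]
        self._refs = defaultdict(lambda: defaultdict(int))   # key -> value -> count

    def add(self, key, value, ts):
        """Record one event and return the key's current distinct count."""
        self._expire(key, ts)
        self._events[key].append((ts, value))
        self._refs[key][value] += 1
        return len(self._refs[key])

    def distinct(self, key, ts):
        """Distinct count for key as of time ts (expires old events first)."""
        self._expire(key, ts)
        return len(self._refs[key])

    def keys(self):
        return list(self._refs.keys())

    def _expire(self, key, now):
        q, refs = self._events[key], self._refs[key]
        while q and now - q[0][0] >= self.window:
            _, v = q.popleft()
            refs[v] -= 1
            if refs[v] == 0:
                del refs[v]


# --- Constructed sample streams (timestamps: seconds since an arbitrary epoch) ---
def dns_events():
    """Most hosts resolve 20 domains; ws-42 resolves 600 inside one hour."""
    for h in range(5):
        for i in range(20):
            yield (i * 60, f"ws-{h}", f"site{i}.example")
    for i in range(600):
        yield (i * 6, "ws-42", f"d{i}.example")   # 600 domains within 3600 s


def auth_failures():
    """One source fails once each against 50 accounts spread over ~6 days."""
    for i in range(50):
        yield (i * 3 * HOUR, "203.0.113.9", f"user{i}")
    yield (DAY, "198.51.100.4", "alice")           # one account, two failures
    yield (2 * DAY, "198.51.100.4", "alice")


def connections():
    """Peers each reach 5 distinct destinations; 'mallory' reaches 60."""
    for u in ("ann", "bob", "cat", "dan"):
        for i in range(5):
            yield (i * 100, u, f"10.0.0.{i}")
    for i in range(60):
        yield (i * 100, "mallory", f"10.1.0.{i}")


# --- Detections evaluated on the stream ---
def cardinality_spikes(events, threshold=500):
    """Hosts whose distinct-domain count within any 1 h window reaches threshold."""
    ctr, flagged = DistinctCounter(HOUR), set()
    for ts, host, domain in events:
        if ctr.add(host, domain, ts) >= threshold:
            flagged.add(host)
    return flagged


def low_and_slow(events, threshold=50):
    """Sources that failed against >= threshold distinct usernames in a week."""
    ctr, flagged = DistinctCounter(WEEK), set()
    for ts, src, user in events:
        if ctr.add(src, user, ts) >= threshold:
            flagged.add(src)
    return flagged


def ratio_outliers(events, now, factor=10):
    """Users whose 1-day distinct-destination count is >= factor x peer median."""
    ctr = DistinctCounter(DAY)
    for ts, user, dst in events:
        ctr.add(user, dst, ts)
    counts = {u: ctr.distinct(u, now) for u in ctr.keys()}
    out = set()
    for u, c in counts.items():
        peers = [v for p, v in counts.items() if p != u]
        if peers and median(peers) > 0 and c >= factor * median(peers):
            out.add(u)
    return out


if __name__ == "__main__":
    print("cardinality spikes:", cardinality_spikes(dns_events()))
    print("low and slow:", low_and_slow(auth_failures()))
    print("ratio outliers:", ratio_outliers(connections(), now=10000))
```

The per-key refcount is what makes the group-by cardinality irrelevant: adding a key costs one dictionary entry, and memory grows with active keys in the window rather than with the total history. For very large windows a sketch such as HyperLogLog could replace the exact refcount at the cost of approximate counts; the exact version is used here so the thresholds in the text are reproduced precisely.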

SIEMs scale by paying more. spotr.io scales by design.

When the group-by has a million keys, batch is bankruptcy. Streaming is just Tuesday.