VirtualMetric is now a member of the Microsoft Intelligent Security Association (MISA)

Use case

Scale your SOC services. Not your team.

Every new customer brings more log sources, more pipelines, and more manual work. With DataStream, a security data pipeline for MSSPs, you can onboard customers in minutes, cut ingestion costs, and manage everything from one place.


The challenge

The operational cost of growth

Customer onboarding takes too long

Setting up log pipelines per customer – syslog forwarders, agents, custom parsing scripts, machines on customer premises – takes days or weeks per new customer. And every environment is different.

Ingestion costs eat your margins

Traditional approaches ingest everything and filter later: inside the SIEM, at full cost. As customer count grows, ingestion bills grow faster than revenue. Margins shrink. Pricing conversations get harder.

Every change touches every customer

Log forwarders sit on customer premises, out of reach. When a parsing rule changes or a new source gets added, you have to reach out to each customer individually and coordinate every change separately.

New log sources slow everything down

When a prospect asks about ingesting a log source you haven’t had before, the answer is rarely a confident yes, and that can cost you deals. Supporting diverse customer environments requires custom work every time, and that doesn’t scale.

The solution

One pipeline platform. Every customer. Full control.

DataStream is a multi-tenant security data pipeline built for the way MSSPs actually operate. It combines centralized management, per-tenant isolation, and automated onboarding with standardized, reusable pipelines across tenants, so you can add customers without adding complexity.

Standardize onboarding across customers

Connect customer environments agentlessly or via a lightweight agent. From there, everything – sources, destinations, filtering, routing – is configured and managed centrally. No more coordinating changes on-site with individual customers.

Cut ingestion costs per tenant

DataStream filters, normalizes, and compresses data before it reaches the SIEM, so you only ingest what matters. SIEM-critical alerts go to analytics. Bulk telemetry goes to low-cost storage. Each tenant’s cost is controlled independently.

Better correlation across every tenant

Clean, normalized data across all tenants improves correlation and reduces noise. Your SOC gets higher-quality alerts, faster triage, and better outcomes — without increasing data volume.

Say yes to any log source

DataStream supports a broad range of security data sources (firewalls, endpoints, cloud platforms, identity systems, critical business applications, AI platforms) out of the box. When a customer brings an unfamiliar vendor, VirtualMetric’s engineering team helps build the parser. You own the pipeline.

Full control and visibility across every tenant

Manage all customer pipelines from a single portal. Push configuration changes across your entire customer base at once, and get real-time visibility into data flows, ingestion volumes, and pipeline health for every tenant. Spot issues before they affect your customers.

Simplify SIEM migrations and architecture changes

When vendors rebrand, pricing changes, or customers want to switch SIEMs, DataStream makes the transition seamless. Reroute data to a new destination, apply different content packs, and keep pipelines running without touching individual customer environments.

Impact

What MSSPs achieve with DataStream

Up to 40 hrs saved per customer onboarding
Approx. 60% savings on manual data processing
Up to 90% reduction in SIEM ingestion costs

How it works

How MSSPs run DataStream

01

Deploy

Deploy a lightweight agent at the customer edge or connect agentlessly. One command, any OS.

02

Configure

Configure sources, filtering rules, and destinations from the centralized management portal. No on-site changes needed.

03

Process & route

DataStream normalizes at ingestion, filters noise, and routes clean data to each tenant’s SIEM, data lake, or storage tier.

04

Update at scale

When rules change or new sources are added, push updates from the portal: changes roll out across all customer pipeline instances automatically.

Customer Story

How Wortell scales its MXDR services

Wortell runs a 24/7 MXDR service for hundreds of customers. Before DataStream, onboarding third-party log sources required weeks of custom engineering, slowing operations and limiting their service offering.

“Sometimes we lost a deal or two because we were not as open to third-party log ingestion. Now that we offer very easy onboarding with third-party logs, it’s a much better conversation with our customers.”

Koos Goossens  ·  Security Architect, Wortell

How MSSPs work with VirtualMetric

Run it in your SOC

Use DataStream in your SOC

Buy a bulk subscription and run DataStream as part of your own MSSP service delivery. Manage all customer tenants under one account with volume discounts.

Resell & refer

Resell DataStream to your customers

Resell DataStream directly to your customers and earn a margin, or join the referral program. Full technical onboarding support included.

Frequently asked questions

How long does it take to onboard a new customer? 

For log sources that already exist on the platform via content packs, or that you’ve previously configured for another customer, onboarding takes minutes — connect the environment and apply the existing pipeline configuration from the portal. For a new vendor, VirtualMetric’s engineering team works with you to build the parser. You own it and can reuse it across all customers from that point on. 

Can I manage all customer pipelines from one place without switching between accounts? 

Yes. The DataStream management portal gives you a unified view of every customer pipeline — data flows, ingestion volumes, and pipeline health — all from one account. You switch between tenant views without separate logins. 

Can I reuse pipeline configurations across customers? 

Yes. Once you configure a pipeline for a log source, you can apply that configuration to any other customer using the same source. Changes to a shared configuration roll out to all customers automatically. 

How does pricing work for MSSPs? 

MSSPs can choose between three models: buying a bulk subscription for their own SOC operations with volume discounts, reselling DataStream to customers and earning margin, or referring customers to VirtualMetric and earning a referral margin. See the partner page for details.

How does DataStream help control per-tenant ingestion costs?

DataStream filters and compresses data before it reaches the SIEM, so each tenant only pays for what matters. Critical logs go to analytics. Bulk telemetry goes to low-cost storage. You can track and manage each tenant’s ingestion volume independently from the portal.

How is customer data isolated between tenants?

Each customer’s pipeline, configuration, and data is fully isolated within the DataStream portal. Pipelines are managed centrally but data never crosses tenant boundaries.

What happens if a customer’s SIEM or storage destination goes down?

DataStream uses WAL-backed buffering to persist data locally. If a downstream destination is unavailable, data is queued and not dropped: processing resumes automatically when the destination recovers. On top of that, the health monitoring dashboard actively tracks the status of all destinations across your customer base and alerts you when something goes wrong, so you’re not finding out after the fact. 

What schemas and formats does DataStream support?

DataStream supports all major security schemas and formats including ASIM, OCSF, ECS, CIM, UDM, CEF, CSV, JSON, Syslog, and others. This ensures compatibility with Microsoft Sentinel, Splunk, Google SecOps, Elastic, and other destinations without manual format conversion. 

What if a customer wants to switch SIEMs?

DataStream makes SIEM migrations straightforward. Reroute data to the new destination from the portal and apply the appropriate content pack without touching individual customer environments. Customers can also run parallel destinations during the transition period.

Does DataStream support both agentless and agent-based collection?

Yes. DataStream supports agentless collection via secure read-only connections for most sources. For environments that require deeper visibility or where network access is restricted, lightweight agents are available for Windows and Linux.