GreyMatter Transit: Detect on Data in Transit
Detect threats while data streams between tools. Filter what's irrelevant. Route what matters. 5-second mean time to detect—before data is parsed, indexed, or stored.
A Security Data Pipeline with Detection Built In
GreyMatter operates detection across three architectural positions: at source, in transit, and at storage. GreyMatter Transit is the "in-motion" layer: as data enters the pipeline, the Universal Translator normalizes raw telemetry to OCSF and the correlation engine runs detection logic against the normalized stream—all before data is parsed, indexed, or stored.
Transit is natively built into the GreyMatter platform, working with any connected source or storage technology. With Transit, security teams design their data architecture around what makes operational and financial sense—while detection runs continuously on data in motion, independent of where that data ultimately lands.
Core Capabilities
Data Enrichment
Transit applies threat intelligence to streaming data as it moves through the pipeline, enriching events with context before detection logic evaluates them. Detections fire against data that's already normalized and intel-enriched, improving signal quality without adding a separate enrichment step downstream.
Multi-Event Detection in Transit
GreyMatter's correlation engine maintains lightweight state for relevant entities like users, hosts, IPs, identities, and sessions. Transit holds partial event sequences in temporary storage while waiting for subsequent events to complete a pattern. This capability expands detection coverage to sophisticated attack patterns that require correlating multiple events.
Sequences
Detects when one type of event follows another within a specific time window. Transit tracks the ordered chain per entity and fires when the sequence completes, regardless of how much noise occurs between the relevant events.
Example: failed logins → successful login — Multiple failed authentication attempts from one source, followed by a successful login within the same window—a brute-force completion pattern.
Thresholds
Detects patterns across volume—spikes or repeated attempts of the same event within a defined period. Transit tracks event frequency per entity and fires the moment the count meets the configured threshold.
Example: password spraying — A single source attempts authentication across many accounts within a short window. Each individual failure is unremarkable; the volume within the time window is the signal.
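The sequence and threshold patterns described above, shown as an added example in Python; it is not GreyMatter's correlation engine or rule syntax. The event tuple layout, the window and threshold values, and keying the sequence on source plus account are assumptions made for illustration, and the sample events are constructed.

```python
from collections import defaultdict, deque

WINDOW = 300       # seconds; assumed correlation window
MIN_FAILS = 3      # assumed failures required before a success completes the sequence
SPRAY_USERS = 4    # assumed distinct-account threshold per source

# Constructed sample events: (epoch seconds, source IP, account, outcome)
EVENTS = [
    (0,   "198.51.100.7", "alice", "fail"),
    (20,  "198.51.100.7", "alice", "fail"),
    (25,  "203.0.113.9",  "bob",   "fail"),
    (40,  "198.51.100.7", "alice", "fail"),
    (45,  "192.0.2.50",   "carol", "success"),  # unrelated noise between events
    (60,  "198.51.100.7", "alice", "success"),  # completes the sequence
    (100, "203.0.113.9",  "dave",  "fail"),
    (110, "203.0.113.9",  "erin",  "fail"),
    (120, "203.0.113.9",  "frank", "fail"),     # 4th distinct account in window
    (900, "198.51.100.7", "alice", "fail"),
    (905, "198.51.100.7", "alice", "success"),  # one recent failure only: no alert
]

def detect(events, window=WINDOW, min_fails=MIN_FAILS, spray_users=SPRAY_USERS):
    """Return (time, rule, source) alerts from a time-ordered event stream."""
    fails = defaultdict(deque)  # source -> (ts, account) failures still in window
    alerts = []
    for ts, src, user, outcome in events:
        q = fails[src]
        while q and ts - q[0][0] > window:  # expire state older than the window
            q.popleft()
        if outcome == "fail":
            q.append((ts, user))
            users = {u for _, u in q}
            # Threshold: fire once, when a new account brings the count to the limit.
            if len(users) == spray_users and sum(u == user for _, u in q) == 1:
                alerts.append((ts, "password_spray", src))
        elif outcome == "success":
            # Sequence: enough in-window failures for this account, then a success.
            if sum(u == user for _, u in q) >= min_fails:
                alerts.append((ts, "bruteforce_success", src))
            # Clear this account's partial sequence so it cannot fire twice.
            fails[src] = deque((t, u) for t, u in q if u != user)
        if not fails[src]:
            del fails[src]  # drop empty per-entity state
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```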
Intelligent Event Filtering
Filter data with precision as it moves through Transit. Pre-built filter packages handle common high-volume, low-value event types out of the box. Custom conditions let teams get granular, dropping events based on any normalized field, value, or combination.
Because detection runs before filtering, you can drop aggressively without losing coverage. Events that match a detection pattern get caught and acted on whether or not they're routed to storage.
Flexible Data Routing
Route data based on purpose and value. High-signal events go to the SIEM. Compliance data goes to S3 or a data lake. Everything else gets dropped or archived at minimal cost.
Add and remove source and storage tools as your business grows while maintaining control over the flow of data without rebuilding pipelines.
No-Code Pipeline Management
Build, deploy, and modify data pipelines within GreyMatter's no-code UI. Add filters, configure routing destinations, and deploy detection logic without writing code or managing a standalone pipeline tool.
Detect on It. Then Decide What to Do with It.
Because detection happens before filtering and routing, you can detect on data you never have to store.
Detect and drop it. Detect and filter it. Detect and route it to cheaper storage. After a detection fires, send the data anywhere, based on conditions you define.
In Production: Retail Company Opens 30 New Stores Without Increasing SIEM Spend
A retail organization hit 90% SIEM license utilization—then opened 30 new stores with over 100 new hosts. Ingesting logs from those hosts pushed them over their license.
With Transit:
Mean time to detect reduced to seconds
Non-relevant logs and events dropped entirely
Detection in Transit ensured full visibility on the filtered stream
Relevant data for investigations and hunting routed to the SIEM
Compliance and retention data routed to S3 for affordable storage
They added 100+ hosts to their environment without increasing their SIEM license.