We have absolutely seen an ROI. We've been able to hire one more analyst with the money we saved on our licensing.

We extracted value within the first two weeks because we were able to ingest our cloud solutions, but at the 60 to 90 day point, we 100% realized our investment, and we were completely satisfied.

So far we've seen ROI from the fact that when the auditor comes in quarterly and looks at it, as happened the other day, they are extremely impressed. The return value is going to be there. It's already starting, where we're creating custom dashboards for various groups to look at their own data. We don't have to provide reports anymore. We just give them the data and they can log in and look at whatever they want in real time.

It's going to be huge as we move further down the road and we learn to better utilize the tool. We have some big plans for it.

In incidents where we are using Devo for analysis, our mean time to remediation for SIEM is lower. We're able to query faster, find the data that we need, and access it, then respond quicker. There is some ROI on query speed.

Devo saves us time. The turn-up time for the cloud is very quick with their SaaS infrastructure. Getting data in is relatively quick, whether it is leveraging relays, collectors or both. They are very modern in the sense that they are very friendly with GCP, AWS, Azure, etc., in terms of just needing plugin API keys, then it will start ingesting data and parsing it.

They have easy to configure Relays that can go on-prem and pretty much collect any type data that you can think of. I have always been very happy with that. It is a joy to partner and be able to work with this kind of system.

If you have acquired different data stores or SIEMs over time, especially if you are a large organization, you find yourself buying one of each. That is kind of wasteful, inefficient, and expensive. Because of the Devo’s scalability and low-cost, you can get the data from all those disparate environments into one place. Additionally, a lot of times in those environments, you have to filter out data so the systems don't get overwhelmed, thus you are partially blind on things you do not collect.  With Devo, their philosophy is you can go ahead and collect all the data. Devo’s ROI is saving on redundant licensing costs, storage/processing costs, collection costs, overhead of maintenance cost, but more importantly the ability to build a more holistic security program because you visibility to all your data for 400 days.  This helps any organization for detection and compliance reasons.

As is often the case with security solutions, it's hard to measure an ROI because we only need it once an incident occurs. The hope is that we get a return if an incident takes place. Devo is much better than we previously had, but it's also a lot more expensive, so it should be so.

We expect to see ROI from security intelligence and network layer security analysis. Probably the biggest thing will be turning off things that are talking out there that don't need to be talking. We found three of those types of things early in the process, things that were turned on that didn't need to be turned on. That's going to help us rationalize and modify our services to make sure that things are shut down and turned off the way they're supposed to be, and effectively hardened.

And the cost savings over Splunk is about 50 percent.

The solution has definitely decreased our MTTR. The faster you can get through data, the faster you can get to the actual root cause and remediation. Identifying a root cause, cuts time down in half by maybe 50 percent. As far as getting to remediation, I'd put it at about the same.

We have seen ROI. It's the fact of having a tool that you can build a repeatable process off of for your analysts. To be able to provide repeatable investigative capabilities is a big return on investment for us.

I have seen a return on investment, and without disclosing figures, I can put it in terms of capabilities. This product allows us to scale up the way we need to, without any additional costs, or there's already a fixed cost with that. This is key for us.

We can bring in any size of customer, from the smallest client to the largest company. Also, I have been able to bake in the pricing model to adjust to the margin that I need for a specific customer.

More than anything, we have seen ROI in the amount of time saved during investigations. From that perspective, it has paid for itself. 

Within the first quarter after we started using it, there were incidents that Devo was able to help us quickly assess and investigate. As a tool, it showed its value pretty quickly.

We've seen ROI, just from the time savings alone. I can't say we have recovered what we spent on it, but our staff is absolutely spending less time doing certain things, and getting more things done within the time they have, using the tool. 

Devo allows us to ingest more data compared to other solutions, using the same infrastructure. For example, compared to Splunk using the Capacity Planning Tool, Devo can ingest almost double the information in terms of events per second.

We have definitely saved time using Devo, but the greater visibility it gives us is really hard to quantify. Everybody's more effective, obviously. And the hardware costs are down compared to the other solution. Everybody feels it's a good value, especially in mitigating risk or attacks. With the greater visibility and the ability to aggregate and analyze data in a better way, we have better mitigation. We see the threats sooner or more in detail. We can do everything better.

The solution has decreased our mean time to remediation (MTTR) because of the immediate visibility, the prepackage dashboards, and the alerting that we built. With Devo, even if you didn't have any patch solution in place, you could just click in the platform and it could tell you when, where, and what endpoints were seen by Devo in the last year. Then, you can print a list of those computers and the IT people can just go to those to upgrade the patches. In a situation like WannaCry, as long as you know what you're looking for, the fix is immediate. For example, we have one customer who had a situation where they were waiting months for remediation. With Devo, it is immediate because it is available with a report.

The way that we charge our customers is not the same way we are charged by Devo. We need to keep it under control so it makes economical sense for us to sell our model based off of Devo. That's why we don't expand in an infinite way what we send to the Devo platform. We charge on an endpoint basis per license, subscription, or input annually. That's our business model. Devo charges based on ingestion and the time you store, which can be different one month to three months to a year. Therefore, it was difficult to build a model in the beginning that would work for us. That's why we limit the amount of ingestion that we do in the customers' platforms.

The ROI been great. The fact that we could launch it in a few months instead of a couple of years, that's a return on investment. Also, when you put all the costs together, it is less to have done it than with the open source approach.