Data Plane

We own every byte.

Sandworm runs Vespa, ClickHouse, Postgres, TimescaleDB, NATS, and Redis in every region. Splunk's index leans on S3. Sentinel's analytics lean on Azure Data Explorer. Nobody else owns their stack the way we do.

Architecture at a glance

Every product writes into the same per-region cluster. Every query reads from the same per-region cluster. Move 11 federates the read path across every store.

[Ingest] → NATS → [Truthsayer · Sandworm SASE · CloudGuard · Sandworm EDR · Sandworm SIEM · Stillsuit · ...]
                            ↓
                    Per-region cluster (us-east, eu-west, ...):
                    ┌─────────────────────────────────────────┐
                    │  Vespa (search)      ClickHouse (UEBA)  │
                    │  Postgres (auth)     TimescaleDB (logs) │
                    │  Redis (cache)       NATS (events)      │
                    └─────────────────────────────────────────┘
                            ↓
                    Move 11 Federated Search — sub-second
                    parallel queries across every store, in
                    every region, returning a unified result.

1. The data plane is the moat

Most security platforms lease their data plane. Splunk's index runs on S3. Sentinel's analytics runs on Azure Data Explorer. Chronicle runs on BigQuery. The vendor brands the dashboard; somebody else owns the bytes.

Sandworm runs its own data plane end to end. Six data-plane engines: Vespa (search), ClickHouse (UEBA and analytics), Postgres (auth and control-plane state), TimescaleDB (long-horizon log retention), NATS (events), and Redis (cache). All six are deployed inside each Sandworm region and operated by the Sandworm team. There is no upstream tenancy boundary, no third-party retrieval API, and no proprietary query language we pay per call to execute.

Owning the data plane is not aesthetic. It is the only way to control four properties customers actually feel: query latency, residency boundaries, retention pricing, and the federation roundtrip that crosses products. Lease the indexer and all four become someone else's decision. Sandworm keeps them ours, and that is the moat.

2. Sub-second cross-product queries

An investigation that asks 'show me everything I know about this user in the last 24 hours' has to read from Vespa (the document index), ClickHouse (the UEBA baselines and z-scores), Postgres (the auth-service identity record), and TimescaleDB (the raw log timeline). On a leased data plane each of these stores is a separate tenant of a separate vendor's cluster, with separate auth, separate quotas, and separate per-call billing.

Move 11 Federated Search fans the query out across all four stores in parallel inside a single region, then merges the results into one answer in under a second. This works because we own all four: there is no cross-cloud serialization tax, no S3-prefix scan, no proprietary-query-language fee, and no per-call retrieval cost that forces us to ration which fields we return.
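The fan-out pattern described above, as an added example written for this page rather than Sandworm's Move 11 code. Four constructed stub backends stand in for Vespa, ClickHouse, Postgres and TimescaleDB; each sleeps for an assumed latency and returns canned hits. The point it shows beyond the prose is what a federated read has to do when one store misses the latency budget: return the merged partial result and say which store is missing, rather than block or silently drop it.

```go
package main

import (
	"context"
	"fmt"
	"sort"
	"sync"
	"time"
)

// Hit is one record returned by a store, normalised to a common shape.
type Hit struct {
	Store string
	TS    time.Time
	Body  string
}

// Store is the minimal interface each backend would expose to the federation layer.
type Store interface {
	Name() string
	Query(ctx context.Context, subject string, since time.Time) ([]Hit, error)
}

// stubStore is a constructed stand-in (not a real client): it sleeps for
// `latency` to simulate a backend round-trip, then returns its canned hits.
type stubStore struct {
	name    string
	latency time.Duration
	hits    []Hit
}

func (s stubStore) Name() string { return s.name }

func (s stubStore) Query(ctx context.Context, subject string, since time.Time) ([]Hit, error) {
	select {
	case <-time.After(s.latency):
		out := make([]Hit, 0, len(s.hits))
		for _, h := range s.hits {
			if !h.TS.Before(since) { // apply the time window the caller asked for
				out = append(out, h)
			}
		}
		return out, nil
	case <-ctx.Done(): // deadline hit before this store answered
		return nil, ctx.Err()
	}
}

// Result is the unified answer: merged hits plus a per-store status so the
// operator can see which backend, if any, missed the deadline.
type Result struct {
	Hits   []Hit
	Status map[string]string // "ok" or the error text
}

// Federate sends one query to every store in parallel, waits at most `budget`,
// and merges whatever came back, newest first. A store that misses the budget
// is reported in Status, not silently dropped.
func Federate(stores []Store, subject string, since time.Time, budget time.Duration) Result {
	ctx, cancel := context.WithTimeout(context.Background(), budget)
	defer cancel()

	type reply struct {
		name string
		hits []Hit
		err  error
	}
	replies := make(chan reply, len(stores))
	var wg sync.WaitGroup
	for _, st := range stores {
		wg.Add(1)
		go func(st Store) {
			defer wg.Done()
			hits, err := st.Query(ctx, subject, since)
			replies <- reply{name: st.Name(), hits: hits, err: err}
		}(st)
	}
	wg.Wait()
	close(replies)

	res := Result{Status: make(map[string]string)}
	for r := range replies {
		if r.err != nil {
			res.Status[r.name] = r.err.Error()
			continue
		}
		res.Status[r.name] = "ok"
		res.Hits = append(res.Hits, r.hits...)
	}
	sort.Slice(res.Hits, func(i, j int) bool { return res.Hits[i].TS.After(res.Hits[j].TS) })
	return res
}

// DemoStores builds four constructed backends. The Postgres hit is older than
// 24h and the TimescaleDB stub is deliberately slower than the budget used in main.
func DemoStores(base time.Time) []Store {
	return []Store{
		stubStore{name: "vespa", latency: 20 * time.Millisecond, hits: []Hit{{Store: "vespa", TS: base.Add(-2 * time.Hour), Body: "doc: login from new ASN"}}},
		stubStore{name: "clickhouse", latency: 30 * time.Millisecond, hits: []Hit{{Store: "clickhouse", TS: base.Add(-1 * time.Hour), Body: "ueba: z=4.1 on bytes_out"}}},
		stubStore{name: "postgres", latency: 10 * time.Millisecond, hits: []Hit{{Store: "postgres", TS: base.Add(-30 * time.Hour), Body: "identity: role=admin"}}},
		stubStore{name: "timescaledb", latency: 400 * time.Millisecond, hits: []Hit{{Store: "timescaledb", TS: base.Add(-10 * time.Minute), Body: "log: sudo su -"}}},
	}
}

func main() {
	now := time.Now()
	res := Federate(DemoStores(now), "alice", now.Add(-24*time.Hour), 200*time.Millisecond)
	for name, st := range res.Status {
		fmt.Printf("%-12s %s\n", name, st)
	}
	for _, h := range res.Hits {
		fmt.Printf("%s  %-11s %s\n", h.TS.Format(time.RFC3339), h.Store, h.Body)
	}
}
```

With a 200 ms budget the slow TimescaleDB stub is reported as "context deadline exceeded" while the Vespa and ClickHouse hits still come back merged; with a generous budget all four report "ok". The per-store status is the part worth copying: an investigator needs to know the timeline is incomplete, not just that the query returned.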

The competitor who leases the indexer can match the user interface. They cannot match the latency profile. Sub-second cross-product fan-out is a structural property of owning the bytes.

3. Flat-rate pricing means full coverage

Splunk charges by ingest volume. Sentinel charges by GB-ingested-per-day. Chronicle bills against retention tiers. The result, in every customer environment that has been honest about it, is the same: logs get rationed. Some sources never get onboarded. Some fields get dropped at the agent. Some retention windows get shortened until they're useless for forensics.

Rationed logs degrade everything downstream. The detection engine sees less than the attacker. The UEBA baselines train on a subset. The AI triage analyst (Move 9) cites only the evidence that was kept. There is no model improvement that compensates for the data you never indexed.

Sandworm's Sovereign tier is flat-rate by design. Full-fidelity ingest, full retention, full coverage. The reason we can quote a flat rate is that we own the data plane and we know its unit economics directly — we are not reselling someone else's storage at a markup. Flat-rate pricing is what lets a customer onboard every source from day one. Full coverage is what makes the AI useful.

4. Real data residency

Data residency is usually a contractual claim. The customer signs an addendum; the vendor's actual storage topology stays the same. Audit at your own risk.

In Sandworm, residency is enforced at the data-plane layer. Move 5 ships a multi-region control plane (us-east plus eu-west today, architected for N regions) in which each tenant is pinned to one region and that region's storage cluster holds the tenant's bytes. Tenant data is never replicated across regions unless the tenant has explicitly opted into federation, and even then what leaves the region through Move 6 federated threat intelligence is covered by a differential-privacy guarantee (epsilon=3.0), with the implementation of that mechanism checked by 18 statistical correctness tests.
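An added example of what a statistical correctness test for the epsilon=3.0 guarantee above looks like; this is illustration written for this page, not Move 6 code, and it assumes the Laplace mechanism on a count query with sensitivity 1 (the page does not say which mechanism Sandworm uses). Two checks matter in practice: the privacy-loss bound ln(p(x|c1)/p(x|c2)) must never exceed epsilon for adjacent inputs, and the sampled noise must actually have the Laplace mean and variance, since a biased sampler breaks the proof while leaving the numbers looking plausible.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// Epsilon is the privacy budget stated for federated submissions.
const Epsilon = 3.0

// LaplaceMechanism adds Laplace(0, sensitivity/epsilon) noise to a count.
// Assumed mechanism for illustration, not Sandworm's actual implementation.
type LaplaceMechanism struct {
	Epsilon     float64
	Sensitivity float64 // 1 for a count: one record changes the answer by at most 1
	rng         *rand.Rand
}

func NewLaplaceMechanism(eps, sens float64, seed int64) *LaplaceMechanism {
	return &LaplaceMechanism{Epsilon: eps, Sensitivity: sens, rng: rand.New(rand.NewSource(seed))}
}

// Scale is the Laplace scale b = sensitivity / epsilon.
func (m *LaplaceMechanism) Scale() float64 { return m.Sensitivity / m.Epsilon }

// sampleLaplace draws from Laplace(0, b) by inverse CDF on a uniform variate.
func (m *LaplaceMechanism) sampleLaplace() float64 {
	b := m.Scale()
	u := m.rng.Float64() - 0.5 // uniform in [-0.5, 0.5)
	for u == -0.5 {            // avoid log(0) on the one unlucky draw
		u = m.rng.Float64() - 0.5
	}
	if u < 0 {
		return b * math.Log(1+2*u)
	}
	return -b * math.Log(1-2*u)
}

// Release returns the noisy count a tenant would actually submit.
func (m *LaplaceMechanism) Release(trueCount float64) float64 {
	return trueCount + m.sampleLaplace()
}

// LaplacePDF is the density of Laplace(mu, b) at x.
func LaplacePDF(x, mu, b float64) float64 {
	return math.Exp(-math.Abs(x-mu)/b) / (2 * b)
}

// MaxPrivacyLoss evaluates |ln(p(x|c1) / p(x|c2))| over a grid of outputs and
// returns the largest value seen. For adjacent inputs (|c1-c2| <= sensitivity)
// the Laplace mechanism guarantees this never exceeds epsilon.
func (m *LaplaceMechanism) MaxPrivacyLoss(c1, c2 float64) float64 {
	b := m.Scale()
	worst := 0.0
	for x := math.Min(c1, c2) - 10*b; x <= math.Max(c1, c2)+10*b; x += b / 100 {
		loss := math.Abs(math.Log(LaplacePDF(x, c1, b) / LaplacePDF(x, c2, b)))
		if loss > worst {
			worst = loss
		}
	}
	return worst
}

// NoiseStats is the sampler check: empirical mean and variance of the noise
// over n draws, which must approach 0 and 2*b*b respectively.
func (m *LaplaceMechanism) NoiseStats(n int) (mean, variance float64) {
	sum, sumSq := 0.0, 0.0
	for i := 0; i < n; i++ {
		x := m.sampleLaplace()
		sum += x
		sumSq += x * x
	}
	mean = sum / float64(n)
	variance = sumSq/float64(n) - mean*mean
	return mean, variance
}

func main() {
	m := NewLaplaceMechanism(Epsilon, 1, 42)
	fmt.Printf("noisy count for true value 1842: %.2f\n", m.Release(1842))
	fmt.Printf("max loss, adjacent inputs:     %.4f (bound %.1f)\n", m.MaxPrivacyLoss(100, 101), Epsilon)
	fmt.Printf("max loss, inputs 3 apart:      %.4f (not covered by the bound)\n", m.MaxPrivacyLoss(100, 103))
	mean, variance := m.NoiseStats(200000)
	b := m.Scale()
	fmt.Printf("noise mean %.4f (want 0), variance %.4f (want %.4f)\n", mean, variance, 2*b*b)
}
```

The second MaxPrivacyLoss call is the negative control: inputs three apart are not adjacent, the loss climbs to three times epsilon, and a test suite that only ever checks adjacent pairs would never notice a sensitivity value that was set too low.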

Sovereign tenants get the federal industry profile auto-selected (Move 18). FedRAMP, GDPR, and Schrems II are structural constraints inside the platform, not paragraphs in a contract. The customer's compliance team can verify the topology (what crosses a region boundary and what does not) by reading the cluster manifests rather than trusting a vendor narrative.

5. No vendor lock-in

Owning the data plane could be used to trap customers. We chose the opposite. Every record Sandworm writes is in OCSF, the Open Cybersecurity Schema Framework. Records are normalized inside the sandworm-ocsf package and exported verbatim. A customer who leaves takes their full dataset with them, in a format any other SIEM understands.

Beyond export, customers verify what they got. The Move 20 public trust portal exposes every monthly attestation — triage decisions, response actions, federation submissions — signed with Ed25519 and verifiable against a published key. Move 21 ships a sandworm CLI that fetches and re-verifies any attestation in one command. The customer leaves with the data plus a cryptographic record of what the platform did with it.
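An added example of the sign-and-re-verify step the portal and CLI above perform, using Go's standard-library Ed25519. This is illustration for this page, not the Move 20 or Move 21 code: the attestation fields, the JSON envelope, the hex signature encoding and the "sandworm-attestation-v1" context prefix are all assumptions. The detail worth seeing is that the signature covers a canonical encoding of the record, so a verifier re-deriving the bytes itself will reject a record whose counters were changed after signing, and a malformed signature is surfaced as an error rather than a quiet false.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// domain is an assumed signing-context prefix so a signature over an
// attestation cannot be replayed as a signature over some other message type
// produced with the same portal key.
const domain = "sandworm-attestation-v1\x00"

// Attestation is an assumed shape for one monthly record; the real portal
// schema is not given on the page.
type Attestation struct {
	Tenant                string `json:"tenant"`
	Period                string `json:"period"`
	TriageDecisions       int    `json:"triage_decisions"`
	ResponseActions       int    `json:"response_actions"`
	FederationSubmissions int    `json:"federation_submissions"`
}

// SignedAttestation is what the portal would publish and the CLI would fetch.
type SignedAttestation struct {
	Attestation Attestation `json:"attestation"`
	Signature   string      `json:"signature"` // hex-encoded 64-byte Ed25519 signature
}

// canonical produces the exact bytes that get signed: the record re-encoded
// through a map so keys come out sorted and whitespace is fixed, with the
// domain prefix in front. Signing a canonical form means the verifier does not
// depend on the byte-for-byte output the portal happened to emit.
func canonical(a Attestation) ([]byte, error) {
	raw, err := json.Marshal(a)
	if err != nil {
		return nil, err
	}
	var m map[string]any
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	body, err := json.Marshal(m) // encoding/json emits map keys in sorted order
	if err != nil {
		return nil, err
	}
	return append([]byte(domain), body...), nil
}

// Sign is the portal side: sign the canonical bytes with the portal's private key.
func Sign(priv ed25519.PrivateKey, a Attestation) (SignedAttestation, error) {
	msg, err := canonical(a)
	if err != nil {
		return SignedAttestation{}, err
	}
	return SignedAttestation{Attestation: a, Signature: hex.EncodeToString(ed25519.Sign(priv, msg))}, nil
}

// Verify is the CLI side: rebuild the canonical bytes from the fetched record
// and check the signature against the published public key.
func Verify(pub ed25519.PublicKey, s SignedAttestation) (bool, error) {
	if len(pub) != ed25519.PublicKeySize {
		return false, errors.New("public key has wrong length")
	}
	sig, err := hex.DecodeString(s.Signature)
	if err != nil {
		return false, err
	}
	if len(sig) != ed25519.SignatureSize {
		return false, fmt.Errorf("signature is %d bytes, want %d", len(sig), ed25519.SignatureSize)
	}
	msg, err := canonical(s.Attestation)
	if err != nil {
		return false, err
	}
	return ed25519.Verify(pub, msg, sig), nil
}

// Demo signs a constructed attestation, verifies it, then edits one counter
// and verifies again. Returns (genuineOK, tamperedOK, err).
func Demo() (bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	a := Attestation{Tenant: "acme", Period: "2026-03", TriageDecisions: 1842, ResponseActions: 37, FederationSubmissions: 12}
	signed, err := Sign(priv, a)
	if err != nil {
		return false, false, err
	}
	genuine, err := Verify(pub, signed)
	if err != nil {
		return false, false, err
	}
	tampered := signed
	tampered.Attestation.ResponseActions = 36 // one response action quietly removed
	forged, err := Verify(pub, tampered)
	if err != nil {
		return false, false, err
	}
	return genuine, forged, nil
}

func main() {
	genuine, forged, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine record verifies: %v\ntampered record verifies: %v\n", genuine, forged)
}
```

In a real deployment the public key comes from a pinned, out-of-band source (the published key the page mentions), never from the same fetch that delivers the attestation; otherwise an attacker who can alter the record can supply a matching key as well.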

No multi-year contracts. No exit fees. No proprietary query language to unlearn. The combination — open output format, signed attestations, full data export — is the only honest version of 'no lock-in' the security industry has shipped. Owning the data plane is what makes it possible.

How Sandworm stacks up

Seven data-plane properties. Five competitors. Honest assessment, row by row.

Property                           Sandworm  Splunk   Sentinel  CrowdStrike  Elastic  Datadog
Owns the indexer                   Yes       No       No        Partial      Partial  No
Owns query latency profile         Yes       No       No        No           Partial  No
Flat-rate pricing available        Yes       No       No        No           Partial  No
Real multi-region data residency   Yes       Partial  Partial   Partial      Partial  Partial
Open output format (OCSF)          Yes       Partial  No        No           Partial  No
Public verifiable attestations     Yes       No       No        No           No       No
Customer can export full dataset   Yes       Partial  No        No           Yes      No

“Partial” means the competitor offers a constrained or premium-tier version of the property; “No” means it is structurally unavailable on their architecture as of 2026.

Watch the latency numbers live.

Once you are onboarded, the operator dashboard shows real-time p50 latencies for Vespa, ClickHouse, Postgres, and the federation roundtrip — directly from the cluster your data lives on.