This section explains the internal architecture of VAST, a telemetry engine for security investigations. By telemetry, we mean immutable descriptions of activity, represented in the form of an event (e.g., a log line, an IDS alert, a NetFlow record, or a network packet). By engine, we mean a scalable database system that acts as foundation for data-driven security analytics.

To make the use case of interactive investigations more concrete, we outline the design goals to motivate the scope of the system. Thereafter we take a deeper look at the different system components that make up VAST, such as the archive and index.