Through developer-friendly tools and code-first detection engineering, Temporal scaled their security program from scratch without traditional SIEM constraints.
“Data collection isn't the goal, detection is. Pipelines let us enrich what we need and cut what we don't, so we're not buried under terabytes of irrelevant logs.”
Temporal is a cloud SaaS provider specializing in durable execution, offering nearly bulletproof code execution for distributed systems. With nearly 400 employees and customers who demand the highest levels of privacy and reliability, the company needed an enterprise-grade security program that could match their technical sophistication.
When Dave Green joined Temporal as their Threat Detection and Response Lead, he faced a daunting task: Build a comprehensive security program from absolute scratch. "We didn't have anything," Dave explains. "No SIEM, no EDR anywhere."
The existing security posture was minimal; CloudTrail logs sat in S3 buckets, and when anyone needed to investigate something, the team relied on ad hoc queries in Athena. With no data schemas or common frameworks, Dave knew they needed a more systematic approach to security monitoring.
Temporal's privacy-sensitive and reliability-focused customers also expected a mature security program that could demonstrate real capabilities and scale with the organization.
As Dave evaluated traditional SIEM solutions, he quickly discovered why building from scratch seemed so appealing to many companies. The economics and technical inflexibility of a traditional SIEM simply didn't work for a growing company like Temporal.
"If you had a Splunk, it was going to be extremely expensive to begin ingesting logs at the rate we were generating them," he explains.
The vendor lock-in problem was equally concerning. Most traditional SIEM providers use proprietary indexing and backend technologies that make migration nearly impossible once you've committed. "When you pick a SIEM provider because of the way they handle their indexing and the backend technology, that's kind of who you're locked into," Dave says.
Adding to the complexity, Temporal's unique cloud architecture presented additional challenges. The company uses just-in-time provisioning across its cloud infrastructure services, ensuring permanent credentials like IAM users and their associated long-lived access keys don't exist. Issuing credentials from a centralized location makes this simple to implement; however, constant cycles of provisioning and de-provisioning make detections more difficult because human user principals are constantly changing.
This architecture means that most out-of-the-box detection rules simply don't apply to Temporal's environment, requiring extensive customization that traditional SIEMs don't handle well.
When Dave discovered RunReveal, he immediately recognized several key advantages that aligned with Temporal's philosophy and technical needs.
First was the compelling cost structure. "[RunReveal supports] really low insertion cost, as compared to competitors," Dave notes. "Most of [RunReveal's] competitors charge you based on the amount of data you send them," making it expensive to achieve the comprehensive visibility that Temporal needed.
Perhaps most importantly, RunReveal's approach to data flexibility meant that Temporal wouldn't need to rebuild their architecture to fit a vendor's expectations. "The ability to just take data from me in any format that I want" was crucial for a company with such a unique cloud posture.
Implementing RunReveal paid dividends immediately. RunReveal provides default schemas and transforms out of the box, crucially allowing pipelining without penalties. "I have the option to transform and add to that right out of the box, as opposed to me having to do pipelining work and transforms on my own beforehand." This stands in stark contrast to traditional SIEMs, where non-standard data transformation can be challenging, manual, and less searchable.
The developer-friendly approach also proved valuable for team building. By using standard SQL instead of proprietary query languages, Dave helped build a team that required broad technical skills rather than expensive SIEM certifications.
One of the most unexpected benefits has been RunReveal's impact beyond the security team. The centralized logging infrastructure now serves multiple purposes across the organization.
"Sometimes we get asked to assist in incidents that come from infrastructure teams," Dave explains. "Being able to provide access to the CloudTrail or equivalent GCP logs in a way that they can query or help assist in solving whatever their problems are is super useful."
This cross-team value has created cultural changes as well. "It's really nice when people come and ask us about infrastructure changes," Dave notes. "It's a lot more visible that people are watching," which has encouraged more proactive security thinking across engineering teams.
As Temporal has grown, RunReveal has evolved alongside them. "Right now, [RunReveal] is shipping more features than we have the people to operationalize," Dave says, calling it a good problem for his team to have. The regular bug fixes and feature releases demonstrate RunReveal's commitment to continuous improvement.
Recent additions like the open API specification and CLI tools have made integration even easier. "It's much more developer friendly now so that I can get things in front of people faster," Dave notes.
Temporal's security team has ambitious plans for leveraging their RunReveal foundation. They're exploring machine learning-based detections, deeper integration with Temporal's own workflow orchestration platform, and expanding their custom detection library.
"We really want to get a much larger corpus of custom detections out," Dave explains. "High fidelity, low noise rules" that take advantage of their comprehensive data collection.
Ultimately, for companies looking to build serious security programs without the traditional constraints of vendor lock-in and prohibitive costs, Temporal's journey demonstrates how the right partnership can transform security from a compliance checkbox into a strategic advantage.