An Endpoint Telemetry Blueprint for Security Teams
- Track: Security
- Room: UB5.132
- Day: Saturday
- Start: 12:30
- End: 12:55
Endpoints are where most security incidents begin. Compromises often start with phishing, software vulnerabilities, or misconfigurations on individual laptops and servers. Modern security teams need rich endpoint telemetry for detection, investigation, and response. Commercial products often act as black boxes that limit flexibility, collect data in proprietary ways, and create vendor lock-in.
This talk presents a practical blueprint for building a scalable endpoint telemetry and security pipeline using open technologies. At the foundation is osquery, a Linux Foundation project that turns every endpoint into a high-fidelity sensor. On top of this, we build four layers:
- a control layer for managing endpoints;
- an ingestion, streaming, and storage layer for moving and retaining data;
- a detection and intelligence layer for applying rules and enrichment;
- a correlation, visualization, and hunting layer for analysis and response.
We will walk through architectural patterns, real-world lessons, and tradeoffs. Attendees will learn how to assemble their own endpoint telemetry stack from collection to correlation without relying on closed products.
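As an added illustration of the detection and intelligence layer described above (example code, not material from the talk): a small Python consumer that reads osquery's differential result log, applies one rule (a newly added listening port outside the host's allowlist) and enriches each alert from an asset inventory. The log lines, the pack name, the inventory and the allowlist are all constructed for the example.

```python
import json

# Constructed osquery result-log lines in the differential ("event") format:
# one JSON object per line carrying name, hostIdentifier, unixTime, action and
# the row's columns. The pack/query name is hypothetical.
SAMPLE_LOG = """
{"name":"pack_network_listening_ports","hostIdentifier":"web-01","unixTime":1700000000,"action":"added","columns":{"pid":"412","port":"443","protocol":"6","address":"0.0.0.0","path":"/usr/sbin/nginx"}}
{"name":"pack_network_listening_ports","hostIdentifier":"web-01","unixTime":1700000060,"action":"added","columns":{"pid":"9912","port":"4444","protocol":"6","address":"0.0.0.0","path":"/opt/unknown/agent"}}
{"name":"pack_network_listening_ports","hostIdentifier":"db-01","unixTime":1700000120,"action":"removed","columns":{"pid":"300","port":"5432","protocol":"6","address":"127.0.0.1","path":"/usr/lib/postgresql/bin/postgres"}}
{"name":"pack_network_listening_ports","hostIdentifier":"lab-07","unixTime":1700000180,"action":"added","columns":{"pid":"77","port":"8080","protocol":"6","address":"0.0.0.0","path":"/usr/bin/python3"}}
"""

# Constructed asset inventory (enrichment) and per-host port allowlist
# (detection baseline); both are hypothetical values.
ASSETS = {"web-01": {"env": "prod", "owner": "web-team"},
          "db-01": {"env": "prod", "owner": "dba"}}
ALLOWED_PORTS = {"web-01": {"80", "443"}, "db-01": {"5432"}}

def parse_results(text):
    """Parse one JSON object per line; malformed lines are skipped, not fatal."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rows.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return rows

def detect_unexpected_listeners(rows):
    """Alert on newly 'added' listeners outside the host's allowlist, enriched
    with asset context. 'removed' rows never fire: a closed port is not a new exposure."""
    alerts = []
    for r in rows:
        if r.get("name") != "pack_network_listening_ports" or r.get("action") != "added":
            continue
        host = r.get("hostIdentifier", "unknown")
        cols = r.get("columns", {})
        if cols.get("port") in ALLOWED_PORTS.get(host, set()):
            continue
        asset = ASSETS.get(host, {"env": "unknown", "owner": "unknown"})  # unknown host still alerts
        alerts.append({
            "rule": "unexpected_listening_port", "host": host, "env": asset["env"], "owner": asset["owner"],
            "port": cols.get("port"), "path": cols.get("path"), "unixTime": r.get("unixTime"),
        })
    return alerts
```

In a real pipeline the same function would run over the stream delivered by the ingestion layer, with the inventory and allowlist loaded from the control layer rather than hard-coded.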
Speakers
- Victor Lyuboslavsky