Executive Summary
Splunk has 252 published CVEs. Elastic has 216. Wazuh has 28, including a critical remote code execution vulnerability rated 9.9. These are not theoretical risks: each is documented in the National Vulnerability Database, and the affected tools are deployed in critical infrastructure today.
Many of these vulnerabilities are memory safety issues: buffer overflows, heap corruption, use-after-free. These vulnerability classes have been documented for decades. They keep shipping because the languages most infrastructure software is written in, C and C++, do not prevent them.
Tell is a log collection and analytics engine written in Rust. In safe Rust, use-after-free and data races are rejected by the compiler before a binary is built, and out-of-bounds reads and writes are stopped by mandatory bounds checks, which turn a would-be buffer overflow into a controlled panic rather than memory corruption. This is not a testing process or a coding standard: it is a property of the language. It does not extend to logic flaws such as SSRF, injection or unsafe deserialization, and it stops at the boundary of any unsafe block or foreign library, which have to be reviewed separately.
CVE Reality Check
The tools currently deployed in OT environments have documented security vulnerabilities. These are not theoretical risks: they carry CVE numbers and are published in the National Vulnerability Database.
Published CVEs by Vendor (Source: OpenCVE, January 2026)
| Vendor | CVEs | Memory Safety Issues | Critical Examples |
|---|---|---|---|
| Splunk | 252 | Yes | RCE via XSLT, SSRF, privilege escalation |
| Elastic Stack | 216 | Yes | Buffer overflow in Filebeat syslog parser |
| Wazuh | 28 | Yes | Heap overflow, use-after-free, RCE (9.9) |
| Logpoint | 25 | Yes | SSRF (9.6 Critical), template injection RCE |
| Graylog | 17 | Some | Session leak (9.8), privilege escalation |
| syslog-ng | 9 | Yes | Integer overflow in RFC3164 parser |
| CrowdStrike | 5 | Yes | TLS validation flaw (8.1), race conditions |
| LogRhythm | 4 | Yes | Command injection (9.8 Critical) |
| Tell | 0 | None reported | Memory-safety classes ruled out by safe Rust; logic flaws are not |
Many of these CVEs are memory safety vulnerabilities: buffer overflows, heap corruption, use-after-free. These are the classes that safe Rust rules out. Wazuh CVE-2025-62786 is a heap-based out-of-bounds write that can lead to remote code execution. Elastic CVE-2025-68383 is a buffer overflow in the syslog parser. In Rust the equivalent code either fails to compile (use-after-free, data races) or hits a bounds check at runtime and panics instead of writing past the buffer, so an attacker gets at most a crash to report, not code execution. The remaining entries in the table (SSRF, XSLT and template injection, command injection, unsafe deserialization, TLS validation errors) are logic flaws that no language prevents; those have to be addressed by design, review and testing in Tell as in anything else.
The Security Problem
Log collectors occupy a privileged position in network architecture. They sit on perimeters, process untrusted input from external devices, and often bridge zone boundaries between equipment networks and IT infrastructure.
"70% of all Microsoft security vulnerabilities are memory safety issues."
Microsoft Security Response Center, 2019
Memory safety bugs (buffer overflows, use-after-free, data races, uninitialized memory) account for the majority of CVEs issued against infrastructure software each year; Dirty Pipe (CVE-2022-0847) came from an uninitialized struct field, and memory corruption was among the vectors used by Stuxnet. JVM-based collectors add a separate hazard: garbage collection pauses. During a traffic spike, UDP syslog datagrams that overflow the socket receive buffer while the collector is paused are silently dropped.
Compiler-Verified Security
Tell is written in Rust, a memory-safe systems language named in CISA and NSA memory-safety guidance for critical infrastructure software; the EU Cyber Resilience Act does not name languages, but its security-by-design requirement is what this choice is meant to satisfy. Rust's compiler enforces memory safety and thread safety as part of compilation.
Buffer overflows, use-after-free, double-free, data races, null pointer dereferences and uninitialized memory access: in safe Rust the first is caught by a runtime bounds check (a panic, not a silent overwrite), and the rest cannot compile, because the borrow checker, the Send and Sync traits, the absence of null references and mandatory initialization reject the code paths that would produce them. The guarantee does not cover unsafe blocks or linked C libraries.
[Diagram: buffer overflow in a syslog parser vs. Rust bounds-checked indexing]
Vulnerability Comparison by Language
| Vulnerability | C / C++ | JVM | Rust (Tell) |
|---|---|---|---|
| Buffer overflow | Possible | Runtime exception | Runtime bounds check; panic, no corruption |
| Use-after-free | Possible | Prevented by GC | Compile-time (borrow checker) |
| Data races | Possible | Possible | Compile-time (Send / Sync) |
| Null dereference | Possible | Runtime NullPointerException | Compile-time (no null references; Option) |
| GC pauses | N/A | Yes | N/A |
The Rust column describes safe Rust; unsafe blocks and C dependencies are outside these guarantees and need separate review.
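As an added example (not Tell's code) of what the Rust column means in practice, for the syslog parser case in the diagram above and the syslog CVEs cited in the CVE Reality Check: the RFC 3164 PRI field is parsed with bounds-checked slicing and checked integer arithmetic, so malformed input yields an error, and a second function shows that a C-style fixed-offset read into a short message ends in a panic, not an out-of-bounds read. The sample messages are constructed; nothing here comes from Tell's source.

```rust
// Added example, not Tell's code: parsing the RFC 3164 PRI field ("<34>")
// with nothing but bounds-checked operations, and showing what an
// out-of-bounds index does in Rust.

#[derive(Debug, PartialEq)]
pub struct Pri {
    pub facility: u8,
    pub severity: u8,
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    MissingPri,
    BadPri,
    PriOutOfRange(u16),
}

/// Parse "<PRI>" at the start of `msg` and return the PRI plus the bytes
/// after the closing '>'. Every access goes through `first`, `position`
/// or a slice whose bounds were just established, so a truncated or
/// oversized header cannot read past the buffer.
pub fn parse_pri(msg: &[u8]) -> Result<(Pri, &[u8]), ParseError> {
    // `first()` yields None on an empty message instead of reading msg[0].
    if msg.first() != Some(&b'<') {
        return Err(ParseError::MissingPri);
    }
    let body = &msg[1..]; // in bounds: len >= 1 was just checked
    let close = body
        .iter()
        .position(|&b| b == b'>')
        .ok_or(ParseError::BadPri)?; // "<34" with no '>' is rejected here
    let digits = &body[..close];
    // RFC 3164: PRI is 1 to 3 ASCII digits. Rejecting longer runs also
    // bounds the arithmetic below; checked_* is kept for defence in depth
    // (integer overflow in a PRI parser is the syslog-ng CVE class above).
    if digits.is_empty() || digits.len() > 3 || !digits.iter().all(u8::is_ascii_digit) {
        return Err(ParseError::BadPri);
    }
    let mut value: u16 = 0;
    for &d in digits {
        value = value
            .checked_mul(10)
            .and_then(|v| v.checked_add(u16::from(d - b'0')))
            .ok_or(ParseError::BadPri)?;
    }
    if value > 191 {
        // facility 0..=23, severity 0..=7, so the maximum is 23*8+7
        return Err(ParseError::PriOutOfRange(value));
    }
    let pri = Pri {
        facility: (value >> 3) as u8,
        severity: (value & 7) as u8,
    };
    Ok((pri, &body[close + 1..])) // close < body.len(), so this is in bounds
}

/// What a C-style `msg[16]` read does in Rust on a message shorter than 17
/// bytes: the bounds check fires and the thread panics. No adjacent memory
/// is read. Returns true when the read was stopped by the check.
pub fn c_style_read_is_contained(msg: &[u8]) -> bool {
    std::panic::catch_unwind(|| msg[16]).is_err()
}

fn main() {
    // Constructed sample lines, not captured traffic.
    for line in [
        &b"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick"[..],
        &b"<999>facility out of range"[..],
        &b"<34"[..],
    ] {
        println!("{:?} -> {:?}", String::from_utf8_lossy(line), parse_pri(line));
    }
}
```

The point of `c_style_read_is_contained` is the table row above: the overflow is stopped, but by a runtime check that aborts the thread, so a collector still has to treat malformed input as a denial-of-service risk and return errors from its parser rather than relying on the panic.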
Full-Path Integrity
When using the Rust SDK, Tell's safety guarantees extend across the entire data path, from instrumentation to storage.
[Diagram: Rust SDK (serialize, encode, enqueue) → Tell router (O(1) routing, fan-out) → sinks (disk / forward / both)]
Architecture
Data enters through sources, passes through a routing layer, and fans out to sinks. The entire pipeline operates on zero-copy buffers: data flows from network socket to storage without duplication.
[Diagram: sources (HTTP JSON/binary, syslog TCP/UDP) → routing layer (fan-out, workspace isolation) → sinks (ClickHouse, Arrow / Parquet, forwarder)]
Deployment
Tell is a single static binary; the OT collector is 2.8 MB. No JVM, no garbage collector, no Python interpreter, no Docker. Copy to host, point at config, run. No internet connectivity required. No license server. No telemetry.
Performance
Throughput by Source Type
| Source | Protocol | Throughput |
|---|---|---|
| TCP | FlatBuffers binary | 64M events/sec |
| HTTP | Binary | 24M events/sec |
| Syslog TCP | RFC 3164/5424 | 8.7M events/sec |
| HTTP | JSON | 2.1M events/sec |
Storage Options
- Disk binary: LZ4 compressed, 32 MiB buffer, hourly/daily rotation.
- Disk plaintext: human-readable, split by type.
- Parquet: Zstd/Snappy/LZ4 compression.
- Arrow IPC: query with DuckDB/Polars.
- ClickHouse: direct insert.
- Forwarder: retry, keepalive, source IP preservation.
Deployment Models
Equipment sends syslog or TCP data to Tell. The collector writes to local disk with hourly rotation and LZ4 compression. No internet, no outbound connections. Build with --features ot-collector to compile only TCP, syslog, and disk sink code.
The collector writes to disk as a compliance copy and simultaneously forwards upstream. Retry with configurable attempts, TCP keepalive, source IP preservation. Uses the same ot-collector build โ disk and forwarder sinks are both included. For relay-only nodes that don't need local retention, the ot-forwarder profile (2.5 MB, 170 crates) excludes disk storage entirely.
Each tenant authenticates with a dedicated API key mapping to an isolated workspace. Routing directs each workspace's data to tenant-specific storage paths.
[Diagram: HTTP source → per-workspace disk sinks]
Compliance Alignment
EU Cyber Resilience Act
| Requirement | Implementation |
|---|---|
| Security by design | Safe Rust eliminates memory safety and thread safety vulnerability classes at the language level |
| Supply chain transparency | CycloneDX SBOM generated per build |
| Vulnerability handling | cargo audit checks dependencies against the RustSec advisory database |
| Minimal functionality | OT profiles compile only required components: ot-collector (172 crates, 2.8 MB) and ot-forwarder (170 crates, 2.5 MB). Analytics, TUI, HTTP source, connectors excluded. |
IEC 62443
| Principle | Implementation |
|---|---|
| Zone/conduit architecture | Pipeline maps to zone boundaries; forwarder for conduits |
| Authentication | 16-byte API keys, O(1) lookup, constant-time comparison |
| Deterministic operation | No GC, no runtime; 84ns latency, zero-copy pipeline |
| Minimal functionality | Composable build profiles: OT collector (172 crates) excludes analytics, HTTP, TUI, connectors |
| Availability | Graceful shutdown, atomic file rotation, retry on failure |
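The multi-tenant model in Deployment Models, the Authentication row above (16-byte API keys, O(1) lookup, constant-time comparison) and the zero-copy fan-out from the Architecture section, as one added example that is not Tell's code and does not use Tell's key format: the hash-map lookup is keyed on a public key identifier, the 16-byte secret is compared in constant time, and an authenticated event is handed to every sink of its workspace as one shared Arc buffer. The 4-byte-id-plus-16-byte-secret wire format, the sink names and the in-memory sinks are assumptions made for the example; the keys and events are constructed.

```rust
// Added example, not Tell's code. Assumed wire format for the example only:
// an API key is 20 raw bytes, a 4-byte big-endian key id followed by a
// 16-byte secret. Tell's real key format is not described on this page.
use std::collections::HashMap;
use std::sync::Arc;

/// Constant-time equality for two 16-byte secrets. The loop always touches
/// all 16 bytes, and `black_box` stops the optimiser from turning it back
/// into an early-exit memcmp, so timing does not reveal how many leading
/// bytes matched.
pub fn ct_eq16(a: &[u8; 16], b: &[u8; 16]) -> bool {
    let mut diff: u8 = 0;
    for i in 0..16 {
        diff |= std::hint::black_box(a[i] ^ b[i]);
    }
    diff == 0
}

pub struct Tenant {
    pub workspace: String,
    pub secret: [u8; 16],
}

/// Key id -> tenant. The O(1) lookup is on the public id, never on the
/// secret, so map probing cost carries no information about the secret.
pub struct Authenticator {
    pub by_id: HashMap<u32, Tenant>,
}

impl Authenticator {
    /// Returns the workspace name for a valid key, None otherwise.
    pub fn authenticate(&self, presented: &[u8]) -> Option<&str> {
        if presented.len() != 20 {
            return None;
        }
        let id = u32::from_be_bytes(presented[..4].try_into().ok()?);
        let secret: &[u8; 16] = presented[4..].try_into().ok()?;
        let tenant = self.by_id.get(&id)?;
        ct_eq16(&tenant.secret, secret).then(|| tenant.workspace.as_str())
    }
}

/// Workspace -> sink names, plus an in-memory record of what each sink got.
/// Sinks hold `Arc<[u8]>`, so N sinks share one event buffer instead of
/// each owning a copy (the zero-copy fan-out).
#[derive(Default)]
pub struct Router {
    pub routes: HashMap<String, Vec<String>>,
    pub delivered: HashMap<String, Vec<Arc<[u8]>>>,
}

impl Router {
    /// Fan the event out to every sink of `workspace`; returns the sink count.
    pub fn route(&mut self, workspace: &str, event: Arc<[u8]>) -> usize {
        let Some(sinks) = self.routes.get(workspace) else { return 0 };
        for sink in sinks {
            self.delivered.entry(sink.clone()).or_default().push(Arc::clone(&event));
        }
        sinks.len()
    }
}

/// Authenticate, then route. Unauthenticated input never reaches a sink.
pub fn ingest(
    auth: &Authenticator,
    router: &mut Router,
    api_key: &[u8],
    payload: &[u8],
) -> Result<usize, &'static str> {
    let workspace = auth.authenticate(api_key).ok_or("unauthorized")?;
    let event: Arc<[u8]> = Arc::from(payload); // the single allocation for the whole fan-out
    Ok(router.route(workspace, event))
}

/// Constructed tenants and routes for the example.
pub fn demo_fixture() -> (Authenticator, Router) {
    let mut by_id = HashMap::new();
    by_id.insert(1, Tenant { workspace: "acme".into(), secret: [0x11; 16] });
    by_id.insert(2, Tenant { workspace: "globex".into(), secret: [0x22; 16] });
    let mut router = Router::default();
    router.routes.insert("acme".into(), vec!["disk:acme".into(), "forward:acme".into()]);
    router.routes.insert("globex".into(), vec!["disk:globex".into()]);
    (Authenticator { by_id }, router)
}

/// Build a 20-byte key in the assumed format.
pub fn make_key(id: u32, secret: [u8; 16]) -> Vec<u8> {
    let mut key = id.to_be_bytes().to_vec();
    key.extend_from_slice(&secret);
    key
}

fn main() {
    let (auth, mut router) = demo_fixture();
    println!("{:?}", ingest(&auth, &mut router, &make_key(1, [0x11; 16]), b"<34>ok"));
    println!("{:?}", ingest(&auth, &mut router, &make_key(1, [0x12; 16]), b"<34>bad secret"));
}
```

Two design points worth checking in any collector: the map lookup must be on a non-secret identifier (a lookup keyed on the secret itself leaks nothing in theory but makes the comparison path depend on hashing behaviour), and a wrong-length key must be rejected before any comparison so that length is never inferred from timing either.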
NIS2 Directive
| Requirement | Implementation |
|---|---|
| Log retention | Disk sinks with configurable rotation and compression |
| Access controls | API key authentication, workspace isolation, RBAC |
| Supply chain security | Per-build SBOM, dependency CVE monitoring |
Why Existing Solutions Don't Fit OT
Beyond CVE counts, the architecture of existing solutions creates operational and security challenges in OT environments.
Elastic Stack
- Buffer overflow in Filebeat syslog parser (CVE-2025-68383)
- Buffer overflows in Packetbeat protocol parsers
- Java-based; GC pauses can drop UDP input during spikes
- Complex multi-component architecture
Splunk
- Remote code execution via XSLT (CVE-2023-46214)
- SSRF allowing unauthorized API calls
- Enterprise pricing, cloud dependency
- Heavy operational burden
Wazuh
- Critical RCE via unsafe deserialization in the Python server API (CVE-2025-24016, 9.9); a logic flaw, not a memory safety bug
- Heap buffer overflow, use-after-free vulnerabilities
- Buffer over-read in message parsing
- Agent and manager written in C, the source of the memory safety issues above
CrowdStrike
- TLS validation flaw enabling MITM (CVE-2025-1146, 8.1)
- Race conditions in Falcon sensor
- Requires bidirectional cloud connectivity
- The upstream connection expands the attack surface
Some deployments forward logs to cloud-based platforms like CrowdStrike. This introduces bidirectional network connectivity to OT environments, expanding the attack surface. CrowdStrike's own TLS validation vulnerability (CVE-2025-1146) shows that even security vendors have implementation flaws, and it is a logic flaw rather than a memory safety bug, the kind that language choice does not prevent. Tell's architecture supports air-gapped operation with optional one-way forwarding, minimizing exposure.
Feature Comparison
| Capability | Tell | Elastic | Splunk | Wazuh |
|---|---|---|---|---|
| Published CVEs | 0 | 216 | 252 | 28 |
| Implementation language | Rust | Java (Beats in Go) | C++/Python | C (server API in Python) |
| Single binary | Yes | No | No | No |
| No GC pauses | Yes | No (JVM) | Partial (C++ core, Python components) | Agent and manager in C; indexer is JVM-based |
| Air-gap capable | Yes | Limited | Limited | Yes |
| Workspace isolation | Yes | Not stated | Not stated | Not stated |
| SBOM per build | Yes | Not stated | Not stated | Not stated |
CVE data from OpenCVE, January 2026. Tell CVE count reflects vulnerabilities in production releases. A count of zero also reflects a far smaller install base and a shorter period of public scrutiny than the other products, and raw CVE counts are not comparable across vendors with different product breadth and disclosure programmes; the language argument above, not the count, is the substantive claim.
Pricing
Revenue-based. All features included. No per-seat fees.
Government, education, non-profit: Contact for special terms.
Next Steps
Pilot requirements: Linux host, network access to sources, 30 minutes setup.
Built by the founder of Logpoint, the European SIEM platform (acquired). 15+ years in security information management. Tell applies that experience to operational technology: air-gapped networks, compliance requirements, and secure-by-design infrastructure.
CVE data independently verifiable at app.opencve.io. Data retrieved January 2026.