H33 vs SIEM Evidence
SIEM aggregates logs for security operations. H33 produces verifiable evidence bundles for audit, regulatory, and legal verification.
Security Information and Event Management platforms — Splunk, Microsoft Sentinel, Datadog, IBM QRadar, Elastic Security, Chronicle — aggregate logs from across an enterprise to support detection, investigation, and response. SIEMs are essential for security operations. H33 produces a different artifact: cryptographically signed evidence bundles for specific decisions, events, or claims that need to be verifiable by third parties who do not trust the entity's internal systems.
What SIEM solves
A SIEM aggregates log data from across the enterprise: endpoints, network devices, identity providers, cloud platforms, applications, security tools. The aggregated log stream supports detection (correlate events across sources), investigation (reconstruct what happened when alerts fire), response (trigger automated actions), reporting (produce security operations dashboards), and limited compliance evidence. Modern SIEMs handle petabytes of log data, run sophisticated correlation rules, integrate with SOAR platforms, and serve dozens to thousands of analysts. For security operations, the SIEM is the central nervous system.
What SIEM does not solve
A SIEM is built for security operations, not for external evidence verification. SIEM-stored logs face the same problems as any other log. The log is mutable: anyone with administrative access to the SIEM can edit or delete entries. Retention locks and write-once storage raise the bar for an insider, but they are controls the operator configures, so an outside party still has to take the operator's word that they were in place. The log is vendor-coupled: events live in the product's index format and are read through its own query language and APIs, so a third party needs the product, or an export from it, to interpret them. The log requires trust: a regulator reading a SIEM export must take it on faith that the SIEM has not been tampered with. Entries are not cryptographically signed by default, and they carry no binding to the policy, authority, or model under which a decision was made; logs record events, not the decision context that H33 EC objects capture. The log does not survive a vendor change intact, and its timestamps are self-reported by the source and the SIEM, with nothing outside the enterprise attesting when an entry existed. For internal security operations these limitations are acceptable. For external evidence verification they are not.
What H33 produces
H33 produces evidence bundles for specific decisions, events, or claims that require external verification. Each bundle is canonical JSON, contains the eight evidence control (EC) objects, is signed with three independent post-quantum algorithm families, can optionally be anchored to a public blockchain for time binding, is verifiable by any third party using the open-source verifier, and stays under customer control. The bundle is not an aggregated log stream; it is a per-event evidence artifact.
The layering
Most enterprises with serious security operations and serious external evidence requirements need both. SIEM handles the operational detect-investigate-respond loop. Petabytes of logs flow in; correlation rules fire alerts; analysts investigate; response actions execute. The SIEM is for internal security teams. H33 evidence handles per-event verification for external audiences. For specific events that need to be verifiable by regulators, auditors, courts, insurers, or other external parties, H33 produces bundles. The bundles do not live in the SIEM; they are stored as portable artifacts for external use, though a copy can be ingested for correlation. The integration pattern: the SIEM observes the event and triggers a workflow; the workflow gathers the EC object inputs and generates an H33 bundle; the bundle is signed, optionally anchored, and stored separately from the SIEM.
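The integration pattern above, as an added example written for this page rather than H33's own code or schema: a Go program that takes a constructed SIEM alert, binds it to a constructed decision context, canonicalizes the JSON, signs it once, and then runs the independent verification an outside party would perform, rejecting an edited copy. Everything in it is an assumption for illustration: the alert and decision fields, the bundle field names, the key identifier, and Ed25519 standing in for the three post-quantum signature families the page describes (Ed25519 is used only because it ships in Go's standard library).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// SIEMAlert is a constructed stand-in for the alert a SIEM or SOAR playbook hands to the workflow.
type SIEMAlert struct {
	AlertID   string `json:"alert_id"`
	Rule      string `json:"rule"`
	Actor     string `json:"actor"`
	Action    string `json:"action"`
	Timestamp string `json:"timestamp"`
}

// Bundle is the illustrative per-event artifact; its field names are assumptions, not the H33 schema.
type Bundle struct {
	Payload       json.RawMessage `json:"payload"`        // canonical JSON, signed as-is
	PayloadSHA256 string          `json:"payload_sha256"` // the digest a time anchor would commit to
	KeyID         string          `json:"key_id"`         // which published public key to verify with
	Signature     string          `json:"signature"`      // Ed25519 over Payload, hex-encoded
}

// CanonicalJSON returns a deterministic encoding: keys sorted at every level, no insignificant whitespace.
// Caveat: values pass through float64, so integers above 2^53 must be carried as strings.
func CanonicalJSON(v any) ([]byte, error) {
	raw, err := json.Marshal(v)
	if err != nil {
		return nil, err
	}
	var generic any
	if err := json.Unmarshal(raw, &generic); err != nil {
		return nil, err
	}
	return json.Marshal(generic) // encoding/json sorts map keys and emits compact output
}

// GenerateSigningKey stands in for the workflow's key; in production it lives in an HSM or KMS.
func GenerateSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// BuildBundle is the workflow step: bind the SIEM-observed event to its decision context and sign once.
func BuildBundle(alert SIEMAlert, decision map[string]any, keyID string, priv ed25519.PrivateKey) (Bundle, error) {
	payload, err := CanonicalJSON(map[string]any{"event": alert, "decision": decision})
	if err != nil {
		return Bundle{}, err
	}
	sum := sha256.Sum256(payload)
	return Bundle{
		Payload:       payload,
		PayloadSHA256: hex.EncodeToString(sum[:]),
		KeyID:         keyID,
		Signature:     hex.EncodeToString(ed25519.Sign(priv, payload)),
	}, nil
}

// VerifyBundle is what the outside party runs with only the bundle and a public key obtained out of band.
func VerifyBundle(b Bundle, pub ed25519.PublicKey) error {
	// 1. The payload must already be canonical, so every verifier hashes identical bytes.
	var generic any
	if err := json.Unmarshal(b.Payload, &generic); err != nil {
		return fmt.Errorf("payload is not valid JSON: %w", err)
	}
	if canon, _ := json.Marshal(generic); !bytes.Equal(canon, b.Payload) {
		return errors.New("payload is not in canonical form")
	}
	// 2. The embedded digest (the value an external anchor would commit to) must match.
	if sum := sha256.Sum256(b.Payload); hex.EncodeToString(sum[:]) != b.PayloadSHA256 {
		return errors.New("payload digest mismatch: content altered after bundling")
	}
	// 3. The signature must verify; editing the payload and recomputing the digest still fails here.
	sig, err := hex.DecodeString(b.Signature)
	if err != nil || !ed25519.Verify(pub, b.Payload, sig) {
		return errors.New("signature invalid: payload altered or wrong key")
	}
	return nil
}

// SampleInputs are constructed demonstration values, not real SIEM or H33 data.
func SampleInputs() (SIEMAlert, map[string]any) {
	return SIEMAlert{AlertID: "siem-000042", Rule: "privileged-role-grant", Actor: "alice",
			Action: "grant_role", Timestamp: "2024-05-01T10:15:00Z"},
		map[string]any{"policy_id": "PAM-7", "approved_by": "security-oncall", "outcome": "allowed"}
}

func main() {
	pub, priv, _ := GenerateSigningKey()
	alert, decision := SampleInputs()
	b, _ := BuildBundle(alert, decision, "evidence-key-01", priv)
	fmt.Println("original bundle:", VerifyBundle(b, pub))
	b.Payload = bytes.Replace(b.Payload, []byte("alice"), []byte("mallory"), 1)
	fmt.Println("edited payload: ", VerifyBundle(b, pub))
}
```

Run it with `go run`. Two design points carry over to any real deployment: the verifier receives the public key by `KeyID` from a channel the producer cannot rewrite after the fact (a published key set, a certificate), never from inside the bundle, and `PayloadSHA256` is the value a time anchor would commit to, so anchoring binds the canonical bytes rather than a pretty-printed rendering. The sorted-keys round trip here is the minimum for determinism; a production implementation should follow a published canonicalization such as RFC 8785 (JSON Canonicalization Scheme) so that independently written verifiers agree on the bytes.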
Side-by-side
| Dimension | SIEM | H33 Evidence |
|---|---|---|
| Primary purpose | Security operations | Verifiable evidence |
| Data shape | Continuous log stream | Per-event signed bundle |
| Audience | Security analysts, IR responders | Regulators, auditors, courts, insurers |
| Mutability | SIEM admins can modify | Cryptographically tamper-evident |
| Verification model | Trust the SIEM | Independent verification |
| Vendor portability | SIEM-specific | Open canonical JSON + open-source verifier |
| Time binding | Self-reported timestamps | Optional public-chain anchor |
| Cryptographic signatures | Not standard | Three-family post-quantum |
Common questions
Can H33 ingest into my SIEM?
Yes. H33 bundles are JSON and can be ingested into a SIEM as events for correlation and search. Treat the SIEM copy as a convenience, not as the evidence of record: inside the SIEM it can be altered or deleted like any other event, and a deleted copy leaves nothing to verify, so the separately stored signed bundle remains the artifact external parties verify.
Can the SIEM produce H33 bundles?
Some SIEM workflows can be configured to generate H33 bundles for specific events. Generation requires the EC object inputs (policy, authority, model, and decision context), which most SIEMs do not natively have access to, so the usual pattern is a workflow outside the SIEM that the SIEM triggers.
Does H33 replace my SIEM?
No. H33 is not a SIEM. H33 produces per-event verifiable evidence; SIEM produces operational log aggregation.
What's the cost of producing bundles for every SIEM event?
Not all SIEM events warrant H33 bundles. Most operational logs are appropriately handled by the SIEM alone; reserve bundles for the specific decisions and events that a regulator, auditor, court, or insurer may later need to verify independently.
Does this work with SOAR?
Yes. SOAR workflows can include H33 bundle generation as an action.
Related: H33 vs Traditional Audit Logs · Claims Evidence · Independent Verification · H33 Comparison Hub