Chain of Thought: Why Your AI Model Does Not Reason

/in
AI · Reasoning · LLM

Chain of Thought: Why Your AI Model Doesn't Reason.

Chain of Thought is not thinking. It is the statistical shape of thinking. Apple, Arizona State and UC Berkeley prove it with data. Here is what it means for anyone deploying AI in production.

9 min readAI · Production · Infrastructure

Chain of Thought (CoT) is a technique that makes language models generate intermediate steps before answering. While it improves benchmark results, recent research demonstrates it does not constitute genuine reasoning: it is a statistical constraint that mimics the form of human thought.

For organisations deploying AI in production environments, understanding this difference is not a philosophical debate. It is an architectural decision that affects reliability, cost and operational risk. At SIXE we have spent over 15 years designing critical infrastructure where failure tolerance is zero. That experience has taught us a rule that applies equally to an IBM Power cluster and to an AI agent: never trust a single component for anything that cannot go down.

01 · What it is

What is Chain of Thought and why does it look like reasoning?

When you enable "reasoning" or "thinking" mode in models like GPT-5, Claude or DeepSeek, the model generates an intermediate monologue before answering: "okay, first I'll analyse X... now let me consider Y... wait, let me check Z...". In the technical literature this is known as Chain of Thought (CoT).

The problem is that this is not thinking. It is generating text with the statistical shape of human reasoning. The model saw millions of examples of step-by-step reasoning during training and learned to reproduce that pattern. When you ask it to "think", what it actually does is recognise the problem category and fill in the statistical template that best matches.

A concrete example: if you ask a "reasoning" model to size a Ceph storage cluster with 12 OSDs, 3x replication and tolerance for 2 simultaneous node failures, it will return four flawless paragraphs with formulas, failure-domain considerations and a final number. It looks like structured thinking. What it actually did was detect "Ceph sizing problem" and apply the statistical pattern it has seen in hundreds of similar technical documents.

Why does it work? Because most of the time it gets the right answer. The question is what happens when the problem goes off-script.

02 · The evidence

Do LLMs actually reason? What the papers say

CoT works. It measurably improves benchmarks. The relevant question is not whether it works, but why it works. And the answer from the most rigorous studies is uncomfortable.

CoT as a statistical crutch

A team from Arizona State University demonstrated that CoT shines when the problem data falls within the training distribution. As soon as the problem moves outside known territory, performance collapses. It is the difference between a system that has memorised solutions and one that genuinely understands the underlying principles.

CoT as an architectural constraint

CoT is not abstract reasoning: it is a constraint that forces the model to imitate the form of reasoning. Forcing the model to write "first... second... therefore..." makes each generated token influence the next one more coherently. It is an architectural trick that improves the internal coherence of the text, not a cognitive act. The paper Chain-of-Thought Reasoning In The Wild Is Not Always Faithful documents how CoT can give an inaccurate picture of the actual process the model follows to reach its conclusions.

Technical conclusion

CoT is useful for many tasks. But it is not reasoning. It is formal coherence with the appearance of logic.

03 · The decorative

What are "decorative thinking steps" in AI reasoning?

A paper from October 2025 by researchers at UC Berkeley and UC Davis introduced the concept of decorative thinking steps, and their finding is especially relevant for anyone evaluating AI models for production.

The researchers found that many intermediate CoT steps are literally decorative. The model writes things like "wait, let me check... I think I made a mistake... let me recalculate", and then completely ignores that self-correction and delivers the answer it had already decided internally.

The demonstration was elegant: they deliberately perturbed the intermediate steps (changed numbers, altered logic) and checked whether the final answer changed. In many cases, it did not. The conclusion was already decided. The chain of thought was generated afterwards, as post-hoc rationalisation.

Tap each step to discover if it is real or decorative
"Hmm, wait. I think I got the replication factor wrong. Let me recalculate from the beginning..."
Tap to reveal
Decorative The model already had the answer. The "self-correction" did not change the final result. It is narrative theatre.
"Raw capacity = 12 × 8 TB = 96 TB. With 3x replication: 96 / 3 = 32 TB usable."
Tap to reveal
Real This step contains the calculation that determines the final answer. High TTS: the output depends on it.
"Let me verify my answer step by step to make sure I haven't made any calculation errors in the previous estimate..."
Tap to reveal
Decorative Pure rhetorical formula. The model does not re-execute any calculation: it has already emitted the answer tokens. It just adds words that look like rigour.
"Interesting question. Before answering, let me consider multiple angles: the failure domain, OSD balancing and metadata overhead..."
Tap to reveal
Decorative Listing factors without processing them is not analysis. It is the statistical form of what an expert would do. The model has already chosen the answer.
"With 2-node failure tolerance and 4 OSDs per node, the worst case loses 8 OSDs. Minimum guaranteed capacity: (12−8) × 8 / 3 ≈ 10.7 TB."
Tap to reveal
Real Introduces new variables (nodes, OSDs per node) that actually change the result. Without this step, the answer would be different.

A concrete finding: on the AIME dataset, only 2.3% of reasoning steps in the CoT had real causal influence on the model's final prediction. The rest was decoration. (Source: Can Aha Moments Be Fake?, UC Berkeley)

Direct implication

A model explaining well why it reached a conclusion does not mean that conclusion is correct. The explanation is generated alongside (or after) the result, and in many cases it is a justification built on top of a predetermined answer.

04 · Apple

"The Illusion of Thinking": Apple's study that changes everything

If decorative steps demonstrate that CoT does not guarantee reasoning even when it gets the right answer, Apple's study goes one step further: it shows that when the problem gets truly complex, the models give up.

In June 2025, Apple published The Illusion of Thinking, a study that tested state-of-the-art reasoning models on classic computer science puzzles: the Tower of Hanoi, river-crossing problems and other exercises that any first-year student solves with pen and paper.

PERFORMANCE BY COMPLEXITY — APPLE "ILLUSION OF THINKING" DATA (2025) 100% 75% 50% 25% 0% 88% 72% Easy 55% 82% Medium 8% 10% Hard No CoT With CoT
Model performance with and without CoT by complexity — Based on data from Apple ML Research, "The Illusion of Thinking", June 2025
Drag the slider — how does CoT perform as complexity increases?
Easy Medium Hard
No CoT
88%
With CoT
72%
El modelo sin CoT gana. El "pensamiento" extra solo añade coste y latencia.

The most significant finding is the third one. "Reasoning" models do not just fail on complex problems — they reduce computational effort precisely when they should increase it. It is the equivalent of a monitoring system that stops generating alerts when the infrastructure needs it most.

It is worth noting that the paper sparked debate: a team from CSIC in Madrid replicated part of the experiments and noted that some failures were due to output token limits, not pure cognitive limitations. But the core conclusions — that performance collapses with complexity and CoT does not scale predictably — held up.

05 · Cost

Is it worth paying for reasoning models?

It depends. And that is precisely the answer most vendors do not want to give you.

A case that illustrates the risk: a European company built a "reasoning" agent to classify support tickets. The chain of thought the model generated was narratively flawless. The problem was that 30% of the tickets ended up in the wrong queue, and the model explained with impeccable eloquence why that incorrect classification was the right one. Perfect narrative, wrong result.

This happens because we are confusing quality of explanation with quality of decision. They are different things. A model can produce formally flawless reasoning and reach an incorrect conclusion, exactly the same way a presentation with spectacular charts can defend a wrong strategy.

Rule of thumb

Before paying for reasoning models, benchmark with your real-world use case. Vendor marketing decks show results from their best days. Your data, your edge cases and your specific scenarios determine whether the extra cost is justified.

06 · Perspective

Is AI useless then?

No. And it is important to understand this clearly, because the pendulum can swing to the other extreme just as easily.

An LLM not reasoning like a human does not make it useless. It means you need to understand exactly what it does to use it correctly.

An IBM Power10 system running AIX does not "think" about workloads. It has no intuition. What it has is a high-performance RISC architecture, memory bandwidth that an equivalent x86 cannot match, and mainframe-grade reliability (RAS). If you understand what it does, you use it for what it is worth: critical databases, HPC, AI inference at scale. If you do not understand it, you use it as an expensive x86 server and wonder why it underperforms.

The same applies to LLMs. They are extraordinary language processors. They synthesise, translate, draft, classify and extract text patterns at a speed no human team can match. That is real, it has measurable value, and it is transforming operations across every sector.

What they are not is thinking agents with genuine understanding of the world. And selling the latter when what you have is the former is what is creating an expectations bubble that, sooner or later, will correct itself.

07 · In production

How to use AI in production without falling into the trap

In the world of critical infrastructure — IBM Power, AIX, high-availability clusters — there is a principle that never fails: design with redundancy. You never trust a single component for anything that cannot go down.

1. Do not use the explanation as proof the answer is correct

The model's explanation is generated alongside (or after) the result. It is often a post-hoc rationalisation. If the system makes critical decisions, you need independent verification. No matter how well it explains itself.

2. Benchmark with your real use case before choosing a model

For simple tasks, the cheaper model can outperform the expensive one. For medium tasks, CoT pays off. For highly complex tasks, both fail. The only way to know is to test with your real data, not the vendor's.

3. Design architectures with external verification

If your AI architecture is "ask the model and trust what it says", you do not have an architecture. A serious AI deployment includes cross-validation, business rules as a control layer, alerts when model confidence drops, and humans in the loop for critical decisions.

4. Demand evidence, not promises

The AI market is full of extraordinary claims without proportional evidence. A serious vendor shows you benchmarks on your type of data. A less serious vendor shows you a spectacular demo with prepared data.

08 · Our methodology

How do we evaluate AI models for production environments?

At SIXE we apply the same criteria to AI that we have applied to every critical infrastructure component for over 15 years:

  • Testing with real client data, not generic datasets or prepared demos.
  • Performance measurement on edge cases, not just the happy path. Errors do not show up in the median; they show up at the extremes.
  • Redundant architecture always. AI is one more layer in the system, not the entire system. It is complemented by business rules, cross-validation and human oversight where the decision is critical.
  • Model selection by use case, not by marketing. A model with CoT can be perfect for complex text analysis and entirely unnecessary (and more expensive) for simple classification.
  • Infrastructure sized for inference. An AI model is only as good as the infrastructure that supports it. We have verified this first-hand with vLLM on IBM Power and with Ceph as the AI storage backend.
Summary

For executives short on time

The essentials in 6 points

Chain of Thought is not thinking: it is the statistical shape of thinking, a constraint that improves the coherence of generated text.

Apple demonstrated that reasoning models collapse on complex problems and reduce their effort precisely when they should increase it.

Only 2.3% of reasoning steps have causal influence on the model's answer. The rest is decoration.

Do not pay for "reasoning" without measuring it on your specific use case with your real data.

Never use the model's explanation as proof that the answer is correct.

Design with external verification. AI is an extraordinary tool, not an oracle.

Sources

References and cited papers

Apple Machine Learning Research. The Illusion of Thinking: Understanding the Strengths and Limitations of Reasoning Models via the Lens of Problem Complexity. June 2025. machinelearning.apple.com

Zhao, C. et al. (Arizona State University). Is Chain-of-Thought Reasoning of LLMs a Mirage? A Data Distribution Lens. August 2025. arxiv.org/abs/2508.01191

Zhao, J. et al. (UC Berkeley, UC Davis). Can Aha Moments Be Fake? Identifying True and Decorative Thinking Steps in Chain-of-Thought. October 2025. arxiv.org/abs/2510.24941

Arcuschin, I. et al. Chain-of-Thought Reasoning In The Wild Is Not Always Faithful. March 2025. arxiv.org/abs/2503.08679

Dellibarda Varela, I. et al. (CSIC, Madrid). Rethinking the Illusion of Thinking. July 2025. arxiv.org/abs/2507.01231

Last updated:

AI in production

Need to evaluate how to integrate AI into your infrastructure?

At SIXE we design AI architectures with the same philosophy we apply to any critical system: redundancy, external verification and real benchmarks. Tell us about your case.

WhatsApp Contact SIXE +34 91 198 02 43

Why your RAG pipeline serves last month’s data

/in
RAG · IBM Fusion CAS

Why your RAG pipeline serves last month's data.

Re-vectorizing thousands of documents every time something changes doesn't scale. IBM Fusion CAS integrates vectorization directly into storage: documents change, vectors update themselves.

7 min readRAG · Storage · Unstructured data

IBM Fusion CAS (Content Aware Storage) is a capability built into IBM Fusion that vectorizes, indexes, and keeps documents continuously updated directly in the storage layer — without moving data or rebuilding the vector index.

If you have a RAG pipeline in production, you've probably run into this: documents change, but vectors don't. The contract was amended in March, the chatbot still answers with the December version. It's not a model problem — it's that nobody re-ran the ingestion pipeline. CAS solves exactly that.

80–90%
Of enterprise data is
unstructured
Source: IBM Redbooks
40%
AI prototypes never
reach production
Due to data quality
0
Data copies required
with CAS
Zero-copy ingestion
01 · The problem

Why do vector embeddings in a RAG pipeline go stale?

Between 80% and 90% of enterprise data is unstructured — PDFs, scanned documents, spreadsheets, contracts, support tickets. In a conventional RAG pipeline, the flow to make them accessible to AI is: extract documents → parse → generate embeddings → load into a vector database → search when a query arrives. It works. Until the documents change.

Versioned technical manuals, contracts with addenda, quarterly financial reports, support tickets that get reopened. Every time something changes, you have to re-run the entire pipeline. With thousands of documents, that means hours of GPU time, massive data movement between systems, and a team babysitting the process. According to IBM, 40% of AI prototypes never reach production precisely because of data quality and availability issues.

The usual alternative is to skip re-vectorization. And then your AI answers with two-month-old information.

The security gap nobody sees

In most RAG deployments, vectorization strips out the access controls from original documents. The chatbot has access to the entire vector index, and suddenly a sales rep can extract financial information they shouldn't see because the file's ACLs weren't propagated to the vectors. CAS solves this: vectors inherit the permissions from the source document.

02 · The solution

What is IBM Fusion CAS and what does it do?

CAS (Content Aware Storage) is a capability built into IBM Fusion that operates on top of Storage Scale. It's not a separate product. Storage goes from being a place where bytes are kept to understanding what's inside each file: its structure, its semantics, and how it has changed since it was last processed.

AI-Q Research Assistant architecture with IBM Fusion CAS — ingestion, vectorization, and RAG query flow
AI-Q Research Assistant architecture on IBM Fusion — Source: IBM Community, Sandeep Zende
Capability Traditional RAG pipeline IBM Fusion CAS
Data movement
Copy to external system
Zero-copy in place
Vector updates
Full re-ingestion
Automatic incremental
Change detection
Manual / cron
Real-time
Access control on vectors
Not propagated
ACLs inherited
GPU acceleration
Inference only
From ingestion
Orchestration
Scripts + crons + queues
Built into storage

If you already use Docling (or LibrePower's port for IBM Power) with Milvus and an LLM, you don't need CAS for that to work. A deployment with a few hundred PDFs that rarely change is well served by an orchestrated pipeline and a cron. The tipping point comes when documents number in the tens of thousands, change daily, and access control matters.

03 · How it works

How does CAS process documents without moving them out of storage?

IBM Fusion CAS flow — ingestion and query
📄
Document lands or changes in Storage Scale PDFs, scans, tables, contracts — CAS detects the event automatically
GPU-accelerated extraction and semantic chunking OCR, table recognition, layout analysis — all in storage, no copies
🧬
Embedding generation with NeMo Retriever Vectorization on NVIDIA Blackwell GPUs — RTX PRO 6000, linear scaling
🗄️
Incremental indexing in integrated vector database Only what changed gets updated — with inherited ACLs from source document
🔁
RAG query: retrieve → reason → refine → respond AI-Q Research Assistant: iterative loop with Nemotron + Llama-3, not a single-shot answer
↻ Continuous loop — data is automatically re-processed when it changes

The key difference from a conventional pipeline: there is no manual step between "the document changed" and "the vector index reflects that change." CAS closes that gap automatically, with NVIDIA Blackwell GPUs accelerating every phase — not just final inference. Ingestion and query throughput scales linearly as more NVIDIA RTX PRO 6000 GPUs are added, as documented in the IBM Redbook on NVIDIA AI Data Platform. On BEIR benchmarks (the industry standard for evaluating semantic search), CAS outperforms the most advanced retrieval systems on the market.

04 · Deployment

On-premises because there is no alternative

The entire architecture runs on-premises. This isn't a preference: if your data falls under GDPR, the EU AI Act, EBA banking regulations, or classified information requirements, sending it to a cloud API for vectorization is not a legal option.

It's the same philosophy we described when talking about building an on-premises AI factory with Ceph and Kubernetes, with one difference: CAS integrates data preparation directly into storage. No separate processing cluster to orchestrate, no message queues between NAS and pipeline, no temporary S3 buckets.

Storage Scale vs Ceph: a new argument

If you're evaluating which storage you need for AI workloads — the decision between Storage Scale and Ceph we covered last week — CAS tips the scale. It's something that only exists in the Storage Scale / Fusion ecosystem and has no direct equivalent in Ceph or any other distributed file system today.

05 · Scope

When does CAS make sense over a hand-built RAG pipeline?

CAS requires IBM Fusion on OpenShift. It's not a component you plug into any infrastructure. If your RAG works fine with Docling + Milvus + a cron job, you don't need this.

It makes sense when several of these conditions apply at once:

  • High volume of unstructured documents that change frequently.
  • Granular access control requirements — healthcare, banking, public administration, legal.
  • Existing or planned IBM infrastructure (Fusion, Storage Scale).
  • Need for the vector index to stay current without manual intervention.
  • Data sovereignty and European regulatory compliance.
Technical references

From RAG to Real Research — Sandeep Zende, IBM Community

IBM Redbooks: AI Inference at Scale with Storage Scale ECE and Fusion CAS

Official IBM Fusion CAS documentation

On-premises RAG architecture

Need to size an AI architecture on Fusion?

At SIXE we work with IBM Fusion, Storage Scale, and RAG pipelines in production. Tell us about your use case and we'll help you design the solution.

Contact SIXE +34 91 198 02 43

Servers & Storage in Stock | Delivery Under 30 Days

/in
Availability · May 2026

Servers and storage in stock. Delivered in under 30 days.

The SSD supply crisis and surging demand for AI infrastructure are pushing industry lead times to 3–6 months. At SIXE we have hardware available, we configure it internally, and we deliver in under 30 days.

8 min readStorage · Servers · Infrastructure

If you're looking to buy a rack server or an enterprise storage array and your usual supplier has quoted weeks or months, it's not an isolated case. It's the new normal.

The good news: we have stock. IBM Power10 and Power11, Dell PowerEdge, Lenovo ThinkSystem servers. IBM FlashSystem storage arrays across all ranges. Configured by our own engineers and ready for production.

<30
Days guaranteed
delivery
3–6
Months average
industry lead time
100%
In-house config
— no middlemen
01 · Context

Why getting hardware is a real problem in 2026

The hardware supply crisis didn't end with the pandemic. It transformed. In 2026, chips are no longer scarce, but global demand for AI compute and storage is consuming SSD, memory and server component production at a rate the supply chain cannot match.

The consequences for any business needing to refresh or expand its on-premise infrastructure are concrete:

  • Migration projects stalled due to unavailable hardware.
  • Expired maintenance contracts with no replacement equipment in sight.
  • Capacity expansions arriving too late for business commitments.
  • Rising prices across the channel due to flash and NVMe SSD shortages.
Actual lead times — industry vs SIXE (May 2026)
All-flash
storage
SIXE
FlashSystem
GPU server
(AI)
SIXE
Servers
x86 rack
server
SIXE
Dell / Lenovo
Industry — high lead time
Industry — variable
SIXE — own stock
Key fact

IBM designs and manufactures its own flash drives (FlashCore Modules). Unlike Dell, HPE or NetApp — who depend on third-party SSD suppliers — IBM controls its own flash storage supply chain. That translates directly into shorter, more predictable lead times for IBM Business Partners like SIXE.

02 · Storage

IBM FlashSystem storage arrays in stock

If there's one product where urgency is highest and SIXE's delivery advantage matters most, it's enterprise storage. The NVMe SSD shortage is stretching lead times for all all-flash arrays. But IBM manufactures its own flash drives — and that lets us hold stock when others can't.

IBM FlashSystem storage arrays — all-flash NVMe enterprise storage with FlashCore Modules
IBM FlashSystem — 2026 generation with FlashCore Module 5 (FCM5)

Entry range: FlashSystem 5015 and 5045

The gateway to enterprise all-flash storage. A 2U dual-controller array with compression, deduplication and AI-powered predictive analytics included. Ideal for SMB storage, backup or mixed workload consolidation. Check availability and conditions.

Mid-range: FlashSystem 5200 and new 5600

For businesses needing real performance. The new FlashSystem 5600 features fifth-generation FlashCore Modules (FCM5) in NVMe EDSFF format with up to 105 TB per module. Hardware-level ransomware detection in under a minute, immutable snapshots (safe-guarded copies) and encryption at rest as standard.

Enterprise: FlashSystem 7200/7600 and 9600

For mission-critical environments: SAP HANA, Oracle databases, AI factories, HPC. The 9600 scales to hundreds of PB with sub-100μs latencies.

Hardware ransomware protection

All FlashSystem arrays include threat detection at the I/O level, beneath the OS and filesystem. Safe-guarded copies create immutable snapshots that cannot be deleted or modified, even with root access.

Beyond the arrays

We also supply IBM Storage Scale (GPFS) for HPC and AI inference, Storage Protect and Storage Defender for enterprise backup, and Storage Fusion for Red Hat OpenShift and Kubernetes architectures.

Competitive terms

As a direct IBM Business Partner we have access to conditions other distributors cannot offer. If you already have a quote from another vendor, talk to us before you decide — we can surprise you.

03 · Servers

Enterprise servers: IBM Power, Dell PowerEdge, Lenovo

IBM Power10
S1012, S1022, S1024, E1050, E1080. AIX, IBM i and Linux. PowerVM. Extreme consolidation.
In stock
IBM Power11
S1122, S1124, E1150, E1180. New generation. Built-in AI and energy efficiency.
New 2026
Dell PowerEdge
T360 (tower server), R660, R760 (rack), XE9680 (8× NVIDIA H100 GPU server for AI).
In stock
Lenovo ThinkSystem
x86 rack servers for virtualisation, databases and enterprise applications.
In stock

IBM Power: runs Linux exactly like an x86 server

This is where many clients pause. "But it's Power…". IBM Power servers run Red Hat, SUSE and Ubuntu natively. You install your Linux distro, spin up containers, deploy OpenShift or Kubernetes. The admin experience is identical.

The difference is underneath. A single Power10 or Power11 consolidates what previously required four or five racks of commodity servers. PowerVM virtualises with a reliability that VMware can no longer promise — or charge you for, since Broadcom changed the licensing model. For anyone looking for a VMware alternative without starting KVM from scratch, Power is the lowest-risk option.

Dell and Lenovo: x86 when x86 is the right answer

Not everything needs a Power. For an SMB tower server running a local ERP, a Dell T360 solves the problem. For the data centre, the R660 and R760 rack servers are the market standard. And if you need a GPU server for on-premise AI inference, the Dell XE9680 with 8 NVIDIA H100 GPUs is the most versatile AI server available today. Check availability and conditions.

04 · Catalogue

What we stock and what it's for

ProductUse caseAvailability
FlashSystem 5015/5045
SMB, backup, consolidation
In stock
FlashSystem 5200/5600
ERP, SAP, virtualisation, AI
In stock
FlashSystem 7600/9600
Mission-critical, HPC, Oracle
In stock
Dell T360
Tower, SMB, ERP, file server
In stock
Dell R660 / R760
Rack, virtualisation, databases
In stock
Dell XE9680
On-premise AI, 8× NVIDIA H100
Enquire
Power10 S1022/S1024
Linux, AIX, IBM i, consolidation
In stock
Power11 S1122/S1124
New generation, built-in AI
In stock
Lenovo ThinkSystem
Standard x86, simple management
In stock

Check availability and conditions →

05 · Service

We don't deliver a box — we deliver a production system

Every hardware project includes solution design, configuration and validation at our facilities, on-site or remote installation, and post-sale support. We don't ship unconfigured hardware.

Our engineers — the same people who deliver official IBM training and provide L2/L3 support — know every product because they work with them daily. If you need to migrate from VMware, from another vendor's array, or from an unsupported server, we handle it.

Optionally: annual maintenance contracts 8×5 or 24×7 with guaranteed SLA.

No middlemen

We're a direct IBM Business Partner. No distributors, resellers or intermediate layers between your project and the manufacturer. That means direct access to IBM stock, partner terms, and the ability to escalate to manufacturer support when needed.

Check availability

Don't wait for the supply chain to get worse.

Tell us what you need — server, storage or both — and we'll confirm availability and delivery timeline within 24 business hours.

Message us on WhatsApp Request availability 📞 Call us

Storage Scale vs Ceph for AI Inference: How to Choose

/in
Storage Scale vs Ceph · AI Inference

Storage Scale vs Ceph for AI inference: how to choose.

We deploy both. We've run both in production for years. And no, the answer isn't "use both" — it's understanding what each does well, where each falls short, and which fits your workload.

12 min readStorage · AI · Architecture

The same question keeps showing up in different disguises: "Storage Scale or Ceph for AI inference?"

We're an IBM Business Partner. We sell Storage Scale. We also deliver Ceph training and run Ceph consulting engagements in production. We work with both daily, so what follows comes from building real architectures — not from reading datasheets.

This is what we'd tell a client sitting across the table designing their AI storage architecture.

01 · First things first

Before you choose: what AI inference actually needs from storage

Most people start with the product. We start with the access pattern, because that's what determines whether the choice works or gives you headaches for years.

A real inference environment — not a Llama demo on a laptop — looks like this:

What lives on your inference storage
# The heavy stuff — parallel reads, many nodes at once models/llama-70b/ ← 40-140 GB in safetensors shards models/embedding/ ← small but constantly accessed# RAG — millions of small files, mixed access rag/raw/ ← PDFs, emails, images, audio rag/parsed/ ← Docling/OCR output rag/chunks/ ← fragments, JSONL, parquet rag/embeddings/ ← vectors# Operations — batch, logs, adapters batch-jobs/ ← batch inference input/output checkpoints/ ← LoRA adapters, fine-tuning logs/ ← traceability, evaluation

And all of that gets consumed by a zoo of processes: GPU nodes running vLLM or TGI, CPU nodes, Spark or Ray preprocessing, Docling and OCR pipelines, vector databases, legacy apps coming in over NFS, and someone from compliance who needs to see a PDF from Windows via SMB.

If your setup looks like this — many consumers, many protocols, shared data — that pattern should drive the decision. Not the price per TB or the vendor logo.

02 · Storage Scale

Where Storage Scale wins for AI inference

Native POSIX: your frameworks expect a directory, not a bucket

This seems obvious until you have to set it up. Look at how the tools you'll actually use load models:

How real frameworks load models
# HuggingFace Transformers model = AutoModel.from_pretrained("/models/mistral-7b")# vLLM vllm serve /models/Meta-Llama-3-8B-Instruct# Triton Inference Server model_repository: /models/triton-repo/

They want a path. A directory. Not an S3 endpoint. Storage Scale (formerly GPFS) is a native parallel POSIX filesystem. That /models is a shared directory that all nodes read concurrently, with real concurrent access, no intermediate copies. Nothing to invent.

IBM Storage Scale — official docs

Zero copies between layers: the argument we find most convincing

With Ceph S3, the typical pattern for serving a model goes: download from bucket → write to local disk or PVC → start the inference engine → serve. That's three steps before the first query lands. And if you have 16 nodes, all 16 download their own copy.

With Storage Scale, the inference engine points to /gpfs/models/llama-70b/ and starts. Done. No download, no cache, no "does this node have the latest version?". When you update the model, you update it once and every node sees it.

This matters most when you're iterating — swapping models, testing LoRA adapters, rotating configurations. With local cache you end up maintaining sync scripts, invalidation logic and disk cleanup. With a parallel filesystem there's nothing to maintain.

Multi-protocol on the same file

This is what solves the enterprise headache. A single file in Storage Scale can be consumed via POSIX (GPU node), S3 (modern app), NFS (data team), SMB (someone on Windows) and CSI (Kubernetes pod). The same file. Not a copy per protocol. Not a different namespace per interface.

IBM implements this through Cluster Export Services (CES), which exposes S3, NFS and SMB access over the same data in the parallel filesystem.

In an environment where modern containers coexist with legacy applications nobody dares touch, this is what lets you build an AI factory without breaking what already works.

Metadata: when you have millions of small files

Enterprise RAG isn't "three PDFs in a bucket". It's millions of documents, millions of chunks, millions of embeddings, config files, auxiliary indices, shards, logs. Heavy operations on large directories with many small files. Storage Scale has been solving this in HPC environments for decades — Summit, Sierra and other supercomputers ran on GPFS. CephFS can handle this, but in our experience it takes significantly more design effort to keep it from struggling.

03 · Ceph

Where Ceph wins for AI inference storage

Massive object storage: real S3, not S3 as an afterthought

Ceph was built as distributed storage for objects, blocks and files. Its RGW (RADOS Gateway) provides a full S3 API with lifecycle policies, versioning, multi-tenancy, IAM — everything you need to run a proper object store. It's not a bolt-on. It's the core.

If your inference pipeline is S3-native — models downloaded from a bucket, datasets read via API, results written as objects — Ceph handles it well. A well-designed Ceph cluster scales horizontally to hundreds of PB by adding commodity nodes.

Cost per TB: Ceph wins this one outright

Let's be direct: Storage Scale costs more. It needs IBM licences, hardware with specific requirements, and people who know how to run it (there aren't many). Ceph runs on commodity hardware, has no software licence cost, and a team with solid Linux experience can operate it.

For a client with petabytes of data where most of it is cold — training datasets, historical archives, model backups — there's no reason to pay Storage Scale prices for TBs that get read once a month. Ceph with well-configured erasure coding is the right answer there.

Kubernetes: Rook makes everything trivial

For teams that live in Kubernetes or OpenShift, Ceph with Rook is hard to beat. A single operator that gives you RBD (ReadWriteOnce), CephFS (ReadWriteMany) and RGW (S3) from one cluster. OpenShift Data Foundation (ODF) is literally Ceph packaged by Red Hat — we cover this in detail in our Ceph vs MinIO 2026 guide.

Storage Scale has CSI too, but Rook/Ceph has been in the Kubernetes ecosystem longer and the community is much larger. If your team thinks in operators, Helm charts and GitOps, Ceph speaks their language.

Block storage for VMs and databases

If you also run OpenStack, virtualisation, or need block volumes for databases alongside inference, Ceph's RBD is best-in-class. Storage Scale doesn't compete here — it's not its territory.

Scale

CERN runs over 60 PB on Ceph in production, underpinning its OpenStack infrastructure. They've gone from a few PB to exabyte scale in a decade, adding nodes without architectural disruption. We cover this in more depth in our article on open source storage for AI and HPC.

04 · The downsides

What each gets wrong — and nobody likes talking about

This is where most articles get vague. We won't. We deploy both, and both have things we don't like.

What we don't like about Storage Scale

  • It's expensive. IBM licences, specific hardware requirements, and a rack with Storage Scale ECE plus GPUs isn't a small investment. For an AI pilot or a startup, it doesn't make sense.
  • Running it requires HPC expertise. It's not that it's difficult — it's a different world from cloud-native. If your team lives in Kubernetes and has never touched a parallel filesystem, the learning curve is real.
  • S3 isn't its strong suit. Storage Scale has S3 access via CES, and it works. But if you compare it with Ceph's RGW on pure S3 features — lifecycle, multi-tenancy, advanced versioning — Ceph has the edge.
  • Block storage: essentially absent. If you need RBD or block volumes for VMs, Storage Scale is not your tool.

What we don't like about Ceph

  • CephFS is not GPFS. CephFS works, but for many concurrent clients doing parallel I/O across millions of files (the classic AI/HPC pattern), Storage Scale has considerably more mileage. We explained this in our 2023 comparison.
  • Local cache adds complexity. If your models live in S3, every inference node downloads its copy. With 4 nodes that's trivial. With 32, you're maintaining sync scripts, tracking cache versions, and hoping local disks don't fill up.
  • Multi-protocol isn't clean. Ceph speaks RGW (S3), RBD (block), CephFS (file) and NFS (via Ganesha). But each protocol operates on its own pool or namespace. You can't transparently read the same file via S3 and NFS the way Storage Scale lets you.
  • Metadata under pressure. Intensive operations on directories with millions of small files (the RAG use case) can bottleneck in CephFS if the design isn't right. Ceph doesn't forgive improvisation.
Common trap

Mounting s3fs or goofys to give POSIX semantics to Ceph S3 so you can use from_pretrained() directly. Technically works. In production, the POSIX semantics are partial, performance is unpredictable, and the errors get creative. We don't recommend it as a permanent solution.

05 · The comparison

Storage Scale vs Ceph for AI storage: summary

Criteria Storage Scale Ceph
POSIX for AI
Native
CephFS
Object store S3
Via CES
Native
Block storage
No
RBD
Shared model loading
Direct
Via cache
RAG / many files
Strong
If S3
Multi-protocol / same file
Yes
Not clean
Kubernetes
CSI
Rook
Cost per TB
High
Low
Operations
HPC
SRE
AI/HPC heritage
Decades
Growing

The short version: Storage Scale wins when data is "alive" — many processes reading shared models, POSIX pipelines, mixed environments where Kubernetes and legacy apps coexist. Ceph wins when data is objects — S3 as the primary interface, models cached locally, cloud-native teams, tight budget.

Using Storage Scale as a cheap object store is a waste of money. Trying to make CephFS behave like an HPC parallel filesystem is asking for trouble. Each is very good at what it does.

06 · Our take

What we'd tell a client asking today

If pushed: for AI inference in enterprise environments with shared data and RAG, Storage Scale causes fewer headaches. Models are alive, shared, accessible via whatever protocol each consumer needs. No sync scripts, no cache prayers.

But if your pattern is genuinely cloud-native — stateless pods, S3 as source of truth, an SRE team that knows how to run Ceph — then Ceph is the right call and it'll cost you considerably less. We're not saying that to be polite: we've seen it work this way in production many times.

And if your environment runs sensitive data on IBM Power, integrates with DB2 or Oracle, and inference will coexist with HPC or analytics workloads — Storage Scale has no real competitor there. It's its natural territory. Storage Scale combined with Content-Aware Storage in IBM Fusion is starting to turn storage into an active data preparation engine for RAG.

Storage Scale or Ceph?

It depends. Tell us your use case and we'll tell you which.

We run both in production. Tell us about your workload and we'll point you in the right direction.

Storage Scale Talk to the team
Ceph consulting IBM Fusion AI Factory Ceph for AI/HPC

IBM Fusion & NVIDIA Blackwell: storage for AI on-premises

/in
IBM Storage · NVIDIA · AI

IBM Fusion & NVIDIA Blackwell: storage now processes data for AI.

GTC 2026 brought an IBM-NVIDIA collaboration far deeper than it appears. Fusion is no longer just storage for containers: with Content-Aware Storage and Blackwell GPUs, storage becomes an active AI data preparation engine — the critical layer for enterprise RAG at scale.

8 min readStorage · AI · Infrastructure

On 16 March, IBM took the stage at GTC 2026 in San José with an announcement that passed largely unnoticed outside storage circles: an expanded collaboration with NVIDIA spanning Blackwell Ultra GPUs in IBM Cloud, GPU-native data analytics, intelligent document processing, and on-premises deployments for regulated industries.

Three weeks later, IBM published a technical Redbook detailing how to integrate Storage Scale, Fusion and Content-Aware Storage (CAS) with the NVIDIA AI Data Platform. And recently, IBM, NVIDIA and Samsung demonstrated a CAS system capable of managing 100 billion vectors on a single server — the kind of scale that breaks traditional RAG pipelines.

What does this actually mean in practice? Is it a real architectural shift or keynote marketing? Here's our analysis.

The announcement

GTC 2026: IBM and NVIDIA get serious about enterprise AI

What IBM announced at GTC is not a generic partnership. These are five concrete workstreams that directly affect how enterprises deploy AI on-premises — and all of them connect back to storage for AI:

  • NVIDIA Blackwell Ultra GPUs on IBM Cloud — available from Q2 2026 for large-scale training, high-throughput inference and AI reasoning.
  • Content-Aware Storage (CAS) integrated into the next Fusion release — storage stops being passive and starts processing data for AI.
  • Red Hat AI Factory with NVIDIA — OpenShift + NVIDIA GPUs as the standardised platform for deploying AI in production.
  • IBM Consulting + NVIDIA Blueprints — integration services to move AI from pilot to production.
  • NVIDIA AI Data Platform (AIDP) support — a reference design integrating compute, networking and storage into a unified AI system.
Fuente: IBM Newsroom, 16 marzo 2026

The most impactful data point for on-premises infrastructure: Fusion HCI already includes GPU servers with NVIDIA H200 and RTX Pro 6000 Blackwell Edition. This is not a roadmap — the hardware is available today. Each system supports up to 4 GPU servers with 8 cards each.

To understand how all the pieces fit together, here is the full stack IBM has defined as the AIDP reference architecture on Fusion:

Rob Davis, VP of Storage Networking Technology at NVIDIA, was direct: AI agents need to access, retrieve and process data at scale, and today those steps happen in separate silos. The integration of CAS with NVIDIA orchestrates data and compute across an optimised network fabric to overcome those silos.

The technology

Content-Aware Storage: when storage understands what it holds

This is the most interesting part of the announcement and the least covered. Until now, enterprise storage was a passive repository: it stored files and served them on request. To run RAG (Retrieval-Augmented Generation) or feed AI models with corporate data, you needed a separate pipeline that extracted documents, chunked them, vectorised them and pushed them into a vector database.

CAS eliminates that external pipeline. It operates in two phases — visualised below:

Phase 1: Continuous ingestion and preparation

CAS monitors folders in Storage Scale (or external storage via AFM) and detects changes in real time. When a document is modified or added, CAS processes it automatically: content extraction from text, tables, charts and images using NVIDIA NeMo Retriever, semantic chunking, and conversion into high-dimensional embeddings. Vectors are indexed in a CAS-managed vector database on Storage Scale ECE.

Phase 2: Query and retrieval

When a user or AI agent asks a question, CAS performs semantic search, keyword (BM25) or hybrid retrieval. Results pass through an NVIDIA-optimised reranker for maximum relevance. Critically: vectors inherit the access controls (ACLs) from the original documents. If a user cannot read a file, they cannot see its vectors in RAG results either.

Fuente: IBM Redbook MD248598 — Enabling AI Inference at Scale, abril 2026
Why this matters

Most enterprise RAG deployments fail at two points: data goes stale because nobody updates the vector database, and there is no access control on the vectors. CAS solves both problems at the infrastructure layer, not the application layer. That is a genuine paradigm shift.

IBM + NVIDIA + Samsung demo
100mil millones
vectors on a single server with decoupled compute and storage, GPU-accelerated hierarchical indexing. At that scale, traditional RAG indices become unmanageable.
Fuente: SDxCentral, abril 2026
The hardware

H200, RTX Pro 6000 and Blackwell Ultra: which GPU goes where

There are three NVIDIA GPU lines in the IBM ecosystem that are worth keeping straight. Each has a distinct role — click each tab to see where it deploys and what it's for:

NVIDIA Blackwell Ultra
GTC 2026 · Cloud-first
IBM Cloud
AvailabilityIBM Cloud · Q2 2026
Use caseLarge-scale training, high-throughput inference, AI reasoning
DeploymentCloud only · no on-prem option in Fusion
IntegrationRed Hat AI Factory + VPC servers with compliance controls
If your workload can go to cloud and you have no data residency restrictions, Blackwell Ultra on IBM Cloud is the most powerful option in the catalogue. But if your data cannot leave the perimeter, check the other two tabs.
NVIDIA H200
Hopper · Extended HBM3e memory
Fusion HCI on-prem
AvailabilityFusion HCI · May 2026
Use caseTraining, fine-tuning and heavy LLM inference
Memory141 GB HBM3e · 4.8 TB/s bandwidth
Configuration2 GPUs per server · Up to 4 servers per rack
Maximum total32 GPUs per Fusion system
The H200 is the option for serious on-premises training. If you've read our article on vLLM inference on IBM Power, this is the x86 equivalent for Fusion HCI. Its extended HBM3e memory versus the H100 makes it ideal for large models that previously required aggressive sharding. In Fusion HCI it accesses Storage Scale ECE directly over a 200 GbE fabric.
NVIDIA RTX Pro 6000
Blackwell Edition · Inference + visualisation
Fusion + AIDP
AvailabilityFusion HCI · May 2026
Use caseInference, RAG, CAS vectorisation, professional visualisation
ArchitectureBlackwell Server Edition · 96 GB GDDR7
Configuration2 GPUs per server · Up to 4 servers per rack
AIDP stack+ BlueField-3 DPU · ConnectX-7/8 SuperNICs
The RTX Pro 6000 Blackwell is the GPU in the AIDP reference stack. It accelerates CAS semantic chunking and vectorisation, and combined with the BlueField-3 DPU it offloads network and storage processing from the main CPU. It is the critical piece for production CAS-RAG.
Fuente: IBM Redbook MD248598 — Reference AIDP stack
What is not obvious

BlueField-3 is not just a fast NIC. It is a DPU (Data Processing Unit) that offloads network, storage and security operations from the main CPU. In an AIDP system, the BlueField-3s accelerate communication between Storage Scale and the GPUs, reducing data access latency for real-time inference. It is a critical piece that does not appear in keynotes but makes the difference in real-world performance.

The analysis

What this means for on-premises AI

Putting all the pieces together, the IBM message is clear: Fusion is no longer a container storage product. It is an on-premises AI platform integrating compute (OpenShift), acceleration (NVIDIA GPUs), intelligent storage (Storage Scale + CAS) and optimised networking (Spectrum-X + BlueField-3) in a unified appliance.

For organisations that cannot — or choose not to — send their data to the cloud, this is significant. Especially in three scenarios:

Regulated industries

Banking, healthcare, public sector. Data cannot leave the perimeter. With Fusion HCI + CAS + NVIDIA GPUs you can run corporate RAG on internal documents without anything leaving the rack. And ACLs are enforced at the vector level — compliance built-in, not bolted-on.

AI on proprietary data at scale

IBM estimates 80-90% of enterprise data is unstructured. CAS converts that volume into AI-consumable data continuously and automatically. This is not a one-off ETL project — it is a permanent infrastructure capability.

Alternative to cloud when TCO does not add up

IBM keeps repeating the figure of Databricks-equivalent performance at 60% of the cost. This is an internal benchmark on selected operations, so it deserves some scepticism. But the economic logic of on-premises for predictable, high-volume workloads remains solid. If you know you'll have 30 GPUs running 24/7, on-premises TCO usually wins.

Our take

Real or marketing?

A bit of both, as always. What is unambiguously real:

  • The hardware existe y se puede comprar. Las H200 y RTX Pro 6000 están disponibles como servidores GPU para Fusion HCI. No es un roadmap.
  • CAS works. The 100-billion-vector demo is verifiable. The Redbook details the architecture step by step.
  • NVIDIA AIDP is a real reference design with early adoption in healthcare (UT Southwestern Medical Center) and finance.
  • Red Hat AI Factory standardises OpenShift + GPU deployment as an AI platform — exactly what Fusion HCI delivers as an appliance.

What deserves some nuance:

  • CAS is not yet in Fusion GA. IBM said Q2 2025, then Q2 2026. It's been integrated in Storage Scale since March 2025, but the embedded Fusion version is still landing.
  • The 60% cost vs Databricks figure is an internal benchmark under controlled conditions. In real production, the benefit will depend on your workload.
  • Fusion HCI is not cheap. A rack with H200 GPUs, 16 storage nodes and OpenShift licences is a significant investment. It makes sense for organisations with sensitive data and predictable workloads — not for an AI pilot.
SIXE take

The most significant part of this wave is not the GPUs — everyone has those. It is CAS. Storage that semantically understands what it holds and maintains a real-time vector database with inherited ACLs is a genuine architectural shift. If it works as promised (and the demos suggest it does), it resolves the two main problems with enterprise RAG: data freshness and access security.

That said, not everyone needs Fusion HCI to benefit. CAS lives in Storage Scale, which can also be deployed as software-defined on your own hardware. And if your data volume does not justify Storage Scale, Ceph with a conventional RAG pipeline remains a viable and more cost-effective alternative.

As always, the answer depends on volume, data sensitivity and budget. We'll help you evaluate it.

Evaluating on-premises AI?

Tell us your use case. We help you size the right solution.

Fusion HCI, Fusion Software, standalone Storage Scale or Ceph — it depends on what you need. We do not sell a single solution; we help you choose the right one.

View IBM Fusion Talk to the team
IBM Storage — hub Ceph FlashSystem

Still on Informix 12.10? You need to read this

/in
IBM Informix · Migration

Still on Informix 12.10? You need to read this.

12.10 support is over. But while you weren't looking, Informix changed quite a bit: standalone containers for Kubernetes, a rebuilt engine under the hood, native S3 backup, and a certification that's switching versions.

6 min readDatabases · Cloud-native

In March, Anup Nair — Principal Technical Product Manager for Informix — published the Informix Standalone Container announcement on IBM TechXchange. Enterprise-grade images for Kubernetes and OpenShift, with full support, no Cloud Pak for Data required. The post has 13 views and zero comments. Almost nobody noticed.

And yet, it's probably the most significant change in how Informix is deployed since IBM acquired it. Combined with the end of 12.10 support, the new capabilities in Informix 15 and the v15 certification transition, the landscape has shifted. Here's the summary.

Informix updates — standalone containers, 12.10 migration and official training
The news

Standalone containers: what's changed

Until recently, running Informix in containers with enterprise support in production required Cloud Pak for Data (CP4D). The Docker Hub images — which have since moved to the IBM Container Registry (ICR) — were Developer Edition only: fine for dev and test, no IBM support for production.

The Informix Standalone Container removes that dependency:

  • Production-grade images for Informix v14 and v15 on IBM Container Registry.
  • Direct deployment on Kubernetes and OpenShift without CP4D.
  • Full enterprise support under existing entitlement — not a separate product.
  • Developer to Enterprise Edition upgrade by swapping the image and applying the installer.
  • CASE bundles on GitHub: ibm-informix-standalone.
Source: Anup Nair, IBM TechXchange Community, March 2026

In practice, this means integrating Informix into CI/CD pipelines, spinning up instances for automated tests, deploying with Helm Charts across hybrid-cloud environments, and having dev environments identical to production. Daniel Weber, Informix Container Dev Lead, demonstrated the process at the April IIUG Tech Talk.

It's the kind of announcement that doesn't make headlines but changes how you operate a product day to day.

The cut-off

Informix 12.10 has lost support

On 30 April, IBM completed the transition of Informix 12.10 to Extended Support. Three direct consequences:

  • No more security patches. Any vulnerability discovered from now on stays unresolved.
  • No more bug fixes. The current fixpack is the last one.
  • Technical support only at extra cost under Extended Support, until 2030.
Source: IBM Product Lifecycle — Informix 12.10

The CSDK 4.10 (Client SDK) also transitions to Extended Support on the same date, which affects legacy ESQL/C, ODBC, and JDBC drivers.

12.10 was released in 2013. Thirteen years is a reasonable lifecycle. But many production environments are still running it because "it works" and there was never enough pressure to migrate. Now there is — and it coincides with a genuine modernisation path: containers, native encryption, S3 backup.

The decision

14.10 or 15: which one for migration

Informix 15 (November 2024) is the first major release in over five years, with deep internal engine changes: drastically expanded limits (a single partition can now hold 140 trillion pages), native dbspace encryption, improved Wire Listener (MongoDB 3.2–4.2), native S3/Azure/IBM COS backup via ON-Bar, official Helm Charts, and mandatory Java 11.

Informix 14.10xC13 (January 2026) is the latest release on the 14.10 branch: archecker improvements for SmartLOBs, Direct I/O for 2K/4K blocks, and accumulated fixes. Mature, battle-tested, conservative.

Stable · Proven
Informix 14.10xC13
January 2026 · Mature release
RiskLow
UpgradeIn-place from 12.10
DriversHigh compatibility
Dbspace encryptionNo
S3 backupNot native
ContainersStandalone ✓
New engine
Informix 15.0.1
Nov 2024 · Current release
RiskMedium
UpgradeIn-place from 12.10
DriversRequires validation
Dbspace encryptionYes — native
S3 backupON-Bar native
ContainersStandalone + Helm ✓

Our recommendation: if the environment is stable and you don't need the features in 15, the 12.10 → 14.10 path is the safest. It gives Informix 15 time to accumulate fixpacks. If it's a new project or you need native encryption, cloud backup, or Kubernetes-native deployment, go straight to 15.

What we don't recommend

Staying on 12.10 under Extended Support "until there's no other option". Extended Support has an end date and the longer you wait, the less flexibility you'll have. Rushing a migration is expensive. Planning one is a manageable project.

The team

Why training your team matters as much as migrating

We see it project after project. A team upgrades Informix and keeps operating with the same procedures from eight years ago. The server is on the new version; the knowledge isn't.

14.10 introduced AUTO_TUNE, which makes many manual adjustments unnecessary. 15 changes the approach to encryption, backup, and deployment. And with standalone containers there's a brand new operational model that requires Kubernetes skills a traditional DBA may not have. The official documentation is in the Informix 15 containerised deployment guide, but documentation doesn't replace hands-on training.

Our Informix courses

At SIXE, we've been delivering official IBM training for over 15 years. We've updated the entire Informix curriculum to v15 with new labs and custom documentation.

Informix 15 & 14.10 System Administration (SIFMX819G) — 3 days / 24 hours. From server architecture to production troubleshooting, with a 12.10→14.10/15 migration module and container deployment. Delivered by practising DBAs on a live Informix 15 instance.

The full Informix catalogue includes system administration, database administration, and custom migration courses. In English, Spanishand French — online, on-site, open or in-company.

View all Informix courses →

Migration, containers, or training?

Tell us what Informix you're running and we'll tell you where to start.

Current version, whether you're considering containers, whether your team needs training before moving production. No sales pitch.

Informix 15 Course Talk to the team
All Informix courses Full catalogue →

Ceph Object Storage vs IBM COS: Migration Guide (2026)

/in
Object Storage · April 2026

Ceph object storage vs IBM COS: when to migrate, and which way.

Three realistic paths for enterprise object storage at petabyte scale — and how we reach the right recommendation in each case. Fifteen years of production deployments and three live client cases on the table.

April 202611 min readInfrastructure · Open Source

In 2026, if you're running a multi-petabyte object storage deployment and thinking about the next five years, you have three realistic options: IBM Cloud Object Storage (the Cleversafe successor), upstream Ceph backed by a support partner, or commercially packaged Ceph — typically IBM Storage Ceph.

We prefer open source and say so upfront. But we've also recommended IBM COS to specific clients knowing it was the right call — and talked clients out of migrations that would have padded our invoice but complicated their operations without real gain. This article explains when and why, with real cases.

Comparativa IBM COS vs IBM Storage Ceph vs Ceph upstream — criterios de elección para migración de object storage
The landscape

The 2026 landscape, plainly

The on-premise object storage market has been reshuffling for three years. IBM has repositioned COS multiple times since acquiring Cleversafe in 2015: first as a standalone product, then pushed toward IBM Storage Ready Nodes, then folded into the "cyber vault" narrative inside the Storage Defender portfolio. Legacy Cleversafe customers — many running decade-old deployments on Cisco UCS hardware now at end of life — are asking what the next five years look like before IBM changes the message again.

Ceph, meanwhile, has done the opposite. It has consolidated. The current release, Tentacle (20.2.1, April 2026), closes a maturity cycle that started with Reef and Squid. Active contributors include CERN, DigitalOcean, Bloomberg, OVH, Clyso, Red Hat/IBM, and SUSE. It is hard to find an infrastructure open source project with more sustained momentum.

Between them sits IBM Storage Ceph: upstream Ceph packaged and commercially supported by IBM, the direct successor to Red Hat Ceph Storage. Technically the same Ceph. Commercially, a per-capacity subscription with a vendor tier-1 SLA. It exists because some clients' procurement policies mandate a named enterprise vendor, and bare upstream Ceph doesn't pass that filter — even if it is technically identical.

Three products, three business models, three distinct client profiles.

The options

The three options at a glance

IBM COS
Patented IDA (SecureSlice), closed three-tier architecture, certified hardware list. Strongest in advanced regulatory compliance environments.
Proprietary
IBM Cloud Object Storage
Cleversafe successor · ClevOS
LicenseIBM proprietary
HardwareClosed certified list
ProtocolsObject S3 / Swift
5-yr costHigh
Lock-inHigh
Ops complexityLow
IBM Storage Ceph
Upstream Ceph with IBM subscription. Same codebase, tier-1 contractual SLA. For clients who need a named vendor in the contract.
Ceph + IBM
IBM Storage Ceph
Red Hat Ceph successor · ppc64le
LicenseIBM subscription
HardwareAny x86 / ARM
ProtocolsS3 · RBD · CephFS · NVMe-oF
5-yr costMedium-high
Lock-inMedium
Ops complexityMedium
Ceph upstream + partner
Maximum control, lowest cost, zero lock-in. Requires technical maturity — in-house or through a partner acting as team extension.
Open Source
Ceph upstream
Tentacle 20.2.1 · Apache 2.0
LicenseApache 2.0 · free
HardwareAny commodity hardware
ProtocolsS3 · RBD · CephFS · NVMe-oF
5-yr costLow
Lock-inNone
Ops complexityHigh (team required)

Hover each card for detail · The right option depends entirely on each client's operational reality

All three work. The differences that matter are not about what they do, but how they are operated and what they cost over five years. IBM Storage Ceph and IBM COS do not compete — they serve fundamentally different client profiles. For a deeper comparison of Ceph against Storage Scale, GPFS, or NFS, see our dedicated article: IBM Storage Ceph vs Storage Scale, GPFS, GFS2, NFS and SMB.

Our position

Why we prefer open source

It's not ideology. It's the result of seeing, project after project, that a client with a competent in-house team or a capable partner gets the same operational stability on upstream Ceph as on any commercial alternative — with significantly more freedom and at lower cost.

Proprietary lock-in is not just about hardware — it's about roadmap. If IBM repositions COS again — and it has happened multiple times since 2015 — the client watches the change from the sidelines. With Ceph, if your commercial distributor changes strategy or raises prices, you move to upstream or another distributor without migrating data. The portability is real, not marketing.

Community continuity is a guarantee no single vendor can match. A proprietary product depends ultimately on a spreadsheet at the vendor's headquarters. Ceph has enough institutional contributors that when one leaves — which has happened — the project continues. For infrastructure you plan to run for fifteen or twenty years, that matters.

Architectural versatility pays for itself. Object storage today, block tomorrow for virtualisation, file when needed, NVMe-oF when it becomes relevant. All on the same hardware, maintained by the same team. COS only does object well. Separating platforms by protocol doubles teams, procedures, and support contracts. For cases where Ceph runs as an NFS high-availability backend, we've documented the process: NFS high availability with Ceph Ganesha.

Operational transparency is its own kind of security. When something breaks in Ceph, you have the code. When something breaks in COS, you open a ticket and wait. For serious technical teams, the first is worth more than it appears in a feature comparison.

The important nuance

Open source is not free. It is different. What you save in licensing you spend in team hours — in-house or contracted. If you have neither the team nor a partner acting as its extension, the equation can reverse. That's why the operational question matters as much as the philosophical one: who operates this day to day?

Technical honesty

When IBM COS is the right answer

If we were open source absolutists we'd be selling smoke — and there's enough in this market already. COS is the correct choice for a fairly specific client profile.

Small operational teams with no deep SDS skills and no budget to hire them or outsource continuously. Ceph's learning curve is real. If the organisation can't absorb it, a packaged product like COS reduces the operational problem surface.

Regulated sectors with very specific compliance requirements — audited WORM, SEC 17a-4 retention, Compliance Enabled Vaults, NENR. IBM's ecosystem is very mature here and audits move faster when the entire stack is from one vendor with existing certifications.

Corporate "single throat to choke" policy with explicit preference for vendor tier-1. Some organisations — conservative banking, public sector, defence — where the CISO won't accept an architecture without a contractual SLA. Arguing with that policy from outside is a waste of time; the right move is helping the client choose the packaged product that fits best.

IBM ecosystem already deployed. If the client already has Spectrum Protect, Storage Defender, Fusion, Power, or Z, consolidating object storage within the same vendor makes operational and commercial sense.

Very large scale (high petabytes or exabytes) with predictable, stable workloads, where the operational simplicity of a mature product offsets the licensing cost. We've seen clients with more than an exabyte under IBM support for whom migration would be a three-year project worth tens of millions; in those cases the answer is to stay and optimise.

What doesn't justify staying on COS

Inertia, uninformed fear of open source, or taking the annual licensing line as a given without questioning it. Those we always question.

Most of the market

When upstream Ceph with a good partner is the answer

This is the scenario where we believe most of the market sits — even if it doesn't always know it.

Profiles where upstream Ceph wins clearly:

  • Client with a competent technical team in Linux and infrastructure, or willing to engage a continuous support partner.
  • Medium to large scale, from hundreds of TB to tens of PB, where commercial subscription starts to hurt the budget.
  • Need or intent to unify object, block, and file storage on the same platform.
  • Hardware refresh underway with no appetite for tying to a single vendor's certified list.
  • Native Kubernetes integration via Rook, if a cloud-native platform is on the roadmap.
  • A preference, simply, for being able to see what's under the hood.

Here we need to address a myth that has circulated for years: that Ceph is hard. It's half true. Ceph is complex — as any serious distributed system is — but it's not chaotic or unstable. The difference between a Ceph cluster that causes problems and one that runs for years without incidents is not in the software. It's in deployment design, placement group and balancer tuning, coherent hardware selection, monitoring, and having someone experienced who knows what to do when something unusual appears in ceph health detail. We have a dedicated article on the most common Ceph error and how to fix it.

The problem is not Ceph. The problem is deploying Ceph without expertise. That's a problem for any complex infrastructure, not a product defect.

The honest question. Not "can I handle Ceph on my own?" — but "do I have someone, in-house or contracted, who has my back?" If yes, upstream Ceph delivers the best cost-to-result ratio in the market. If no, find that someone before signing anything.

A well-operated Ceph cluster performs just as well with upstream support plus a competent partner as with an enterprise subscription. The real difference is who picks up the phone at three in the morning. If you're evaluating Ceph against lighter object storage alternatives, our Ceph vs MinIO 2026 article covers that in detail.

The middle option

IBM Storage Ceph: the middle option

We'll be more direct here, because this product gets written about with surprisingly little clarity.

IBM Storage Ceph is, technically, Ceph. The same Ceph you download from the project website. Packaged, tested, integrated with IBM-specific tooling, commercially supported with an SLA, and certified in several regulated environments. That is what you pay for. Technically you get nothing you couldn't have with upstream.

When it makes sense to pay for it:

  • Public or private procurement contracts that require a tier-1 vendor with contractual support, with no room for negotiation.
  • Organisations where internal purchasing policy mandates enterprise support without exception, and there is no way to qualify an external partner as a substitute.
  • Clients who already have an IBM ELA where adding Storage Ceph to the package is reasonable against list price.
  • Sectors with audits where the manufacturer's name on the invoice shortens the process.

When it's not worth it: in practically every other case. If your compliance doesn't require it and you have a decent partner, paying a subscription for upstream is an avoidable overhead. At tens of petabytes scale, the difference between a commercial subscription and a partner supporting upstream can be hundreds of thousands of euros per year. At exabyte scale, it moves to millions. For most clients, that money is better reinvested in team, hardware, or anything else.

Plain summary. IBM COS = complete product, single vendor, high cost, high lock-in, low operational complexity. IBM Storage Ceph = community Ceph with an IBM invoice, contractual reassurance, medium-high cost. Upstream Ceph with a partner = maximum control, low cost, requires maturity — in-house or borrowed.

If your reality pushes you toward the first or second, we'll be there to help you operate it well. But most clients we work with discover, after an honest assessment, that the third fits them better than they thought.

Real cases

Three real client cases

Anonymised, because NDAs are NDAs. The lesson is always the same: the right question is not "which is better in the abstract" but "which fits this specific operational reality".

Real-world cases · Three profiles, three different decisions
A
European telco operator · 50 PB · IBM COS → Ceph upstream
Cisco UCS M4 hardware at end of life; refresh on IBM-certified hardware was prohibitively expensive. COS licensing cost had been questioned internally for years. Strategic intent to consolidate object and block on a single stack for the internal Kubernetes platform. 18-month phased migration with dual-running for critical data. Outcome: significantly reduced total operational cost, client team fully autonomous, SIXE as second-level support. Three years on, the cluster remains stable.
Hardware EoLLicensing costK8s consolidation
B
Regulated financial institution · 8 PB · Stayed on IBM COS
Called us to evaluate a potential migration motivated by licensing cost. We ran the full assessment. Our recommendation was not to migrate: small operational team with no budget or culture to absorb Ceph autonomously, SEC 17a-4 Compliance Enabled Vault requirements deeply embedded in annual audits, and legitimately high aversion to operational risk. We earned less than a migration would have generated — and gained a long-term client. We continued working with them optimising the existing deployment and planning the next hardware refresh.
SEC 17a-4Small teamAnswer: stay
C
Public sector organisation · 3 PB · Self-managed Ceph → IBM Storage Ceph
Ceph deployed internally without sufficient expertise: unstable cluster, recurring incidents that had worn out the operational team. A new tender requirement mandated tier-1 vendor contractual support — upstream was off the table. We accompanied them through the migration to IBM Storage Ceph, environment stabilisation, and team training. They ended with a healthy cluster and peace of mind. Not the cheapest path, but the only viable one given the external constraints.
Tender: vendor tier-1Unstable cluster→ IBM Storage Ceph
What nobody tells you

What most comparisons don't tell you

Four things that never appear in vendor whitepapers and that we have seen trip up many technical teams.

Migrating at petabyte scale is not copying data

It's migrating configuration: lifecycle policies, retention, legal holds, ACLs, CORS, bucket policies, versioning, event notifications, tagging, replication. You migrate context as much as bytes. A poorly scoped migration project discovers this halfway through and finds its timeline has doubled.

The S3 dialect is not uniform

Between AWS S3, Ceph RGW, and IBM COS there are subtle differences in headers, LIST behaviour with large object counts, multipart upload edge cases, and versioning semantics. Client applications sometimes need adjustment. Test — don't assume.

Data protection philosophy changes between products

COS's IDA, Ceph's erasure coding, and traditional triple replication are not interchangeable in terms of durability guarantees or the failure profiles they tolerate. Translating a COS IDA 10/8/7 to a Ceph erasure coding profile requires judgment, not arithmetic.

Day-to-day operations are radically different

In COS you diagnose with storagectl list and the Manager administration shell. In Ceph with ceph -s, ceph osd tree, ceph health detail, placement groups, OSDs, CRUSH maps. Retraining a team takes six to twelve months of effective transition. Budget for it — it cannot be a project footnote.

How we work

How we work at SIXE

The approach is straightforward and has been working for years. First an assessment: we review the current architecture, actual workloads, the operational team's profile, regulatory constraints, the three-to-five-year budget, and the technically viable options. The output is a reasoned recommendation with alternatives — and sometimes it is "stay where you are". We have said that more than once.

Then a design, if there is migration or substantial change. Target architecture, phased plan, operational windows, risk matrix, runbooks. No two migrations are alike.

Then execution. Phased migration with dual-running where possible, data validation, functional QA with client applications, post-cutover tuning.

And finally handover with mentoring to the client team, plus ongoing Ceph technical support if they want us at the other end of the line going forward. Many clients prefer this model — SIXE as a team extension — over a commercial subscription. It is exactly what makes upstream Ceph viable in serious production environments. For teams that want to build internal capability, we offer a Ceph administration course and a practical IBM Storage Ceph course.

Our team diagnoses a DONT-START-DAEMON on a ClevOS slicestor with the same ease as a placement group inactive+incomplete on Ceph. We are not an "IBM partner" or a "Ceph partner". We are an object storage partner, and we know all three options well enough to recommend whichever one actually fits.

Further reading

IBM Storage Ceph vs Storage Scale, GPFS, GFS2, NFS and SMB · Ceph vs MinIO 2026 · NFS high availability with Ceph Ganesha · How to fix the most common Ceph error

Running object storage that needs a review?

An honest technical conversation. No sales pitch.

Tell us about your current deployment — capacity, workloads, team, regulatory constraints. We'll tell you what makes sense. If the answer is "stay where you are", we'll say that too.

Talk to the team Ceph technical support →
Ceph admin course IBM Storage Ceph course Ceph Tentacle →

IBM DataStage: What It Is, How It Works and Why It Still Matters in 2026

/in
Data Integration · April 2026

What is IBM DataStage and why it remains the enterprise ETL benchmark in 2026.

While the data integration market fragments between cloud-native tools, notebooks and trendy orchestrators, DataStage has been moving the data that matters for three decades — banking, healthcare, telecoms and government. Here's what it is, how it works and when it makes sense in 2026.

April 20269 min read

If you work with data in a large organisation, you've probably heard of DataStage — even if you're not entirely sure what it does beyond "that IBM thing for moving data". It's quite a bit more than that.

IBM DataStage is the ETL (Extract, Transform, Load) tool from the IBM InfoSphere suite. It has been in production for over 25 years, survived multiple acquisitions and rebrandings, and in 2026 it remains one of the centrepieces of IBM's data ecosystem — now also available as a service within IBM Cloud Pak for Data.

The fundamentals

What is DataStage and where does it come from

IBM DataStage is a data integration tool that lets you design, deploy and run pipelines that extract information from multiple sources, transform it according to business rules, and load it into target systems. In data engineering, this is known as ETL — Extract, Transform, Load — and DataStage is one of the most established and robust implementations on the market.

The history is worth knowing because it explains a lot about what DataStage is today. It started in the 1990s as a product from Ardent Software, was acquired by Informix, which was then bought by IBM in 2001. Since then it has been part of the IBM InfoSphere family — a suite of tools for data integration, quality and governance.

What sets DataStage apart from a Python script or an Apache Airflow flow isn't what it does (moving data from A to B) but how it does it: with a visual job design interface, a distributed parallel processing engine, native connectors for virtually any database or system, and an integrated metadata system that traces where every piece of data came from and what transformations it underwent.

In plain English: DataStage is what organisations use when they move millions of records nightly between dozens of systems, and they need it to work every time, be auditable, and not require a 15-person team to maintain.

The architecture

How it works: the parallel processing engine

The core component of DataStage is its Parallel Framework. Unlike ETL tools that process data sequentially — one record after another — DataStage distributes work across multiple partitions running simultaneously. It's the same idea as MapReduce or Spark, but implemented before those technologies existed.

┌──────────────────────────────────────────────────────┐ DataStage Parallel Engine └───────┬──────────────┬────────────────┬───────────────┘ ┌────▼────┐ ┌─────▼──────┐ ┌──────▼──────┐ Extract │ │ Transform │ │ Load │ │ │ │ Db2 │ │ Rules │ │ DWH Oracle │ │ Cleansing │ │ Data Lake SAP │ │ Enrichment │ │ Cloud APIs │ │ → parallel │ │ → batch/RT CSV │ │ → N nodes │ │ └─────────┘ └────────────┘ └─────────────┘

The clever part is that the developer doesn't have to think about parallelism. You design the job as if it were sequential — dragging stages in the Designer — and the engine decides how to partition the data, how many nodes to use and how to redistribute the load. You can force manual partitioning when you need fine control, but most of the time the engine handles it.

The stack components

  • DataStage Designer. The visual interface where jobs are designed. You drag stages (sources, transformations, targets), connect them with links, define column metadata and compile. Behind the scenes it generates OSH (Orchestrate Shell), which is the language the parallel engine executes.
  • DataStage Director. The monitoring console. You see which jobs are running, which have failed, logs, performance stats, and can relaunch or abort executions.
  • Information Server. The wrapper layer: security, shared metadata with other InfoSphere tools (QualityStage, Information Analyzer, IGC), REST API for automation, and the central job definitions repository.
  • Connectors. DataStage has native connectors for a huge catalogue: Db2, Oracle, SQL Server, PostgreSQL, MySQL, SAP, Teradata, Snowflake, Amazon Redshift, S3, Azure Blob, Kafka, flat files, XML, JSON, REST APIs — the list goes on. These are not generic ODBC wrappers — they are optimised connectors with bulk load support, pushdown optimisation and fine-grained session control.
Use cases

What DataStage is used for in practice

The real question isn't "what can it do" (moving any data between any systems) but "where does it make sense versus cheaper or more modern alternatives". Because DataStage isn't the simplest tool on the market, and the licensing cost is non-trivial. What justifies that cost are very specific scenarios.

Data warehouse loading

This is the classic case and it's still the most common. Organisations with a DWH — whether IBM Db2 Warehouse, Teradata, Snowflake or Redshift — that need clean, transformed, enriched data loaded nightly (or hourly) from dozens of source systems. DataStage shines here because of parallel processing: where a Python script takes hours, a well-designed DataStage job processes the same volume in minutes.

Data migration

When an organisation changes its ERP, core banking system or hospital information system, there's a data migration project that can last months. DataStage maps old schemas to new ones, applies conversion rules, validates referential integrity and executes massive loads with rollback. Metadata lineage is crucial here — you need to prove to audit that every migrated record has a known origin.

Real-time integration with CDC

With IBM CDC (Change Data Capture) integrated, DataStage can replicate database changes with millisecond latencies. This is used where operational data needs to be synchronised between systems in near-real-time — for example between a core banking platform and an anti-money-laundering system.

Data quality and governance

DataStage integrates natively with the rest of the InfoSphere suite: QualityStage for cleansing, Information Analyzer for profiling, and IBM Knowledge Catalog for governance and lineage. This means data governance projects that require end-to-end traceability have everything under one umbrella.

Where DataStage fits best

Banking, insurance, telecoms, healthcare, government and utilities. Industries with massive volumes, strict regulation (NIS2, PCI DSS, GDPR), and IBM Power environments where DataStage runs natively. If your infrastructure is already IBM — Power11, AIX, Db2 — DataStage is a natural fit.

The evolution

DataStage on Cloud Pak for Data: the 2025-2026 evolution

The recent history of DataStage has one clear protagonist: IBM Cloud Pak for Data. It's IBM's unified data platform built on Red Hat OpenShift, grouping all data services (DataStage, Watson Studio, Knowledge Catalog, Db2, etc.) under a common interface.

The most significant change came in June 2025 with Cloud Pak for Data version 5.2: DataStage is now available on OpenShift on IBM Power (ppc64le). This means organisations with Power servers that previously ran DataStage on the classic InfoSphere stack can now containerise it and manage it with the same orchestration as the rest of their cloud-native workloads.

The current version — Cloud Pak for Data 5.3 — brings DataStage with full ETL and ELT support, remote execution, and the new DataStage Flow Designer integrated into the Cloud Pak for Data web UI.

A note on security. In February and March 2026, IBM published several security patches for DataStage on Cloud Pak for Data 5.1.2 to 5.3.0, including command injection and sensitive information leakage vulnerabilities. If you're running DataStage on Cloud Pak for Data, make sure you're on version 5.3.1 or later.
The competitive landscape

DataStage vs the alternatives in 2026

It would be dishonest to discuss DataStage without acknowledging that the data integration market in 2026 looks very different from 2015. There are serious alternatives, and the decision depends heavily on context.

ToolModelStrong inWeak in
IBM DataStageIBM licenceParallel processing, IBM environments, regulationCost, learning curve, closed ecosystem
Informatica IDMCSaaS / on-premMarket share, connector catalogueEven more expensive than DataStage
Apache Spark / dbtOpen sourceCloud-native, flexibility, communityNot turnkey ETL, requires engineering
Talend (Qlik)CommercialEase of use, open source coreAcquired by Qlik in 2023, uncertain roadmap
Azure Data FactorySaaS AzureNative Azure integrationCloud lock-in, limited outside Azure
AWS GlueSaaS AWSServerless, low cost for small volumesCloud lock-in, limited outside AWS

When does DataStage make sense? When you already have investment in the IBM ecosystem (Power, Db2, InfoSphere), when you need on-premise parallel processing at volumes others can't handle, when regulation requires end-to-end metadata lineage, or when your team already knows DataStage and retraining costs exceed the licence.

When doesn't it? When your stack is pure cloud-native (AWS/Azure/GCP with no IBM), volumes are small, you prefer code over visual interfaces, or the budget doesn't stretch to IBM licensing and you'd rather invest in engineering with open source tools.

Getting trained

Official IBM DataStage training in Europe

If DataStage is part of your current stack or it's going to be, proper training is the difference between a team that designs efficient jobs and one that produces pipelines that take hours to run and nobody can debug.

SIXE is an IBM Authorized Training Partner and offers the following DataStage courses delivered by IBM-accredited instructors:

Both courses include official IBM materials and hands-on labs. Available on-site across Europe, remotely, or as in-company training tailored to your team. Delivered in English, Spanish and French.

Custom training

If you need a tailored course — for example, focused on migrating classic jobs to Cloud Pak for Data, or on performance tuning for a specific environment — we design it using official materials supplemented with content from our own deployments. See the full IBM training catalogue or contact us directly via WhatsApp.

Further reading

Working with IBM DataStage?

Official training. In Europe. By people who deploy it.

Whether you're starting with DataStage or want to take your team to the next level, official IBM courses delivered by SIXE cover everything from fundamentals to advanced parallel engine administration.

Enquire about training Full IBM catalogue →
KM204G — Essentials KM520G — Administration IBM DataStage →

OpenStack Gazpacho 2026.1: VMware Replacement for Private Cloud

/in
Private Cloud · April 2026

OpenStack Gazpacho: the release that makes the VMware exit real and your private cloud ready for what's next.

OpenStack 2026.1 Gazpacho shipped on April 1st. Over 9,000 changes, 500 contributors, parallel live migrations, intelligent bare metal automation with Ironic, and the steady elimination of Eventlet. It's the SLURP release of the year — and the most relevant one for organisations rethinking their virtualisation stack.

April 202614 min read
OpenStack 2026.1 Gazpacho release logo — the 33rd version of the world's most widely deployed open source cloud infrastructure software, the leading VMware alternative for private cloud

OpenStack just shipped its 33rd release. A few years ago, this would have been inside-baseball for private cloud operators. But 2026 is not a normal year for infrastructure. Broadcom has been reshaping the VMware landscape for over a year. European organisations are measuring the real cost of vendor dependency. And the open source private cloud has gone from an ideological stance to an economic one.

Gazpacho arrives at the exact moment when more organisations than ever are actively looking for serious alternatives to vSphere. And this release, for the first time in a while, has concrete answers to the questions those organisations are asking.

To understand what's actually new, it helps to start with something unglamorous but critical: whether you can even upgrade without disrupting production.

The release model

What SLURP releases are and why Gazpacho is the one that matters

OpenStack publishes two releases per year. Since 2022, alternating releases are marked as SLURP (Skip Level Upgrade Release Process): they allow operators to upgrade once a year, jumping directly from one SLURP to the next without touching the intermediate version.

Here's the current landscape:

ReleaseDateStatus
2026.1 Gazpacho1 April 2026Current release. SLURP. Recommended for new deployments and upgrades.
2025.2 Flamingo1 October 2025Supported. Non-SLURP (intermediate).
2025.1 EpoxyApril 2025Previous SLURP. Direct upgrade to Gazpacho supported.
2026.2 HibiscusSeptember 2026 (planned)Next release. Non-SLURP.

The official Gazpacho cycle schedule details all milestones, feature freeze dates, and responsible teams. The official release page collects the highlights selected by the community.

The practical consequence: if your environment runs Epoxy (2025.1), you can jump straight to Gazpacho without touching Flamingo. That halves your mandatory upgrades and simplifies maintenance window planning in production.

And if you're on Flamingo, it's a standard one-step upgrade.

Context

Gazpacho is the 33rd OpenStack release. Around 500 contributors from 100 organisations — Ericsson, Rackspace, Red Hat, Samsung SDS, SAP, NVIDIA, Walmart, among others — contributed over 9,000 changes during a six-month cycle. The CI/CD system (OpenDev Zuul) processed over one million jobs to validate this release. And a relevant data point for Europe: 40% of contributions came from European developers, driven by the continent's digital sovereignty initiatives. Full details are in the official OpenInfra Foundation blog post.

With the upgrade calendar clear, let's look at what actually justifies moving — beyond just closing a support window.

The headline feature

Parallel live migrations in Nova: the game changer

If we had to pick a single feature from Gazpacho to explain why this release matters to enterprises, it would be this: Nova now supports parallel live migrations.

Until now, live migration of instances processed memory transfers sequentially: one connection after another. Gazpacho introduces multiple simultaneous connections, significantly accelerating workload transfers between hosts or availability zones.

Why does this matter so much? Because migration speed is, in practice, the factor that determines how long a maintenance window lasts. For an organisation with hundreds of VMs — or one evaluating a move from VMware — the difference between serial and parallel migration is the difference between a single maintenance night and an entire weekend.

Live migration — maintenance window ↕ hover for detail
t=0 t=T t=2T t=3T t=4T

And that's not all that changes in Nova

Parallel migrations are the headline, but Nova brings three more changes that stack on the same principle: less operational friction.

Live migration with vTPM

Another feature that pairs with parallel migrations: Nova now allows live migration of instances using vTPM (virtual Trusted Platform Module) without shutting them down. Workloads with disk encryption or secure boot requirements — common in regulated environments — can now be moved between nodes without service interruption. Previously, migrating a VM with vTPM required a full shutdown-move-restart cycle. That's over.

Default IOThread per QEMU instance

A subtler change with real impact: Nova now activates a default IOThread per QEMU instance, offloading disk I/O processing from vCPUs. In high-density environments — many VMs per host — this translates to more consistent storage performance under load, without touching any configuration.

Full OpenAPI coverage in Nova

Nova achieves complete OpenAPI schema coverage: every API endpoint now has a machine-readable specification. For teams automating with Terraform, Ansible, or custom tooling, this means validating requests before sending them and reducing errors in infrastructure-as-code deployments.

Nova handles the VMs. But VMs need to live somewhere. And if that somewhere is physical hardware that hasn't gone through OpenStack before — which is exactly the situation in most VMware migrations — Ironic enters the picture.

Intelligent bare metal

Ironic: intelligent automation that cuts manual work

Ironic is OpenStack's service for provisioning physical servers — bare metal — as if they were virtual machines. In Gazpacho, Ironic receives a package of improvements that together represent a step change in day-to-day operations:

  • Autodetect deploy interface. Ironic automatically determines the right deployment method for each server, eliminating manual selection. It doesn't sound dramatic, but in a datacentre with heterogeneous hardware (different generations, different vendors) it saves hours of per-node configuration.
  • Automatic protocol detection (NFS/CIFS) for Redfish. Virtual media boot configuration is simplified: Ironic determines the correct protocol without operator intervention.
  • Trait-based port scheduling. Network assignment is automated based on real infrastructure attributes — NIC type, speed, capabilities — instead of depending on manual mappings.
  • Noop deploy interface. Perhaps the most interesting for migration projects: it allows you to register and monitor servers that are already deployed and running, without needing to reprovision them. The typical use case: onboarding existing hardware into OpenStack's inventory during a gradual migration from VMware or another platform.
In practice

The noop interface is particularly useful in the VMware-to-OpenStack migration projects we run at SIXE. It allows you to register existing ESXi hosts in OpenStack, monitor them, and plan workload migration without needing to reinstall the host OS until the time comes. It's the difference between "migrate everything over a weekend" and "migrate in phases with control".

Cyborg driver guide

Cyborg, OpenStack's accelerator service, publishes for the first time a unified driver configuration guide covering all supported types: FPGA, GPU, NIC, QAT, SSD, and PCI passthrough. For organisations incorporating AI accelerators or HPC workloads into their private cloud, having tested, unified documentation significantly lowers the barrier to entry.

VMs migrated with Nova, existing hardware onboarded with Ironic. Now for the part that always ends up more complex than expected: the network.

Networking, storage, security

What changed inside: OVN, Manila, OpenBao

Networking: native BGP and OVN improvements in Neutron

The Neutron OVN controller gains features that have been long requested in enterprise environments:

  • Native BGP support for advertising routes directly from the network controller, without external tooling.
  • North-South routing for external ports, simplifying connectivity with physical networks.
  • Allowed address pairs with virtual MACs, enabling multi-tenant scenarios and hybrid connectivity architectures.

Historically, these were scenarios where OpenStack required workarounds or third-party tools. Gazpacho solves them natively.

Storage: QoS in Manila and asynchronous volume attachments

Manila introduces QoS types and specifications that allow applying per-workload performance policies to shared storage. If you have a storage pool for databases and another for cold files, you can now set limits and priorities at the platform level, not just at the hardware level. Cinder advances asynchronous volume attachments, improving responsiveness in high-density environments.

Security: PKI with OpenBao

Integration with OpenBao — an open fork of HashiCorp Vault — for PKI certificate management in OpenStack-Ansible allows aligning OpenStack's certificate infrastructure with existing enterprise security tooling. Especially relevant in regulated environments where certificate lifecycle management is audited and where administration already uses Vault as a standard.

Watcher: cross-zone migration strategies

Watcher, the resource optimisation service, improves its workload redistribution strategies across zones with enhanced testing. For operators managing multi-site clouds or differentiated availability zones, this improves the reliability of automated redistributions during maintenance or failures.

All of the above — migrations, automation, networking — are visible features you can justify in a budget conversation. But there's work Gazpacho does silently, more important in the long run than any single feature: cleaning house.

Technical debt

Eventlet: the beginning of the end for legacy concurrency

One of the most important background stories in OpenStack over the past three years is the progressive elimination of Eventlet, a cooperative concurrency library adopted in the project's early days when Python 2 lacked a native alternative. Python 3 does have one: asyncio. But migrating a project the size of OpenStack from one concurrency model to another is a monumental effort.

In Flamingo (2025.2), four services completed the migration: Ironic, Mistral, Barbican, and Heat. In Gazpacho, Nova makes significant progress towards native threading, with measurable performance and stability improvements. Neutron also advances. And nine more projects are in active migration.

Why should an organisation that doesn't contribute code to OpenStack care? Because Eventlet is a known source of subtle bugs, debugging difficulties, and incompatibilities with modern Python libraries. Its removal makes OpenStack more stable, more maintainable, and more predictable in production over the long term. It's the kind of invisible improvement that doesn't appear in demos but makes a real difference at 3 AM when something fails and needs diagnosing.

Eventlet migration progress
● Complete ◐ In progress ○ Pending
0
Complete
0
In progress
0
Pending
0%
Complete
Overall project progress Goal: native asyncio across all services
Market context

Gazpacho as a VMware replacement: why the timing matters

We're back to where we started. We said 2026 is not a normal year for infrastructure — that Broadcom has forced organisations to rethink their virtualisation stack. The question those organisations ask is no longer "is OpenStack technically capable?" That was settled a long time ago. The question is: "does it have answers to my specific problems?" With Gazpacho, that answer has improved substantially.

Since Broadcom restructured the VMware licensing model — significant price increases, end of perpetual licences, shift to subscription bundles — the concerns we hear most often from customers are always the same. Gazpacho has a direct answer for each one, and each answer connects back to what we've just covered:

Common concernGazpacho's answer
Migration speedParallel live migrations rivalling vMotion. vTPM without downtime.
Existing hardwareIronic noop lets you register hosts without reprovisioning. Gradual migration.
Complex networkingNative BGP in OVN, N-S routing, virtual MACs. No external tooling needed.
Accelerators (GPU, FPGA)Unified Cyborg driver guide. Improved PCI passthrough.
Predictable upgradesSLURP model: one major upgrade per year, tested upgrade path.
Sovereignty / lock-inOpen project, 100 contributing organisations, 40% European.

On top of this, OpenStack now exceeds 55 million cores in production worldwide. It's not a niche project or a future promise: it's infrastructure running in production at Walmart, CERN, NTT, Deutsche Telekom, and thousands of smaller organisations that don't publish their numbers. The project has been running for 15 years and the contributor base is growing, not shrinking.

The European angle

40% of Gazpacho contributions came from European developers. This is no accident: the EU's digital sovereignty initiatives are driving adoption of open infrastructure in public administrations and regulated enterprises. For organisations that need to demonstrate technological independence in their procurement or audit processes, OpenStack is one of the few options that combines technical maturity with genuinely open governance.

Next steps

How this fits your infrastructure

Release model, parallel live migrations, intelligent bare metal, networking without workarounds, legacy debt winding down, favourable market context. Everything converges on the same practical question: what do you do now? The answer depends on where you are.

There are three common situations, and the right diagnosis differs for each:

  • You have OpenStack in production and need to plan the upgrade to Gazpacho. If you're on Epoxy, the direct SLURP-to-SLURP upgrade is your path. If you're on Flamingo, it's a standard one-step jump. In both cases, the recommendation is to validate in a test environment, especially if you use features that have changed between versions (migrations, OVN, Ironic).
  • You have VMware and the renewal cost has you looking at alternatives. The question here is one of design: which workloads move first, what OpenStack architecture fits (on what hardware, with what storage — Ceph is the natural choice), and how to migrate data without stopping the service.
  • You're starting a new project — private cloud, data platform, AI infrastructure — and OpenStack is on the table. Gazpacho is the right version to start with, using Ceph for storage and, if you need containers, Kubernetes integrated via Magnum.

In all three cases, the sensible order is the same: a short technical conversation to understand the situation, an architecture proposal with clear options and trade-offs, and a validation lab before touching production. What changes with Gazpacho is not the process — it's that there are more mature pieces to work with.

Further reading

Evaluating OpenStack or planning an upgrade?

Let's talk about your infrastructure.

Tell us where you are — pending upgrade, VMware exit, new project — and we'll come out of the call with a clear picture of architecture, effort, and next steps. No generic quotes. Directly with engineers who've had their hands inside projects like yours for years.

Book a technical session WhatsApp
Private cloud Urgent support OpenStack.org

What is Wazuh? The Open Source SIEM Alternative to Splunk and QRadar

/in
SIEM & XDR · April 2026

What is Wazuh and why it's the real alternative to Splunk and QRadar in 2026.

In two years, Cisco bought Splunk for $28 billion and Palo Alto Networks bought IBM's QRadar SaaS assets. Meanwhile, Wazuh kept publishing releases, launched threat hunting with a local LLM, and crossed 10 million annual downloads. Here's why that changes the SIEM conversation in 2026.

April 202612 min read

There's a conversation we've been having several times a month at SIXE since late 2024. A head of IT or a CISO calls us, usually with a bit of fatigue in their voice, and says some version of the same thing: "our Splunk contract is up and next year's budget won't cover it", or "we're on QRadar SaaS and IBM just told us we need to migrate to Cortex XSIAM, but we're not sure that's what we want".

It's not a coincidence. The commercial SIEM market has changed more in 24 months than it had in the decade before. And in the middle of all that movement, there's one piece still standing exactly where it was. It isn't listed on any stock exchange, nobody has acquired it, and in the meantime it just keeps growing. It's called Wazuh.

Context 2024-2026

The SIEM map that changed in 24 months

If you've been in defensive security for a while, you know the commercial SIEM market has always been conservative. The big players moved slowly. Customers put up with painful contracts because migrating a SIEM is a serious project, and nobody does it for fun. And then, between the spring of 2024 and the summer of 2025, three things happened that broke that equilibrium.

March 2024 — Cisco buys Splunk for $28 billion

The most expensive move in the history of SIEM. Cisco paid $157 per share, well above what Splunk had been trading at earlier in the year. Before closing the deal, Splunk laid off 7% of its workforce — around 560 people — in a global restructuring. Analyst surveys right before the acquisition already suggested that 22% of customers were considering switching vendors if prices went up after the deal. Those of us who've watched this kind of acquisition play out before know what usually comes next: internal pressure to justify the high purchase price, roadmap shifts, and increasingly tense renewal cycles.

May-September 2024 — Palo Alto Networks buys QRadar SaaS assets

This is the one nobody saw coming. In May 2024, IBM and Palo Alto Networks announced that Palo Alto was acquiring IBM's QRadar SaaS assets for around $500 million, with closing confirmed in September. Forrester summed up the implication in a sentence that QRadar customers are still digesting: when contracts expire, QRadar SaaS customers have to migrate to Cortex XSIAM or move to another vendor. It isn't an opinion, it's the official transition plan.

IBM keeps supporting QRadar on-premise — bug fixes, critical updates, new connectors — so customers with their own installations aren't left stranded overnight. But the underlying message that security committees are reading is clear: the heavy investment is no longer going toward QRadar, it's going toward XSIAM and Precision AI. Many are using that signal to rethink their entire SOC strategy for the medium term.

Meanwhile — Wazuh crosses 10 million downloads a year

This didn't make headlines, because Wazuh doesn't have a PR machine anywhere near the scale of Cisco or Palo Alto. But the numbers are there. According to figures the project publishes itself, Wazuh crosses 10 million annual downloads, maintains one of the largest open source security communities in the world, and in June 2025 rolled out a feature none of its commercial competitors yet offers without a separate licence fee: threat hunting powered by a large language model running locally. We'll come back to that.

An important note on QRadar. At SIXE we still provide official IBM QRadar support and training, and we'll keep doing it as long as there are customers with active deployments. QRadar on-prem is still a solid tool for teams that already have it running and want to get the most out of it. But if you're kicking off a new SIEM project in 2026, or you have QRadar SaaS and the contract is coming up for renewal, the conversation that makes sense right now is a different one. And it runs through Wazuh a lot more often than it did two years ago.
The product

What is Wazuh (beyond the "it's free" line)

If Wazuh were just a cheap log collector, this would be a different conversation. It isn't. Wazuh is a platform that unifies, inside a single agent and a single stack, a long list of functions that the rest of the market sells as separate boxes: SIEM, XDR, endpoint detection, file integrity monitoring, CVE vulnerability scanning, configuration assessment against CIS benchmarks, regulatory compliance and active response. All from the same agent running on Linux, Windows, macOS, Docker containers or virtual machines.

Here's what actually happens, in practice, when a Wazuh agent is deployed on one of your servers:

  • Collects and correlates logs in real time. Syslog, auditd, Windows Event Log, application logs — all with native decoders. Ships them encrypted to the central manager, where rules are evaluated, events are correlated across hosts, and alerts fire when they should.
  • Monitors file and configuration integrity. Any change in /etc, the Windows registry, system binaries or files you've marked as sensitive triggers an immediate alert. This is tamper detection, and it's one of the things you used to have to buy separately.
  • Scans for vulnerabilities against updated CVE databases. Wazuh cross-references the installed package inventory with vendor feeds and official CVE sources, and tells you which machines need patching and at what priority. No need to pay for Tenable or Qualys on top.
  • Audits configuration against CIS Benchmarks. Each agent runs periodic hardening evaluations against CIS policies or your own internal policies, and produces compliance reports ready to present to an auditor.
  • Responds actively. Automatic IP blocking, process kills, host isolation, custom script execution. No one touches the keyboard at three in the morning.
  • Maps everything to MITRE ATT&CK. Every fired rule is tagged with the corresponding ATT&CK technique and tactic, which makes SOC analyst dashboards far more useful than the generic panels most tools ship with.
┌──────────────────────────────────────────────┐ Wazuh Manager (analysis engine · rules · response) └──────┬──────────────┬──────────────┬─────────┘ ┌────▼─────┐ ┌─────▼─────┐ ┌────▼──────┐ Agents │ │ Indexer │ │ Dashboard linux │ │ cluster │ │ windows │ │ OpenSearch│ │ MITRE macos │ │ │ │ compliance docker │ │ → shards │ │ SOC view k8s │ │ → HA │ │ └──────────┘ └───────────┘ └───────────┘

The stack is solid and battle-tested in production. An academic paper published by Springer in April 2026 evaluated distributed Wazuh architectures with high availability and sustained ingestion rates well above the average EPS baseline, and concluded — with the usual careful wording academic papers use — that well-designed open source SIEM solutions can match and in certain aspects surpass commercial platforms. Put in plain English: when somebody who isn't selling Wazuh evaluates Wazuh methodically, the results hold up.

The 2025 headline feature

The ace up the sleeve: threat hunting with a local LLM

In June 2025, almost without fanfare, Wazuh rolled out a capability that changes the way a SOC analyst can work: threat hunting assisted by a large language model running locally. Not in OpenAI's cloud. Locally. In your own infrastructure.

Why does it matter? Because all of the "SIEM with AI" options the commercial market has launched — Cortex XSIAM with Precision AI, Splunk's own AI suite, QRadar's late innovations before the sale — work by sending your logs to the vendor's models. And in many cases, that's precisely the thing the customer legally can't do. If your logs contain patient records, banking data, or classified information from a public administration, shipping them off to a third-party LLM in somebody else's cloud is not a conversation — you just can't.

Wazuh's approach sidesteps that problem entirely. You choose the model. You deploy it where you want. Your data stays where it is. And the queries look exactly like what an analyst would phrase naturally: "show me all privilege escalation attempts from the last month correlated with service accounts", "summarise the events on this host in the last 24 hours and prioritise anything anomalous", "is there anything in these logs that looks like MITRE T1078?".

Our take at SIXE

This is exactly the line we've been working on from the infrastructure side for a while — LLMs running on-premise, never shipping anything to someone else's cloud, for environments that handle sensitive data. We've applied it on IBM Power, on AIX, and on Ceph-plus-Kubernetes clusters built for private inference. When we saw Wazuh moving in the same direction from the SOC side, it was one of the things that made us double down on the platform. If you want the infrastructure side of that story, we cover it in detail on our on-premise AI inference page.

The comparison

Wazuh vs Splunk vs QRadar vs XSIAM in 2026

Cutting through the marketing noise, here's the current state of the four players that come up in most of the conversations we have. All figures and statuses are verifiable as of the publication date of this post.

PlatformStatus 2026Commercial model
WazuhIndependent. No acquisitions, no funding rounds, growing downloads and community.AGPLv3 open source. No licence cost. Wazuh Cloud optional.
SplunkOwned by Cisco since March 2024. 7% workforce reduction pre-close. Integration in progress.Per GB ingested per day. High cost, renewal pressure rising.
QRadar SaaSSold to Palo Alto Networks in 2024. Mandatory migration to Cortex XSIAM when contracts expire.Destination is Cortex XSIAM. Free migration for "qualified customers".
QRadar on-premMaintained by IBM. Bug fixes, connectors, no major new features.IBM licence per EPS. Official support still active.
Cortex XSIAMPalo Alto Networks' strategic product. Integrated AI (Precision AI).Per capacity and features. Positioned at the top of the price range.
Pure ELK / OpenSearchFree, but you build it yourself: rules, decoders, FIM, compliance.Free stack. The real cost is in your own engineering time.

The interesting thing about this table isn't in any single column — it's in what reading the whole thing implies. Four of the six commercial players are in transition, in maintenance mode, or in mandatory migration. Wazuh and ELK are the only ones sitting exactly where they were three years ago, with communities intact and public roadmaps. And of those two, only one ships with SIEM, XDR, FIM, vulnerability scanning, active response and compliance out of the box: Wazuh.

A note on cost. When we compare Wazuh to Splunk in technical sessions with clients, the discussion almost never ends up being about the licence cost — which, yes, is much cheaper. It usually ends up being about predictability. Splunk grows with you: more data ingested, more you pay. Wazuh doesn't. And in an environment where logs grow 30-40% a year — because you're adding new services, because GDPR or NIS2 is forcing you to retain more, because you're running more containers — that difference translates into a bill CFOs read very clearly.

The regulatory angle

Compliance without the pain: GDPR, HIPAA, PCI DSS, NIS2, ISO 27001

There's a very practical reason Wazuh is growing fast in regulated sectors: compliance pressure. GDPR has been in effect for years and keeps getting enforced harder. The EU's NIS2 directive is now being actively transposed across European member states, widening the perimeter of organisations legally required to demonstrate detection, response and resilience. On the other side of the Atlantic, HIPAA audits are taking file integrity monitoring and continuous configuration assessment much more seriously than they used to. And PCI DSS is still PCI DSS. For a lot of mid-sized organisations — hospitals, universities, essential-service operators, financial services — the question isn't whether they need a SIEM anymore. It's which one they can afford without the finance committee raising an eyebrow.

Wazuh ships with dashboards and reports mapped directly to the major regulatory frameworks:

  • GDPR. Event logging controls, data access tracking, incident detection and response, evidence for the breach notification clock.
  • HIPAA. Security rule controls for audit logging, access tracking, integrity of protected health information, incident reporting.
  • PCI DSS. Logging, file integrity, vulnerability management and retention controls — the standard's checklist, mapped requirement by requirement.
  • NIS2. Detection controls, incident traceability, reporting to competent authorities, evidence of risk management measures for essential and important entities.
  • ISO/IEC 27001. Evidence for Annex A controls around operations, communications, compliance and security incident management.
  • CIS Benchmarks. Continuous hardening audits for operating systems and services, with historical drift reporting.

That said — and we say this with affection because we come from this world — dashboards alone don't pass an audit. What passes an audit is that somebody has designed the architecture properly, that the rules are tuned to the client's context, that exceptions are documented, and that the evidence trail gets to the person who has to sign it off in a shape they can actually use. That part isn't the product. It's the team deploying it. And it's probably 70% of the value of a Wazuh project done well.

What we do at SIXE

We've been deploying Wazuh in organisations subject to GDPR, NIS2, PCI DSS and sector-specific regulations for years, across Europe and internationally. The full service page — architecture, deployment cycle, SLAs and use cases — is here: Wazuh implementation and support. If compliance is what's pressing you the most right now, that's the conversation to start with.

The migration

Migrating from Splunk, QRadar or pure ELK without blinding the SOC

Migrating a SIEM is a scary project, and rightly so. A badly migrated SIEM leaves your detection controls blind at exactly the wrong moment. That's why the way we do it has to be boring and predictable, with three principles we don't negotiate on:

  1. Never turn off the old SIEM before the new one is actually working. The old one keeps swallowing logs and firing alerts while Wazuh starts running in parallel. For a few weeks you have double coverage and zero risk. That period is expensive in resources, sure, but a lot cheaper than a month of SOC running blind.
  2. Convert the critical rules first, not the whole catalog. Big SIEMs tend to have thousands of accumulated rules, and a significant fraction of them are rules nobody looks at or that fire false positives. The first pass identifies the 50-150 critical rules that actually produce useful detections, rewrites them in Wazuh's format, and validates them against real events. The rest comes later — or doesn't, because a lot of the time it isn't worth it.
  3. Validate with events that actually hurt, not with synthetic tests. Before we consider Wazuh operational, we reproduce a set of real scenarios — privilege escalation, exfiltration attempts, early-stage ransomware behaviour, account compromise — and check that alerts fire, correlate and reach the SOC with the right context. If they don't, it isn't considered operational. It's that simple.

The part that changes depending on where you're coming from is the conversion work:

  • From Splunk. The most interesting work. SPL (Search Processing Language) doesn't translate automatically into Wazuh rules, but the detection pattern is usually reproducible with custom decoders and rules on top of OpenSearch. We've done several of these migrations and the bulk of the work is in dashboards and rules, not ingestion.
  • From QRadar. The good news is that QRadar and Wazuh share a lot of philosophy around events and offenses. The bad news is that QRadar's DSMs are proprietary and you need to rebuild the parsers. If you're on QRadar SaaS with the XSIAM migration looming, this is a reasonable window to seriously evaluate the third option.
  • From pure ELK. The easiest of the three — Wazuh already uses OpenSearch as its indexer, so you already know a lot of the data stack. The jump is in adding rules, compliance and active response, which in pure ELK you would have had to build by hand.
Next steps

Where to start

If you've read this far and you're thinking "this applies to me more than I'd like", you're probably right. You don't need a huge project to take the first step. The most useful starting point is usually a short conversation around three questions:

  • Where exactly are you right now? On Splunk with renewal coming up? On QRadar SaaS with the XSIAM migration on the horizon? Nothing yet, and GDPR or NIS2 starting to press?
  • What regulation is actually forcing you? GDPR, HIPAA, PCI DSS, NIS2, ISO 27001 — covering one isn't the same as covering all four, and Wazuh's architecture scales differently depending on which ones genuinely apply.
  • How many endpoints, which operating systems, which logs do you already have, which integrations do you need? With those data points we can already sketch a concrete design and a realistic effort estimate.

When you have a clearer idea of what to look at, the full service page — with the architecture, modules, detailed comparison with commercial alternatives, and deployment cycle — is here: Wazuh implementation and support by SIXE. And if you'd rather just talk to somebody who's had their hands inside projects like yours, the 30-minute technical session is free and no-strings. You walk out with a rough architecture, a realistic effort estimate, and the next steps. If Wazuh fits, we'll say so. If it doesn't, we'll say that too.

Further reading

Rethinking your SIEM?

Book a technical session. No commitment.

Tell us where you are, what regulation applies, and what's keeping you up at night. You'll walk out of the call with a rough architecture, an effort estimate, and clear next steps. No generic quotes, no sales pitch — just someone from the engineering team.

Wazuh service — SIXE → WhatsApp
Book a technical session Emergency support Wazuh.com
SIXE