ILLUSTRATIVE LARGE-SCALE EXAMPLE — 2026 ARCHITECTURE

Vantage Platform in Production
A Fortune-100 Global Packet Fabric

3,900 nodes. Four regions + classified air-gap. Continuous 800 Gbps capture. Unified threat hunting, fraud detection, and compliance — all from a single Vantage Query session.

[Figure: Global deployment map showing 4 regions, 3,900 nodes, and central Vantage Query control]

This example shows how a Fortune-100 e-commerce and travel conglomerate deployed the Vantage Platform across 120+ countries to achieve full packet visibility without data movement — enforcing strict zero-trust and data-sovereignty policies using only Vantage Query for management and analysis, and the Virtual Filesystem for seamless tool integration.

Fortune-100 Global Enterprise

Industry: E-commerce & travel conglomerate

Scale: 120+ countries, thousands of web properties, millions of daily transactions

Requirements: Fraud detection, performance monitoring, PCI/GDPR compliance, threat hunting

Constraints: Strict data sovereignty, air-gapped classified zones, zero-trust enforcement across all regions

Sentinel Nodes: 3,900
Geographic & Secure Clusters: 4 Regions + Classified
Aggregate Capture: 800 Gbps+
Central Management: Single Vantage Query Session

How It Was Built

Complete Vantage Query command sequence — from control plane to capture, indexing, security, and analytics. Virtual Filesystem mounted via quarry mount.

1. Global federation setup
-- Global federation (one-time)
quarry> CREATE FEDERATION "acme-global" OWNER "admin@acme.corp"

-- Central control plane (hosted in secure VPC)
quarry> CREATE CONTROLPLANE "vantage-control.acme.corp"
     WITH AUTH oidc "https://auth.acme.corp"
     WITH CERTIFICATE "acme-root-ca.pem"
     WITH AUDIT LOG "s3://acme-audit/global"

-- Security roles (mapped to Acme Active Directory groups)
quarry> CREATE ROLE "noc-global"   LEVEL 12
quarry> CREATE ROLE "noc-regional" LEVEL 10
quarry> CREATE ROLE "analyst"      LEVEL 8
quarry> CREATE ROLE "soc"          LEVEL 15
quarry> CREATE ROLE "ciso"         LEVEL 20

-- Role assignments
quarry> GRANT ROLE "noc-global" TO GROUP "noc@acme.corp"
quarry> GRANT ROLE "soc"        TO GROUP "soc@acme.corp"
quarry> GRANT ROLE "ciso"       TO USER  "ciso@acme.corp"

2. Create geographic regions
-- Geographic regions
quarry> CREATE REGION "americas"   LOCATION "US-VA"
quarry> CREATE REGION "europe"     LOCATION "IE"
quarry> CREATE REGION "apac"       LOCATION "SG"
quarry> CREATE REGION "classified" LOCATION "US-SCIF" SECURITY airgap

-- Production clusters (per region)
quarry> CREATE CLUSTER "us-east-prod"   IN REGION "americas" NODES 1800
quarry> CREATE CLUSTER "eu-west-prod"   IN REGION "europe"   NODES 1200
quarry> CREATE CLUSTER "apac-syd-prod"  IN REGION "apac"     NODES 900

-- Classified / air-gapped cluster
quarry> CREATE CLUSTER "classified-core" IN REGION "classified"
     NODES 300
     SECURITY airgap

3. Provision nodes
-- Provision 3900 nodes worldwide
quarry> PROVISION NODES 3900
     TYPE "800g-capture-pro"
     ASSIGN TO CLUSTERS "us-east-prod", "eu-west-prod", "apac-syd-prod", "classified-core"

-- Physical installation complete (hardware team)
quarry> MARK NODE "node-0001..node-3900" STATUS installed

-- Auto-join when nodes come online
quarry> ON NODE online DO JOIN CLUSTER auto

4. Define macros
quarry> DEFINE MACRO customer-traffic AS
     (ip.src == 10.0.0.0/8 OR ip.dst == 10.0.0.0/8)
     AND NOT ip.src == 10.99.0.0/16

quarry> DEFINE MACRO booking-flow AS
     http.host CONTAINS "acme.com"
     AND http.request.uri CONTAINS "/book/"

quarry> DEFINE MACRO fraud-pattern AS
     meta.stats.requests > 50
     AND meta.stats.duration < 30s
     AND http.status == 200

5. Capture configuration
-- Capture everything (background + customer)
quarry> CAPTURE ALL TRAFFIC
     ON CLUSTERS "us-east-prod", "eu-west-prod", "apac-syd-prod"
     STORE AS "acme-global-2025"
     ENCRYPT LEVEL 12
     INDEX WITH six INTERVAL 1_000_000
     OBFUSCATE pii LEVEL 10

-- High-value customer journeys
quarry> CAPTURE booking-flow
     TAG AS "customer-journey"
     ENCRYPT LEVEL 15
     STORE AS "journeys-2025"
     INDEX WITH mspib

6. Create views and mount
-- Lean view for analysts (99% size reduction)
quarry> CREATE VIEW "lean-customer-journeys" AS
     FROM STORAGE "acme-global-2025"
     WHERE customer-traffic
     REASSEMBLED tcp
     STRIP tunnel
     SLICE payload 128
     HEADERS ONLY
     ENCRYPT LEVEL 12

-- Synthetic load test from real sample
quarry> CREATE VIEW "synth-fraud-test" AS
     FROM TEMPLATE "real-booking-attack.pcapng"
     SCALE TO 10PB
     APPLY traffic-mix { fraud-pattern: 5%, customer-traffic: 95% }

-- Mount globally via Virtual Filesystem
$ quarry mount --cluster global /silos

7. Query flows and DNS
-- Top fraud flows (last 24h)
quarry> FIND FLOWS WHERE fraud-pattern
     DURING LAST 24h
     GROUP BY meta.tuple
     ORDER BY count(*) DESC
     LIMIT 100

-- Slow customer experience (>10s booking)
quarry> SHOW FLOWS WHERE booking-flow
     AND meta.stats.duration > 10s
     DURING LAST 7 DAYS
     LIMIT 1000

-- DNS exfiltration detection
quarry> SHOW DNS WHERE meta.stats.bytes > 10MB
     OR dns.qry.name LENGTH > 100
     DURING LAST 30 DAYS
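
Added example (not Vantage or quarry code, and not part of the original page): the customer-traffic and fraud-pattern macros from step 4 and the DNS exfiltration query above, written as Python predicates so their boundary behaviour can be checked. The Flow record, the reading of 10MB as 10,000,000 bytes, and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

MB = 1_000_000  # assumption: decimal megabytes; the page does not define the unit
NET_10 = ipaddress.ip_network("10.0.0.0/8")
NET_EXCL = ipaddress.ip_network("10.99.0.0/16")

@dataclass
class Flow:  # hypothetical record; fields stand in for the page's field names
    src: str                 # ip.src
    dst: str                 # ip.dst
    requests: int = 0        # meta.stats.requests
    duration_s: float = 0.0  # meta.stats.duration, in seconds
    status: int = 0          # http.status
    total_bytes: int = 0     # meta.stats.bytes
    qname: str = ""          # dns.qry.name

def customer_traffic(f: Flow) -> bool:
    # Only the source is excluded, so flows *to* 10.99.0.0/16 still match.
    src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
    return (src in NET_10 or dst in NET_10) and src not in NET_EXCL

def fraud_pattern(f: Flow) -> bool:
    # Strict comparisons: exactly 50 requests or exactly 30 s does not match.
    return f.requests > 50 and f.duration_s < 30 and f.status == 200

def dns_exfil_reasons(f: Flow) -> list:
    # Report which arm of the OR fired, to separate volume from long encoded names.
    reasons = []
    if f.total_bytes > 10 * MB:
        reasons.append("bytes")
    if len(f.qname) > 100:
        reasons.append("qname-length")
    return reasons

SAMPLES = {  # constructed sample records (documentation addresses), not real traffic
    "burst": Flow("203.0.113.7", "10.1.2.3", requests=51, duration_s=29.9, status=200),
    "at-limit": Flow("203.0.113.8", "10.1.2.3", requests=50, duration_s=12.0, status=200),
    "from-excl": Flow("10.99.4.4", "10.1.2.3"),
    "to-excl": Flow("10.1.2.3", "10.99.4.4"),
    "long-name": Flow("10.1.2.9", "198.51.100.53", qname="x" * 50 + "." + "x" * 50 + ".example.test"),
    "name-100": Flow("10.1.2.9", "198.51.100.53", qname="x" * 43 + "." + "x" * 43 + ".example.test"),
}

def evaluate(samples=SAMPLES) -> dict:
    return {k: (customer_traffic(f), fraud_pattern(f), dns_exfil_reasons(f)) for k, f in samples.items()}

if __name__ == "__main__":
    print(evaluate())
```
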

8. Events and schedules
-- Auto-escalate PII exposure
quarry> ON PACKET WHERE meta.tuple CONTAINS "creditcard|ssn|passport"
     DO ENCRYPT LEVEL 18
     AND NOTIFY security@acme.corp

-- Daily GDPR report
quarry> SCHEDULE DAILY AT 03:00
     REPORT "gdpr-exposure"
     WHERE meta.tuple CONTAINS "IMSI|IMEI|passport"
     EXPORT TO "s3://acme-compliance/gdpr-{{date}}.csv"

9. Status and monitoring
-- Overloaded nodes
quarry> SHOW NODES WHERE cpu > 80% DURING LAST 1h

-- Storage usage by cluster
quarry> SHOW STORAGE USAGE BY CLUSTER

-- License status
quarry> SHOW LICENSES

Key Outcomes

Single Vantage Query session controls 3,900 nodes across 4 global regions

No data movement — analysis runs where packets live, enforcing data sovereignty

Inline PII obfuscation and tokens eliminate petabyte re-processing

Continuous edge-based fraud detection at 800 Gbps+ aggregate capture

Full chain-of-custody compliance exports with ExaLedger audit trails

Air-gapped classified region isolated yet centrally managed via Vantage Query

This illustrates a realistic large-scale deployment using the Vantage Platform architecture targeted for 2026. Node counts, macros, security levels, and exact policies are customer-specific. Global federation features become generally available H2 2026.
