On the cyber battlefield, where a state-sponsored attacker can compromise credentials and move laterally through a military network in just 18 minutes and 49 seconds, every second of detection delay can mean the difference between defending critical infrastructure and losing it. Yet for years, the cybersecurity industry accepted as normal that its analytics tools took up to 15 minutes to process a single security log.
This is the story of Devo, the chronicle of how a self-taught chemist from Madrid identified that absurd gap in the trenches of a Spanish bank, founded a startup that investors tried to wrestle away from him, and ended up building the real-time data engine that today protects the networks of the United States Air Force. A journey from the operational chokepoints of the financial sector to unicorn status at a $1.9 billion valuation.

The Origin: A Phishing Attack and an Obsession with Speed
Devo’s seed didn’t germinate in a Silicon Valley garage, but in the crisis room of Bankinter in 2003. Pedro Castillo doesn’t fit the mold of the conventional tech entrepreneur. A graduate in Chemical Sciences from the Universidad Complutense de Madrid, he discovered his true calling by chance when he stumbled upon a Silicon Graphics computer in his faculty, sparking a fascination that led him to learn programming entirely on his own.
In the mid-1990s, when the internet was still the exclusive domain of universities and government agencies, Castillo was already providing advanced IT services to corporations like El Corte Inglés, Spain’s largest department store chain. That early experience culminated in the founding of Webline in 1996, his first cybersecurity company, which opened the doors to Spain’s financial sector. Bankinter, one of the country’s most innovative banks, recruited him and eventually elevated him to Director of Technology Security.
It was precisely in those banking trenches where everything changed. In 2003, a sophisticated phishing attack struck Bankinter. Castillo and his team hit a paralyzing obstacle: the tools of the era were incapable of ingesting and correlating the massive volumes of data generated by servers, firewalls, and network traffic fast enough to stop the attack before fraud was committed. Existing solutions imposed an impossible choice: pay exorbitant costs to store everything, or filter the data and create “blind spots” that attackers would inevitably exploit.
Obsessed with unlocking the value of raw data, Castillo left his comfortable executive position and founded Logtrust in Madrid in 2011. His philosophy was radical: while other startups rushed to conferences and press coverage, he and his team entrenched themselves in software development, building a database engine from scratch. A product that was, in his own words, “absolutely differential.”
The Technological Revolution: HyperStream and Zero Latency
Why did Devo manage to dethrone giants like Splunk in multiple bids? The answer lies in a radical reengineering of security data processing.
The industry standard, dominated by Splunk, relied on index-on-ingest: data had to be parsed, normalized, and structured into a massive index before being stored. This design created three critical weaknesses:
- Lethal delay: In high-volume environments, events took over 15 minutes to become available to the analyst.
- Resource contention: Index reading and writing shared CPU resources, degrading performance precisely when speed was most urgent.
- Prohibitive costs: Maintaining petabyte-scale indexes forced executives to create “blind spots,” leaving up to a third of their systems unmonitored.
Devo completely discarded traditional indexing and built HyperStream, a proprietary streaming analytics technology based on opposing principles:
- Ingest without normalization: Data is stored in its original format. The platform applies the schema at query time (schema-on-read), not at ingestion.
- Immutable micro-indexes: Instead of a global index, HyperStream creates a daily micro-index per data source that, once generated, is never rewritten. The result: 10:1 compression and massive parallelization.
- Zero latency: Telemetry is available for alerts and searches at the exact millisecond it hits disk.
The convergence of these innovations enabled an unprecedented achievement: maintaining 400 days of “always-hot” data, queryable in under a second. While competitors archived old data in cold, inaccessible storage, a forensic analyst using Devo could investigate a year-old intrusion with the same speed as if it had occurred five minutes ago.
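A toy model of the storage design described above, added here as an illustration and not Devo's HyperStream code: raw lines are appended unparsed into one partition per source and day, a sealed partition is never rewritten, and the schema is applied only when a query runs. `RawStore`, its methods and the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone


class RawStore:
    """Append-only store: one partition per (source, UTC day), lines kept raw."""

    def __init__(self):
        self._open = defaultdict(list)  # (source, day) -> [(epoch, raw_line)]
        self._sealed = {}               # (source, day) -> immutable tuple

    def ingest(self, source, epoch, raw_line):
        day = datetime.fromtimestamp(epoch, timezone.utc).date().isoformat()
        key = (source, day)
        if key in self._sealed:
            raise ValueError(f"partition {key} is sealed and never rewritten")
        self._open[key].append((epoch, raw_line))  # no parsing at ingest

    def seal(self, source, day):
        """Freeze a day's partition; later writes to it are rejected."""
        self._sealed[(source, day)] = tuple(self._open.pop((source, day), ()))

    def query(self, source, days, parser):
        """Schema-on-read: touch only the requested partitions, parse lazily."""
        for day in days:
            key = (source, day)
            for epoch, raw in self._sealed.get(key, self._open.get(key, ())):
                fields = parser(raw)
                if fields is not None:  # unmatched lines stay stored, just skipped
                    yield {"ts": epoch, **fields}


SSH_FAIL = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+)"
)


def parse_ssh_fail(raw):
    """A schema defined independently of ingestion; returns None if no match."""
    m = SSH_FAIL.search(raw)
    return m.groupdict() if m else None


def build_store():
    """Constructed sample lines (not real telemetry), all on 2023-11-14 UTC."""
    store = RawStore()
    t0 = 1700000000
    store.ingest("sshd", t0, "Failed password for root from 203.0.113.7 port 4242 ssh2")
    store.ingest("sshd", t0 + 5, "Accepted publickey for alice from 198.51.100.9 port 50022")
    store.ingest("sshd", t0 + 9, "Failed password for invalid user admin from 203.0.113.7 port 4243 ssh2")
    store.seal("sshd", "2023-11-14")
    return store
```

Because nothing is normalized at ingest, a parser written after the data was stored (for example, one extracting accepted logins) can be run over the same sealed partition without re-ingesting anything.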
The Trial by Fire: Defending U.S. Air Force Networks
HyperStream’s definitive validation came in July 2020, when Devo was awarded a $9.5 million contract with the United States Air Force to deploy its technology as the central SIEM for the Enterprise Cyberspace Security & Defense program.
The situation was critical: cyber squadrons operated on a SIEM dating back to 1999 that aggregated up to 70 disconnected applications, generating over 8 million daily alerts with no automated correlation capability. The operational environment was, as senior commanders described it, analogous to a cockpit where the pilot had to press 40 different buttons just to fire a single missile. The military’s “12N12” initiative demanded a drastic but necessary consolidation: replacing those 70 chaotic applications with approximately 12 functional tools within 12 months.
The results of Devo’s deployment were transformative:
- A single pane of glass that eliminated operational fragmentation.
- Over 20,000 human hours saved in manual threat triage.
- Reorientation of cyber analysts from repetitive tasks to proactive threat hunting against state-sponsored actors.
The Venture Capital Crucible: From Boardroom Battles to Unicorn Status
Devo’s financial journey was as intense as its engineering. In early 2017, the first $11 million round brought what Castillo described as a “terrible situation”: investors attempted to force his removal as CEO to install an external corporate profile. The intervention of Insight Partners, which led a $35 million Series B, stabilized governance and backed the founder’s technical vision.
In 2018, coinciding with the Series C, Logtrust was rebranded as Devo (a contraction of “Data Evolution”) and relocated its headquarters to Cambridge/Boston, Massachusetts—establishing its commercial epicenter in the world’s most competitive tech market—while keeping its engineering heart in Madrid. The name change was no mere marketing exercise: Devo was no longer just a log repository but a true data operations platform capable of unifying historical and streaming data from applications, IT operations, security, IoT, and industrial machines. The hypergrowth that followed was explosive: 80% year-over-year revenue growth and an astonishing 136% client growth by 2021.
| Round | Date | Capital | Lead Investor(s) | Milestone |
|---|---|---|---|---|
| Venture Round | Jan 2017 | $11M | Kibo Ventures, Atlantic Bridge | Initial expansion |
| Series B | Sep 2017 | $35M | Insight Partners | Leadership stabilization |
| Series C | Jun 2018 | $25M | Insight Partners, Kibo Ventures | Devo rebrand; HQ to Boston |
| Series D | Sep 2020 | $60M | Georgian, Bessemer Venture | Marc van Zadelhoff, new CEO |
| Series E | Oct 2021 | $250M | TCV, General Atlantic, Eurazeo | Unicorn: $1.5B |
| Series F | Jun 2022 | $100M | TCV, Insight, Bessemer | Valuation: $1.9B |
The Future: Agentic AI and Strike48
But massive ingestion isn’t enough if the organization cannot respond to findings with equal speed. The contemporary Security Operations Center (SOC) suffers from a systemic ailment: alert fatigue. An average corporate SOC receives over 4,400 daily alerts from more than 28 different security tools, and 53% of those alerts are false positives that consume irretrievable time. With a global shortage estimated at 4.8 million cybersecurity professionals, automation has ceased to be a luxury and become an existential necessity.
In 2026, Devo leaped forward into Agentic Artificial Intelligence with the launch of Strike48. Instead of copilots that passively assist the analyst, Strike48 deploys a squadron of autonomous micro-agents that execute complex investigations: correlating alerts, identifying “patient zero,” collecting forensic evidence, and building visual evidence trees, stopping only for human approval of irreversible actions.
The architecture also solves a devastating problem: companies monitor only 66% of their systems due to budget constraints imposed by legacy SIEMs. Strike48’s connectors query data directly where it resides—AWS buckets, data lakes, existing Splunk installations—without duplicating storage, granting the AI agents the omniscient visibility needed to detect what previously lurked in the shadows. In early trial deployments, this model reduced Mean Time to Detection (MTTD) to under eight minutes, uncovering stealthy campaigns that legacy tools had completely missed.
As a final note in this trajectory: having consolidated Devo as an undisputed titan, Pedro Castillo proved his serial-entrepreneur credentials by founding Onum in 2023, a platform to reduce data pipeline noise by 80%. The validation was swift: in August 2025, it was acquired by CrowdStrike.
Conclusion: Engineering Against Dogma
The story of Devo demonstrates that transformational change doesn’t spring from bold commercial strategies, but from the stubborn engineering conviction to question accepted dogma. While the entire industry kept building bigger indexes, a self-taught chemist from Madrid asked: “What if the index is the problem?”
That question, answered through a decade of obsessive engineering and the resilience to survive venture capital power plays, produced an engine capable of protecting everything from a Spanish bank to the most demanding military cyberspace on the planet. Pedro Castillo’s journey—from a chemistry lab at the Complutense to the innovation hubs of Massachusetts, through the banking trenches of Madrid—is a powerful reminder that, in the age of Big Data, battles aren’t won with more ammunition, but with faster weapons. And in that arena, the machine-speed processing that Devo has mastered may well be the only reliable defense against threats that operate at that very same speed.