An Endpoint Telemetry Blueprint for Security Teams
- Track: Security
- Room: UB5.132
- Day: Saturday
- Start (UTC+1): 12:30
- End (UTC+1): 12:55
Endpoints are where most security incidents begin. Compromises often start with phishing, software vulnerabilities, or simple misconfigurations on individual laptops and servers. Modern security teams rely on endpoint telemetry for detection, investigation, and response. But for many engineers, this part of the stack remains opaque and difficult to reason about.
This talk presents a practical, open-source blueprint for building an endpoint telemetry pipeline that engineers can actually understand and evolve. We start with osquery, a Linux Foundation project that exposes endpoint state as structured, queryable data. On top of that, we build a layered system with clear responsibilities. This includes a control layer for intent and coordination, a data layer responsible for ingestion, buffering, streaming, and storage, a detection and intelligence layer with inspectable logic, and a correlation and response layer designed for humans in the loop.
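To make the "detection and intelligence layer with inspectable logic" concrete, here is an added example (not code from the talk or its speaker): a small Python detection pass over the differential result lines that osquery's filesystem or TLS logger emits, where each line is a JSON object with fields such as name, hostIdentifier, unixTime, action and columns. The sample lines are constructed in that shape; the scheduled-query names, rule names, hostnames and thresholds are assumptions for illustration, while the table and column names in the SQL come from osquery's own schema.

```python
"""Inspectable detection rules over osquery scheduled-query results.

Added example, not part of the talk. The log lines below are constructed to
match the shape of osquery differential output; hostnames and query names
are assumptions.
"""
import json
from dataclasses import dataclass
from typing import Callable, Iterable

# The scheduled queries the rules consume. This is the "schedule" section of an
# osquery config; listening_ports and processes are real osquery tables, the
# query names and intervals are assumptions.
SCHEDULE = {
    "listening_procs": {
        "query": "SELECT p.pid, p.name, l.address, l.port "
                 "FROM listening_ports l JOIN processes p USING (pid);",
        "interval": 60,
    },
    "deleted_binaries": {
        "query": "SELECT pid, name, path, on_disk FROM processes WHERE on_disk = 0;",
        "interval": 60,
    },
}


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    unix_time: int
    detail: str


@dataclass(frozen=True)
class Rule:
    name: str
    query_name: str                     # scheduled query this rule reads
    predicate: Callable[[dict], bool]   # plain predicate over the row's columns
    describe: Callable[[dict], str]


# Rules as data: a reviewer can read exactly why an alert fires.
# osquery logs every column value as a string, hence the string comparisons.
RULES = [
    Rule(
        name="shell_with_network_listener",
        query_name="listening_procs",
        predicate=lambda c: c.get("name") in {"sh", "bash", "nc", "ncat"}
                            and c.get("port") not in ("", None),
        describe=lambda c: f'{c["name"]} (pid {c["pid"]}) listening on {c["address"]}:{c["port"]}',
    ),
    Rule(
        name="process_binary_deleted",
        query_name="deleted_binaries",
        predicate=lambda c: c.get("on_disk") == "0",
        describe=lambda c: f'{c["name"]} (pid {c["pid"]}) running from deleted path {c["path"]}',
    ),
]


def parse_result_lines(lines: Iterable[str]) -> list[dict]:
    """Parse differential result lines. Malformed lines are skipped rather than
    raised: an ingestion layer must survive one truncated line in a buffer.
    "removed" rows describe state that went away and are not alerted on."""
    rows = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if obj.get("action") != "added" or not isinstance(obj.get("columns"), dict):
            continue
        rows.append(obj)
    return rows


def run_rules(rows: list[dict], rules: list[Rule] = RULES) -> list[Alert]:
    """Apply every rule whose query_name matches the row's scheduled query."""
    alerts = []
    for row in rows:
        cols = row["columns"]
        for rule in rules:
            if rule.query_name == row.get("name") and rule.predicate(cols):
                alerts.append(Alert(rule.name, row.get("hostIdentifier", "?"),
                                    int(row.get("unixTime", 0)), rule.describe(cols)))
    return alerts


def detect(log_text: str) -> list[Alert]:
    return run_rules(parse_result_lines(log_text.splitlines()))


# Constructed sample: two scheduled queries, one "removed" row, one garbled line.
SAMPLE_LOG = """
{"name":"listening_procs","hostIdentifier":"web-01","unixTime":1700000000,"action":"added","columns":{"pid":"4242","name":"bash","address":"0.0.0.0","port":"4444"}}
{"name":"listening_procs","hostIdentifier":"web-01","unixTime":1700000000,"action":"added","columns":{"pid":"812","name":"nginx","address":"0.0.0.0","port":"443"}}
{"name":"deleted_binaries","hostIdentifier":"db-02","unixTime":1700000060,"action":"added","columns":{"pid":"9001","name":"kworkerd","path":"/tmp/.x/kworkerd","on_disk":"0"}}
{"name":"deleted_binaries","hostIdentifier":"db-02","unixTime":1700000060,"action":"removed","columns":{"pid":"77","name":"sshd","path":"/usr/sbin/sshd","on_disk":"0"}}
this line was truncated mid-write {
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.rule}] {a.host} @ {a.unix_time}: {a.detail}")
```

The point of keeping rules as plain predicates beside the SQL they consume is that every alert can be traced to a scheduled query and a readable condition, which is what makes the layer inspectable; swapping the predicate list for a config file or a rule engine changes the packaging, not the contract between the data layer and the detection layer.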
Rather than pitching a product, this talk focuses on boundaries, contracts, and tradeoffs. We walk through real-world design decisions and common failure modes. We also explore why ownership of telemetry matters more than any single tool. Attendees will leave with a mental model they can adapt, a stack they can run locally, and the confidence to build endpoint security systems that are transparent, flexible, and defensible without relying on closed platforms.
Speakers
- Victor Lyuboslavsky