Overview
Citrix is a global leader in secure digital workspaces, enabling 400,000+ customers worldwide to deliver applications, data, and desktops securely from anywhere. By empowering distributed workforces, Citrix helps enterprises provide flexibility without sacrificing security, performance, or user experience.
Challenge
Work is no longer bound to an office, device, or network. Citrix enables over 400,000 customers worldwide to deliver secure digital workspaces accessible from anywhere. But this distributed environment also brings new risks: insider threats, impossible travel logins, suspicious downloads, and data exfiltration attempts.
Traditional SQL databases and Spark jobs couldn’t keep up with the billions of daily telemetry events Citrix needed to ingest, correlate, and analyze. Scaling pipelines was costly and slow, and queries on high-cardinality data often stalled — leaving security teams without the timely insights needed to act.
Solution
Using Druid, Citrix built its analytics product, Citrix Analytics Service, to deliver real-time observability into user behavior, networking events, and application activity. The system ingests 3 billion events per day with sub-minute latency, enabling proactive risk scoring and insider threat detection.
Every user within an organization is assigned a dynamic risk score based on behaviors such as:
- Logins from new devices
- Impossible travel logins (e.g., San Francisco to New York in 10 minutes)
- Data exfiltration attempts
- Excessive failed logins
Security teams can also define custom risk indicators tailored to their environment. These insights trigger automated actions such as logging off a user, recording their session, or adding them to a watchlist.
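To make the risk-scoring model described above concrete, here is an added example that is not Citrix Analytics Service code and does not show how Citrix implements it on Druid. It streams a handful of constructed login events, in time order, through three of the indicators listed (logins from a new device, impossible travel, excessive failed logins), sums per-user weights into a risk score, and maps the score to an action. The indicator weights, the 1000 km/h plausibility ceiling, the five-failures-in-ten-minutes rule, the action thresholds, and the sample events are all assumptions chosen for illustration.

```python
"""Added example: per-user risk scoring over constructed login telemetry.
Not Citrix code; every weight, threshold and event below is an assumption."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumed indicator weights and action policy (illustrative values only).
WEIGHTS = {"new_device": 20, "impossible_travel": 40, "excessive_failed_logins": 30}
ACTIONS = [(70, "log_off"), (50, "record_session"), (30, "watchlist")]
MAX_PLAUSIBLE_KMH = 1000.0                     # faster than this cannot be one person
FAILURE_LIMIT, FAILURE_WINDOW = 5, timedelta(minutes=10)

# Constructed sample telemetry, not real Citrix data:
# (timestamp, user, device_id, city, latitude, longitude, login_succeeded)
EVENTS = [
    ("2024-05-01T09:00:00", "alice", "laptop-1", "San Francisco", 37.77, -122.42, True),
    ("2024-05-01T09:10:00", "alice", "laptop-1", "New York", 40.71, -74.01, True),
    ("2024-05-01T10:00:00", "bob", "desktop-7", "London", 51.51, -0.13, True),
    ("2024-05-01T10:01:00", "bob", "desktop-7", "London", 51.51, -0.13, False),
    ("2024-05-01T10:02:00", "bob", "desktop-7", "London", 51.51, -0.13, False),
    ("2024-05-01T10:03:00", "bob", "desktop-7", "London", 51.51, -0.13, False),
    ("2024-05-01T10:04:00", "bob", "desktop-7", "London", 51.51, -0.13, False),
    ("2024-05-01T10:05:00", "bob", "desktop-7", "London", 51.51, -0.13, False),
    ("2024-05-01T10:06:00", "bob", "phone-9", "London", 51.51, -0.13, True),
    ("2024-05-01T11:00:00", "carol", "tablet-3", "Berlin", 52.52, 13.41, True),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    earth_radius_km = 6371.0
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlam / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def score_events(events):
    """Single pass over time-ordered events; returns (scores, indicators) per user."""
    known_devices = defaultdict(set)      # user -> devices seen on successful logins
    last_success = {}                     # user -> (time, lat, lon) of last good login
    failures = defaultdict(deque)         # user -> timestamps of recent failed logins
    scores, indicators = {}, defaultdict(list)

    def raise_indicator(user, name, detail):
        indicators[user].append((name, detail))
        scores[user] += WEIGHTS[name]

    for ts, user, device, city, lat, lon, ok in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        scores.setdefault(user, 0)
        if not ok:
            window = failures[user]
            window.append(t)
            while window and t - window[0] > FAILURE_WINDOW:   # drop stale failures
                window.popleft()
            if len(window) == FAILURE_LIMIT:                   # fire when the limit is hit
                raise_indicator(user, "excessive_failed_logins",
                                f"{len(window)} failures within {FAILURE_WINDOW}")
            continue
        # Successful login: a device is "new" only once the user has a baseline device.
        if known_devices[user] and device not in known_devices[user]:
            raise_indicator(user, "new_device", device)
        known_devices[user].add(device)
        # Impossible travel: implied speed from the previous successful login.
        if user in last_success:
            t0, lat0, lon0 = last_success[user]
            hours = (t - t0).total_seconds() / 3600
            km = haversine_km(lat0, lon0, lat, lon)
            if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                raise_indicator(user, "impossible_travel",
                                f"{km:.0f} km in {hours * 60:.0f} min to {city}")
        last_success[user] = (t, lat, lon)
    return scores, dict(indicators)


def action_for(score):
    """Highest-severity action whose threshold the score reaches, or None."""
    for threshold, action in ACTIONS:
        if score >= threshold:
            return action
    return None


def report(events):
    """user -> (risk score, automated action) for the given events."""
    scores, _ = score_events(events)
    return {user: (score, action_for(score)) for user, score in scores.items()}


if __name__ == "__main__":
    scores, indicators = score_events(EVENTS)
    for user, (score, action) in report(EVENTS).items():
        print(user, score, action, indicators.get(user, []))
```

Running it puts alice on the watchlist (one impossible-travel indicator: roughly 4,100 km in ten minutes), records bob's session (five failed logins followed by a success from a device he has never used), and leaves carol untouched. In a production pipeline the same per-user state would live in the query layer rather than in Python dictionaries, and the weights would be tuned per tenant; the point here is only the shape of the logic: stateful indicators, additive scoring, and threshold-driven actions.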
“Our internal SLA is one minute from event arrival to insight. That speed is critical for detecting and acting on security risks in real time.”
— Arun Janarthnam, Senior Principal Architect | Citrix
Results
- Real-time threat detection: Analysts detect anomalies in under one minute, stopping insider threats before they escalate
- Scalable ingestion: From 2B to an expected 20B events per day without compromising latency
- High availability: 99.9% uptime with multi-region hot standby architecture
- Operational efficiency: Simplified ingestion pipelines and dimension lookups improved data quality and reduced engineering overhead
- Customer empowerment: Thousands of tenants gain self-service search and visualization for faster investigations
“Two years ago, we were building Citrix Analytics Service with Druid from scratch. Now, Druid has become one of the most critical components in the Citrix Analytics infrastructure.”
— Jungang Wei, Director, Product Development | Citrix
Why It Matters
By delivering real-time observability at global scale, Citrix helps enterprises secure distributed work environments against modern threats. Security teams can act quickly, reduce risk, and protect sensitive data — all without waiting hours for pipelines or batch jobs to complete.
Citrix protects global enterprises with real-time observability built on Apache Druid. That same Druid query engine powers Imply Lumi, the industry’s first Observability Warehouse—delivering the performance, scalability, and efficiency your security teams need to detect and stop threats in real time.
See how Imply Lumi can transform fraud detection and security analytics.