BrickStor SP vs Dell PowerScale: native Cyberstorage vs scale-out NAS with add-on security
Dell PowerScale (formerly Isilon) is the incumbent scale-out NAS, proven over two decades at streaming large files across very large namespaces. The question for buyers is not whether OneFS can scale. It is where the security lives: PowerScale's threat detection is separately purchased add-on software running outside the array, while BrickStor SP builds detection, response, and recovery into the storage itself. This page compares the two across storage, security, and performance.
A data platform with security around it vs a platform where security is the storage
Dell PowerScale runs OneFS, a clustered file system engineered to present one namespace across many nodes and move large files fast. Its security model reflects that lineage: the platform provides hardening and audit plumbing, and the actual threat detection is delivered by add-on software. Dell's own OneFS security documentation directs customers to Superna for behavioral detection, and in August 2025 Dell began selling that Superna stack directly as the PowerScale Cybersecurity Suite, a set of separately purchased bundles. Cyber vaulting is another separate product line, PowerProtect Cyber Recovery.
BrickStor SP was engineered from the first line of code as storage that defends itself. Patented Active Defense evaluates every read, write, and delete inline in the data path. ABAC governs every SMB, NFS, S3, and Web Drive operation. ImmutaVault provides a virtual air gap inside the platform, per-dataset encryption keys enable true cryptoshred, and patented Intelligent Bulk Remediation rolls back only the files an attack touched. All of it runs on the controller, in one license, with no separate security infrastructure to buy, deploy, or defend.
Why this matters: with PowerScale you assemble data defense from licensed modules, add-on bundles, and a separate vault product. With BrickStor SP, the defense is the platform.
Credit where it's due
Proven scale-out. OneFS has two decades of production history presenting a single namespace across large clusters. For media and entertainment, genomics, and research archives with big files and big footprints, it is a mature, well-understood choice.
Broad protocol coverage. SMB, NFS, S3, HDFS, HTTP, and FTP against one namespace, with S3 maturing steadily (Object Lock landed in OneFS 9.12).
A large ecosystem. Dell's install base, channel, and validated-design library are real advantages for organizations standardized on Dell infrastructure.
If the problem you are solving is petabyte-scale streaming of large files, PowerScale belongs on your shortlist. The comparison below is about a different problem: defending live unstructured data against ransomware, insider misuse, and data theft, at the layer where those attacks actually execute.
Storage capabilities side by side
| Capability | RackTop BrickStor SP | Dell PowerScale (OneFS) |
|---|---|---|
| Platform design center | Purpose-built primary Cyberstorage NAS. Serving and defending live unstructured data is the same system. | Scale-out clustered NAS (OneFS) built for large namespaces and streaming throughput. Security is added around it. |
| Protocols | SMB, NFS, S3, and Web Drive from the same dataset, governed by one ABAC policy framework. | SMB, NFS, S3, HDFS, HTTP, and FTP in a single namespace. No browser-based file access. |
| Snapshots and replication | Policy-driven immutable snapshots with sub-minute RPO and asynchronous replication, built into the platform. | SnapshotIQ and SyncIQ, each a separately licensed module. S3 Object Lock arrived in OneFS 9.12 (August 2025). |
| Tiering | Patented Transparent Data Movement: policy tiering to S3, NFS, or another BrickStor while files stay accessible at the original path. Tiering to external storage or cloud S3 is licensed separately per GB. | SmartPools (within the cluster) and CloudPools (to cloud object), each separately licensed. |
| Encryption granularity | Per-dataset AES-256 encryption keys with true cryptoshred, plus a FIPS 140-3 validated hardware layer. Destroy one dataset’s keys without touching anything else. | Self-encrypting drives only. Encryption is a whole-drive property decided at hardware purchase; no per-dataset or per-share encryption is documented. |
| Licensing model | One platform license. Active Defense, ImmutaVault, Intelligent Bulk Remediation, ABAC, and audit are included. TDM to external storage or cloud S3 adds a per-GB license. | Roughly ten separately licensed modules (SnapshotIQ, SyncIQ, SmartPools, CloudPools, SmartLock, SmartQuotas, SmartDedupe, SmartConnect Advanced, HDFS, Hardening), plus the add-on Cybersecurity Suite bundles. |
| Migration onto the platform | Seamless migration from any NAS or NFS/SMB file share. With GHOST, users cut over first, in hours, and data migrates in the background with Cyberstorage protections active from the cutover line. | Traditional copy-based migration: copy the files with host-side or partner tooling, run incremental syncs to catch up with changes, then take a planned outage window to cut users over. |
| Entry point and deployment | Physical appliance, SAN gateway (iSCSI / Fibre Channel), or virtual appliance on KVM, Hyper-V, ESXi, AWS, Azure, and Google Cloud. | Minimum three-node cluster on Dell hardware; APEX file services in cloud. |
Security capabilities side by side
The decisive difference is structural: on PowerScale, detection and vaulting are products you add and operate around the storage. On BrickStor SP, they are properties of the storage.
| Capability | RackTop BrickStor SP | Dell PowerScale + Cybersecurity Suite / PowerProtect |
|---|---|---|
| Detection model | Patented Active Defense: behavioral evaluation of every read, write, and delete, inline in the storage data path. No training or learning period is required, and because the analysis is behavioral rather than signature-based, it detects and stops zero-day attacks. | Nothing native in OneFS. Dell’s own OneFS Security Considerations paper points to Superna for behavioral detection; the PowerScale Cybersecurity Suite (August 2025) packages Superna software as add-on bundles. |
| Response model | Offending session terminated in under a second, before mass encryption or exfiltration spreads. | The add-on layer consumes audit events in a separate VM cluster, then issues lockout calls back to the array after processing. |
| Data theft and exfiltration | Active Defense analyzes read behavior, not just writes. Bulk copying, abnormal access patterns, and staged exfiltration are detected and stopped live. | No native capability. Exfiltration visibility requires the Superna-powered add-on or third-party analytics consuming the audit feed, out of band. |
| Access control | Full Active Directory and LDAP integration with POSIX permissions and fine-grained ACLs. Native ABAC enforced across all protocols, including NFS 4.2 context security labels, with per-dataset integration with external ABAC policy engines. | POSIX and AD ACLs with RBAC for administration. No attribute-based policy in the data path. |
| Immutability and cyber vaulting | Patented ImmutaVault: a virtual air gap inside the platform, no second environment to license or operate. | SmartLock WORM (licensed) on-cluster; vaulting is a separate purchase, either the Airgap Vault bundle or the separate PowerProtect Cyber Recovery product and infrastructure. |
| Encryption and cryptoshred | Per-dataset keys enable instant cryptoshred for spillage response and secure decommissioning. | Drive-level SED cryptoshred only. There is no way to cryptographically destroy one share or dataset. |
| Forensics and audit | Immutable, tamper-evident record of every file operation with user, session, and client context, streamed to SIEM and SOAR. | Protocol audit is a raw feed shipped over the Common Event Enabler to external tools. Analysis and detection are entirely external. |
| The defense as an attack surface | None separate. The defense is the storage system; it cannot be disabled without disabling the storage itself. | The detection layer runs as a separate multi-VM cluster that is discoverable on the network and depends on a continuous audit stream. Disabling it reverts PowerScale to storage without active defense. |
| Cyber recovery | Patented Intelligent Bulk Remediation: surgical, file-level rollback driven by the platform’s own forensic record. Sub-minute RPO. | Snapshot rollback or vault restore. Recovery granularity is the snapshot, not the attack. |
Performance architecture side by side
Neither vendor publishes audited head-to-head benchmarks, so honest performance comparison starts with what each data path was engineered to optimize, and what each vendor documents about its own limits.
| Capability | RackTop BrickStor SP | Dell PowerScale (OneFS) |
|---|---|---|
| Workload design point | Primary, latency-sensitive mixed workloads: user shares, project data, engineering, media, and analytics pipelines. | Scale-out streaming throughput for large files and large namespaces: media, genomics, archives. A genuine strength at that job. |
| Small-file and metadata-heavy workloads | Variable record sizes and RAM-based caching tuned per dataset, sized for mixed enterprise file activity. | A documented weak spot. OneFS’s large stripe unit penalizes small files, and Dell’s own guidance prescribes SSD metadata acceleration to mitigate slow directory and small-file operations. |
| Where the security work happens | On-controller, per-operation, with no external hop in the I/O path. RAM is the primary caching layer, which gives the platform the headroom to run its behavioral security functions without impacting user experience or application performance. | In a separate analytics tier after audit events are generated, shipped, and processed. No inline cost, but no inline protection either. |
| High-performance configurations | All-flash and hybrid appliances; SAN gateway pairs BrickStor with high-performance block arrays for HA secure NAS. | All-flash (F-series) through archive (A-series) node pools; performance scales with node count and cluster balance. |
Comparison based on publicly available product documentation, license guides, and peer reviews as of mid-2026. Vendor capabilities evolve; contact us if you believe any entry is out of date and we will validate against the current release. For workload-specific performance, run a proof of concept against your real data profile.
What the public record says about PowerScale
To be clear about what the record shows: PowerScale reviews are broadly positive for scale-out file serving, and the platform's maturity is not in dispute. The public critiques are specific, and several of them are documented by Dell itself.
Security is a dependency, not a property. Dell's own OneFS Security Considerations white paper points to Superna for behavioral threat detection, and the PowerScale Cybersecurity Suite that Dell launched in August 2025 is Superna software sold as add-on bundles, documented as compatible with new deployments only. The vault story requires either that suite's Airgap bundle or the separate PowerProtect Cyber Recovery product. None of this is hidden; it is Dell's published architecture.
Small-file and metadata workloads are a documented weak spot. OneFS's stripe architecture penalizes small files, Dell's own best-practice guidance prescribes SSD metadata acceleration as the mitigation, and user communities report slow directory operations on small-file datasets. For primary enterprise shares, small files and heavy metadata are the daily workload, not the exception.
Cost and operational texture. The most repeated reviewer theme across PeerSpot and Gartner Peer Insights is price, and in particular renewal and expansion cost escalation. Reviewers and Dell's own documentation also describe roughly ten separately licensed feature modules, long major-version upgrades (a pain trail Dell has been fixing release by release, culminating in 9.12's one-click upgrades), and monitoring limitations: InsightIQ documents a snapshot ceiling and does not support FIPS or STIG-hardened clusters at all, which is a hard problem for the hardened federal sites that need analytics most.
BrickStor SP is the other side of each of those boundaries: detection, vaulting, recovery, ABAC, and audit are native properties of one platform under one license, small-file behavior is tuned per dataset with variable record sizes and RAM caching, and the platform is engineered to run fully capable in FIPS and STIG-hardened, air-gapped environments.
Add-on defense can be removed. Built-in defense cannot.
PowerScale's detection layer runs as a separate cluster of virtual machines that consumes audit events off the array and issues lockout calls back to it. That design has two consequences buyers should weigh.
First, the loop is reactive: events must be generated by OneFS, shipped over the network, and processed before any response can begin. Second, and more important, the defense itself is a discoverable network resource. Disabling backup infrastructure and security tooling before the main attack is now standard adversary tradecraft. If the add-on cluster is compromised, isolated, or simply powered off, PowerScale reverts to what OneFS is natively: storage with audit plumbing and no active defense.
BrickStor SP does not have a defense that can be found and switched off.
Active Defense, ABAC, ImmutaVault, and the forensic record are the storage operating environment. Every read and write passes through the defense because the defense is the system serving the I/O. An attacker cannot disable it without disabling the storage, and disabling the storage prevents the theft or destruction the attacker came for in the first place.
Pick the platform that matches the job
Choose PowerScale if
Your problem is petabyte-scale streaming of large files: media production, genomics pipelines, or research archives where namespace scale and sequential throughput dominate. You are standardized on Dell infrastructure, your team already operates OneFS, and you are comfortable assembling security from licensed modules, the add-on Cybersecurity Suite, and a separate vault product, and operating that stack alongside the storage.
Choose BrickStor SP if
Your problem is the live data itself: primary unstructured data that must be served fast and defended in real time against ransomware, insider misuse, and data theft. You need ABAC on SMB, NFS, S3, and Web Drive for federal, regulated, or coalition workloads; per-dataset encryption with cryptoshred for spillage response; sub-minute recovery points with surgical rollback; and a platform that stays fully capable in FIPS and STIG-hardened, air-gapped environments. Many organizations run both, keeping PowerScale for bulk scale-out workloads while BrickStor SP defends the highest-risk shares.
Two companies, two missions
- 2001
Isilon Systems founded, pioneering scale-out clustered NAS.
- 2010
RackTop founded by veterans of the U.S. Intelligence Community. EMC acquires Isilon in November for $2.25B.
- 2018
RackTop coins CyberConverged™ Storage and ships the first NAS with security built into the storage layer.
- 2020
Dell rebrands Isilon as PowerScale (June). RackTop ships Active Defense (October), the first inline threat detection in a NAS data path.
- 2021
Gartner introduces the term “Cyberstorage.”
- 2024
Active Defense patent issued: U.S. Patent No. 11,868,495 B2 (Jan 9, 2024).
- 2025
ImmutaVault patent issued (Feb 4) and Transparent Data Movement patent issued (Jun 17). Dell launches the PowerScale Cybersecurity Suite in August: Superna-powered security sold as add-on bundles.
- 2026
Intelligent Bulk Remediation patent issued: U.S. Patent No. 12,561,437 B2 (Feb 24, 2026).
BrickStor SP vs. Dell PowerScale, answered
- No. OneFS provides platform hardening (MFA, firewall, STIG profiles) and audit plumbing, but Dell’s own OneFS Security Considerations white paper directs customers to Superna for behavioral threat detection. In August 2025 Dell productized that dependency as the PowerScale Cybersecurity Suite, a set of separately purchased bundles powered by Superna software, documented as compatible with new deployments only. BrickStor SP’s patented Active Defense is native to the platform: it ships in the product, runs inline in the data path, and cannot be unbundled from the storage.
- Not natively. OneFS generates protocol audit events and forwards them through the Common Event Enabler to external tools; any exfiltration analytics happen in that external layer, after the fact. BrickStor SP’s Active Defense analyzes read behavior live, inline, and terminates a bulk-copy or staged-exfiltration session while the data is still in your possession. With double extortion now leading with theft rather than encryption, defense that only exists as an out-of-band add-on misses the half of the attack that restore can never fix.
- No. PowerScale data-at-rest encryption is delivered by self-encrypting drives: AES-256 at the drive level, chosen at hardware purchase time. There is no documented per-dataset, per-share, or per-file encryption granularity, so there is no way to cryptographically shred one project’s data without affecting everything on the drives. BrickStor SP encrypts per dataset with independent keys, layered on a FIPS 140-3 validated hardware module, which makes spillage response and secure decommissioning a key-deletion operation instead of a data-destruction project.
- The detection layer runs outside the storage system, as a separate cluster of virtual machines consuming PowerScale audit data over the network. That makes the defense itself a discoverable, attackable network resource. Modern intruders routinely fingerprint and disable defensive tooling before the main attack; if the add-on cluster is compromised, isolated, or simply taken offline, PowerScale reverts to storage with no active defense. BrickStor SP has no separate defense to target: Active Defense is the storage operating environment, and an attacker cannot disable it without disabling the storage itself.
- No. Many organizations keep PowerScale for general-purpose scale-out workloads and put the highest-risk data, such as regulated PII, high-value IP, and federal or classified shares, on BrickStor SP first. GHOST migration moves users in hours with data following in the background, so Cyberstorage protection starts at cutover rather than after a long copy. From there you can migrate additional shares on your own schedule.
- PowerScale’s strength is streaming throughput on large files at scale. Small-file and metadata-heavy workloads are a documented weak spot: OneFS’s stripe architecture penalizes files smaller than its stripe unit, and Dell’s own best-practice guidance prescribes SSD metadata acceleration to mitigate slow directory listings and small-file operations. BrickStor SP uses variable record sizes and RAM-based caching tuned per dataset, which suits the mixed, metadata-heavy file activity of primary enterprise shares. For your specific profile, run a proof of concept; neither vendor publishes audited head-to-head benchmarks.
- Two public facts are worth weighing. First, PowerScale’s monitoring tool InsightIQ documents that it does not support FIPS or STIG-hardened clusters, which means the hardened configuration federal sites require gives up the platform’s own performance analytics. Second, the security stack that matters most (behavioral detection, vaulting) is add-on software with its own infrastructure to accredit. BrickStor SP was engineered for hardened environments: Active Defense, ABAC, ImmutaVault, and the forensic audit record all run on the controller, in air-gapped and disconnected sites, with compliance evidence built in.
- Neither vendor publishes audited head-to-head benchmarks against the other, so treat specific numbers in any comparison with suspicion. What can be compared honestly is architecture and documented behavior: PowerScale is engineered for scale-out large-file throughput and has a documented small-file penalty; BrickStor SP is engineered for latency-sensitive primary shares with security evaluated inline. For your workloads, the right answer is a proof of concept against your real data profile.
Go deeper
BrickStor SP →
The flagship Cyberstorage NAS: full architecture, capabilities, and use cases.
BrickStor SP vs. Superna →
A deep dive on the overlay that powers PowerScale's add-on security bundles.
BrickStor SP vs. the field →
Twelve-capability grid covering NetApp, Dell PowerScale, VAST Data, and Pure FlashBlade.
See Built-In Defense Next to Your PowerScale Estate
In a 30-minute demo, we'll show Active Defense stopping an attack inline, per-dataset cryptoshred, and Intelligent Bulk Remediation, and map a phased migration path that starts with your highest-risk shares.
