Why this matters

If you are scoping, buying, or building a surveillance system, you are really making seven decisions at once, and they interact: the camera you pick sets the bandwidth, the bandwidth sets the network, the network and retention set the storage bill, and where you put analytics changes all three. Treat the system as one box labeled "cameras and software" and you will discover the missing stage the expensive way — a switch that browns out under load, a disk array that fills in three weeks, an analytic that floods operators with false alarms, or a face-recognition feature shipped without the legal review it needed. This article gives you a precise, plain-language model of the whole pipeline so you can talk to engineers and vendors stage by stage, know which question belongs to which hop, and spot the under-sized link before it fails. It is the foundation the rest of this course builds on, and every later article zooms into one of these stages.

The whole system on one page

Here is the entire pipeline before we walk it slowly. Video starts as light hitting a camera sensor and ends as an action a person or another system takes — an operator dispatching a guard, a door staying locked, an alert landing on a phone. Between those two points it passes through seven stages, and a privacy-and-retention layer governs all of them at once.

End-to-end video surveillance architecture: camera, network, VMS ingest, storage, analytics, client, and integration, wrapped by a privacy and retention layer. Figure 1. The end-to-end map. Seven stages from camera to action, with the privacy and retention layer wrapping every hop. The rest of this article walks each stage left to right, naming the typical technology and the typical failure mode at each one.

The trick to reading the map is to notice that video gets smaller and more meaningful as it moves right. At the camera it is a heavy raw stream; by the analytics stage it has become a light piece of structured information ("a person crossed this line at 14:02"); by the integration stage it is an action. Bandwidth and storage cost the most on the left; intelligence and decisions live on the right. Keep that gradient in mind and the whole system makes sense.

We will take the stages in order: camera, network, ingest, storage, analytics, client, integration, and then the privacy layer that wraps them.

Stage 1 — The camera: capture and compression

Typical technology: an IP camera with an image sensor, a lens, and an on-board encoder running H.264 or H.265.

Everything starts at the camera, and a modern surveillance camera is a small networked computer, not just an eye. It captures light on a sensor, then immediately encodes the image — compresses the raw pixels into a manageable digital stream using a video codec, most commonly H.264 or the newer, more efficient H.265 (also called HEVC). This compression is the single most important thing the camera does for the rest of the system, because it sets the size of everything downstream.

How big is "raw"? Uncompressed high-definition video is enormous — gigabits per second — which is why no surveillance system ships raw video. The codec shrinks it by 100× or more. A useful rule of thumb in 2026: a 4-megapixel camera at 30 frames per second produces roughly 6 megabits per second (Mbps) in H.264, and about 3 Mbps in H.265 — roughly half the size for the same picture (CCTV Camera World; PVR). That one codec choice, made at the camera, ripples all the way to the storage bill at Stage 4.

The reason cameras differ so much in price is that the task differs. The security industry talks about DORI — Detection, Observation, Recognition, Identification — four levels of how much detail you need at a given distance. Counting that "a person is there" needs far fewer pixels-on-target than reading a face or a license plate. Picking the camera by the task at each location, rather than buying the same model everywhere, is the difference between a system that works and one that records useless blur. We cover the camera layer in depth in IP cameras vs analog cameras, and the codec mechanics live in the Video Encoding section.

Typical failure mode: the wrong camera for the task — a wide-angle camera asked to identify faces 30 meters away — or a camera left at a needlessly high bitrate, quietly tripling the storage cost of the whole system before a single frame is stored.

Stage 2 — The network: getting the stream off the camera

Typical technology: a Power-over-Ethernet (PoE) switch, structured Ethernet cabling, and usually a dedicated VLAN.

The camera's compressed stream now has to travel, and in a modern IP system it travels over the same kind of Ethernet network your office uses. The elegant part is Power over Ethernet (PoE): a single Cat5e or Cat6 cable carries both the video data and the electricity to run the camera, so there is no separate power outlet at each camera position. The switch that does this is the quiet backbone of the whole system.

PoE is standardized by the IEEE, and the standard matters because cameras draw different amounts of power. IEEE 802.3af (2003) supplies up to 15.4 watts from the switch port (about 12.95 W reaching the camera) — enough for a basic fixed camera. IEEE 802.3at, or PoE+ (2009), raises that to 30 watts at the port, which covers cameras with heaters, infrared illuminators, or pan-tilt-zoom (PTZ) motors. IEEE 802.3bt, or PoE++ (2018), goes further: Type 3 delivers about 51 W and Type 4 about 71.3 W to the device, for the most demanding PTZ and multi-sensor units (IEEE 802.3 standards; FS.com). The lesson: the switch must have enough power budget for the sum of all its cameras, not just enough ports.

The second job of the network is isolation. Surveillance cameras are notoriously weak points on a network, so the common practice is to put them on their own virtual LAN (VLAN) — a logically separate network segment — so a compromised camera cannot reach the rest of the business, and so the steady flood of video traffic does not collide with everyday office data. Bandwidth is the budget here, measured in Mbps per camera and summed across the system.

Typical failure mode: an under-provisioned switch — enough ports but not enough total PoE wattage, so cameras reboot under load — or an uplink too thin to carry every camera's stream at once, so video stutters and drops exactly when an incident floods the network.

Stage 3 — Ingest: how the VMS finds and pulls the stream

Typical technology: ONVIF for discovery and configuration, RTSP and RTP for the streaming handshake and transport.

Now the software enters. The Video Management System (VMS) — the software platform that records and manages many cameras at once — has to do two things before it can record anything: find the camera on the network, and pull its stream. Two standards make this work across cameras from different manufacturers.

The first is ONVIF (Open Network Video Interface Forum), the industry standard, created in 2008, that lets cameras and software from different makers understand each other (onvif.org). Think of ONVIF as the common language at the loading dock: it lets the VMS discover a new camera on the network, ask what it can do, and configure it without a hand-written driver for that exact model. ONVIF is organized into profiles, each covering a function — Profile S for basic video streaming, Profile T for advanced streaming including H.265 and tamper events, Profile G for on-device recording and retrieval, and Profile M for analytics metadata, which matters at Stage 5 (onvif.org/profiles). A single device can conform to several profiles at once.

The detail that saves projects is this: "ONVIF-conformant" guarantees a baseline, not every feature. A camera and VMS that share Profile S will reliably stream; a vendor's special analytic or a proprietary control often still needs that manufacturer's own software kit. Treat ONVIF as the floor both devices stand on, not the full ceiling of what the camera can do. For the engineering detail, see ONVIF explained for engineers and the commercial overview of ONVIF profiles in security systems.

Once the camera is found, the actual video moves with two more standards. RTSP (Real-Time Streaming Protocol, IETF RFC 7826) is the remote control — it carries the "play", "pause", and "teardown" commands but not the video itself. RTP (Real-Time Transport Protocol, IETF RFC 3550) is the courier that carries the actual compressed video packets, usually over UDP for speed (rfc-editor.org). The ingest path in plain terms — discovery, the RTSP handshake, the codec on the wire — gets its own article in how a camera stream gets into the VMS, and the streaming-transport depth lives in the Video Streaming section.

Typical failure mode: the "ONVIF just works" assumption — a team buys a mixed camera fleet expecting every feature to appear in the VMS, then finds only the baseline streams and the premium analytics they paid for are locked behind the vendor SDK.

Stage 4 — Storage: the stage everyone under-budgets

Typical technology: a recording server writing to surveillance-grade hard drives, often in a RAID array, with a recording mode chosen per camera.

The stream is now arriving, and it has to be written somewhere — for days, weeks, or months. Storage is the stage that quietly dominates the cost of a surveillance system, and the good news is that it is pure arithmetic, so you can size it before you buy anything.

The formula is the bitrate times the number of cameras times the recording hours times the retention days. Walk a single camera first. One camera streaming continuously at 4 Mbps produces, in one hour:

4 Mbit/s × 3,600 s = 14,400 megabits = 1,800 megabytes ≈ 1.8 GB per hour.

Over a full day that is about 43 GB per camera. A handy shortcut that gives the same answer: storage per day in GB ≈ bitrate in Mbps × 10.8 (so 4 × 10.8 = 43.2 GB/day). Now scale to a 40-camera site kept for 30 days, recording continuously:

43 GB × 40 cameras × 30 days ≈ 51,600 GB ≈ 51.6 TB.

That is the number that surprises buyers. And it is full of levers, every one of which you control. Switch those cameras from H.264 to H.265 and the bitrate roughly halves, taking the 51.6 TB toward 26 TB. Record on motion instead of continuously and a typically quiet scene falls further; record only on events (an analytic trigger) and it falls further still. The recording mode is so decisive that quoting a storage number without it is meaningless — continuous, motion, event, and scheduled recording produce wildly different footprints for the same cameras.

Bar chart of surveillance storage falling from 51.6 TB continuous H.264 to about 26 TB in H.265, then less again on motion and event recording. Figure 2. The storage levers in one picture. The same 40 cameras over 30 days swing from 51.6 TB down to a few TB depending on codec and recording mode — math you control before buying a single disk.

Two hardware notes matter here. Surveillance writes are relentless and round-the-clock, so the drives are surveillance-grade (Seagate SkyHawk, WD Purple) tuned for continuous writing, not desktop drives. And because a dead disk in a 50 TB array means lost evidence, the disks are usually arranged in RAID so the system survives a drive failure without losing footage. The full model — tiers, RAID levels, retention policy — is the subject of how surveillance storage works: the retention math.

Typical failure mode: storage sized for the demo, not the retention policy — a system specified at "30 days" on paper that actually holds nine, because someone used the H.265 bitrate in the spreadsheet but the cameras shipped in H.264, or budgeted continuous recording as if it were motion.

Stage 5 — Analytics: turning video into information

Typical technology: computer-vision models running on the camera (edge), on a local server (edge server), or in the cloud — surfaced to the VMS as metadata, often over ONVIF Profile M.

This is the stage that turns hours of footage nobody watches into events worth acting on. Video analytics is software that looks at the video and reports what it sees: a person, a vehicle, a crossed line, a left-behind bag, a license plate. The detection itself is a computer-vision model; what the surveillance system cares about is where that model runs, because the choice reshapes latency, bandwidth, cost, and privacy.

There are three places to run it, and they are not interchangeable:

  • On the camera (edge AI): a chip inside the camera runs the model. Results come back in tens of milliseconds — modern edge inference routinely lands in the 10–100 ms range — and almost no video has to leave the camera, which saves bandwidth and keeps raw images local for privacy (Fora Soft; industry benchmarks).
  • On a local server (edge server): a more powerful on-site machine runs heavier models across many cameras, balancing capability against the cost of dedicated hardware.
  • In the cloud: video or clips travel up to a data center for analysis. The cloud wins on heavy, cross-camera reasoning and on models that improve over time, but it adds a network round-trip — commonly 200–2,000 ms or more — and a continuous bandwidth and compute bill that grows with every camera.

A practical 2026 pattern is hybrid: the edge raises the fast alert, the cloud does the slow, deep analysis. One rule of thumb worth remembering: above roughly 20 always-on cameras, the bandwidth and cloud-GPU bill of sending everything up tends to overtake the cost of edge hardware within a year. The deployment decision gets its own treatment in edge vs cloud video analytics; the model internals — how detection and recognition are actually engineered — belong to the AI for Video Engineering section, which this surveillance course links to rather than repeats.

Three columns comparing on-camera edge, edge-server, and cloud analytics by latency, bandwidth, and best use, with the ~20-camera cost crossover noted. Figure 3. The three places analytics can run. Latency, bandwidth, and best fit differ at every tier — and above roughly 20 always-on cameras the cloud bill tends to overtake edge hardware.

One honest word on accuracy, because the industry oversells it. No analytic is 100% accurate. A well-tuned person- or vehicle-detector in good lighting can be excellent, but accuracy is a precision-and-recall range that drops with darkness, rain, odd angles, crowding, and occlusion. The right question to a vendor is never "is it accurate?" but "what precision and recall, under what conditions, and how do we tune the false alarms down?" Lead with how the analytic behaves under real load, not the demo number.

Typical failure mode: blurring the three tiers into one word "AI", then either drowning operators in false alarms from an untuned model or signing up for a cloud bandwidth bill that no one modeled at full camera count.

Stage 6 — The client: where people actually watch

Typical technology: a VMS client — a desktop video wall, a browser, or a mobile app — gated by role-based access control.

Video that no one can act on is wasted, so the sixth stage is the human one: the client, the application where operators watch live feeds, scrub back through recordings, and respond to alerts. It might be a wall of monitors in a security operations center, a web browser for an occasional viewer, or a phone for a manager on the move. The VMS feeds all of them from the same recordings.

The quiet but critical technology here is role-based access control (RBAC) — making sure each user sees only the cameras and functions their job requires. A front-desk guard, a regional manager, and a maintenance contractor should not have the same view, both for security and, increasingly, for privacy law. There is also a human-factors limit that no software fixes: an operator can meaningfully watch only a handful of live feeds at once, which is precisely why Stage 5 analytics exist — to point human attention at the few feeds that matter right now.

Typical failure mode: too many cameras per operator with no analytics to triage them, so incidents are missed in a wall of motion; or flat access where everyone can see everything, which fails the first privacy audit.

Stage 7 — Integration and alerting: from event to action

Typical technology: the VMS event engine wired to access control, alarms, and other systems through APIs and SDKs; alerts delivered to people and systems.

The last stage is where surveillance stops being a recording and becomes part of how a building or city actually responds. The VMS sits at the center of a web of other systems: access control (door locks and badge readers), intrusion alarms, building management, and notification channels. When an analytic at Stage 5 fires, the integration layer decides what happens — lock a door, raise an alarm, push a notification, escalate to a guard, or simply log it for later forensic search.

These connections are made through APIs (the documented request-and-response interface a system exposes) and vendor SDKs (software development kits). ONVIF carries some of this — Profile M moves analytics metadata and events in a standard form — but deeper, product-specific integrations usually ride a vendor SDK or REST API. This is also where surveillance meets the rest of the security stack, and where a custom-built VMS earns its keep, because off-the-shelf platforms integrate what their vendor chose to integrate and nothing more.

Integration map with the VMS at the center linked to cameras, storage, access control, alarms, analytics, and client apps, each link labeled with its standard. Figure 4. The VMS as the hub. Cameras, storage, analytics, and the security stack all connect through it over ONVIF, RTSP, APIs, and SDKs — which is how an event becomes an action.

Typical failure mode: alert fatigue — every event treated as urgent until operators mute the system — or an island deployment where the cameras record but nothing is wired to act, so footage is only ever reviewed after the incident, never during it.

The layer that wraps everything: privacy and retention

This is engineering guidance, not legal advice. Confirm specifics with qualified counsel.

The seven stages sit inside a privacy and retention layer, because surveillance video is personal data the moment it shows a recognizable person, and the law treats it that way. This is not a stage you bolt on at the end; it touches every hop, from the camera that should not capture the neighbor's garden to the storage that must delete footage on schedule.

Two principles drive most of it. The first is purpose and minimization: you must record for a specific, stated reason, and capture no more than that reason needs. European Data Protection Board guidance is explicit that a vague purpose like "safety" is not specific enough, and that if you do not need audio or face recognition, those functions should be off (EDPB Guidelines 3/2019). The second is storage limitation: footage should be kept only as long as the purpose requires — often just a few days for routine cases — which means privacy law sets a maximum retention that sits on top of any operational minimum. Those two limits are different numbers and people constantly conflate them.

Then there is the biometric gate, which is sharper than most teams expect. The moment an analytic recognizes a specific face or reads a license plate tied to a person, it is processing biometric or personal data under heightened rules — special-category data under the EU's GDPR (Reg. (EU) 2016/679, Art. 9), and, in Illinois, the Biometric Information Privacy Act (BIPA, 740 ILCS 14), which carries a private right of action and statutory damages. The engineering consequence is concrete: face recognition and license-plate recognition are a legal decision before they are a technical one, and shipping them without that review is the most dangerous failure mode in this whole article. Large public-area monitoring may also require a formal Data Protection Impact Assessment (DPIA) under GDPR Art. 35. We are engineers, not lawyers, and the privacy block of this course — starting with GDPR for video surveillance — exists to make this layer concrete.

Data-flow view of the same system with the privacy boundary drawn around storage and analytics, and the biometric path highlighted as the legally gated one. Figure 5. The same system as a data-flow. Video and metadata move left to right; the privacy boundary wraps storage and analytics, and the biometric path (face, plate) is the legally gated one that needs review before it ships.

The whole pipeline as a table

Here is every stage with its technology and its characteristic failure mode, the version to keep beside you while scoping a project.

Stage What it does Typical technology Typical failure mode
1. Camera Capture + compress IP camera, H.264 / H.265, sensor + lens Wrong camera for the task; bitrate too high
2. Network Carry the stream + power PoE switch (802.3af/at/bt), VLAN PoE budget or uplink under-provisioned
3. Ingest Find + pull the stream ONVIF discovery, RTSP/RTP "ONVIF just works" — only the baseline streams
4. Storage Retain the footage Recording server, surveillance drives, RAID Sized for the demo, not the retention policy
5. Analytics Turn video into events Edge / edge-server / cloud CV, ONVIF Profile M Blurred tiers; false-alarm flood; cloud bill
6. Client Let people watch + respond VMS desktop / browser / mobile, RBAC Too many feeds per operator; flat access
7. Integration Turn events into action APIs, SDKs, access control, alarms Alert fatigue; island deployment
Wrapper Govern all of it GDPR/EDPB, BIPA, encryption, retention rules Biometrics shipped without legal review

Table 1. The system on one row per stage. Most failures are a single under-sized or wrong-chosen stage, not a broken system — which is why naming the stages is the whole point.

A common mistake to avoid

The costliest pattern we see is optimizing one stage in isolation. A team picks beautiful 4K cameras (Stage 1) without recomputing storage (Stage 4), and the array fills in a fortnight. Or they buy a powerful cloud analytic (Stage 5) without modeling the uplink (Stage 2), and the network chokes the moment every camera streams up at once. The stages are a chain, and the chain is only as strong — and only as affordable — as the link someone forgot to resize. The fix is the discipline this article is built around: when you change any stage, walk the map left and right and ask what just changed two hops away.

Where Fora Soft fits in

Fora Soft has built real-time video, streaming, and computer-vision software since 2005, across 625+ shipped projects, and surveillance is the exact intersection of those three. Teams come to us when an off-the-shelf platform runs out of road at one of these stages — ingest that has to absorb a mixed, multi-vendor camera fleet; analytics that must hit a realistic precision and recall at full camera count rather than in a demo; storage and retention modeled realistically against a privacy policy; or an integration layer that has to talk to systems the VMS vendor never anticipated. We build that custom VMS layer end to end, and the framing we lead with is always how the system behaves under real load first, capability second. A realistic accuracy range beats an impressive demo number every time.

What to read next

Call to action

References

  1. ONVIF — "ONVIF Profiles" (Profiles S, T, G, M and what each standardizes; a device may conform to several; conformance is the only guarantee of interoperability). Primary (tier 1). https://www.onvif.org/profiles/
  2. ONVIF — "Our Mission" (ONVIF founded 2008 by Axis, Bosch, Sony; 33,000+ profile-conformant products; relationship to IEC 62676). Primary (tier 1). https://www.onvif.org/about/mission/
  3. IETF — RFC 7826, "Real-Time Streaming Protocol Version 2.0" (RTSP session control: play/pause/teardown; does not transport media). Primary (tier 1). https://www.rfc-editor.org/rfc/rfc7826.html
  4. IETF — RFC 3550, "RTP: A Transport Protocol for Real-Time Applications" (RTP carries the media packets, typically over UDP). Primary (tier 1). https://www.rfc-editor.org/rfc/rfc3550
  5. IEEE 802.3 — Power over Ethernet standards (802.3af 15.4 W, 802.3at/PoE+ 30 W, 802.3bt/PoE++ Type 3 ~51 W, Type 4 ~71.3 W). Primary (tier 1). https://standards.ieee.org/ieee/802.3/7071/
  6. European Data Protection Board — "Guidelines 3/2019 on processing of personal data through video devices" (purpose specificity, data minimization, storage limitation, DPIA for large public areas, security at rest/in transit/in use). Primary (tier 1/2). https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32019-processing-personal-data-through-video_en
  7. IEC 62676 series — "Video surveillance systems for use in security applications" (the international VSS standard; Part 2-3 references ONVIF for video transmission). Primary (tier 1). https://standards.globalspec.com/std/1640982/iec-62676-1-1
  8. CCTV Camera World — "Difference between H.264 and H.265 codecs" (4 MP camera ≈ 6 Mbps H.264 vs ≈ 3 Mbps H.265; up to ~50% storage savings). Vendor engineering (tier 4). https://www.cctvcameraworld.com/security-cameras/difference-between-h264-and-h265-codecs/
  9. Fora Soft — "Edge AI vs Cloud AI for Video Surveillance: 2026 Latency, Cost & Privacy" (edge inference latency, the ~20-camera cloud-cost crossover, hybrid pattern). First-party engineering (tier 3). https://www.forasoft.com/blog/article/edge-ai-vs-cloud-ai-video-surveillance
  10. Reolink — "CCTV Storage Calculation: Formula & Storage Saving Tips" (storage-per-day ≈ bitrate Mbps × 10.8; recording-mode impact on footprint). Vendor engineering (tier 4). https://reolink.com/blog/cctv-storage-calculation-formula/