
What's LogSeam All About

What do a spreadsheet and a love of building with LEGO bricks have to do with each other? Not much, unless you do security operations work, such as incident response, threat hunting, or SOC work. Like everything, there is a backstory that will provide a bit of context.

The Spreadsheet – Security Operations Reboot

Massive security operations spreadsheet illustrating SIEM cost math
The spreadsheet that kicked off our cost math: why $2-8 per GB doesn't add up.

When we started LogSeam, we started with a simple question: why was everyone so unhappy with their SIEM and SOC? We spoke with thousands of customers to dig deep into their concerns. Agentic AI, SOC alert overload, IR challenges, Threat Hunting issues, and Detection Engineering were all big concerns. But one core theme came up repeatedly: the cost of SIEM and by extension the SOC was by far their greatest concern. Quite simply, the cost does not justify the premium that customers are seeing. We can dig into the thousands of technical and operational issues seen in current SIEM architecture, but there is something more going on.

So, we fired up a spreadsheet and did the math. Once we ran the numbers across hundreds of tabs, with inputs from customers and partners and an analysis of all the vendors, we determined that the per-GB price was anywhere between $2 and $8.

Insane, right? Object storage was $0.02 a GB per month and compute is $0.044 per CPU/GB per hour, so something is very off. Sure, a SIEM does way more than just store things and compute things, but the core math of the core architecture was off.

So why is this SIEM/log thing costing anywhere between $2 and $8 per GB? Well, because at the end of the day these architectures for storing, indexing, and analyzing logs cost a ton in compute, storage and whatever data indexing thing you want to use. The majority of these solutions have to support an architecture that just can't be easily transferred to commodity storage and compute. They have sunk costs of thousands of hours of R&D, which at the time were great and revolutionary. But time has a way of equalizing the technology.

This cost leaves a giant dilemma for customers – let's save the most important logs (most of the time EDR data) and let everything else just fall to the side and hope for the best, to save on costs. As you would guess, this leaves you with a massive blind spot. Not a single case among the thousands we have worked as IR/MDR analysts had the necessary logging architecture to fully analyze a threat. This means thousands of hours of manual work using – you guessed it – Excel to manage the data.

Crazy, right? As an analyst it's a core frustration – for the AI world it limits us from seeing the world clearly. We need a cost-effective way to grab whatever data we want from wherever, at as close to infinite scale as we can get.

So, we set a goal to get the price per GB as low as possible without sacrificing capability.

One massive LEGO set

LEGO building blocks illustrating LogSeam's modular architecture
Building-blocks approach: compose analytics like LEGO pieces.

Over the last 30 years of doing security operations, it was clear nothing was really the right fit for every case. How could a single tool or a single platform handle the insane variance in cases? One day an email phish over O365, another day ransomware, another day a VPN compromise, and so on. Each investigation, another tool. Another way to analyze. Developing a process for investigations is fine, but analysts just want a way to work that gives them the freedom to work within the system while being as creative as they want to be.

I have always loved the ability to build whatever I wanted with LEGO bricks. The ability to build basically anything you want. What really amazes me is the creativity that it affords you. You start with a solid foundation and iterate, quickly. If you have a failure you start over again. If you want to create a new world, start over.

This is how we have built LogSeam – using a building blocks approach and keeping the architecture as simple as possible, without any additional "blocks" to gum up the system. We started with very simple blocks – object storage, raw compute, common elements and flexible engines that don't lock you in. LogSeam's architecture ensures that every element, from the core system architecture to the work management system to the user interface, gives you the ability to build the system you want.

For example, LogSeam allows customers to build the logging solution they want, from storage that scales infinitely using common object storage to dynamic compute that can be allocated for every core function, giving users the ability to work with logs however an analyst might want—without any limits.

We went even further – logs take up a ton of space if they are just text (mostly JSON these days), and we wanted to ensure that we could cut costs by using massive compression without sacrificing search, while providing a standard building block for data analysis. So, we developed a log processing engine that scales with your needs and creates commonly formatted Parquet files that you can search with thousands of different tools.

And finally, when we built an interface into LogSeam, we wanted the same building block approach to analytics, allowing an analyst to build exactly what they want. Want a graph? Add a block. Want a timeline? Add a block. Want to do advanced ML analytics? Add a block. And so on. But what's even cooler with LogSeam Spaces is that you can share your work with others at the same time.

Then we built one more amazing capability – let's wire this whole thing up to LLMs and bring the whole agentic world into LogSeam to get even more power from analytics. Want a dashboard in Claude? Connect via MCP and away you go.

Building blocks your way at every layer at a price point that is sane

We built LogSeam for the bean counters. We built LogSeam for analysts on the front line. We built LogSeam for the AI world. We built LogSeam to change the way we interface with logs and data—to seam all these disjointed pieces together to form a new collaborative world.

And we are just getting started – you should see what's next…

Daniel and Billy

LogSeam modular grid displayed on a laptop symbolizing analyst-built workspaces
From spreadsheet math to modular analytics—LogSeam built for how analysts actually work.