§ FAQ

Frequently asked questions.

Everything you need to know about LogSeam — from getting started to enterprise deployment.

General

What is LogSeam?

LogSeam is a security operations platform built on two products. The AI Security Lake stores, normalizes, and enriches all your security logs in open formats at a fraction of traditional SIEM costs. Vision is the SOC platform that sits on top — providing detection-as-code, AI-powered alert triage, structured incident response, and real-time dashboards.

Who is LogSeam built for?

LogSeam is built for security teams of all sizes — from lean two-person SOCs to enterprise security operations centers. If you're drowning in SIEM costs, struggling with alert fatigue, or running incident response on spreadsheets and Slack, LogSeam was built for you.

How long does it take to get started?

Most teams are ingesting data within hours. Connect your first source, and you'll see logs flowing into the lake immediately. Vision's detection rules can be deployed the same day. A broader rollout — tuning rules, building dashboards, and training your team — typically takes one to two weeks.

Can I use the AI Security Lake without Vision, or vice versa?

Yes. The AI Security Lake works as a standalone security data platform — use it to replace expensive SIEM log storage while keeping your existing tools. Vision requires the AI Security Lake as its data backend, but the lake doesn't require Vision.

AI Security Lake

What data sources does LogSeam support?

LogSeam supports 100+ integrations across SIEMs (Splunk, Sentinel, QRadar), EDR (CrowdStrike, SentinelOne, Carbon Black), identity (Okta, Azure AD, Duo), cloud (AWS, Azure, GCP), firewalls, DNS, email gateways, and more.

What log formats does LogSeam accept?

Supported formats include JSON, syslog, CEF, LEEF, and CSV, as well as custom formats. The ingestion pipeline detects and parses most standard formats automatically.
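As an added illustration of what "detect and parse" involves for these formats (example code written for this page, not LogSeam's ingestion pipeline), the parser below recognizes JSON, CEF, LEEF and plain syslog lines and normalizes them into one record shape. The field names it emits and the four sample lines are the author's own; the CEF sample deliberately includes an escaped pipe in the header and an escaped equals sign in an extension value, since those are the cases naive split-on-delimiter parsers get wrong.

```python
"""Multi-format log line parser: detects JSON, CEF, LEEF and plain syslog and
normalizes each into one record shape. Example code written for this page, not
LogSeam's ingestion pipeline; the output field names are the author's choice."""
import json
import re
from typing import Any, Dict, List

CEF_HEADER = ["cef_version", "vendor", "product", "version", "signature_id", "name", "severity"]
LEEF_HEADER = ["leef_version", "vendor", "product", "version", "event_id"]

# RFC 3164 (Mmm dd hh:mm:ss) or RFC 5424 (ISO timestamp) header: <pri>[ver ]timestamp host rest
SYSLOG_PREFIX = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?(?:\d\s)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d\d:\d\d:\d\d|\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\S*)"
    r"\s+(?P<host>\S+)\s+(?P<rest>.*)$", re.S)
PROC_RE = re.compile(r"^(?P<app>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s(?P<msg>.*)$", re.S)
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")   # start of a CEF extension key


def split_unescaped(s: str, sep: str, limit: int) -> List[str]:
    """Split on unescaped `sep` (a backslash escapes the next char) at most `limit`
    times. The last element is the raw remainder, still escaped, for the caller."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(s) and len(parts) < limit:
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            buf.append(s[i + 1])
            i += 2
        elif c == sep:
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    parts.append("".join(buf) + s[i:])
    return parts


def unescape_value(v: str) -> str:
    """CEF extension values escape '=', '\\' and newlines with a backslash."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), v, flags=re.S)


def parse_kv(ext: str) -> Dict[str, str]:
    """'key=value key2=value with spaces': a value runs until the next unescaped key."""
    keys = list(KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        out[m.group(1)] = unescape_value(ext[m.end():end].strip())
    return out


def parse_cef(body: str) -> Dict[str, Any]:
    parts = split_unescaped(body[len("CEF:"):], "|", 7)
    rec: Dict[str, Any] = {"format": "cef", **dict(zip(CEF_HEADER, parts[:7]))}
    rec["fields"] = parse_kv(parts[7]) if len(parts) > 7 else {}
    return rec


def parse_leef(body: str) -> Dict[str, Any]:
    version = body[len("LEEF:"):].split("|", 1)[0]
    n = 6 if version.startswith("2") else 5          # LEEF 2.0 adds a delimiter header field
    parts = split_unescaped(body[len("LEEF:"):], "|", n)
    rec: Dict[str, Any] = {"format": "leef", **dict(zip(LEEF_HEADER, parts[:5]))}
    delim = "\t"                                      # LEEF 1.0, or an empty 2.0 field, means tab
    if n == 6 and len(parts) > 5 and parts[5]:
        d = parts[5]
        if re.fullmatch(r"(?:0x|x)[0-9a-fA-F]{2,4}", d, re.I):   # hex-encoded delimiter, e.g. x09
            delim = chr(int(d[d.lower().index("x") + 1:], 16))
        else:
            delim = d
    attrs = parts[n] if len(parts) > n else ""
    rec["fields"] = dict(kv.split("=", 1) for kv in attrs.split(delim) if "=" in kv)
    return rec


def parse_line(line: str) -> Dict[str, Any]:
    """Detect the format of one raw line and return a normalized record."""
    s = line.strip()
    if s.startswith("{"):
        return {"format": "json", "fields": json.loads(s)}
    rec: Dict[str, Any] = {}
    m = SYSLOG_PREFIX.match(s)
    if m:
        rec.update(host=m.group("host"), timestamp=m.group("ts"))
        if m.group("pri") is not None:
            pri = int(m.group("pri"))
            rec.update(facility=pri >> 3, syslog_severity=pri & 7)
        s = m.group("rest")
    if s.startswith("CEF:"):
        rec.update(parse_cef(s))
    elif s.startswith("LEEF:"):
        rec.update(parse_leef(s))
    elif m:
        p = PROC_RE.match(s)
        rec["format"] = "syslog"
        rec["fields"] = ({"app": p.group("app"), "pid": p.group("pid"), "message": p.group("msg")}
                         if p else {"message": s})
    else:
        rec.update(format="raw", fields={"message": s})   # unrecognized: keep it, never drop it
    return rec


# Constructed sample lines (not real traffic): one per format, including CEF escapes.
SAMPLE_LINES = [
    "<134>Jan 10 12:00:00 fw01 CEF:0|ExampleCorp|ExampleFW|10.1|THREAT|Threat \\| Blocked|7|"
    "src=10.0.0.5 dst=203.0.113.9 dpt=443 msg=URL category\\=malware act=blocked",
    "LEEF:2.0|ExampleCorp|ExampleIDS|1.0|12345|x09|src=10.0.0.5\tdst=203.0.113.9\tsev=5\tmsg=port scan",
    '{"event": "login", "user": "alice", "src_ip": "198.51.100.7", "result": "failure"}',
    "<13>Jan 10 12:00:01 bastion sshd[4242]: Failed password for invalid user admin from 198.51.100.7 port 2222 ssh2",
]


def parse_all(lines: List[str]) -> List[Dict[str, Any]]:
    return [parse_line(line) for line in lines]


if __name__ == "__main__":
    for rec in parse_all(SAMPLE_LINES):
        print(json.dumps(rec, sort_keys=True))
```

Whatever the pipeline, the check worth running on a new source is the one this example makes visible: feed a handful of real lines through and confirm that header fields (vendor, product, severity) and escaped values land in the right place, and that anything unrecognized is retained as raw rather than silently dropped.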

How does pricing compare to traditional SIEMs?

LogSeam typically costs 80-90% less than traditional SIEMs for log storage and analysis. We use object storage (such as S3) instead of hot compute clusters, which dramatically reduces infrastructure costs. You keep all your data — no more choosing which logs to drop because of budget constraints.

What does "open format" mean for my data?

Your data is stored on your own object storage in an open, queryable format. If you ever leave LogSeam, your data stays with you in a format standard tools can read. No vendor lock-in and no export fees.

How does the AI enrichment work?

Log events can be enriched during ingestion with threat intelligence, geolocation, ASN data, and entity classification. The AI layer adds behavioral context — identifying anomalous patterns, correlating events across sources, and tagging entities for investigation.

Vision

What is Detection-as-Code?

Detection-as-Code means your detection rules are written in Sigma (YAML) — the open, vendor-agnostic rule format — not locked in a proprietary format. You can version control them, test them against real data before deploying, and share them across teams. Vision supports five rule types: Sigma, behavioral, statistical, graph analysis, and ML/AI.

How does AI-powered alert triage work?

When a detection rule fires, AI pre-assesses the alert with a verdict (benign, suspicious, or malicious), a confidence score, risk assessment, and extracted IOCs. It can enrich indicators against sources like VirusTotal, AbuseIPDB, IPinfo, and URLScan — in parallel — so analysts start with context instead of a blank alert.
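The IOC extraction step is the part of triage that can be shown without a model. The block below is an added example written for this page, not Vision's triage engine: it refangs the defanged notation analysts use (hxxp, [.], [@]), validates each candidate with the standard library, and separates RFC 1918 and other non-routable addresses from the public ones, so that only indicators worth an external lookup would be sent to enrichment sources. The alert text, the ranges treated as internal and the output keys are the author's assumptions; no verdict or confidence scoring is reproduced, and no enrichment call is made.

```python
"""Indicator extraction for alert triage: refangs defanged indicators, validates
each candidate and separates internal-only addresses before anything would be
sent to an enrichment source. Example code written for this page, not Vision's
triage engine; the output keys and the internal ranges are the author's choice."""
import ipaddress
import re
from typing import Dict, Iterable, List

# Defanging conventions analysts and threat-intel feeds use so indicators are not clickable.
DEFANG_PATTERNS = [
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."),
    (re.compile(r"hxxp", re.I), "http"),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\[@\]"), "@"),
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.I)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24}\b", re.I)
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b", re.I)
MD5_RE = re.compile(r"\b[a-f0-9]{32}\b", re.I)

# Ranges never worth an external lookup: RFC 1918, loopback, link-local, multicast, reserved.
# Listed explicitly rather than via ipaddress.is_private, which would also hide the RFC 5737
# documentation ranges the constructed sample uses as its "external" addresses.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def refang(text: str) -> str:
    """Undo the defanging so the indicators can be validated and looked up."""
    for pat, rep in DEFANG_PATTERNS:
        text = pat.sub(rep, text)
    return text


def _dedupe(items: Iterable[str]) -> List[str]:
    seen, out = set(), []
    for x in items:
        if x not in seen:
            seen.add(x)
            out.append(x)
    return out


def extract_iocs(text: str) -> Dict[str, List[str]]:
    """Return indicators grouped by type, in order of first appearance, deduplicated."""
    t = refang(text)
    public: List[str] = []
    internal: List[str] = []
    for ip in IPV4_RE.findall(t):
        try:
            addr = ipaddress.ip_address(ip)       # rejects octets > 255 that the regex lets through
        except ValueError:
            continue
        (internal if any(addr in n for n in NON_ROUTABLE) else public).append(ip)
    urls = [u.rstrip(".,;:)]}>") for u in URL_RE.findall(t)]   # drop sentence punctuation
    domains = [d.lower() for d in DOMAIN_RE.findall(t)]
    return {
        "ipv4": _dedupe(public),
        "internal_ipv4": _dedupe(internal),       # kept for context, not for external enrichment
        "url": _dedupe(urls),
        "domain": _dedupe(domains),
        "sha256": _dedupe(h.lower() for h in SHA256_RE.findall(t)),
        "md5": _dedupe(h.lower() for h in MD5_RE.findall(t)),
    }


# Constructed alert narrative (not a real incident). The two hashes are the well-known
# SHA-256 and MD5 of an empty input, used only as syntactically valid examples.
SAMPLE_ALERT = (
    "PowerShell on ws-042 (10.20.3.14) fetched hxxp://cdn[.]example[.]net/payload.ps1, then "
    "connected to 203[.]0[.]113[.]77 and 198.51.100.23:443. Dropped file sha256 "
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (md5 "
    "d41d8cd98f00b204e9800998ecf8427e). Lure mail came from it-helpdesk[@]evil-mail.example[.]org."
)


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_ALERT).items():
        print(f"{kind:14s} {values}")
```

Separating internal addresses is not cosmetic: sending RFC 1918 addresses or internal hostnames to a third-party reputation service leaks network layout for no analytic gain, and the extractor is the natural place to enforce that rule before the parallel enrichment fan-out.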

Can I customize detection rules?

Absolutely. Author rules in Sigma/YAML or write SQL directly. The editor shows a live SQL preview of your Sigma rule so you see exactly what will execute. Classify by MITRE ATT&CK, set severity, and add metadata. Test rules against real data before promoting them to production, with quality gates for precision and false-positive targets.
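To make the Sigma-to-SQL preview and the test-before-promote workflow from the two answers above concrete, here is an added example written for this page; it is not Vision's compiler and its modifier mapping, gate thresholds, sample rule and sample events are all the author's assumptions. It compiles a small Sigma-style rule (shown as YAML in a comment, embedded as its parsed form to avoid a PyYAML dependency) into a SQL WHERE clause, runs it against hand-labelled events in an in-memory SQLite table, and applies a precision and false-positive gate to the result.

```python
"""Sigma-style rule -> SQL compiler with an offline test harness and a quality gate.
Example code written for this page: the modifier-to-SQL mapping, the sample rule and
events, and the gate thresholds are the author's own, not Vision's compiler or gates."""
import re
import sqlite3
from typing import Any, Dict, List

# The rule as it would be written in Sigma YAML (kept as a comment for reference):
#   title: SSH password brute force from external address
#   logsource: {product: linux, service: sshd}
#   detection:
#     selection:
#       app: sshd
#       message|contains: 'Failed password'
#     filter_internal:
#       src_ip|startswith: ['10.', '192.168.']
#     condition: selection and not filter_internal
#   tags: [attack.credential_access, attack.t1110.001]
#   level: medium
# To avoid a PyYAML dependency the example starts from the already-parsed form:
RULE: Dict[str, Any] = {
    "title": "SSH password brute force from external address",
    "logsource": {"product": "linux", "service": "sshd"},
    "detection": {
        "selection": {"app": "sshd", "message|contains": "Failed password"},
        "filter_internal": {"src_ip|startswith": ["10.", "192.168."]},
        "condition": "selection and not filter_internal",
    },
    "tags": ["attack.credential_access", "attack.t1110.001"],
    "level": "medium",
}

SUPPORTED_MODIFIERS = {"contains", "startswith", "endswith"}


def _lit(v: Any) -> str:
    """Quote a rule value as a SQL string literal; rule text is never spliced in raw."""
    return "'" + str(v).replace("'", "''") + "'"


def _like(v: str, prefix: str = "", suffix: str = "", wildcards: bool = False) -> str:
    """Build a LIKE pattern, escaping the pattern metacharacters in the literal value.
    SQLite's LIKE is case-insensitive for ASCII, matching Sigma's string semantics."""
    esc = re.sub(r"([\\%_])", r"\\\1", v)
    if wildcards:                                   # Sigma '*' and '?' -> SQL '%' and '_'
        esc = esc.replace("*", "%").replace("?", "_")
    return f"LIKE {_lit(prefix + esc + suffix)} ESCAPE '\\'"


def _field_sql(key: str, value: Any) -> str:
    field, *mods = key.split("|")
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", field):
        raise ValueError(f"bad field name: {field!r}")
    for mod in mods:
        if mod not in SUPPORTED_MODIFIERS:
            raise ValueError(f"unsupported modifier: {mod!r}")
    clauses = []
    for v in value if isinstance(value, list) else [value]:   # a list of values is OR-ed
        if "contains" in mods:
            clauses.append(f"{field} {_like(str(v), '%', '%')}")
        elif "startswith" in mods:
            clauses.append(f"{field} {_like(str(v), '', '%')}")
        elif "endswith" in mods:
            clauses.append(f"{field} {_like(str(v), '%', '')}")
        elif v is None:
            clauses.append(f"{field} IS NULL")
        elif isinstance(v, str) and ("*" in v or "?" in v):
            clauses.append(f"{field} {_like(v, wildcards=True)}")
        else:
            clauses.append(f"{field} = {_lit(v)}")
    return "(" + " OR ".join(clauses) + ")"


def _selection_sql(sel: Any) -> str:
    if isinstance(sel, list):                       # list of maps = OR of maps (Sigma semantics)
        return "(" + " OR ".join(_selection_sql(s) for s in sel) + ")"
    if isinstance(sel, dict):                       # map = AND of its fields
        return "(" + " AND ".join(_field_sql(k, v) for k, v in sel.items()) + ")"
    raise ValueError("keyword-only selections are not supported in this example")


def compile_rule(rule: Dict[str, Any], table: str = "events", columns: str = "*") -> str:
    """The 'live SQL preview': named selections become parenthesized predicates and the
    condition's and/or/not pass through (SQL shares Sigma's NOT > AND > OR precedence)."""
    det = rule["detection"]
    named = {k: _selection_sql(v) for k, v in det.items() if k != "condition"}

    def sub(m: "re.Match[str]") -> str:
        tok = m.group(0)
        if tok.lower() in ("and", "or", "not"):
            return tok.upper()
        if tok in named:
            return named[tok]
        raise ValueError(f"unsupported condition token: {tok!r}")   # e.g. '1 of them'

    where = re.sub(r"[A-Za-z_][A-Za-z0-9_]*", sub, det["condition"])
    return f"SELECT {columns} FROM {table} WHERE {where}"


# Constructed, hand-labelled sample events (not real traffic). `malicious` is the
# ground truth used only by the test harness, never by the rule itself.
EVENTS: List[Dict[str, Any]] = [
    {"id": 1, "app": "sshd", "src_ip": "198.51.100.7", "message": "Failed password for invalid user admin", "malicious": 1},
    {"id": 2, "app": "sshd", "src_ip": "10.0.0.5", "message": "Failed password for alice", "malicious": 0},
    {"id": 3, "app": "sshd", "src_ip": "198.51.100.7", "message": "Accepted password for alice", "malicious": 0},
    {"id": 4, "app": "sshd", "src_ip": "203.0.113.9", "message": "Failed password for root", "malicious": 1},
    {"id": 5, "app": "sudo", "src_ip": "", "message": "Failed password attempt", "malicious": 0},
    {"id": 6, "app": "sshd", "src_ip": "192.0.2.44", "message": "Failed password for bob", "malicious": 0},
]


def run_rule(rule: Dict[str, Any], events: List[Dict[str, Any]]) -> List[int]:
    """Execute the compiled rule against the events in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, app TEXT, src_ip TEXT, message TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?)",
                     [(e["id"], e["app"], e["src_ip"], e["message"]) for e in events])
    hits = sorted(row[0] for row in conn.execute(compile_rule(rule, columns="id")))
    conn.close()
    return hits


def evaluate(rule: Dict[str, Any], events: List[Dict[str, Any]],
             min_precision: float = 0.8, max_false_positives: int = 0) -> Dict[str, Any]:
    """Quality gate: precision and false-positive count over the labelled corpus."""
    hits = set(run_rule(rule, events))
    tp = sum(1 for e in events if e["id"] in hits and e["malicious"])
    fn = sum(1 for e in events if e["id"] not in hits and e["malicious"])
    fp = len(hits) - tp
    precision = tp / len(hits) if hits else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"hits": sorted(hits), "tp": tp, "fp": fp, "fn": fn,
            "precision": precision, "recall": recall,
            "gate_passed": precision >= min_precision and fp <= max_false_positives}


if __name__ == "__main__":
    print(compile_rule(RULE))          # the SQL preview an analyst would review before promoting
    print(evaluate(RULE, EVENTS))      # fails the default gate: event 6 is a labelled false positive
```

With the sample corpus the rule catches both labelled attacks but also fires on event 6, so precision is 2/3 and the default gate (precision at least 0.8, zero false positives) rejects it; either the rule is tuned or the gate is consciously relaxed. The compiler quotes every rule value and validates field names, which matters in a design where rule authors can also write SQL directly: the preview must show exactly the statement that will run.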

What kind of reports does Vision generate?

Five report types, all AI-assisted: executive reports for your CISO and board, compliance reports mapped to SOC 2/ISO 27001/HIPAA, incident reports with full timelines and IOC inventories, technical reports with rule performance and ATT&CK coverage, and custom reports that mix sections from any type.

How does the investigation workspace (Spaces) work?

Spaces are infinite, zoomable investigation canvases. Drag widgets onto the canvas: search results, timelines, MITRE ATT&CK matrix, entity cards, enrichment data, and correlation maps. An AI copilot sees your entire canvas, suggests next queries, enriches IOCs, and generates investigation findings. Multiple analysts collaborate in real time with live cursor tracking.

Integrations & Data

How does LogSeam integrate with my existing SIEM?

LogSeam doesn't have to replace your SIEM; it can run alongside it. Export your SIEM logs to object storage (S3, Azure Blob, GCS) in JSON format, and LogSeam ingests them automatically. Pre-built connectors for Splunk, Sentinel, and QRadar make setup straightforward. Most integrations take under 30 minutes.

How do AI agents integrate with LogSeam?

LogSeam includes an MCP (Model Context Protocol) server for AI agent integration. The MCP server lets AI agents like Claude, Cursor, and custom tools query your security data directly.

How long is data retained?

As long as you need it. Because LogSeam uses object storage, retention is limited by your storage policy and budget — not by hot compute costs. Many teams use this model to retain years of full-fidelity data at a lower cost than keeping short hot-retention windows in a traditional SIEM.

Security & Compliance

Is my data secure with LogSeam?

Yes. AES-256 encryption at rest and TLS 1.3 in transit. Role-based access control with SSO/SAML support. Full audit trails for every action. Your data lives in your own object storage — LogSeam processes it but never takes custody of it.

What compliance frameworks does LogSeam support?

Vision generates compliance reports mapped to SOC 2, ISO 27001, and HIPAA. Detection coverage is mapped to MITRE ATT&CK tactics and techniques. The platform captures analyst action audit trails for compliance evidence, reducing the manual prep needed for recurring reports.

Deployment & Support

What deployment options are available?

Cloud (fully managed), hybrid (compute in our cloud, storage in yours), or on-premises for organizations with strict data residency requirements. All deployment options provide the same feature set.

What support is available?

Core Support includes 8x5 response, software updates, email or chat support, and standard triage. Critical Support includes 24x7 response, software updates, priority communication, and incident bridge support.

Can I try LogSeam before committing?

Yes. Contact us for a guided demo with your own data, or request a proof-of-concept deployment. We'll help you connect a data source and see results before you make any commitment.

Still have questions?

We'll answer them — usually the same business day.