The engine that runs the SOC.
Scale. Workflow. Rules & Patterns.
Three primary capabilities that power every SOC operation — elastic per-query compute, fully composable workflows, and detection that goes well beyond a single SIGMA rule.
One engine. Every SOC workflow.
Replaces SIEM, SOAR, UEBA, and the detection engine.
Detection, response, hunt, and intelligence run on one runtime. Stop paying four vendors and stitching their APIs together to get one outcome.
Pay for the nodes you run. Not per event.
Predictable per-compute-node pricing — no per-GB ingest tax, no per-query meter, no surprise bill when alert volume spikes. You size the cluster; the platform uses every node automatically.
Your bucket. Open Parquet. No retention tax.
Apache Parquet on object storage you already own. No per-GB ingest fees, no cold-tier surprises, no egress charge when you leave. Storage is yours.
Workflows · rules · patterns · agents — same primitive.
A workflow can call a workflow. An agent can call a workflow. A pattern can feed a rule. One runtime, one audit trail, infinite combinations. Build once, reuse everywhere.
Per-query compute. Two nodes or two hundred.
A small query gets a small footprint. A petabyte hunt gets a fleet. LogSeam adapts the compute envelope to the request — automatically, per query — and accelerates everything with distributed SQL, smart caching, and entity tables.
Per-query elastic compute means the engine right-sizes itself to the work. One analyst's quick search runs cheap. The same lake hosting a petabyte hunt runs the same query plan across hundreds of nodes — automatically, with no operator intervention.
Underneath: an advanced distributed SQL planner, smart result caching, and pre-computed entity tables that fold repeated joins into sub-second answers.
- per-query node allocation — 2 to 200+, automatic
- distributed SQL with cost-based planning
- result and intermediate-stage caching
- entity tables for users, hosts, IPs, sessions
- sub-second median search across billions of rows
The right shape of compute for each query.
An entity search across billions of rows isn't the same shape of work as a complex CTE with window functions. The platform composes compute for each query — fanning out across many small nodes, aggregating partial results, or crunching it all on a single heavy node — whichever pattern fits the job.
Many small nodes.
Best for entity scans across billions of rows. Each node sweeps its slice of the lake; results merge cheaply. Throughput beats depth.
Workers feed an aggregator.
Best for multi-stage joins and group-by rollups. Workers handle their shards; an aggregator stitches the partial results into the final answer.
One big compute.
Best for complex CTEs, window functions, and large analytical joins. A single heavy node keeps state local — no shuffle tax across the cluster.
Composable workflows. Triggered by anything.
A workflow is how repeatable work moves through the platform. Anything can start one — an event, a schedule, an alert or incident, a rule or pattern match, or an agent. Every workflow scales across the cluster and composes freely with every other.
Workflows are how the platform moves work. They live as code, run distributed across the cluster, and chain freely. A workflow can spawn other workflows. An agent can launch a workflow. A workflow can call an agent. Same engine, same audit trail.
Anything that's repeatable belongs in a workflow — scheduled threat assessments, daily rule reviews, threat-model application against new alerts, intelligence refreshes, evidence packaging at incident close.
- triggers: event · schedule · alert/incident · rule · agent
- composable — workflows call workflows or agents
- distributed execution across the cluster
- full audit trail for every step
- versioned in code — diffable, reviewable, reusable
Rules for what's known. Patterns for what isn't.
Detection-as-code in two complementary forms. Rules cover known TTPs in a single SIGMA / SQL match. Patterns chain SQL and analytics steps to model behavior, statistics, and outliers across the entire lake.
SIGMA, backed by SQL.
Author in Sigma — the open, vendor-agnostic standard — or write SQL directly. Every rule shows a live SQL preview of exactly what will execute. Single-shot match, MITRE-classified, instantly testable.
# sigma rule — admin login from new country
title: Admin Auth from Unseen Country
logsource:
  product: okta
detection:
  selection:
    eventType: user.session.start
    user.role: admin
  filter:
    geo.country: in known_admin_countries
  condition: selection and not filter
- SIGMA in, SQL out — open standard
- live SQL preview in the editor
- quality gates: precision, FP rate, latency
- MITRE ATT&CK classification per rule
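As an added illustration of the "SIGMA in, SQL out" idea, and not LogSeam's own compiler, the example below translates a rule shaped like the one above into a parameterised SQL query and runs it against a handful of constructed Okta-style events in an in-memory SQLite table (a stand-in for the distributed SQL engine). The flat column names, the `in <list>` filter extension resolving to a Python list, and the `A and not B` condition handler are all assumptions made for this example.

```python
import sqlite3

# Rule mirroring the page's example. The "in known_admin_countries" filter is a
# page-specific extension; here it is resolved against a Python list (assumption).
RULE = {
    "title": "Admin Auth from Unseen Country",
    "detection": {
        "selection": {"eventType": "user.session.start", "user.role": "admin"},
        "filter": {"geo.country": "in known_admin_countries"},
        "condition": "selection and not filter",
    },
}

LISTS = {"known_admin_countries": ["US", "DE"]}  # constructed lookup list

# Sigma field names carry dots; assumed mapping onto flat SQL column names.
FIELD_MAP = {
    "eventType": "event_type",
    "user.role": "user_role",
    "geo.country": "geo_country",
}


def compile_block(block):
    """Translate one detection block ({field: value}) into a SQL predicate plus bind params."""
    clauses, params = [], []
    for field, value in block.items():
        col = FIELD_MAP[field]
        if isinstance(value, str) and value.startswith("in "):
            values = LISTS[value[3:]]
            placeholders = ",".join("?" * len(values))
            clauses.append(f"{col} IN ({placeholders})")
            params.extend(values)
        else:
            clauses.append(f"{col} = ?")  # bound, never string-interpolated
            params.append(value)
    return "(" + " AND ".join(clauses) + ")", params


def compile_rule(rule):
    """Handle the `<block> and not <block>` condition shape used by the page's rule."""
    det = rule["detection"]
    left, _, right = det["condition"].partition(" and not ")
    sel_sql, sel_params = compile_block(det[left])
    flt_sql, flt_params = compile_block(det[right])
    sql = (
        "SELECT ts, user_name, geo_country FROM events "
        f"WHERE {sel_sql} AND NOT {flt_sql} ORDER BY ts"
    )
    return sql, sel_params + flt_params


# Constructed sample events: (ts, event_type, user_role, user_name, geo_country)
EVENTS = [
    ("2024-05-01T08:00:00Z", "user.session.start", "admin", "alice", "US"),
    ("2024-05-01T08:05:00Z", "user.session.start", "admin", "bob", "BR"),
    ("2024-05-01T08:07:00Z", "user.session.start", "member", "carol", "BR"),
    ("2024-05-01T08:09:00Z", "user.session.end", "admin", "alice", "BR"),
    ("2024-05-01T08:12:00Z", "user.session.start", "admin", "dave", "DE"),
]


def run_rule(rule=RULE, events=EVENTS):
    """Load the constructed events into SQLite and return the rows the rule matches."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (ts TEXT, event_type TEXT, user_role TEXT, "
        "user_name TEXT, geo_country TEXT)"
    )
    conn.executemany("INSERT INTO events VALUES (?,?,?,?,?)", events)
    sql, params = compile_rule(rule)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    print(compile_rule(RULE)[0])
    for row in run_rule():
        print("MATCH", row)
```

Only bob's admin session from BR survives: alice and dave log in from listed countries, carol is not an admin, and alice's second event is a session end. One caveat a live SQL preview makes visible: `NOT (geo_country IN (...))` evaluates to NULL when the country field is missing, so events with no geo enrichment silently fall out of the match; a rule that should also fire on unknown geography needs an explicit `geo_country IS NULL OR` clause.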
Composed analytics. Behavior, baselines, outliers.
Patterns chain multiple SQL or analytics steps into one detection. Use them for behavioral sequences, statistical baselines, user / host profiling, or outlier hunts across petabyte-scale data.
- chain SQL + analytics steps · share state between steps
- behavioral sequences over time
- statistical baselines · z-scores · percentiles
- user / host / session profiling via entity tables
- outlier hunts across the full lake
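To show what a multi-step pattern looks like once it leaves SQL, the added example below (not LogSeam code) takes the output of an assumed first step, a `user, day, COUNT(*)` rollup of login events, builds a per-user baseline from the preceding days, and flags the latest day by z-score. The daily counts are constructed, and the handling of flat service accounts (zero standard deviation) is a design choice made here, not something the page specifies.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed rows standing in for step 1 of a pattern:
#   SELECT user_name, day, COUNT(*) FROM events WHERE event_type = 'user.session.start'
#   GROUP BY user_name, day
DAILY_LOGINS = [
    ("alice", "2024-05-01", 12), ("alice", "2024-05-02", 11), ("alice", "2024-05-03", 13),
    ("alice", "2024-05-04", 10), ("alice", "2024-05-05", 12), ("alice", "2024-05-06", 48),
    ("bob", "2024-05-01", 3), ("bob", "2024-05-02", 4), ("bob", "2024-05-03", 2),
    ("bob", "2024-05-04", 3), ("bob", "2024-05-05", 4), ("bob", "2024-05-06", 5),
    ("svc-backup", "2024-05-01", 7), ("svc-backup", "2024-05-02", 7), ("svc-backup", "2024-05-03", 7),
    ("svc-backup", "2024-05-04", 7), ("svc-backup", "2024-05-05", 7), ("svc-backup", "2024-05-06", 7),
]


def baselines(rows, last_day, min_history=3):
    """Step 2: per-user mean and population stddev over every day before `last_day`.
    Users with too little history get no baseline and are skipped downstream."""
    history = defaultdict(list)
    for user, day, count in rows:
        if day < last_day:  # ISO dates compare correctly as strings
            history[user].append(count)
    return {u: (mean(c), pstdev(c)) for u, c in history.items() if len(c) >= min_history}


def zscore_outliers(rows, last_day, threshold=3.0):
    """Step 3: score `last_day` against each user's own baseline and keep |z| >= threshold.
    A constant history (sigma == 0) is treated as an outlier only if the value moved,
    which avoids a division by zero on flat service accounts."""
    base = baselines(rows, last_day)
    hits = []
    for user, day, count in rows:
        if day != last_day or user not in base:
            continue
        mu, sigma = base[user]
        if sigma == 0:
            z = float("inf") if count != mu else 0.0
        else:
            z = (count - mu) / sigma
        if abs(z) >= threshold:
            hits.append((user, count, round(z, 2)))
    return hits


if __name__ == "__main__":
    for user, count, z in zscore_outliers(DAILY_LOGINS, "2024-05-06"):
        print(f"OUTLIER user={user} logins={count} z={z}")
```

With the default threshold only alice is flagged (48 logins against a baseline around 11.6 with a spread near 1). Lowering the threshold to 2 also catches bob, whose 5 logins sit about 2.4 standard deviations above his mean, which is the kind of tuning the page's quality gates (precision, FP rate) are meant to make explicit rather than accidental.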
Wired into the rest of your stack.
The platform isn't an island. Pull context in, push outcomes out, and read from any data source you already run — without standing up a parallel pipeline.
Context on every event.
Threat intel and reputation feeds attach to events the moment they land — IOCs, ASN, geo, MITRE TTPs, recent campaigns.
Push outcomes where the team works.
Findings, alerts, and case updates flow into the tools your team already lives in. Bi-directional where it matters — ticket comments sync back to the case.
Read from anything you already run.
Lakes, warehouses, SIEMs, databases, object storage — query in place or land a copy in the lake. No forced migration.
Your analysts. Amplified.
Send your ingest profile and retention targets — we'll size it.