Introduction to nano
nano is a modern, AI-powered SIEM platform built for security teams that want fast log analytics without the complexity of legacy tools.
Whether you're ingesting 2 GB/day on the Hobby tier or 50+ TB/day on Enterprise, nano provides full SIEM functionality — detection, alerting, investigation, and response — backed by ClickHouse for fast queries and pivt AI for intelligent assistance.
Why nano?
Fast
- Sub-second queries across billions of events using ClickHouse
- Real-time detection with sub-30s latency via materialized views
- High-performance ingestion with Vector — HTTP, Syslog, HEC, and native Vector protocol
AI-Powered
- pivt AI generates parsers, queries, detection rules, and investigation summaries from natural language
- Auto-tuning reduces false positives by analyzing historical detection matches
- Shadow Investigation autonomously hunts for threats when cases are created
- Multi-provider — Anthropic, OpenAI, Google via Cloudflare AI Gateway
Powerful Query Language
- nPL (nano Pipe Language) — piped syntax: `source_type="cloudtrail" | stats count by user | sort -count`
- 50+ eval functions, including security-specific ones: `cidr_match`, `is_private_ip`, `base64_decode`, `defang`
- Advanced analytics with timecharts, window functions, and statistical analysis
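To make the piped syntax concrete, here is an added Python model of how the three-stage query above is evaluated over a handful of constructed events. It is not nano's query engine; the stage semantics (a `field="value"` filter, `stats count by` producing one row per distinct value, `sort -field` meaning descending) are assumed from the example query, not documented here.

```python
import re
from collections import Counter

# Constructed sample events (not real CloudTrail data).
EVENTS = [
    {"source_type": "cloudtrail", "user": "alice"},
    {"source_type": "cloudtrail", "user": "bob"},
    {"source_type": "cloudtrail", "user": "alice"},
    {"source_type": "syslog", "user": "root"},
    {"source_type": "cloudtrail", "user": "carol"},
    {"source_type": "cloudtrail", "user": "alice"},
]

def stage_filter(events, expr):
    """Apply a field="value" equality filter (assumed nPL search stage)."""
    m = re.fullmatch(r'(\w+)="([^"]*)"', expr.strip())
    if not m:
        raise ValueError(f"unsupported filter: {expr}")
    field, value = m.groups()
    return [e for e in events if e.get(field) == value]

def stage_stats(events, args):
    """'stats count by <field>': one row per distinct value with its count."""
    m = re.fullmatch(r"count by (\w+)", args.strip())
    if not m:
        raise ValueError(f"unsupported stats: {args}")
    field = m.group(1)
    counts = Counter(e.get(field) for e in events)
    return [{field: k, "count": v} for k, v in counts.items()]

def stage_sort(rows, args):
    """'sort -<field>' sorts descending, 'sort <field>' ascending (assumed)."""
    key = args.strip()
    desc = key.startswith("-")
    key = key.lstrip("-")
    return sorted(rows, key=lambda r: r[key], reverse=desc)

def run_npl(query, events):
    """Split on '|' and feed each stage the previous stage's output."""
    stages = [s.strip() for s in query.split("|")]
    rows = stage_filter(events, stages[0])
    for stage in stages[1:]:
        cmd, _, args = stage.partition(" ")
        if cmd == "stats":
            rows = stage_stats(rows, args)
        elif cmd == "sort":
            rows = stage_sort(rows, args)
        else:
            raise ValueError(f"unknown command: {cmd}")
    return rows

if __name__ == "__main__":
    print(run_npl('source_type="cloudtrail" | stats count by user | sort -count', EVENTS))
```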
Security-First
- Risk-based alerting with per-entity risk scoring
- Prevalence tracking — detect rare/first-seen indicators automatically
- MITRE ATT&CK mapping for all detection rules
- Unified Data Model — 75+ normalized fields for cross-source correlation
- Case management with AI-powered investigation timelines
Architecture
Key Components
| Component | Technology | Purpose |
|---|---|---|
| Log Collector | Vector | High-performance ingestion, parsing, and routing |
| Log Storage | ClickHouse | Time-series log storage with sub-second analytics |
| Metadata Store | PostgreSQL | Rules, alerts, dashboards, users, configuration |
| API | Rust (Axum) | Management API — rules, alerts, settings, ingestion |
| Search | Rust (Axum) | Query execution, field stats, async jobs |
| Frontend | React | Web interface with lazy-loaded components |
| AI Assistant | pivt (via Cloudflare AI Gateway) | Parser creation, query building, detection tuning, investigation |
| Marketplace | Built-in | Enrichments, threat intel feeds, and community integrations |
Deployment Options
nano deploys as a managed service or into your own cloud (BYOC):
| Tier | Capacity | Infrastructure |
|---|---|---|
| Hobby / Startup | 2-5 GB/day | Single VPS (Docker Compose) |
| Growth | 10 GB/day | Kubernetes (single pool) |
| Team / Business | 15-25 GB/day | Kubernetes with HA |
| Pro | 100 GB/day | Multi-pool Kubernetes |
| Enterprise | Unlimited | ClickHouse Cloud + managed PostgreSQL |
See Deployment Architecture for full details on each tier.
Get Started
- Set Up Your First Feed — import a pre-built parser or create one with the AI wizard
- Search Your Data — learn nPL to hunt through your logs
- Create Detection Rules — automate threat detection
- Configure pivt AI — set up providers, models, and organizational guidance
- Deploy On-Prem Collection — collect Windows, Linux, and network logs