Features

A SIEM you can read. And one that runs.

Open-core engine in Rust. Sub-second search over billions of events. AI woven through every surface. And settings deep enough to make it actually yours.

The engine

Fast on purpose. Reliable by design.

Rust at the core, ClickHouse for storage, Vector for ingest. No JVM warmups, no garbage-collection pauses, no surprise memory limits. The whole stack picked for one job, which is getting your team to an answer.

Query p99: <100ms. Over billion-row tables, including year-long aggregations and joins.
Ingest peak: 1.5k EPS. On a single Pro-tier node. Scales horizontally for bigger pipes.
Uptime SLA: 99%. Contractual on managed plans. Self-host hits whatever your infra hits.

Rust: Memory-safe core. Detection, query planner, ingest pipeline. All Rust.
ClickHouse: Columnar storage. Sub-second over billions of rows, compression baked in.
Vector: High-throughput ingest. Parses, normalizes, and routes events at line rate.
Open core

Read the source. Run it yourself.

The engine, the detection rules, the parsers, the docs. All in the open. A platform you can audit, fork, and self-host; managed cloud is for convenience, not control.

Search

Queries that make sense.

Pipe-based, left-to-right. Familiar if you've used Splunk. Stricter, faster, and the autocomplete actually knows your schema.

Brute force detection
  source_type=auth action=login status=failure
  | stats count as attempts by src_ip, user
  | where attempts > 10
  | sort -attempts
  ...

Rare domain hunting
  source_type=proxy earliest=-7d
  | prevalence window=7d enrich=true
  | where host_count < 3 AND is_rare=true
  | table dest_host, first_seen, host_count
  ...

Process tree analysis
  source_type=sysmon action=process_create
  | tree process root="*powershell*"
  | prevalence enrich=true
  | where depth > 3
  ...

Beaconing detection
  source_type=proxy
  | bin span=10m
  | stats count by dest_host, _time
  | streamstats window=6 stdev(count) as jitter by dest_host
  ...
Detection

Rules in nPL. Not YAML hellscapes.

YAML frontmatter for metadata, pipe-language for the actual hunt. MITRE mapping, risk scoring, and prevalence enrichment are first-class, not glued on with a script.

beacon_interval.yml
  ---
  title: regular_beacon_interval_detection
  severity: high
  mode: staging
  schedule: "*/10 * * * *"
  mitre_tactics: TA0011
  mitre_techniques: T1095
  ---
  source_type = squid_proxy
  | where dest_ip != /^(10\.|192\.168\.)/
  | stats count, dc(timestamp) as unique_times by src_host, dest_ip
  | where count > 20 AND unique_times > 15
  | prevalence enrich=true window=30d
  | risk score=70 entity=src_host factor="Regular beacon pattern"
  | table timestamp, src_host, dest_ip, count, host_count, risk_score
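The beaconing query in the Search section and the beacon_interval.yml rule above reduce to the same computation: drop internal destinations, bucket proxy events per destination, count them, and watch how flat those counts stay. This added Python example (not nano code and not nPL) carries that pipeline through over constructed proxy events; the 10-minute span, the six-bucket window and the 0.5 jitter threshold are assumptions, since the page's query stops before its `where` clause.

```python
import re
import statistics
from collections import defaultdict

# Same internal-range exclusion the beacon_interval.yml rule applies to dest_ip.
INTERNAL = re.compile(r"^(10\.|192\.168\.)")

def sample_events():
    """Constructed proxy events as (epoch_seconds, dest_ip): one host beaconing
    to 198.51.100.7 every 60s for two hours, irregular browsing to 203.0.113.9,
    and internal traffic to 192.168.1.10 that the rule excludes."""
    beacon = [(t, "198.51.100.7") for t in range(0, 7200, 60)]
    browse = [(t, "203.0.113.9") for t in (5, 700, 720, 1300, 3100, 3105, 3110, 4000, 6500)]
    internal = [(t, "192.168.1.10") for t in range(0, 7200, 30)]
    return beacon + browse + internal

def bin_counts(events, span=600):
    """`bin span=10m | stats count by dest_host, _time`: events per 10-minute
    bucket per destination. Empty buckets are not emitted, as with stats."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, dest in events:
        if INTERNAL.match(dest):
            continue
        counts[dest][ts - ts % span] += 1
    return counts

def rolling_jitter(counts, window=6):
    """`streamstats window=6 stdev(count) as jitter by dest_host`: sample stdev
    of the last `window` bucket counts, per destination, in time order.
    Returns {dest: [(bucket_start, count, jitter), ...]}."""
    out = {}
    for dest, buckets in counts.items():
        order = sorted(buckets)
        rows = []
        for i, start in enumerate(order):
            series = [buckets[s] for s in order[max(0, i - window + 1):i + 1]]
            jitter = statistics.stdev(series) if len(series) > 1 else 0.0
            rows.append((start, buckets[start], jitter))
        out[dest] = rows
    return out

def flag_beacons(events, window=6, max_jitter=0.5):
    """Flag destinations whose bucket counts stay flat once the window is full.
    The threshold is an assumption: the page's query stops before its where."""
    flagged = []
    for dest, rows in rolling_jitter(bin_counts(events), window).items():
        full = rows[window - 1:]
        if full and all(j <= max_jitter for _, _, j in full):
            flagged.append(dest)
    return sorted(flagged)
```

A real deployment would also require a minimum count per bucket, otherwise a destination seen once per bucket is just as "flat" as a beacon.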
Investigation

From alert to closed ticket.

Cases bundle the alert, the evidence, the timeline, and the analyst's notes in one place. Notebooks for ad-hoc hunting. Process trees and identity resolution for the messy parts.

CASE-2026-0421 · In progress
PowerShell process tree off jsmith-pc
Severity: High · 87/100
Assignee: mira@acme.io
Entity: jsmith-pc · jsmith@acme.io
Detection: suspicious_powershell_chain

10:42  Alert   Detection fired, severity high
10:43  pivt    Pulled process tree, identity, asset context
10:46  Note    mira: "looks like a phishing payload"
10:51  Action  Host quarantined via EDR integration

Process tree · jsmith-pc (legend: Common · Uncommon · Rare)
explorer.exe PID 1234
outlook.exe PID 2345
  └ powershell.exe PID 3456
    └ cmd.exe /c whoami PID 4567
      └ certutil.exe -decode PID 5678
        └ payload.exe PID 6789

Identity resolution · resolved in 84ms
192.168.1.50 ───► jsmith-pc
Sources: DHCP · Infoblox; EDR · Sysmon; Proxy logs
NAT detected: 10.0.0.1 → 47 hosts/hour
AI agents

Agents that do the boring parts.

pivt, nano's AI assistant, is woven into every surface. Triage alerts, build parsers, follow playbooks, draft case notes. Configurable, auditable, and never the one closing the ticket without you.

01 · Detection · Alert fires
02 · pivt · Auto-triage & pull context
03 · pivt · Run playbook steps
04 · pivt · Draft case summary
05 · Analyst · Review & close
01 · Workflows

Full agent workflows.

Define steps in YAML. pivt runs them on every alert: pull EDR context, check threat intel, query identity, draft a summary. Stop a step for human approval whenever you want.

02 · Parsers

AI-built parsers.

Drop a sample log, get a working parser. pivt reads the format, writes the grok, validates against your data. The 80% case in two minutes, not two days.

03 · Playbooks

Playbooks agents follow.

Write incident response runbooks once. pivt executes them on the right alerts, asking for human confirmation on the steps that need it. Auditable trail of every action.

Enrichment & marketplace

Context without the clicks.

IPs enriched with GeoIP and ASN. Domains checked against threat intel. Hashes matched to known malware. All automatic, all on ingest. And when our defaults aren't enough, you ship a custom enrichment in a few lines.

GeoIP (auto · on ingest ✓ 42ms)
  ip: 185.220.101.1
  country: Russia
  city: Moscow
ASN Lookup (auto · on ingest ✓ 28ms)
  asn: AS12345
  org: DigitalOcean
  type: Hosting
Hash Lookup (auto · on ingest ✓ 119ms)
  sha256: abc123…
  family: Cobalt Strike
  first_seen: 2023-08-14
Threat Intel (auto · on ingest ✓ 67ms)
  domain: evil-c2.ru
  verdict: Known C2
  confidence: 95%
Asset Context (from CMDB · auto ✓ 12ms)
  host: 192.168.1.50
  owner: J. Smith
  dept: Finance
Your Custom (custom · 40 lines ✓ 23ms)
  badge_id: EMP-4729
  location: SF · Floor 3
  on_call: false
Marketplace

The community brings the parsers.

1,200+ parsers, detection rules, dashboards, and enrichments. Curated, versioned, one-click install. Or fork them and make them yours.

Parser · v2.1.0 · @nano-rs · ★ 412
Palo Alto PAN-OS
Full traffic, threat, and config log parsing for PAN-OS 10+ firewalls. 47 source types.

Detection pack · v1.4.2 · @redteam-ops · ★ 1.2k
Atomic Red Team, Windows
78 nPL detections mapped to the Atomic Red Team library. MITRE-tagged and tested.

Dashboard · v3.0.1 · @nano-rs · ★ 687
SOC analyst home
Open cases, fresh detections, top entities by risk, fleet health. The default Tier-1 view.

Enrichment · v1.0.4 · @community · ★ 234
VirusTotal hash lookup
Drop-in VT integration. Caching, rate-limit handling, free-tier friendly defaults.

Playbook · v2.0.0 · @ir-collective · ★ 921
Phishing IR runbook
14-step incident response playbook for email-based phishing. Quarantine, notify, document.

Source pack · v1.8.0 · @nano-rs · ★ 543
Cloud audit (multi)
AWS CloudTrail, GCP Audit, Azure Activity. One pack, normalized to a common schema.

The marketplace lives inside nano. Browse and install without leaving the product. Every artifact is open source, so fork and contribute through GitHub.

Entity risk & prevalence

Risk that gets the right number.

Risk scores stack across signals. Rules contribute weighted factors, prevalence baselines tell you what's actually rare, and the score updates in real time as more events land.

  • Configurable weights per detection rule and entity type
  • Prevalence baselines built from 365+ days of your data
  • Decay curves so old signals fade, fresh ones dominate
  • Entity types you define · users, hosts, services, apps

Entity · jsmith@acme.io · Risk score 87 / 100 · High
  Failed logins · 3 in 24h · +24
  Suspicious download · cobalt-strike beacon · +38
  Off-hours activity · 03:14 local · +15
  Rare process · certutil decode · +10
Operations

Your SIEM checks its own pulse.

Dashboards that compose. A health page that runs on autopilot, scanned by pivt every 12 hours. And settings deep enough to make every team's nano feel custom, without a fork.

SIEM health · acme-prod · Last scan 4h 12m ago by pivt
  Ingestion   8.4 GB/d      Healthy
  Detection   142 rules     Healthy
  Search      38ms p99      Healthy
  Storage     82% used      Warning
  AI          2.1k req/mo   Healthy
  pivt: Storage at 82% of plan capacity, projected to fill in ~18 days at current ingest. The Sysmon source from fleet-2 increased 40% over the last week, likely a new EDR rollout. Consider archiving older partitions or upgrading to Team tier for object-storage tiering.

SOC analyst home · Last 24h
  Open cases: 14 (-3 vs yesterday)
  High-risk entities: 7 (+2 vs yesterday)
  Alerts chart: alerts against the 7-day average

Settings · ⌘K · Search 240 settings
  General: 18 settings
  Data sources: 32 settings
  Detection: 47 settings
  AI & agents: 28 settings
  Integrations: 61 settings
  Team & access: 22 settings
  Billing: 12 settings
Getting started

From signup to first detection.

Five steps. No services engagement. No "professional services" line item on the invoice. Most teams hit step 5 the same afternoon.

1. Sign up
   Pick a tier, pick a region, get a cluster. Or self-host the open core.
2. Connect a source
   Cloud audit, EDR, firewall. One-click for the popular ones, drop a sample for the rest.
3. Run a search
   Pipe-language query bar. Autocomplete knows your schema. Sub-second answers.
4. Enable detections
   Install detection packs from the marketplace, or write your own in nPL.
5. Get alerted
   Cases land in your queue with pivt's triage already done. You take it from there.

Full walkthrough with screenshots in the getting-started guide. About 20 minutes end-to-end.

Stop avoiding the search bar. Start using one.

Read the docs, fork the engine, run the demo. Or sign up and ingest something this afternoon.

Self-host the open core for free · or run managed from $19/mo