Get started
Solutions / Security Enthusiasts
For security enthusiasts

Your lab. Your rules.

A production-grade SIEM for your home lab, CTF prep, or weekend threat hunting. The same engine the SOCs run, on a price you can run on the side.

Get started
Detection rules

Detection rules, your way.

Write nPL detection rules that combine YAML frontmatter with a pipe-based query language. MITRE ATT&CK mapping, risk scoring, and prevalence enrichment built in.

beacon_interval.yml ··· 
1---
2title: regular_beacon_interval_detection
3description: "Detects network connections with regular beacon-like timing patterns"
4author: nano.rs
5severity: high
6mode: staging
7schedule: "*/10 * * * *"
8mitre_tactics: TA0011
9mitre_techniques: T1095
10---
11source_type = squid_proxy
12| where dest_ip != /^(10\.|192\.168\.)/
13| stats count, dc(timestamp) as unique_times by src_host, dest_ip
14| where count > 20 AND unique_times > 15
15| prevalence enrich=true window=30d
16| risk score=70 entity=src_host factor="Regular beacon pattern"
17| table timestamp, src_host, dest_ip, count, host_count, risk_score
Query engine

Query everything.

Pipe-based query language over ClickHouse. Filter, enrich, and correlate events in real time with sub-second response over billions of rows.

hunt, uncommon outbound ··· 
1source_type = zeek_conn
2| where dest_port IN (443, 8443, 8080)
3| stats count by src_ip, dest_ip, dest_port
4| prevalence enrich=true
5| where host_count < 3
6| table timestamp, src_ip, dest_ip, dest_port, count, host_count
Results 3 events matched · 142 ms
Timestamp Src IP Dest IP Dest port Count Host count
10:42:31 10.0.1.42 185.220.101.8 443 847 1
10:41:18 10.0.1.42 91.215.85.17 8443 312 2
10:40:05 10.0.3.15 45.33.32.156 8080 156 1
Platform

Built for tinkerers.

Everything you need to run a serious security operation from your home lab, with no compromises against what the SOCs get.

01 · Parsers

50+ built-in parsers.

Sysmon, Zeek, Suricata, Windows Event Logs, cloud audit trails, and more. Parse everything out of the box, and write your own when you don't.

02 · Deployment

Self-hosted or cloud.

Run nano on your home lab, a VPS, or let us manage it. Your data, your infrastructure, your choice. The open core never expires.

03 · Engine

Rust + ClickHouse.

Sub-second queries over billions of events. No JVM warmups, no garbage-collection pauses, no surprise memory limits.

04 · Open core

Open detection rules.

Write nPL detection rules with MITRE mapping, risk scoring, and prevalence enrichment. Full transparency. No vendor lock-in.

Recommended tier

Hobby. Or self-host the open core.

The managed Hobby tier runs $19/mo ($17 on annual), 2 GB/day, 365+ day retention, 300 AI requests, all the product. Or self-host nano's open core for free, on your own iron.

$19/mo
Hobby tier · or self-host free
See full pricing

Open the search bar. Hunt something.

Bring your logs, your wireshark captures, your CTF dumps. The product is the same one the SOCs get.

Get started Read the docs

Hobby tier from $19/mo · or self-host the open core for free