For Security Enthusiasts

Your lab. Your rules.

nano gives you a production-grade SIEM for your home lab, CTF practice, or personal threat hunting — free forever on the hobby tier.

Detection Rules

Detection rules, your way

Write nPL detection rules that combine YAML frontmatter with a pipe-based query language. MITRE ATT&CK mapping, risk scoring, and prevalence enrichment built in.

beacon_interval.yml


---
title: regular_beacon_interval_detection
description: "Detects network connections with regular beacon-like timing patterns"
author: nano.rs
severity: high
mode: staging
schedule: */10 * * * *
mitre_tactics: TA0011
mitre_techniques: T1095
---
source_type = squid_proxy
| where dest_ip != /^(10\.|192\.168\.)/
| stats count, dc(timestamp) as unique_times by src_host, dest_ip
| where count > 20 AND unique_times > 15
| prevalence enrich=true window=30d
| risk score=70 entity=src_host factor="Regular beacon pattern"
| table timestamp, src_host, dest_ip, count, host_count, risk_score

Query Engine

Query everything

Pipe-based query language over ClickHouse. Filter, enrich, and correlate events in real-time with sub-second response.

Query editor


source_type = zeek_conn
| where dest_port IN (443, 8443, 8080)
| stats count by src_ip, dest_ip, dest_port
| prevalence enrich=true
| where host_count < 3
| table timestamp, src_ip, dest_ip, dest_port, count, host_count

Results

3 events matched

timestamp  src_ip     dest_ip        dest_port  count  host_count
10:42:31   10.0.1.42  185.220.101.8  443        847    1
10:41:18   10.0.1.42  91.215.85.17   8443       312    2
10:40:05   10.0.3.15  45.33.32.156   8080       156    1

Platform

Built for tinkerers

Everything you need to run a serious security operation from your home lab.

50+ Built-in Parsers

Sysmon, Zeek, Suricata, Windows Event Logs, cloud audit trails, and more. Parse everything out of the box.

Self-hosted or Cloud

Run nano on your home lab, a VPS, or let us manage it. Your data, your infrastructure, your choice.

Rust + ClickHouse

Sub-second queries over billions of events. No JVM warmups, no garbage collection pauses.

Open Detection Rules

Write nPL detection rules with MITRE mapping, risk scoring, and prevalence enrichment. Full transparency, no vendor lock-in.

Hobby Tier: $0. Free forever. No credit card required. Up to 25 EPS (~1.7 GB/day) with 30-day retention.

Built by Incident Responders

Ready to hunt?

Get started in minutes. No credit card. No sales call.