One enterprise SIEM stack. The end of the volume-based SIEM tax.
Caver ships its own enterprise lake, with the full SIEM on top. Install it and you get a complete OCSF Parquet lakehouse out of the box, provisioned, retained, and compacted by Caver itself: no data-lake team to hire, nothing extra to administer. Already standardised on S3? Point it at any S3-compatible bucket instead. Query one lake in five languages, SPL, SQL, KQL, ES|QL, and LSQL, plus Sigma content and a grounded AI assistant, on a next-generation Go + Rust engine. No per-GB ingest tax, no proprietary tsidx format, no lock-in.
A next-generation engine. Go, Rust, open columnar.
The compute plane was rebuilt in Go and Rust on top of the same open lake. Columnar execution directly on any S3-compatible object storage, aggressive caching, and file-level pruning make queries fast and storage cheap, on an engine built to scale out. Speed, scale, and future compatibility, not a rewrite you have to re-learn.
Go control plane
~20 focused services on a NATS bus behind one gateway. Build-then-swap deploys, a supervising watchdog. Scales out horizontally, not a monolith.
Rust transform sidecar
The hot ingest and normalisation path runs in Rust, so throughput climbs without dragging the control plane.
Columnar on open storage
A vectorised, columnar engine runs SPL, SQL, and more directly on open Parquet in any S3-compatible bucket. Pluggable by tier: embedded for speed today, distributed SQL as volume grows. No proprietary index format.
Base-reuse + ephemeral cache
A query's base result materialises once into a TTL-bounded Parquet cache, so dashboard panels and repeat searches reuse it instead of re-scanning raw.
Manifest pushdown + pruning
The planner skips files and partitions that cannot match, so a query touches a fraction of the lake, not all of it.
QoS priority scheduling
Priority-aware admission with a reserved lane keeps heavy ad-hoc queries from starving dashboards and scheduled detections.
Measured against raw ingest volume in the same window. Legacy tsidx-style SIEMs land near 2:1. Less storage bought, and with columnar pruning, far less storage scanned per query.
Five layers. One lakehouse.
What used to require a stack of separately licensed products, SIEM, detection, service monitoring, UBA, and SOAR, and the licenses that come with all of them. Caver ships it as one integrated commercial stack reading and writing one OCSF Parquet bucket.
SIEM core: a multi-language query engine on OCSF Parquet, plus operator console + scheduler.
Query in SPL, SQL, KQL, ES|QL, or LSQL, plus Sigma content and a grounded AI assistant. Federates with most search tools, Splunk, Elastic, Sentinel, and more, and the search head you already run treats it as a native indexer.
SOAR + case management.
Notables, incident cases, and approval-gated playbooks with a credential vault, auto-block response, never-block allowlists, and auto-run analyzers. Signed PDF exports, a SOAR operations dashboard, plus Telegram/Slack/Teams oncall.
POST /api/slam/notables { "rule": "brute-force", "severity": "high", "entity": "alice" }
Enterprise Security: risk-based alerting + ATT&CK coverage.
123 content packs, 100% SigmaHQ mapped, Detection IDE with live backtest. Per-entity and per-rule risk contributions, ATT&CK-tagged aggregation.
ITSI-equivalent: service tree, KPIs, propagated health, NEAP episodes.
A KPI is just SPL + thresholds. Episodes assemble on cron and surface in the analyst queue.
Per-entity baselines. Multi-anomaly threats promoted to your queue.
65+ unsupervised models, no labelled training data. Off-hours bursts, beaconing, lateral movement.
Every common deploy path. Pick the one that fits your stack.
From bare-metal Helm to one-click cloud templates, the deployment surface is documented and runnable end-to-end on every target below, including a .spl that registers Caver as a search peer of your existing search head (Splunk, for example). Enterprise license includes installer access for all targets.
enterprise registry TTerraformaws TTerraformgcp TTerraformazure DDockercompose --profile demo up RRender RRailway FFly.io SSplunk SHcaver-peer.spl Forensic-grade chain of custody. Built in, not bolted on.
SLAM gives every incident a tamper-evident evidence locker. The bytes you collect during an investigation are cryptographically pinned and provably unchanged from upload to export, the kind of custody your legal team asks for, that almost no SIEM ships.
SHA-256 · HMAC-signed audit · tamper-evident · signed PDF
The full Evidence Locker story →SHA-256 per artifact
Every file attached to an incident is hashed on upload, with uploader and timestamp recorded.
Re-verified on every read
The hash is recomputed on each fetch. If a stored byte ever diverges, the download is refused, not silently served.
HMAC-signed audit trail
Every upload, download, verify, and delete is signed, so who-touched-what-when cannot be quietly rewritten.
Court-ready exports
One click produces a signed PDF of the full case: timeline, evidence, and custody record intact.
Hardened, secure by default.
Your SIEM is the highest-value target on the network, so Caver treats its own posture as a feature, not a checklist you apply later.
Refuses to run insecure
A misconfigured service fails loudly at startup instead of silently listening open. Secure is the default shape, not a hardening guide.
Security headers + CSP
Hardened response headers and a content-security policy ship on by default at the gateway.
Rate-limited everywhere
Global and per-principal rate limits across the API surface, including the AI assistant, so no caller can amplify cost or hammer a credential.
OIDC SSO + RBAC
Enterprise sign-on over OIDC, role-based access over a closed capability set, and least-privilege defaults: an unassigned token is a viewer, never an admin.
Multi-tenant by design
Index-scoped RBAC and per-index ingest ACLs make the index the tenant boundary: one deployment serves many customers, MSSP-ready, with no cross-tenant reads.
And Caver watches itself: every service ships its own telemetry into the same lake it protects, so the SIEM is one of the sources it monitors.
Beyond the five layers. The companion products.
The core stack consolidates your SIEM, detection, service-monitoring, UBA, and SOAR tools into one platform. These ship alongside it, reading and writing the same OCSF Parquet lake: the data pipeline, the App Store, the AI-security observatory, the intel feeds, the agent surface, and the OT/ICS plugin.
The security data pipeline. Ships lean, extends by App Store.
The collector ships lean: core, sources, and the OCSF VRL normalisation framework. Vector (Rust) drives the high-throughput hot path, and an OpenTelemetry distro fits shops already on OTel. Per-vendor coverage installs from the Caver App Store. Drops the universal-forwarder dependency.
The deepest AI / LLM security coverage in the industry.
Three ways to see your AI usage: pull provider audit logs, drop an inline proxy that inspects live LLM traffic and runs inline threat detection on every exchange (verdict only, no content persisted), or emit first-party events from your own agents. It all lands in one ai_observability index with 200+ CAVERN rules across prompt injection, shadow AI, agent-framework abuse, vector-DB exfiltration, and supply-chain compromise. No DLP agent required.
Full platform surface exposed to AI agents over MCP.
Connect Claude Desktop, Claude Code, or any MCP client and run SPL/SQL/KQL, search CAVERN rules, pull notables, trigger playbooks. The grounded AI assistant does not guess: it discovers your accessible indexes under your own permissions, generates and validates the query, then runs a live preview against your lake before it answers. Every answer is a real query you can keep.
OT / ICS with native device-identity decode.
Extends the platform to operational technology. Passive protocol decode reads device identity straight from OT telemetry, so IT/OT correlation, asset discovery, and protocol-aware detection normalise into the same CAVERN pipeline as your IT logs. Native Dragos + Claroty integration. Per-deployment pricing.
A full app store. Versioned, OCSF-mapped apps.
Per-vendor coverage installs as an app: a versioned bundle that maps a source fully to OCSF (parser, schema, and content in one package). The catalog carries 167 versioned apps today, and a deployment-server subscription pipeline pushes updates to subscribed collectors automatically, so a new parser or detection reaches the fleet without a redeploy.
STIX 2.1 and TAXII 2.1 feeds, straight from the CVE forge.
Caver Forge publishes fresh CVE intelligence and Sigma detections as standards-based feeds at feeds.redeyesecurity.com. Subscribe over TAXII 2.1, pull STIX 2.1 objects, and light up detections grounded in your OCSF schema, no bespoke ingest glue.
AI that writes and tests your detections, from a CVE or a sentence.
Describe a threat, or point Forge at a freshly published CVE from NVD, CISA KEV, MSRC, GHSA, or OSV, and it authors a CAVERN rule grounded in your actual OCSF lake schema, transpiles it to SPL and Sentinel KQL, and backtests it against your history to confirm it fires (and at what false-positive rate) before a human ever sees it. It collapses 'CVE published' to 'working detection' from weeks to minutes, and the results publish to the RedEye Intel Feeds. You promote to production; Forge does the grind.
Dashboard Studio. 15+ chart types, accelerated.
Build the SOC view without leaving the platform. Studio's panel editor, a deep chart library, and base-search reuse mean rich dashboards that stay fast, plus lake-health and network-flow views out of the box.
Dashboard Studio
Drag-in panels with a per-viz Configure surface: palette, legend, axis, labels. Clone-and-edit any panel, keep personal dashboards.
15+ chart types
From time series and geo to network-flow graphs, powered by ECharts, with signature centerpiece charts on the rich content packs.
Accelerated by base-reuse
A dashboard's base result is materialised once into ephemeral Parquet, then every panel reuses it instead of re-scanning raw.
160+ integrations. Every one OCSF-normalised.
Out-of-box coverage across 11 categories. Every integration ships a caver-collector receiver or adapter and at least one CAVERN content pack with detection rules tuned to the source's event shape.
Cloud platforms
12Identity & SSO
10Productivity & collaboration
12Developer & DevOps
14EDR & endpoint
10Network & perimeter
11Cloud security
8AI & LLM
12OT / ICS
7Sales, CRM & support
15Observability & analytics
10Already have a search head you love? Keep it.
Caver registers as a peer on most search tools (Splunk, for example), so your existing dashboards, saved searches, and correlation rules keep running unchanged against the OCSF lake. Federation modes ship for Elastic / Kibana, Microsoft Sentinel, Sumo Logic, Datadog, and growing.
Don't see a tool you rely on?
Suggest it and we'll scope it. New integrations land as a caver-collector receiver plus a CAVERN content pack, typically inside a single release cycle.
Request an integration →Two ways to adopt.
Migrate fully, or run in parallel.
Migrate fully and retire the legacy stack, or stand Caver up in parallel beside the SIEM you run today and cut over when the numbers convince you. Either way, one license, one lake, no per-GB meter.
Full migration
Point caver-migrate at your legacy SIEM and it ports the lot in one command: dashboards, saved searches, scheduled alerts, correlation and risk rules, service trees + KPIs, behavior models, and SOAR playbooks, each mapped onto the matching Caver layer.
- ✓ Day one your SOC opens the same dashboards and runs the same queries, on Caver, on the enterprise lake it ships.
- ✓ Auditable: --dry-run prints a full coverage report before --apply touches anything.
- ✓ Every migrator is tested end-to-end before it touches your data.
Run in parallel
Stand Caver up beside what you already have. It registers as a peer on most search tools (Splunk, for example) and federates with Elastic, Sentinel, and more, so existing dashboards and correlation rules keep running, now against your OCSF lake. New data lands in the lake instead of the indexer tier.
- ✓ Forwarders unchanged: they tee to Caver, or speak their native protocol directly.
- ✓ Search head unchanged: the peer app drops in via the standard install flow.
- ✓ Object storage runs roughly 10x cheaper than indexer storage at the same retention.
Frequently asked.
Probably what you came here to know.
If your question is not here, the answer is almost always in the docs.