new A next-generation Go + Rust engine see why ↓
v0.21 · enterprise license · 4,000+ detection rules

One enterprise SIEM stack. The end of the volume-based SIEM tax.

Caver ships its own enterprise lake, with the full SIEM on top. Install it and you get a complete OCSF Parquet lakehouse out of the box, provisioned, retained, and compacted by Caver itself: no data-lake team to hire, nothing extra to administer. Already standardised on S3? Point it at any S3-compatible bucket instead. Query one lake in five languages, SPL, SQL, KQL, ES|QL, and LSQL, plus Sigma content and a grounded AI assistant, on a next-generation Go + Rust engine. No per-GB ingest tax, no proprietary tsidx format, no lock-in.

how it fits live · streaming queries in <800ms p95
SEND FROM ANYWHERE
caver-collector
Vector pipelines
OTel Collector
Splunk UF / HEC
Splunk S2S
Syslog · Kafka · OTLP
70+ SaaS APIs
OCSF Parquet
on any S3-compatible storage
MinIO · S3 · GCS · Azure · R2
managed by Caver · or bring your own · open format
QUERY WITH ANYTHING
Caver UI
SPL
SQL
KQL
ES|QL
LSQL
Sigma
AI assistant
ingest
21 receivers
HEC · S2S · Syslog · OTLP · Kafka · 70+ SaaS
storage
OCSF Parquet
S3 · MinIO · R2 · GCS · Azure
query with
5 languages
SPL · SQL · KQL · ES|QL · LSQL, plus Sigma · UI
per-GB ingest
$0
flat per-deployment license
the engine

A next-generation engine. Go, Rust, open columnar.

The compute plane was rebuilt in Go and Rust on top of the same open lake. Columnar execution directly on any S3-compatible object storage, aggressive caching, and file-level pruning make queries fast and storage cheap, on an engine built to scale out. Speed, scale, and future compatibility, not a rewrite you have to re-learn.

control plane

Go control plane

~20 focused services on a NATS bus behind one gateway. Build-then-swap deploys, a supervising watchdog. Scales out horizontally, not a monolith.

hot path

Rust transform sidecar

The hot ingest and normalisation path runs in Rust, so throughput climbs without dragging the control plane.

query engine

Columnar on open storage

A vectorised, columnar engine runs SPL, SQL, and more directly on open Parquet in any S3-compatible bucket. Pluggable by tier: embedded for speed today, distributed SQL as volume grows. No proprietary index format.

acceleration

Base-reuse + ephemeral cache

A query's base result materialises once into a TTL-bounded Parquet cache, so dashboard panels and repeat searches reuse it instead of re-scanning raw.

planner

Manifest pushdown + pruning

The planner skips files and partitions that cannot match, so a query touches a fraction of the lake, not all of it.

scheduling

QoS priority scheduling

Priority-aware admission with a reserved lane keeps heavy ad-hoc queries from starving dashboards and scheduled detections.

measured compression
48:1

Measured against raw ingest volume in the same window. Legacy tsidx-style SIEMs land near 2:1. Less storage bought, and with columnar pruning, far less storage scanned per query.

Caver, OCSF Parquet48:1
legacy tsidx SIEM~2:1

Five layers. One lakehouse.

What used to require a stack of separately licensed products, SIEM, detection, service monitoring, UBA, and SOAR, and the licenses that come with all of them. Caver ships it as one integrated commercial stack reading and writing one OCSF Parquet bucket.

Caver

SIEM core: a multi-language query engine on OCSF Parquet, plus operator console + scheduler.

Query in SPL, SQL, KQL, ES|QL, or LSQL, plus Sigma content and a grounded AI assistant. Federates with most search tools, Splunk, Elastic, Sentinel, and more, and the search head you already run treats it as a native indexer.

/ui/home · caver v0.21
index=auth status=failure | stats count by user1.8 GB · 220ms
  alice52
  bob3
─ remote_caver_lake returned in 198ms5 rows
SLAM

SOAR + case management.

Notables, incident cases, and approval-gated playbooks with a credential vault, auto-block response, never-block allowlists, and auto-run analyzers. Signed PDF exports, a SOAR operations dashboard, plus Telegram/Slack/Teams oncall.

POST /api/slam/notables
{
  "rule": "brute-force",
  "severity": "high",
  "entity": "alice"
}
CAVERN

Enterprise Security: risk-based alerting + ATT&CK coverage.

123 content packs, 100% SigmaHQ mapped, Detection IDE with live backtest. Per-entity and per-rule risk contributions, ATT&CK-tagged aggregation.

ECHO

ITSI-equivalent: service tree, KPIs, propagated health, NEAP episodes.

A KPI is just SPL + thresholds. Episodes assemble on cron and surface in the analyst queue.

checkout.payments CRIT
  ├─ stripe-adapter            OK
  ├─ payments-api              WARN
  └─ db-prod01                 CRIT ← propagates
UBA

Per-entity baselines. Multi-anomaly threats promoted to your queue.

65+ unsupervised models, no labelled training data. Off-hours bursts, beaconing, lateral movement.

3.2σ peak z-score
1 threat promoted
80 users baselined
INSTALL

Every common deploy path. Pick the one that fits your stack.

From bare-metal Helm to one-click cloud templates, the deployment surface is documented and runnable end-to-end on every target below, including a .spl that registers Caver as a search peer of your existing search head (Splunk, for example). Enterprise license includes installer access for all targets.

Helmenterprise registry TTerraformaws TTerraformgcp TTerraformazure DDockercompose --profile demo up RRender RRailway FFly.io SSplunk SHcaver-peer.spl
evidence locker

Forensic-grade chain of custody. Built in, not bolted on.

SLAM gives every incident a tamper-evident evidence locker. The bytes you collect during an investigation are cryptographically pinned and provably unchanged from upload to export, the kind of custody your legal team asks for, that almost no SIEM ships.

SHA-256 · HMAC-signed audit · tamper-evident · signed PDF

The full Evidence Locker story →
1

SHA-256 per artifact

Every file attached to an incident is hashed on upload, with uploader and timestamp recorded.

2

Re-verified on every read

The hash is recomputed on each fetch. If a stored byte ever diverges, the download is refused, not silently served.

3

HMAC-signed audit trail

Every upload, download, verify, and delete is signed, so who-touched-what-when cannot be quietly rewritten.

4

Court-ready exports

One click produces a signed PDF of the full case: timeline, evidence, and custody record intact.

Hardened, secure by default.

Your SIEM is the highest-value target on the network, so Caver treats its own posture as a feature, not a checklist you apply later.

Refuses to run insecure

A misconfigured service fails loudly at startup instead of silently listening open. Secure is the default shape, not a hardening guide.

Security headers + CSP

Hardened response headers and a content-security policy ship on by default at the gateway.

Rate-limited everywhere

Global and per-principal rate limits across the API surface, including the AI assistant, so no caller can amplify cost or hammer a credential.

OIDC SSO + RBAC

Enterprise sign-on over OIDC, role-based access over a closed capability set, and least-privilege defaults: an unassigned token is a viewer, never an admin.

Multi-tenant by design

Index-scoped RBAC and per-index ingest ACLs make the index the tenant boundary: one deployment serves many customers, MSSP-ready, with no cross-tenant reads.

And Caver watches itself: every service ships its own telemetry into the same lake it protects, so the SIEM is one of the sources it monitors.

what's new

Beyond the five layers. The companion products.

The core stack consolidates your SIEM, detection, service-monitoring, UBA, and SOAR tools into one platform. These ship alongside it, reading and writing the same OCSF Parquet lake: the data pipeline, the App Store, the AI-security observatory, the intel feeds, the agent surface, and the OT/ICS plugin.

caver-collector

The security data pipeline. Ships lean, extends by App Store.

The collector ships lean: core, sources, and the OCSF VRL normalisation framework. Vector (Rust) drives the high-throughput hot path, and an OpenTelemetry distro fits shops already on OTel. Per-vendor coverage installs from the Caver App Store. Drops the universal-forwarder dependency.

21 receivers 44 transform + normalise 22 sinks App Store apps v1.418
ai observatory

The deepest AI / LLM security coverage in the industry.

Three ways to see your AI usage: pull provider audit logs, drop an inline proxy that inspects live LLM traffic and runs inline threat detection on every exchange (verdict only, no content persisted), or emit first-party events from your own agents. It all lands in one ai_observability index with 200+ CAVERN rules across prompt injection, shadow AI, agent-framework abuse, vector-DB exfiltration, and supply-chain compromise. No DLP agent required.

3 ingest modes inline LLM detection 24 AI content packs 200+ detection rules agentless
intelligence & ai

Full platform surface exposed to AI agents over MCP.

Connect Claude Desktop, Claude Code, or any MCP client and run SPL/SQL/KQL, search CAVERN rules, pull notables, trigger playbooks. The grounded AI assistant does not guess: it discovers your accessible indexes under your own permissions, generates and validates the query, then runs a live preview against your lake before it answers. Every answer is a real query you can keep.

MCP server 13 orchestrator primitives 5 query languages
Caver industrial

OT / ICS with native device-identity decode.

Extends the platform to operational technology. Passive protocol decode reads device identity straight from OT telemetry, so IT/OT correlation, asset discovery, and protocol-aware detection normalise into the same CAVERN pipeline as your IT logs. Native Dragos + Claroty integration. Per-deployment pricing.

Modbus DNP3 EtherNet/IP S7comm BACnet IEC 104
caver app store

A full app store. Versioned, OCSF-mapped apps.

Per-vendor coverage installs as an app: a versioned bundle that maps a source fully to OCSF (parser, schema, and content in one package). The catalog carries 167 versioned apps today, and a deployment-server subscription pipeline pushes updates to subscribed collectors automatically, so a new parser or detection reaches the fleet without a redeploy.

OCSF-mapped bundles versioned subscription pipeline
redeye intel feeds

STIX 2.1 and TAXII 2.1 feeds, straight from the CVE forge.

Caver Forge publishes fresh CVE intelligence and Sigma detections as standards-based feeds at feeds.redeyesecurity.com. Subscribe over TAXII 2.1, pull STIX 2.1 objects, and light up detections grounded in your OCSF schema, no bespoke ingest glue.

STIX 2.1 TAXII 2.1 CVE feed Sigma detections
caver forge

AI that writes and tests your detections, from a CVE or a sentence.

Describe a threat, or point Forge at a freshly published CVE from NVD, CISA KEV, MSRC, GHSA, or OSV, and it authors a CAVERN rule grounded in your actual OCSF lake schema, transpiles it to SPL and Sentinel KQL, and backtests it against your history to confirm it fires (and at what false-positive rate) before a human ever sees it. It collapses 'CVE published' to 'working detection' from weeks to minutes, and the results publish to the RedEye Intel Feeds. You promote to production; Forge does the grind.

CVE → detection in minutes grounded in your schema auto-backtested human-approved to prod
dashboards

Dashboard Studio. 15+ chart types, accelerated.

Build the SOC view without leaving the platform. Studio's panel editor, a deep chart library, and base-search reuse mean rich dashboards that stay fast, plus lake-health and network-flow views out of the box.

Dashboard Studio

Drag-in panels with a per-viz Configure surface: palette, legend, axis, labels. Clone-and-edit any panel, keep personal dashboards.

15+ chart types

From time series and geo to network-flow graphs, powered by ECharts, with signature centerpiece charts on the rich content packs.

Accelerated by base-reuse

A dashboard's base result is materialised once into ephemeral Parquet, then every panel reuses it instead of re-scanning raw.

supported technologies

160+ integrations. Every one OCSF-normalised.

Out-of-box coverage across 11 categories. Every integration ships a caver-collector receiver or adapter and at least one CAVERN content pack with detection rules tuned to the source's event shape.

160+integrations
11categories
100%CAVERN-mapped
OCSFnormalised output

Cloud platforms

12
AWSMicrosoft AzureGoogle CloudCloudflareDigitalOceanLinodeVercelNetlifyFastlyHashiCorpTerraformKubernetes

Identity & SSO

10
OktaAuth0JumpCloudDuo SecurityOneLoginKeycloakBitwardenAzure AD / EntraGoogle WorkspacePing

Productivity & collaboration

12
Microsoft 365SlackMicrosoft TeamsZoomCisco WebexMattermostDiscordIntercomBoxDropboxNotionAsana

Developer & DevOps

14
GitHubGitLabJiraConfluenceCircleCIBuildkiteLaunchDarklySnykLinearTinesPostHogSysdigMongoDB AtlasSnowflake

EDR & endpoint

10
CrowdStrikeSentinelOneMicrosoft DefenderCarbon BlackTrend MicroWazuhClamAVYARAFalcoosquery

Network & perimeter

11
TailscaleCloudflare Zero TrustCisco MerakiCisco UmbrellaFortinetPalo Alto NetworksIvantiCitrixSuricataZeekWireshark

Cloud security

8
WizLaceworkTenableSysdig SecureMicrosoft SentinelAWS GuardDutyAWS SecurityHubTrivy

AI & LLM

12
OpenAIAnthropicMicrosoft CopilotAmazon BedrockAzure OpenAIGoogle Vertex AIHugging FaceLiteLLMPortkeyLangFlowOllamaLM Studio

OT / ICS

7
DragosClarotySiemensRockwell / Allen-BradleySchneider ElectricABBHoneywell

Sales, CRM & support

15
SalesforceHubSpotStripeShopifyZendeskServiceNowPagerDutyTwilioSendGridPostmarkMailgunMimecastAtlassian StatuspageOpsgenieDatadog

Observability & analytics

10
SplunkGrafanaPrometheusElasticKibanaLokiOpenTelemetryVectorApache KafkaConfluent

Already have a search head you love? Keep it.

Caver registers as a peer on most search tools (Splunk, for example), so your existing dashboards, saved searches, and correlation rules keep running unchanged against the OCSF lake. Federation modes ship for Elastic / Kibana, Microsoft Sentinel, Sumo Logic, Datadog, and growing.

Don't see a tool you rely on?

Suggest it and we'll scope it. New integrations land as a caver-collector receiver plus a CAVERN content pack, typically inside a single release cycle.

Request an integration →

Two ways to adopt.
Migrate fully, or run in parallel.

Migrate fully and retire the legacy stack, or stand Caver up in parallel beside the SIEM you run today and cut over when the numbers convince you. Either way, one license, one lake, no per-GB meter.

1

Full migration

Point caver-migrate at your legacy SIEM and it ports the lot in one command: dashboards, saved searches, scheduled alerts, correlation and risk rules, service trees + KPIs, behavior models, and SOAR playbooks, each mapped onto the matching Caver layer.

  • Day one your SOC opens the same dashboards and runs the same queries, on Caver, on the enterprise lake it ships.
  • Auditable: --dry-run prints a full coverage report before --apply touches anything.
  • Every migrator is tested end-to-end before it touches your data.
$ caver-migrate --apply-all
2

Run in parallel

Stand Caver up beside what you already have. It registers as a peer on most search tools (Splunk, for example) and federates with Elastic, Sentinel, and more, so existing dashboards and correlation rules keep running, now against your OCSF lake. New data lands in the lake instead of the indexer tier.

  • Forwarders unchanged: they tee to Caver, or speak their native protocol directly.
  • Search head unchanged: the peer app drops in via the standard install flow.
  • Object storage runs roughly 10x cheaper than indexer storage at the same retention.
federate > add Caver as a search peer

Frequently asked.
Probably what you came here to know.

If your question is not here, the answer is almost always in the docs.

Commercial. Caver is closed-source proprietary software, delivered as binaries plus a commercial license in the same shape as every other commercial SIEM in this market. Source is not publicly distributed. Historical note for the record: Caver v0.1 was released publicly under the MIT License on 2026-05-13 to validate the architecture, and that v0.1 grant is permanent and irrevocable for anyone who obtained the v0.1 code under it; active development has since moved to a private commercial codebase. Full transition explainer at /caver/transition/. Contact matt@redeyesecurity.com for evaluation access and license terms.

The whole legacy SIEM stack, consolidated onto one OCSF Parquet lake you own. Caver is the query and analytics core, a multi-language engine speaking SPL, SQL, KQL, ES|QL, and LSQL, with Sigma content and a grounded AI assistant on top. CAVERN delivers detection engineering and risk-based alerting with full MITRE ATT&CK coverage and 123 content packs. ECHO gives you service trees, KPIs, and episode correlation. UBA runs 65+ behavioral models. SLAM is the SOAR: approval-gated playbooks, incident cases, a credential vault, auto-block response, and analyzers. Five integrated layers, plus an AI-security observatory and a collector pipeline, so you can retire whichever legacy products you pay for today, Splunk, Elastic, Sentinel, or others, and run it all on storage you control.

The compute plane was rebuilt in Go and Rust with a vectorised, columnar engine executing directly on open Parquet in your own object storage. Two things drop the cost lines: a manifest planner prunes files and partitions a query cannot match, so it scans a fraction of the lake, and a base-result cache reuses a query's foundation across dashboard panels and repeat searches instead of re-scanning raw. Storage shrinks too: measured against raw ingest volume in the same window, columnar OCSF Parquet compresses about 48:1, where legacy tsidx-style formats land near 2:1. Less bought, less scanned.

No. Caver speaks the languages your team already knows. Address the same OCSF lake in five query languages, SPL, SQL, KQL (Sentinel-compatible), ES|QL (Elastic), and LSQL (LogScale), every one executed by the same engine. Sigma detection content transpiles straight in, and the grounded AI assistant turns plain English into a validated query it actually runs against your lake before answering. Existing dashboards, saved searches, and correlation rules keep running unchanged. One lake, zero re-training.

Yes. Caver slots into the stack you already run, no rip-and-replace. Splunk: yes, it registers as a distributed-search peer so existing dashboards, saved searches, and correlation rules keep running against your OCSF lake. Elastic / Kibana, Microsoft Sentinel, Sumo Logic, and Datadog: yes, via federation modes. New data lands in your OCSF lake instead of an expensive indexer tier, and any licensing change with a tool you keep is made through that vendor per your existing contract. Running something not named here? Ask, integrations land as a caver-collector receiver plus a CAVERN content pack, typically within a release cycle.

In Caver's own enterprise lake by default: the install provisions and manages the whole OCSF Parquet lakehouse itself, retention, compaction, and lifecycle included, so there is no lake to administer and no data-lake hire. Prefer your own storage? Point it at any S3-compatible bucket instead: AWS S3, MinIO, Google Cloud Storage, Azure Blob, Cloudflare R2. Either way it is open format on storage you control, and the same files are queryable by Trino, AWS Athena, Spark, and AI agents, no proprietary file format gates you in.

Two cost lines disappear: the per-GB ingest license (the biggest line item in most legacy SIEMs) and the indexer storage tier (replaced by roughly 10x cheaper object storage at the same retention, compressed about 48:1). For an org ingesting hundreds of GB/day, that's typically six to seven figures annually, before you count the consolidation of detection, ITSI, UBA, and SOAR into one platform.

Yes, end-to-end. CAVERN ships RBA contributions per detection rule, tactic-spread and source-diversity aggregators, identity and asset risk-factor multipliers (admin 2x, crit-prod 1.875x, service-account 0x), and per-entity timelines. ATT&CK technique and tactic tags propagate from rule to contribution to aggregation.

The Go and Rust core is tagged v0.21.x and running in real deployments. 123 CAVERN content packs and 4,000+ detection rules ship today, with migrators covering dashboards, saved searches, correlation rules, service trees, behavior models, and SOAR playbooks end-to-end. Treat the version seriously and follow the docs runbook before standing up critical SOC workflows.

Request evaluation access and we'll set up a short intro call to understand your environment (current SIEM, storage tier, on-prem vs. cloud), then ship a time-bound evaluation installer. Prefer to dig in first? The full technical docs are linked below.