Scanner makes petabytes of security logs searchable in seconds, directly against S3. Founders Cliff Crosland and Steven Wu, Stanford CS alumni and former engineering leads at Cisco-acquired Accompany, developed a purpose-built inverted index that maps field values to file regions in object storage. Queries that previously took hours now return in seconds. A streaming detection engine runs hundreds of rules continuously across tens of terabytes per day without re-scanning on each pass. Sequoia led the Series A.

The problem is structural. Companies keep 10 to 30 days of logs in a SIEM like Splunk, where costs can consume 15% of a CISO's entire budget, and archive the rest in S3 where data is cheap but effectively frozen. Breaches, audits, and forensic investigations require logs going back a year or more. That data is unreachable when it matters most. Scanner's customers include Notion, Ramp, Benchling, Confluent, Lemonade, and BeyondTrust. Ramp expanded from security logs to application logs and reduced its SIEM bill in the process. Benchling replaced a prior product after a forced tenfold price increase and called it one of the best technical decisions the team had made.

The number worth reading the full piece for: within weeks of Scanner's MCP release, nearly one third of customers were running it in production, and AI agents now account for 80% of all queries on the platform. Notion's detection and response team built an internal agent that autonomously runs security investigations using Scanner. That adoption rate is not a beta metric. It is a signal that agentic security workflows have a hard infrastructure requirement: sub-second query latency. Scanner is currently the only product built to meet it at scale.
