Scanner makes petabytes of security logs searchable in seconds by building a purpose-built inverted index directly on top of Amazon S3. The core problem it solves: enterprise security teams can only afford to keep 10 to 30 days of logs in a SIEM like Splunk, which can consume 15% of a CISO's entire budget, so the rest sits frozen in S3, inaccessible during breaches and compliance audits. Founders Cliff Crosland and Steven Wu, both Stanford CS alums and former engineering leads at Accompany before its Cisco acquisition, designed Scanner from scratch for object storage rather than adapting existing SIEM architecture.
The customer list is the most concrete signal here. Notion, Ramp, Benchling, Confluent, Lemonade, and BeyondTrust are all in production. Benchling switched to Scanner after a competitor imposed a tenfold price increase. Ramp expanded from security logs to application logs and reduced its SIEM bill. Notion's detection and response team built an internal AI agent that runs security investigations autonomously on top of Scanner. That last data point matters: within weeks of Scanner's MCP release, nearly one third of its customers were using it in production, and AI agents now account for 80% of all queries on the platform.
Sequoia is leading Scanner's Series A. The piece is worth reading in full not for the investment announcement but for the technical walkthrough of how the inverted index maps field values directly to file regions in S3, and for the argument that query speed is the critical dependency blocking agentic security workflows at scale. If agents need to iterate fast and follow threads, minutes-long queries are a hard ceiling on what's possible. Scanner is the infrastructure bet that ceiling gets removed.
[READ ORIGINAL →]