Scanner makes petabytes of security logs searchable in seconds by running a purpose-built inverted index directly against S3 object storage. Founders Cliff Crosland and Steven Wu, Stanford CS alums and former engineering leads at Cisco-acquired Accompany, built a query engine that maps field values to file regions, skipping billions of irrelevant rows entirely. The result: queries that previously took hours now return in seconds, and a streaming detection engine processes tens of terabytes per day without rescanning data for each rule.
The problem they are solving is structural. Enterprise security teams today keep only 10 to 30 days of logs in their SIEM because Splunk-scale storage can consume 15% of a CISO's entire budget. Everything older lives frozen in S3, unreachable during breaches, audits, and forensic investigations. Scanner's customers include Notion, Ramp, Benchling, Confluent, Lemonade, and BeyondTrust. Benchling switched after a competitor imposed a tenfold price increase. Ramp expanded from security logs to application logs and cut its SIEM bill. These are not pilot deployments.
The number that warrants attention: within weeks of Scanner's MCP release, agents account for 80% of queries on the platform, with nearly one third of customers running it in production. Notion's security team has already built an autonomous AI agent that runs investigations using Scanner as its query layer. Sequoia is leading the Series A. Read the original for Bogomil Balkansky's account of how the product's architecture actually works and why speed is the prerequisite, not a feature, for agentic security operations.