Land your security data as OCSF Parquet on any S3-compatible storage. Query it in seven languages: SPL, SQL, KQL, Sigma, PromQL, natural language, or the native Caver UI, over one lake you own. Caver is the enterprise SIEM you run on top: no per-GB ingest tax, no proprietary tsidx format, no vendor lock-in on storage.
What used to require a stack of separately licensed products (SIEM, detection, service monitoring, UBA, and SOAR), each with its own license, Caver ships as one integrated commercial stack reading and writing one OCSF Parquet bucket.
Query in SPL, SQL, KQL, Sigma, PromQL, or natural language. Federates with most search tools (Splunk, Elastic, Sentinel, and more), and the search head you already run treats it as a native indexer.
Notables, operator-editable YAML playbooks, case management, signed PDF exports, plus Telegram/Slack/Teams oncall.
POST /api/slam/notables { "rule": "brute-force", "severity": "high", "entity": "alice" }
123 content packs, 100% SigmaHQ mapped, Detection IDE with live backtest. Per-rule risk contributions, ATT&CK-tagged aggregation.
A KPI is just SPL + thresholds. Episodes assemble on cron and surface in the analyst queue.
65+ unsupervised models, no labelled training data. Off-hours bursts, beaconing, lateral movement.
From bare-metal Helm to one-click cloud templates, the deployment surface is documented and runnable end-to-end on every target below, including a .spl that registers Caver as a search peer of your existing search head (Splunk, for example). Enterprise license includes installer access for all targets.
Deployment targets: enterprise registry; Terraform (aws, gcp, azure); Docker (compose --profile demo up); Render; Railway; Fly.io; Splunk SH (caver-peer.spl).
SLAM gives every incident a tamper-evident evidence locker. The bytes you collect during an investigation are cryptographically pinned and provably unchanged from upload to export, the kind of custody your legal team asks for, that almost no SIEM ships.
SHA-256 · HMAC-signed audit · tamper-evident · signed PDF
Every file attached to an incident is hashed on upload, with uploader and timestamp recorded.
The hash is recomputed on each fetch. If a stored byte ever diverges, the download is refused, not silently served.
Every upload, download, verify, and delete is signed, so who-touched-what-when cannot be quietly rewritten.
One click produces a signed PDF of the full case: timeline, evidence, and custody record intact.
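The four custody properties listed above (hash pinned at upload, hash recomputed on every fetch with divergent bytes refused, every action signed so the who-touched-what-when record cannot be quietly rewritten) are straightforward to demonstrate in a few dozen lines. The following is an added example, not Caver's or SLAM's own code: an in-memory locker with a per-deployment HMAC key and a hash-chained audit trail. The store layout, the HMAC key, the record field names and the sample evidence bytes are all constructed for the illustration; signed PDF export is not modelled.

```python
"""Added example (not Caver/SLAM code): a minimal tamper-evident evidence locker.

Assumptions (hypothetical, not from the page): an in-memory blob store, a
per-deployment HMAC key, and the audit record field names used below.
"""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field


class EvidenceTampered(Exception):
    """Stored bytes no longer match the hash pinned at upload."""


class AuditTampered(Exception):
    """The audit trail fails HMAC or chain verification."""


@dataclass
class EvidenceLocker:
    hmac_key: bytes                                # per-deployment secret (constructed)
    blobs: dict = field(default_factory=dict)      # name -> stored bytes
    pins: dict = field(default_factory=dict)       # name -> sha256 hex pinned at upload
    audit: list = field(default_factory=list)      # ordered, signed audit records

    def _sign(self, payload: dict, prev_sig: str) -> str:
        # Each MAC covers the record *and* the previous record's MAC, so deleting,
        # reordering or editing any earlier entry breaks every later signature.
        msg = json.dumps(payload, sort_keys=True).encode() + prev_sig.encode()
        return hmac.new(self.hmac_key, msg, hashlib.sha256).hexdigest()

    def _record(self, action: str, actor: str, name: str, sha256: str) -> None:
        payload = {"action": action, "actor": actor, "name": name,
                   "sha256": sha256, "ts": time.time()}
        prev_sig = self.audit[-1]["sig"] if self.audit else ""
        self.audit.append({**payload, "sig": self._sign(payload, prev_sig)})

    def upload(self, actor: str, name: str, data: bytes) -> str:
        """Pin the SHA-256 of the bytes and record uploader + timestamp."""
        digest = hashlib.sha256(data).hexdigest()
        self.blobs[name] = data
        self.pins[name] = digest
        self._record("upload", actor, name, digest)
        return digest

    def fetch(self, actor: str, name: str) -> bytes:
        """Recompute the hash on every fetch; refuse (do not serve) divergent bytes."""
        data = self.blobs[name]
        digest = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(digest, self.pins[name]):
            self._record("verify_failed", actor, name, digest)
            raise EvidenceTampered(f"{name}: stored bytes diverge from pinned hash")
        self._record("download", actor, name, digest)
        return data

    def verify_audit(self) -> bool:
        """Walk the chain; any edited, dropped or reordered record raises."""
        prev_sig = ""
        for rec in self.audit:
            payload = {k: v for k, v in rec.items() if k != "sig"}
            if not hmac.compare_digest(self._sign(payload, prev_sig), rec["sig"]):
                raise AuditTampered(f"audit chain broken at '{rec['action']}' record")
            prev_sig = rec["sig"]
        return True


def demo() -> dict:
    """Upload, clean fetch, simulated byte flip, simulated audit rewrite."""
    locker = EvidenceLocker(hmac_key=b"constructed-demo-key-not-for-production")
    pcap = b"constructed sample evidence bytes: capture for case-42"  # constructed
    locker.upload("alice", "case-42.pcap", pcap)
    assert locker.fetch("bob", "case-42.pcap") == pcap

    # A single byte changes at rest: the next download must be refused.
    locker.blobs["case-42.pcap"] = pcap[:-1] + b"X"
    refused = False
    try:
        locker.fetch("bob", "case-42.pcap")
    except EvidenceTampered:
        refused = True

    audit_ok = locker.verify_audit()  # chain still intact at this point

    # Someone rewrites who performed the download: the chain must fail.
    locker.audit[1]["actor"] = "mallory"
    audit_tampered = False
    try:
        locker.verify_audit()
    except AuditTampered:
        audit_tampered = True

    return {"refused": refused, "audit_ok": audit_ok,
            "audit_tampered": audit_tampered, "records": len(locker.audit)}


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the failed verification is itself written to the audit trail before the download is refused, so a silent-corruption event leaves evidence of its own; and because each record's MAC includes the previous MAC, an attacker who can edit the store but does not hold the HMAC key cannot rewrite, drop or reorder history without breaking every subsequent signature.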
The core stack consolidates your SIEM, detection, service-monitoring, UBA, and SOAR tools into one platform. These ship alongside it, reading and writing the same OCSF Parquet lake: the data pipeline that feeds it, the AI-security layer, the agent + orchestration surface, and the OT/ICS plugin.
Python for orchestration and complex normalisation, Vector (Rust) for high-throughput hot paths, and an OpenTelemetry distro for shops already running OTel. Drops the universal-forwarder dependency.
24 dedicated content packs and 200+ purpose-built CAVERN rules across the full AI threat surface: prompt injection, shadow AI, agent-framework abuse, vector-DB exfiltration, and supply-chain compromise. No DLP agent required.
Connect Claude Desktop, Claude Code, or any MCP client and run SPL/SQL/KQL, search CAVERN rules, pull notables, trigger playbooks. A Claude-powered orchestrator turns plain-language requests into config, rules, and backtests.
Extends the platform to operational technology: IT/OT correlation, asset discovery, and protocol-aware detection normalised into the same CAVERN pipeline as your IT telemetry. Per-deployment pricing.
Describe a threat, or point Forge at a freshly published CVE, and it authors a CAVERN rule grounded in your actual OCSF lake schema, transpiles it to SPL, and backtests it against your history to confirm it fires (and at what false-positive rate) before a human ever sees it. It collapses the gap between 'CVE published' and 'working detection' from weeks to minutes. You promote to production; Forge does the grind.
Out-of-box coverage across 11 categories. Every integration ships a caver-collector receiver or adapter and at least one CAVERN content pack with detection rules tuned to the source's event shape.
Caver registers as a peer on most search tools (Splunk, for example), so your existing dashboards, saved searches, and correlation rules keep running unchanged against the OCSF lake. Federation modes ship for Elastic / Kibana, Microsoft Sentinel, Sumo Logic, Datadog, and growing.
Suggest it and we'll scope it. New integrations land as a caver-collector receiver plus a CAVERN content pack, typically inside a single release cycle.
Caver is modular. Migrate fully, run it in parallel during a transition, or just drop in the collector to trim or enrich what your existing SIEM ingests. Any single layer stands on its own and augments the SIEM you already run.
Point caver-migrate at your legacy SIEM and it ports the lot in one command: dashboards, saved searches, scheduled alerts, correlation and risk rules, service trees + KPIs, behavior models, and SOAR playbooks, each mapped onto the matching Caver layer.
Stand Caver up beside what you already have. It registers as a peer on most search tools (Splunk, for example) and federates with Elastic, Sentinel, and more, so existing dashboards and correlation rules keep running, now against your OCSF lake. New data lands in the lake instead of the indexer tier.
Not ready for the full platform? Run only caver-collector. Its 21 receivers and 44 transforms sit in front of your existing SIEM to filter, route, and OCSF-normalise, cutting ingest volume or enriching events before they land.
Every layer stands alone. Add CAVERN detections, ECHO service monitoring, UBA, or SLAM case management one at a time, against the same OCSF lake, to assist or extend the SIEM you already run.
If your question is not here, the answer is almost always in the docs.