caver is moving from MIT to a closed-source commercial product.
Here is exactly what changes.

v0.1 was a public bet. The thesis: a SIEM stack that replaces Splunk Enterprise + ES + ITSI + UBA + SOAR can run on top of an OCSF Parquet lakehouse on commodity object storage, speak SPL natively, register as a Splunk distributed-search peer for side-by-side deployments, and ship as one integrated stack rather than as five products glued together.

We released the whole thing under MIT on 2026-05-13 to prove the architecture in public. v0.1 shipped with 1,618 tests green, nine end-to-end migrators (dashboards, saved searches, scheduled alerts, indexes, ES correlation searches, ITSI service trees, UBA threat models, SOAR playbooks, plus the auto-port of runnable searches into the caver scheduler), a splunkd-compatible REST surface, and a standalone SPL engine. The architecture is validated.

v0.1 answered the technical question. The next decade of work answers a different question entirely: can a small team displace Splunk inside real customer accounts, sustain 24×7 enterprise support, hold the SLAs SOCs need, carry SOC 2 Type II and FedRAMP through the audit cycle, and out-iterate vendors with 100× the headcount.

That work needs a sustainable commercial model. It needs to fund SREs, security engineers, customer-success engineers, and salespeople who actually understand the Splunk-displacement story. The conventional enterprise-SIEM posture (closed-source binaries plus a per-deployment commercial license) is what every customer in this market already buys, what every procurement org already knows how to evaluate, and what acquirer-side legal teams recognize at a glance. We chose it deliberately.

• •New releases ship as closed-source proprietary software. Binaries plus a per-deployment commercial license, delivered via the enterprise channel.
• •Source code is private. The public GitHub repositories that hosted v0.1 are no longer the canonical place to obtain a current build. Source is not publicly distributed.
• •Pricing is published. Three editions (Standard $24K–$56K per deployment / year, Enterprise contact-sales, MSSP partner-tiered) priced per deployment, not per GB ingested. Full details at /caver/pricing/.
• •The customer relationship moves to an enterprise vendor model. Onboarding, support, escalation paths, SLAs, SOC 2 attestation, security data sheets, and pen-test summaries are all delivered through the standard commercial channels procurement teams already use.

• •The v0.1 MIT grant is permanent and irrevocable. Anyone who obtained v0.1 under MIT retains those rights forever. We cannot revoke them and would not try to. You can keep using v0.1, fork it, deploy it, modify it, redistribute it per MIT's terms.
• •We will not pursue v0.1 users. The grant is permanent. No audits, no takedown notices, no retroactive fees. We will gladly upgrade you to a commercial license when you want enterprise support, the latest installers, or the layers and capabilities that landed after the transition.
• •Your data stays yours. OCSF Parquet (an open, vendor-neutral columnar format) on any S3-compatible bucket. Your bucket, your keys. No proprietary tsidx, no vendor lock-in on the storage layer.
• •The product mission is unchanged. Replace Splunk Enterprise + ES + ITSI + UBA + SOAR with one integrated stack on a lakehouse you control. The license change is about funding the team building the next decade of it; the architecture, the migrators, and the Splunk-displacement story all carry forward.

The order matters. Most commercial SIEMs were never open. The architecture decisions that shape them were made behind closed doors, validated only against the customers who paid to see them, and locked behind a vendor's interpretation of what "works at scale" means.

v0.1 published the architecture, the schema, the test surface, the migrators, and the wire format. Anyone who wanted to know exactly how an open-source SIEM could replace the five Splunk products had the source code in front of them for the validation window. That public record is permanent. Subsequent work moves into the conventional enterprise-vendor posture because that is the model that funds SOC 2, 24×7 SLAs, and a team large enough to chase real Splunk replacements inside Fortune 500 accounts.

Two ways in. If you want to evaluate caver, email [email protected] with the rough size of your Splunk bill, your renewal window, and the modules you most want to displace. We will come back within a business day with a sizing estimate and a POC plan.

If you have questions about the license transition itself (legal posture, MIT-grant preservation, MSSP exclusion), the same email reaches us — flag the subject as "license question" and we will pull the right person into the thread.