Partnering with Scanner: Every Log Tells a Story—If You Can Find It Fast Enough
Source: Sequoia Blog
Overview
Cliff and Steven are making petabytes of security data searchable in seconds, opening the door to a new era of AI‑driven security operations.
The Problem
Enterprise security teams are drowning in logs they can’t afford to keep or search. Modern tools generate massive amounts of data—every API call, login event, and network connection. Investigations often require a year’s worth of logs, but storing everything in a SIEM like Splunk can consume up to 15 % of a CISO’s budget.
Most companies compromise by keeping only the most recent 10–30 days in the SIEM and archiving older logs in Amazon S3. While storage is cheap, the data becomes effectively frozen and unsearchable. When a breach, compliance audit, or forensic investigation occurs, the needed evidence is often out of reach.
Introducing Scanner
I first heard about Scanner from a security engineer at Temporal, who described it as “crazy fast.” After reaching out to co‑founder Cliff Crosland, I learned how Scanner works:
- Purpose‑built inverted index that maps field values directly to file regions in S3.
- Queries are narrowed to only the relevant slices of data, turning petabytes of logs into an interactive experience.
- What once took hours now runs in seconds.
- A streaming detection engine runs hundreds of detection rules continuously across tens of terabytes per day without re‑scanning the entire dataset.
The Founders
Cliff Crosland and Steven Wu are Stanford CS alumni who previously led engineering at Accompany (acquired by Cisco), building core data infrastructure at production scale. Their obsession with performance drives the design of a system that feels instantaneous.
Customers & Use Cases
Scanner’s early adopters read like a who’s‑who of the cloud‑native world:
- Notion – Built an internal AI agent that autonomously runs security investigations using Scanner.
- Ramp – Started with security logs, expanded to application logs, and reduced their SIEM bill.
- Benchling – Switched after a tenfold price increase from a competitor; the head of security engineering called it one of their best technical decisions.
- Confluent, Lemonade, BeyondTrust, and others are also leveraging the platform.
The Emerging AI‑Driven Workflow
The speed of Scanner enables “agentic” security workflows. Within weeks of its MCP release, nearly a third of customers were in production, and 80 % of queries now come from AI agents. This shift signals a future where investigative work is largely automated, requiring rapid, iterative queries rather than minute‑ or hour‑long searches.
Sequoia’s Involvement
Sequoia is leading Scanner’s Series A round and is excited to partner with the founders as they reinvent a market overdue for transformation. Scanner is gaining traction among technically forward organizations and is poised to define the next decade of security infrastructure.