Matano

Serverless security data lake for AWS with detection-as-code

Matano delivers a cloud‑native, serverless security data lake on AWS, normalizing 50+ log sources, enabling detection‑as‑code with Python, and offering vendor‑neutral analytics via Apache Iceberg.

Overview

Matano is a cloud‑native security data lake built specifically for AWS environments. It ingests and normalizes unstructured logs from more than 50 native and third‑party sources, storing them in an open table format (Apache Iceberg) with Elastic Common Schema (ECS) alignment. Real‑time detections are authored in Python, with built‑in support for importing Sigma rules, and custom log transformations are handled via Vector Remap Language (VRL) scripts.

Deployment

The platform is fully serverless, leveraging AWS services such as Athena, S3, and SNS, which eliminates the need for managing servers and reduces operational overhead. Users deploy Matano with a single CLI command that provisions the required resources in their AWS account. Once deployed, analysts can query the lake directly from any Iceberg‑compatible engine (Athena, Snowflake, Spark, Trino, etc.) and route alerts to destinations like Slack or SNS, enabling flexible, cost‑effective security operations.

Highlights

Normalizes unstructured logs into a structured, real‑time data lake using Apache Iceberg.
Integrates out‑of‑the‑box with 50+ security log sources and custom VRL pipelines.
Supports detection‑as‑code with Python, including automatic Sigma import.
Runs fully serverless on AWS, enabling low‑cost, zero‑ops scaling.

Pros

  • Serverless architecture reduces operational overhead.
  • Vendor‑neutral storage format ensures data ownership.
  • Rich integration ecosystem covers major cloud and SaaS sources.
  • Python detections allow flexible, real‑time threat hunting.

Considerations

  • Tied to AWS services; not multi‑cloud out of the box.
  • Requires familiarity with VRL and ECS for custom transformations.
  • Performance depends on chosen query engine (Athena, etc.).
  • Initial setup may need AWS CLI credentials and IAM permissions.

Managed products teams compare with

When teams consider Matano, these hosted platforms usually appear on the same shortlist.

Elastic Security SIEM

Modern, cost-efficient SIEM with years of searchable data.

Exabeam

SIEM and UEBA for threat detection and response

IBM QRadar SIEM

Enterprise SIEM for real-time threat detection and compliance.

Looking for a hosted option? These are the services engineering teams benchmark against before choosing open source.

Fit guide

Great for

  • Security teams needing a cost‑effective alternative to traditional SIEMs.
  • Organizations that already use AWS and want to keep data in‑account.
  • Teams that prefer code‑first detection development.
  • Analysts who want to query logs with familiar SQL engines.

Not ideal when

  • Enterprises requiring on‑premise deployment.
  • Teams without Python or VRL expertise.
  • Use cases demanding real‑time dashboards built into the platform.
  • Multi‑cloud environments where data must reside outside AWS.

How teams use it

Reduce SIEM licensing costs

Ingest all security logs into Matano’s data lake and query with Athena, eliminating the need for expensive third‑party SIEM storage.

Custom threat detection with Python

Write detection scripts that scan CloudTrail and Okta logs in real time, generating alerts to Slack via SNS.

Enrich and normalize logs from a new SaaS app

Use VRL to parse raw JSON, map fields to ECS, and make the data instantly searchable alongside existing sources.

Ad‑hoc investigation using existing analytics tools

Connect Snowflake or Trino to the Iceberg tables and run complex joins without moving data.

Tech snapshot

Rust 67%
Kotlin 14%
TypeScript 10%
Python 6%
Java 1%
JavaScript 1%

Tags

threat-hunting, dfir, aws, cybersecurity, alerting, cloud-native, siem, aws-security, apache-iceberg, log-analytics, security-tools, rust, cloud, serverless, detection-engineering, cloud-security, secops, security, log-management, big-data

Frequently asked questions

Do I need to manage any servers for Matano?

No. Matano is fully serverless and runs on managed AWS services.

Which log sources are supported out of the box?

Matano includes integrations for over 50 sources such as CloudTrail, VPC Flow Logs, Okta, GitHub, CrowdStrike, and many more.

Can I use my own query engine?

Yes. The data lake is stored in Apache Iceberg, so any Iceberg‑compatible engine (Athena, Snowflake, Spark, Trino, etc.) can query it.

Is the stored data portable?

Data is saved in an open table format (Apache Iceberg) with ECS schema, allowing you to move or copy it without vendor lock‑in.

How are detection scripts executed?

Detections are Python programs invoked in real time as logs are ingested, and they can emit alerts to configured destinations like SNS or Slack.

Project at a glance

Status: Dormant
Stars: 1,651
Watchers: 1,651
Forks: 124
License: Apache-2.0
Repo age: 3 years old
Last commit: last year
Primary language: Rust