Frequently Asked Questions
-
Easy — connect your data sources and spotr.io takes it from there. The platform automatically discovers your environment, maps your attack surface, and activates the right detection models for your data. Real-time results start flowing in seconds, not weeks. No lengthy onboarding, no professional services engagement, no waiting on us. You'll see value before you've finished your coffee.
-
spotr.io is a fully managed SaaS platform. There's nothing to install, no infrastructure to maintain, and no capacity planning on your end. The service scales horizontally to handle the demands of the world's largest organizations — and is still affordable enough for the smallest. You send the data, we handle the rest.
-
Wherever you need it. spotr.io sits alongside your existing data pipeline — whether you're routing through Cribl, Vector, Fluentd, or streaming directly from cloud-native sources. Tap into any stage of your pipeline without disrupting what's already flowing. When we detect something, signals route wherever your team already works: your SIEM, SOAR, ticketing system, or any webhook. spotr.io doesn't replace your pipeline — it makes it smarter.
-
It's easy — and we do not need your credentials.
Push data directly from your cloud environments (AWS, GCP, Azure), including CDN logs, identity events, and EDR telemetry. Already using a pipeline tool like Cribl or Vector? Just point a route our way. You can also forward streams straight from your SIEM or data lake.
No agents to install. No credentials to share. Just connect and detect.
-
No. spotr.io is built to handle the highest data volumes — VPC flow logs, DNS, firewall, endpoint telemetry, all of it. If you can generate it, we can process it. And unlike traditional SIEMs, scaling up doesn't break the bank. More data means better coverage without the sticker shock.
-
Wherever your team already works. spotr.io delivers signals to your SIEM, SOAR platform, ticketing system, Slack, PagerDuty, email, or any custom webhook. You define the routing — by severity, by detection type, by team — so the right people get the right alerts through the right channels. No new dashboards to babysit unless you want them.
-
spotr.io is a streaming detection engine — we process your data in real time and don't require a data warehouse to operate. By default, data is evaluated on stream and doesn't persist after processing. If you need long-term retention for compliance or investigation, spotr.io can sink your data to S3, Snowflake, or your preferred data lake(s). You choose what's stored, where it goes, and how long it's kept. Your data, your choice.
-
Simple: one rate based on daily ingest volume, regardless of source. Windows event logs, cloud telemetry, CDN logs: it all counts the same. Unlimited concurrent detections are included. No per-detection fees, no surprise line items, no "call us to find out" games. Just predictable pricing that scales with your data.
-
Both options are available. Annual and multi-year commitments get you the best pricing, but we also offer pay-as-you-go if you want flexibility. No lock-in required to get started — use what you need, scale when you're ready.
-
Nope. Setup is free and fast — there's no professional services engagement, no lengthy onboarding project, and no hidden implementation fees. Connect your data sources, and you're detecting.
-
Much better — and not just because it's faster and can handle thousands of concurrent detection models. spotr.io runs detection models that most detection tools and SIEMs simply can't. We're not just matching patterns. We're tracking thresholds, rates, and cardinality in real time. We're running multi-step sequence detection that correlates events across sources with ordering, timing, and negation logic. And we're applying anomaly detection that learns what "normal" looks like for your environment and flags what doesn't belong — all simultaneously, all on stream.
Traditional SIEMs are limited by what you can express in a scheduled search. spotr.io is limited by your imagination.
-
As many as you need. Traditional SIEMs force you to choose — more detections means slower search cycles and higher costs, so most teams cap out around 100. Other "streaming" tools claim real-time, but only support simple pattern matching — no aggregation, thresholds, sequences, or anomaly detection. The moment you need to count, correlate, or track state, they fall back to batch.
spotr.io runs tens of thousands of detection models concurrently — from simple filters to multi-stage behavioral sequences — with no performance tradeoff. Every model evaluates in real time, all the time. You stop choosing which threats to look for and start covering all of them.
-
Every detection model decomposes into individual evaluators — filters, thresholds, sequence steps, anomaly baselines, behavioral comparisons. A single credential theft detection might have 15 evaluators: match the process, check the parent chain, compare against the baseline, verify MFA status, track the sequence state.
Multiply that across thousands of detection models, across every data source, across every entity in your environment — and you get millions. Each one is a tiny, focused question running continuously: "Is this normal?" "Has this happened before?" "Did the expected thing follow?"
Here's the contrast: in a traditional SIEM, between scheduled searches, the number of evaluators running against your data is zero. Events land in the index and sit there. For up to an hour at a time, nobody's watching. The lights are off.
In spotr.io, every evaluator runs against every event the moment it arrives. There is no gap. There is no dark period. Millions of questions, asked continuously, answered in sub-seconds.
The difference isn't millions vs. hundreds. It's millions vs. zero.
-
Everything from simple threshold alerts to complex, multi-step attack sequences. Our detection models go well beyond pattern matching — they track rates, cardinality, and statistical anomalies in real time, and can correlate events across multiple data sources with ordering, timing, and negation logic. If you can describe the threat, spotr.io can detect it. And every model is fully transparent — no black boxes, no mystery scores. You can see exactly what triggered, why, and what data was involved.
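To make the evaluator types above concrete, here is a small streaming engine in Python. It is an added illustration written for this FAQ, not spotr.io code; the event layout (a timestamp in seconds, a user, an action, a source IP and a new_ip flag), the sample events and the thresholds are all assumptions. It runs two evaluators over the same stream: a sliding-window threshold that counts failed logins per user, and a multi-step sequence that fires when a password reset is followed by a login from a new IP within ten minutes unless an MFA verification arrives in between, which exercises ordering, timing and negation. State is keyed per user and expired as the window passes, so nothing is ever re-queried from an index.

```python
"""Streaming evaluators: sliding-window threshold and ordered sequence with
timing and negation. Added illustration for this FAQ, not spotr.io code; the
event layout (ts in seconds, user, action, src, new_ip) is an assumption."""
from collections import defaultdict, deque

# Constructed sample stream: alice is brute-forced, bob resets then logs in from
# a new IP without MFA, carol does the same but verifies MFA in between, and
# dave's new-IP login arrives long after the sequence window has closed.
EVENTS = [
    {"ts": 0,    "user": "alice", "action": "login_failed",   "src": "203.0.113.7"},
    {"ts": 5,    "user": "alice", "action": "login_failed",   "src": "203.0.113.7"},
    {"ts": 9,    "user": "alice", "action": "login_failed",   "src": "203.0.113.7"},
    {"ts": 12,   "user": "alice", "action": "login_failed",   "src": "203.0.113.7"},
    {"ts": 15,   "user": "alice", "action": "login_failed",   "src": "203.0.113.7"},
    {"ts": 100,  "user": "bob",   "action": "password_reset", "src": "198.51.100.2"},
    {"ts": 160,  "user": "bob",   "action": "login_ok",       "src": "198.51.100.9",  "new_ip": True},
    {"ts": 200,  "user": "carol", "action": "password_reset", "src": "198.51.100.3"},
    {"ts": 230,  "user": "carol", "action": "mfa_verified",   "src": "198.51.100.3"},
    {"ts": 260,  "user": "carol", "action": "login_ok",       "src": "198.51.100.30", "new_ip": True},
    {"ts": 300,  "user": "dave",  "action": "password_reset", "src": "198.51.100.4"},
    {"ts": 2000, "user": "dave",  "action": "login_ok",       "src": "198.51.100.40", "new_ip": True},
]


class SlidingThreshold:
    """Fire when one user produces >= limit matching events inside `window` seconds."""

    def __init__(self, action, limit, window):
        self.action, self.limit, self.window = action, limit, window
        self.hits = defaultdict(deque)  # user -> timestamps of recent matches

    def evaluate(self, ev):
        if ev["action"] != self.action:
            return None
        q = self.hits[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > self.window:  # expire state outside the window
            q.popleft()
        if len(q) >= self.limit:
            q.clear()  # emit once per burst, then re-arm
            return {"model": "brute_force", "user": ev["user"], "count": self.limit}
        return None


class Sequence:
    """Step `first` then step `then` within `window` seconds for the same user,
    unless an `absent` event (negation) arrives in between."""

    def __init__(self, first, then, absent, window):
        self.first, self.then, self.absent, self.window = first, then, absent, window
        self.pending = {}  # user -> timestamp of the completed first step

    def evaluate(self, ev):
        user = ev["user"]
        if ev["action"] == self.first:
            self.pending[user] = ev["ts"]  # (re)start the sequence for this user
            return None
        start = self.pending.get(user)
        if start is None:
            return None
        if ev["ts"] - start > self.window:  # timing: window elapsed, drop state
            del self.pending[user]
            return None
        if ev["action"] == self.absent:  # negation: the mitigating step happened
            del self.pending[user]
            return None
        if ev["action"] == self.then and ev.get("new_ip"):
            del self.pending[user]
            return {"model": "reset_then_new_ip_no_mfa", "user": user, "delay": ev["ts"] - start}
        return None


def run(events, evaluators):
    """Feed each event to every evaluator the moment it arrives; collect signals."""
    signals = []
    for ev in events:
        for evaluator in evaluators:
            sig = evaluator.evaluate(ev)
            if sig:
                signals.append(sig)
    return signals


def demo():
    return run(EVENTS, [SlidingThreshold("login_failed", limit=5, window=60),
                        Sequence("password_reset", "login_ok", "mfa_verified", window=600)])


if __name__ == "__main__":
    for sig in demo():
        print(sig)
```

Two things worth noticing. Memory is bounded by the number of entities with live state, not by how much data you retain, which is why this kind of evaluator does not need a warehouse behind it. And negation only works if the mitigating event really arrives between the two steps: late or out-of-order delivery (clock skew between the identity provider and the endpoint source, a pipeline that buffers one feed longer than another) is the classic way on-stream sequence logic produces both misses and false alarms, so the sources feeding a sequence model should share a trustworthy event timestamp.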
-
No. spotr.io is designed so any security analyst can build and tune detection models without writing code or learning a proprietary query language. You don't have to start from scratch — we maintain an up-to-date library that includes industry-standard detections translated from Sigma, Splunk, and Elastic rules, plus the spotr.io detection library: advanced models you won't find anywhere else, including real-time anomaly detection, behavioral baselining, multi-step sequence correlation, and cardinality tracking. If a model is relevant to your environment, we'll let you know it's available or activate it for you. New detections on day one, no homework required.
-
Yes — and it does it in milliseconds, not hours.
spotr.io includes built-in anomaly detection functions that go far beyond static rules. Our detection engine tracks statistical baselines in real time and fires the moment behavior deviates — no signatures required, no waiting for a scheduled search to catch up.
Think: a user who normally authenticates from 2 countries suddenly showing up in 12. A service account that's never touched a production database starting to query every table. DNS request volumes that spike 40x in 5 minutes. These aren't things you write rules for. They're things you learn and detect as they happen.
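The two cases in that paragraph, a rate that spikes and a cardinality that jumps, are shown below as learned baselines rather than fixed rules. This is an added illustration written for this FAQ, not spotr.io code; the bucket size, warm-up lengths, sensitivity constants, entity names and sample streams are all constructed assumptions. RateBaseline counts DNS queries per host per five-minute bucket and keeps an exponentially weighted mean and variance of closed buckets; CardinalityBaseline tracks the set of countries a user has authenticated from and fires when that set grows well past what was learned.

```python
"""Streaming anomaly baselines: learn per-entity 'normal' on the stream and
fire on deviation rather than on a hand-written threshold. Added illustration
for this FAQ, not spotr.io code; bucket sizes, warm-up lengths and the
sensitivity constants are assumptions."""
import math
from collections import defaultdict


class RateBaseline:
    """Count events per entity per fixed time bucket. Closed buckets feed an
    exponentially weighted mean/variance; a bucket more than `sigmas` standard
    deviations AND `min_ratio` times above the mean fires."""

    def __init__(self, bucket=300, alpha=0.2, sigmas=3.0, min_ratio=5.0, warmup=3):
        self.bucket, self.alpha, self.sigmas = bucket, alpha, sigmas
        self.min_ratio, self.warmup = min_ratio, warmup
        self.cur = {}    # entity -> [bucket_id, count] for the open bucket
        self.stats = {}  # entity -> [mean, var, closed_buckets_learned]

    def _close(self, ent):
        _, count = self.cur.pop(ent)
        mean, var, n = self.stats.get(ent, [0.0, 0.0, 0])
        if (n >= self.warmup and count > mean + self.sigmas * math.sqrt(var)
                and count >= self.min_ratio * mean):
            # Do not fold the spike into the baseline, or one burst teaches the model that bursts are normal.
            return {"model": "dns_volume_spike", "entity": ent,
                    "count": count, "baseline": round(mean, 1)}
        if n == 0:
            mean, var = float(count), 0.0
        else:
            diff = count - mean
            mean += self.alpha * diff
            var = (1 - self.alpha) * (var + self.alpha * diff * diff)
        self.stats[ent] = [mean, var, n + 1]
        return None

    def evaluate(self, ts, ent):
        """Ingest one event; returns a signal if it closes an anomalous bucket."""
        bid = ts // self.bucket
        sig = None
        if ent in self.cur and self.cur[ent][0] != bid:
            sig = self._close(ent)
        if ent not in self.cur:
            self.cur[ent] = [bid, 0]
        self.cur[ent][1] += 1
        return sig

    def flush(self):  # close every open bucket (end of stream, or a bucket timer)
        return [s for s in (self._close(e) for e in list(self.cur)) if s]


class CardinalityBaseline:
    """Track distinct values per entity. After `warmup` observations the distinct
    count is the baseline; fire when it reaches `ratio` times the baseline and
    at least `min_new` new values."""

    def __init__(self, ratio=3.0, min_new=3, warmup=20):
        self.ratio, self.min_new, self.warmup = ratio, min_new, warmup
        self.seen, self.obs, self.baseline = defaultdict(set), defaultdict(int), {}

    def evaluate(self, ent, value):
        self.seen[ent].add(value)
        self.obs[ent] += 1
        if self.obs[ent] == self.warmup:
            self.baseline[ent] = len(self.seen[ent])
            return None
        base = self.baseline.get(ent)
        if base is None:
            return None
        now = len(self.seen[ent])
        if now >= max(base * self.ratio, base + self.min_new):
            self.baseline[ent] = now  # re-arm: fire once, not on every further value
            return {"model": "new_auth_geographies", "entity": ent,
                    "baseline": base, "now": now}
        return None


def demo():
    rate, card, signals = RateBaseline(), CardinalityBaseline(), []
    emit = lambda sig: signals.append(sig) if sig else None
    # Constructed DNS stream: four quiet 5-minute buckets of 50 queries from
    # srv-01, then 2000 queries in the fifth bucket (a 40x spike).
    for b in range(4):
        for i in range(50):
            emit(rate.evaluate(b * 300 + i * 6, "srv-01"))
    for i in range(2000):
        emit(rate.evaluate(1200 + (i * 300) // 2000, "srv-01"))
    signals += rate.flush()
    # Constructed auth stream: alice logs in from two countries, then ten new ones.
    for i in range(20):
        emit(card.evaluate("alice", ["US", "DE"][i % 2]))
    for country in ["FR", "BR", "IN", "CN", "RU", "NG", "JP", "KR", "AU", "ZA"]:
        emit(card.evaluate("alice", country))
    return signals

if __name__ == "__main__":
    for sig in demo():
        print(sig)
```

The design choice to watch is how "normal" moves. The anomalous bucket is deliberately kept out of the EWMA update so a single burst cannot teach the model that bursts are normal, but alpha still lets the baseline drift, and a patient attacker who ramps slowly enough to stay under the sigma and ratio gates can walk it upward over days. A baseline model therefore still wants a slow-moving sanity bound (or a second model over a longer horizon) behind it, and the cardinality model re-arms at the new count for the same reason: without that it would either fire on every subsequent login or never again.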
And here's what makes it powerful: our AI Detection Engineer can build these models for you. Describe what you're worried about in plain language — "alert me if any user accesses sensitive data from an unusual location at an unusual time" — and the agent constructs the anomaly detection model, sets the thresholds, and deploys it. No data science team required. No month-long tuning cycle.
Traditional SIEMs give you scheduled searches over stored data. We give you continuous statistical evaluation on the stream — thousands of anomaly models running simultaneously, each one watching for the thing that's never happened before.
Signatures catch what you've already seen. Anomaly detection catches what you haven't.
-
Most AI SOC tools are glorified ticket closers. They triage alerts, auto-resolve what looks benign, and move on — but they never address why the alert fired in the first place. The underlying misconfiguration, the noisy detection, the gap in coverage — it all stays broken. Your team just stops seeing it.
spotr.io's AI SOC Analyst is different because it's built on top of the detection engine, not bolted onto someone else's. When it triages a signal, it doesn't just assess risk — it understands the detection model that produced it. That means it can autonomously tune thresholds, refine correlation logic, and tighten detection coverage based on what it learns. No human in the loop required. It doesn't just close the ticket. It fixes the problem that created it — on its own.
That's what makes it scalable. Other AI SOC tools scale your ability to ignore noise. Ours scales your ability to eliminate it — autonomously, continuously, around the clock. Fewer false positives over time, sharper detections, and a SOC that actually gets better the longer it runs. Not just cheaper. Smarter.
-
Traditional SIEMs store everything in expensive, queryable warehouses because that's where detection happens — scheduled searches running against indexed data. You're paying for storage and compute just to find threats.
spotr.io detects on the stream — no warehouse required. But what about lookbacks, tuning, and building new detections? That's where the ring buffer comes in. It holds a rolling window of recent data — and considering more than half of security lookbacks happen within an hour, it doesn’t need to be more than a day or two. Use it to investigate signals, test new detection models against live data, and validate before you deploy.
Once data flows through, spotr.io can sink it to inexpensive storage like S3 or Snowflake — purely for compliance and retention. No expensive query engine. No indexing costs. No per-GB search fees.
You can still sink everything you need. You just stop paying a premium to search it for threats.
-
You can — but you don't have to start there. We recommend starting with the data you're already collecting but can't afford to send to your SIEM, or that your current tools simply can't handle. VPC flow logs, DNS queries, proxy traffic, high-volume cloud telemetry, Windows logs, CDN logs — the stuff with real detection value that's getting dropped or ignored because it's too expensive to index.
More of your data fits that category than you'd think. Start there, see the value, and expand from there. Over time, many of our customers find that spotr.io covers what their legacy tools were doing — faster, cheaper, and with better detection coverage.
-
No. spotr.io includes a built-in ring buffer — a working set of your enriched data, right inside the product. Use it to build and test detection models, troubleshoot alerts, and run forensic investigations without ever leaving the platform or querying an external system.
This matters more than you think. If your investigation workflow depends on Snowflake or a data lake, every single query costs you money. Our AI agents build detections, tune filters, and run investigations against your ring buffer — unlimited queries, zero external compute costs.
For high-priority or sensitive signals, our AI investigator kicks off automatically — completing the investigation while the data is still in the buffer. By the time data rotates out, anything important has already been worked. The investigation findings — context, risk assessment, and supporting evidence — are permanently stored with the signal. You're not losing forensic value by skipping the data lake. You're front-loading it.
Since over 90% of security searches target the last 24 hours, a ring buffer sized at 1–2x your daily volume gives you everything you need for day-to-day operations. For the cases that go deeper, our dynamic evidence capture preserves the context around every signal so you're not piecing the story together across five different tools.
One platform. Your data, enriched, searchable, investigated, and ready to act on — without a meter running.
-
The hardest part of leaving a SIEM is the years of detection logic you've built up. With spotr.io, that's a non-issue. The industry-standard Splunk and Elastic detection rules are already in our library, translated, optimized, and ready to go, so detection parity isn't a project. It's a checkbox.
From there, it only gets better. Run everything side by side, confirm you're covered, then start layering on the detection models your SIEM could never run — real-time anomaly detection, multi-step sequences, behavioral baselining across thousands of concurrent models. Need long-term storage for compliance or investigation? Sink your data to S3, Snowflake, or any data lake at a fraction of SIEM indexing costs.
-
Yes — automatically. As your data streams in, spotr.io discovers semantic field types (IPs, domains, user agents, MAC addresses, and more) and enriches them in real time with context like geolocation, ASN, DNS resolution, and threat intelligence. No configuration required — we detect what your fields are and apply the right enrichments without you lifting a finger.
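The discovery-then-enrich step described above looks roughly like the following, shown here as an added illustration written for this FAQ rather than spotr.io code. The record layout, the field names, and every lookup table (the prefix-to-ASN/country map, the indicator set, the OUI table) are constructed assumptions; a real deployment would back them with GeoIP and ASN databases, DNS resolution and threat-intel feeds. The point is that enrichment keys off the discovered type of a value, never off the field name, so a source whose schema you have never seen still gets geolocation, ASN and indicator context on the stream.

```python
"""Semantic field-type discovery and stream-side enrichment of flat records.
Added illustration for this FAQ, not spotr.io code; the record layout, field
names and all lookup tables below are constructed assumptions."""
import ipaddress
import re

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
UA_RE = re.compile(r"^[\w.-]+/[\d.]+(?:\s|\()")  # "Mozilla/5.0 (" or "curl/8.4.0 "

# Constructed enrichment sources: RFC 5737 / RFC 3849 documentation prefixes,
# private ASNs, a tiny indicator list and a two-entry OUI table.
GEO_ASN = [
    (ipaddress.ip_network("203.0.113.0/24"), {"asn": 64500, "country": "NL"}),
    (ipaddress.ip_network("198.51.100.0/24"), {"asn": 64501, "country": "US"}),
    (ipaddress.ip_network("2001:db8::/32"), {"asn": 64502, "country": "DE"}),
]
THREAT_INTEL = {"203.0.113.7", "evil.example"}
OUI = {"00:50:56": "VMware", "00:1a:2b": "example-vendor"}


def classify(value):
    """Infer the semantic type of a raw string value, or None if unrecognised."""
    if not isinstance(value, str) or not value:
        return None
    if MAC_RE.match(value):  # before IP: "00:50:56:..." must not be read as IPv6
        return "mac"
    try:
        return "ipv6" if ipaddress.ip_address(value).version == 6 else "ipv4"
    except ValueError:
        pass
    if UA_RE.match(value):  # before domain: "curl/8.4.0 ..." is not a hostname
        return "user_agent"
    if DOMAIN_RE.match(value):
        return "domain"
    return None


def ioc_match(value):
    """Exact match for IPs; exact-or-subdomain match for domains."""
    v = value.lower()
    return any(v == ioc or v.endswith("." + ioc) for ioc in THREAT_INTEL)


def enrich(value, kind):
    """Attach context appropriate to the discovered type, not to the field name."""
    ctx = {}
    if kind in ("ipv4", "ipv6"):
        ip = ipaddress.ip_address(value)
        ctx["private"] = ip.is_private
        for net, info in GEO_ASN:
            if ip in net:
                ctx.update(info)
                break
    elif kind == "mac":
        ctx["vendor"] = OUI.get(value.lower().replace("-", ":")[:8])
    elif kind == "user_agent":
        ctx["product"] = value.split("/", 1)[0]
    if kind in ("ipv4", "ipv6", "domain"):
        ctx["threat_match"] = ioc_match(value)
    return ctx


def enrich_record(rec):
    """Tag every recognised field with '<field>__type' and attach context under
    '<field>__enrich'; unrecognised fields pass through untouched."""
    out = dict(rec)
    for field, value in rec.items():
        kind = classify(value)
        if kind:
            out[field + "__type"] = kind
            out[field + "__enrich"] = enrich(value, kind)
    return out


SAMPLE = {  # constructed flow-log-style record; the field names are arbitrary
    "src": "203.0.113.7", "dst": "10.0.0.5", "dst6": "2001:db8::1",
    "hw": "00:50:56:ab:cd:ef", "host": "www.evil.example",
    "ua": "curl/8.4.0 (x86_64-pc-linux-gnu)", "bytes": "1337", "msg": "hello world",
}

if __name__ == "__main__":
    for key, val in sorted(enrich_record(SAMPLE).items()):
        print(key, val)
```

Order matters in classify: MAC addresses are tested before IP parsing so that a colon-separated hardware address is never read as a malformed IPv6 literal, and user agents before domains so that "curl/8.4.0" does not look like a hostname. The subdomain rule in ioc_match is what lets a listed apex domain catch "www.evil.example" without listing every hostname under it.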
Already have your own enrichment sources? Bring them. spotr.io supports custom lookup tables and external enrichment feeds, so you can layer your own context on top of ours. And here's the bonus: you can sink your enriched data — fully contextualized and ready for analysis — to S3, Snowflake, or your data lake. That means even your long-term storage gets the benefit of real-time enrichment, not just your detections.
-
Absolutely. Security isn't just what we sell — it's how we operate. All data is encrypted in transit and at rest. Your data streams are processed in isolated, single-tenant environments and are never shared across customers. Access is tightly controlled, audited, and limited to the minimum required to operate the service.
-
We're currently pursuing a SOC 2 Type II attestation. Our platform is built from the ground up with security-first architecture, including encryption, access controls, audit logging, and data isolation. If you have specific compliance requirements, reach out — we're happy to walk through our security posture in detail.