It is 3:14 a.m. somewhere - it always is, on a security team. An alert fires. In the old world, an analyst would crack open a console, paste a query into a search bar, wait, refine, wait again. Pay per gigabyte for the privilege. Make peace with the dashboard. By the time the cup of coffee arrived, the incident either was, or wasn't. Nobody could say which.
Panther's version of that morning looks different. The alert still fires. But it was written in Python by a security engineer who committed it to a git repository, ran tests against it, and shipped it through code review like any other piece of software. The query lands in a security data lake that holds years of telemetry, not weeks. An AI agent has already triaged the noise away, leaving a short list of things that matter. The analyst doesn't grep. The analyst thinks.
Security monitoring at cloud scale should not require an enterprise contract and a sense of humor about pricing. - The Panther thesis, paraphrased
The Problem They Saw
The legacy SIEM was never built for the cloud. It was built for a single corporate network with a polite quantity of logs, in an era when a "data deluge" meant six hard drives. Then everything moved. Applications scattered across AWS regions. Identity vendors multiplied. Containers spun up and died inside a single afternoon. The logs - oh, the logs - went exponential.
Security teams reacted the way every team reacts to a flood: they bought a bigger bucket. They paid Splunk, or QRadar, or someone with three vowels in their name, for the right to index everything. They watched their bills do what bills do when ingestion is metered. And in the quiet moments, between dashboards, they asked the question that powers every category-defining company: does it have to be this way?
The SIEM market spent fifteen years getting better at storing logs and worse at understanding them. Panther bet that the answer was code, not configuration. - Field notes, YesPress
The Founders' Bet
Jack Naglieri spent his Airbnb years building StreamAlert, an open-source detection framework that ended up running inside Netflix, Coinbase, Duo Security, and a long tail of companies whose security engineers had grown allergic to vendor UIs. The thing worked. People kept emailing about it. The pattern was hard to miss: security teams wanted to write detections the way engineers write code - in a language they liked, in a repo they owned, with tests that ran in CI.
So in 2018, Naglieri left Airbnb, gathered a small founding team, and started Panther Labs. The bet was simple to state and audacious to ship: rebuild the SIEM from scratch, on a cloud-native data lake, with Python as the detection language. Decouple compute from storage so the bill stops scaling like a horror movie. Treat the SOC like a software team. Let the rest follow.
I wanted a SIEM I would actually want to use. There wasn't one. So we built it. - Jack Naglieri, founder, on the obvious-in-hindsight origin story
The Product, Briefly Explained
Panther has four parts that, conveniently, all start with the letter D if you squint. Data lake. Detections-as-code. Dashboards-but-better. And, since 2024, dare-we-say-it AI agents that close the loop.
Cloud SIEM
Ingests, normalizes, and analyzes log data in real time. No on-prem boxes. No "professional services" line item.
Detection-as-Code
Python detections live in git, get unit tested, and ship through pull request. The SOC, finally, joins the rest of engineering.
Security Data Lake
Serverless storage on Snowflake. Years of telemetry, queried with SQL, at prices that don't require a quarterly apology.
AI SOC Agents
Triage, investigation, detection tuning, threat hunting. The robots don't replace analysts. They cancel out the 2 a.m. version.
The Proof
Coatue Management led the Series B. Lightspeed had been there since the Series A. Snowflake Ventures - Panther's own data infrastructure partner - wrote a check, which is the venture-capital equivalent of marrying your roommate. Then, in January 2023, a $68M Series C extension landed, and the AI roadmap got real.
- 2018: Founded. Jack Naglieri leaves Airbnb. Panther Labs incorporates in San Francisco.
- 2020: Series A. $15M led by Lightspeed Venture Partners. The cloud SIEM thesis goes public.
- 2021: Unicorn. $120M Series B led by Coatue. Valuation crosses $1.4B in under two years.
- 2023: Series C. $68M extension. The AI build begins in earnest.
- 2024: AI SOC. Autonomous triage and investigation agents ship across the platform.
- 2026: Now. ~310 employees, ~$57M annual revenue, and a growing list of teams who have quietly moved off Splunk.
What Panther customers report
We replaced our legacy SIEM with Panther and reduced our monthly bill, our alert fatigue, and our therapist's Tuesday slot. - Composite of testimonials, only slightly embellished
The Mission
The official line is short: detect, investigate, and respond to threats at cloud scale - powered by code and AI. The unofficial line is shorter still: security teams should operate like software teams. Versioned. Tested. Reviewed. Shipped. The dashboard is fine. But it should be the result of the work, not the work itself.
Panther's culture inherits that worldview from its open-source roots. The company hires engineers who came up writing detections by hand, who have war stories about per-event pricing, and who, given a quiet evening, would rather refactor a YAML rule than answer one more Slack ping. The pitch to recruits is identical to the pitch to customers: come build the tool you always wished you had.
The best security teams are software teams in disguise. Panther just made the disguise optional. - An anonymous reviewer on a public engineering blog
Why It Matters Tomorrow
The cloud is not getting simpler. Identity sprawl is not getting smaller. Attackers, having read the same papers as everyone else, are getting handier with LLMs and faster at moving through misconfigured environments. The volume of security telemetry will keep doing what volumes do, which is grow.
In that future, Panther's bet looks less like a startup pitch and more like a forecast. Storage is cheap when you decouple it from compute. Detections are durable when they live in a repo. Analysts are leveraged when an AI agent eats the boring 85%. None of these are exotic ideas in any other software category. Security is just the last room in the house to get rewired.
Back to 3:14 A.M.
The alert fires again, in some other timezone, on some other team. This time, nobody opens a console. The detection that caught the anomaly was committed three weeks ago by an engineer who unit-tested it on a Tuesday afternoon. The query that proves the case ran across two years of logs in less time than it takes to read this sentence. A triage agent has already correlated the signal across identity, network, and endpoint, and dropped a single, ranked incident into the queue.
The analyst doesn't grep. The analyst doesn't pivot. The analyst reads, decides, responds. The coffee is still warm. The SIEM, against every reasonable expectation, is on their side.
That is what Panther is selling. Not a product, exactly. A different morning.