A company that noticed you were deleting your own evidence
There is a quietly absurd bargain at the center of corporate security, and Scanner is a company built entirely on refusing to accept it. The bargain goes like this: your systems produce an enormous, ever-growing river of log data - every login, every API call, every config change, every packet a firewall frowns at. This data is, in a real sense, the crime-scene footage of your entire company. And the traditional way to make it searchable, a Security Information and Event Management system or SIEM, charges you by roughly how much of it you feed in. So security teams do the rational, terrible thing: they keep two weeks, maybe a month, and let the rest evaporate. When an attacker turns out to have been sitting inside the network for six months - as attackers annoyingly like to do - the footage of how they got in was deleted to save money. This is the industry equivalent of turning off the security cameras to lower the electric bill.
Scanner's founders, Cliff Crosland and Steven Wu, lived this bargain from the inside. Crosland was a principal engineer at Cisco running backend infrastructure for the Webex People Graph; before that he was an engineering lead at Accompany, which Cisco acquired. Wu was a senior technical leader at Cisco and had earlier founded Predictive Edge, a machine-learning startup that Dropbox bought. These are distributed-systems people - the kind who look at a petabyte and see an addressable engineering problem rather than a budget line to be minimized. What they kept running into was the same wall: the data was already sitting cheaply in Amazon S3, and yet to actually search it you had to pay to shovel it into somewhere expensive.
So in 2022 they built the thing that shouldn't need to be shoveled. Scanner is a security data lake that builds its own full-text index on top of the log data where it already lives - in object storage, in your own S3 - rather than reingesting it into a proprietary store. The result is the combination the old bargain said you couldn't have: the price of S3 with the speed of a SIEM. You keep everything. You search all of it. The line the company puts on its homepage is a small taunt dressed as a statistic: "Your SIEM sees 1%. Scanner sees what it can't."
What is actually clever here
The trick, and it is a genuine engineering trick rather than a marketing one, is when the indexing happens. Scanner builds its index at the moment data is ingested and stores that index cheaply alongside the raw logs in object storage. Because the heavy lifting is done up front and the index is compact, searches don't require spinning up an expensive always-on cluster to brute-force through raw files. The engine is written in Rust, which is the language you reach for when you care about throughput and memory more than you care about being fashionable. In one demonstration the company ran its index across 1.4 pebibytes of AWS CloudTrail data - a scale at which most tools quietly suggest you archive to cold storage and give up on searching it - and kept it queryable.
Around that core, Scanner has assembled the workflow a security team actually needs. It comes in four honest pieces:
Collect & Enrich
Pull in and enrich logs - CloudTrail, Cloudflare, Windows event logs and more - and index them at ingestion time.
Search & Investigate
Full-text search across years of data in under ten seconds, so threat hunting stops being a batch job you leave running overnight.
Detection & Response
Continuous detection rules run on the full stream, managed as detection-as-code straight from GitHub.
MCP & APIs
A Model Context Protocol server and search APIs that let AI agents query the whole log history programmatically.
The visibility gap, drawn to scale
Sequoia writes a check for the boring layer
In March 2026 Scanner raised a $22 million Series A led by Sequoia Capital, with CRV and Mantis VC joining. The angel list is the part that tells you who takes this seriously: Christina Cacioppo, the founder and CEO of Vanta; Tom Killalea, who was Amazon's very first Chief Information Security Officer and now chairs MongoDB's board; and Venkat Venkataramani, who founded Rockset and runs infrastructure at OpenAI. When Amazon's original CISO and OpenAI's infra lead both put money into the same log-indexing startup, the thesis is not subtle.
Sequoia's Bogomil Balkansky framed the bet in terms of what comes next rather than what exists now: security teams "generate massive amounts of data but can only afford to search a fraction of it," and Scanner's approach "enables companies to move into the agentic era of cybersecurity." The phrase "agentic era" is doing some venture-capital work, but underneath it is a concrete constraint. AI agents that hunt threats are only as capable as the data they can reach and the speed at which they can reach it. An agent pointed at a two-week window is a very expensive way to be nearsighted. Scanner is, in this reading, less a security product and more the affordable memory that the AI security tools of the next few years will need to plug into. The MCP server is exactly that plug.
Who is actually running it
The customer roster skews toward the kind of high-growth companies that generate a lot of logs and hire detection engineers who have strong opinions about them: Notion, Ramp, Postman, Benchling, Unit21, BeyondTrust, Lemonade, and EliseAI. The numbers the company shares are usefully specific rather than vaguely triumphant. Notion wired an AI agent into Scanner and reported an 84% reduction in investigation time, along with a 30% bump in team job satisfaction - which is a polite way of saying the humans stopped dreading the part of the job where they wait on slow queries. Ramp's detection team went from two weeks of searchable history to months, and now hunts years of logs for indicators of compromise in minutes.
That job-satisfaction number is the one worth sitting with. Most security tooling gets sold on fear - the breach you'll suffer if you don't buy it. Scanner's most quoted internal metric is instead about the people operating it having a less miserable time. It turns out that "you can finally search all of your data" and "your analysts are less burnt out" are the same sentence.
The incumbents it is arguing with
Scanner is picking a fight with a well-funded neighborhood: Splunk, Elastic, Datadog's security line, Microsoft Sentinel, Panther, Sumo Logic, and the data-lake approaches people bolt onto Snowflake or Amazon Security Lake. Most of those either charge for ingestion or make you assemble your own search layer over a lake. Scanner's argument is narrow and, if it holds, powerful: don't move the data at all, don't rebuild the plumbing, just index it in place and make the whole thing fast. It is the sort of positioning that either becomes a category or gets absorbed into one - and the caliber of the people betting on it suggests the first outcome is at least plausible.
From two engineers to Sequoia
- 2022
Scanner is founded in San Francisco
Cliff Crosland and Steven Wu leave the Cisco/Dropbox world to fix exploding log costs from the storage layer up.
- 2023
Security data lake goes to market
Full-text search and enrichment ship directly over log data sitting in Amazon S3.
- 2024
Detection-as-code arrives
Continuous detections run on the full stream, with rules managed in GitHub like any other code.
- 2025
AI agents get a door in
An MCP server and search APIs let autonomous agents query petabytes of logs in object storage.
- 2026
$22M Series A led by Sequoia
CRV, Mantis, and a marquee angel list back the bet on the "agentic era of cybersecurity."