Scanner is a radically different way to detect threats in security data. Most security teams run a SIEM at the center of their stack. But SIEMs price on ingestion volume and cap retention at around 30 days, which forces a painful tradeoff: teams end up diverting 95% of their log data to object storage like S3 just to keep costs manageable. The result is a SIEM that covers a thin slice of your environment and a data lake full of logs no one can practically search or run detections against. Scanner works differently at every layer. Storage: We index semi-structured and unstructured log data directly in your S3 buckets. No ingestion pipelines, no re-ingestion, no schema work. Your data stays where it is. Detection: Logs stream into a numerically efficient cache where detections run continuously. There's no batch job, no scheduled query scanning your entire dataset. Detections operate on the stream itself. Investigation: When an analyst or agent runs a query, Scanner spins up short-lived compute that exists only for the duration of that query and then disappears. The indexes narrow the search space by orders of magnitude before any data is read, so even petabyte-scale queries resolve in seconds. Query compute is active less than 1% of the day. The rest of the time, it doesn't exist. The result is a system where petabytes of security data are searchable in seconds, detections run continuously, and costs scale with actual usage rather than data volume. Today, AI agents are Scanner's most prolific users, investigating alerts and hunting threats around the clock. Teams at Notion, Ramp, and Benchling use Scanner as their core security data layer.