Elastic SIEM is a powerful tool for detecting threats and investigating security incidents. But as log volume grows, using Elastic for everything can quickly become prohibitively expensive—especially when it comes to high-volume data sources. Scanner.dev helps you address this problem, augmenting Elastic to reduce both your operational costs and engineering maintenance burden.
Security teams frequently deal with log sources that produce vast amounts of data: cloud audit logs (e.g., AWS CloudTrail), network traffic logs (e.g., Cloudflare HTTP and DNS), and endpoint logs (e.g., Windows Event Logs). Ingesting just one of these high-volume sources into Elastic can cost hundreds of thousands of dollars annually—or even reach into seven figures.
The cost grows out of two main factors:
- Infrastructure Requirements: Processing terabytes of logs per day means running a large Elastic cluster with lots of compute and memory.
- Engineering Overhead: At scale, maintaining an Elastic cluster demands continuous attention from engineers, who must optimize performance, configure shards, manage storage, and troubleshoot stability issues.
For long-term storage, many teams turn to Amazon S3 to retain logs that can't be cost-effectively kept in Elastic. The typical query tool for these logs, Amazon Athena, can be painfully slow—especially when dealing with raw JSON data.
Scanner integrates seamlessly with Elastic to take on the challenges of high-volume logs, eliminating the need for costly cluster expansion and minimizing maintenance efforts.
Instead of pushing massive log volumes directly into Elastic, you can send them to S3. Scanner then organizes the raw logs in S3, making them easy to search while keeping costs much lower. By using Scanner to handle high-volume logs, it's common for teams to reduce ingestion costs by 80-90%, saving hundreds of thousands of dollars annually.
Elastic clusters running at scale can require a lot of manual tuning—adjusting memory settings, reconfiguring shards, managing query nodes, and more. Scanner removes this burden entirely. It automatically organizes your raw logs in S3, creating text and numerical indexes without requiring any user intervention. As ingestion volumes fluctuate, Scanner scales up or down automatically, and it leverages serverless functions to execute queries—eliminating the need for dedicated query nodes.
Querying data in S3 with Amazon Athena is often slow, especially with raw JSON logs. Optimizing Athena for log data requires extensive engineering effort—creating partitions, transforming logs to Parquet, etc. With Scanner, your data is organized automatically for fast search, with performance that can be 100 times faster than Athena. Scanner's indexing means that teams can quickly find what they need, without the cost and complexity of traditional optimization approaches.
For teams that use Elastic's detection rules, migrating to Scanner is straightforward. Scanner can translate your existing rules for use within its platform, retaining your alert coverage without heavy migration effort. Currently, Scanner supports Elastic detection rule types like Custom Query, Threshold, and Event Correlation.
Scanner is designed to work alongside Elastic SIEM—offloading high-volume log sources such as cloud audit logs, network traffic logs, and endpoint logs. By redirecting these log sources to Scanner, you can reduce your Elastic cluster size, which translates into both lower infrastructure costs and reduced labor for maintenance. Plus, with Scanner, querying your historical data is dramatically faster.
With Scanner, your SIEM setup becomes more scalable, cost-effective, and easier to manage—all without sacrificing the power of Elastic for detection and investigation.