Scanner Raises $22 Million to Build Cloud-Native Security Data Lakes for Enterprise Threat Hunting

⚡ Quick Summary

  • Scanner raised $22M Series A led by Sequoia for cloud-native security data lake platform
  • Platform addresses enterprise frustration with traditional SIEM cost and scale limitations
  • Security data lakes enable comprehensive data retention at 50-80% lower cost than traditional SIEMs
  • Investment signals strong institutional confidence in the emerging security data lake category

Scanner, a cybersecurity startup focused on helping organisations build cloud-native security data lakes for threat hunting, detection, and response, has raised $22 million in a Series A funding round led by Sequoia Capital. The investment highlights growing enterprise demand for security solutions that can handle the massive volumes of data generated by modern cloud infrastructure while enabling real-time threat detection and forensic investigation.

The company's platform enables security teams to centralise security telemetry from diverse sources — cloud services, endpoints, network devices, identity systems, and applications — into a unified data lake optimised for security analytics. Unlike traditional Security Information and Event Management (SIEM) systems, which often struggle with cloud-scale data volumes and carry prohibitive licensing costs based on data ingestion rates, Scanner's approach uses cloud-native architecture to provide cost-effective storage and analysis of security data at scale.

The funding will be used to expand Scanner's engineering team, accelerate product development, and grow its go-to-market operations. The Series A round brings the company's total funding to approximately $30 million including seed-stage investment, positioning it as a well-capitalised challenger in the competitive security analytics market.

Background and Context

The enterprise security market has been undergoing a fundamental architectural shift driven by cloud migration. Traditional SIEM platforms — dominated by Splunk (now part of Cisco), Microsoft Sentinel, and IBM QRadar — were designed for an era when security data was generated primarily by on-premises infrastructure. As organisations have moved workloads to AWS, Azure, Google Cloud, and multi-cloud environments, the volume and diversity of security telemetry have exploded.

This data explosion has created two interconnected problems. First, traditional SIEMs struggle to ingest and process cloud-scale data volumes efficiently, leading to dropped events, delayed alerts, and gaps in visibility. Second, the cost of SIEM licensing — typically based on data ingestion volume — has become a significant budget item, forcing security teams to make uncomfortable decisions about which data to collect and which to discard.

The security data lake approach addresses both problems by leveraging cloud-native storage (like Amazon S3 or Google Cloud Storage) for raw security data, with purpose-built query engines for threat hunting and detection. This architecture decouples storage costs from analytics costs, enabling organisations to retain comprehensive security data at a fraction of traditional SIEM pricing.

Why This Matters

Sequoia's lead investment signals strong institutional confidence in the security data lake category. Sequoia's portfolio includes some of the most successful cybersecurity companies in history, and the firm's willingness to lead Scanner's Series A suggests it sees a significant market opportunity that existing players are not adequately addressing.

The timing of this investment reflects the growing urgency of the cloud security data challenge. Major security breaches in 2025 and 2026 have repeatedly demonstrated that organisations lacked sufficient visibility into their cloud environments to detect and respond to threats effectively. In several high-profile incidents, forensic investigators found that critical security telemetry had been discarded due to SIEM cost constraints, hampering post-breach investigation and remediation.

For enterprise security teams, Scanner's approach offers the promise of ending the painful trade-off between data retention and budget constraints. The ability to retain comprehensive security data indefinitely — at a cost structure that scales linearly with storage rather than exponentially with ingestion — changes the economics of security monitoring fundamentally.

Industry Impact

Scanner enters a market that is attracting significant attention from both startups and established players. Companies like Cribl, Panther, Matano, and Amazon Security Lake are all pursuing variations of the security data lake concept, indicating broad market validation for the approach. Scanner's differentiation will need to come from its specific implementation, query performance, detection capabilities, and integration ecosystem.

The traditional SIEM vendors face a strategic challenge. As security data lake alternatives demonstrate viable approaches to cloud-scale security analytics at lower cost, the pricing models that have underpinned the SIEM market for decades come under pressure. Splunk's acquisition by Cisco was partly driven by this dynamic, as standalone SIEM economics became increasingly difficult to sustain.

For enterprise productivity software and cloud service providers, the emergence of security data lake solutions represents both a partner opportunity and a competitive dynamic. Microsoft, for example, offers its own SIEM (Sentinel) while also hosting the Azure infrastructure that security data lakes run on, creating a complex competitive landscape within its own ecosystem.

Expert Perspective

Cybersecurity analysts note that the security data lake category is still maturing, and Scanner will need to demonstrate that its platform can deliver not just cost-effective data storage but also the real-time detection and response capabilities that security teams require. The risk for security data lake approaches is becoming a "data swamp" — accumulating vast amounts of security data without the analytical tools to derive actionable intelligence from it.

Venture capitalists tracking the cybersecurity space view the category as well-timed, noting that the convergence of cloud migration, rising data volumes, and SIEM cost pressure creates a structural market opportunity that could support multiple successful companies.

What This Means for Businesses

Organisations currently spending significant portions of their security budget on SIEM licensing should evaluate security data lake alternatives as part of their next planning cycle. The potential cost savings — often 50-80% compared to traditional SIEM pricing for equivalent data volumes — can free up budget for other security investments.

The transition from traditional SIEM to security data lake architecture is not trivial, however. Organisations should plan for migration complexity, staff training on new tools and query languages, and the need to rebuild detection rules and response playbooks for the new platform.

Looking Ahead

The security data lake market is expected to see continued investment and consolidation over the next 12-18 months. As more organisations adopt cloud-native security analytics, expect to see integration partnerships, acquisition activity from larger security platforms, and the emergence of standardised query languages and data formats that improve interoperability across the security data ecosystem.

Frequently Asked Questions

What is a security data lake?

A security data lake centralises security telemetry from diverse sources into cloud-native storage optimised for threat hunting and detection, offering cost-effective data retention at scale compared to traditional SIEM platforms.

How does Scanner differ from traditional SIEMs?

Scanner uses cloud-native architecture that decouples storage costs from analytics costs, allowing organisations to retain comprehensive security data at a fraction of traditional SIEM pricing without sacrificing analytical capability.

Who led Scanner's funding round?

Sequoia Capital led the $22 million Series A round, bringing Scanner's total funding to approximately $30 million.

OfficeandWin Tech Desk
Covering enterprise software, AI, cybersecurity, and productivity technology. Independent analysis for IT professionals and technology enthusiasts.