The Security Lakehouse.

Detection, reasoning and response that continue when the cloud does not. Edge-resident SIEM on a columnar lakehouse. One binary. Your data. Your keys.

Edge-First  ·  Cloud-Optional  ·  Outcome-Led
The Problem

Cloud-only SIEM is breaking.

Four compounding pressures that every CISO is now budgeting around.

Ingestion Inflation
$2–6 / GB

Log spend is outrunning risk.

Cloud-SIEM bills scale with data volume, not risk. Boards are demanding log-spend cuts.

Cloud-Tethered Detection
Blinded SOCs

Severing the telemetry link is the first move.

Attackers cut the cloud path before striking. A SOC that only sees through the cloud is already compromised.

Sovereign & Regulated
3–7 yrs

Hot retention cloud SIEM can't serve.

DORA, APRA CPS 234, NIS2 require hot-searchable retention and jurisdictional control that cloud SIEM can't deliver.

Agentic Inflection
On-Device AI

The next decade runs at the edge.

Nvidia-class inference is now practical at the endpoint. Edge-native security wins the next decade.

The Platform

Edge-resident SIEM on a columnar lakehouse.

Six architectural layers. Two of them reshape the market. The other four make sure the promise holds.

Endpoint Agent
Detection, triage and response run inside one endpoint binary. No cloud round-trip. Keeps working when the link is gone.
Single binary
Linux · Win · Mac · OT · edge response
Columnar Query Engine
Queries run in under 100ms across 7+ years of hot telemetry. On-device Parquet, not a cloud round-trip.
On-device Parquet
< 100ms · 7+ yrs
Detection-as-Code
3,000+ rules, forkable, diffable, auditable in git. Every rule mapped to MITRE ATT&CK tactic and technique.
3,000+ rules
git · MITRE mapped
Agentic Triage
AI analyst with cited evidence, ATT&CK mapping and confidence score. On-device inference, no data egress.
Nvidia inference
Cisco Foundation-sec
Autonomous SOAR
Ransomware auto-contained. Every other response class is approval-gated, audited, reversible.
Ransomware auto-contain
Human-gated elsewhere
Cloud Lakehouse
Customer-owned Parquet storage. Open format. No per-GB ingestion fees. No re-ingest lock-in.
Customer-owned
Parquet · open format
Technology Summary

Eight pillars. One binary.

The moving parts behind the platform. Built for operators, inspectable by architects.

Architecture

Proprietary columnar lakehouse with localised NVMe flash and cloud object-storage sync.

Detection

3,000+ vendor-agnostic Detection-as-Code rules with sub-second evaluation.

Data Pipeline

High-throughput message streaming with at-least-once delivery guarantees.

Query Engine

137 pre-compiled security macros. Under 100ms response time across years of data.

AI / ML

On-device LLM inference with retrieval-augmented generation. No data egress.

Orchestration

Event-driven SOAR workflows following Infrastructure-as-Code principles.

Deployment

Automated provisioning with IaC templates, SSL automation and agent distribution.

Security

Dedicated isolated instances, mutual TLS, RBAC and enterprise SSO built in.

Core Capabilities

Ten modules. One binary. One price.

No add-on SKUs. No per-module pricing. Every customer gets the full platform.

01

SIEM & Log Management

Centralised collection, normalisation and long-term retention on customer-owned Parquet.

02

Detection-as-Code

3,000+ rules git-managed, diffable, auditable, mapped to MITRE ATT&CK.

03

Agentic Triage

AI analyst with citations. Verdicts with evidence chain and ATT&CK tagging.

04

Autonomous Response

Ransomware auto-contained. Every other action human-gated, audited, reversible.

05

Forensics & Evidence

Chain-of-custody exports, immutable evidence store, regulator-ready reports.

06

Threat Intelligence

MISP, OTX and premium feed ingestion with on-device enrichment and graph correlation.

07

OT / ICS Security

Purpose-built for maritime, defence, mining, utilities. Air-gap and sovereign deployments.

08

Cloud Security Posture

AWS, Azure, GCP, OCI posture scanning with auto-remediation playbooks.

09

Enterprise SSO & RBAC

Okta, Entra, PingID, SAML, OIDC. Fine-grained roles and delegated admin.

10

Cloud Integrations

200+ connectors for EDR, ticketing, identity, CASB, DLP, cloud services.

Why Edge

Edge-native vs. cloud-tethered incumbents.

Three compounding moats: architectural (edge-first), data (customer-owned lakehouse), learning (every analyst override trains the next verdict).

Capability                            Splunk ES   Sentinel   CrowdStrike NG-SIEM   SIEMonster Edge
Edge-resident detection               No          No         Partial               Yes
Autonomous ransomware containment     No          No         Partial               Yes
Customer-owned storage                No          No         No                    Yes
Flat per-endpoint pricing             No          No         Partial               Yes
Agentic triage with citations         No          Add-on     Partial               Yes
MSSP multi-tenant mesh                Partial     Partial    No                    Yes
< 100ms queries across 7 yrs          No          No         No                    Yes
Under the Hood

Detection. Reasoning. Response. Evidence.

Four product layers, built to be inspectable by the people whose job depends on trusting them.

Detection Engine

Detection-as-code, enriched on-device.

  • 3,000+ preloaded rules, queries run in < 100ms across 7+ years
  • Every rule mapped to MITRE ATT&CK tactic & technique
  • Rules are code: forkable, diffable, auditable in git
  • Columnar Parquet engine on-device, no cloud round-trip
  • Cross-source correlation: logs + endpoint + network + cloud
  • Custom rules deploy in minutes, not release cycles
Agentic Triage

An AI analyst that shows its work.

  • Cisco Foundation-sec (security-tuned LLM) as the reasoning model
  • Nvidia-class on-device inference, no data leaves the customer
  • CPU + quantised Llama-3-8B fallback for constrained estates
  • Every verdict: cited evidence, ATT&CK mapping, confidence score
  • Analyst override signal trains the next verdict. The platform compounds.
verdict       CONFIRMED MALICIOUS  ·  95% confidence
technique     T1055.012 · Process Hollowing
evidence      explorer.exe → unsigned memory region
outbound      C2 IP matched TAG-RUBY
blast radius  4 endpoints, same tenant, 5 min
Deep dive: the AI analyst
Autonomous Response

Fast on ransomware. Gated on everything else.

  • Autonomous: ransomware containment only
  • Host quarantine in < 30 seconds
  • Block lateral movement at the NIC
  • Revoke credentials and kill sessions
  • Human-gated: every other response class
  • Disable accounts, firewall blocks, DNS sinkhole, process termination, endpoint reimage
  • All actions reversible, audited, notified.
  • Playbooks as code: YAML-defined, version-controlled. Slack-native approve/deny. 200+ action connectors. Full rollback and audit trail.
Deep dive: the endpoint agent
Forensics & Outcomes

Evidence that stands up to auditors, regulators and insurers.

  • 7+ yrs hot-searchable retention. No cold tier, no re-ingest fees.
  • 100% chain of custody. Every action, user, host cryptographically signed.
  • Your storage, your keys. Customer-owned Parquet, always.
  • Auto-trigger immutable store: evidence auto-collected on T1003 / T1021 / T1059 / T1071, WORM-stored, cryptographically hashed, time-stamped.
  • Outcome-led reporting: every incident closes contained, eradicated or recovered, with a time-to-outcome number.
  • One-click case packaging: PDF, CSV, PCAP, signed manifest. Consumable by your auditor, regulator or cyber-insurer without translation.
  • Open format (Parquet + OCSF). Consumable without re-ingest.
Deep dive: risk & outcomes
Vertical Strongholds

Built for the places cloud SIEM cannot go.

Operational Technology

Maritime, defence, mining, utilities, manufacturing.

Regulated Finance

Regional banks, credit unions, insurers. DORA, APRA, MAS.

Healthcare

Hospital networks and medical device fleets. HIPAA, GDPR.

State & Local Government

Agencies under CJIS, StateRAMP, IRAP, IL4/5.

MSSP & MDR Partners

Multi-tenant mesh with per-customer isolation and branding.

Sovereign & Air-Gapped

Fully disconnected deployments with sovereign feeds and keys.

“The first SOC platform we've bought that doesn't assume the cloud is reachable. It finished deploying before our legal team finished the DPA.”

– CISO, Tier-1 Maritime Operator (under NDA)
MSSP & Multi-Tenant

Native MSSP economics, not a bolt-on.

Horizontal-scale control plane, fully isolated. Built for partners who sell, not just resell.

1,000s

Tenants per instance

Horizontal-scale control plane, fully isolated. Mesh backhaul. Customer agents report to isolated tenant instances, no shared control plane.

Zero

Shared storage

Each customer's lakehouse lives in their own cloud or on-prem. You never hold their data. Per-tenant storage. Per-tenant keys.

Flat

Per-endpoint economics

Price customers on endpoints, not GB. Kill the per-GB margin compression that eats MSSP books.

White-label

Console & reports

Partner-branded dashboards, PDF outputs, delegated admin and RBAC. Cross-tenant IOC intelligence respects isolation.

Reach

Where the competition can't follow

Deploys into OT, maritime, defence, mining, remote sites, segmented and air-gapped networks. CrowdStrike and Rapid7 can't reach these estates. You can.

Hosted

No infrastructure to run

Open-core licensing you can forecast against. We host the control plane. You keep the customer relationship and the margin.

Deep dive: MSSP & multi-tenant
Integrations

200+ connectors. Your stack, untouched.

Edge fits into the estate you already have. No rip-and-replace. Every connector is bi-directional where the vendor allows.

Cloud & IaaS

  • AWS (CloudTrail, GuardDuty, VPC)
  • Azure (Entra, Defender, Sentinel bridge)
  • GCP (SCC, Chronicle bridge)
  • Oracle Cloud, Alibaba Cloud

Endpoint & EDR

  • CrowdStrike Falcon
  • SentinelOne Singularity
  • Microsoft Defender
  • Carbon Black, Sophos, ESET

Identity & SSO

  • Okta, Microsoft Entra ID
  • PingID, Duo, OneLogin
  • SAML 2.0 / OIDC / SCIM
  • Active Directory + LDAP

Ticketing & GRC

  • Jira, ServiceNow, Zendesk
  • PagerDuty, Opsgenie, VictorOps
  • GRC: Archer, LogicGate
  • Email, Slack, Teams

Network & NDR

  • Zeek, Suricata, Corelight
  • Palo Alto, Fortinet, Cisco
  • ExtraHop, Vectra AI
  • Firewall and IDS syslog

SIEM Bridges

  • Splunk bi-directional
  • Microsoft Sentinel
  • QRadar, Chronicle
  • Legacy CEF / Syslog / Kafka
Compliance

Audit-ready out of the box.

Every control mapped, every action time-stamped. Pre-built templates for the frameworks your auditor actually asks for.

DORA · APRA CPS 234 · NIS2 · GDPR · HIPAA · PCI-DSS · SOX · ISO 27001

Configurable retention

3-year, 5-year, 7-year, or custom policies per data class. Hot-searchable through the full window.

Data residency & sovereignty

Storage stays in your chosen jurisdiction. Per-region keys, per-tenant encryption.

Continuous audit evidence

Every control mapped to framework requirement with time-stamped evidence pulled automatically.

One-click regulator reports

Pre-built templates for DORA ICT incidents, APRA notifiable events, NIS2 disclosures, HIPAA breach reports.

Editions

Simple, transparent pricing. Flat per-plan.

All plans include the full platform. Annual billing saves 17%.

70–90% less than Splunk, Sentinel or CrowdStrike NG-SIEM at equivalent scale. 500 endpoints on Edge: from $22,788/yr. Same scale on Traditional SIEM: $100K–$300K.
Starter
$479/month
Up to 150 endpoints
Billed annually $5,748/yr
  • 6-month cloud retention
  • 3,000+ DaC rules
  • 137 query macros
  • 22 dynamic runbooks
  • Compliance dashboards
  • Vulnerability intelligence
Sign Up
Professional
$949/month
Up to 500 endpoints
Billed annually $11,388/yr
  • 1-year cloud retention
  • Everything in Starter
  • SOAR workflows
Sign Up
Enterprise Plus+
Contact Sales
Unlimited endpoints
Tailored solution
  • 7+ years retention
  • Multi-site fleet management
  • Edge Extenders
  • SOAR automation
  • Air-gap & sovereign
  • Dedicated TAM
Talk to Sales
All plans include the full platform · Cancel any time · No per-GB ingestion fees
Get Started

See Edge in your SOC in minutes.

Single-binary install. No data leaves your network. Detection and triage begin on the first event ingested. Cancel any time.

Sign Up

Starter plan. 150 endpoints. Create an account, install the binary, see detections on the first event.

edg3.io/signup

Book a Demo

30 minutes with the product team. We'll walk the full platform against your use case.

edg3.io/demo

Talk to Sales

Enterprise, MSSP and sovereign pricing. Tailored quoting and architecture review.

sales@edg3.io