An open source, serverless security data lake for AWS that normalizes logs, enables detection-as-code, and supports petabyte-scale threat hunting.
Matano is an open source security data lake platform built for AWS that ingests, normalizes, and stores security logs from various sources into a structured, queryable data lake. It enables security teams to perform threat hunting, detection, and response at petabyte scale using open table formats and detection-as-code, reducing reliance on proprietary SIEM solutions.
Matano is aimed at security engineers, SOC analysts, and cloud security teams operating on AWS who need a scalable, cost-effective platform for centralizing security logs, writing custom detections, and performing investigations without vendor lock-in.
Developers choose Matano because it provides a fully serverless, open-source alternative to commercial SIEMs, leveraging AWS-native services and open standards (Iceberg, ECS) for complete data ownership, unlimited scalability, and significant cost reduction while enabling powerful detection-as-code workflows.
Open source security data lake for threat hunting, detection & response, and cybersecurity analytics at petabyte scale on AWS
Uses Apache Iceberg tables and Elastic Common Schema (ECS) for vendor-neutral data storage, enabling querying with engines like Athena or Snowflake without data lock-in.
Built entirely on AWS serverless services (e.g., Lambda, Kinesis) for petabyte-scale log ingestion with zero operational overhead and cost-effective pay-as-you-go pricing.
Supports writing real-time threat detections in Python with Sigma rule import, allowing version control and customization of security logic.
Integrates out-of-the-box with 50+ security log sources like AWS CloudTrail and Okta, reducing initial setup time for common use cases.
The architecture is tightly coupled to AWS serverless services, making deployment on other cloud providers impossible without significant re-engineering.
Requires proficiency in Vector Remap Language (VRL) for log transformation and Python for detections, which may deter teams without strong scripting backgrounds.
Primarily supports alerting via Amazon SNS and Slack; connecting to other systems such as PagerDuty or ServiceNow requires additional custom configuration.
Matano is an open-source alternative to the following products:
ELK Stack is a collection of three open-source projects, Elasticsearch, Logstash, and Kibana, used for searching, analyzing, and visualizing log data in real time.
Elastic Security is a security information and event management (SIEM) and endpoint security platform that provides threat prevention, detection, and response capabilities.
Splunk is a platform for searching, monitoring, and analyzing machine-generated big data via a web-style interface.