RunReveal Documentation
RunReveal is a security data platform that unifies log ingestion, detection, and investigation. Connect 100+ sources, write detections as code, and investigate threats with AI—all backed by ClickHouse for sub-second queries at any scale.
Get started
Why RunReveal
Built for Everyone
For teams of 1 to 100,000. Every company deserves the tools to detect compromises—without needing a dedicated SIEM team to run them.
Customizable & Simple
Configure formats, enrichments, and detection rules to match your environment—while the UI stays effortless to navigate.
Own Your Data
Built on ClickHouse so you retain full control of your data. Deploy in our cloud, your cloud, or on-prem—without sacrificing query performance.
Performance & Pricing
Sub-second queries across terabytes of data with transparent, predictable pricing that beats legacy SIEMs.
What You Can Do
Collect & Centralize Logs
Connect 100+ sources via webhooks, object storage, or API polling. Use pipelines to filter, transform, and enrich data before it hits your data lake—reducing noise and costs without losing visibility.
Detect Threats
Write detections as Sigma rules or SQL queries. Test, version, and deploy detection logic alongside your infrastructure code. Alerts route to Slack, PagerDuty, Jira, or any webhook.
Investigate with AI
Ask questions in natural language across all your log data. RunReveal's native AI chat, MCP server, and autonomous agents turn hours of manual analysis into minutes of contextual investigation.
Visualize & Report
Build SQL-powered dashboards for security metrics, detection performance, and operational KPIs. Share with stakeholders or integrate with Grafana and Jupyter.
How RunReveal Works
From data collection to threat response in one seamless flow.
Connect Sources: Collect logs from 100+ sources
  Webhooks: Vector, Fluent Bit
  API Polling: Okta, GitHub
  Object Storage: S3, R2, GCS, Azure
Topics: Filter logs to flow through different pipelines
Pipelines: Configure transforms, enrichments, filtering, and sampling
ClickHouse: Cloud, BYOC, or On-Prem
Destinations: External storage
Detections: Sigma & SQL
Signals: No notification
Alerts: With notifications
Investigations: Manual + auto triage
Notification Channels: Slack, PagerDuty, Jira
AI Chat, MCP Server, & Agents
Natural language queries, Model Context Protocol, and autonomous workflows — same data, separate from the pipeline above.
Ready to dive in? Start with the onboarding guide to connect your first source and create your first detection.