Agent telemetry, security detections, logs, incidents, and on-call in one system of record. Your engineers and your agents investigate, detect, and resolve from the same data — humans in the console, agents through the API and MCP.












Most teams stitch observability from four vendors — an uptime tool, a log platform, a SIEM, and "we'll need an SDK for that." We collapse all four into one self-hostable product an agent can actually drive.
HTTP, TCP, SSL/TLS, ICMP ping, port probe, keyword match, heartbeat / cron. Multi-region. SLO targets. Status pages with custom domains. Signed alert webhooks to Slack, Discord, Teams, Telegram, PagerDuty, Opsgenie. The full uptime-vendor surface, self-hostable.
Ship from Lambda, Heroku, Vercel, Docker, journald, OpenTelemetry, or just curl. Search by typing the words you remember. Auto-extracted facets on the side. Pattern grouping that collapses 10,000 similar lines. Error tracking — recurring stack traces as one row, no Sentry meter.
22 ATT&CK-tagged detections, multi-event correlation, threat-intel matching on every source IP, GeoIP + identity + asset enrichment, and security cases to run the investigation. A detection opens an incident in the same pipeline as a failed health check.
Each one is a real check in the repo — not a roadmap item.
Verifies status codes, measures response time, flags degradation before full outage.
Reachable-or-not checks for databases, message queues, anything that speaks TCP.
Warns you 7 days before expiry. Validates cert chain, not just 200 OK.
Classic reachability from inside your network or ours.
Like TCP, but for the case where the URL format does not include the port.
Does the page still say "Order placed" — or is that 200 just a generic landing page?
Inverted check — your job pings us. If silence past your interval, we open an incident. Auto-resolves on next ping.
Send them from anywhere. Make sense of them without learning a new query language. Catch the spikes you'd miss at 2am. Group recurring errors so one bug is one row, not a thousand. The things Datadog, Splunk, and Sentry each charge separately for — bundled into the same bill as your uptime checks.
Lambda functions land through CloudWatch. Heroku apps in one heroku drains:add. Vercel projects in one paste. Docker containers via the syslog driver. systemd units via journald. OpenTelemetry SDKs in any language. Vector or Fluent Bit pipelines. Or just curl structured JSON straight to a URL.
No SPL to learn, no proprietary DSL. Plain substring works. So does service:checkout AND level:error when you want filters. Auto-extracted facets show up on the side — click a value, drill in. Live-tail new events as they land. Click a pattern to collapse 10,000 similar lines into the one shape that matters.
Threshold alerts when you know the magic number ("more than 10 errors in 5 minutes"). Spike-vs-baseline alerts when "normal" varies by service or time-of-day — no ML to configure, just "3× normal rate". Routes to email, Slack, Discord, Teams, Telegram, or any HMAC-signed webhook. One incident per fire, never a hundred.
Recurring stack traces collapse to one row with a count, first-seen, last-seen, and a sample. JavaScript, Python, Java, Go, generic ERROR:. The thing Sentry charges separately for, here for the same bill. Mark resolved when you've fixed it. Save any log search as a time-series and alert on it like any monitor.
Free 1 GB/mo. Startup 10 GB. Pro 100 GB. Self-host: unlimited. Every plan gets every feature on this page — no "intelligence tier".
Most "observability + security" stories are two products and two bills. Here a detection is just another rule that opens an incident — same alerting, same cases, same API. Threat-intel and enrichment run inline at ingest, so the signal is already on the event by the time a rule looks at it.
Prebuilt rules across access, exfil, secrets, web-attacks, reliability, threat-intel, AI-agent security, and MCP traffic — each carrying its MITRE ATT&CK technique where one applies. Write your own in one line of KQL-lite. They open incidents in the same pipeline as your uptime checks.
The signals a single log line can't express. Sequence — failed logins then a success. Cardinality — one IP touching many accounts. Each is one ClickHouse query, run every minute.
Known-bad indicators, Tor exits, DNSBL listings, VPN and datacenter ranges — matched the moment an event lands. Bring your own IOCs (IP, domain, hash) or ride the built-in feeds.
GeoIP, ASN, identity risk, and asset criticality stamped inline at ingest — so asset_criticality:critical AND geo_country:RU is just a search, not a join.
Group incidents into one investigation — status, severity, assignee, a notes timeline, and a true-/false-positive disposition. The analyst workspace, not a shared spreadsheet.
Forward-cursor NDJSON export so Splunk, Datadog, or your own SIEM polls the trail gap-free. Signed webhooks route every detection straight to SOAR.
Every plan gets every detection — no "security tier", no per-GB intelligence meter.
From $9/mo for 100 monitors — with logs and a full SIEM in the same bill, at a fraction of the cost of stitching together three separate vendors. Flat pricing that scales with your stack: no per-host metering, no per-seat tax, no surprise overage.
Deployable entirely on infrastructure you control. No vendor lock-in, no data leaving your environment, no "enterprise" tier gating encryption — your observability stays under your governance, on your terms.
Every account-mutating action — create, update, delete, role change, secret rotation — recorded with actor + resource + timestamp. PAT-attributed, so you can answer "what did the agent do?" with one SQL-style query.
Every line is true today. No roadmap asterisks.
/openapi.json. Generate a typed client in any language.
Uptime, logs, and the SIEM on one predictable bill — no per-host metering, no per-seat tax, no "contact sales."
Sign up and we run it for you, or fork the source and run it yourself.