DEV.co
Open-Source Security · matanolabs

matano

Matano is an open-source security data lake built on AWS that normalizes and stores security logs from 50+ sources in a structured, queryable format using Apache Iceberg. It supports real-time detection-as-code in Python, vendor-neutral data ownership, and integrates with standard query engines like Athena and Snowflake for investigations and threat hunting.

Source: GitHub — github.com/matanolabs/matano
1.7k
GitHub stars
121
Forks
Rust
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorymatanolabs/matano
Ownermatanolabs
Primary languageRust
LicenseApache-2.0 — OSI-approved
Stars1.7k
Forks121
Open issues55
Latest releaseUnknown
Last updated2025-01-08
Sourcehttps://github.com/matanolabs/matano

What matano is

A Rust-based, serverless security data lake platform that ingests logs via managed connectors, applies VRL transformation pipelines for normalization to ECS schema, stores data as Iceberg tables in S3, and enables real-time Python detections with alerting to SNS/Slack. Supports multi-engine querying (Athena, Snowflake, Spark, Trino, BigQuery Omni, Dremio) without vendor lock-in.

Quickstart

Get the matano source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/matanolabs/matano.gitcd matano# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

SIEM Cost Reduction & Augmentation

Offload high-volume log storage and compliance retention to a cheaper, serverless lake while keeping active SIEM for real-time response. Query Iceberg tables directly for deeper investigations without duplicate data.

Detection-as-Code & Threat Hunting

Write and version-control detections in Python, import Sigma rules automatically, and run continuous hunts across normalized ECS-compliant logs without managing infrastructure or custom parsers.

Multi-Cloud Log Aggregation

Centralize AWS (CloudTrail, VPC Flow, WAF, Config), SaaS (Okta, Office 365, Crowdstrike), and third-party logs (Zeek, Suricata, Cloudflare) in one queryable lake, enabling cross-source correlation and IOC pivoting.

Implementation considerations

  • AWS account setup and IAM credential management required before CLI deployment; initial deployment takes a few minutes.
  • Log source onboarding varies: managed sources (50+) are quick; custom sources require VRL scripting knowledge and testing in transformation pipeline.
  • Detection authoring in Python requires security/threat intelligence expertise; Sigma rule import eases adoption but custom tuning is typical.
  • Iceberg table schema design and ECS normalization upfront reduces query friction but delays initial value if not planned carefully.
  • Query cost via Athena/Snowflake is proportional to data scanned; partitioning strategy and retention policies critical for cost control at scale.

When to avoid it — and what to weigh

  • Non-AWS Deployments — Matano is AWS-native. If your infrastructure is on-premises, GCP, or Azure, this is not a fit without significant custom work.
  • Real-Time, Sub-Second Alerting Required — Serverless latencies and batch processing may not meet SLAs for instantaneous breach detection. Evaluate if query/ingest lag is acceptable for your use case.
  • Out-of-Box GUI & Dashboards — Matano provides log ingestion and detection framework, but dashboarding and visualization must be built via external tools (Athena UI, Grafana, Superset). No native SIEM dashboard suite.
  • Minimal DevOps/Platform Expertise — Deployment, log source configuration, VRL scripting, and detection authoring require AWS/infrastructure/Python knowledge. Not a no-code solution.

License & commercial use

Apache License 2.0 (Apache-2.0) is a permissive, OSI-approved license allowing commercial use, modification, and distribution with liability disclaimer and attribution requirement.

Apache-2.0 permits commercial deployment and modification. However, Matano Labs offers a separate commercial managed Cloud SIEM product; review commercial terms and support entitlements separately. The open-source version receives community/volunteer support only.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityHigh
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Matano stores sensitive security logs in your AWS account (no vendor lock-in); security posture depends on AWS IAM, S3 bucket policies, encryption (at-rest and in-transit), and VPC isolation. Rust implementation reduces memory-safety risks. No audit, penetration test results, or CVE history provided. Verify threat model, data retention, and access controls before ingesting PII-rich or regulated logs.

Alternatives to consider

Splunk

Enterprise SIEM with native dashboarding, alerting, and broad integrations; higher cost, vendor lock-in, and operational overhead vs. serverless Matano.

Elastic Security (ELK + Kibana)

Amazon Security Lake (AWS native)

AWS-managed service normalizing logs to OCSF schema; simpler onboarding but less customization, higher cost per GB, and limited to AWS sources vs. Matano's breadth and flexibility.

Software development agency

Build on matano with DEV.co software developers

Matano simplifies serverless security log storage and threat hunting on AWS. Review the docs, test with managed log sources, and deploy the CLI to your AWS account to get started.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

matano FAQ

Does Matano charge for use, or is it truly free?
The open-source version (Apache-2.0) is free. You pay only for underlying AWS services (S3, Lambda, Athena, data transfer). Matano Labs also offers a commercial managed Cloud SIEM product separately.
Can I query logs outside AWS (e.g., in Snowflake or Spark)?
Yes. Logs are stored as Apache Iceberg tables in S3; Snowflake, Spark, Trino, BigQuery Omni, and Dremio can query directly. You manage separate credentials and data access controls for each engine.
What happens if I need to import 200+ custom log sources?
Matano provides 50+ managed log source templates. Custom sources require VRL scripting in the transformation pipeline. For large numbers, you may need internal platform engineering to template and automate onboarding.
Is Matano production-ready?
Active development (latest commit Jan 2025), but no semantic versioning (nightly builds only) and 55 open issues suggest caution for critical SLAs. Test thoroughly in staging and plan for rapid iteration.

Work with a software development agency

DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If matano is part of your open-source security roadmap, our team can implement, customize, migrate, and maintain it.

Build Your Security Data Lake

Matano simplifies serverless security log storage and threat hunting on AWS. Review the docs, test with managed log sources, and deploy the CLI to your AWS account to get started.