matano
Matano is an open-source security data lake built on AWS that normalizes and stores security logs from 50+ sources in a structured, queryable format using Apache Iceberg. It supports real-time detection-as-code in Python, vendor-neutral data ownership, and integrates with standard query engines like Athena and Snowflake for investigations and threat hunting.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | matanolabs/matano |
| Owner | matanolabs |
| Primary language | Rust |
| License | Apache-2.0 — OSI-approved |
| Stars | 1.7k |
| Forks | 121 |
| Open issues | 55 |
| Latest release | Unknown |
| Last updated | 2025-01-08 |
| Source | https://github.com/matanolabs/matano |
What matano is
A Rust-based, serverless security data lake platform that ingests logs via managed connectors, applies VRL transformation pipelines for normalization to ECS schema, stores data as Iceberg tables in S3, and enables real-time Python detections with alerting to SNS/Slack. Supports multi-engine querying (Athena, Snowflake, Spark, Trino, BigQuery Omni, Dremio) without vendor lock-in.
Get the matano source
Clone the repository and explore it locally.
git clone https://github.com/matanolabs/matano.gitcd matano# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- AWS account setup and IAM credential management required before CLI deployment; initial deployment takes a few minutes.
- Log source onboarding varies: managed sources (50+) are quick; custom sources require VRL scripting knowledge and testing in transformation pipeline.
- Detection authoring in Python requires security/threat intelligence expertise; Sigma rule import eases adoption but custom tuning is typical.
- Iceberg table schema design and ECS normalization upfront reduces query friction but delays initial value if not planned carefully.
- Query cost via Athena/Snowflake is proportional to data scanned; partitioning strategy and retention policies critical for cost control at scale.
When to avoid it — and what to weigh
- Non-AWS Deployments — Matano is AWS-native. If your infrastructure is on-premises, GCP, or Azure, this is not a fit without significant custom work.
- Real-Time, Sub-Second Alerting Required — Serverless latencies and batch processing may not meet SLAs for instantaneous breach detection. Evaluate if query/ingest lag is acceptable for your use case.
- Out-of-Box GUI & Dashboards — Matano provides log ingestion and detection framework, but dashboarding and visualization must be built via external tools (Athena UI, Grafana, Superset). No native SIEM dashboard suite.
- Minimal DevOps/Platform Expertise — Deployment, log source configuration, VRL scripting, and detection authoring require AWS/infrastructure/Python knowledge. Not a no-code solution.
License & commercial use
Apache License 2.0 (Apache-2.0) is a permissive, OSI-approved license allowing commercial use, modification, and distribution with liability disclaimer and attribution requirement.
Apache-2.0 permits commercial deployment and modification. However, Matano Labs offers a separate commercial managed Cloud SIEM product; review commercial terms and support entitlements separately. The open-source version receives community/volunteer support only.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | High |
| DEV.co fit | Good |
| Assessment confidence | High |
Matano stores sensitive security logs in your AWS account (no vendor lock-in); security posture depends on AWS IAM, S3 bucket policies, encryption (at-rest and in-transit), and VPC isolation. Rust implementation reduces memory-safety risks. No audit, penetration test results, or CVE history provided. Verify threat model, data retention, and access controls before ingesting PII-rich or regulated logs.
Alternatives to consider
Splunk
Enterprise SIEM with native dashboarding, alerting, and broad integrations; higher cost, vendor lock-in, and operational overhead vs. serverless Matano.
Elastic Security (ELK + Kibana)
Amazon Security Lake (AWS native)
AWS-managed service normalizing logs to OCSF schema; simpler onboarding but less customization, higher cost per GB, and limited to AWS sources vs. Matano's breadth and flexibility.
Build on matano with DEV.co software developers
Matano simplifies serverless security log storage and threat hunting on AWS. Review the docs, test with managed log sources, and deploy the CLI to your AWS account to get started.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
matano FAQ
Does Matano charge for use, or is it truly free?
Can I query logs outside AWS (e.g., in Snowflake or Spark)?
What happens if I need to import 200+ custom log sources?
Is Matano production-ready?
Work with a software development agency
DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If matano is part of your open-source security roadmap, our team can implement, customize, migrate, and maintain it.
Build Your Security Data Lake
Matano simplifies serverless security log storage and threat hunting on AWS. Review the docs, test with managed log sources, and deploy the CLI to your AWS account to get started.