A while back, I was deep in research on the next generation of security infrastructure, talking to CISOs and security engineers at some of the most technically sophisticated companies in Silicon Valley. I asked them all the same question I’d asked a decade earlier when I worked in enterprise software: What’s your biggest headache? The consistency of their answers surprised me. “We drown in logs we can’t afford to keep,” as one security leader put it, “and go blind on the logs we can’t afford to search.”

Enterprise security today is a story of impossible choices. The tools that teams rely on generate enormous amounts of log data—every API call, every login event, every network connection. To investigate cyber threats, they need all of it, often going back a year or more. But storing everything in a SIEM like Splunk is prohibitively expensive; costs could easily consume 15% of a CISO’s entire budget. Instead, companies make a compromise: they keep only the most recent 10 to 30 days of logs in their SIEM and park the rest in Amazon S3, where storage is cheap, but the data is effectively frozen. When a breach, a compliance audit, or a forensic investigation happens, security teams discover too late that the evidence they need is out of reach, opaque and unsearchable. 

I first heard about Scanner from a member of the security team at Temporal, one of our portfolio companies, who called it, “crazy fast.” I looked into it, and reached out to Cliff Crosland right away.

What Cliff and his co-founder Steven Wu have built is elegant in its insight. They asked: what would a log search engine look like if you designed it from scratch for object storage? The answer was a purpose-built inverted index that maps field values directly to file regions in S3. Rather than combing through billions of rows, Scanner narrows each query to only the relevant slices of data. A petabyte of logs becomes interactive. Queries that took hours now run in seconds. And a streaming detection engine runs hundreds of detection rules continuously across tens of terabytes a day, without re-scanning the world for each one.

Cliff and Steven are exactly the kind of founders we look for. Both Stanford CS alums, they were engineering leads together at Accompany (acquired by Cisco), where they built core data infrastructure under demanding, production-scale conditions. They have an obsession with performance that borders on the philosophical; they don’t tolerate systems that feel slow. And they have the expertise to build something better.

What’s most striking about Scanner isn’t the technology—though that is genuinely impressive. It’s the customers. The companies using Scanner today read like a who’s who of the cloud native world: Notion, Ramp, Benchling, Confluent, Lemonade, BeyondTrust. And they’re not just using it—they love it. Benchling replaced another product after a forced tenfold price increase, and their head of security engineering called it one of the best technical decisions their team had made. Ramp started with security logs and then expanded to application logs, reducing their SIEM bill in the process. Notion’s detection and response team built an internal AI agent that autonomously runs security investigations using Scanner. 

That last example signals what’s to come. We are entering a new era of security operations, where AI agents will do much of the investigative work that today consumes hours of human time. But agents need to rapidly iterate, ask questions and follow threads; queries can’t take minutes, much less hours. Scanner’s speed is enabling these agentic security workflows across a wide range of companies: within weeks of their MCP release, nearly a third of Scanner’s customers were already using it in production, and agents now account for 80% of queries on the platform. That is not a prototype or a promising beta. That is the future arriving ahead of schedule.

Sequoia is proud to lead Scanner’s Series A, and we’re thrilled to partner with Cliff, Steven and their team as they work to transform a market overdue for reinvention. Scanner is winning hearts and minds among the most technically forward organizations today, and together, they will define the next decade of security infrastructure.