Documentation overview highlighting key features and benefits of Panther's cloud-native threat detection platform
Panther is a cloud-native threat detection platform that transforms terabytes of raw logs per day into a structured security data lake to power real-time detection, swift incident response, and thorough investigations.
With detection-as-code in Python or Simple Detections YAML, and out-of-the-box integrations for dozens of critical log sources, Panther solves the challenges of security operations at scale.
A diagram showing how Panther works: It ingests, parses, and normalizes security logs, detects anomalies with rules, then alerts your team of suspicious activity. At the bottom of the diagram is a "Long-term retention" box, showing that data is stored in Snowflake and queryable.
Panther works by ingesting log events from any data source, running them through detection logic, and alerting your team when a match is found. You can then query your structured log data to conduct investigations.


  • Focus on security, not ops with a cloud-native architecture that eliminates the need to manage servers, storage and updates.
  • Detect threats immediately by analyzing logs as soon as they are ingested, giving you the fastest possible time to detection.
  • Answer security questions quickly with the ability to immediately query months of data in minutes and efficiently search for IoCs across all logs.
  • Reduce false positives with Detection-as-Code in Python or Simple Detection YAML, and CI/CD workflows for creating, testing, and deploying detections.
  • Expedite incident response by adding dynamic context to alerts to power more efficient routing, triage, and automation.
  • Reduce SIEM costs dramatically while gaining lightning-fast query speeds, with an efficient, highly scalable data lake architecture.
Learn more about the advantages of running Panther instead of a traditional SIEM.

Key features

  • Effortless Data Ingestion: Built-in support for common data transports such as S3, SQS, SNS, and out-of-the-box integrations for critical log sources like Okta, Duo, Slack, Google WorkSpaces, and more.
  • Log normalization: Logs are parsed and IoC fields like domains and IPs are normalized to support analysis, searches and correlations across all log types.
  • Detection-as-Code: Highly customizable Python or Simple Detection YAML-based detections, a built-in testing framework, and the ability to create detections directly in the Panther Console or with CLI workflows including the Panther Analysis Tool and CI/CD.
  • No-code detections: The Simple Detections workflow lets you create and manage detections in the Panther Console using a no-code builder, enabling collaboration with teammates who work in the CLI workflow.
  • Security data lake: Normalized security data is aggregated in a high-performance, scalable, and cost-effective data lake capable of running queries over massive data sets in minutes using Data Explorer or Scheduled Searches.
  • Search: Query petabytes of data and find related activity based on attributes like usernames, emails, IPs, and more to tell the full story during an incident.
  • Detection packs: Built-in detections give customers a starting point to customize as needed. Provided by Panther to analyze key log sources and support common security and compliance needs.
  • Alert routing: Feed alerts into notification systems for triage, and include valuable context to enable hands-off response via automation platforms.

Getting Started

Follow the quick start guide to get your new Panther account up and running.
Last modified 6h ago