Caver vs Elastic / ELK
Elasticsearch is an excellent search engine that a SIEM was built on top of. Caver is a security data platform on an open OCSF Parquet lakehouse. Here is the honest side by side: what Elastic does well, where Caver wins, and how to decide.
Elastic is the platform teams reach for when they already run the Elastic Stack for logs and want security on the same cluster. Elastic Security is a real SIEM, and Elasticsearch is an excellent search engine. The honest question is not whether Elastic works. It is who owns the storage format, who owns the scale-engineering, and how much of the platform you assemble yourself.
The core difference is structural. Elastic keeps your data in Elasticsearch indices and ages it through hot, warm, cold, and frozen tiers. Caver stores everything once as OCSF-normalized Parquet on Apache Iceberg in your own object storage, then searches it in place. No proprietary index format and no rehydration. Compression against the same-window raw ingest runs about 48:1, so years of telemetry stay queryable instead of getting dropped to hold down the storage bill.
At a glance
| Elastic Stack / Elastic Security | Caver | |
|---|---|---|
| License model | Open source (Apache 2.0 / Elastic License v2) + commercial subscriptions. | Per-deployment commercial license-key. |
| Storage | Elasticsearch indices. ILM moves data through hot / warm / cold / frozen tiers. | Native parquet / iceberg on object storage. |
| Cold-tier search | Frozen tier requires searchable snapshots with a performance penalty. | First-class search over object storage. |
| Query languages | KQL, EQL, ES|QL, Lucene. | SPL + KQL + SQL natively, all on the same backend with a language toggle. Plus AI agents over MCP, Grafana, Trino, Athena over the same OCSF Parquet lake. ES|QL native on roadmap. |
| Operator pool | Broad open-source community. | Smaller, focused on commercial deployments. |
| Scale engineering | Your team owns shard sizing, ILM tuning, rolling restarts, version upgrades. | We own the operational complexity. |
| Content ecosystem | Elastic integrations catalog plus community-authored content. Quality varies; many integrations require operator tuning. | Curated vendor packs that ship with dashboards, saved searches, data inputs, and OCSF field mappings. Daily updates. No third-party install. |
| OT / ICS coverage | No first-class OT product. Beats can ingest industrial telemetry via custom processors and community-authored content, but no out-of-box industrial protocol decoders and no framework-aligned content. | caver-industrial: passive deep-packet decoders for BACnet/IP, S7Comm, IEC 60870-5-104, DNP3, Modbus TCP, EtherNet/IP, OPC-UA. Framework alignment for NIST 800-82 + IEC 62443. Air-gap-friendly deploy. Curated industrial threat intel. |
| AI security visibility | Limited. | caver-aisec, purpose-built. |
Elastic Security ships detection rules on top of the stack, but reaching a full SOC usually means adding pieces around it, each tuned by your operators: SOAR automation, behavioral analytics, AI-security visibility, and OT decoding. Caver ships that as one curated product: detection content, risk-based alerting, SOAR-style playbooks, service analytics, behavioral analytics, caver-aisec for AI-security, and caver-industrial for OT. Underneath, the compute plane was rebuilt in Go and Rust: a vectorized, columnar engine runs SPL, KQL, and SQL directly against the open Parquet lake, with predicate and partition pruning and base-search reuse, so cold data stays fast without a hot tier to pay for. See how it works.
Strengths
| Where Elastic wins | Where Caver wins |
|---|---|
| Open source heritage. You can run Elasticsearch entirely under your own roof, no commercial relationship required. | No scale-engineering tax. Shard layout, ILM policy, version upgrades, rolling restarts: these are operator-burden line items at any non-trivial Elastic deployment. Caver doesn’t ship that burden to you. |
| Broad community. Decades of community-authored detection content, dashboards, integrations. | Cold-tier economics. Searchable snapshots are a real Elastic capability, but they pay a measurable performance penalty. Caver’s object-storage search doesn’t. |
| Flexibility. Elasticsearch is a general-purpose engine that happens to also do SIEM. If you need full-text search, geospatial queries, log analytics, and observability all on the same platform, that’s a real story. | Query however you want. SPL, KQL, and SQL natively on the same backend. AI agents over MCP, Grafana, Trino, Athena over the same Parquet lake. Operators coming from KQL keep their language; operators on SPL or SQL get theirs too. |
| No license-key gate. Run as many clusters as you like with no per-deployment commercial conversation. | Content packs that ship complete. Each Caver pack includes dashboards, saved searches, data inputs, and OCSF field mappings, daily-updated. Elastic integrations vary widely in depth and freshness. |
| Purpose-built. Caver is SIEM-focused. Elasticsearch is general-purpose with a SIEM product layered on it. The differences show up at the edges (deployment hardening defaults, audit posture, retention guarantees). |
You do not have to cut over in a weekend. Caver can federate alongside an existing Elastic deployment during a phased migration, so operators keep querying while data and content move across. KQL operators keep KQL, SPL and SQL are native on the same backend, and ES|QL is on the roadmap.
How to decide
If you have strong Elasticsearch operators on staff and the cluster is already healthy, Elastic Security on top of it is a reasonable answer.
If you’re paying real money in operator time for cluster maintenance, version upgrades, or shard sizing, and you’d rather that time go elsewhere, Caver removes that line item.
If you need OT / ICS visibility, caver-industrial is in a different league than what’s available for Elastic.
Bringing a growing Elastic deployment under control, or evaluating greenfield? We will scope a Caver pilot against your real data and your real retention targets, and show the federation path.
Email matt@redeyesecurity.com, or read how Caver works first.