new A next-generation Go + Rust engine see why ↓
commercial pricing · flat per deployment, not per GB

Pay for the deployment. Not for every gigabyte you happen to ingest.

Three deployment tiers, every one covering the whole platform. One flat license per deployment, capacity bands you can actually control, and no surprise true-up from a noisy Tuesday. A paid POC that credits to year one, and a displacement credit if you are leaving Splunk. That is the whole model.

why the math works

No ingest meter. The lake comes included.

Legacy SIEM bills stack a per-GB license on top of an indexer storage tier, and both grow with data you do not control. Caver removes both lines: the license is flat per deployment, and the platform ships its own enterprise lake on cheap object storage.

the meter

The per-GB meter is gone

One flat license per deployment. A noisy firewall day, a chatty DNS resolver, a new SaaS audit log: none of it is a budget event anymore. Ingest what the SOC needs.

the lake

Enterprise lake included

Caver provisions, retains, and compacts its own OCSF Parquet lakehouse out of the box. No data-lake team to hire, nothing extra to administer. Already standardised on S3? Bring your own bucket instead; it is the option, never the prerequisite.

the storage bill

Object storage, not indexer tiers

Retention lives on object storage, roughly 10x cheaper than indexer-tier storage at the same retention. Compression helps too: about 48:1 measured against raw ingest volume in the same window; legacy tsidx-style SIEMs land near 2:1.

deployment tiers

Three tiers. One axis you actually move.

Every tier ships the whole platform: the multi-language SIEM core, CAVERN detection engineering, ECHO service intelligence, UBA behavioral analytics, SLAM automation and response, Dashboard Studio, and the enterprise lake underneath. Tiers move on capacity, deployment, tenancy, and support, never on which layers you get.

STANDARD Cloud
$24K to $56K
per deployment / year

Mid-market replacing a legacy SIEM.

The whole platform, Caver-hosted: all five layers, five query languages (SPL, SQL, KQL, ES|QL, LSQL), Sigma content, the grounded AI assistant, and the enterprise lake underneath.

  • enterprise lake included: provisioned, retained, compacted by Caver
  • up to 750 hosts monitored
  • up to 75 data sources connected (HEC, S2S, OTel, syslog, files, JSON, custom)
  • single tenant · OIDC SSO + RBAC
  • 1-year audit-log retention
  • business-hours support · 24-hr Sev-1 response
  • self-serve onboarding + 4 hours of guided setup
  • scheduler-driven alerting included (cron jobs, channel actions, no-op-on-empty)
Talk to sales →
★ most picked
ENTERPRISE Cloud or on-prem
Contact sales
per deployment / year

Org scale, on our infrastructure or yours.

Everything in Standard at organization scale, plus the self-managed tooling: installers, the App Store pipeline, and your own storage if you want it.

  • up to 5,000 hosts monitored · unlimited data sources
  • installer access included: Helm, Terraform, cloud templates
  • App Store subscription pipeline: 167 apps pushed to subscribed collectors
  • bring-your-own S3-compatible object storage option
  • 7-year audit-log retention
  • 24×7 support · 1-hr Sev-1 · named TAM
  • white-glove 60-day onboarding included
Book a discovery call →
MSSP Cloud or on-prem
Partner pricing
Enterprise base + per-tenant

For MSSPs and MDR resellers.

The Enterprise platform run as a service: one deployment, many customers, every tenant isolated at the index level.

  • one deployment, many customers: index-scoped tenant isolation · per-tenant keys
  • white-label UI, custom domain, branded email
  • partner-tier reseller margin
  • dedicated partner TAM
  • co-marketing on accepted joint deals
  • channel-friendly EULA + MSP addendum
Become a partner →

One deployment = one production cluster, with the dev and staging environments for the same customer entity included. Multi-deployment discount kicks in at the second cluster.

capacity bands

Bands are hosts and sources, not gigabytes.

Splunk charges by the gigabyte you ingest. A bad firewall day costs you money, and a new logging source costs you a procurement cycle. We refuse to recreate that dynamic. Caver capacity is measured in two units a customer can actually control.

hosts monitored

Distinct asset IDs

Servers, endpoints, network devices, cloud accounts, OT assets: anything that shows up in your data with an identifier. The count grows with your infrastructure, not with your luck.

data sources connected

Active integrations

Each integration sending data into Caver counts once, no matter how chatty it is. Add a new SaaS audit log? Plus one source: a predictable line item, not a budget event.

Over-capacity Soft

UI banner plus an audit-log alert, on both sides. No hard lockouts.

True-up At renewal

Pay the next band up if usage ran high during the term.

Audit cadence Once / term

30-day notice. Reciprocal capacity inspection.

Two ways to adopt. Same license either way.

Migrate fully with caver-migrate and retire the legacy stack, or run Caver in parallel beside the SIEM you have today and cut over when the numbers convince you. Both paths are covered by the same per-deployment license: there is no single-layer edition and no collector-only SKU.

Two ways to de-risk moving off Splunk.

paid poc

60-day pilot. Credit-back.

$25K to $75K stands Caver up against your real data in a non-production environment for 60 days. Convert, and the full POC fee credits 100% toward your year-one license. Walk, and you keep the deployment plan, the sizing data, and a clean exit. Free POCs filter for tire-kickers; paid POCs filter for buyers.

  • Joint success criteria documented before kickoff
  • Customer-supplied data sources, non-production scope
  • One 30-day extension available on mutual agreement
  • Conversion target: signed order form within 30 days of POC end
splunk-displacement credit

Up to 50% off year one.

Bring written proof of a terminated Splunk contract and we take a meaningful slice off year one. The bigger the bill you are killing, the bigger the credit. It is the cleanest signal we can give that we exist to replace Splunk, not to coexist with it.

  • 25% off year one if Splunk spend was under $250K
  • 35% off year one if Splunk spend was $250K to $1M
  • 50% off year one if Splunk spend exceeded $1M
  • Non-stackable with other promotional credits · year one only

Pricing FAQ.
Probably what you came to ask.

If your question is not here, the answer is almost always in the docs.

Per-GB is the pain Caver exists to retire. A bad firewall day, a new logging source, a noisy DNS resolver: under volume pricing, every one of those is a budget event. A Caver license is flat per deployment, so you ingest what you need to ingest. Capacity bands measure the two things you actually control, hosts monitored and data sources connected, and both scale predictably with your infrastructure.

One production Caver cluster, plus the development and staging environments that pair with it for the same customer entity. Multi-region failover under the same customer counts as one deployment. A second business unit or a second legal entity with its own data isolation counts as a second deployment, and multi-deployment discounting starts at the second cluster.

No. Every tier licenses the whole platform: the SIEM core, CAVERN detection engineering, ECHO service intelligence, UBA behavioral analytics, SLAM automation and response, Dashboard Studio, and the lake underneath. There is no single-layer edition and no collector-only SKU. Adoption is one of two paths: migrate fully off the legacy SIEM, or run Caver in parallel and cut over when the numbers convince you. Tiers move on capacity, deployment, tenancy, and support.

Nothing breaks. Caver surfaces a UI banner and writes an audit-log entry when usage runs past the band, visible on the customer side and on ours. There are no hard lockouts. At renewal we true up: you pay the next band up, matching actual usage during the prior term. We collect what we are owed at renewal, not by bricking a production SOC.

Both, from Enterprise up. Standard runs Caver-hosted. Enterprise and MSSP run Caver-hosted or on your own infrastructure, and the license includes installer access: Helm charts, Terraform modules, and cloud templates, plus the App Store subscription pipeline that keeps collectors current. Same license model either way. The SLA differs slightly: 99.9% uptime when Caver-hosted, mutually agreed when self-hosted, because you control the operating environment.

Not for the commercial product. The fastest way in is the paid 60-day POC, which credits 100% toward year one if you convert. Free POCs filter for tire-kickers; paid POCs filter for buyers, and the credit removes the cost objection.

Show us written proof of an active Splunk contract you are terminating in order to land on Caver (a redacted order form is fine). Based on the Splunk annual spend, you get 25%, 35%, or 50% off year one. The credit is year-one only and non-stackable with other promotional credits. Every accepted credit becomes a published displacement case study, with your approval.

No. Caver is closed-source proprietary software, delivered as binaries plus a commercial license, the same shape as every other commercial SIEM in this market. The full MIT-to-commercial story is at /caver/transition/. Contact matt@redeyesecurity.com for evaluation access and license terms.

Caver ships with a standard EULA that handles the bulk of the relationship. Larger enterprise customers typically prefer an MSA with Caver-specific order forms attached. We work with either. Tennessee is the default governing law; we have negotiated alternative law and venue for larger deals.

ready when you are

Sales call, paid POC, or both.

Email us the rough size of your current SIEM bill, your renewal window, and the products you most want to displace. We come back within a business day with a sizing estimate and a POC plan.