Anvilogic Reviews

Anvilogic serves as our security analytics tool on top of our security data lake.

In my day-to-day work, we perform detection engineering on Anvilogic, and we also use the Armory to provide us with strong coverage from a MITRE perspective and security coverage over our logs to ensure that we can detect threats and respond to those threats efficiently and effectively.

We pursued Anvilogic as a piece of the puzzle to replace Splunk, our legacy SIEM platform, and it was a big part of being able to decouple the detection capabilities that Anvilogic offers from the data storage capabilities of a data lake, which is a big use case as well.

Our data lake is run on top of AWS using Snowflake.

One of the best features Anvilogic offers is the Armory, which is full of various different pre-built detections; that was a huge improvement from any kind of pre-built detections we had in Splunk and saved a lot of time to really increase our coverage capability. I also appreciate the normalization process for log sources, normalizing them to a consistent schema where those alerts automatically apply is a nice feature and gives us a very clear-cut way to handle lots of different log sources in a centralized manner, ensuring that we are doing threat detection on those log sources.

The normalization process has enhanced our log monitoring maturity; previously in Splunk, we had SIEM mapping set up for log sources, but it did not translate necessarily to immediate security value because there were not pre-built detections that leveraged that SIEM mapping. The ability for Anvilogic to have built-in curated detection logic that automatically applies once we normalize logs creates immediate maturity and value every time we normalize a log source. It gives us a target to identify if a log source should be normalized. If it should, we know the value and output from Anvilogic; if it should not, we can identify custom use cases and build custom logic in Anvilogic or hold onto those logs in our data lake without any detections running on them if it is more for compliance or incident response.

Anvilogic plus Snowflake has vastly improved our total cost of ownership for the SIEM platform; we went from a pretty expensive platform in Splunk that was not vertically scalable due to budget limitations to a platform now that is far more efficient per terabyte of data ingested and processed per day. The savings per terabyte of data being ingested and monitored for security threats was a pretty significant percentage, which was a huge advantage. We now have budgetary space to scale up our solution as needed as the business grows.

We have had to make difficult decisions to not ingest certain logs in the past due to budgetary restrictions, but now we can take a more liberal approach in accepting most requests and ingesting those logs into our SIEM because the cost to do so is not a problem for the company and for our internal budgets, which is huge.

There is room for growth in the product platform; our detection engineers using Anvilogic every day encounter some frustrating UX experience issues where buttons are not logically placed, and workflows are not working as expected. There is also room for growth in integrating the platform with third parties, as we have encountered limitations in what can be executed via API and what is documented. We are a heavy automation integration team, so having this well documented is important for us. The enterprise capabilities within the platform also seem somewhat limited, as we run into limitations in managing detections at scale and making changes to those detections at scale. Especially at an enterprise level, if we need to add enrichment logic to every single detection deployed, it can be quite onerous; we had to develop custom scripts to manage that. Thus, enhancing enterprise-type features for managing the platform at scale rather than clicking through the GUI is important as we continue to grow. Additionally, the AI capabilities have been somewhat unstable and unintuitive to use, which is key for increasing adoption.

One other thing is that the detection logic builder today is somewhat limited in flexibility regarding implementing detections, grouping detections together, and handling alerts when they fire. This might be partly due to our need to adjust to a different platform, but flexibility is key for any enterprise platform to meet our unique business requirements. Having the capability to build custom detection logic not tied to a specific structure would be helpful; although a lot can be done, it often requires working with our account team which is time-consuming and less intuitive.

I have been working in my current field for a little under 10 years.

Generally, Anvilogic is stable, although we have experienced some usability issues; the biggest instability has been with the AI agent, which the team is not using fully due to inconsistent results. Aside from that, the platform itself is stable.

Anvilogic's scalability is quite good; however, we require more and more detection capabilities, and there is a ceiling based on what the Armory offers or what our team can custom develop. I would love to see an increase in out-of-the-box detections curated by the team, which would be a significant value add. As for the platform technology being based on Snowflake, it has essentially unlimited scalability, so I have no concerns there.

Customer support is great, particularly from our immediate contact, Brad, who is very engaged and responds quickly, dedicating time to answer questions and onboard us effectively. However, outside of him, the process can get vague, with requests sometimes disappearing and lacking a clear tracking system, but overall, the experience is generally positive with some expected challenges from a smaller team.

We previously used Splunk and switched to Anvilogic + Snowflake.

The moment we realized we needed something better was triggered by the lack of detection coverage and the overhead required to improve detection in Splunk, along with the non-scalable cost of operating it. We constantly dropped logs from monitoring, which is not the focus of a security organization; we wanted better coverage and monitoring, and that is what Anvilogic and Snowflake enabled us to achieve.

Since onboarding, we started with rough, quick migrations of log sources and detections from Splunk to Anvilogic, but we have since cleaned up a lot of our normalization tasks and ensured things are correctly categorized, steadily deploying more Armory detections onto our existing data sets for better coverage.

While I do not have specific metrics, we have certainly seen a return on investment, mainly in time taken to improve detection coverage and the ability to detect threats on our logs. The Armory has greatly increased our coverage while reducing the time that would have been needed to develop detections ourselves in Splunk. However, the volume of alerts generated is shifting the cost to the operations side, requiring us to ensure that detections are tuned and alerts are efficiently firing to prevent noise that could increase costs for operations personnel and risk missing incidents.

My experience with pricing, setup cost, and licensing has been overall positive; the Anvilogic team has been very engaged throughout the process, which helped us adopt the platform. Weekly calls and a hands-on approach over the significant changes in how we do SIEM have been beneficial. Licensing is reasonably affordable and should be evaluated over time concerning the platform's value. Setup costs primarily involved internal work to configure our pipelines, but mostly consisted of man-hours.

We evaluated various options before choosing Anvilogic, including Gurucul, Panther Security, and Splunk Cloud, among others. Ultimately, we found Anvilogic to be the best fit for our needs.

Another feature we are excited about, but we have not seen the value in yet, is the AI capabilities for detection engineering; it is, in theory, going to be very powerful and really reduce our time to develop new detections. There are more agentic features coming on the roadmap that have not been released yet, and we have not been able to see the full picture of value of that aspect of the product yet, but in theory, those should be extremely beneficial and really magnifying the amount of detection engineering work our team can do.

What surprised me the most about Anvilogic was the modern solution it offered to solving a SIEM business problem, which was different from other vendors. Anvilogic being a detection engineering tool makes sense and allows us to run it on any data lake background, which is unique. This decoupling of security detection from security data storage enabled us to pursue this path.

If Anvilogic disappeared tomorrow, we would lose our detection capability, which would be significant and necessitate finding another vendor's solution.

I rate Anvilogic about a seven on a scale of 1 to 10.

I chose a seven because the platform is a huge improvement from our legacy SIEM platform in Splunk, especially from a detection perspective. However, there are certainly opportunities to improve the user experience and capabilities, as well as to mature the platform. These three aspects make a difference in execution and can improve competitive edge significantly.

I convinced our leadership to adopt Anvilogic by emphasizing the cost benefits of increased capabilities at a lower cost. The Anvilogic-Snowflake combination presented a centralized source, which is advantageous for reusing security data across other non-SIEM use cases, making it an easy sell.

My advice for others considering Anvilogic is that depending on your company's detection engineering needs and maturity with your legacy SIEM platform, Anvilogic can provide a swift, significant value add. If you have a dedicated SIEM team with many custom use cases built on a platform such as Splunk, Anvilogic may not be the correct fit. We were a small team managing a complex old system and were not getting the full value from Splunk. Anvilogic provided a more dynamic, low-overhead solution, making it a great fit for us, but for larger teams with custom detection needs, it might be less flexible.

My main use case for Anvilogic is for triage in the SOC. That's the primary use case.

The 'we need something better' moment was triggered when we were trying to roll out custom alerts with Splunk Enterprise Security; it was atrocious to do that. You would have to clone things and then reuse alerts you made. Just making new alerts, the process was not very good, and there was no versioning for all the alerts we create. So we had to trust Splunk for what they created. Rolling out new alerts was a pain since you had to load them up in a new app and things similar to that.

With Anvilogic, they made it super simple. I can describe a process where they have something they refer to as the Armory. You just go to the Armory, click all the things you want. It automatically pushes it down to your Splunk Enterprise with their app loaded up on there if you modify it as needed. It tends to just work, and you can customize it easily since it tells you the Splunk language plus the normal human language. So it makes modifying it simple with rollback versioning. They have groups based on known attackers coming for you, and you can group them together that way and deploy a whole set of alerts designed just for those specific use cases of those attackers and their IOCs.

Aside from the easy custom alerting with Anvilogic, the next feature I appreciate most is that they also standardized bringing in the logs. They set some macros that help standardize and make more sense than Splunk. They teach you and give you insights every morning or every week, saying, 'Hey, this is not working, so what do you want. You're getting one or two of these alerts per day. Do you want to squash them from error to warning?' They're always giving you tips on how to improve the efficiency of the system itself. Creating scenarios was amazing. In Anvilogic's case, you create scenarios based on MITRE ATT&CK framework. Every rule that fits that MITRE will get used.

My usage with Anvilogic has evolved since onboarding. After about two or three years, they started offering their cloud-based SOC where instead of just using Splunk as a data set, you could run your searches against Snowflake databases, Demisto, and others including Azure log storage. Their generative AI work has been fantastic as it's very specific in what you need to do. The route they've gone with the different types of AI agents aligns exactly with what I was hoping the market would do. Seeing them do the Tier Zero for SOC-type stuff with their playbooks has been impressive.

Since adopting Anvilogic, our team's quick SOC response has become essential. We have been known to respond within five to seven minutes to an attacker compromising an account.

Anvilogic could be better in areas of the triage dashboard as they're beholden to Splunk's functionality. I need to click three times to get to all the information I need. Enterprise Security did that better in the old version. Anvilogic requires three clicks to get the full set of information. More customization on the triage dashboard would be beneficial, however, there have been no limitations so far.

Anvilogic has been in use for just over three years.

Regarding stability and reliability of Anvilogic, I cannot recall an outage. There might be temporary issues with updates, yet they have a Slack chat where they respond really fast. I have never experienced a serious outage.

Anvilogic grows effectively with the needs of my organization. They see where the market and technology are going, and they can institute all the things they wish they had when they were SOC operators.

I would evaluate their customer and technical support as fantastic. Their support is excellent since they answer my questions. When I try to create new solutions within the scope, they work with me effectively.

Positive

I did not extensively consider alternatives before selecting Anvilogic. Enterprise Security was still the best SIEM available since we were a Splunk shop. Through my reseller consortium networks, I received personal introductions to people at the founder level. Within 30 minutes of talking to Anvilogic, I realized they addressed all the problems I had been experiencing.

I would describe my experience with deploying Anvilogic as simple.

I have seen a return on my investment with Anvilogic. We rolled out approximately 1,500 Armory alerts in three months, which would not have been possible with Splunk, and they were all fixed and modified as needed.

My experience with pricing, setup costs, and licensing of Anvilogic was the easiest experience I have ever had.

When other teams ask about Anvilogic, I tell them it is security only. There were no surprises about the Anvilogic solution once I started using it; they were honest from the beginning about what they do and where they are going. Their culture is fantastic, and the people care about what they are doing.

The deployment model for Anvilogic is hybrid. We use Azure for some machines and have a small AWS footprint.

I rate Anvilogic a 9 out of 10, as they work effectively and fix the problems that people have with other SOCs and SIEMs.

The primary use case for Anvilogic is detection velocity and keeping version control of the detections. We're still not fully deployed, so it's not in production yet.

What I appreciate the most about Anvilogic are the features we discussed on the roadmap today. Being able to generate detections and map them back to MITRE, not as a 'we've accomplished security' type of metric, but at least showing that you have some form of adequate coverage across all of those different domains, is something that you can very easily take back up to the leadership of your company and help build out the roadmap for your entire security program.

It is difficult for me to suggest improvements for Anvilogic after seeing the roadmap evolve with the improvements they're making.

The solution is not currently in use.

Other than scheduled downtime that companies obviously have, I haven't experienced any downtime or crashes with Anvilogic. There are no reliability issues.

Anvilogic is helping us identify what the needs of the business are, where in many cases, business processes just run off on their own. We're a large company with many people doing different things, and this is helping us bring the company more in line with how they make their money and what's required to do that.

I think that they've been extremely helpful. We've been in a pretty thick deployment with them, so we've had regular engagement from the engineering team working with us.

Positive

We were still in conversations with Splunk as they were pushing everything they could to try to keep us there. We looked at a couple of other similar AI platforms, but Anvilogic was a clear leader because I really appreciated breaking apart the entire architecture that existed before. I always felt that security teams had no business maintaining a Splunk environment anyway.

My experience with the pricing, setup costs, and licensing of Anvilogic has been positive. I actually really appreciate the pricing that we came into because I viewed Anvilogic as a one-for-one with enterprise security.

It took a lot of systems administration and ownership responsibilities away from my firefighting team, which is what I view an incident response team should be doing.

I have seen ROI with Anvilogic. We're taking these things that executives see on the news, cyber threats falling from the sky, and we're taking the timeline that would take weeks or sometimes even months to address, depending on what's required for the detection, and bringing that timeline down to hours and days.

A lot of process and technology debt around our existing SIEM solution first triggered the need for something better. Also, all the different use cases that individuals at the company were trying to use the SIEM to address just made it a data swamp that we had to get ourselves out of.

People come to me asking about Anvilogic. I view Anvilogic as an easy button for detection engineering. You're talking about replacing multiple headcount and a lot of process and oversight with the technology.

The roadmap surprised me, and the rapid adoption and use of AI across the platform is bold and going in the right direction. I just know that there's going to be a lot of trepidation among organizations to begin broadly adopting AI from vendors.

Looking 12 months out, I see Anvilogic fitting in or potentially replacing our detection architecture as we already are. We're rebuilding the entire thing from the ground up, redoing our entire knowledge management structure to automate that in a Git style version controlled method, and Anvilogic is a key piece.

We do this as a three-pronged solution because we did a major overhaul with bringing in Cribl for a data observability pipeline, we brought in Anvilogic to run as the detection engine, and Snowflake, where all the data lives and sits, is part of our strategy that completely overhauls how we do detection here.

The detection maturity is one of the metrics that's in the dashboard that I've already begun including in our weekly CISO update. I've already heard him walking around referencing detection maturity. The MITRE coverage is good, so you can quickly say that we're covered here across a lot of different use cases.

On a scale of one to 10, I would rate Anvilogic overall as a nine. That's challenging because we're not in production and there's not necessarily a deep bench of companies with previous experience. However, I appreciate the direction we're going and the technology.

I primarily use Anvilogic as a wrapper over SIM, mainly Splunk, but it can also be applied to other SIM platforms like Kibana. I utilize it for versioning the rules and detection logic I write, which can get stale or require enhancement. For example, if I wrote a detection rule for detecting script execution that needed additional logic, I used Anvilogic to maintain those versions or to build behavioral detection patterns, which is complicated in Splunk alone.

Anvilogic allows me to extract a plethora of information, including mapping TTPs assigned for detection logic, which effectively helps in setting quarterly coverage agendas, thus illustrating its vital role in detection strategy and management presentations. The first thing that would break without Anvilogic is the complex detection logic involved in creating behavioral patterns, which yield high-fidelity alerts. Additionally, losing the control over Splunk SPL queries, due to lack of version control provided by Anvilogic, would pose a nightmare for any detection engineering team.

The deployment model for Anvilogic was private.

The best features of Anvilogic include easy usability for beginner analysts, good version control, though it could be enhanced, and the need for improved access controls and better training notifications for users. The quick responses regarding new threats and the thorough curation of detection rules were also positives. However, hiring customization based on customer environments and reducing noise from detections is critical.

I was surprised by the effective version control capabilities and how easily one can configure complex behavioral patterns. The learning curve is not steep, allowing even those with basic knowledge in writing detection rules to adapt quickly. However, after a year, I noticed limitations, especially concerning issue resolution timeframes.

My experience with Anvilogic is still in detection engineering, but writing detection logic in scripting languages, like the Splunk processing language, has limitations compared to programming languages. Anvilogic does provide some flexibility but has limitations when baseline detection rules or complex behavioral patterns are involved. I found it very efficient for version control with Splunk, although it lacked a robust CI/CD pipeline, which is crucial for comprehensive testing before changes go into production. The API documentation was also limited, affecting data analytics capabilities regarding detection logic. Nonetheless, Anvilogic's support team was responsive and provided good support when I raised issues.

One suggestion I have for Anvilogic is improving the whitelisting process, as maintaining a CSV for that can become cumbersome when it reaches 10,000 lines. Additionally, the separation for customer-specific detection rules and suppressions could be better defined so the changes can be made without needing customer support every time.

I was informed about the AI SOC solutions Anvilogic was working on; however, they were not functional at the time, and I cannot comment on their effectiveness since I lacked access to those features. The version controlling and behavioral patterns are strong suits of Anvilogic, but there needs to be stronger access control and CI/CD pipeline integration. Additionally, customer support could be more prompt, and custom detections should be tailored more effectively.

It has been almost eight months since I last worked with Anvilogic because I switched companies, so I have not worked with it since.

I generally handle scalability through Splunk admin team support, and I did not face significant downtime or reliability issues with Anvilogic. It felt stable and sufficiently reliable throughout my time using it.

In 12 months, I do not believe Anvilogic will be replaced since it is deeply integrated into the detection framework at Rakuten, and the time taken to stabilize integrations is considerable. Even with its shortcomings, the value Anvilogic brings in detection and threat investigation is hard to replicate quickly.

Anvilogic will not be replaced at Rakuten, as its integration is extensive, and the time to build stable detection solutions is significant. Even small companies face challenges transitioning expertise, which makes Anvilogic a viable long-term solution.

The rating for the technical support of Anvilogic would depend on factors like who handles the request, but on a scale of 1 to 10, I would rate it around 6.5 to 7. Requests are typically addressed within 45 to 60 days, which I consider a reasonable timeframe given the number of customers.

Positive

Anvilogic was introduced at my last company before I joined the detection engineering team, and I know it is mainly used by that team. I am unsure if they have switched back to any other MSSP or whether they have switched back from Anvilogic to any other product.

The deployment process took place before my arrival at the company.

Based on the context of the environment, I find Anvilogic is highly beneficial for smaller cybersecurity teams needing an efficient detection tool. Larger organizations may explore alternatives, but for small to intermediate teams, Anvilogic fits well in their detection processes.

Regarding triage, I usually perform analysis directly through Splunk, so I do not find Anvilogic enhances my triaging process significantly. However, it does provide useful triggered rules, but Splunk remains my primary tool for queries and triage.

My overall review rating for Anvilogic is 6.5 out of 10.

Anvilogic serves as our main SIEM and detection engineering platform. We use Anvilogic to create alerts based on our data, and the AI capability to detect alerts based on whatever data we are feeding into it is a feature that our team at Kroll particularly values.

We have SentinelOne data, which is our EDR, and we have EDR data directly set up through Anvilogic input without using any third-party tool to get that data. Anvilogic has integrations directly in place, and we are using the SentinelOne input through Anvilogic. Since we uploaded or ingested that data, Anvilogic has started to give us suggestions about what alerts could be fired through that data. Anvilogic has flagged the threat identifiers through which we can build some use cases or modify them for our use. Anvilogic has also helped us understand what is a false positive and what could be a promising use case for our company in particular, providing valuable support.

Regarding how Anvilogic supports our detection engineering, the uniqueness is about AI, which we did not have in Splunk earlier. This helps us not only to close the false positives but also features AI to write our queries. This capability lifts a lot of burden from the SOC team as they do not have to focus on how to write a query but can concentrate on investigating an alert or a use case, which has really caught my eye, and I am glad we have onboarded that feature.

Anvilogic has positively impacted our organization with a significant decrease in false positives and providing the independence of multiple data repositories, allowing us the choice of having different repositories. This flexibility enhances our operational efficiency, and the AI also assists with writing queries, making it scalable and cost-effective as we can adjust according to our needs.

The best features that Anvilogic offers include its independence from a particular solution, allowing us to have Snowflake as a data repository now and the flexibility to move to other platforms such as Databricks or Splunk while keeping our detections intact. Another valuable feature is the AI capability, which not only assists in detection but also helps us to write queries, completing multiple tasks efficiently. Additionally, Anvilogic is a no-code platform, so the base search is already ready for us, and we just have to tweak it according to our use cases. Anvilogic's new features enable us to improve SOC efficiency and filter out a lot of false positive alerts. Additionally, it has an attached MITRE framework, automatically detecting it so we do not have to manually add the MITRE framework IDs as we did in Splunk.

Among those features, the one that has made the biggest difference for our team is the AI capability; we have seen a significant shift in our SOC operations. Many false positives are handled by the AI, allowing the team more time to discuss and investigate the actual use cases. Each use case also includes a description of what it is trying to detect, which helps engineers understand the use case's purpose without needing to reach out to seniors for clarification.

Currently, there is a limitation of 100 inputs in Anvilogic integrations, which is less than our needs, making it a challenge to fit all our inputs. Additionally, I believe the documentation should be publicly accessible. We work with different teams to get the data, but since the documentation is not available to everyone, we often have to explain how to make integrations. Also, there are features that do not work as expected; for example, we recently tried to ingest an AWS CloudTrail input to which Anvilogic could not accept any more data past a certain point, forcing us to look for alternatives. We have found that data mapping is sometimes not adequate, as it can only parse JSON data, contrary to the documentation suggesting that CSV or XML formats are acceptable, which has caused issues.

I have been working in my current field for three years, and it has been one year that we have moved to Anvilogic. Prior to that, we were using Splunk as our data ingestion platform and as well as SIEM.

Anvilogic is somewhat stable. Regarding data inputs, we have had issues, but in terms of downtime, we have not experienced any.

Anvilogic is quite scalable, allowing us to significantly lower storage and processing costs compared to legacy SIEM-only approaches. Thanks to having a different data repository, we do not crowd Anvilogic with data and accordingly adjust it to our specific needs.

Customer support is generally good, though we sometimes have to wait longer for answers, which can be a bit frustrating, but overall the support is satisfactory.

Positive

We were previously using Splunk and decided to switch due to its lack of AI capabilities related to the SIEM product. We also evaluated other options before settling on Anvilogic.

The AI capabilities mentioned on Anvilogic's website are indeed good and promising; however, there are areas that require work, particularly concerning data ingestion. Users may encounter roadblocks while integrating inputs, as we faced significant delays due to data input inconsistencies.

Initially, the triage piece was not integrated into Anvilogic's UI, but since its integration, it has helped the team to easily check the triage dashboard and assess current use cases, encouraging us to continue seeking new ways to use it more efficiently.

The moment we realized we needed something better was triggered by Splunk's lack of AI integration, which prompted my manager to consider Anvilogic due to its promising AI features. Since onboarding, we have evolved to remove false positives effectively, which was a challenge with Splunk, allowing for fewer alerts due to Anvilogic's capabilities. Additionally, we no longer need to be dependent on a particular data repository, benefiting from the flexibility that Anvilogic provides.

I rate Anvilogic a six out of ten. I chose a six out of ten for Anvilogic because, despite the impressive detection capabilities and intriguing features, I still see a need for improvement with the data ingestion process. If the data is not ingested properly, the detections could be compromised. While it excels at detection and offers good use cases, my personal experiences with certain problems influenced the decision to rate it just above average.

My main use case for Anvilogic is security incident event management. A quick specific example of how I use Anvilogic for security incident event management is triaging or correlation of security events from multiple security platforms and log sources.

I currently utilize multiple of Anvilogic's AI features, both for fine-tuning and developing new content, as well as the threat intelligence feeds that it provides.

In my opinion, the best features Anvilogic offers are the AI features, which are great, and their common language rule tuning and modeling is much simpler than those other vendors that require query building skills.

The common language rule tuning and modeling have made things easier for my team because it is broken down into multiple smaller chunks rather than one large chunk of code. Multiple smaller, pre-processed data points are basically visible and editable in those smaller chunks without having to actually code at all.

Anvilogic has impacted my organization positively because it is native for cloud-type infrastructures and they have a significant proactive approach to cost licensing. Rather than having to import all data, it actually sits on top of Snowflake, which reduces overall cost for data storage itself. Since implementing Anvilogic, our overall costs have been reduced. 

Anvilogic can be improved further by maturing certain intelligence aspects outside of articles. This is an aspect that lacks in most SIEM and secure analytics tools, but personally  the framework  or "barebone" is in Anvilogic, it just needs further maturing 

I have been using Anvilogic for six months.

Anvilogic is stable.

Anvilogic's scalability is good and it scales properly.

I have not directly worked with customer support since I am a manager, but I have not heard any complaints from my employees.

Negative

I previously used top tier SIEM's. I switched to Anvilogic because it looked overall better and proved to be a better fit for our type of architecture.

I have seen a return on investment in the form of time saved developing new content.

My experience with pricing, setup cost, and licensing was straightforward. They provide estimates because obviously every business is different, but they provided reasonable estimates that were fairly accurate based on other customers from a similar type of background or size.

Before choosing Anvilogic, I evaluated other options. including vendors in the top quadrant

Anvilogic has changed how my team thinks about detection and data usage because it makes it easier to follow than other tool sets. Since a lot of the content is dynamic, you can follow the trail in the threat hunt perspective compared to other tools where you have to manually recreate a new query to investigate the action further.

The moment that led me to choose Anvilogic was triggered because we normally evaluate vendors every so often to make sure we have a proper solution in place.

My usage of Anvilogic has evolved since onboarding and it is a bit more mature now, which certainly does help.

When other teams ask about Anvilogic, I tell them that it is fairly good.

There has not been anything that has become easier to justify or explain to leadership since adopting Anvilogic.

My advice to others looking into using Anvilogic is to conduct a test or proof of concept based on your actual future stance so that you feel the proper controls and everything is adequate to where you want to go.

I am looking forward to seeing how the tool will evolve and grow, especially with the AI features. I would rate this product overall as a 9 out of 10.

We use Anvilogic as an SOC detection engineering platform. In addition to that, we use it for hunting and investigation purposes.

We are a fairly small team with three people in total in the SOC. Their prebuilt configurations and all the detections and scenarios are the reason why we have good coverage today. We use them as a template to start off with. Of course, it needs a bit of customization for the organization it is being deployed for, but it works in our case. We use that, build it, and then fine-tune it for our scenario. We are then good to deploy it. Usually, what used to take us about a week's worth of detection development can be done in about an hour and a half or two at best by using these templates.

Anvilogic provides security analytics across multiple data platforms. It can integrate with different data platforms and provide the same kind of analytics.

We have been able to reduce the cost of having some of these analytics and capabilities deployed across different platforms because we route most of our alerts into Anvilogic. The analytics work on those, whether they are from endpoints, SaaS applications, Identity, or SIEM. We have been able to save costs by not having to deploy these across different platforms. There is also efficiency in terms of getting some of these done quickly and faster rather than jumping between different things.

Anvilogic enables us to break free from vendor lock-in. That was one of the key reasons why we chose Anvilogic. We have changed SIEM once since we moved to Anvilogic. In between, when we were looking at some other integrations, Anvilogic was ready to integrate easily with them. Vendor lock-in is a much lesser concern now.

Anvilogic's AI assistant has helped improve our detection logic. Prior to Anvilogic, somebody would do the investigation, come up with the results, go ahead with a review process, and implement the findings. Since we have had Anvilogic, it automatically does the assessment and gives us a daily report. The analyst just has to do the implementation after the review, so the investigation process from my analyst is no longer required. We feel that the outcome from Anvilogic is also reliable. We do not have to go back and get into the weeds to see specifically whether it is the right analysis.

It simplifies detection engineering and threat hunting across multiple search languages, although we do not fully leverage all the benefits. Most of our platforms are pulled in from the SIEM, and some of them are from the likes of CrowdStrike and other places. We leverage a standard taxonomy. If this were to be between two different SIEMs, the search capability would be very helpful. However, the AI capability for writing out a quick query by using things like regex or regular expressions and building out regular expressions helps. When an analyst is investigating something or building something, they quickly want to understand what a certain component means, so having that within the same pane helps. So, we use it in some capability, but those capabilities are very helpful so far.

Anvilogic has significantly reduced our end-to-end detection engineering time. Earlier, it used to take about a week and a half for someone to go in and check. With their templates and prebuilt scenarios and cases, it now takes just about a day or two where we have to look at it and then customize it for us.

Anvilogic has helped our organization reduce false positives. The tuning insights feature of Anvilogic comes up with proactive ways to reduce false positives. It gives the analyst a view of what is causing the false positives. Is it genuine or not? Is it malicious or not? They can then action items on those. They also maintain an ongoing allow list and deny list, which helps to suppress false positives temporarily, or in the longer run, makes the whole process both accountable with audit logs and quicker.

We were able to realize its benefits immediately. We did a proof of concept in 2021, and our coverage at that point was in the lower twenties. We got to about the upper eighties in two quarters, and it was very steep, quick growth.

Before Anvilogic, we had no visibility into our detection coverage. The ability to break it down by industry verticals, such as attackers and adversaries, is valuable.

Detection insights help us easily identify the most noisy ones, the effective ones, and what needs to be fixed to move the noisy ones to effective ones.

The hunting capabilities are very good. The AI components and hunting packages give us quick insights into what needs to be looked at.

The partnership has been very good. Their professional services and customer relationship have been very good. Our features and bugs have been fixed on time without a lot of follow-up, and their support has been excellent.

Finally, there is a feature within Anvilogic that provides the threat landscape or our effectiveness towards the threat landscape on an ongoing basis. That is another feature that we liked.

The hunting insight needs integrable capability with different platforms to gather all of that insight and show it on a single canvas on Anvilogic. That is the only feature that could improve the way we do operations.

The pricing is slightly edging towards being a bit much for smaller organizations.

We have used the solution for close to three years.

For the most part, Anvilogic has been performing well, but because they use a Splunk backend, there is sometimes a bit of slowness and Splunk-related issues. It is generally stable, however.

Anvilogic has worked well for us. We started with about 55 detections and scaled up to about 980 odd detections so far. It has scaled very well for us. We have been able to get to a good scale. We do not have a multi-SIEM environment, so I do not know how it is for customers with that kind of environment.

One of the best things about Anvilogic is the partnership, their knowledge, the depth of technical understanding, and the speed at which they respond. I would rate them the topmost, a ten out of ten.

Positive

We used SOC Prime long ago, but it was in a limited capability. We were just looking at certain detections and logic to use from there. Anvilogic definitely is far better for us.

The initial setup was quite easy for us. There was a bit of a learning curve, which involved just understanding how the platform worked, taking about a month, but integrating with our existing platforms was a piece of cake. They have APIs for most things and standard off-the-shelf solutions such as SIEMs, endpoints, firewalls, and identity providers. It was very easy to integrate. The technical integration was very easy. It took about a month of learning from my team to get comfortable with the product and how to use it. It is one of the easiest security tools to learn.

The platform does not require any maintenance on our end, but once we start building out the detections, it requires some maintenance on our side to see that everything is running properly. That is more like an operational aspect.

Anvilogic has saved us about 25% percent of what a detection engineering platform would be. It is difficult to put quantitative aspects like better operations and structure quality, but I would say efficiency increased by about 50%.

Anvilogic has not helped reduce our overall SOC or IR operations costs because we use the time we saved to do more. If we were not doing more and did not have Anvilogic, we would need one dedicated person to do this detection engineering. That cost has significantly been reduced.

We were an early adopter, so the pricing was definitely good. Because they do not completely replace a SIEM, their pricing is slowly edging towards being a little too much for a smaller organization like ours. It is almost on the border. That is a bit of a challenge on our side, but the value still speaks for it. If the price increases more than where it is now, it would be a tough place for us.

Overall, I would rate Anvilogic a nine out of ten, considering its capabilities, features, interactions, and pricing.

My main use case for Anvilogic is coordinating and tracking indicators of compromise and detection rules. I use Anvilogic for coordinating and tracking indicators of compromise or detection rules by feeding detection rules into Splunk, our Splunk environment, and these are turned into actionable alerts for our security operations center.

Anvilogic has positively impacted my organization by being a force multiplier for our security operations center and has allowed us to coordinate and distribute work more efficiently and provide consistency among the multiple SIEM environments.

I was able to create 90 detection scenarios in the first two weeks of using Anvilogic, which showcases how it improved efficiency and consistency for my team.

The best features Anvilogic offers are consistent recording and tracking of detection engine detection rules as they adapt over time to adversary's behaviors, and the ability to operate in multiple security SIEM environments.

Anvilogic works for my team by providing a single point of contact to put detection engineering rules that then get distributed to all of the various event management engines, as we have multiple SIEM environments in our company, including Microsoft Defender, Splunk, Elastic, and others.

Anvilogic has changed how my team thinks about detection by allowing us to no longer apply the same configurations and correlation rules in multiple Splunk environments and can transparently search across multiple SIEMS platforms.

What surprised me the most about Anvilogic once I started using it is the ease of creating and maintaining custom threat intel and threat scenarios.

Anvilogic can be improved with more support for cross-platform and native detection languages such as Sigma and Yara rules.

I have been using Anvilogic for about six months.

Anvilogic has been very stable and reliable.

Anvilogic's scalability has been great as it has been able to scale and perform well, better than the available resources we have to throw at it, and we have not run into any issues with our analysts not being able to access Anvilogic and perform their activities efficiently.

Anvilogic customer support has been very productive to work with.

I have seen a return on investment in that Anvilogic has been more of a fundamental enablement technology than a return on investment, but it has definitely allowed us to move more quickly with integrating our corporate acquisitions as well as with our corporate colleagues who use other SIEM technologies.

When other teams ask about Anvilogic, I tell them it makes detection engineering into a process rather than a one-time operation.

I convinced my leadership to adopt Anvilogic by comparing it to the manual operations and the overhead of repeated detection engineering processes.

My advice for others looking into using Anvilogic is to start with the configurations and detection rules that come prepackaged, and then reach out and create your own to expand your capabilities; once you start using this system, it becomes much easier and more efficient than manually maintaining detection rules.

I provide this review with a rating of 10.

The main use cases for Anvilogic are around detections and detection engineering, trying to accomplish everything from identifying, prioritizing threats, baselining current capabilities, and, based on the threat prioritization, identifying the gaps and recommended use cases that we will have to deploy to bridge those gaps. These are the use cases that we have deployed.

We enjoy a good partnership with the Anvilogic product and engineering teams. We could put many features that were not available in their pipeline, and they are quick to deliver key features for us. Deploying Anvilogic required training our team to adopt it, but during the evaluation, we planned our success criteria, which included training. The Anvilogic team has been with us since the beginning of the evaluation until now, maintaining the same cadence of meetings to review progress and areas for improvement, which is very helpful as a customer because we know they are not just after the next sale.

We were one of the first customers of Anvilogic, so many of its features were still under development when we began our journey with them. During the first 90 days, our primary focus was on migrating our detection content from the previous platform to Anvilogic. We concentrated on ensuring that this migration was done correctly. As we got more familiar with the platform, we discovered that Anvilogic has a highly robust detection library, with over 3,000 detections available. Their research team plays a crucial role in building these detections. Initially, we only deployed our custom detections that we had migrated, but over time, we began utilizing the detections from the library as well.

With each new feature that was released, we found our experience improved significantly. For instance, we appreciated the option to automatically deploy recommended detections. The insights capability was particularly impactful for us, as it automatically identified recommendations for tuning our use cases and fixing issues that needed attention. It also helped us discover areas we weren't actively monitoring. These differentiating features made a significant difference in our operations. Although it took us nearly a year to fully adopt Anvilogic, we are now at a point where all key stakeholders on the security operations team love the product and the user experience. Most importantly, we value the level of support we receive from Anvilogic.

From a maturity perspective, it has been very easy to measure our detection maturity over time. By using this detection engineering platform, we can manage the entire detection engineering lifecycle. Therefore, it’s simple to show executives our progress: where we started, where we currently are, and what remains to be done. We can also demonstrate how our maturity is evolving as new threats are identified and how we respond to them. All of this information is easy to justify thanks to the maturity dashboards available within the platform.

The features of Anvilogic that I prefer the most include having a holistic approach, from identifying the concept of analyzing maturity, doing it similarly to how we were doing it, looking at data maturity, data timeliness, data availability, and then into our detection maturity, and not only looking at prioritized detections needed for our specific area or domain, which was very important for us. From that point, deploying any recommended content is very simple. 

Another important feature is the concept of a multistage threat scenario. After we started subscribing to Anvilogic, in future releases, they built out new features around automated threat detections and insights, such as health insights, hunt insights, and tuning insights, which are all neat features that allow my team to be more efficient.

I believe the future is very exciting, especially regarding the agentic approaches that have gained popularity following the rise of generative AI and large language models. We fully expect that within a year, Anvilogic will incorporate some level of agentic workflow capabilities. We might adopt these features solely within Anvilogic, or we may choose to integrate them with our own homegrown agentic workflows. This is the direction I see for Anvilogic's adoption moving forward.

Anvilogic can be improved by focusing on the agentic way of doing things, similar to what we saw with Monte Copilot, which still needs work. The team is currently doing that work as seen in the roadmap, including having an agent for search, a detection agent, and a hunt agent, making those concepts come to fruition.

We started looking at Anvilogic in late 2021, and then we started evaluating them in early 2022. By late 2022, we were already subscribed to Anvilogic.

Other than scheduled downtimes, I have not experienced any outages.

Anvilogic scales effectively with the growing needs of our organization, and we don't have issues when onboarding our primary stakeholders into the platform. They can use it and receive necessary training and coaching, while the most important part is that we can meet with the Anvilogic customer success team almost weekly to review our adoption and share feedback.

They are top-notch. They are always available. The customer service team is always available to us. The product management and the product engineering team are available to us if we need to review something with them.

Positive

Like many companies in this field, we utilize the MITRE ATT&CK framework to benchmark our current capabilities and build detections. Each year, at the beginning of the year, we download the latest version of the MITRE ATT&CK framework and assess our current detections. We tag and benchmark them, prioritize threats, and identify which use cases require new detection capabilities. Previously, this process took my team about two to three weeks, and we only performed it annually. However, around 2021, MITRE introduced the concept of sub-techniques. Initially, we were analyzing around 300 techniques, but now we have to analyze over 600. This effectively doubled the time that my team needed to complete the analysis. The work became repetitive and monotonous. As a result, I began searching for a solution that could streamline this process.

When Anvilogic reached out, we discussed our detection processes, and they explained the capabilities of their platform. It felt like a meeting of the minds because what we were doing manually, they could automate. We realized this solution could save us a significant amount of time and make us more agile. By automating the processes of prioritization, identifying gaps, and deploying recommended detections, we could conduct threat prioritization exercises whenever necessary. Given that the threat landscape evolves almost daily, completing these exercises only once a year would put us at a disadvantage. When we recognized Anvilogic’s capabilities, we knew we had to consider their solution.

In early to mid-2021, Anvilogic was the only one doing it this way. We were doing it manually while they were building it, and now there are many similar companies emerging, but we are happy with the success we have had with Anvilogic, choosing to partner with them and providing feedback and feature requests they can incorporate into subsequent releases.

Since Anvilogic was a new concept and product, we needed to invest a lot of time in training our team to adopt it. Fortunately, during the evaluation phase, we established clear success criteria, one of which was training on Anvilogic. The Anvilogic team has been with us from the very beginning of this process and continues to support us today. 

We have detections in multiple places. Most of our detections are on-prem, but there are some that are in the cloud. We use their integration pipelines to bring all of them together.

It was fair. All of us like to deal with vendors who have a certain level of integrity, and the people who run Anvilogic have the highest level of integrity, which makes those sorts of negotiations much easier.

During our evaluation, we encountered many products making various promises. However, when it came to Anvilogic, they were able to identify key aspects of our processes during the evaluation period, which was impressive. This demonstrated that the Anvilogic product was engineered effectively and was functioning as intended. As a result, we started to trust both the team and the platform more.

Since then, we have enjoyed a strong partnership with the Anvilogic product and engineering teams. There were times when features we needed were not initially available, but we were able to communicate our requests, and they were quick to prioritize and deliver those key features for us.

If Anvilogic were to disappear tomorrow, my heart would break. My advice to Anvilogic is to prioritize my request. 

I would rate Anvilogic a nine out of ten.

It serves as the glue between all my vendor telemetry and gives us the capability to build our own detection capabilities in a very advanced way. We have moved off of single-based detections into threat scenarios, which gives us significantly higher fidelity detection capability.

There were no surprises about Anvilogic once I started using it. I knew the quality of the team that was building this tool and it has been a great partnership and collaboration, and they have just been fantastic partners.

It has been a journey that we have jointly been on together. As we are building our program, we are partnering very closely with Anvilogic and pushing the threshold of detection engineering capabilities.

We are on a continuous journey together, and we are continuously trying to push and innovate new ways to push the threshold of detection engineering. We are only able to do many of these capabilities due to the partnership that we have with Anvilogic, where they are meeting what we need to continually push new innovative solutions.

I appreciate all the features of Anvilogic. Our usage of Anvilogic has evolved since onboarding. We originally started soft and focused really on the ETL process to bring data in. As we started getting data in, we began using the detection and correlation engine. As we got more advanced, we started using the threat scenario engine, and we have built many custom processes from that.

Anvilogic can be improved by adding the ability to do on-ingest detections. This is something that we have been having a conversation on for a short time now, but I am hopeful that they will have that in their future roadmap.

I have been using Anvilogic for just about three years.

I would assess the stability and reliability of Anvilogic as very good. There has been no downtime in the traditional sense, but it has all been scheduled downtime. We have had advanced notice, and there are no performance issues or crashes that we know of. Anytime we have been using the platform, it has been available.

Anvilogic scales effectively with the growing needs of my organization. We have not had any scaling issues thus far.

Just my team has access to Anvilogic, and that is by design.

I would evaluate their customer service and tech support as fantastic. We have had a great partnership. I would rate them a ten out of ten.

The need for something better first triggered when I joined the organization and started building the detection response program. I was familiar with the big name products, but I was looking to build something bleeding edge and next-gen. With Anvilogic, I knew the team, and I knew that it was a team of practitioners building this tool as opposed to one practitioner who hired software engineers to build the tool. I have experience consulting those types of products. I knew Anvilogic was being built by practitioners, which really motivated me to pursue the tool.

There has been a journey regarding how I justify things to leadership and how I convinced leadership to let me adopt Anvilogic. There was significant information and education that had to occur at the board level to get adoption and buy-in. As we have helped mature the education level of the board to embark on the journey, it became prevalent that we needed a solution and a partner that could keep up with the growing demand that we have in this particular space.

We are pure cloud based, and we run on top of Snowflake. The deployment was very simple. We were in the early phase for Snowflake, so there were a couple early implementation hiccups, but we partnered with Anvilogic on those, and that was kind of part of us being that early implementation partner. We paved the way for future Snowflake customers.

We started our journey with Anvilogic. I do not have the metrics to show in our current organization that could justify that, but the capability that we have on Anvilogic is unmatched to any other platform.

I considered Panther and Hunters before selecting Anvilogic. Originally, we would have considered Anvilogic, but they had not migrated or enabled the capability on Snowflake yet. We were actually in the 11th hour for signing a contract with Hunters when Anvilogic reached out to me and said they were testing a Snowflake capability and asked if we were willing to test it. We put together a time frame for a very quick POV. I knew the capability and the aptitude of this team and was very motivated to do so in a timely manner, and we were able to conclude our POV and determine it was a superior product before we signed the contract with Hunters.

If Anvilogic disappeared tomorrow, everything would break first. 

I would rate Anvilogic a ten out of ten.