ZaunDocs

Platform Overview

Understand Zaun's architecture, key concepts, and how the platform works.

Zaun is a unified security operations platform that combines detection engineering, investigation tooling, and expert response into a single system.

Architecture

+----------------------------------------------------+
|                   Zaun Platform                    |
+------------+------------+-----------+--------------+
|  Detection |  Data Lake |  Runbooks | Investigation|
|  Engine    |            |           | Console      |
+------------+------------+-----------+--------------+
|               Integration Layer                    |
+------------+------------+-----------+--------------+
|   Cloud    |  Identity  |    EDR    |  SaaS / AI   |
|   (AWS,    |  (Okta,    | (CrowdSt, | (Shadow AI,  |
|    GCP,    |   Entra,   |  S1,      |  OAuth,      |
|   Azure)   |   Google)  |  Defender)|  SaaS apps)  |
+------------+------------+-----------+--------------+

Key Concepts

Detections

Detections are the core of Zaun's monitoring. Each detection:

  • Maps to a specific threat or risk scenario
  • Is backed by a documented runbook
  • Produces structured findings with full evidence
  • Is tunable per environment to reduce noise

Runbooks

Every detection has a corresponding runbook that documents:

  • What the detection looks for
  • Why it matters
  • How to investigate a finding
  • What remediation steps to take

Runbooks are living documents: your Forward Deployed Security Engineer (FDSE) updates them as your environment evolves.

Forward Deployed Security Engineer (FDSE)

Your FDSE is a dedicated security engineer who:

  • Builds custom detections for your environment
  • Ships new coverage weekly
  • Tunes existing detections to reduce false positives
  • Reviews findings and provides context
  • Documents everything in runbooks

Findings

When a detection fires, it produces a finding that includes:

  • Timestamp and source event data
  • Investigation trail showing what was analyzed
  • Severity and confidence scoring
  • Recommended next steps from the runbook

Data Flow

  1. Ingestion: Zaun pulls data from your connected sources via APIs and webhooks
  2. Normalization: Raw events are normalized into a common schema in the data lake
  3. Detection: Detection rules run against normalized data
  4. Enrichment: Findings are enriched with context from multiple sources
  5. Alerting: Findings route to the appropriate team via your preferred channels
  6. Investigation: Full evidence trail available in the investigation console
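A toy implementation of that data flow and of the finding structure listed under Findings, added here as an illustration and not Zaun's own code: two constructed raw events (shaped loosely like an Okta System Log entry and an AWS CloudTrail record) are normalized into a common schema, a detection with a per-environment allowlist runs over them, and each hit becomes a finding carrying a timestamp, the source event, an investigation trail, severity, confidence and a pointer to its runbook. The event field names, the detection logic and the runbook id are assumptions for this example.

```python
from dataclasses import dataclass, field

# Constructed sample events from two connectors, loosely shaped like an Okta
# System Log entry and an AWS CloudTrail record (real payloads differ).
RAW_EVENTS = [
    {"source": "okta", "eventType": "user.session.start", "published": "2024-05-01T10:00:00Z",
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.7"}},
    {"source": "aws", "eventName": "ConsoleLogin", "eventTime": "2024-05-01T10:05:00Z",
     "userIdentity": {"userName": "root"}, "sourceIPAddress": "198.51.100.9"},
]

def normalize(raw):
    """Normalization: map connector-specific fields onto one common schema."""
    if raw["source"] == "okta":
        return {"ts": raw["published"], "source": "okta", "action": raw["eventType"],
                "user": raw["actor"]["alternateId"], "ip": raw["client"]["ipAddress"], "raw": raw}
    if raw["source"] == "aws":
        return {"ts": raw["eventTime"], "source": "aws", "action": raw["eventName"],
                "user": raw["userIdentity"]["userName"], "ip": raw["sourceIPAddress"], "raw": raw}
    raise ValueError(f"no normalizer for source {raw['source']!r}")

@dataclass
class Detection:
    name: str
    runbook: str                                   # every detection is backed by a runbook
    severity: str
    allowed_ips: set = field(default_factory=set)  # per-environment tuning to cut noise

    def evaluate(self, ev):
        """Detection: flag AWS root console logins from non-allowlisted IPs; finding or None."""
        trail = [f"source={ev['source']}", f"action={ev['action']}", f"user={ev['user']}"]
        if not (ev["source"] == "aws" and ev["action"] == "ConsoleLogin" and ev["user"] == "root"):
            return None
        allowlisted = ev["ip"] in self.allowed_ips
        trail.append(f"ip={ev['ip']} allowlisted={allowlisted}")
        if allowlisted:
            return None  # tuned out for this environment; no finding is produced
        return {"detection": self.name, "timestamp": ev["ts"], "source_event": ev["raw"],
                "investigation_trail": trail, "severity": self.severity, "confidence": "high",
                "next_steps": f"follow runbook {self.runbook}"}

def run_pipeline(raw_events, detection):
    """Ingestion -> normalization -> detection; returns the findings produced."""
    return [f for f in (detection.evaluate(normalize(r)) for r in raw_events) if f]

if __name__ == "__main__":
    # "RB-0001" is a placeholder runbook id for this example.
    for finding in run_pipeline(RAW_EVENTS, Detection("aws-root-console-login", "RB-0001", "high")):
        print(finding["timestamp"], finding["detection"], finding["investigation_trail"])
```

Enrichment and alerting are left out; in the page's flow they would run on the returned finding dicts before routing.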

Security Model

  • All data is encrypted in transit and at rest
  • SOC 2 Type II compliant
  • Role-based access control (RBAC) for all platform features
  • Audit logging for all platform actions
  • Data retention policies configurable per customer

Next Steps