Zaun
§ P0 The platform

Seven systems. One spine.

Zaun runs the full arc of security operations as a single platform: connect every source, unify the signal, author detections and runbooks, investigate without grunt work, prove compliance, ship reports leadership reads, and keep an engineer on call who knows your stack.

§ P1 Connection

Plug into everything, the day you start.

Zaun connects to 100+ systems by OAuth, API, or sensor. Cloud, identity, endpoint, SaaS, AI providers, and the long tail. No collectors to install, no ingest tax, no waiting. Sources go live in hours and start producing signal the same day.

100+ native integrations
OAuth first auth
< 1d time to signal
Figure: Zaun integrations directory with connection metrics and connect products
§ P2 Zaun Lake

Deep retention. Real hunts.

Zaun Lake keeps only the events that drive compliance, investigations, and threat hunts: authentications, sensitive actions, config changes, network egress, and other events that matter. Tagged and correlated at ingest, hot for as long as you set, and queryable in milliseconds across months of history. Ask in plain English to query the Lake, pivot through investigations, and draft reports without writing a line of SQL. Mappable to NIST 800-171, SOC 2, HIPAA, PCI, and more.

Powered by: Fluent Bit, AWS Athena, ClickHouse
Tagging · live: a scrolling panel of event labels (AUTH, OAUTH, IDP, EDR, API, SAML, CMD, GET, 4xx) and control tags (NIST.AC, NIST.IA, NIST.AU, SOC2.CC, PCI.10, HIPAA.A), with some entries marked "drop".
Zaun Lake: retained 1.4% · dropped 98.6%
Figure: Zaun Lake data hub with ingestion telemetry and pipeline activity
Sub-second: Query latency
~ 1.4%: Of logs we retain
100+: Pre-tagged integrations
NIST: Mapped on day one
§ P3 Detection & Runbooks

Detections you can read out loud.

The library is built on MITRE ATT&CK for technique coverage and MITRE D3FEND for the matching defensive countermeasure. Every rule traces back to a technique ID, every runbook step traces back to a documented defense, and the whole thing reads in plain English so anyone on your team can audit, edit, or version-control it. 1,000+ rules across cloud, identity, endpoint, AI, and SaaS, written for your stack. You can allow only deterministic actions to run automatically, while AI makes recommendations to your experts.

Built on: MITRE ATT&CK (technique IDs), MITRE D3FEND (countermeasures)
runbooks/oauth_grant_suspicious.zaun ● modified
detection oauth_grant.suspicious
  mitre.attack  T1078.004
  mitre.defend  D3-LSAA

  when an OAuth grant is approved
   and scope is "drive.read" or "mail.read"
   and actor is in group "executive"
  then
   pause the grant
   open investigation "credential.exposure"
   ask actor in slack to confirm
   if no confirm in 30m: revoke and notify ciso

severity high
owner    identity
line 12, col 18 · compiled · 0 errors
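
An added example, not Zaun's code or rule engine: the logic of the oauth_grant.suspicious rule above expressed in Python, including the 30-minute confirmation timeout, run over constructed events. The event fields, action strings and function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SENSITIVE_SCOPES = {"drive.read", "mail.read"}   # scopes named in the rule
WATCHED_GROUP = "executive"                       # group named in the rule
CONFIRM_WINDOW = timedelta(minutes=30)            # "if no confirm in 30m"

@dataclass
class Grant:
    # Hypothetical event shape; field names are assumptions, not a Zaun schema.
    actor: str
    groups: set
    scopes: set
    approved_at: datetime
    state: str = "active"          # active -> paused -> confirmed | revoked
    actions: list = field(default_factory=list)

def on_grant_approved(g: Grant) -> bool:
    """Apply the 'when' clause; on a match run the immediate 'then' steps."""
    if not (g.scopes & SENSITIVE_SCOPES and WATCHED_GROUP in g.groups):
        return False
    g.state = "paused"
    g.actions += ["pause_grant", "open_investigation:credential.exposure",
                  f"slack_ask:{g.actor}"]
    return True

def on_confirm(g: Grant, at: datetime) -> None:
    """A confirmation only counts while paused and inside the window."""
    if g.state == "paused" and at - g.approved_at <= CONFIRM_WINDOW:
        g.state = "confirmed"

def on_tick(g: Grant, now: datetime) -> None:
    """Timeout branch: revoke and notify once the window lapses unconfirmed."""
    if g.state == "paused" and now - g.approved_at > CONFIRM_WINDOW:
        g.state = "revoked"
        g.actions += ["revoke_grant", "notify:ciso"]

def run_sample():  # constructed sample events, not real telemetry
    t0 = datetime(2026, 5, 4, 9, 0)
    a = Grant("cfo", {"executive"}, {"drive.read"}, t0)
    b = Grant("ceo", {"executive"}, {"mail.read", "profile"}, t0)
    c = Grant("dev", {"engineering"}, {"drive.read"}, t0)
    d = Grant("coo", {"executive"}, {"calendar.read"}, t0)
    fired = [g.actor for g in (a, b, c, d) if on_grant_approved(g)]
    on_confirm(a, t0 + timedelta(minutes=10))   # confirmed in time
    on_confirm(b, t0 + timedelta(minutes=45))   # too late, ignored
    for g in (a, b, c, d):
        on_tick(g, t0 + timedelta(minutes=46))
    return fired, {g.actor: g.state for g in (a, b, c, d)}
```
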
Live · last 5 · firing
oauth_grant.suspicious · via okta · ATT&CK T1078.004 · high · now
edr.process.unsigned_dll · via crowdstrike · ATT&CK T1574.002 · med · 12s
iam.role.privilege_escalation · via aws · ATT&CK T1098.003 · high · 47s
agent.tool.unapproved · via openai · ATT&CK T1059 · low · 1m
auth.impossible_travel · via okta · ATT&CK T1078 · med · 2m
Figure: Zaun runbook plan editor for Non-Compliant Device Investigation with detection, entity correlation, enrichment steps, and response actions

Plain-English by default

Every rule reads like a sentence. No DSL to learn. Anyone on your team can read, edit, or comment.

Tuned Autonomously

Automatically adapts to your environment and changes based on events, feedback, or weekly tunings.

Versioned and Auditable

Each rule and step is a Zaun artifact, version-controlled, and observable end to end.

§ P4 Investigation

Investigations that show their work.

When a detection fires, Zaun closes most investigations in under a minute: pulls evidence from every connected source, correlates the timeline, scores the verdict, and writes a plain-English narrative your team can audit. Humans approve only what matters; the machine handles the grunt work.

investigation #4271 · HIGH

OAuth grant from new device on executive account

Auto-summary: actor approved a drive.read grant 14 minutes after a sign-in from an unrecognized device. No matching change ticket. Recommend revoke and rotate.

00:00 · detection · oauth_grant.suspicious fired
00:01 · collect · pulled actor history (okta, slack, github)
00:03 · correlate · matched session anomaly + new device
00:06 · verdict · true positive (credential exposure)
00:07 · runbook · awaiting human approval to revoke

Evidence graph for INV#4271: 6 sources · 14 events
Okta: 3 events · sign-in
Slack: 2 events · activity
GitHub: 4 events · push events
AWS: 2 events · IAM
CrowdStrike: 1 event · EDR
Google: 2 events · mail headers
Figure: Zaun investigation detail with alert summary, raw payload, investigation results, and a Cyber Investigation Next Steps panel with priority and recommended actions
§ P5 Compliance

Continuous compliance, evidence-backed.

Map every control to live evidence from your stack. SOC 2, ISO, HIPAA, PCI, CIS, and NIST tracked continuously, with a permanent audit trail you can hand to your auditor without a screenshot scramble.

92% aggregate posture · 764 controls in evidence

SOC 2 Type II: 98% · controls 156 / 159 · audit-ready
ISO 27001: 91% · controls 102 / 112 · on track
HIPAA: 94% · controls 48 / 51 · audit-ready
PCI DSS 4.0: 87% · controls 218 / 251 · on track
CIS Controls v8: 96% · controls 146 / 153 · on track
NIST CSF 2.0: 89% · controls 94 / 106 · on track
Figure: Zaun Controls Posture dashboard for NIST Cybersecurity Framework 2.0 with evidenced, verified, available, gaps, pending, and drift counts plus per-control coverage and vendor contributions
§ P6 Reporting

Reports your board actually reads.

Editorial-grade reports that summarize coverage, posture, MTTR, and incidents in plain language. Generated weekly, ready to hand to leadership, the audit committee, or your customers without retouching.

BOARD: Q2 board readout (May 2026 · Executive summary)
AUDIT: SOC 2 evidence pack (Continuous controls report)
OPS: Weekly coverage (Week 18 · MTTR, incidents, tuning)

Coverage trend · 7 weeks (W14 to W20): ↑ coverage 71 → 96 · ↓ mttr 38m → 14m
Figure: Performance Metrics dashboard with investigation totals, quality, automation speed, proactive coverage, automated alert closure, and investigation accuracy
§ P7 Support

An engineer who knows your stack, on call.

Every customer gets a named Forward Deployed Engineer. They learn your environment in week one, ship new detections every week, and answer in your Slack/Teams channel directly. No context lost, no tier-1 analysts.

#zaun-alphacorp · 5 members · pinned
Asha K. 9:14 AM
morning. two platform updates went out overnight: saved-view filters in the lake explorer and bulk runbook export. pinned both in the workspace for you.
Marco V. 9:21 AM
also got the new linear integration live. alerts auto-create tickets and the agent threads the verdict back here when it closes.
You 9:23 AM
nice. can we refresh the okta detections pack with the new techniques from the v3 release?
Asha K. 9:24 AM
already pulled v3.2 yesterday. ~8 new techniques covered, want a quick walkthrough before they go live?
Johnny Y. · Forward Deployed Engineer · online
Christophe F. · Forward Deployed Engineer · online
Tyler L. · Forward Deployed Engineer · on call
<30min: Median Non-P0 Response Time
24/7: optional 24/7 Human-led Response
Begin

Catch the threats your stack can't see today.

A 30-minute call. Industry-specific demo. No obligation. Connected to your stack and finding things by next week.

SOC 2 Type II · AWS Marketplace · 30-min call · No obligation