Log Lens

Detection engineering at the speed of thought.

Describe a threat in plain language. Get mapped ATT&CK techniques, the exact log sources you need, and SIEM-agnostic detection logic — in seconds, not hours.

log-lens session
user › "Attacker uses living-off-the-land binaries to move laterally"

analyzing threat description...

T1218.010 — Regsvr32
T1218.011 — Rundll32
T1047 — WMI
T1021.006 — WinRM

log sources needed (windows):
Sysmon EventID 1 (Process Create)
Windows Security 4688
PowerShell 4104 (Script Block)
WMI-Activity/Operational

log sources needed (linux):
auditd (execve syscall)
/var/log/auth.log (SSH, sudo)
syslog / journald

4 techniques · 7 log sources · 2 gaps detected

How it works

From threat to detection in three steps

01

Describe the threat

Enter a TTP description in plain language — a threat intel report snippet, an incident finding, or a hypothesis. No ATT&CK IDs needed.

02

Get the mapping

Log Lens maps your description to relevant ATT&CK techniques and sub-techniques, identifies every log source needed to detect them, and flags gaps in your coverage.

03

Export & implement

Get SIEM-agnostic detection logic, Sigma rules, or formatted output for your platform. Copy to your detection library and deploy.

Capabilities

Everything a detection engineer needs

Built from real-world detection engineering workflows across Fortune 500 security operations.

🗺️

ATT&CK Mapping

Natural language threat descriptions mapped to MITRE ATT&CK techniques and sub-techniques with confidence scores.

📋

Log Source Identification

For each mapped technique, get the exact log sources, event IDs, and data fields required for detection.

🔍

Gap Analysis

See where your logging coverage falls short. Know which sources you're missing before the adversary finds out.

📐

Detection Logic

SIEM-agnostic detection rules that translate to Splunk SPL, Microsoft KQL, Elastic EQL, or Sigma format.

🗂️

Detection Library

Build and manage a searchable library of detection rules organized by ATT&CK tactic and technique.

📊

Coverage Heatmap

Visual ATT&CK matrix showing your detection coverage — green where you're covered, red where you're exposed.

201+ ATT&CK Techniques
600+ Sub-techniques
100+ Log Source Mappings
<5s Avg. Response Time

Pricing

Start free. Scale as you grow.

No credit card required for the Free tier. Upgrade when your team needs more.

Free
$0
For individual analysts exploring detection engineering workflows.
  • 10 queries per month
  • ATT&CK technique mapping
  • Log source identification
  • Basic detection logic output
  • Detection library
  • Coverage heatmap
  • Team collaboration
  • API access
Get Started Free

Pro
$49/user/mo
For detection engineers and analysts who need full capability.
  • Unlimited queries
  • ATT&CK technique mapping
  • Log source identification
  • Full detection logic (SPL, KQL, EQL, Sigma)
  • Personal detection library
  • Coverage heatmap
  • Team collaboration
  • API access
Start Pro Trial

Enterprise
Custom
For large organizations with compliance, integration, and support requirements.
  • Everything in Team
  • Unlimited users
  • SSO / SAML integration
  • API access
  • Custom integrations
  • SLA & dedicated support
  • On-premises deployment option
  • Custom detection rule packs
Contact Sales

Map your first threat in 30 seconds.

Free tier — no credit card, no sales call, no demo request. Just start.

Start Free →