How does Panther work?

Panther provides a fast, flexible and scalable platform for security monitoring, capable of running detections against terabytes of data in real-time.



To start, every Panther customer receives their own instance, which lives in an isolated AWS account (managed by Panther) via a single-tenant deployment model to ensure security isolation. 

Panther collects security logs from the cloud via AWS S3, SQS, SNS, CloudWatch Logs, GCS or direct integrations with SaaS providers. Panther parses the raw logs in JSON, CSV, or free text format. Panther reads and normalizes the data as it comes through, recognizes the log types, extracts important indicators like username, URL, email, IP addresses, and more to support fast detections and SQL queries across all log types.


Ingested logs run through Panther’s Python engine for real-time analysis and alerting. Panther’s Python engine includes 400+ pre-built detection for log sources and security risks at the top of the list for most security teams. 

Teams can also customize, create, and harden detections leveraging Python, unit tests and standard CI/CD workflows to tailor detections specifically for their environment.


Use Panther’s pre-built detection packs and customize them as you like, or craft your own detections in Python to set rules for alerting. 

Dynamically add context to alerts and dispatch them to existing automation workflows via integrations like Slack, PagerDuty and Jira.

In addition, easily automate remediation by sending alerts to downstream SOAR tools like Tines.


Panther pushes normalized data into a security data lake inside Snowflake, where it is readily available for investigation using SQL queries. 

Security logs inside the security data lake are enriched with events and non-event contextual information such as identity context (user, host, IP addresses), vulnerability context (scan reports), business context and more. 

Quickly extract valuable insights from terabytes of data with ad-hoc and scheduled queries.

Deployment Options

Panther is delivered as a cloud-native SaaS, with zero operational overhead for customers. We take care of provisioning, upgrades and all other system administration so your team can focus on higher value security work.

SaaS Deployment

Panther creates and manages the AWS account as well as the Snowflake account, providing full transparency to customers.

Bring your own Snowflake

Panther can be used as a connected-app to store ingested data to your existing Snowflake Data Lake.