From Getting Rickrolled by Canaries to AI-Native Security
From honeypot rickrolls to AI-native security: RunReveal's journey building the future of SIEM alternatives.

Two and a half years ago, we started RunReveal in Evan's spare room with a simple mission: Build better security tooling. What we didn't expect was getting rickrolled through user-agent strings when we tweeted AWS keys as honeypots. It was a humbling reminder that hackers are often just out to get a laugh.
That was January 2023. We'd just raised $2.5M from Costanoa Ventures and some incredible angels, and we thought canaries and honeypots were the missing link to better detection. But after dozens of conversations with security teams, we realized canaries weren't it. Teams needed help leveling up their entire detection and response game with better tools all around.
So in March 2023, right as SVB was having its liquidity crisis (memorable timing since we'd literally just chosen them as our bank), we pivoted; we took the Go and ClickHouse pipeline we'd built and asked: What if we created a detection and alerting system that was actually fast and efficient?
Turns out we could. And it was faster and better than anything we'd seen.

The foundation year
We started with just streaming detections and storage. Then our first SWE, Michael, joined in May and built our scheduled query detections, his first project, which opened the floodgates to hundreds of other features we needed to ship.
July 11th, 2023 marked our official launch. But we never really believed in stealth mode, so "launch" really just meant opening the doors for anyone to sign up and use the product. That week we got our first customer, who was looking for something simple and efficient to alert them when someone logged in with the AWS root account, among other detections.
Fast forward through months of rapid building, and we brought on Andrew as our first sales hire in January 2024. He helped us close our first enterprise deal with Temporal, proving that our approach could scale beyond simple use cases.

The enterprise evolution
2024 became our year of enterprise features. We shipped the core capabilities that large teams need: RBAC and team management in January, PQL (our pipelined query language) in February, and destinations in March so customers could truly own their data.
By April, we'd launched cross-source alert correlation to cut through the noise. We sponsored BSidesSF in May, shipped Detection as Code in June, and added blob destinations for archiving in July. The same month we brought on another engineer who immediately got to work on enrichments and shipped them in August.
The pace didn't slow: SSO in a day (August), Sigma detections (September), threat feeds (October). Then we went heads down for a few months, onboarding some really big customers who were pushing our platform in new directions.

The AI-native future
This year has been transformative. In March, we released our Model Context Protocol (MCP) server, enabling customers to investigate logs with AI clients like Claude. The response was immediate: Questions that used to take security engineers hours started taking seconds.
But we realized we needed to go further. In May, we launched our Remote MCP Server with OAuth support, then in June announced our AI-native agent and chat, purpose-built for security investigations and deeply integrated into the platform. The vast majority of our customers now rely on these features daily.
The momentum culminated in July when we announced $7M in seed funding led again by Costanoa Ventures, with participation from Runtime Ventures, Modern Technical Fund, Okta Ventures, and several angels. This investment is fueling our mission to replace the tool sprawl of legacy SIEM with AI-native detection and response workflows.

What's next
From getting rickrolled by honeypots to AI-native security investigations serving security teams at Harvey, ClickHouse, Flexport, and many more, it's been quite the journey. We've built a unified platform that handles ingestion, detection, and response without the complexity and vendor lock-in of traditional SIEMs.
But honestly? We're just getting started. The future of security operations is agentic, and we're building the data infrastructure and AI workflows that will power it. Every log tells a story, and now AI can help security teams read them faster than ever before.
This is what happens when you combine deep security expertise with modern data architecture and AI-first design. The result isn't just another SIEM; it's the future of how security teams will work.