Today we're announcing that RunReveal supports on-premise and in-VPC deployments using Kubernetes. This is the full RunReveal platform, every feature and capability from RunReveal Cloud, deployed as infrastructure you own and operate. We've been running Kubernetes-based deployments with customers since early 2025, and we're excited to make this a formal offering.

Why this matters

The security data market has a strange gap: the "modern" SIEMs are all cloud-only SaaS products. They ingest your logs, store them in their infrastructure, and charge you to query your own data. If you want to leave, your data stays behind. If you need to keep logs in your own environment for compliance, regulatory, or sovereignty reasons, these products can't help you.

That's why Splunk and Elastic remain dominant in environments where data control matters. They're complex and expensive to operate, but they run where you tell them to. For security teams at regulated companies, in sensitive industries, or with strict data residency requirements, that tradeoff has been worth it.

We think you shouldn't have to choose between a modern platform and data ownership. RunReveal on Kubernetes gives you both: a platform built for how security teams work today, running entirely within infrastructure you control.

And there's a broader principle at stake; the future of AI-driven security depends on having well-managed, private data. If your security telemetry is locked in someone else's cloud, your ability to build on top of it is limited to whatever they decide to offer. Owning your data pipeline means owning your options.

How does RunReveal's Kubernetes offering work?

Kubernetes has become the de-facto interface for running services in cloud environments. It abstracts away the specifics of where your workloads run, whether that's AWS, GCP, Azure, or bare metal in your own datacenter. That portability is what makes it the right foundation for RunReveal's on-prem offering: you bring a cluster, we bring the platform.

RunReveal deploys as a single Helm chart. The chart packages every service that makes up the RunReveal platform: the API server, the log processing pipeline, the scheduler, and the web frontend. You configure a values file for your environment, run helm install, and you have a working RunReveal instance.

The deployment is designed to run on any Kubernetes cluster that provides a few standard building blocks:

• An ingress controller for routing traffic to the API and frontend
• S3-compatible object storage for log data, query results, and webhook buffers
• PostgreSQL and ClickHouse databases (managed or self-hosted)
• A fast, reliable StorageClass for any persistent volumes
• SQS or an equivalent message queue for the processing pipeline

No proprietary infrastructure requirements, no vendor-specific Kubernetes distributions. If your cluster can run standard workloads, it can run RunReveal.

The Helm chart uses a service selector model: you enable exactly the services you need in your values file, and the chart renders only those components. A minimal deployment might run the API, a single queue processor, and the frontend. A high-throughput deployment can scale each service independently, with horizontal pod autoscaling configured per-component. The chart also works with ArgoCD out of the box, so teams already practicing GitOps can manage RunReveal the same way they manage everything else.

All configuration lives in your values file and a handful of Kubernetes secrets. Everything is explicit and auditable. There's no external dependency on RunReveal infrastructure at runtime. Your data stays in your environment, full stop.

Updates

RunReveal ships updates as new container image tags. Your cluster pulls new versions directly from RunReveal's container registry via a pull secret provisioned during on-boarding. We version every release, and you choose when to upgrade. Or you can let us manage and monitor it for you in your cloud with our bring-your-own-cloud offering.

Updating is a one-line change in your values file:

# Before
image: images.runreveal.com/rrd:v2026.2.45

# After
image: images.runreveal.com/rrd:v2026.2.46

Then apply:

helm upgrade runreveal ./helm/runreveal -f your-values.yaml

Database migrations are managed through RunReveal's admin portal that ships with the product, giving you visibility and control over schema changes before they take effect. Most updates roll out with no downtime via Kubernetes rolling deployments, though some releases with migration steps may require a brief maintenance window.

Wrapping up

RunReveal on Kubernetes is the full platform, deployed as infrastructure-as-code, running entirely within your AWS account. Our software is processing petabytes of data today in environments ranging from tech giants to small companies with strict regulatory requirements.

When we started RunReveal, we built it to work both as a cloud service and as software you can run yourself. There's no one-size-fits-all for security data infrastructure, and we didn't want to pretend there was. We're glad to have reached the point where the entire platform can be stood up in a single afternoon.

We have a lot more planned for RunReveal on Kubernetes. The ease of deployment is improving over time, and could potentially be deployed on a single host down the line. If you're a security team that needs to own your infrastructure, or you're just the kind of person who wants to run things yourself, get in touch or subscribe to this blog for more.