Re-run yesterday's traffic into a fresh SIEM.
STACK Replay sandboxes any prior window of your security pipeline — replay into a fresh detection engine, a Jupyter notebook, or a sandbox SIEM, without rehydrating from cold storage.
Investigation that doesn't wait on a rehydrate ticket
Cold-storage rehydration is slow and expensive. Iceberg-native replay turns any window into a queryable, branchable, sandboxable state in minutes.
Iceberg-Native Storage
Columnar Parquet pipeline state, queryable by time, source, identity, asset, or rule outcome.
Sandbox Provisioning
Spin a fresh Splunk, Sentinel, Chronicle, or Elastic. Point Replay at it. See how new rules would have fired against real traffic.
Branch-and-Test
Fork a window. Mutate a detection rule. Re-run. Diff the results — true positives, false positives, missed escalations.
Forensic Snapshot
Investigator-grade pinning. Prove what state was at any moment with chain-of-custody signatures.
Auditor Mode
Replay window with sealed evidence pack. Auditor signs the JSON; you keep the bytes.
Universal Compatibility
Works with any pipeline that writes to Iceberg, or via STACK Beacon's native sink. One-line integration.
→ Window: 6 hours, 14.2M events, 3 sources (CloudTrail, VPC Flow, K8s audit)
→ Storage: Iceberg snapshot pinned — 0 rehydration cost
→ Sandbox: Splunk Enterprise 9.3 provisioned (sandbox-replay-0514) READY
→ Replay: streaming 14.2M events at 48x speed…
→ Rules: 247 detection rules evaluated — 12 would have fired +3 NEW
→ Delta: 3 NEW detections vs. production rule set (lateral-move, priv-esc, exfil)
→ EVIDENCE forensic-snapshot.json signed — chain-of-custody intact
From pipeline tap to first replay, in one week
Replay reads your existing Iceberg-backed security lake. If you use STACK Beacon, integration is one line of pipeline config. No new infrastructure required.
1. Connect
Iceberg sink configured on your pipeline or STACK Beacon. First events indexed in columnar Parquet within hours.
Day 1–22. Index
Seven days of pipeline history queryable by time, source, identity, asset, or rule outcome. Sandbox SIEM provisioned.
Day 3–43. Replay
First end-to-end replay. New-vs-old detection rule comparison delivered. Forensic snapshot signed with chain-of-custody.
Day 5Questions teams ask before deploying
Straightforward answers about scope, integration, data handling, and rollout.
How is this different from Cribl Replay?
Iceberg-native storage and SIEM-sandbox-provisioning built in. Cheaper at scale, queryable from any compute, and works without buying the rest of Cribl.
Do I need STACK Beacon to use this?
No — Replay reads any Iceberg-backed security lake. If you have Beacon, integration is one line of pipeline config.
What does it cost?
Storage cost only. Replay compute is on-demand and serverless — you pay for the minutes you replay, not for standby capacity.
Air-gapped support?
Yes. Single-binary mode runs without outbound. Sandbox SIEM brought up on-prem alongside Replay.