Re-run yesterday's traffic into a fresh SIEM.
STACK Replay sandboxes any prior window of your security pipeline — replay into a fresh detection engine, a Jupyter notebook, or a sandbox SIEM, without rehydrating from cold storage.
Investigation that doesn't wait on a rehydrate ticket
Cold-storage rehydration is slow and expensive. Iceberg-native replay turns any window into a queryable, branchable, sandboxable state in minutes.
Iceberg-Native Storage
Columnar Parquet pipeline state, queryable by time, source, identity, asset, or rule outcome.
Sandbox Provisioning
Spin a fresh Splunk, Sentinel, Chronicle, or Elastic. Point Replay at it. See how new rules would have fired against real traffic.
Branch-and-Test
Fork a window. Mutate a detection rule. Re-run. Diff the results — true positives, false positives, missed escalations.
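The branch-and-test step above, as an added illustration that is not STACK Replay's own code: the replay window, the two rule versions, the analyst labels and the diff logic are all constructed here, and the detection rules are written as Python predicates rather than in a SIEM query language. It shows what the diff of a baseline run against a mutated run looks like when the outcomes are bucketed into new true positives, new false positives, and missed escalations.

```python
"""Branch-and-test a detection rule over a replayed window (constructed example)."""
from collections.abc import Callable
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    id: str
    src_ip: str
    user: str
    failed_logins: int   # auth failures for this user in a 5-minute bucket
    new_geo: bool        # first sign-in from this country for the user
    malicious: bool      # analyst ground-truth label pinned to the window (constructed)


# Constructed replay window: a handful of auth events with analyst labels.
WINDOW = [
    Event("e1", "203.0.113.7",  "alice", failed_logins=12, new_geo=False, malicious=True),
    Event("e2", "203.0.113.7",  "bob",   failed_logins=3,  new_geo=True,  malicious=True),
    Event("e3", "198.51.100.4", "carol", failed_logins=11, new_geo=False, malicious=False),  # noisy CI runner
    Event("e4", "192.0.2.10",   "dave",  failed_logins=0,  new_geo=True,  malicious=False),  # legitimate travel
    Event("e5", "192.0.2.11",   "erin",  failed_logins=5,  new_geo=True,  malicious=True),
    Event("e6", "192.0.2.12",   "frank", failed_logins=6,  new_geo=True,  malicious=False),  # forgot password abroad
]

Rule = Callable[[Event], bool]


def rule_baseline(e: Event) -> bool:
    """Baseline rule: brute-force threshold only."""
    return e.failed_logins >= 10


def rule_mutated(e: Event) -> bool:
    """Mutated rule: raise the brute-force threshold to cut CI noise,
    but add a lower threshold when paired with a new-geography signal."""
    return e.failed_logins >= 15 or (e.new_geo and e.failed_logins >= 5)


def run(rule: Rule, window: list[Event]) -> set[str]:
    """Replay the window through one rule; return the ids it fires on."""
    return {e.id for e in window if rule(e)}


def diff_rules(before: Rule, after: Rule, window: list[Event]) -> dict[str, set[str]]:
    """Diff two runs against the window's labels.

    Only events whose outcome changed are reported; events both rules
    agree on are unchanged by the mutation and need no review.
    """
    labels = {e.id: e.malicious for e in window}
    fired_before, fired_after = run(before, window), run(after, window)
    newly_fired = fired_after - fired_before
    newly_silent = fired_before - fired_after
    return {
        "new_true_positives":      {i for i in newly_fired if labels[i]},
        "new_false_positives":     {i for i in newly_fired if not labels[i]},
        "missed_escalations":      {i for i in newly_silent if labels[i]},
        "dropped_false_positives": {i for i in newly_silent if not labels[i]},
    }


def summarize(diff: dict[str, set[str]]) -> dict[str, int]:
    """Counts per bucket, the headline numbers a reviewer compares."""
    return {bucket: len(ids) for bucket, ids in diff.items()}


if __name__ == "__main__":
    d = diff_rules(rule_baseline, rule_mutated, WINDOW)
    for bucket, ids in d.items():
        print(f"{bucket:24s} {sorted(ids)}")
```

The point of the diff is the `missed_escalations` bucket: the mutated rule gains two detections and sheds a false positive, but it also stops firing on `e1`, a labelled-malicious brute-force at 12 failures. Seen against real replayed traffic rather than a synthetic test set, that regression is the reason to reject or re-tune the mutation before promoting it.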
Forensic Snapshot
Investigator-grade pinning. Prove what state was at any moment with chain-of-custody signatures.
Auditor Mode
Replay window with sealed evidence pack. Auditor signs the JSON; you keep the bytes.
Universal Compatibility
Works with any pipeline that writes to Iceberg, or via STACK Beacon's native sink. One-line integration.
Questions teams ask before deploying
Straightforward answers about scope, integration, data handling, and rollout.
How is this different from Cribl Replay?
Iceberg-native storage and SIEM-sandbox-provisioning built in. Cheaper at scale, queryable from any compute, and works without buying the rest of Cribl.
Do I need STACK Beacon to use this?
No — Replay reads any Iceberg-backed security lake. If you have Beacon, integration is one line of pipeline config.
What does it cost?
Storage cost only. Replay compute is on-demand and serverless — you pay for the minutes you replay, not for standby capacity.
Air-gapped support?
Yes. Single-binary mode runs without any outbound connection. The sandbox SIEM is brought up on-prem alongside Replay.