Introduction

Overview

VAST is an engine for network forensics at scale. It enables security operations centers (SOCs) to build a high-performance stack for real-time incident response.

Features

  • Built for network forensics: VAST’s data store is purpose-built to support common queries in the domain, such as checking indicators over the entire time spectrum, and not just the last two months.

  • Interactive queries: VAST’s multi-level indexing approach delivers sub-second response times over the entire data set—a perfect fit for the explorative workflows of incident responders and threat hunters.

  • High-throughput streaming: VAST relies on end-to-end streaming to ingest massive amounts of data. Dynamic backpressure ensures that the system does not keel over when stuffing too much data into it.

  • Rich and typed data model: VAST’s type-rich data model helps to retain domain semantics during ingestion of the data and also manifests in the query language. All types support meaningful operations, e.g., IP addresses support top-k prefix search and containers support membership queries. Moreover, VAST’s typed expression syntax allows you to search over fields having a particular type or attribute.

  • Seamless integrations: we are working on embedding VAST deep into systems for big data analytics, without inefficient JSON over REST APIs.