Architecture

Patent-pending compression. Operator-friendly architecture.

Edge agent compresses losslessly inside your cluster, severity-routes hot events to your real-time SIEM, and drops cold chunks straight into your bucket. Five components, two paths, one number on your invoice.

edge-native · patent-pending · air-gap capable · BYO cloud + KMS

System topology

[Diagram: Your cluster (Pods, OTLP receivers, Edge agent); Sasquatch services (Control plane, Retrieve, Query); Your cloud (S3 / GCS / Azure). Legend: Sasquatch services, Customer cloud.]

Five components

What runs where, and what it sees.

The control plane never receives your raw event data. Compressed chunks live in your bucket, encrypted with your KMS key. Tap Out and Snowman queries decompress on demand.

Edge Agent
Inside your cluster

Tails logs, receives OTLP, classifies severity, compresses every event losslessly into your bucket, and additionally mirrors errors and criticals to your real-time SIEM.

Control Plane
sasquatchlabs.io

Tenant configuration, model calibration, routing rules, telemetry rollups. Never sees your raw event data.

Cold Storage
Your S3 / GCS / Azure

Compressed chunks land in your bucket with your KMS key. Your data, your egress, your retention rules.

Retrieve Service
retrieve.sasquatchlabs.io

Decompresses on demand for Tap Out audits and ad-hoc rehydration. Streams responses, never buffers.

Query Service
query.sasquatchlabs.io

Snowman engine speaks LogQL, SPL, TraceQL, PromQL. Queries run against your cold storage — egress + a sliver of compute.

Two paths

Every event goes cold. Critical ones also fire hot.

The cold path is the foundation — every event your stack emits flows through the lossless compression pipeline and lands in your bucket. The hot path is an overlay: ERROR and CRITICAL events are additionally mirrored to your real-time SIEM uncompressed, so alerts fire instantly without sacrificing the complete cold-storage record.

Cold path · every event · throughput-first

1. event arrives at agent
2. parse + classify
3. compress losslessly (multi-pass)
4. buffer into upload chunk
5. flush to S3 / GCS / Azure bucket

cycle time: edge → bucket ~30s · 100% retention

Hot mirror · errors only · latency-first

1. cold path runs unchanged (above)
2. severity ≥ ERROR? → also clone
3. forward clone to Datadog / Splunk / etc.
4. ack + log telemetry

cycle time: ~50ms p99 · alerts on the same byte

Why the ratios are real

Three principles do the work.

The internal pipeline is patent-pending and the specifics live in the filings. What you can verify from the outside is the outcome — lossless ratios on the corpora published in our benchmarks page, reproducible against your own data.

Schema-aware

Calibrated to your environment.

The compression model adapts to the shape of your telemetry, not a generic baseline. That calibration is what makes 15–30× ratios real instead of theoretical.

Multi-pass

Several strategies, layered.

Each pass addresses a different kind of redundancy that exists in modern Kubernetes and OTLP traffic. None of them depend on dropping data — every byte survives.

Verifiable

SHA-256 chain on every chunk.

Lossless isn't a marketing claim. The integrity manifest on each chunk is the proof — round-trip the bytes, the hash matches, full stop.
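
The round-trip check described above, sketched as an added example (not Sasquatch's code or manifest format). The manifest field names, the all-zero genesis value, and zlib as the compressor are assumptions, since the page does not publish the real layout.

```python
import hashlib, json, zlib

GENESIS = "0" * 64  # assumed anchor value for the first chunk's "prev" field

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def link_hash(entry: dict) -> str:
    """Chain link: SHA-256 over the entry's hashes plus the previous link."""
    body = {k: entry[k] for k in ("raw_sha256", "blob_sha256", "prev")}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def build(chunks: list[bytes]) -> tuple[list[bytes], list[dict]]:
    """Writer side: compress each chunk and append a manifest entry."""
    blobs, manifest, prev = [], [], GENESIS
    for raw in chunks:
        blob = zlib.compress(raw, 9)  # stand-in compressor (assumption)
        entry = {"raw_sha256": sha256_hex(raw), "blob_sha256": sha256_hex(blob), "prev": prev}
        entry["link"] = prev = link_hash(entry)
        blobs.append(blob)
        manifest.append(entry)
    return blobs, manifest

def verify(blobs: list[bytes], manifest: list[dict]) -> list[str]:
    """Auditor side: return findings; an empty list means intact and lossless."""
    findings = []
    if len(blobs) != len(manifest):
        findings.append("chunk count does not match manifest")
    prev = GENESIS
    for i, (blob, entry) in enumerate(zip(blobs, manifest)):
        if entry["prev"] != prev or entry["link"] != link_hash(entry):
            findings.append(f"chunk {i}: chain link broken")
        if sha256_hex(blob) != entry["blob_sha256"]:
            findings.append(f"chunk {i}: stored bytes modified")
        else:
            try:
                if sha256_hex(zlib.decompress(blob)) != entry["raw_sha256"]:
                    findings.append(f"chunk {i}: round trip is not lossless")
            except zlib.error:
                findings.append(f"chunk {i}: does not decompress")
        prev = entry["link"]
    return findings

# Constructed sample chunks (not real telemetry).
SAMPLE = [
    b'{"sev":"INFO","pod":"api-7f9","msg":"request ok"}\n' * 20,
    b'{"sev":"ERROR","pod":"api-7f9","msg":"upstream timeout"}\n' * 5,
    b'{"sev":"INFO","pod":"worker-2c1","msg":"job done"}\n' * 12,
]
```

A chain only proves internal consistency: pin the latest `link` value somewhere the bucket writer cannot modify, otherwise blobs and manifest rewritten or truncated together still verify.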