Challenges
- Guardant Health’s prior SIEM required a proprietary query language, so getting answers out of their own data meant hiring specialists in that language or training the team to use it.
- A fixed log ingestion budget forced constant tradeoffs about which data to keep, and some logs were cut from the SIEM entirely, reachable only through Athena queries in AWS that ran slowly.
- The SIEM had become a passive log repository with no meaningful detections running against the data, so it added storage cost without adding detection.
- In a live investigation, the team would bypass the SIEM and go straight to the source, pulling an Okta export into a spreadsheet and filtering by hand, because triage otherwise meant moving across disconnected tools to assemble context.
- MDR came from a separate vendor whose investigation outputs were shallow and generic, with little analytical depth, leaving a small team without the response support it needed.
Solutions
- Exabot lets the team query their security data in natural language, removing the proprietary query language and the need to staff dedicated SIEM specialists.
- Exaforce ingests all AWS CloudTrail logs and keeps them searchable in one view, ending the budget-driven data exclusions and the slow Athena lookups they replaced.
- Exabot Detect runs active detections on that ingested data, turning a passive log repository into live detections that provide real, valuable findings.
- The Exaforce real-time knowledge graph cross-correlates identity, endpoint, and cloud telemetry in a single view, so the team triages in one place instead of bypassing the SIEM and pulling Okta exports by hand.
- Exaforce agents and MDR analysts handle first through third-level triage and full investigations with the analytical depth the prior vendor lacked, consolidating SIEM and MDR under one partner.
From a log repository to answers in seconds
Guardant Health is a blood-based cancer detection company, and its mission is to beat cancer with data. That data is patient genomic and clinical information, which makes security a direct extension of patient care. The company carries HIPAA and SOC 2 obligations, and those requirements shape every vendor decision, since Guardant holds its vendors to the same standard it holds itself. At Guardant's size, an internal SOC does not make sense, so the team relies on a managed partner for round-the-clock coverage.
Before Exaforce, Guardant ran a different SIEM, and it created more work than it removed. The product required a proprietary query language, which meant the team had to either hire people who knew it or train its existing members to use it. The log ingestion budget forced constant tradeoffs about which data to keep, and CloudTrail logs lost that fight. They were never in the SIEM. To search them, the team had to drop into AWS and run Athena queries, which were brutally slow.
The deeper problem was that no real detections were running on the data. The SIEM had become a repository of old logs that the team consulted after the fact and hoped held what they needed. In a live investigation, the team would skip it and go straight to the source, pulling an Okta export into a spreadsheet and filtering by hand. MDR came from a separate vendor whose investigation outputs were shallow and generic, creating more noise than help.
With Exaforce, the change started with how the team gets answers. Instead of writing queries, the Guardant team asks Exabot in plain language and gets results back faster than the old SIEM could return them. CloudTrail is fully ingested now and correlated against Okta, CrowdStrike, and the rest of the stack in a single view, so data that used to sit behind a slow Athena query is available immediately. Detections run on that data in real time, and the Exaforce MDR team handles first and second-level triage before anything reaches Guardant.
"We never had the budget to keep all of our AWS logs in the old SIEM and make them searchable, so I'd go into AWS and run Athena queries. Anyone who has done that knows it's brutally slow. Now all of my logs are right there at the touch of a button, and I can correlate them across my EDR, my Okta, all of my other tools in one place," said Mike Shannon, Director of Security Engineering at Guardant Health.
The difference showed up clearly on a day when the team was shorthanded. An EC2 alert came in. Guardant's IT team reached out to AWS support to understand it, and AWS came back saying the associated account was compromised. Mike asked Exaforce whether the account AWS had flagged was actually related to the EC2 instance in question. In about 15 seconds, Exaforce returned a complete answer with links to the supporting evidence. The two were unrelated. AWS had made a mistake, and Exaforce saved hours of investigation.
The results are measurable. Mean time to investigate is down to 12 minutes, and over the past 90 days the Exaforce AI agents have completed the equivalent of 30 people's worth of work. The effects reach into planning. The engineering work the team had scheduled for Q2 came off the calendar because Exaforce built it, and Mike's hiring plans are changing based on what the AI agents now cover.
For Guardant's security leadership, the decision came down to what a lean team needs to defend a sensitive environment over time.
"We're in the first steps of an age where the attackers have a lot more power than we do and they're using it.," Shannon said. "Just to keep up, it requires really good people and really good tools, and thankfully, I feel like I have both now with Exaforce."
Guardant Health exists to beat cancer with data, and with Exaforce, the team protecting that data can move as fast as the mission demands.




