The BottomLine Logs reads your raw firewall, IDS, and SIEM logs and outputs ROSI — calibrated to your revenue and your sector. Hosted. Auditable. Built for the boardroom.
Licensed hosted platform · OIDC-gated end-to-end · Built on enterprise-grade open-source foundations.
Every renewal cycle, the CFO asks: "What did our $250k firewall actually save us last year?" Your SIEM shows blocked events. Your EDR shows blocked malware. None of them show dollars avoided or dollars saved. The BottomLine Logs fills that gap — by reading the exact same syslog stream your existing tools produce, and pricing every event in your company's own dollars.
Your team aren't finance experts; don't ask them to be.
A four-stage workflow that takes an executive or consultant from raw company data to a board-ready ROI report in a single session.
What it does: Models your company's per-gigabyte data value from revenue, employees, records, data volume, years of history, and sector
What you get: A defensible per-GB data value and Expected Annual Loss baseline anchored to your business, not a vendor average
What it does: Runs the full attack-vector catalog against your data-valuation anchor, sector-adjusted
What you get: Annual Expected Loss per attack category with a transparent audit trail
What it does: Ingests live firewall/IDS/SIEM syslog and prices each blocked event in real dollars — the same model, applied per alert
What you get: Live "cost avoided" counter; per-event valuation shown in a streaming feed
What it does: Combines Stages 1–3 into the single number the boardroom asks for
What you get: ROSI %, payback months, annual savings, and a printable executive summary
The platform retains every session, every priced event, and every ROSI number over time. Long-term dashboards surface how ROSI, attack volume, and cost-avoided evolve week-over-week, month-over-month, and quarter-over-quarter — so executives and consultants can track how security posture is changing, validate the ongoing impact of investment decisions, and present multi-period trends to the board.
Whether the source is a pasted log file or a live agent feed, every dollar value passes through the same valuation engine. One model. Auditable. Built to support a CFO conversation.
Quantify your company's data per gigabyte to a dollar amount — modeled from your own revenue, sector, records, employees, and data volume. This isn't a one-size-fits-all classifier. The result is unique to your organization, and only yours — no two companies will produce the same number.
Inputs to your per-GB calculation
Every category ships with built-in classifier coverage and pre-tagged sample logs from real vendor formats — no rule-writing required on day one.
A single lightweight ingest service accepts standard syslog (UDP/TCP), WebSocket streams, and JSON-over-HTTP. Once it's running against a syslog source, events begin flowing into the platform and get priced in the dashboard.
Syslog formats parsed natively:
SIEM webhooks accepted directly:
Two dozen+ sectors pre-tuned with loss-ratio overlays — Healthcare, Finance, Manufacturing, Utilities, IT services, Government, Retail, Media/Telecom, Education, and more.
A hospital and a hardware distributor with identical revenue do not get identical risk profiles. The engine knows that.
Dashboards arrive pre-built in your tenant the moment you sign in — hourly attack stats, attack summary by category, daily timeline, source activity, and session overview. Customise them; they survive every platform upgrade.
| Step | What happens | Where |
|---|---|---|
| 1. License | Get credentials and an agent install token | Web |
| 2. Install the agent | Single lightweight binary on a syslog-receiving host; point it at the firewall, IDS, or SIEM | Customer network |
| 3. Log in | Stages 1–4 are available in the customer's tenant; ROSI populates as events flow | Browser |
The customer-side footprint is one binary. The database, dashboards, identity, and analytics run on the managed platform.
Customer-side footprint: one lightweight syslog agent. That's it.
Vendor-side platform: edge gateway, web app, dashboards, identity, and analytics database — all operated, monitored, patched, and upgraded by us.
- Every platform URL passes through an identity gate before the application sees it
- Every priced row carries audit metadata so reviewers can trace any number back to its inputs
- Standard SaaS isolation between customer tenants
You don't operate any of this — we do. But buyers (especially CISOs and procurement) want to know what's under the hood. The platform is built on a deliberately boring, deliberately open foundation — components that have been widely deployed across the industry for years.
| Layer | Technology | Why it matters to a buyer |
|---|---|---|
| Operating System | openSUSE Leap Micro / SLE Micro | Immutable, transactional OS from SUSE — atomic upgrades, tiny attack surface |
| Container Runtime | Podman + systemd quadlets | Daemonless, rootless containers — no central daemon to compromise; OCI-standard |
| Identity & SSO | Keycloak | Mature open-source identity provider with OIDC, SAML, and LDAP federation; your team brings its own directory |
| Edge Auth Gateway | nginx + oauth2-proxy | Platform URLs gated by OIDC before they reach the app — auth at the edge |
| Database | PostgreSQL | Decades of production hardening; the boring choice that scales |
| Dashboards | Apache Superset | Open-source BI, SQL-native, drag-and-drop |
| Application Layer | FastAPI (Python) + Go | Python for readable business logic; Go for the ingest path — single static binaries, easy to audit |
The foundation layers are independently auditable and widely deployed in the industry.
OIDC at the edge gate. SAML or LDAP federation into your existing directory. Three default roles (Admin / Analyst / Viewer) map cleanly into your access-review process. Bring-your-own identity from day one.
None of the foundation layers are experimental — the platform builds on components that have been in production use across the industry for years.
Container images built on openSUSE Leap Micro and SUSE BCI base images — minimal, shell-free runtime layers, fast to patch, hard to exploit. The platform's supply chain is intentional.
Standard Postgres, standard OIDC, standard SQL underneath the dashboards — familiar tooling end to end, no proprietary file formats locking the data in.
Powered by PostgreSQL · Keycloak · Apache Superset · Podman · openSUSE — the same enterprise-grade open-source foundation that runs Fortune 500 production workloads.