Self-Hosted Security Operations Platform — What Anubis Memphis Does Differently in 2026
If you've evaluated the modern security operations stack — Drata or Vanta for compliance, Datadog or Splunk for observability, CrowdStrike or SentinelOne for endpoint, plus a few other point tools — you've probably noticed the same thing we have. Almost everything in the space is now SaaS, and your security telemetry is the product they're aggregating. For most businesses, that's fine. For some, it's an architecture mismatch that costs real money to work around.
Anubis Memphis is the platform Aftershock Network ships through its Anubis Security division. It's self-hosted by design — every agent, every log, every alert, every compliance evidence artifact stays inside the customer's network. This article is the architectural argument for the platform, the buyer profile it's built for, and the comparison with the SaaS alternatives.
The structural problem with SaaS-only security operations
The way modern SaaS security tools work:
- An agent on your endpoint or in your VPC collects telemetry — system logs, network flow, authentication events, configuration state.
- That telemetry is shipped to the vendor's cloud.
- The vendor's cloud aggregates, correlates, alerts, and presents the dashboard.
This works great when:
- Your security telemetry isn't sensitive on its own.
- You don't operate in a regulated industry that treats telemetry as in-scope data.
- You're comfortable with vendor lock-in on data egress.
- SaaS pricing scales with your business in a way you're happy with.
For a lot of mid-market businesses, all of those are true. For some businesses, none of them are.
The break points we see:
- Healthcare operations where authentication and access logs themselves contain PHI references (which patient records were accessed, by whom, when) — shipping that to a SaaS observability vendor creates BAA-level vendor management overhead at minimum, and outright compliance exposure in the worst interpretation.
- Defense contractors and any operation handling ITAR or CMMC-scoped data, where the telemetry from systems handling regulated information is itself in scope.
- Financial services where transaction logs in your security pipeline contain regulated information.
- High-volume environments where SaaS observability pricing — typically $0.50-$3.00 per GB ingested — produces a five-figure-a-month bill at moderate scale.
- Air-gapped or low-bandwidth environments where SaaS SecOps simply isn't viable.
If any of these apply, the standard SaaS stack creates a tax — either compliance work to make it acceptable, ongoing cost, or both.
What Anubis Memphis does
Anubis Memphis is built around the inverse architecture. Same outcomes, different deployment model:
Agent-based collection. Lightweight agents deploy to endpoints, servers, and cloud workloads. They collect the standard telemetry — system logs, security events, configuration state, network flow.
Local log store. Telemetry lands in a local time-series store (we use Postgres for structured event data, ClickHouse for high-volume time-series logs, configurable depending on volume). Retention policy is yours to set, not the vendor's pricing tier.
Correlation and detection. Detection rules run against the local store. Rules are version-controlled, customizable, and ship with a default set covering common attack patterns, compliance-relevant controls, and operational drift indicators.
On-prem AI triage. When an alert fires, an LLM running locally (Ollama by default, vLLM in higher-throughput deployments) summarizes the underlying telemetry, suggests classification, and proposes a triage action. The log data, alert, and AI response all stay inside your perimeter.
Compliance evidence pipeline (Maat agent). The Maat agent continuously collects evidence relevant to SOC 2, HIPAA, ISO 27001, and similar frameworks — access logs, configuration snapshots, control attestations, change records. Evidence is organized by control, timestamped with RFC 3161 cryptographic anchors, and produced as an audit-ready package on demand.
Incident response integration. Alerts route to existing IR tooling — PagerDuty, Opsgenie, Slack, custom webhooks, email, SMS via Beacon (our own SMS infrastructure if you want it self-hosted end-to-end).
Audit-ready reporting. Compliance dashboards, control evidence packages, attack-path investigations, and operational reporting all generate inside the platform. Reports export as PDFs or structured data. No vendor dashboard you can't access during a connectivity outage.
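The on-prem AI triage step above only keeps data inside the perimeter if the model endpoint itself is internal. The following is an added example, not Anubis Memphis code: it builds a request for Ollama's `/api/generate` endpoint and refuses any base URL that is not loopback or a private address. The alert fields, the `llama3.1` model tag, and the list of internal ranges are assumptions made for illustration.

```python
import ipaddress
import json
import urllib.request
from urllib.parse import urlsplit

# Ranges treated as "inside the perimeter" (assumption: adjust per site).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7")]

# Constructed sample alert; field names are hypothetical, not a product schema.
SAMPLE_ALERT = {
    "rule": "auth.bruteforce",
    "host": "ehr-app-02",
    "events": ["5 failed logins for user jdoe from 10.20.4.17",
               "successful login for user jdoe from 10.20.4.17"],
}

def endpoint_is_internal(url: str) -> bool:
    """Accept only http(s) URLs whose host is 'localhost' or a literal
    internal IP. Other hostnames are rejected: DNS could point them outside."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.hostname == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def build_triage_request(alert: dict, base_url: str, model: str = "llama3.1"):
    """Build (but do not send) a POST to /api/generate on a local Ollama."""
    if not endpoint_is_internal(base_url):
        raise ValueError(f"refusing non-internal triage endpoint: {base_url}")
    prompt = ("Summarize this alert, suggest a classification, and propose "
              "a triage action.\n" + json.dumps(alert, indent=2))
    body = json.dumps({"model": model, "prompt": prompt, "stream": False})
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/generate", data=body.encode(),
        headers={"Content-Type": "application/json"}, method="POST")

if __name__ == "__main__":
    req = build_triage_request(SAMPLE_ALERT, "http://127.0.0.1:11434")
    print(req.get_method(), req.full_url)
```

Pair a client-side check like this with an egress firewall rule on the triage host, since the check only covers the URL the caller supplies.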
How it compares to the SaaS alternatives
| Capability | Anubis Memphis | Drata / Vanta | Datadog SIEM | Splunk Cloud |
|---|---|---|---|---|
| Deployment model | Self-hosted in customer environment | SaaS | SaaS | SaaS (Splunk Enterprise also self-hosted) |
| Telemetry leaves perimeter | No | Yes (to vendor cloud) | Yes (to Datadog) | Yes (Cloud version) |
| Compliance evidence collection | Yes (Maat agent) | Yes (primary purpose) | Limited | Via add-ons |
| Real-time alerting | Yes | Limited (compliance focus) | Yes (primary purpose) | Yes |
| AI triage | Yes (on-prem) | Limited | Yes (cloud AI) | Yes (cloud AI) |
| Per-employee pricing | No | Yes | Partial | Partial |
| Per-GB ingestion pricing | No | N/A | Yes | Yes |
| BAA / regulated industry overhead | None — vendor doesn't process telemetry | Vendor BAA required for HIPAA | Vendor BAA required | Vendor BAA required |
| Time to deploy | 3-8 weeks | 2-4 weeks | 1-2 weeks | 2-6 weeks |
| Approximate annual cost (mid-market) | $40K-$120K | $25K-$150K + auditor | $50K-$300K | $75K-$400K |
The trade-offs are real:
- SaaS options deploy faster. Drata or Vanta can be ingesting evidence within 2 weeks; Anubis Memphis needs 3-8 weeks because we're deploying infrastructure into your environment.
- SaaS options spread their cost across customers, so very small operations may find SaaS cheaper.
- SaaS options ship feature updates continuously without operational work on your side; self-hosted means we (or you) manage upgrades.
The cases where self-hosted wins decisively:
- Regulated industries where vendor-as-business-associate is structurally painful.
- High-volume environments where SaaS ingestion pricing breaks the budget.
- Air-gapped or low-bandwidth environments where SaaS isn't viable.
- Multi-tenant or sovereignty-sensitive situations (EU operations, gov contractors) where telemetry residency matters.
- Environments where the security team values control over data and tooling above operational simplicity.
How Anubis Memphis is deployed
Standard deployment phases:
Week 1-2: Scoping. We map your environment — endpoints to instrument, log sources to ingest, compliance frameworks in scope, existing IR tooling to integrate with. Output is a deployment plan and a clear answer on what Anubis Memphis will and won't replace.
Week 2-3: Pilot deployment. Agents deploy to a representative subset — typically a handful of endpoints, one or two server fleets, key cloud accounts. The platform comes up in your environment with a default detection rule set and the Maat compliance agent active.
Week 3-5: Tuning. Detection rules are tuned to your environment. False positives get suppressed or refined. Compliance evidence collection is mapped to your specific control framework. AI triage prompts are adjusted to your alert volume and team workflow.
Week 5-7: Rollout. Full agent deployment, full evidence collection, full alerting. Integration with PagerDuty / Slack / email / SMS for incident response. Initial compliance evidence package generated.
Week 7+: Operate. Either your security team operates the platform, or we operate it for you under a managed service. Compliance packages generate on demand. Detection rules evolve with your environment.
Complex environments — multi-region, FedRAMP-flavored, M&A integrations — can extend the timeline. Most engagements land in the 4-8 week range.
When Anubis Memphis is NOT the right answer
The honest answers:
- You're under 25 employees, single-region, no regulated data. A combination of CrowdStrike Falcon (or similar EDR), Datadog Lite, and a manual compliance approach is probably cheaper. Come back when you scale.
- You need a SaaS dashboard your customers or auditors can log into directly. Some auditors prefer cloud-based evidence repos with their own access. Self-hosted means evidence packages are exported to auditors rather than browsed by them in a live portal.
- Your security team is purely SaaS-native and doesn't want operational ownership of the platform. Managed operation is available, but if the team's posture is "we don't run infrastructure," that's a real signal.
- You have an existing SaaS contract with three years remaining. The economics rarely favor breaking a sunk-cost contract early.
What this costs
Typical Anubis Memphis engagements:
- Deployment: $25,000-$80,000 one-time, depending on environment scope, integration complexity, and compliance framework breadth.
- Annual license + maintenance: $12,000-$48,000, depending on agent count and platform features.
- Optional managed operation: $3,000-$8,000/month, depending on volume and response SLAs.
For most mid-market deployments, total 3-year cost runs $120,000-$280,000 including managed operation. The equivalent SaaS stack (compliance + observability + SIEM + endpoint at the same scope) typically runs $300,000-$900,000 over 3 years, plus the vendor management overhead.
For businesses that want to spread the deployment cost over time, the Aftershock Operator Model offers a smaller upfront payment plus monthly installments. Terms are agreed during the discovery call once we understand your situation.
When to talk to us
If you're evaluating SaaS security operations and the data egress is bothering you, or you've already hit the SaaS pricing wall, we'll walk through your specific environment in a discovery call. We'll tell you honestly whether Anubis Memphis is the right fit or whether SaaS is still the better answer for your specific situation. No pitch, no obligation — we'd rather not deploy where it doesn't fit.
Frequently asked questions
What is Anubis Memphis?
Anubis Memphis is the self-hosted security operations platform shipped by Aftershock Network's Anubis Security division. It runs inside the customer's environment as an agent suite, handling log ingestion and correlation, endpoint posture monitoring, compliance evidence collection (via the Maat agent), threat detection with on-prem AI-assisted triage, and audit-ready reporting. The architecture is opinionated about one thing — security telemetry doesn't leave your network unless you explicitly choose to send it.
How is self-hosted SecOps different from Drata, Vanta, or Datadog?
Drata and Vanta are SaaS compliance-evidence platforms — they sit on top of your existing infrastructure and pull evidence into their cloud for the audit workflow. Datadog and similar are SaaS observability platforms that ingest your logs into their cloud for monitoring. Anubis Memphis runs everything inside your perimeter — the log store, the correlation engine, the AI triage models, the compliance evidence repository all live on your servers. You get the same outcomes (audit-ready evidence, real-time alerting, threat detection) without sending telemetry to a third party.
Who is self-hosted security operations the right fit for?
Self-hosted SecOps is the right fit when any of these are true — (1) your log data is itself sensitive (healthcare PHI in audit logs, financial data in transaction logs, classified or ITAR information); (2) you're in a regulated industry where sending security telemetry to a third-party SaaS creates compliance exposure (defense contractors, large healthcare systems, EU operations under stringent GDPR interpretations); (3) per-employee SaaS pricing has crossed the point where self-hosted is cheaper over 2-3 years; (4) you operate in an air-gapped or low-bandwidth environment where SaaS isn't viable.
What does Anubis Memphis actually monitor?
The standard deployment monitors — endpoint security posture (EDR signals, configuration drift, patch state), authentication and access logs (login attempts, privilege escalations, anomalous access patterns), application and infrastructure logs (web servers, databases, cloud control planes), network telemetry (flow logs, DNS queries, suspicious egress), and compliance-control evidence (the Maat agent gathers SOC 2 / HIPAA / ISO 27001 evidence continuously). Detection rules and AI-assisted triage run on this data inside your environment, with alerts going to your existing incident response workflow.
How does the AI-assisted triage work without sending data to OpenAI or Anthropic?
Anubis Memphis uses self-hosted Ollama (or vLLM in higher-throughput environments) running open-weight models (typically Llama 3.x or Mistral variants) on infrastructure you control. When an alert fires, the AI summarizes the underlying telemetry, suggests an initial classification, and proposes a triage action. The log data, the alert detail, and the AI's response all stay inside your network. No external API calls, no per-query cost, no telemetry leaving the perimeter. We chose this architecture specifically because it's the difference between "AI for security" and "AI for security that won't fail a HIPAA or defense audit."
How long does an Anubis Memphis deployment take?
A standard deployment takes 3-8 weeks depending on environment complexity. The phases — (1) environment assessment and scoping, 1-2 weeks; (2) agent deployment to a representative subset, 1-2 weeks; (3) detection rule tuning to your environment, 1-2 weeks; (4) full rollout and integration with existing incident response tooling, 1-2 weeks. Complex multi-region or regulated-industry deployments can take longer, especially when audit reviews of the platform itself are required before go-live.
What does it cost to run Anubis Memphis vs SaaS alternatives?
Anubis Memphis is structured as a deployment + license + optional managed operation. Deployment is typically $25,000-$80,000 depending on environment scope. Annual license + maintenance runs $12,000-$48,000. Optional managed operation (we run it for you) runs $3,000-$8,000/month. Compared to SaaS — Drata/Vanta typically run $25K-$200K/year for mid-market plus auditor pass-throughs; SaaS SIEM (Splunk Cloud, Datadog SIEM, Sumo Logic) typically runs $50K-$300K+/year at moderate volume. The math favors self-hosted at moderate-to-large scale, especially in regulated industries.