Your alert firehose, collapsed into incidents
and explained.
Culprit ingests your alert firehose, correlates noise into a handful of real incidents, writes the probable root cause, and routes it where your team already lives. Customer hostnames, emails, and API keys are tokenized at the edge before any of that touches an LLM — so you get the AI without the breach-disclosure risk.
Alerts · live
firehose- 13:47:02checkout-apiHTTP 500 — connection refused (×4)
- 13:47:02postgrespgbouncer: <HOST_a3> exhausted — no_connections (max=512)
- 13:47:03cart-apiHTTP 503 — upstream timeout
- 13:47:03checkout-apip95 latency 4200ms (SLO 800ms)
- 13:47:04shipping-apidependent service cart-api returning 503
- 13:47:04deploy<SVC_b1> rolled out — git@<COMMIT_d2>
- 13:47:05rediseviction storm — 15k keys/s
- 13:47:05cdn-edgep99 latency 1.2s (SLO 200ms)
- 13:47:06auth-apitoken refresh storm — 412 retries/s
- 13:47:06auth-api<USER_e8> failed login (×9)
- 13:47:07inventoryHTTP 502 — backend unreachable
- 13:47:07checkout-apiHTTP 500 — connection refused (×2)
- 13:47:02checkout-apiHTTP 500 — connection refused (×4)
- 13:47:02postgrespgbouncer: <HOST_a3> exhausted — no_connections (max=512)
- 13:47:03cart-apiHTTP 503 — upstream timeout
- 13:47:03checkout-apip95 latency 4200ms (SLO 800ms)
- 13:47:04shipping-apidependent service cart-api returning 503
- 13:47:04deploy<SVC_b1> rolled out — git@<COMMIT_d2>
- 13:47:05rediseviction storm — 15k keys/s
- 13:47:05cdn-edgep99 latency 1.2s (SLO 200ms)
- 13:47:06auth-apitoken refresh storm — 412 retries/s
- 13:47:06auth-api<USER_e8> failed login (×9)
- 13:47:07inventoryHTTP 502 — backend unreachable
- 13:47:07checkout-apiHTTP 500 — connection refused (×2)
Incidents · 5
from 84+ eventsDatabase connection pool exhausted — db-primary-west-2.prod.internal
CRITICALdb-primary23 events2m
Deploy regressed checkout flow
HIGHshipping-api14 events5m
Cache eviction storm
MEDIUMredis8 events3m
Auth token refresh storm
MEDIUMauth-api5 events5m
CDN edge p99 latency drift
LOWcdn-edge3 events8m
Memory across incidents.
Most AI ops tools analyze each incident in isolation. Culprit cites the most similar resolved incidents on the same service, so each analysis builds on your team's own operational history. Mark an analysis wrong and it stops showing up next time.
Incident · live
Database connection pool exhausted — db-primary-west-2.prod.internal
CRITICALdb-primary23 events2m
db-primary-west-2.prod.internal. Commit a3f7b92 (config/db.ts, 18 minutes before first event) reduced pool.max from 100 to 20. 23/23 events occurred after deploy.Probably the same root cause as Connection pool exhausted — db-primary-west-2.prod.internal (post-deploy) — resolved 2026-04-25.
01 / 03 — Tokenization
Built to never see your data.
Your 3am database alert contains a real hostname, a real IP, maybe a real username in a stack trace. Forwarded to an LLM provider as-is, that text becomes training-accessible context you no longer control. Culprit encrypts payloads at the edge and tokenizes them before any downstream system — log lines, notifications, LLM prompts see placeholders only. Rehydration is scoped to authenticated users with matching tenant scope.
How tokenization worksWhat Culprit sends
alert: auth_failure host: <HOST_a3f9> email: <EMAIL_c44b> ip: <IP_b217> auth: Bearer <APIKEY_d8e9>
c4a81b. Token validator rejects requests issued > 30s ago.02 / 03 — Correlation
AI clusters noise into incidents.
Correlation happens on tokenized events, so the model never sees raw customer names, IP addresses, or ticket contents. You see a single incident with a ranked root-cause summary — not a page of alert notifications.
03 / 03 — Aligned incentives
$49 per service, flat.
Usage-based pricing creates an incentive to send less data — the wrong incentive when correlation quality depends on seeing the full picture. Culprit charges a flat rate per service, not per event: an outage week costs the same as a quiet one.
per service · per month
Flat · No overage · No caps
04 — Frequently asked
Questions we answer on every call.
$49 per service per month, flat. No metered overage and no tier jumps from heavy days — we bill for the connection, not the data volume. Sustained volume above ~500,000 events per service per month is a fair-use envelope where we'd suggest an Enterprise conversation, but almost no one hits it.
Your payload is encrypted at our edge the moment it arrives, then tokenized — hostnames, IPs, usernames all become placeholder IDs. Only the tokenized version flows to correlation, storage, LLM analysis, and notifications. Real values never leave your workspace in plaintext unless an authenticated user in your workspace explicitly reveals them. Compliance details (SOC 2 / HIPAA / BAA) available on request.
Point your existing alerting tools at our ingest endpoint — anything that can POST JSON over webhook. Setup runs ~15 min per service.
Encrypted payloads live in a vault. We store tokenized copies of events for correlation and display. Your PII never leaves your workspace in plaintext — not to logs, not to notifications, not to LLMs.
Flat pricing, tokenization at the edge, and AI correlation as a native capability rather than a paid add-on. Your sensitive data never leaves your workspace — we correlate patterns, not identities.
build d9b5312updated 2026-06-09no trackersno analyticsno third-party scripts