Bastion builds trusted stablecoin infrastructure for global enterprises and financial institutions. Their security team uses RunReveal's AI-native platform to run a high-signal detection and response program without the overhead of traditional SIEM tooling.
"Just shifting to relying on the RunReveal AI chat agent was a mental shift, but it has supercharged what we're able to do."
Josh Mac, Staff Security Engineer, Bastion Platforms
Bastion builds trusted financial infrastructure for clients that want to securely issue, move, custody, and convert stablecoins. Their full stack solution spans stablecoin issuance, global orchestration services, and secure custody of digital assets.
Before RunReveal, Bastion's security monitoring was distributed across a handful of specialized platforms: one for observability, one for endpoint and runtime detection, and more.
While each platform did its job, Bastion wanted a unified view across its entire stack to better establish a baseline for its activity. "We wanted a 360 degree view across our entire platform," Josh said, "which allows us to be even more proactive in identifying suspicious or abnormal activity."
They wanted a platform that could surface signal proactively, not just one that required constant manual effort to stay oriented.
When Bastion started evaluating vendors, they weren't looking for another point tool: They needed a platform that could handle triage, surface signal without hand-holding, and free up the security team to focus on real threats rather than maintenance overhead.
One of the early things that stood out to Josh about RunReveal was that it runs on SQL. After years of working in SIEMs with proprietary query languages, the difference was immediate.
"They [legacy SIEMs] all have their own learning curve, especially around queries," he said. "Having SQL [in RunReveal] back up all the data sources is very helpful. It lets me hop in and start asking questions directly. And if another engineer has questions they want to ask of the data, they can use SQL too — it's a well-known language."
But over time, Bastion's security team found themselves relying less on raw SQL and more on RunReveal's AI chat agent. The shift happened naturally as they realized what the agent could do. An early example: they knew employees were successfully authenticating and accessing services within the Kubernetes cluster, but the full picture — from login through container-level command execution — had never been reconstructed in one place.
"Other platforms often force the user to stitch together a timeline of activity in their own environment," Josh said. "After just one conversation with the AI chat agent, it was able to answer our questions and create monitoring dashboards, giving our team a full picture of actions from human authentication all the way into the container."
That was the moment the mental model shifted: Less query iteration, and more natural language conversation.
The most immediate operational win came from detection tuning. Bastion runs recurring infrastructure maintenance — Kubernetes upgrades, rolling restarts, routine administrative tasks — and every one of those operations generated high alert volume, even if the activity was expected.
The Bastion security team worked with the RunReveal team to build a detection agent and a tuning agent for its maintenance protocols. The tuning agent learned to identify the patterns, people, and services associated with standard maintenance activity and classify them as expected behavior. The result: roughly 40 to 45% of alerts resolved as maintenance noise, gone from the queue.
The remaining alerts are higher signal. Weekly and bi-weekly agents continue scanning for deviations. And instead of the security team checking in on the alerts manually, the agents surface summaries and push them to the team.
"Instead of going into the SIEM every day and sort of poking around, having the output from the detection agent, sharing the summaries — it's just a much more streamlined workflow compared to what a traditional detection and response team would do."
Security teams used to spend hours on individual investigations. Now security teams like Bastion let the RunReveal agent handle the repetitive tuning work, surface the summaries, and ultimately enable the team to focus on what actually needs human judgment.
The next frontier for Bastion's program is user behavior analytics. Bastion's security team is using RunReveal's AI agent to run standard deviation calculations across individual, team, department, and company-wide activity — day over day, week over week, out to 90 days — to establish what normal looks like and flag when something falls outside of it.
"That is always an ongoing process," he said. "You're never done. Having a streamlined way where the agent can learn off of the previous hour, day, week, month is very useful."
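The baselining described above, sketched as an added example (not RunReveal's or Bastion's code): a trailing 90-day mean and standard deviation per entity, scored at the individual, team and company level. The event tuple layout, the 14-day minimum history, the 3-sigma threshold and the sigma floor are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

WINDOW_DAYS = 90   # trailing baseline window named in the text
MIN_HISTORY = 14   # assumption: days of history required before scoring
Z_THRESHOLD = 3.0  # assumption: flag deviations of 3 sigma or more
SIGMA_FLOOR = 1.0  # assumption: keeps a perfectly flat baseline from dividing by zero

def rollup(events, level):
    """Sum daily counts per entity; events are (day, user, team, count) tuples."""
    series = defaultdict(lambda: defaultdict(int))
    for day, user, team, count in events:
        entity = {"user": user, "team": team, "company": "all"}[level]
        series[entity][day] += count
    return series

def flag_outliers(events, level, today):
    """Return {entity: z} where today's count is far from the trailing baseline."""
    flagged = {}
    for entity, daily in rollup(events, level).items():
        start = max(min(daily), today - timedelta(days=WINDOW_DAYS))
        # Days without events count as zero so quiet days shape the baseline too.
        history = [daily.get(start + timedelta(days=i), 0)
                   for i in range((today - start).days)]
        if len(history) < MIN_HISTORY:
            continue  # too little history to call anything abnormal
        sigma = max(pstdev(history), SIGMA_FLOOR)
        z = (daily.get(today, 0) - mean(history)) / sigma
        if abs(z) >= Z_THRESHOLD:
            flagged[entity] = round(z, 2)
    return flagged

def sample_events(today):
    """Constructed data: bob is steady (4-6/day), alice is noisy (100-300/day)."""
    events = []
    for i in range(1, 31):
        day = today - timedelta(days=i)
        events.append((day, "alice", "platform", 100 if i % 2 else 300))
        events.append((day, "bob", "platform", 4 if i % 2 else 6))
    events += [(today, "alice", "platform", 200), (today, "bob", "platform", 15)]
    return events

if __name__ == "__main__":
    today = date(2024, 3, 31)
    for level in ("user", "team", "company"):
        print(level, flag_outliers(sample_events(today), level, today))
```

Bob's jump to 15 is ten sigma from his own baseline but disappears in the team and company rollups, which is why the baseline is kept at each level.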
Security engineers know what a traditional D&R workflow looks like: constant query iteration, hours spent reconstructing timelines, weeks of fine-tuning that never quite sticks.
RunReveal changed that model for Bastion. Detection agents handle the repetitive tuning work. The AI chat reconstructs timelines in minutes. User behavior baselines update continuously as the company evolves. And when something actually needs human judgment, the Bastion security team is ready for it.
Josh's advice to other security practitioners is simple: "Shift away from that mental model of iterating over query after query. Relying on the AI chat agent was a mental shift, but it has supercharged what we're able to do."
For Bastion, that shift isn't just a workflow improvement. It's what makes running a serious detection and response program possible in the first place.