Any thoughts on our analysis regarding case management and log storage? These are two technical decisions we made before writing a single line of code to bring down cost and increase value-for-money.
Staying within the tool to manage cases is good vs shelling out to Jira or another ticketing tool. Folks with purchasing authority typically want their analysts in the tool as much as possible (in my experience; you may find customers who want to open incidents elsewhere so keep that interface in mind).
Also a good choice in storing logs. Make a margin but don't be greedy, otherwise you turn into Splunk, where folks don't want to use the product effectively because they can't afford to. Make it easy to route logs to S3 cold storage or other "reliable enough" object storage systems based on criteria, while retaining the capability to retrieve them if needed for forensics or compliance/audit sampling. Log storage intervals are traditionally some variation of 30, 60, 90 days, a year, seven years, etc. Architect accordingly based on your customers' record retention schedule(s), control/compliance requirements, etc.
> you may find customers who want to open incidents elsewhere so keep that interface in mind
My large financial (and many in our peer group that I've talked to) see "open incidents elsewhere" (WorkDay in our case) as minimum table stakes. YMMV.
Well...that's a problem you need to think about. If all you see is how startups or SMB do this (or what people tell you on HN), you're going to be massively missing the mark when you talk to more large/enterprise customers. Things like "well of course Discord" will be met with "we use Teams", or even worse "yeah...we're still on Notes". I had one vendor recently who said "why would we ever need to integrate with Archer?"...well, we have a GRC requirement to attest to certain actions your tool is supporting, and our auditors look at Archer as a source-of-truth, and no one wants to manually update Archer with the output of your tool. Lightbulb moment.
Tl;dr - make integrations drop dead easy, because you never know what baroque workflow you're going to need to dovetail with to make the sale.
Tracecat is still in alpha, but it would be great to have your thoughts / opinions / feedback in our Discord community. We are anon-friendly. There's still a lot more we can innovate on.