Cribl buys CardinalOps for detection engineering, edges into SecOps

Erstwhile Splunk nemesis adds a "SIEM-like" experience, with IP and engineering from CardinalOps folded into its "Bring Your Own Agent" pitch to IT buyers.

Observability challenger Cribl laid the groundwork for expansion into SecOps tools this week by acquiring CardinalOps, as the company competes for enterprise attention amid a crowded AI data management landscape.

Cribl, which started as a log management system that reduced the data users sent to Splunk's analytics backend, has since pivoted toward an IPO, focusing on AI-based telemetry management and data routing tools that plug into multiple observability and security systems.

This is Cribl's first step beyond data routing and management into providing data analytics content. In this case, CardinalOps, which has offices in Boston and Tel Aviv, will contribute content in detection engineering, the process of mapping the observed behavior of users and systems to recognized attack signatures documented by standard frameworks such as Mitre ATT&CK.

Detection engineering is a key component of security information and event management (SIEM) systems. Cribl is headed in that direction with the acquisition of CardinalOps' IP and some 200 security engineers, according to Cribl CEO and co-founder Clint Sharp in an interview with TechTarget this week.

Clint Sharp, CEO and co-founder, CriblClint Sharp

"We needed to bring that DNA into the company as we continue to expand, responding to the pull we're seeing from our customers to be a more full-stack security company," Sharp said.

Detection engineering fits well with Cribl's experience at the data control layer, said Sean Sosnowski, a research director at Software Analyst Cyber Research in Toronto, in an email to TechTarget this week.

"Security teams are no longer only asking how to collect and route telemetry more efficiently; they are asking whether their data architecture actually improves detection coverage," Sosnowski wrote. "CardinalOps adds a detection posture layer that can identify coverage gaps, rationalize SIEM content, map detections to frameworks like Mitre ATT&CK, and help teams understand whether they have the right detections for the threats they care about."

Standing out from the AI data management crowd

This move by Cribl sits at the nexus of multiple industry trends as enterprises struggle to move AI agents into production at scale: emphasis on a strong telemetry and data foundation for agent context; consolidation of observability and security monitoring data, tools and companies; expanded "Bring Your Own Cloud" support for SaaS observability tools; and AI's effect on software UX, where end users increasingly use bespoke agents instead of packaged user interfaces.

In an agentic future, what customers are going to be looking for is a place where they can put petabytes of telemetry data, but they don't necessarily want the user experience a vendor designed for them.
Clint SharpCEO and co-founder, Cribl

Given those multiple industry inflection points, Cribl also faces a broad array of potential competitors -- some of them its partners -- as it integrates CardinalOps. In addition to established SIEM and security platform vendors such as Splunk, Microsoft Sentinel, Palo Alto Networks, Google SecOps, Elastic and Datadog, Cribl must also differentiate itself from data management generalists such as Snowflake, which bought the observability startup Observe in January, and Databricks, which acquired the AI security operations center company Panther Labs in June.

None of that is lost on Sharp, who said Cribl plans to compete on its existing strengths in observability with a flexible, customizable approach to SecOps tools.

"We're giving you the same output as you are getting from a SIEM, hopefully significantly more cost-effective, and then with a platform-first approach, you can start to build your own experiences," Sharp said. "In an agentic future, what customers are going to be looking for is a place where they can put petabytes of telemetry data, but they don't necessarily want the user experience a vendor designed for them."

 As Splunk and other vendors have in the past, Cribl charges based on data volume, but Sharp claimed its pricing also significantly undercuts competitors' rates.

"We're trying to give [customers] double the data for the dollar," he said. "There's an old [Jeff] Bezos adage: 'Your margin is my opportunity.' That's just what we're doing."

Meanwhile, Cribl also offers a more purpose-built, packaged backend for telemetry data than general-purpose data analytics systems such as Snowflake or Databricks, Sharp said.

"Our buyers don't have time to write ETL jobs," he said. "They just need to be able to collect log data and metric data and tracing data [with] all the properties of a data warehouse, but [they] don't want to have to manage schemas and data definition language and all the stuff that goes along with doing databases."

SIEM scaffolding, not a full structure

Still, Sharp and a company press release this week were careful to call CardinalOps' initial integration "SIEM-like" rather than positioning it as an immediate replacement for a full SIEM platform.

While detection engineering is a major piece of the puzzle, Cribl would still need a few other key components to become a full-fledged SIEM. Threat intelligence and threat-hunting workflows are the most significant gaps Cribl must fill to reach full SIEM status, said Michelle Abraham, an analyst at IDC, in an interview with TechTarget.

"With Cribl Search, they have that part of the capability -- with all of the data that they have in there, you know, you can do proactive threat hunting by querying it yourself," Abraham said. "Many of the SIEM vendors have their own threat intelligence teams in addition to being able to bring in threat intelligence from outside providers."

Established SIEMs also offer stronger native analytics, investigation workflows, case management, detection content, alert triage and response workflows, and analyst experiences, Sosnowski wrote.

"Cribl is approaching the market from a different control point," he wrote. "Its near-term role is more likely to be a vendor-neutral layer that helps enterprises decide what telemetry matters, where it should go, and how it supports detection coverage across the tools they already use."

Other emerging security vendors have tried to differentiate with the "Bring Your Own" approach in the past, which often works well for early adopters with the expertise to build tools in-house, Abraham said. But established SIEM vendors also support AI agents as an interface; as SecOps processes mature, "Bring Your Own" often migrates back toward outsourcing to a vendor, she said.

"In my experience of looking at this from the outside, an enterprise may build something themselves, thinking, 'We can do better than what's in the market,'" Abraham said. "The thing is, are you able to maintain it to be better than what's in the market? That tends to trip a lot of organizations up when, two years later, they're looking at what they built versus what's in the market, and they're going, 'Oh.'"

Beth Pariseau, senior news writer for Informa TechTarget, is an award-winning veteran of IT journalism. Have a tip? Email her or connect on LinkedIn. 

Dig Deeper on IT systems management and monitoring