Cribl nibbles up CardinalOps to serve up no quibble AI detection engineering
AI telemetry company Cribl this week acquired CardinalOps, an agentic detection engineering company.
The move is designed to add “detection engineering capabilities” to Crible that help users improve threat coverage, lower data costs and strengthen their security operations centres (SOCs) as they move away from legacy Security Information and Event Management (SIEM) architectures.
Hang on, was that detection engineering capabilities?
Yes, in this context, detection engineering capabilities means the automated creation (and optimisation and maintenance) of precision-engineered security rules within the data pipeline, allowing software engineers operating inside SOCs to identify threats without relying on legacy databases.
Cribl says that security teams are under pressure to process more telemetry, move faster against threats, and control the rising cost and complexity of their environments.
Telemetry validates & improves detections
Injecting CardinalOps into the Cribl platform (it claims) will help users use telemetry to validate and improve detections and do it in a way that lets teams use the tools and architectures that make the most sense for their environment.
“Security teams do not need more disconnected tools. They need a better way to turn telemetry into effective detections and outcomes,” said Clint Sharp, co-founder and CEO of Cribl.
Sharp suggests that CardinalOps strengthens his firm’s platform and by adding deep detection engineering capabilities to the open data infrastructure its users rely on.
“[This new addition also] serves as the foundation for a complete, open alternative to the SIEM stack they’ve outgrown,” said Sharp.
Sharp and team talk of the company’s federated model that lets users search and work across telemetry where it already lives, without forcing everything into another centralised system.
Foundational detection engineering
With CardinalOps, Cribl claims to now be adding foundational detection engineering capabilities to its AI platform, bringing the same open, AI-native model to the SIEM category itself. So that means everything a SIEM does, on telemetry infrastructure customers already own.
That federated foundation also allows Cribl to layer new security and observability solutions on the same shared telemetry foundation, giving customers more flexibility and better economics as they modernise their environments in the AI era.
CardinalOps uses AI to map security controls against real-world adversary behaviour. It automates detection engineering tasks, helping teams identify and eliminate coverage gaps, find and fix broken or noisy rules, and unlock the full value of their existing security stack.
According to Michael Mumcuoglu, co-founder and CEO of CardinalOps, CardinalOps was built so SOC teams could understand and improve coverage instead of just managing more noise.
What should developers think?
The question arises then: what should software and DevOps engineers think about Cribl’s acquisition of CardinalOps?
This move may shine light on a shift: as we know, security is sifting left across (well, leftwards) along the data pipeline. So instead of routing raw, unfiltered logs to older SIEM databases, software application developers can now deploy an automated portion of agentic threat detection, right down at the routing layer, which means developers need to consider detection rules as code… and that in turn means those rules are version-controlled, tested and optimised.
This may lead to less (sorry, fewer) alert-fatigue-inducing false positives and also open the door to a more streamlined level of telemetry management, all of which could enable software programmers to focus on what they like to do – building features – instead of wrangling with security infrastructure.
With this acquisition, Cribl will also establish a new office in Tel Aviv.
