What Cribl bought, and for how much

The deal moves Cribl from plumbing into detection. On 14 July 2026 Cribl, whose platform routes and reshapes security and observability data, said it would acquire CardinalOps, an AI detection-engineering company. Cribl did not disclose the price; reporting put it at around 100 million dollars. CardinalOps was founded in early 2020 by Michael Mumcuoglu and Yair Manor, veterans of Israel's Unit 8200 whose earlier companies were bought by Palo Alto Networks and Microsoft, and Cribl will open a Tel Aviv office to keep the team.

Clint Sharp, Cribl's co-founder and chief executive, said security teams do not need more disconnected tools, they need a better way to turn telemetry into effective detections. Mumcuoglu said joining Cribl lets his team bring detection directly into the telemetry layer. Javier Garcia Quintela, global chief information security officer at the Spanish energy group Repsol, praised the combination for strengthening detection while controlling cost, which is the whole argument in one sentence.

The SIEM cost model is the real target

The thing being attacked is not a competitor product, it is a pricing habit. A traditional SIEM asks you to ship every log into one central store, pay by the gigabyte to keep it there, and then pay again to run detections on top. As data volumes grew with cloud and AI workloads, that bill became one of the largest and least controllable lines in a security budget, and teams started dropping data they should keep just to manage cost.

Cribl already sits upstream of that store, deciding what telemetry goes where. By adding detection engineering, it can offer to run the detections on the data in place, on the pipeline the customer already operates, instead of forcing everything through a per-gigabyte SIEM first. That is why the company frames the result as an open alternative to legacy SIEM architectures rather than another tool bolted on beside them.

What agentic detection engineering means for your SOC

Detection engineering is the unglamorous work that decides whether an alert ever fires. Someone has to write the rules that catch an attacker, keep them mapped to real adversary behaviour, retire the ones that flood analysts with noise, and find the gaps where nothing is watching at all. In most security operations centres this is done by hand, slowly, and it silently rots as attackers change.

CardinalOps automates that loop with AI agents: it measures your detection coverage against known attacker techniques, flags where you are blind, and proposes or fixes rules. For an owner the practical promise is fewer missed attacks and fewer wasted analyst hours, without hiring a scarce detection-engineering specialist. The practical caution is that an automated rule set still needs human ownership, because a detection you do not understand is a detection you cannot defend.

The trade: a smaller ingest bill, a bigger single vendor

Lower cost and more concentration are the same decision here. Routing detection through the pipeline you already run can genuinely shrink the volume you pay a legacy SIEM to ingest. But it also hands more of your security stack to one supplier: the same vendor now shapes your telemetry, decides what you retain, and increasingly owns what you detect on. That is leverage, and leverage eventually shows up in a renewal quote.

None of this makes the deal a bad one. It makes it a choice an owner should make deliberately rather than drift into. The right question is not whether Cribl's pitch is attractive, it clearly is, but whether you are comfortable with the same company holding the pipe, the storage decision and the detection logic, and what your exit looks like if that bundle stops serving you.

What owners should weigh now

You do not need to act this quarter, you need to read before you renew. Pull your current SIEM contract and separate two numbers: what you pay to centralise and retain data, and what you pay for the detections that actually protect you. The Cribl-CardinalOps model is a bet that those two can be unbundled, and that most buyers are overpaying for the first to get the second.

Under NIS2 and DORA, weak detection is now a compliance exposure as much as a security one, because you must spot and report serious incidents on a clock. That raises the value of better detection engineering and the cost of tolerating blind spots. Treat this acquisition as a prompt to ask whether your SOC is paying for storage or for outcomes, before your next vendor conversation, not after.