Cribl Buys CardinalOps to Close the Gap Between Collecting Security Data and Acting on It
The $3.5 billion data-pipeline company moves beyond simply gathering security information, adding AI-powered tools that tell defenders where their defences are actually failing.

Key points
- Cribl, a San Francisco security-data company valued at $3.5 billion, announced the acquisition of CardinalOps on Tuesday.
- CardinalOps uses artificial intelligence to find gaps in a company's security detection rules and map them to a widely used attack framework called MITRE ATT&CK.
- Cribl's platform is already used by more than half of the Fortune 100, the hundred largest companies in the United States.
- Cribl grew from $1 million in annual recurring revenue to over $300 million in under seven years.
- An industry analyst warns the deal only delivers value if the two products are tightly integrated, not simply bundled together.
Cribl built its name solving a surprisingly expensive problem: companies collect enormous amounts of security data, send it to too many different tools, and pay a fortune to store information they cannot properly use. More than half of America's hundred biggest companies now run Cribl's platform to sort, route, and control that data flood.
Buying CardinalOps is a different kind of move. It pushes Cribl from the plumbing into the decision-making.
What does CardinalOps actually do for ordinary security teams?
CardinalOps uses AI to inspect a company's detection rules, which are the instructions a security system uses to recognise an attack, and checks whether those rules cover the full range of known criminal tactics. It does this by mapping the rules to MITRE ATT&CK, a publicly maintained catalogue of real-world hacking techniques used by security teams worldwide as a benchmark for measuring how well-protected they are.
When a rule is broken, out of date, or generating so many false alarms that staff ignore it, CardinalOps flags it. Nicole Beckwith, Cribl's senior director of security engineering and operations, says the result is concrete: "They find and fix those broken and noisy rules and then unlock the value of your entire security stack."
Beckwith herself previously ran detection and response at Kroger, the US grocery giant, which used both Cribl and CardinalOps before the deal. She joined Cribl specifically because she believed in the direction the company was heading.
Sean Sosnowski, research director at Software Analyst Cyber Research, calls the acquisition logically sound. He says combining data control with detection-gap analysis helps security teams move from the vague complaint of "we have too much data" to the specific answer of "we know which data matters for the detections we need." That is a meaningfully stronger position for a security operations centre, the team inside an organisation responsible for spotting and responding to attacks.
Sosnowski does add a practical caution. If the two products stay loosely connected rather than becoming a genuinely unified tool, the real-world benefit will be limited. Integration depth matters.
Cribl was founded in 2018 by former engineers from Splunk, a well-known data analytics company. It crossed $100 million in annual recurring revenue in under four years, then kept climbing past $200 million and later $300 million. A funding round led by GV in 2024 raised roughly $320 million and set the company's valuation at $3.5 billion. CEO Clint Sharp has said publicly that he sees Cribl eventually going public on a stock exchange.
For employees at companies that run Cribl, CardinalOps, or competing SIEM products (SIEM stands for Security Information and Event Management, software that collects and analyses security alerts from across an organisation), the practical takeaway is straightforward: security teams using Cribl should expect new tools designed to automatically surface detection blind spots, ideally before attackers find them first.



