The Data Battle
For years, CrowdStrike has been on a mission to build a fully unified security platform, expanding from EDR to cloud security and identity protection. Lately, one of their largest shifts has been moving towards a unified SIEM and SOAR platform for full lifecycle coverage of data ingestion, enrichment, alerting, and response.
On August 27th, 2025, CrowdStrike announced a $290 million acquisition of Spanish data pipeline company Onum. The ultimate goal of the acquisition is full platform integration of key features such as increased onboarding and ingestion speed, in-platform filtration and enrichment, and most importantly, alert generation at ingestion time, before logs have even been sent to storage.
Cribl
For the last 4 years, CrowdStrike has been partnered with Cribl, a company that also handles data pipeline streams and data transformation. Their partnership even has a custom integration known as CrowdStream, which leverages Cribl to better merge the two platforms for customer usability. Onum could be considered a direct competitor to Cribl, as both platforms handle many of the same functions. While the overlap is not 100%, there is time yet for feature parity. As it stands, Cribl is vendor-neutral: it does not work only with CrowdStrike, which makes it a great choice for diverse, potentially multi-SIEM environments.
Onum
Founded in 2022, Onum has an architecture built for speed and efficiency, bringing innovation to the data management space. Some of its biggest advantages are its notable speed and optimizations that drive down data handling costs. These factors led CrowdStrike to acquire Onum and integrate it into the Falcon platform. CrowdStrike claims up to 5x the rate of event processing per second, reduction of cost by up to 50% for data storage, and up to 70% faster incident response with 40% less ingestion overhead.
All of that is to say, CrowdStrike is placing its bets on Onum being their pipeline and filter of choice. However, this does not completely leave Cribl out in the cold. Their partnership may be in for some rocky waters, but it is not likely to spell the end for Cribl by any means.
Partnership Implications
While we do not yet have all the details on this acquisition, we can make some assumptions about the future state of the integration of Onum into the Falcon platform. With the current CrowdStrike-Cribl partnership of CrowdStream, the NG-SIEM data lifecycle is dependent on a third-party service for data processing and transformation. If Onum is integrated into the platform, it will essentially replace the functions that Cribl and CrowdStream serve for NG-SIEM. However, Cribl itself still has its own standalone platform and can provide connections to a multitude of other SIEMs.
While not a common setup, it is not unheard of for companies to leverage multiple SIEM platforms for various reasons: cost, retention, or data use cases. At the time of writing, neither CrowdStrike nor Cribl has made an official statement indicating a splitting of partnerships. Obviously this integration will take some time to make its way to the CrowdStrike platform, but Cribl will still have a strong customer base composed of other SIEM users.
For multi-SIEM enterprises, Cribl remains essential. Large organizations rarely send all their data to one place. They may route security logs to CrowdStrike, observability data to Datadog, and dense data archives to a data lake like Snowflake. Cribl’s ability to enable multi-destination data handling is a requirement that Onum will be unable to fulfill when integrated with CrowdStrike alone.
Stalemate?
It is largely up to speculation at this point, and all statements made in my article, as well as the statements by CrowdStrike and Onum, are forward-looking, meaning things are subject to change. However, this evidence points to Cribl and CrowdStrike being positioned to end their partnership as a result of this move. In the resulting schism, we will see a shift in customer volume for Cribl, but their purpose and capability will not have changed.
One interesting consequence of this move may be a good opportunity for Cribl. By absorbing Onum, CrowdStrike has removed a key independent player from the market. What happens to Onum’s customers who don’t use the Falcon NG-SIEM?
They will now need a new, independent data pipeline solution. With its primary competitor now owned by a SIEM vendor, Cribl is positioned to become the default choice for any organization seeking a powerful, vendor-neutral data management platform.
The Future of NG-SIEM
This migration seems dramatic due to the pre-existing relationship between CrowdStrike and Cribl, but ultimately, Falcon customers will see a marked shift in the NG-SIEM platform toward even further unification. CrowdStrike has been aiming at complete SIEM lifecycle coverage for some time now, making it a priority to dominate the space.
The addition of native data processing, transforms and enrichment, and especially real-time alerting on data flows makes this an exciting move for users of the Next-Generation SIEM. This could result in an upset of the SIEM space and tilt the scales more in favor of CrowdStrike, as we have yet to really see pipeline integration like this for a platform of CrowdStrike’s scale.
Only time will tell how this acquisition will turn out, and there is still time for changes to occur, so nothing about this situation is set in stone. Ultimately the SIEM community will respond to this development, and ideally the response will be one of innovation and competition. We may yet see more acquisitions, feature developments, or lifecycle integrations that change the space, but with the speed CrowdStrike is moving with on their platform, it may prove difficult for competitors to keep pace.
Thank you for reading! If you have thoughts on the situation, feel free to comment below; I’d be interested to see the thoughts of others on this development.