Cribl adds CardinalOps' Israeli security team in estimated $100 million deal
The deal adds about 20 security engineers and detection technology as Cribl builds toward an open alternative to legacy SIEM platforms.
By Ryan Merket · Published
Why it matters
Cribl is moving up the security stack, using CardinalOps' founders and detection engineers to turn its telemetry foothold into a broader SIEM challenger.

Cribl acquired CardinalOps on July 14th, adding an Israeli detection-engineering team as co-founder and CEO Clint Sharp pushes the telemetry vendor into security operations. The companies did not disclose financial terms, though CTech estimates the purchase price at about $100 million.
The acquisition moves Cribl beyond collecting, routing and storing security data. CardinalOps gives Cribl software that evaluates whether customers' existing security tools can detect known attacker behavior, identifies gaps and helps repair broken or noisy detection rules. Cribl plans to use that technology as the detection layer for an open alternative to traditional security information and event management, or SIEM, platforms.
CardinalOps founders Michael Mumcuoglu and Yair Manor built the company around a recurring problem they encountered during previous cybersecurity ventures: companies kept buying security products without knowing whether the resulting collection of tools provided adequate threat coverage. Both founders served in the Israeli military's Unit 8200, where they worked together on offensive and defensive cybersecurity.
Mumcuoglu previously founded LightCyber, which Palo Alto Networks acquired in 2017. He then spent three years helping launch Palo Alto Networks' Cortex XDR platform. Manor co-founded IoT security vendor Netonomy, acquired by Allot in 2018, and previously led research and development at disaster-recovery software vendor Zerto, according to CardinalOps' company history.
CTech reported that CardinalOps employed about 25 people, mostly in Israel. Sharp separately told TechTarget that Cribl was acquiring CardinalOps' intellectual property and about 20 security engineers. The employees will join Cribl, which is opening a Tel Aviv office and expects to expand its operation there.
From telemetry routing to detection
Cribl initially built its business by helping enterprises filter and route logs before sending them into costly analytics platforms. That made Cribl a control layer between customers' telemetry sources and products from vendors including Splunk, Microsoft, Palo Alto Networks and Elastic.
Sharp is using CardinalOps to move closer to the security decisions made on top of that data. He told TechTarget that customers were pulling Cribl toward becoming a fuller security provider, making the acquisition partly a product expansion and partly a talent purchase. CardinalOps brings engineers who have already built detection content around the MITRE ATT&CK framework, which catalogs techniques used by threat actors.
CardinalOps maps an organization's existing detection rules and security controls against that framework. Its software is designed to show which attack techniques a customer can detect, where coverage is missing and which rules are generating excessive noise. Cribl says the combined system will connect those findings to its telemetry infrastructure, letting customers change what data they collect, retain and analyze without moving everything into one SIEM vendor's storage layer.
That gives Cribl a credible entry into SIEM functions, though the acquisition does not produce a complete SIEM on its own. Analysts interviewed by TechTarget identified threat intelligence, case management, alert triage, investigation workflows and response tooling among the capabilities Cribl would still need to match established platforms. Near term, the combined product is better understood as a vendor-neutral control and detection layer spanning tools customers already operate.
Cribl's larger security bet
Cribl says it passed $300 million in annual recurring revenue during 2025, up from $200 million in December 2024. The privately held company also says more than half of the Fortune 100 use its products. Those figures are company-reported, but they show why Cribl can use acquisitions to expand from telemetry infrastructure into the applications that consume telemetry.
CardinalOps publicly announced $24 million in total funding through its March 2022 Series A. CTech reports that CardinalOps ultimately raised about $40 million from Viola Ventures, Glilot Capital, Battery Ventures, IN Venture, XT Hi-Tech, Gefen Capital, Symbol and other investors. The difference reflects financing that CardinalOps did not announce with a disclosed amount. Neither Cribl nor CardinalOps disclosed CardinalOps' revenue, valuation or the mix of cash and stock in the acquisition.
The reported $100 million price buys Cribl an established detection product, a specialized engineering group and a foothold in Israel's cybersecurity labor market. It also gives CardinalOps distribution through a buyer that already sells telemetry infrastructure to large enterprises, removing the need for the 25-person vendor to build that distribution independently.
Mumcuoglu framed the combination around moving security spending away from raw data ingestion and toward detection outcomes. That pitch has a tension: Cribl also charges according to data volume, Sharp told TechTarget, although he argues that Cribl can process substantially more data per dollar than incumbent platforms.
Cribl now has to prove that an open collection of telemetry, search and detection products can deliver the integrated workflows customers expect from a SIEM. CardinalOps supplies an important piece of that system. The acquisition leaves Cribl with several more pieces to build or buy.