Vendor blueprint · SDPP category
Security data pipeline platforms — the in-flight tier
The pipeline tier has two shapes. Warehouse ELT (Fivetran + dbt) extracts, loads, then transforms in the warehouse. SDPPs route, reduce, reshape, and normalize telemetry in flight — before it lands — sitting between sources and the lake/SIEM. This is where volume economics and OCSF-on-ingress actually happen. The category is crowded, and its security-specific claims are mostly vendor-made; the public evidence concentrates in one or two players.
What the category is
An in-flight tier between sources and the store: route, reduce (drop / sample / aggregate), reshape, mask PII, normalize to OCSF before landing. Players: Cribl, Vector (CNCF, Datadog-stewarded), Datadog Observability Pipelines, Tenzir, DataBahn, Observo AI, Monad, Abstract Security. Distinct from warehouse ELT — pre-landing, not in-warehouse transform.
Where the public evidence is
Concentrated, not broad. Cribl has named public security cases (Yale New Haven Health, 30K endpoints) — it carries its own component reference in this catalog. Vector is production-validated inside the Huntress teardown on this site (the routing tier at 200K rec/sec). Those two are real and independently citable.
Where it isn't
Datadog Observability Pipelines, Tenzir, DataBahn, Observo AI, Monad, and Abstract Security are credible and largely GA, but their security-specific production validation is vendor-claimed or analyst-relayed, not a named public security case. Treat the newer entrants as unproven for security until a public case names them — the same discipline applied to Fivetran/dbt.
What it changes for architects
The SDPP tier is where 30–70% volume reduction and OCSF-on-ingress land, ahead of SIEM/lake economics. The honest critique: a fast-consolidating category with heavy vendor claims and thin independent security validation. Choose on measured reduction against your telemetry and on pipeline-config portability — not logo count. Cribl and Vector are the proven anchors; the rest are bets.
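To make the in-flight stages concrete, here is an added example (not code from the original page or from any vendor named above): a minimal Python pipeline over constructed identity and EDR telemetry that routes, reduces (drop / sample / aggregate), masks PII and normalizes to the OCSF Authentication class, then reports the measured reduction the text says to compare vendors on. The raw event shapes, the 1-in-N sample rate and the stats keys are assumptions made for the demo.

```python
import re
# Constructed sample telemetry (not real data): three EDR heartbeats, four repeated
# failed logons from one IP, and ten distinct successful logons.
RAW_EVENTS = (
    [{"src": "edr", "type": "heartbeat", "host": "h1"}] * 3
    + [{"src": "idp", "type": "logon", "user": "bob@example.com", "ok": False, "ip": "203.0.113.9"}] * 4
    + [{"src": "idp", "type": "logon", "user": f"u{i}@example.com", "ok": True, "ip": "10.0.0.5"} for i in range(10)]
)
ACTIVITY = {"logon": 1, "logoff": 2}  # OCSF Authentication (class_uid 3002) activity_id values

def mask_email(addr):
    """Mask the local part; keep the domain so analysts can still pivot on it."""
    return re.sub(r"^[^@]+", "***", addr)

def to_ocsf(ev, count=1):
    """Normalize one idp record to an OCSF Authentication event; count>1 marks an aggregate."""
    return {
        "category_uid": 3, "class_uid": 3002, "activity_id": ACTIVITY[ev["type"]],
        "status_id": 1 if ev["ok"] else 2,  # OCSF: 1 = Success, 2 = Failure
        "user": {"email_addr": ev["user"]}, "src_endpoint": {"ip": ev["ip"]},
        "count": count, "metadata": {"product": {"name": ev["src"]}},
    }

def run_pipeline(events, sample_every=5):
    """Route -> reduce -> mask -> normalize; returns (ocsf_events, stats incl. measured reduction)."""
    stats = {"in": len(events), "dropped": 0, "sampled_out": 0, "aggregated": 0}
    failures, out, ok_seen = {}, [], 0
    for ev in events:
        if ev["src"] != "idp":          # route: only identity telemetry takes this path;
            stats["dropped"] += 1       # heartbeats carry no security signal and are dropped
            continue
        ev = dict(ev, user=mask_email(ev["user"]))   # mask PII before it leaves the pipeline
        if ev["ok"]:                    # successes are high-volume, low-signal: keep 1-in-N
            ok_seen += 1
            if (ok_seen - 1) % sample_every != 0:
                stats["sampled_out"] += 1
                continue
            out.append(to_ocsf(ev))
        else:                           # failures are the signal: never drop, aggregate repeats
            key = (ev["user"], ev["ip"])
            if key in failures:
                failures[key]["count"] += 1
                stats["aggregated"] += 1
            else:
                failures[key] = to_ocsf(ev)
    out.extend(failures.values())
    stats["out"] = len(out)
    stats["reduction_pct"] = round(100 * (1 - stats["out"] / stats["in"]), 1)
    return out, stats
```

Run it against a day of your own exported telemetry instead of RAW_EVENTS and the `reduction_pct` you get is the number to hold vendor reduction claims against.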
Sources: Cribl engineering blog; Yale New Haven Health published case (see the Cribl Search component reference); Vector (CNCF / Datadog) production-validated in the Huntress teardown on this site; Datadog Observability Pipelines product documentation; Tenzir / DataBahn / Observo AI / Monad / Abstract Security vendor materials and analyst commentary — security-specific production validation vendor-claimed pending a named public case.