Security Data Works

Technology deep-dive

Cribl vs Tenzir vs alternatives: choosing your security data pipeline.

The Route component decides whether your lakehouse stays in budget. Pick the wrong pipeline and the cost savings the lakehouse was supposed to deliver evaporate into licensing fees, operational overhead, or vendor lock-in. The market has narrowed to a handful of credible options, and the right call depends on scale, ecosystem fit, and whether pipeline-based detection matters to you.

Reading time: about 22 minutes. Evidence tier: mixed. Cribl carries the only named-customer Tier B security references I can cite publicly (Yale New Haven Health). Vector is Tier B via the Huntress production teardown. Tenzir, DataBahn, and Observo AI are credible on capability but their security-specific scale claims are Tier C (vendor-documented, not independently audited). Cost-saving percentages are composite Tier C from practitioner interviews unless otherwise noted.

The Route decision

Pipelines are not log forwarders.

The single most common analytical mistake I see in pipeline RFPs is the category error of comparing Cribl to Logstash on market share. The two products belong to different categories. Logstash, Fluentd, and Vector are log forwarders: they ship events from a source to a destination with limited transformation, usually to a single sink. Cribl, Tenzir, DataBahn, and Observo AI are security data pipeline platforms; they route by value, transform across multi-tool ecosystems, and (in some cases) run detection inside the stream.

Comparing Cribl to Logstash on customer count is like comparing Snowflake to MySQL on database market share: technically true but analytically useless. Logstash has more deployments simply because it's free and adequate for simple log shipping; Cribl has fewer customers because its value proposition only kicks in above a scale and ecosystem complexity that most organizations never reach.

The framework in this essay separates the two categories deliberately. If your problem is "ship 500 GB/day from one place to another," skip to the open-source forwarder section. If your problem is "route 5+ TB/day across SIEM, lakehouse, and compliance archive with intelligent value-based filtering," the conversation is genuinely Cribl vs Tenzir, with DataBahn and Observo AI as credible but earlier-stage alternatives.

Option 1

Cribl Stream and Edge.

Cribl is the market leader in enterprise security data pipelines. The numbers the company publishes ($200M ARR, 50+ Fortune 100 customers, $600M+ total funding, $3.5B Series E valuation) put it in a different commercial tier than any other vendor in this category. Those are vendor-published figures (Tier C), but they're consistent enough across analyst coverage and customer-confirmable references that I treat them as directionally accurate.

The capability that matters most for security is route-by-value. A pipeline that can inspect an event, evaluate it against a routing rule, and send the high-value subset to a $3-10/GB SIEM while the low-value bulk goes to $0.023/GB object storage is the mechanism that makes the lakehouse economics work. Cribl runs this pattern at Fortune 100 scale, with 100+ documented integrations, OCSF normalization via Cribl Packs, and the operational maturity (24/7 support, distributed architecture, RBAC, monitoring) that regulated industries require.

Named public security reference: Yale New Haven Health uses Cribl in production for healthcare security data routing. That's the strongest publicly nameable Tier B reference I can cite in this category. Most other production deployments at the enterprises I've worked with sit under NDA. The Cribl customer base skews Fortune 500, and the use-case patterns are remarkably consistent: cut Splunk ingestion costs by 70-90%, extend retention from 90 days to 1-7 years, preserve detection coverage by keeping high-value events in the SIEM hot tier.

Pricing is consumption-based per GB processed. Practitioner-confirmed ranges sit around $0.10-0.30/GB with volume discounts dropping toward $0.05-0.10/GB at 50+ TB/day. For a 10 TB/day deployment, that's roughly $45K/month in licensing plus $5-15K/month in self-hosted infrastructure, or $60-120K/month for Cribl Cloud (managed). The comparison that matters is that ingesting that same 10 TB/day directly into Splunk at $3-10/GB runs $900K-3M/month, so the licensing-versus-savings math is the decision driver, and at enterprise scale it consistently favors Cribl.

Where Cribl is the wrong call: anywhere under 1-2 TB/day, where open-source forwarders are operationally cheaper; anywhere requiring pipeline-based detection as a first-class capability (Cribl routes, then relies on downstream SIEM or lake queries to detect); anywhere where the open-source preference is a hard requirement, because the Cribl pipeline language is proprietary and migration off Cribl means rewriting transformation logic in whatever you migrate to.

Choose Cribl when you're 5+ TB/day, running a multi-tool ecosystem (multiple SIEMs, security tools, cloud platforms), need commercial support with SLAs, and have the budget to license the operational maturity rather than build it. The full vendor profile sits in the Cribl Search component teardown.

Option 2

Tenzir.

Tenzir positions itself as the open-core alternative to Cribl with a specific bet: pipeline-based detection. Where Cribl routes events to a SIEM that runs detection rules on stored data, Tenzir runs detection inside the stream. Events are evaluated against pipeline-defined rules at ingestion, and only signals (plus sampled raw data for context) land in storage. The structural advantage is latency (sub-second detection vs minutes-to-tens-of-minutes for query-based detection) and storage cost (70-90% reduction by writing signals instead of raw events).

The capabilities I can verify from Tenzir documentation: OCSF-native normalization (no separate Pack required), Tenzir Query Language for pipeline definitions, embedded Parquet storage with optional external Iceberg or Delta Lake sinks, Apache 2.0 open-source core with commercial features (clustering, RBAC, support) layered on top. The open-core exit strategy is real; if Tenzir as a company fails, the core platform is forkable.

The OCSF-native claim is the part I can actually run, and I did. In the MOAR reference stack I routed the same raw Okta event to OCSF Authentication through three open routers (Vector, Tenzir, and Fluent Bit), and the contract came out identical across all three (class_uid 3002, activity_id 1 or 2, user, src_ip). A team can therefore pick the router on operational fit and keep the OCSF contract stable when they switch (the ./moar swap-router check in docker/, 2026-06-07). The honest framing matters here: this is a contract-equality check on a single host, not a throughput ranking. Cribl isn't in the stack because it's commercial and I didn't run it, so the swap I'm showing is across the three open routers, and any Cribl throughput or cost figures in this essay stay practitioner-reported rather than first-party.
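What the contract check above actually compares, as an added example that is not code from the MOAR stack or from Tenzir, Vector or Fluent Bit: a Python normalizer that maps an Okta System Log record to the four fields the essay treats as the OCSF Authentication contract (class_uid, activity_id, user, src_ip), plus the key-by-key equality check a router swap is judged by. The Okta records are constructed; the Okta field names used (eventType, actor.alternateId, client.ipAddress, outcome.result) are the System Log API's.

```python
"""Okta System Log record -> OCSF Authentication (class_uid 3002) contract, plus the swap check."""

OCSF_AUTHENTICATION = 3002
# OCSF Authentication activity_id: 1 = Logon, 2 = Logoff. Other Okta eventTypes are left unmapped.
ACTIVITY_BY_EVENT_TYPE = {"user.session.start": 1, "user.session.end": 2}
# OCSF status_id: 1 = Success, 2 = Failure, 99 = Other.
STATUS_BY_RESULT = {"SUCCESS": 1, "FAILURE": 2}
# The fields the essay's swap-router check requires to be identical across routers.
CONTRACT_KEYS = ("class_uid", "activity_id", "user", "src_ip")


def normalize_okta(record):
    """Map one Okta System Log record to OCSF Authentication; None when it is not a logon/logoff."""
    activity_id = ACTIVITY_BY_EVENT_TYPE.get(record.get("eventType"))
    if activity_id is None:
        return None  # not an authentication event; leave it for another OCSF class
    actor = record.get("actor") or {}
    client = record.get("client") or {}
    outcome = record.get("outcome") or {}
    return {
        "class_uid": OCSF_AUTHENTICATION,
        "activity_id": activity_id,
        "user": actor.get("alternateId"),
        "src_ip": client.get("ipAddress"),
        "status_id": STATUS_BY_RESULT.get(outcome.get("result"), 99),
        "time": record.get("published"),
    }


def contract_diff(outputs):
    """Contract keys on which the routers' outputs disagree; an empty tuple means the swap is safe."""
    return tuple(k for k in CONTRACT_KEYS if len({o.get(k) for o in outputs}) > 1)


# Constructed Okta records: a successful logon, a failed logon, and an unrelated admin event.
OKTA_LOGON = {
    "eventType": "user.session.start",
    "published": "2026-06-07T09:14:02.000Z",
    "actor": {"alternateId": "jdoe@example.com", "type": "User"},
    "client": {"ipAddress": "198.51.100.23"},
    "outcome": {"result": "SUCCESS"},
}
OKTA_FAILED_LOGON = {**OKTA_LOGON, "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"}}
OKTA_APP_CHANGE = {**OKTA_LOGON, "eventType": "application.lifecycle.update"}

if __name__ == "__main__":
    ocsf = normalize_okta(OKTA_LOGON)
    # A router config that forgot to rename client.ipAddress would emit src_ip = None and fail the check.
    drifted = {**ocsf, "src_ip": None}
    print(ocsf)
    print("contract drift on:", contract_diff([ocsf, dict(ocsf), drifted]))
```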

The capabilities I cannot independently verify: Tenzir's claimed security-specific deployment scale. Tenzir's blog and documentation describe pipeline-detection patterns and OCSF integration in detail, but I have not seen named public security customers at Fortune-500 scale. The deployment count is plausibly under 100 based on the company's stage. That's Tier C evidence: credible vendor positioning, not independently validated. The technical architecture is sound; the production-validation track record is thinner than Cribl's.

Pricing: core is free. Enterprise features are not publicly disclosed; my estimate, based on open-core benchmarking against comparable platforms (Elastic, Confluent, Databricks open-core tiers), is $50K-150K/year for a mid-market deployment. For 10 TB/day self-managed, total annual cost lands around $210K-270K (open-core enterprise bundle plus $120K/year infrastructure) versus Cribl's $660K/year at the same scale. The 60-70% lower run-rate is the open-core dividend; the cost of admission is self-management expertise and a less mature integration ecosystem (20-30 connectors vs Cribl's 100+).

Choose Tenzir when pipeline-based detection is a first-class requirement, when OCSF is the canonical schema you're committing to, when you have data engineering expertise on the team, and when the open-core exit strategy genuinely matters to you. Don't choose Tenzir if you need 24/7 commercial support against a written SLA, if you require 100+ integrations out of the box, or if "smaller vendor" is itself a procurement blocker.

Option 3

DataBahn and Observo AI.

Two credible newer entrants belong in the conversation but with caveats. DataBahn positions on AI-augmented data pipeline operations: schema inference, parser generation, and pipeline optimization driven by ML on customer data. Observo AI takes a similar angle with stronger emphasis on cost reduction and intelligent sampling. Both are venture-backed (DataBahn raised a Series A in 2024; Observo AI raised seed in 2023), both publish credible capability documentation, and both name a handful of public customers. The named customers I can find are not, as of early 2026, the kind of Fortune-100 named security references that anchor my Cribl confidence.

I treat DataBahn and Observo AI as Tier C on security-specific deployment scale. The technical pitch is coherent and the AI-augmented operations angle is differentiated. Automated parser generation for new log sources is the operational pain point both products target, and Cribl's manual Pack configuration is where that pitch lands. But the production-validation gap with Cribl is roughly the same gap Tenzir has, and the open-core advantage Tenzir offers is not part of the DataBahn or Observo AI story.

Where they fit in an honest framework is as shortlist candidates for organizations running a pilot evaluation across three or four pipeline vendors, particularly when AI-augmented operations is a top-three buying criterion. They aren't the default recommendation: for most security operations decisions in 2026 the choice narrows back to Cribl or Tenzir, with DataBahn and Observo AI as credible-but-prove-it third options.

Option 4

Open-source forwarders: Vector, Fluentd, Logstash.

For deployments below 1-2 TB/day, or for organizations where simple log shipping is the actual problem, open-source forwarders are the right answer. The three credible options have different shapes:

Vector (CNCF; originally built by Datadog and since donated to the Cloud Native Computing Foundation): modern Rust implementation, 40+ sources and 50+ sinks, memory-safe and high-performance at low resource cost, built-in observability. Vector is the production-validated forwarder in the Huntress security operations teardown. Huntress runs Vector for telemetry collection across 3M endpoints, with the pipeline feeding ClickHouse on the analytical side. That's the strongest Tier B reference for any open-source forwarder in this analysis, and it's why I default to Vector for new starter deployments where Kubernetes-native isn't a hard requirement.

Fluentd (CNCF): cloud-native, Kubernetes-native, lightweight resource footprint, 500+ community plugins. The right default when the deployment shape is "DaemonSet on a Kubernetes cluster shipping container logs to a sink." Fluentd's plugin ecosystem is the largest in this category, and the Kubernetes-native operational story is mature.

Logstash (Elastic): mature (10+ years), large plugin ecosystem, tight Elasticsearch integration. Logstash is the right default if you're already inside the Elastic stack and your destination is Elasticsearch; the integration is best-in-class. The downsides are real: JVM overhead drives higher resource consumption than Vector or Fluentd, performance degrades above 5 TB/day without significant tuning, and there's no native clustering or HA story.

The TCO trap with open-source forwarders is operational overhead. Licensing is $0 and infrastructure is modest ($1-3K/month for 1 TB/day), so engineering time is the variable that decides the number, and at scale or with complex pipelines it grows quickly: 0.5-1 FTE data engineer at $150-300K fully-loaded, plus monitoring tools at $5-10K/year. True 3-year TCO for 1 TB/day open-source pipelines lands around $186-408K, depending on how much engineering time you allocate, which is competitive with Cribl at the same scale but with much less operational maturity included.

Choose open-source forwarders when the scale is small (under 1 TB/day), when the use case is simple log shipping rather than intelligent routing, and when you either have engineering capacity to self-manage or your scale is small enough that the operational burden is negligible. Don't choose them if you actually need route-by-value: these tools cannot do what Cribl does, and bolting it on yourself is a multi-quarter engineering project.

At a glance

Cribl vs Tenzir vs forwarders, side by side.

The headline differences across the three categories. Every row is expanded in the prose above with sources and the conditions that change the answer.

| Dimension | Cribl Stream | Tenzir | Vector / Fluent Bit |
|---|---|---|---|
| Category | Security data pipeline. Route-by-value across multi-tool ecosystems. | Security data pipeline with pipeline-based detection in-stream. | Log forwarders. Move bytes from source to sink with limited transformation. |
| Licensing model | Commercial only. Consumption-based ~$0.10-0.30/GB, dropping toward $0.05-0.10/GB at 50+ TB/day. | Apache 2.0 open-core. Commercial features (clustering, RBAC, support) layered on top; enterprise pricing not publicly disclosed. | Fully open source. Vector under CNCF (originally Datadog); Fluentd CNCF; Logstash Elastic-governed. |
| Deployment topology | Control plane (leader nodes) plus stateless worker data plane. 8-12 m5.2xlarge for 10 TB/day; Edge agents for remote collection. | Streaming analytics engine. Stateful pipeline detection (windowing, aggregation). Clustering is an enterprise feature; node loss can affect in-flight detection state. | Single-binary forwarder configured via TOML (Vector). No native clustering or central control plane; ~8x m5.large for 10 TB/day. |
| OCSF native support | Via Cribl Packs (normalization library, not native semantics). | OCSF-native normalization built into the pipeline language. No separate pack required. | No native OCSF. Manual transformation in pipeline config. |
| Pipeline-based detection | No. Routes events; relies on downstream SIEM or lake queries to detect (5-30s latency). | Yes. Sub-second detection in-stream (~15-50ms end-to-end). The structural fit for OWASP, C2 beaconing, impossible-travel. | No. Forwarders move data; detection happens downstream. |
| Ecosystem maturity | 100+ integrations. $200M ARR, 50+ Fortune 100 customers, $3.5B Series E (vendor-published Tier C). | 20-30 connectors. Smaller production surface; deployment count plausibly under 100. Tier C on security-specific scale claims. | Vector: 40+ sources, 50+ sinks. Fluentd: 500+ community plugins. Logstash: large plugin set, JVM overhead at scale. |
| Named security reference | Yale New Haven Health (Tier B). Strongest public reference in the category. | No named public Fortune-500 security reference I can cite as of early 2026. | Vector: Huntress (3M endpoints, ClickHouse pipeline), Tier B. |
| In-place transformation | Mature. Proprietary Cribl pipeline language; migration off means rewriting transformation logic. | Tenzir Query Language (TQL) for pipeline definitions. Open-core means the core is forkable if the company fails. | Limited. TOML config (Vector) or plugin-based filters; not designed for complex multi-destination value routing. |
| Recommended fit | Fortune 500, 5-50+ TB/day, multi-tool ecosystem, commercial support with SLA required. 3-yr TCO ~$1.1-2.0M at 10 TB/day. | Mid-market 2-5 TB/day, pipeline detection as first-class requirement, OCSF commitment, data engineering capacity on the team. 3-yr TCO ~$330-720K. | Under 1-2 TB/day, simple log shipping, no route-by-value need. Vector for non-K8s defaults; Fluentd for Kubernetes DaemonSet. 3-yr TCO ~$186-408K. |

Decision framework

Four scenarios, four answers.

Fortune 500 enterprise SOC (10-50 TB/day)

Multi-tool ecosystem, $200K+/month current SIEM costs, 24/7 operations, regulatory compliance. Default to Cribl Stream. The licensing premium pays for operational maturity that's prohibitively expensive to build in-house, and the 100+ integrations cover the breadth of Fortune 500 security tooling sprawl. Three-year TCO lands around $1.1-2.0M against $10-30M for SIEM-only ingestion, which is not a close call at this scale.

Mid-market with detection priority (2-5 TB/day)

Pipeline-based detection matters, OCSF is the schema commitment, data engineering team available, budget is constrained. Tenzir's open-core model is the right fit here, with three-year TCO around $330-720K against Cribl's $1.1-2.0M at the same scale. The trade-off is real: fewer integrations, a smaller vendor, and less production track record. If the security-specific deployment claims matter to you (they should), build your evaluation around running Tenzir against your actual workload in a paid PoC rather than trusting the vendor positioning.

Startup or small SOC (under 500 GB/day)

Limited budget, small team, Kubernetes-native deployment preferred. Vector or Fluentd, depending on whether the destination story is "ship to S3 plus an analytical engine" (Vector, with Huntress as the production reference) or "Kubernetes-native DaemonSet to a sink" (Fluentd). Total annual cost under $50K including infrastructure. Plan to upgrade to Cribl or Tenzir when scale crosses 2-5 TB/day, which is the break-even point where the operational burden of self-managed forwarders starts losing to the licensing cost of a commercial pipeline.

Hybrid: Cribl plus Tenzir

For organizations that genuinely want route-by-value cost optimization and pipeline-based detection, the hybrid pattern works: Cribl handles the multi-destination routing layer, Tenzir runs detection on the high-value subset Cribl routes to it. The architecture is more complex (two vendors, two pipeline languages, two operational surfaces), the cost is additive (roughly $1.3-2.2M over three years for 10 TB/day), but the capability is real. I'd recommend this only when the security operation has the data engineering depth to run both products well. Most don't, and the simpler "Cribl-and-store-then-query" approach is the right default.

Routing patterns

Where the cost savings actually come from.

Generic "70-90% cost reduction" claims don't help an architect design a pipeline. The savings come from specific routing patterns applied to specific data sources, and the percentage varies dramatically by data type. Five patterns I see consistently in production deployments:

EDR telemetry: 90% reduction typical

EDR agents generate 1,000-5,000 events per endpoint per day. At 50,000 endpoints that's 50-250M events/day. The routing pattern that consistently delivers 90% cost reduction: send process executions matching ATT&CK high-risk binaries, network connections to threat-intel-flagged IPs, and file modifications on critical paths to the SIEM hot tier (5% of total). Send the remaining 95% to the lakehouse at a 10% sample rate for baseline analytics and threat-hunt context.

The composite practitioner example I trust: a Fortune-500 financial services organization with 75K endpoints reduced EDR-related Splunk costs from roughly $180K/month to $18K/month with this pattern. That's a 10x reduction, not a 90% reduction in absolute terms; the math is the same but the framing matters for executive conversations.

Network flows: 98% reduction possible

NetFlow, IPFIX, and Zeek logs generate 100M-1B flows per day at moderate enterprise scale. The signal rate is low: 1-5% of flows are security-relevant (lateral movement on SMB/RDP/SSH/WinRM ports, large outbound transfers to non-CDN destinations, traffic to known-bad IPs). The routing pattern: detect lateral movement in-stream (Tenzir's strength) or filter to SIEM (Cribl's), flag potential exfiltration to a security lake, and sample the remaining 93% at 1% for baseline.

The cost reduction is genuinely 98%-ish at scale because the baseline flow volume is so dominated by benign traffic. The trap is that aggressive sampling makes hindsight investigation harder: a 1% sample is adequate for ML training and baseline analytics, but not for "show me every flow involving this IP six months ago." Compliance and incident-response retention requirements should be modeled before the sample rate is set.

Cloud audit logs: compliance pattern

AWS CloudTrail, Azure Activity, GCP Audit generate 10M-100M API calls/day across multi-cloud. The tension is compliance retention (often 7 years) versus detection retention (90 days). The right pattern is multi-destination: high-value identity and permissions changes go to SIEM plus compliance archive plus cloud SIEM, read-only API calls go straight to S3 Glacier for 7-year retention at $0.004/GB, everything in the middle lands in security lake plus compliance archive. Both Cribl and Tenzir support this multi-destination pattern natively.

Application security: OWASP detection

WAFs and API gateways generate 100M-1B requests/day with a 1-5% attack rate. The pattern that pays off: OCSF-normalize, enrich with attack signatures, route detected attacks to SIEM with high priority, sample legitimate traffic at 0.1% for baseline. Tenzir's pipeline detection is structurally well-suited to this workload. The latency advantage matters because OWASP attacks often pivot quickly. Sub-second detection before the attacker moves laterally is the security argument for pipeline-based detection, and it's the place I'd most expect Tenzir to outperform Cribl on capability, not just cost.

SaaS security: SSO and file-share signal

Okta, Microsoft 365, and Google Workspace generate 10M-100M authentication and activity events/day. The high-value signal is sparse: impossible travel, failed MFA, suspicious OAuth grants, anomalous external file sharing. The pattern: enrich with geolocation and impossible-travel detection, route flagged events to SIEM with alert priority, send file-download events to security lake for exfiltration investigation, sample routine corporate logins at 5%. Cribl's enrichment library is mature here; Tenzir can match it but requires more pipeline-author work.
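The EDR, network-flow and SaaS patterns above, carried through in one place as an added example that is not Cribl or Tenzir pipeline code: a pure-Python route-by-value function that sends the high-value subset to the SIEM hot tier, keeps a deterministic sample of the rest for the lakehouse, and totals the resulting spend against sending everything to the SIEM. The watchlists, critical paths, port set, byte threshold and event shapes are constructed for illustration; the per-GB prices are the ones quoted in the essay, and the unknown-source fallback (keep it whole in the lake) is my choice, not a pattern from the text.

```python
"""Route-by-value for EDR, NetFlow and SaaS events, with the SIEM-vs-lake cost it produces."""
import hashlib
from collections import Counter

# Constructed stand-ins for an ATT&CK high-risk binary list and a threat-intel feed.
HIGH_RISK_BINARIES = {"mshta.exe", "regsvr32.exe", "certutil.exe"}
THREAT_INTEL_IPS = {"203.0.113.7"}  # TEST-NET-3 documentation address
CRITICAL_PATH_PREFIXES = ("C:\\Windows\\System32\\", "/etc/")
LATERAL_PORTS = {445, 3389, 22, 5985, 5986}  # SMB, RDP, SSH, WinRM
LARGE_TRANSFER_BYTES = 500_000_000
# Percent of baseline events kept for the lakehouse, per pattern in the essay.
SAMPLE_PERCENT = {"edr": 10, "netflow": 1, "saas": 5}
# Low end of the $3-10/GB SIEM range, and S3 standard object storage.
SIEM_PRICE_PER_GB = 3.0
LAKE_PRICE_PER_GB = 0.023


def _is_private(ip):
    """RFC 1918 check used to tell internal-to-internal flows from egress."""
    try:
        a, b = (int(x) for x in ip.split(".")[:2])
    except (AttributeError, ValueError):
        return False
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def _sampled(event_id, percent):
    """Deterministic sampling on a hash of the event id, so a replay routes identically."""
    bucket = int(hashlib.sha256(event_id.encode()).hexdigest(), 16) % 100
    return bucket < percent


def route(event):
    """Return (destination, reason): 'siem' hot tier, 'lake' object storage, or 'drop'."""
    src = event["source"]
    if src not in SAMPLE_PERCENT:
        return "lake", "unclassified source kept whole"  # never silently drop an unknown feed
    if src == "edr":
        if event.get("image", "").lower() in HIGH_RISK_BINARIES:
            return "siem", "high-risk binary execution"
        if event.get("dst_ip") in THREAT_INTEL_IPS:
            return "siem", "connection to threat-intel IP"
        if event.get("action") == "modify" and event.get("path", "").startswith(CRITICAL_PATH_PREFIXES):
            return "siem", "critical path modification"
    elif src == "netflow":
        internal = _is_private(event.get("src_ip")) and _is_private(event.get("dst_ip"))
        if internal and event.get("dst_port") in LATERAL_PORTS:
            return "siem", "internal flow on lateral-movement port"
        if event.get("dst_ip") in THREAT_INTEL_IPS:
            return "siem", "flow to known-bad IP"
        if event.get("bytes_out", 0) >= LARGE_TRANSFER_BYTES and not event.get("cdn", False):
            return "lake", "large outbound transfer flagged for exfil review"
    elif src == "saas":
        if event.get("mfa_failed") or event.get("impossible_travel"):
            return "siem", "failed MFA or impossible travel"
        if event.get("activity") == "file_download":
            return "lake", "file download kept for exfil investigation"
    # Everything else is baseline: keep the pattern's sample for the lakehouse, drop the rest.
    if _sampled(event["id"], SAMPLE_PERCENT[src]):
        return "lake", "baseline sample"
    return "drop", "below sample rate"


def simulate(events, avg_bytes=1500):
    """Bytes per destination and the cost of routing versus sending everything to the SIEM."""
    totals = Counter()
    for ev in events:
        totals[route(ev)[0]] += avg_bytes
    all_siem = avg_bytes * len(events) / 1e9 * SIEM_PRICE_PER_GB
    routed = totals["siem"] / 1e9 * SIEM_PRICE_PER_GB + totals["lake"] / 1e9 * LAKE_PRICE_PER_GB
    return {
        "bytes": dict(totals),
        "cost_all_siem": all_siem,
        "cost_routed": routed,
        "reduction": 1 - routed / all_siem if all_siem else 0.0,
    }


def constructed_netflow_day(routine=10_000, lateral=10):
    """Constructed flow set: mostly benign CDN-bound HTTPS plus a handful of internal RDP flows."""
    flows = [{"source": "netflow", "id": f"f{i}", "src_ip": "10.0.0.5", "dst_ip": "198.51.100.10",
              "dst_port": 443, "bytes_out": 20_000, "cdn": True} for i in range(routine)]
    flows += [{"source": "netflow", "id": f"l{i}", "src_ip": "10.0.0.5", "dst_ip": "10.0.0.9",
               "dst_port": 3389, "bytes_out": 5_000} for i in range(lateral)]
    return flows


if __name__ == "__main__":
    print(simulate(constructed_netflow_day()))
```

The reduction figure only covers ingest pricing; model the retention requirements discussed under network flows before fixing SAMPLE_PERCENT, since whatever falls below the sample rate is gone.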

Feature comparison

The honest matrix.

This is the public summary version of the comparison. The full scored matrix with per-criterion weighting and per-vendor evidence references is the paid product. See the matrix paywall page for the positioning. The summary version answers "which vendor for which scenario" but doesn't show the scoring work behind it.

| Capability | Cribl | Tenzir | Vector | Fluentd | Logstash |
|---|---|---|---|---|---|
| Route-by-value | Yes | Limited | No | No | No |
| Pipeline detection | No | Yes | No | No | No |
| OCSF native | Via Packs | Yes | No | No | No |
| Integrations | 100+ | 20-30 | 50+ | 500+ | 50+ |
| Commercial support | 24/7 SLA | Limited | CNCF | CNCF | Elastic |
| Open-source | No | Core only | Yes | Yes | Yes |
| Validated scale | 50+ TB/day | 10-20 TB/day | 10 TB/day | 5 TB/day | 5 TB/day |
| Named security ref | Yale NHH | - | Huntress | - | - |
| 3-yr TCO (10 TB/day) | $1.1-2.0M | $330-720K | $186-408K | $186-408K | $186-408K |

Two cells in that matrix deserve a note. "Named security ref" is restrictive on purpose; I'm only counting public, named, Tier B security references, which excludes the customer cases vendors keep under NDA. Tenzir, DataBahn, Observo AI, Fluentd, and Logstash all have security customers; they don't all have public named ones. "Validated scale" reflects production deployments I can point to publicly, not vendor upper bounds.

Architecture notes

What the underlying systems look like.

Cribl Stream splits into a control plane (leader nodes managing configuration, deploying pipelines, coordinating monitoring) and a data plane (stateless worker nodes that parse, filter, transform, and route). Workers are CPU-bound and horizontally scaled: 8-12 m5.2xlarge nodes for 10 TB/day, scaling to 30-50 c5.4xlarge nodes at 50 TB/day. Edge agents handle remote collection. The stateless worker design means losing a node loses throughput but not data, which is the operational property regulated industries actually need.

Tenzir is a streaming analytics engine. Single Tenzir nodes ingest, run pipelines (filter, enrich, detect, route), and optionally write to embedded Parquet or external Iceberg or Delta. Clustering is an enterprise feature. The stateful nature of pipeline detection (windowing, aggregation, state-tracking across events) is a real operational difference from Cribl's stateless workers. Losing a Tenzir node can mean losing in-flight detection state, which has to be designed around.

Vector is a single-binary forwarder, configured via TOML. The Rust implementation makes it memory-efficient and resource-light at 8x m5.large nodes for 10 TB/day, materially less hardware than either Cribl or Tenzir. The trade-off: no native clustering, no centralized control plane, manual topology design when you scale beyond a single deployment. Vector is the most resource-efficient forwarder in the category; it's also the most operator-dependent for non-trivial topologies.

For the full reference architecture of how these components fit into a security data pipeline platform stack, see the security data pipeline platforms vendor blueprint.

Performance directions

What the benchmarks suggest, with caveats.

Vendor-published throughput numbers for security pipeline platforms are best treated as directional. The methodology-disclosed independent benchmark I most wanted for this category I ended up running myself: a single-host ingest bench (sdw-lab, Tier B) put Tenzir at about 89.6k events/sec, in the same band as rsyslog (93.7k) and well ahead of Vector (26.1k). The result that changed how I read the category, though, was the reliability one: the Tenzir 6.0.0 static build segfaulted on roughly one run in six at the 1M-event mark, a cliff that a peak-throughput number never shows. Even with that, workload sensitivity stays high: throughput swings 2-3x depending on pipeline complexity, regex usage, and enrichment lookups. The directional ranking that practitioner discussions consistently produce:

| Platform | Throughput (10 TB/day workload) | P99 latency |
|---|---|---|
| Cribl Stream | ~1M events/sec | 50-100ms |
| Tenzir | ~800K events/sec | 100-200ms |
| Vector | ~700K events/sec | 50-150ms |
| Fluentd | ~500K events/sec | 100-300ms |
| Logstash | ~400K events/sec | 200-500ms |

Three reads of that table matter. First, Cribl's throughput leadership reflects mature C++ pipeline processing plus a distributed worker architecture; that's an engineering investment that's hard to replicate. Second, Vector's open-source Rust implementation hits roughly 70% of Cribl's throughput at a small fraction of the resource cost, which is why Huntress runs Vector. Third, the detection-latency story is where Tenzir actually wins: pipeline-detection latency (Tenzir) is roughly 15-50ms end-to-end versus 5-30 seconds for the query-based pattern (Cribl routes to SIEM, SIEM queries every 5-30 seconds). That's a 100-600x detection-latency advantage in the workloads where in-stream detection actually matters.

Don't choose a platform on throughput unless you're certain your workload is at the upper edge of what these numbers represent, because most of the security operations I've seen are bottlenecked on cost and detection latency well before they're bottlenecked on events-per-second.

Common pitfalls

Three traps I've watched teams fall into.

Choosing on market share

"Logstash has 8,000+ deployments and Cribl has 400+, so Logstash is the safer bet." This is the category-error trap. Logstash's customer count reflects its role as a free, adequate log forwarder for simple Elasticsearch deployments; Cribl's reflects its role as a paid, enterprise-grade pipeline for complex multi-tool security operations. The comparison set that actually informs the decision is Cribl against Tenzir, DataBahn, and Observo AI, not Cribl against Logstash.

Underestimating operational overhead on open-source

"Vector is free, so total cost is just infrastructure." This ignores 0.5-1 FTE of engineering time at $150-300K fully-loaded plus monitoring tooling. Honest open-source TCO at 1 TB/day lands around $186-408K over three years. That's still competitive at small scale, but the gap with Cribl narrows fast above 2-5 TB/day, and at 10+ TB/day Cribl's operational maturity is genuinely cheaper than building equivalent capability in-house.

Skipping pipeline detection

"We'll detect threats after storing data in our lakehouse." For some workloads (slow-moving, historical analysis, threat hunting) that's correct. For OWASP attacks, C2 beaconing, and impossible-travel SSO patterns, the query-based detection path adds minutes of detection latency that an attacker can use to pivot. If those workloads are in scope, pipeline-based detection (Tenzir) is the structural fit, and forcing it through a route-to-SIEM-then-query pattern is a real capability loss.

Migration shape

Phasing a pipeline deployment.

Regardless of which platform you choose, the migration shape that consistently works is parallel deployment with phased cutover rather than rip-and-replace. The pattern is dull on purpose: pipeline migrations tend to fail when they're treated as event-driven cutovers instead of gradual re-routing.

Months 1-2 (pilot): deploy the new pipeline alongside existing forwarders. Route 10-20% of data through the new pipeline, ideally non-critical sources. Validate cost savings, latency, and detection coverage, and train the team on the new platform's pipeline language, because at this stage you're building operational confidence rather than proving out TCO.

Months 3-6 (expansion): migrate 50-70% of data sources to the new pipeline. Implement route-by-value (Cribl) or pipeline detection (Tenzir) on the high-volume sources first (EDR, network flows, cloud audit) where the cost savings concentrate. Measure actual cost savings against the original projections; the gap between projection and reality is informative for the next phase.

Months 7-12 (full migration): migrate remaining data sources, decommission old forwarders, optimize multi-destination routing, finalize detection logic. The decommission step is the one most teams underfund: running two pipelines in parallel for too long burns budget without delivering value, but cutting over before the new pipeline is genuinely stable burns trust.

Migration risk stays low because the parallel-deployment pattern allows rollback at every phase. The higher-risk pattern is the one that skips parallel deployment to save infrastructure cost; that is where I see migrations fail, and also where the lock-in risk to whatever pipeline you chose becomes most acute.

Conclusion

Pick by scale, ecosystem, and detection priority.

Cribl is the right call for large enterprises with multi-tool ecosystems and budget to license operational maturity. The named-customer evidence (Yale New Haven Health), the production track record, and the integration breadth are the most defensible positions in the category. The lock-in is real (Cribl's pipeline language is proprietary) but the alternative at Fortune 500 scale is rebuilding equivalent capability in-house, which most security teams have neither the budget nor the engineering headcount to do well.

Tenzir is the right call when pipeline-based detection is a first-class requirement and the open-core exit strategy genuinely matters. The capability story is differentiated and the cost story is favorable; the production-validation gap is real but closeable through a paid PoC against your actual workload. Don't trust the vendor's security-specific scale claims without testing them.

Vector (CNCF, originally Datadog) is the production-validated open-source choice. The Huntress security operations teardown is the strongest Tier B reference for any forwarder in this analysis, and at small scale or in simple log-shipping use cases Vector beats both commercial alternatives on TCO; the plan is then to upgrade as scale crosses 2-5 TB/day.

DataBahn and Observo AI are credible newer entrants with differentiated AI-augmented operations stories that should be on shortlists for organizations actively comparing three or four vendors. The production-validation gap is roughly the same as Tenzir's, without the open-core dividend.

The Route component is where the security lakehouse's cost story stops being a projection and starts showing up on the invoice, so pick the pipeline that matches your scale and ecosystem, run it through a paid PoC against your actual workload, and don't let either Cribl's marketing or open-source-purity preferences override the operational fit. For the broader argument on pipeline lock-in risk and how to mitigate it, see pipeline lock-in. For the public summary of the scored vendor matrix, see the matrix page.