Technology deep-dive

Observability pipelines and the security overlap.

Datadog Observability Pipelines and Edge Delta both route telemetry, both market security capability, and both invite the question many security architects eventually ask: can I run one pipeline for app observability and SOC routing? Sometimes you can, though often you can't, because the engineering looks identical while the buyer centers are different in ways that drive different feature priorities, which is where most of the trouble starts.

Reading time: about 21 minutes. Evidence tier: mixed. Datadog's product capabilities and OCSF positioning are Tier C from vendor documentation. Edge Delta's funding numbers and named customers (Super League, Fama, Webscale) are Tier B from press releases and case studies. The 2025 security pipeline consolidation (SentinelOne–Observo AI, CrowdStrike–Onum) is Tier B from acquisition filings. The "use one pipeline for both" assessment is composite Tier C from practitioner conversations.

The honest taxonomy I work with separates these into four buckets, with vendor overlap explicitly noted:

Observability-first platforms: Datadog Observability Pipelines, Edge Delta, Chronosphere (now Palo Alto Networks via the November 2025 acquisition). Built for APM-shaped problems first; security routing is an added use case. Buyer is platform engineering or SRE.

Security-first platforms: Cribl Stream (in its security configuration), Tenzir, DataBahn, Abstract Security. Built for SOC-shaped problems first; observability routing is sometimes adjacent. Buyer is security data engineering or SOC leadership.

Dual-use: Cribl Stream in its multi-use-case posture, Vector (the open source forwarder Datadog stewards). Both can handle either workload competently because both expose building blocks (sources, transforms, sinks) rather than opinionated security or observability defaults, so the capability is dual-use even though the team running it usually specializes in one side or the other.

SIEM-acquired pipelines: Observo AI (SentinelOne, September 2025), Onum (CrowdStrike, August 2025). Formerly independent security pipeline vendors that have been absorbed into SIEM platforms. The technology continues to exist; the independent vendor relationship doesn't. If you're evaluating these post-acquisition, you're effectively evaluating SentinelOne's data layer or CrowdStrike's Falcon Next-Gen SIEM, not a standalone pipeline product.

The 2025 consolidation matters for the boundary question because it tells you which way the market is moving. Security pipeline vendors are being absorbed into SIEM platforms (Observo AI into SentinelOne, Onum into CrowdStrike), while observability pipeline vendors are extending into security positioning (Datadog OP adding OCSF, Edge Delta publishing security use-cases). The convergence narrative is real; the implementation gap between "we route security logs" and "we offer security- specific features" remains real too.

Edge Delta takes a structurally different approach: agent-based, edge-side processing as the primary architectural bet. Where Datadog OP, Cribl Stream, and Tenzir all assume a centralized pipeline cluster between agents and destinations, Edge Delta pushes processing intelligence down to the agent. The pitch is that filtering, parsing, anomaly detection, and enrichment can happen at collection time, before the data ever leaves the host or cluster, which reduces bandwidth cost and pushes detection latency down toward zero.

The funding picture is clearer than Datadog OP's. Edge Delta has raised about $81M total across three rounds, with the most recent being a $63M Series B in May 2022. I haven't seen evidence of a Series C as of early 2026; the public record is Series B as the latest round. Revenue is reported at approximately $8.3M in 2025 with a 75-person team, which puts Edge Delta in a smaller commercial tier than Cribl ($200M ARR-ish) or Datadog (multi-billion-dollar public company). That's not a knock (early-stage companies can ship excellent products) but it's relevant context for any procurement decision where vendor stability weighs heavily.

Named customers include Super League Gaming (analyzing 100% of telemetry with 99% log reduction before Loki ingestion), Fama (80% Datadog cost reduction in HR-tech background screening), and Webscale (91% reduction in debugging time for e-commerce cloud hosting). All three are observability case studies rather than security case studies, which isn't a criticism, because Edge Delta's commercial center of gravity is observability, the named references reflect that, and the company doesn't pretend otherwise.

The security positioning is real but earlier-stage than the observability story. Edge Delta publishes documentation for Windows Event Log to OCSF transformation, ships pre-built packs for legacy firewalls and networking gear, supports field-level masking and hashing for GDPR / HIPAA / CCPA compliance use cases, and markets a "cut SIEM costs" use-case page that frames the security value proposition. The capability set is credible, and the edge-side architecture suits certain security patterns well, particularly anything where processing at the source is preferable to centralized aggregation (privacy-sensitive workloads, distributed cloud environments with bandwidth constraints, anomaly detection requiring per-host context).

What I cannot verify: named security customers at meaningful scale, because Edge Delta's case studies are observability-flavored, and while the security feature documentation is detailed, the production references that would let me anchor it as Tier B aren't on the public site. That's a real gap if you're trying to evaluate Edge Delta against Cribl (which has Yale New Haven Health as a named public security reference) or Tenzir (which has thinner production validation but at least makes pipeline-based detection a first-class capability).

Where Edge Delta fits naturally: organizations where edge-side processing matters (bandwidth constraints in distributed cloud environments, per-host context for anomaly detection, privacy boundaries that make centralized aggregation undesirable). Where it fits less naturally: SOCs that want a single centralized pipeline with full control-plane visibility, or organizations that require named Fortune-500 security references as a procurement gate.

The pitch for running one pipeline across both observability and security is attractive on paper. Single configuration surface, single operational team, single vendor relationship, shared infrastructure costs, and the same pipeline language used by both platform engineering and the SOC. The vendors most aggressive on this pitch are Cribl (which has historically positioned across both use cases), Datadog OP (which adds security capability to an observability-first product), and Edge Delta (which markets both observability and security use-case pages from the same product surface).

The pros are real, and they compound. Operational consolidation reduces the per-pipeline overhead of maintaining connectors, sources, and parsing rules, while a single team building pipeline expertise in one language scales better than two teams each becoming half-experts. Cost savings at the licensing and infrastructure layer matter too, particularly for mid-market organizations where the security data volume isn't large enough to justify a dedicated pipeline platform, and the buyer-center politics get simpler when there's one budget line instead of two.

The cons are also real, and they cluster in three areas. First, audit and retention requirements diverge. Operational observability logs typically need 30–90 days of retention for SRE incident investigation. Security logs need 90 days to 7 years depending on regulatory regime, and the chain-of-custody integrity requirements for evidence-grade storage are materially stricter than for operational telemetry. A shared pipeline has to satisfy the stricter of the two, which means the observability tenant pays for retention and audit overhead it doesn't need.

Second, data residency for security telemetry is sometimes harder than for app telemetry. EDR telemetry, identity logs, and DLP-relevant logs often have jurisdiction-specific handling requirements that go beyond standard application-log GDPR posture. A pipeline configured for application telemetry residency may not satisfy the residency constraints of the security telemetry sharing it, and retrofitting region-specific routing onto a unified pipeline is harder than building it correctly from the start.

Third, separation of duties is a real security control. NIST CSF 2.0, ISO 27001, SOC 2, and most regulatory frameworks treat separation between operations and security as a meaningful boundary. A shared pipeline can comply (the network and IAM boundaries can be enforced inside one product) but the audit narrative becomes harder. When the same platform-engineering team that operates the observability pipeline also has effective administrative control over the security pipeline, defending the separation-of-duties position to an auditor takes more work, and the work itself consumes the savings the consolidation was supposed to deliver.

None of these are dealbreakers on their own, but they're the trade-offs that determine whether the consolidation pattern is right for a specific organization, so they deserve to be modeled honestly before signing the unified-pipeline contract. The next section walks through where I see the convergence pattern actually working versus where it quietly breaks.

Regulated industries with strict separation

Financial services, healthcare, federal government, and critical infrastructure operations typically have separation-of-duties requirements that go beyond best practice. The audit overhead of running a shared pipeline becomes meaningful: every SOC 2 audit, every PCI-DSS attestation, every FedRAMP renewal eats engineering hours defending the separation argument. At enough scale and audit frequency, two pipelines is cheaper than one with elaborate documentation.

Large SOCs with dedicated security data engineering

When the security team is large enough to staff its own data engineering function (typically 5+ FTE on the data side alone), the shared-pipeline argument starts losing to the feature-depth argument. Cribl's security-specific Packs, Tenzir's pipeline-based detection, the in-stream OCSF normalization depth that security-first platforms provide: these are features the security team will want and platform engineering won't, so forcing both onto a least-common-denominator product tends to produce a pipeline that serves each side adequately without serving either one well.

Detection-latency-sensitive workloads

If the security operation runs pipeline-based detection (OWASP attack detection in stream, C2 beaconing detection at ingestion, impossible-travel detection before the event hits storage) the observability-first pipelines aren't structurally optimized for that pattern. Datadog OP can transform and route, but the in-stream detection capability Tenzir or Onum (pre-CrowdStrike acquisition) offered isn't the focus. Forcing pipeline detection onto an observability-first product loses the latency advantage that justified the architectural choice in the first place.

Two acquisitions reshaped the security-pipeline competitive landscape in late 2025, and both have implications for the observability-versus-security boundary question.

SentinelOne acquired Observo AI in September 2025 for approximately $225 million in a cash-and-stock deal. Observo AI was previously one of the credible newer entrants in the security-pipeline space, alongside DataBahn and Tenzir, with an AI-augmented-operations pitch focused on schema inference and pipeline optimization driven by ML. The acquisition was announced September 8 and completed September 22, 2025. Observo AI now exists as the data-streaming foundation for SentinelOne's AI SIEM ambitions, which means evaluating Observo AI in 2026 means evaluating SentinelOne's Singularity Data Lake and AI SIEM offering, not a standalone pipeline product.

CrowdStrike acquired Onum in August 2025 for approximately $290 million. Onum was a Spanish startup co-founded by Pedro Castillo (previously CTO at Devo for 11 years), built on a proprietary stateless in-memory architecture for real-time pipeline detection. CrowdStrike's positioning frames Onum as the data foundation for Falcon Next-Gen SIEM, with vendor-claimed benefits of 70% faster incident response, 40% less ingestion overhead, and up to 50% storage cost reduction. Like the SentinelOne–Observo AI deal, this collapses an independent security-pipeline option into a SIEM-bundled offering, so Onum now functions as CrowdStrike's data layer rather than as a standalone product.

The pattern matters for the boundary question. Both acquisitions ran in the same direction: SIEM-platform vendors absorbing security-pipeline vendors to consolidate the data layer under the detection platform. That tells you the SIEM platforms see pipeline ownership as strategic, and it leaves a smaller set of independent security-pipeline options (Cribl, Tenzir, DataBahn) for organizations that want to keep the routing layer vendor-separate from the detection layer.

Palo Alto Networks acquiring Chronosphere for $3.3 billion in November 2025 is the third move in the same period, though Chronosphere is an observability platform rather than a security pipeline. The directional signal is the same: the security and observability vendor categories are converging at the platform level, even while the pipeline-product categories remain distinct in practice.

For a CISO or security architect making a 2026 pipeline decision, the consolidation creates two considerations. First, the "independent security pipeline" category is smaller than it was 18 months ago, and the remaining independent vendors are more strategically valuable for organizations that want vendor neutrality at the routing layer. Second, the SIEM-bundled pipeline offerings (SentinelOne + Observo AI, CrowdStrike + Onum) may now be the right answer for SIEM-committed organizations, but they come with deeper lock-in than the pre-acquisition vendor relationships did. The pipeline lock-in risk I covered in pipeline lock-in: how to mitigate it applies with extra force to these new platform-bundled offerings.

Three things to keep in mind when reading vendor marketing in this category.

First, "we route security logs" is not the same as "we offer security-specific features." Every pipeline product in this category can ship CloudTrail to Splunk. The question is whether the product offers the feature depth a security data engineer would expect: OCSF coverage across the major SIEM destinations, threat-intel enrichment with multiple feed types, PII detection calibrated for adversarial-data patterns rather than just GDPR-compliance use cases, in-stream detection where latency matters, evidence-grade audit trails. Datadog OP has built real depth on OCSF and threat intel; Edge Delta has Pack-based normalization but less depth on enrichment. Neither matches Cribl's breadth or Tenzir's in-stream detection focus, so read the data sheets with that gap in mind.

Second, named security customers are the procurement signal that matters most, and they're scarce across this entire category. Cribl has Yale New Haven Health and a long list of NDA references, and Vector has Huntress, but once you get to Datadog OP, Edge Delta, Tenzir, and DataBahn the public named security references at meaningful scale grow thin. That thinness isn't a reason to dismiss any of them, but it is a reason to insist on paid PoC validation against your actual workload before committing.

Third, the 2025 SIEM consolidation moves (SentinelOne–Observo AI, CrowdStrike–Onum, Palo Alto Networks–Chronosphere) shift the competitive landscape in ways that haven't fully played out. Independent security pipeline vendors are scarcer, and the bundled SIEM-plus-pipeline offerings may deliver real integration benefits, or they may produce the deepest vendor lock-in the category has seen. The 12–18 month track record on the integrated platforms will be informative; trusting the post-acquisition marketing without it is speculative.

For broader context on where the security data pipeline platform category is heading, including coverage of DataBahn, Abstract Security, and the other emerging vendors, see the pipeline-layer category snapshot in what's real vs marketed in the agentic SOC. For the deeper architectural argument about what a pipe layer should actually do, see Tenzir and the pipe layer.