The pipe layer: what's missing from your AI security platform.

Matthias Vallentin, Tenzir's CEO, has a one-line version of this argument that's worth quoting because it captures the asymmetry I see across the AI security market: "Everyone's building the policy layer. Nobody's talking about the pipes." That's vendor framing and I treat it as Tier B evidence, but the shape of the observation matches what I find in customer architectures.

The policy layer is the part of the stack security teams have been buying aggressively for the last three years, and it covers a lot: DSPM (data security posture management) platforms like Cyera and Securiti, DLP (data loss prevention) platforms like Netskope, AI security posture management offerings from Palo Alto and others, and SIEM detection rule packs. All of them are doing legitimate work, whether that's classification, policy enforcement, alerting, or posture tracking, but none of that work can happen until the underlying telemetry is in a shape the policy engine can consume.

The pipe layer is the part of the stack that gets the telemetry into that shape, which means streaming ingestion at the throughput your environment produces, schema normalization at ingest rather than as a batch post-process, intelligent routing so the expensive SIEM only gets the data that justifies the cost, and lineage tracking so compliance auditors and ML model decisions can both be defended later. The pipe layer is unglamorous, but it's the foundation that everything above it depends on.

My argument here isn't that Tenzir is the right pipe layer, but rather that any AI security platform without a real pipe layer underneath is making claims the infrastructure can't honor. Tenzir is the named example I'll work with because the company is most explicit about positioning at this layer, though the analysis applies just as well to Cribl, Vector, DataBahn, and whatever else surfaces over the next two years.

When I sketch what a real pipe layer needs to do for an AI security platform to deliver on its marketed capabilities, the list is short and stubbornly specific, and these are the four responsibilities that, in my experience, separate a pipe layer from a glorified log forwarder.

1. Streaming ingestion at environment-relevant throughput

The pipe layer needs multiple protocols (syslog, Kafka, S3 events, HTTP APIs, agent-generated structured logs) converging into a single streaming runtime, and it needs zero-copy transformations using Apache Arrow buffers so the serialization tax I describe in the Arrow and ADBC piece doesn't re-appear here. It also needs to be streaming-first rather than micro-batch, because micro-batch is where the latency story silently breaks for AI security workloads.

The throughput number matters, but only in context. A 5,000-person enterprise running comprehensive telemetry produces 1–10 TB/day, which is well under 1 Gbps sustained. A 100,000-person enterprise running comprehensive logging may peak at 50–100 Gbps during incidents. Tenzir markets 100+ Gbps ingestion, which is Tier B evidence (vendor claim, no independently audited benchmark I've found), and I'd treat it as a directional capacity claim rather than a number a procurement decision should rest on. So the right question for an architect isn't whether the pipe can do 100 Gbps, but whether the pipe handles your P99 burst without dropping events. My own ingest bench puts a measured floor under that question rather than a marketed ceiling: on a single host (sdw-lab, Tier B) Tenzir sustained about 89.6k events/sec, in the same range as rsyslog at 93.7k and well ahead of Vector at 26.1k, but the result that actually matters for a procurement decision is the reliability one — the Tenzir 6.0.0 static build segfaulted on roughly one run in six at the 1M-event mark, a cliff you find by measuring sustained behavior, not by reading a peak-throughput number off a datasheet.

2. Real-time schema normalization at ingest

Here the pipe layer needs native OCSF (Open Cybersecurity Schema Framework) mapping with automatic field detection, streaming normalization rather than post-processing, and schema-on-read flexibility for the long tail of vendor formats that haven't yet been mapped. The reason this is non-negotiable is that every downstream policy layer assumes a single, stable schema, and every fragmented pipeline that normalizes per source produces schema drift that eventually breaks the assumption. Centralizing normalization at the pipe layer is the only way I've seen this stay tractable over a multi-year deployment, with the normalization contract held fixed and the router behind it left replaceable (the ./moar swap-router check in docker/, with the OCSF mapping check in gate/).

I ran that check on the MOAR reference stack on 2026-06-07 (single host, ./moar swap-router): the same raw Okta event routed to OCSF Authentication through Vector, Tenzir, and Fluent Bit produced the identical OCSF Authentication contract across all three routers, down to class_uid 3002, the activity_id of 1 or 2, and the same user and src_ip fields. That's the point of centralizing the contract at the pipe layer rather than per router: the normalization output is the fixed point an architect can design against, while the router that produces it stays swappable, so a later migration from one engine to another doesn't ripple a new schema into every downstream policy platform. I want to be precise about what this is, because it's a contract-equality check on a single host (a portability proof that three routers agree on the OCSF output), not a throughput measurement, and the Tenzir 100+ Gbps capacity number stays a vendor-reported claim I haven't audited.

3. Intelligent routing

Here high-signal events go to the SIEM where the licensing cost is justified, bulk telemetry goes to the lake where it's cheap to retain, and threat intelligence enrichment happens once, at the routing layer, rather than independently in three downstream platforms. Cribl is the most production-validated example of this responsibility, because the company built its business on "route, reshape, reduce" and the third-party validation (RiverSafe's ~40% reduction in SIEM ingest is one example I've seen cited) is real. Tenzir markets the same routing capability with a stronger emphasis on Arrow-native transformation and TQL (Tenzir Query Language) as the routing-rule surface.

4. Lineage tracking

Here the pipe layer needs metadata that survives schema migrations, along with the ability to point at a specific detection decision and trace it back to the raw telemetry, the enrichment steps, the normalization version, and the routing rules in effect at the time. This is the responsibility that has the least vendor marketing attention and, in my view, the most compliance-driven future demand, because ML-driven detection without lineage isn't auditable, and an unauditable AI security platform is one regulator audit away from becoming a procurement crisis.

There are four vendors I'd put on a serious evaluation list today, each occupying a different point in the design space, and I'm naming them because vague references to "the pipe layer market" hide the actual trade-offs.

Tenzir

Tenzir is the vendor that markets most explicitly at the architectural layer I describe in this piece. The product centers on streaming ingestion with native OCSF support, Apache Arrow as the internal data shape, and TQL as the transformation and routing language. Differentiation against Cribl, in Tenzir's own framing, is the columnar-native internal pipeline and the schema-first approach to normalization. Evidence tier is B: Vallentin's CEO framing plus production deployment claims, no independently audited benchmark I've seen against security-shaped telemetry.

What I'd flag for an architect evaluating Tenzir today: the architectural claim is strong, the production reference list is smaller than Cribl's, and the 100+ Gbps capacity claim should be validated against your actual workload before a procurement decision rests on it. The Cribl vs Tenzir piece works through the head-to-head comparison in more detail.

Cribl

Cribl is the production-validated pipe layer for the cost-optimization use case. The "route, reshape, reduce" pattern reduces SIEM ingest cost by routing low-value telemetry to a cheaper store before it hits Splunk. Cribl Search adds a federated query capability across the routed data. Evidence tier is A on cost reduction (third-party validation, including RiverSafe's ~40% SIEM-ingest reduction reference, plus a long list of customer references). What Cribl doesn't aggressively market (and where I'd push on the architecture) is the schema-normalization and lineage-tracking responsibilities, because routing is the strongest piece while the rest is improving without being the headline.

Vector (Datadog)

Vector is the open-source pipe-layer tool that came out of Timber.io and is now stewarded by Datadog. It's high-throughput, written in Rust, and widely deployed in observability stacks. The honest framing for security architects: Vector handles the routing and transformation responsibilities well, doesn't have first-class OCSF support out of the box, and gets you off the Logstash treadmill if you're stuck there. It's the right answer when the problem you're solving is "I need a faster, more reliable pipe than Logstash," though it's a poorer fit when the problem is "I need a security-specific schema and lineage layer." The Datadog acquisition (2021) hasn't materially changed Vector's posture as an open-source project, though long-term governance is worth watching.

DataBahn

DataBahn is the newer entrant marketing AI-native security data fabric: automated parsing, schema drift detection, OCSF normalization, and pre-SIEM routing. The pitch is closest to Tenzir's in shape, with more emphasis on "AI agents handle parsing changes" as the differentiator. Evidence tier is C right now (vendor marketing, limited public production references in early 2026). I include DataBahn on the evaluation list because the category is moving quickly and the automated-parsing claim is the kind of capability that, if it holds up under real schema drift, materially changes the long-term cost of running a pipe layer. I would not bet an architecture on DataBahn today without proof-of-concept work against a representative slice of your telemetry.

Francis Odum's framing of the current AI security market is that AI security is becoming the control layer that merges DLP and DSPM into a single category. That's analyst commentary (Tier B), and I think the directional argument is correct: the boundary between "preventing data loss" and "managing data security posture" was always artificial, and AI-driven classification is the lever that collapses it.

The implication for the pipe layer is that the data layer underneath the merged control layer has to be unified too. You can't have one schema for DLP-classified events and a different schema for DSPM-classified events when the same policy engine is making decisions about both. The merged control layer requires a pipe layer that produces a single, consistent, lineage-aware view of all telemetry, and that requirement is what turns the pipe layer from a nice architectural cleanup into a structural precondition for the platform to work at all.

The honest counterargument is that the merger may not happen on the timeline analysts are projecting, or may happen with the merged category absorbing pipe-layer responsibilities into the policy platform itself, and both are possible. So the conservative architectural choice is to assume the pipe layer remains a distinct concern and to invest accordingly, because the cost of a clean pipe layer is much lower than the cost of retrofitting one underneath a policy platform that assumed it already existed.

If the audit surfaces gaps (which it will, in nearly every architecture I've evaluated), the investment order matters more than the choice of vendor. I'd prioritize as follows.

First, streaming ingestion with sub-second latency. This is the foundation everything else depends on. Without it, every downstream improvement is bounded by the worst-case latency of the slowest batch step. Vendor options range from Vector (open source, no security opinionation) to Cribl (production-validated, routing-first) to Tenzir (security-opinionated, Arrow-native), and you should pick based on what your team is going to operate rather than on whose marketing is most aligned with my framing.

Second, OCSF normalization at the ingest layer. Centralize the schema concern. Even if the policy layer above can handle multiple schemas, the operational cost of letting schema drift propagate compounds over time.

Third, lineage tracking. Build the metadata layer that lets every downstream decision be defended. This is the responsibility most likely to become a compliance requirement within two to three years, and the responsibility hardest to bolt on later. Iceberg V3's row-level lineage is one piece of the answer (the Iceberg vs Delta piece goes into detail), but it's not the whole answer at the pipe layer.

Fourth, intelligent routing. Cost optimization comes last not because it's unimportant (Cribl's customers will tell you it pays for the rest of the pipe layer), but because routing rules on top of an unreliable pipe just route unreliable data faster, so you want the foundation right before you optimize the economics.

The AI security platform market is crowded at the policy layer. The pipe layer is where the infrastructure gap sits, and where most architectures I evaluate are betting their DSPM, DLP, and AISPM investments without naming the bet.

The argument I'd make to a security architect today is straightforward, because your policy platform's "sub-100ms latency" or "real-time AI Guardian" claims may be technically accurate at the platform boundary, but they can only be as real-time as the pipes that feed them. If the pipes are batch ETL with hourly aggregation, then the policy platform is doing post-facto review, which may still be valuable even though it isn't the enforcement the marketing implies.

The work, in order: audit your end-to-end latency, centralize schema normalization at ingest, add lineage tracking, and then optimize routing economics. Pick a vendor (Tenzir, Cribl, Vector, DataBahn, or whatever ships next) based on which set of responsibilities you weight most. The vendor choice matters less than the architectural decision to treat the pipe layer as a distinct concern that the rest of the stack depends on.

The policy layer is crowded while the pipe layer is the gap, so fixing the pipes is what lets the policy platforms deliver what they promise.