Pipeline Friendly Use Case
Most enterprises already have a data pipeline: Cribl, Fluentd, Vector, Logstash — routing, transforming, and filtering data before it hits the SIEM or lake. These tools are great at moving data. They do not detect threats.
Cribl's #1 use case is reducing volume before Splunk to control license costs. That means dropping data. The VPC flow logs, the DNS queries, the Sysmon event types that are too expensive to ingest — they get routed to cold storage or /dev/null. You're already paying to collect this data. You're just throwing it away before anyone looks at it.
What survives the filter goes to the SIEM for batch detection. What doesn't survive goes to the data lake for compliance — with zero detection. The pipeline is efficient. The detection has gaps the size of everything you dropped.
How does spotr.io do it?
spotr.io plugs into any point in the pipeline — before your SIEM, after your SIEM, or alongside it. Native integration with Kafka, Cribl, Vector, Fluentd, Logstash, syslog, HTTP, S3, Snowflake, Databricks, Splunk, Elastic, Sentinel.
Three deployment positions, one architecture:
Before SIEM: Sources → spotr.io → SIEM/Lake. Detect on the stream first, then forward enriched data downstream. Your SIEM becomes a search tool, not a detection engine.
In the pipeline: Sources → Cribl/Kafka → spotr.io. Tap the stream in parallel. No disruption. No migration. The data Cribl was about to drop? spotr.io detects on it first.
After SIEM: Sources → SIEM/Lake → spotr.io. Forward from your existing infrastructure. Add real-time detection to data you've already collected.
No rip-and-replace required. Keep your pipeline, keep your SIEM, keep your lake. Add real-time detection to all of it.
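As an added illustration of the "in the pipeline" position (this is example configuration written for this page, not spotr.io's or Vector's own documentation), a Vector config that fans one syslog source out twice: once through the volume-reducing filter that feeds the SIEM, and once, unfiltered, to a parallel HTTP sink, so the events the filter drops are still seen by the detection engine. The Splunk HEC endpoint, the HEC token variable and the spotr.io ingest URL are placeholders.

```toml
# Added example: Vector pipeline that taps the raw stream in parallel with
# the cost-control filter. Endpoint URLs and the token are placeholders.

[sources.syslog_in]
type    = "syslog"
address = "0.0.0.0:514"
mode    = "tcp"

# Cost-control filter: events this condition rejects never reach the SIEM.
[transforms.keep_for_siem]
type      = "filter"
inputs    = ["syslog_in"]
condition = '.severity != "debug" && !contains(string!(.message), "health-check")'

# The filtered stream goes to the SIEM exactly as before.
[sinks.to_siem]
type           = "splunk_hec_logs"
inputs         = ["keep_for_siem"]
endpoint       = "https://splunk.example.internal:8088"   # placeholder
default_token  = "${SPLUNK_HEC_TOKEN}"                     # placeholder, from env
encoding.codec = "json"

# Parallel tap: consumes the SAME unfiltered source, so everything the filter
# would drop still reaches detection. Adding this sink leaves to_siem unchanged.
[sinks.to_spotr]
type           = "http"
inputs         = ["syslog_in"]
uri            = "https://ingest.spotr.example/events"    # placeholder endpoint
encoding.codec = "json"
```

Pointing the detection sink at `syslog_in` rather than `keep_for_siem` is the whole trick: the SIEM's volume and license cost are untouched, while detection runs on the full stream.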
Our pipeline, your pipeline, any pipeline…
The Conversation
"What data are you routing to cold storage without any detection?" — If they're using Cribl, the answer is "a lot."
"You're already paying to collect that data. What if you could detect on it before you drop it — for a fraction of your SIEM cost?" — That's the Cribl play.
"Do you need to replace anything to deploy spotr.io?" — No. It plugs in wherever you are today.