Every security team has the same mandates this year. Cut ingest cost. Get the data infrastructure AI-ready. Modernize the SOC before the next board meeting. And do all of it without taking detection and response offline to get there.
One tiny problem with that though. Security-relevant telemetry is almost always in motion. Telemetry data is growing roughly 30% year over year. New sources come online. Pipelines get reshaped for cost, performance, and new use cases. Data gets filtered, reduced, rerouted, and replayed on its way to a SIEM, a lake, or both. Every one of those moves is healthy for the business. And every one of them ripples downstream into the data that fuels detection and response.
None of that motion is the issue. What has been missing is a layer built to keep detection and response in lockstep with it, one that connects every change back to the rules it touches before a blind spot can form.
Change isn't the risk. Changing blind is.
Security data is always changing, and the real risk is not change itself but losing visibility into what those changes break downstream. Detection rules can stay active while the data underneath them quietly shifts. In practice, Fig often finds that roughly a quarter of detection logic depends on upstream data flows that have moved outside the SOC’s line of sight. That matters even more in an AI-ready SOC, where broken logic scales faster.
Why this matters more in the AI-ready SOC
This matters even more for teams looking to get their data ready for AI.
Boards want AI in the SOC. AI wants accurate, reliable data, and the integrity to trust it. Those two facts are on a collision course unless the foundation underneath is continuously trustworthy.
An agent does not pause to ask whether a feed quietly changed shape last Tuesday. It runs on what it’s given. If you point an agent at a SOC where detections are silently broken, you don’t get a smarter SOC. You get broken playbooks running at machine speed across your whole environment. The value of a continuously validated, continuously mapped data foundation goes up sharply the moment AI enters the picture.
So the goal isn’t to just move the data faster. It is to move it freely and know, at every step, that detection and response will survive the move.
Fig and Cribl: Change your security data without losing coverage
Cribl gives teams a flexible architecture for that move. Cribl, the AI platform for telemetry, helps organizations collect, shape, reduce, route, and replay security data across any source and any destination, for humans and agents alike, at the scale AI requires.
Fig is the live observability and resilience layer above the SecOps stack. Using a deterministic security data lineage engine, Fig maps every data source, every schema, every pipeline, every parser, and every detection rule into one live graph. When the data changes shape, Fig sees it, traces the impact across every detection it touches, and proposes a safe fix the engineer can review and deploy with full version control and one-click rollback.
When you put them together, the equation changes. Cribl gives you control over your data. Fig gives you proof that detection and response hold as the data around them changes. Teams stop modernizing cautiously, one nervous change at a time, and start moving at the pace the business actually needs. With Cribl and Fig, you get a SOC that keeps detecting and responding while everything around it changes to meet the demands of AI (and your board).
What this means for Cribl customers
Three outcomes detection engineering teams see with Fig and Cribl:
Migrate without coverage gaps. Cribl replays your sources into the new detection environment in parallel. Fig proves every detection fires on the new data before you cut over, and shows exactly what would break if it did not. SIEM migrations that used to stretch into years compress into weeks, with parity proven instead of promised.
Cut SIEM cost without cutting coverage. Cribl filters, drops, and reroutes data between detection environments and security data lakes. Fig flags the moment a downstream detection would feel the change, so you can finally answer the question every team is afraid to ask: which sources can we trim with no security impact?
Build an AI-ready foundation you can trust. Cribl manages telemetry for both people and agents at AI scale. Fig keeps the detections, response flows, and underlying security logic that AI depends on intact as that telemetry foundation keeps evolving. The plumbing stays proven, so your agents are not quietly scaling broken logic across the SOC.
Ship changes like software. Model a new detection or a pipeline change, simulate its impact before it touches production, and deploy through CI/CD with full version control and one-click rollback. The careful, multi-week change becomes a tested, reviewable pull request instead of a leap of faith.
A foundation for what's next
Security data is only going to move more, not less. More sources, more pipelines, more rerouting between SIEMs and lakes, more decisions made by agents instead of analysts. The teams that win are the ones who can change their data infrastructure freely and never wonder whether they just opened a blind spot doing it.
That is what Fig and Cribl deliver together. Cribl gives you control over your telemetry, without the lock-in that used to come with it. Fig keeps detection and response resilient as that telemetry changes. Modernization stops being a year you survive and becomes something you ship.
Get started
Run an AI-readiness assessment on your SOC stack. A single read-only API key. no inline interception, no risk to production traffic. Real findings on your real environment within 24 hours.
Catch the Fig + Cribl session at Black Hat for the full joint motion and a live customer story. And request to join our exclusive event — House of SOC — on August 3rd.








