Cribl
Left of Cribl Engineering

Your Pipeline Is Only as Good as What Feeds It.

Most Cribl partners start at the pipeline. We start at the source. Blue Cycle has built 100+ custom Python and Golang integrations for security products with wonky APIs, unreliable native logging, or event streams too large to ingest raw. If the data isn't getting into Cribl cleanly or reliably, we build the thing that fixes it.

Everything Upstream of the Pipeline

The Problem

"Left of Cribl" is the engineering that happens before data enters the pipeline. Source configuration, custom collection, API integration, data normalization at the point of creation. Most firms skip this and force-fit data into existing formats — or worse, just accept the gaps.

Security vendors ship APIs that lose events under load. Native logging doesn't capture what your SOC needs. Proprietary formats don't map to anything your SIEM understands. Legacy systems don't have APIs at all. Cribl can't route data it never receives.

The Solution

Blue Cycle has built 100+ custom Python and Golang integrations that solve the upstream problem for security data sources. These aren't scripts — they're production-grade collectors deployed in Kubernetes, AWS Lambda, or Azure Function Apps, purpose-built for each runtime environment.

We handle the hard cases: vendors with unreliable APIs where lossless logging breaks down, event streams too large to ingest whole that need pre-pipeline filtering, and proprietary systems that don't speak any standard protocol. Every integration is battle-tested, QA'd, and optimized for resilience and cost effectiveness.

Products: Cribl Stream, Cribl Edge

What We Build

Custom Python Integrations

100+ production-grade collectors for security data sources that don't have reliable native integrations. Deployed in Kubernetes, AWS Lambda, or Azure Function Apps — optimized for each runtime's performance characteristics and failure modes.

Custom Cribl Packs

600+ packs built and counting. We contribute to the Cribl Pack Dispensary on GitHub and engineer packs for security data sources, enterprise systems, and niche platforms. Each pack ships with parsing, normalization, and routing rules ready to deploy.

Detection Engineering

Detection-as-Code pipelines that connect upstream data collection to downstream analytics. Schema mapping, field normalization, and enrichment at the source — so your detection content works the first time data hits your SIEM.

See It In Action

We don't just talk about custom integrations — we publish them. Here's what a creative Cribl integration looks like in practice.

GreyNoise + Cribl: Real-Time IP Enrichment

A collaboration between Blue Cycle, Cribl, and GreyNoise. The problem: Cribl Stream processes events at volumes too high for REST API lookups. Our solution: a custom Docker-based Redis integration that keeps a local GreyNoise dataset updated and performs IP enrichment at wire speed — no API rate limits, no dropped lookups.

The pack, published on the Cribl Pack Dispensary on GitHub, enriches source IPs with GreyNoise malicious disposition data in real time, directly inside the Cribl pipeline. It's the kind of engineering that happens when you understand both the upstream data source and the pipeline constraints.

Published on the Cribl Pack Dispensary

Blue Cycle contributes to the Cribl Pack Dispensary on GitHub — the official open-source repository where Cribl and its partners publish production-ready packs for Stream and Edge.

This is what 600+ packs look like in practice: real integrations, published code, community contributions. Not marketing claims — deployed solutions you can inspect, fork, and run.

Stack: Python · Redis · Docker · Cribl Stream
Partners: Blue Cycle · Cribl · GreyNoise

How We Deliver: Organize → Transform → Accelerate

Organize

Source discovery & gap analysis. API reliability assessment. Data quality audit per source. Runtime environment evaluation. Integration priority mapping.

Transform

Custom Python integration development. Cribl pack building & testing. Source-side normalization & filtering. Runtime deployment (K8s / Lambda / Azure). End-to-end integration validation.

Accelerate

Detection content development. Ongoing pack & integration maintenance. New source onboarding playbooks. Performance monitoring & alerting. Quarterly integration reviews.

What You Walk Away With

Custom Python integrations (deployed & production-ready)

Custom Cribl packs for your specific sources

Source integration documentation & runbooks

Detection content aligned to normalized data

Runtime deployment configs (K8s, Lambda, or Azure Functions)

Monitoring & alerting for integration health

Ongoing maintenance & support plan
