CHICAGO, IL • SEPTEMBER 28-30, 2026
What magic lies ahead? Peer into the future...
AGENDA
CriblCon at-a-glance
Peer into the future! Take a look at what magical sessions await you.
CriblCon Keynote
Join Cribl’s co-founders and executive leaders for a look at how Cribl, the AI Platform for Telemetry, is helping Security and IT teams unlock the full value of their data in the AI era. Built on an AI-first architecture, Cribl gives teams the choice, control, and flexibility to build the apps and workflows they need for both human analysts and AI agents.
Expect big-picture vision, product innovation, live demos, and a glimpse at how Cribl is shaping what’s next as an open, flexible, and future-proof platform for telemetry. Consider this your first glimpse at the practical spellbook for the AI-ready future.
This is where the future of Agentic Telemetry starts to take shape — and where a little Magic in the Making becomes what’s next.
Customer Panel: From Vision to Reality
Join us for a candid conversation with Cribl customers about what it really takes to move from AI vision to practical action. This session will explore the trade-offs, challenges, and progress teams are making as they navigate AI adoption, telemetry strategy, and the path from where they are today to what’s next.
The Cribl Data Royale
Show off your data skills and come play in our Jeopardy / Capture the Flag style game. It’s your first day as the newest hire at Cribl Coffee Company on the Data for IT and Security (DITS) team. You’re a Cribl pro, and it’s time to prove it.
You and your teammate will race against the clock to close as many tickets as possible, debug frustrating “coffee-stained” puzzles, and out-caffeinate, out-hack, and out-goat the competition. We’ve got prizes, plenty of laughs, and a chance to sharpen your Cribl skills along the way.
App Hackathon
Bring your app, your idea, or just your laptop and agent.
This is dedicated time to build on the Cribl AI platform with Cribl PMs, community members, and the people who know the product best in the same room. If you've been working on something and need to get it across the finish line, this is your moment. If you've been curious about building and haven't started yet, there's no better place to take your first shot at it.
Best apps submitted will be judged at the end of the day and awarded prizes. Fame and fortune can be YOURS!
A Large Financial Enterprise's Journey Modernizing Telemetry Strategy
In this moderated Q&A, a SVP of Cybersecurity - Security Engineering & Data Protection and a Vice President of Enterprise Technology Tooling will discuss how an urgent logging challenge evolved into a broader, multi-year telemetry modernization effort inside a large, regulated enterprise.
The session will highlight not only the technical evolution, but also the partnership that made it possible — how a line-of-business team and a centralized platform owner built trust, aligned on ownership, and expanded the strategy without disrupting the teams closest to the work.
Apps on Cribl: Architecting for the Speed of Vibe Coding
AI-assisted development has collapsed the time from idea to working app from weeks to minutes — but the platforms your team depends on still take weeks to ship a feature, and for good reason. Reliability at scale demands rigor. So how do you give your teams AI-speed iteration without sacrificing the stability you've built your critical workflows on?
This session goes inside the architectural decisions behind building apps on Cribl’s platform: how we separated AI velocity from platform stability using a strict trust boundary, sandboxed execution, and a controlled set of managed backend primitives (state, webhooks, secure proxies). We'll cover what we chose to build, what we deliberately deferred, and how the same model applies to any platform facing the AI-speed shift.
You'll leave with:
- A framework for thinking about the trade-off between customization velocity and platform rigor
- The three architectural principles that make AI-assisted extensibility safe: trust boundaries, sandboxed execution, and managed backend primitives
- Guidance on when to build a custom app, when to extend with a pack, and when to push for first-party capability
Intended for architects, platform engineers, and technical leaders thinking about application building in the AI era.
Speakers:
- Glenn Block, Sr Group Product Manager, Cribl
- Nick Romito, Software Architect, Cribl
From Flow Logs to Flexible Telemetry: How a Global Hospitality Company Scaled for What’s Next
As the organization’s cloud footprint grew, so did the complexity of its telemetry program: inconsistent VPC flow log formats, manual account-by-account setup, compliance gaps, and rising data costs all made it difficult to scale efficiently. In this session, a Global Hospitality Company will share how it matured its centralized logging service with AWS Control Tower to enforce standards, Cribl to centralize and optimize data delivery, and S3 as the storage layer to decouple retention from analysis.
The result was a more auditable, scalable telemetry pipeline that reduced VPC flow log volume by 38%, lowered costs, and made the organization’s data more flexible for future use cases — including AI-ready analytics and whatever tool comes next. This session will walk through the operational and architectural changes that helped move from manual processes to a scalable data strategy built for compliance, efficiency, and reuse.
Attendees will learn:
- Why setting telemetry standards, and a happy path to follow them, is critical at cloud scale
- How to reduce ingest volume and cost while preserving the data that matters
- Why separating storage from analysis creates a more flexible, reusable telemetry foundation
- How to frame telemetry modernization in terms of measurable operational and business value
From Vendor Lock-in to Data Freedom: Velera's Three-Year Logging Maturity Journey
Facing double-digit annual increases in logging costs, Velera broke free from vendor lock-in by shifting from a "rip and replace" strategy to a data pipeline-first approach. By implementing a tiered architecture for collection, transformation, and unified analytics, Velera achieved over $1M in measurable ROI.
In this session, you’ll learn how Velera:
- Cut cloud-based logging OpEx by $500K and freed 100TB of storage.
- Reduced daily log ingestion by 60% using intelligent filtering and deduplication.
- Integrated new tools—including APM and lakehouse engines—without breaking existing infrastructure.
- How a "Cribl-first" mindset turns persistent data challenges into predictable, repeatable success.
- Discover how to stop fighting your tools and start mastering your data strategy.
Speakers:
- Earl Diem, Vice President, Operations Engineering, Velera
- Dhevasenapathy R S, Manager, Monitoring & Logging, IT Operations Engineering, Velera
Hunting Threats with AI: How Cribl's Security Team Uses the Run Investigation Capability in Cribl Search
AI promises to transform security operations, but what does that actually look like day-to-day? In this session, Cribl's own security team pulls back the curtain on how they use Cribl Search’s AI-powered investigation feature to hunt for threats, investigate anomalies, and quickly respond to incidents across their environment. Expect real workflows, honest lessons learned, and concrete examples of threats that AI helped surface that traditional approaches missed. Whether you're evaluating the new tool or already using it, you'll walk away with practical tips and tricks that can help you get to the bottom of incidents faster.
Attendees will learn:
- How Cribl's security team structures AI-assisted threat hunting, including query and prompt strategies that actually work
- Real examples of threats and anomalies surfaced using Cribl’s investigative tools
- Where AI accelerates workflows and where a human still needs to lead
- How data quality in your Cribl pipelines directly affects AI output
Speaker:
- Alexandria Crusco, Staff Security Engineer, Cribl
- Nicole Beckwith, Sr. Director, Security Engineering and Operations, Cribl
Inside Cribl Search and Lake: The Future of Data Access, Storage, Analysis, and Investigations
Your data is everywhere — hot storage, cold storage, across silos — and your investigation tools were never built for that reality. Costs keep climbing, historical data stays out of reach, and analysts waste time chasing down context that should already be at their fingertips.
This session is a full showcase of what Cribl Search and Cribl Lake can do together. We’ll walk through the federated and lakehouse engines, how Cribl Lake provides a cost-effective home for high-volume telemetry without sacrificing queryability, and how teams can access and analyze data across environments from a single search experience.
We'll also dig into one of the biggest shifts this combination enables: a genuine path away from SIEM dependency. Store your data where you want, search it instantly, and gradually evolve toward a more flexible architecture — without losing visibility at any step.
You'll leave with:
- A clear picture of what Cribl Search and Lake can do together across federated and lakehouse engines
- Practical use cases for faster, more cost-effective investigations
- Strategies for reducing SIEM reliance without sacrificing visibility
- A look at what's new and what's coming
For analysts, detection engineers, and security architects looking to modernize how their teams find and act on data.
Speakers:
- Dan Marantz, Sr. Director Product Management, Cribl
- Rick Salsa, Sr. Staff Product Manager, Cribl
Live-Fire Lessons: Accelerating Incident Response with Cribl Search Investigations and Notebooks
Previously, during South Australia Power Networks’ incident response live-fire exercise (based on real-world incidents), we found that tool-switching and query translation challenges consistently slowed down our SOC analyst response times. Our incident documentation fell behind our active threat hunt, making timeline reconstruction a major constraint during our post-incident reviews. We addressed this challenge by building a workflow with Cribl that bridges the gap between active threat hunting and real-time incident logging.
In this session, we will walk you through the highlights of our annual nation-wide live-fire exercise (codename: Trident). We will demonstrate how our SOC analysts utilised the "Run Investigation" feature in Cribl Search to launch natural-language queries and how we leveraged Cribl Notebooks as our live war room. We will share how this combined approach eliminated constant tool-switching, automated our post-incident review reporting, and improved our overall Mean Time to Resolution (MTTR).
Attendees will learn:
- How to use the "Run Investigation" workspace to bypass query translation hurdles and allow analysts to search across diverse security datasets.
- A method for configuring Cribl Notebooks to consolidate active threat hunts, including executable search queries alongside real-time SOC analyst notes to maintain a single, collaborative source of truth during an incident.
- A practical workflow for capturing live investigative steps and search history to automatically reconstruct chronological attack timelines, removing the manual documentation constraints that delay PIR reporting.
Speaker:
- Lindbergh Caldeira, Cyber Security Operations Manager, South Australia Power Networks
Looking Over The Edge — Eliminating Agents and Simplifying Data Collection at PNNL
What happens when endpoint data collection gets too fragmented, too manual, and too hard to manage? Pacific Northwest National Laboratory will share how they tackled that challenge with Cribl Edge, simplifying endpoint data collection and reducing agent sprawl. In this session, attendees will hear how PNNL replaced file monitoring, scripted inputs, and metrics collection from multiple tools across Windows, Linux, and Mac endpoints with a single centrally managed approach.
Attendees will leave with practical lessons learned and clear examples for getting started, organizing Fleets, consolidating agents, improving data quality, and monitoring performance at scale.
Attendees will learn:
- How to get started with Cribl Edge
- Best practices for organizing Fleets
- How to consolidate multiple agents into one approach
- Ways to improve data quality at the edge
- How to monitor endpoint performance effectively
Speaker:
- Justin Brown, Senior IT Engineer, Pacific Northwest National Laboratory
Managing Cribl at Petabyte Scale: Infrastructure Observability in an AI-Driven World
As data volumes grow exponentially, managing observability infrastructure at petabyte scale demands a fundamentally different approach. In this session, Scott Burger from ServiceNow — one of Cribl's largest global deployments — shares how his team has navigated the challenge of operating Cribl at massive scale, and how the rise of AI is reshaping what infrastructure management looks like in practice.
From lessons learned to evolving best practices, Scott will walk through the key shifts his team has made over the past year and what it means to future-proof an observability pipeline when the landscape is changing faster than ever. This session is ideal for anyone responsible for observability, infrastructure, or data strategy at enterprise scale, especially those looking to understand how to operate and adapt in an AI-driven environment.
Attendees will learn:
- What managing Cribl at petabyte scale actually looks like inside a real enterprise environment
- How AI is changing infrastructure and observability strategy in practice
- Practical insights and lessons from one of the world's largest Cribl deployments
- How to think about adaptability and future-proofing when building observability pipelines
Speaker:
- Scott Burger, Lead Security Data Engineer, ServiceNow
Navigating Towards Full Observability: A Telco's Cyber Defense Team Journey
When you're one of the largest telecommunications companies in Portugal, infrastructure doesn't just grow — it accumulates. Years of mergers and acquisitions left NOS's Cyber Defense team with a sprawling, heterogeneous environment: fragmented logging, blind spots, and a legacy SIEM that had become both a single point of failure and a vendor lock-in trap.
In this session, the NOS team shares how they broke that cycle by building a modern observability pipeline with Cribl Stream to unify over 40,000 event sources across hundreds of distinct technologies. We'll walk through four architecture iterations, from an initial deployment to a fully redundant, multi-datacenter design using border gateway protocols (BGP) anycast for transparent failover, Git-backed configuration-as-code, and a universal logging service as simple to consume as DNS or NTP.
You'll hear the real story: onboarding data sources nobody fully documented, navigating the political and technical inertia of a large enterprise, and how Cribl became the connective tissue that made every corner of every datacenter visible, searchable, and actionable.
Attendees will leave knowing how to:
- Achieve extreme scalability and redundancy with IP anycast
- Manage log source diversity in telco environments
- Architect for high-volume rollout: prepare once, scale many
Whether you're dealing with M&A sprawl, legacy SIEM fatigue, or trying to turn logging into a scalable enterprise service — this session delivers the architectural playbook and the hard-won lessons to do it right.
Speakers:
- João Marono, SOC Engineer, NOS Communications
- Miguel Viana, SOC Engineer, NOS Communications
Optimize and ‘Metricsize’
Filtering and dropping data gets you so far, and we’ll do that here. But rolling logs to metrics gets you further.
In this lab, you'll get the basics of data reduction AND get hands-on with converting high-volume log data into metrics inside Cribl Stream. Get better insights at a fraction of the storage with faster search times. You'll learn when it makes sense, how to do it right, and walk away with techniques you can apply to your own data now.
Pack Like a Pro
Building a Cribl Pack is one thing. Building one that works in your environment, someone else's environment, and prod at 2am is a different skill set entirely.
In this lab, VisiCore's Paul Stout brings the hard-won knowledge of someone who has built Packs, broken Packs, and figured out exactly why. You will get hands-on with a REST collector-based Pack and walk through the decisions that separate a Pack that holds up from one that falls apart the moment it leaves your laptop.
Expect real tips on auth, structure, and portability that you won't find in the docs. Leave with a repeatable approach you can trust when you get back to your own environment.
Reducing Complexity and Improving Observability: How UWM Modernized Log, Metrics, and Traces Ingestion with Cribl
As observability environments grow, custom integrations can become difficult to maintain, secure, and scale. In this session, we’ll share how United Wholesale Mortgage evolved from a custom Cribl-to-Dynatrace webhook architecture to a modern observability strategy using native Cribl Destination integrations, OpenTelemetry Protocol (OTLP), semantic normalization, and custom data enrichment. We’ll discuss challenges encountered with custom destinations, lessons learned during migration, operational benefits gained, and how Cribl is helping prepare our organization for future observability initiatives.
Attendees will leave this session:
- Understanding the tradeoffs and failure points encountered with custom integrations, and the practical lessons that made the new model easier to secure, scale, and operate.
- Strategies in Cribl to normalize, enrich, and standardize telemetry data landing in Dynatrace (or other destinations), to promote efficiency of downstream relational context, incident operations, and future automated workflows.
- With a HTTP/OTLP Post-Processing Cribl Pack you can quickly integrate your telemetry into the Dynatrace ecosystem via Cribl.
Speakers:
- Kristen Emmanuel, Observability Administrator, United Wholesale Mortgage
- Byron Kenan, Observability, Event Log Management Lead, United Wholesale Mortgage
- Randy Corelli, Staff Customer Success Engineer, Cribl
Rev Your (Lakehouse) Engine
Ready for a schema aware and lightning fast search experience? We’ve got just the thing: Lakehouse Engine Search. It can ingest your data, recognize its structure, and organize it into queryable datasets automatically.
In this lab, you'll get a Lakehouse Engine running, understand how datatypes and dataset intelligence shape your data, and write KQL queries to pull answers out of it. Or try out natural language queries and let the engine do the work.
By the end, you'll have hands-on experience with every layer: from getting data in to getting results back.
"Seconds, Not Hours": How Copart is Building an AI-Ready Data Plane for Security Operations
How do you move from traditional, human-driven defense-in-depth to an AI-enabled security model that responds in seconds? At Copart, that question is reshaping our approach to security telemetry, with Cribl serving as the foundational data plane.
Explore how Copart transitioned from SIEM log optimization to a centralized telemetry strategy, creating the necessary flexibility to power emerging AI-driven security workflows. We’ll walk through the architecture that provides agility across diverse tools, and the people and process work—governance, change management, and alignment—required to mature AI initiatives into repeatable operations.
This session provides the strategic framework and practitioner insights to help you:
- Architect a centralized data plane to enable dynamic, AI-driven security operations.
- Maintain tool-agnostic flexibility across SIEMs, data lakes, and cloud tools without rebuilding pipelines.
- Operationalize AI through essential governance and organizational alignment.
- Accelerate outcomes by reducing log onboarding from hours to minutes, improving MTTD and MTTR.
- Follow a proven adoption path from SIEM optimization to AI/agent enablement.
Speakers:
- Alexander Ondrick, Cyber Security Operations Senior Manager, Copart
- Aakash Sahu, Senior Cyber Security Engineer, Copart
The Edge Case
We might have 99 problems but our agent shouldn’t be one. Come learn the fundamentals of our data collection agent: Cribl Edge.
In this lab, you’ll learn how to deploy and manage your fleets of agents. Get the lowdown on setting up collection, best practices, and maximizing your license. You’ll use the unique capabilities like teleporting and leveraging Search to interrogate your nodes. If you’re exploring your agent options then this is the lab for you.
The OTEL Pipeline Playbook
Getting OTEL data into Cribl Stream has its tricks. Knowing what to do with it once it's there takes even more know-how.
In this lab, you'll cover how to get OTEL data in the door, what it looks like inside Stream, and how to shape, route, and optimize it through your pipelines. Learn real patterns you can take back and use.
The problem with SIEMs… but you knew that already
Security operations were built for a world where humans investigated alerts after data was already centralized and stored. That model is breaking down.
SIEM costs are exploding, telemetry volumes are surging, and AI is raising the stakes on both sides — attackers are moving faster, and defenders now need enriched, high-quality data available before a query ever runs. Traditional SIEM-centric architectures weren't built for this.
This session makes the case for shifting detections directly into the telemetry stream — evaluating, enriching, and correlating data in motion before it's ever indexed. We'll explore the architectural and operational challenges driving this shift, why AI makes stream-based approaches not just better but necessary, and share something we've been building that brings this vision to life.
You'll leave with:
- A clear picture of what "detections in the stream" actually means in practice
- Strategies for cutting SIEM costs without sacrificing visibility
- An understanding of why AI accelerates the case for architectural change in the SOC
For SOC leaders, detection engineers, security architects, and platform teams modernizing their detection strategy for the AI era.
Speakers:
- Bani Shahbaz, Head of Engineering, Security Products, Cribl
- Jack Coates, Sr. Director Product Management, Cribl
This is Fine.
We're handing you a broken environment. Nothing personal; it's educational.
In this lab, you'll work through real issues pulled from actual customer environments across Cribl Stream, Edge, and Search. Fix bad configs, pipeline problems, and the kind of mistakes that seem obvious in hindsight. For each scenario, you'll see what the problem looks like, understand why it happens, and walk through how to fix it.
Come out knowing what to look for before things go sideways in your own environment.