Sacra Logo
View PDF
View Model
San Francisco, CA
Clint Sharp
Home  >  Companies  >  Cribl
Cribl is a software company building observability and data pipeline solutions.







Growth Rate (y/y)








Sacra estimates that Cribl hit $120M annually recurring revenue (ARR) at the end of 2023, up 100% year-over-year, for a 21x forward revenue multiple on their $2.5B valuation (2022)—they grew from $1M to $100M faster than other infrastructure companies like Datadog, MongoDB and Twilio, with 145% net retention.

Compare to Datadog (NASDAQ: DDOG) at $2.4B ARR, up 26%, for a 18x multiple and $42B market cap, Elastic (NYSE: ESTC) at $1.3B ARR, up 19%, for a 7.6x multiple and $10B market cap, and Splunk (NYSE: CSCO) at $4.2B ARR, up 15%, for a 6.6x multiple and $28B acquisition by Cisco.



Founded in 2017, Cribl operates as the “Switzerland” of data pipelines, allowing teams to pull data from anywhere and then process, enrich, and pipe that data into any destination tool.

Organizations started as a tool letting companies take their data from Splunk, Kafka, Kinesis, Elastic Beats, and other sources, and then route it through Cribl into any number of destination apps: Snowflake, S3, Elastic, Hadoop, Datadog, and so on.

Cribl got started focused on observability, and selling into high-volume data teams that need help with their log analytics.

As of the mid-2010s, adding a new destination for your data meant rebuilding your data pipelines. The way this was solved was with each destination app vendor launching their own agent to capture your data automatically, and eventually you’d have each of your endpoints crowded with 3-5 agents all collecting the same data redundantly. What Cribl does is enable you to reuse your existing infrastructure for collecting data and then add new destinations much more quickly.

However, Cribl’s focus has shifted towards security. Cribl benefits from big tailwinds from the rise of ransomware and cyber attacks. With the rise in demand for data security tools comes a corresponding rise in the need to move data into many different tools. If a company decides they want to try e.g. CrowdStrike, Cribl makes it much easier to start sending their app and customer data into CrowdStrike.

Cribl is indexed on the best-of-breed approach to observability and security, where companies pick out the tools that are best for their particular use case, and then use Cribl to stitch together the system. That’s opposed to the all-in-one model followed by companies like Datadog that look to handle all observability and security tasks for their customers.

Business Model


Cribl is a subscription SaaS company that prices based on the amount of data a customer needs to ingest and process.

There are two paid editions of Cribl—Standard and Enterprise. Standard offers up to 5TB per day in data volume, one worker group, 50 max worker processes, and limited support hours. Their Enterprise plan is fully unlimited on data volume, worker groups, max worker processes, fleets, and all major usage components. Support is available 24 hours a day, 7 days a week.

Standard and Enterprise differ slightly on their individual billing rates for ingest and infrastructure: on Standard, ingest costs $0.27 in credits per GB while it costs $0.32 in credits per GB on Enterprise.

Lastly, the Cribl Free plan allows teams to sign up and try the product with a limit of 1TB per day in data ingest and processing, but access to unlimited pipelines and routes and data sources.


Cribl has few direct competitors, but there are a few key products that DevOps teams tend to look at alongside Cribl, and Cribl has “frenemy” dynamics that can be both complementary and competitive with Splunk.


Splunk launched in 2003 to allow companies to collect the massive amounts of machine data constantly being generated in their business—from everything from servers to software to factory equipment—and correlate and index it for analysis purposes.

WIth Splunk Enterprise, Splunk customers can then visualize that data through charts and dashboards and use it to look for security threats, identify site optimization opportunities, diagnose customer experience issues, and more.

Splunk’s usage-based pricing charges customers based on the amount of data that flows into Splunk. The downside of that, for many Splunk customers, is that their billing has grown out of control as the amount of data they’re generating as a business has increased over the last several years. Since 2010, the total amount of data being generated globally has increased roughly 75x.

Many Splunk customers log duplicate events and log voluminous categories like “every Windows event”, inflating the number of TB that they send into Splunk and inflating their bill as a result.

Cribl initially found product-market fit as a Splunk-compatible connector that could help teams using Splunk send less data into Splunk, saving them roughly ~30% on their total bill.

According to Splunk’s 2022 lawsuit against Cribl, however, Cribl has also succeeded in converting Splunk customers to using Cribl altogether.

Open source

Cribl is often compared to general purpose stream processing engines and open source log shippers like Apache NiFi, Fluentd, and Logstash.

In published benchmarks, Cribl Stream significantly outperformed Logstash and Fluentd in throughput and efficiency. Stream processed 7x more events per second than Logstash and Fluentd in a full pipeline test

A key strength of Cribl Stream is its ability to filter and reduce data before forwarding to destinations. Features like suppression, sampling, and dropping events can significantly cut costs.

While Logstash and Fluentd have some filtering capabilities, they are not as robust as Stream's data reduction features built for the observability use case.

Stream can also be deployed in multiple ways—as a worker group, an edge node, or even embedded in an application—while Logstash and Fluentd deployments are more standardized and lack the edge and embedded capabilities Stream provides.


The cloud monitoring and security platform Datadog acquired Timber Technologies in 2021 and with it, the Vector open-source project. Vector is an observability data pipeline product that allows users to collect, transform, and route logs and metrics.

While Cribl offers a broader set of features like edge collection and search, Vector’s primary purpose is to make it easier and less expensive for prospective and current Datadog customers to get their log data into Datadog.

Similar to Cribl, Vector has a free tier up to 1 TB/day of ingest.

Overall, the Vector acquisition allows Datadog to provide a flexible onramp for observability data, strengthening its position as a leading end-to-end platform. Vector also provides an element of vendor-agnosticism, as it can continue sending data to other platforms as needed, positioning Datadog as a platform that can serve many different observability tools.


Expanding ARPC

Cribl can increase revenue from existing customers by offering additional products and services, much in the same way that Splunk expanded its offerings over time from simple data ingest and indexing to search, security, application performance monitoring, and more.

Cribl has already expanded from its initial Cribl Stream product to include Cribl Edge for automatic detection of data on the source side and Cribl Search for a Splunk-like search experience. 

With Cribl's usage-based pricing model, customers naturally spend more as their data volumes grow—with additional products, they can increase customer usage even further by unlocking new capabilities. 

Introducing self-service capabilities with Stream Projects will allow a wider variety of users within 

an organization to access Cribl's products, potentially increasing usage and revenue per customer by going wall-to-wall throughout the organization.

New markets

While Cribl has seen strong adoption among large enterprises, with one-third of the Fortune 100 as customers, there is likely opportunity to expand further into the midmarket and smaller enterprises facing similar data challenges.

Geographically, Cribl is investing in expanding its presence and in EMEA and Asia-Pacific, making global expansion a big priority with their $200M Series C in 2021.

Cribl's Cribl for Startups program aims to seed future expansion by supporting early-stage companies in the observability and security markets with access to Cribl's products.


While Cribl has focused primarily on the observability and IT operations market to date, it is increasingly describing itself as "the Data Engine for IT and Security", signaling an expansion into cybersecurity use cases.

Partnerships with security-focused companies like CrowdStrike and Exabeam reinforce this push into security.

The core reason why cybersecurity has emerged as a big “second phase” opportunity for non-security companies like Cribl as well as others like Rubrik is that organizations today are struggling to effectively collect the right security data to detect and respond to modern security threats.

The volume of log and security data is exploding, making it expensive to collect, process and store everything. Cribl's products allow filtering and routing of data to control what gets ingested into expensive storage and analytics platforms.

There’s also a trend in cybersecurity towards more open and interoperable platforms rather than relying on a single vendor, providing a tailwind to vendor-agnostic data pipelines like Cribl’s.


This report is for information purposes only and is not to be used or considered as an offer or the solicitation of an offer to sell or to buy or subscribe for securities or other financial instruments. Nothing in this report constitutes investment, legal, accounting or tax advice or a representation that any investment or strategy is suitable or appropriate to your individual circumstances or otherwise constitutes a personal trade recommendation to you.

This research report has been prepared solely by Sacra and should not be considered a product of any person or entity that makes such report available, if any.

Information and opinions presented in the sections of the report were obtained or derived from sources Sacra believes are reliable, but Sacra makes no representation as to their accuracy or completeness. Past performance should not be taken as an indication or guarantee of future performance, and no representation or warranty, express or implied, is made regarding future performance. Information, opinions and estimates contained in this report reflect a determination at its original date of publication by Sacra and are subject to change without notice.

Sacra accepts no liability for loss arising from the use of the material presented in this report, except that this exclusion of liability does not apply to the extent that liability arises under specific statutes or regulations applicable to Sacra. Sacra may have issued, and may in the future issue, other reports that are inconsistent with, and reach different conclusions from, the information presented in this report. Those reports reflect different assumptions, views and analytical methods of the analysts who prepared them and Sacra is under no obligation to ensure that such other reports are brought to the attention of any recipient of this report.

All rights reserved. All material presented in this report, unless specifically indicated otherwise is under copyright to Sacra. Sacra reserves any and all intellectual property rights in the report. All trademarks, service marks and logos used in this report are trademarks or service marks or registered trademarks or service marks of Sacra. Any modification, copying, displaying, distributing, transmitting, publishing, licensing, creating derivative works from, or selling any report is strictly prohibited. None of the material, nor its content, nor any copy of it, may be altered in any way, transmitted to, copied or distributed to any other party, without the prior express written permission of Sacra. Any unauthorized duplication, redistribution or disclosure of this report will result in prosecution.