Stop paying your SIEM to store noise.
SEGARK Pipeline normalizes every security source to OCSF, cuts ingestion volume before it costs you, and routes the rest to any SIEM, lake, or sink you choose. Detection runs in the pipeline — so threats surface before the storage bill does.
- Open-core · AGPLv3 — the free tier is actually free
- OCSF-native normalization
- 14+ destinations, zero lock-in
- Detection in the pipeline, not after the bill
Most of what you ingest is noise — and you're paying SIEM rates to store it
Your SIEM bill grows every quarter, but most of what you're paying to ingest is noise — verbose logs, duplicate events, and low-value telemetry that never triggers a detection. Meanwhile, every new data source means another brittle, vendor-specific connector, and the more you standardize on one platform, the harder it gets to ever leave. You're paying premium per-GB rates to store data you'll never query, locked into tooling you've outgrown.
Runaway ingestion costs
You pay top-dollar SIEM rates on full-fidelity firehoses, including the 60–80% of volume that has no detection or investigation value.
Vendor lock-in
Collection, normalization, and routing are all welded to one SIEM, so switching tools or adding a data lake means re-plumbing everything.
Slow, brittle onboarding
Each new source (EDR, firewall, cloud, identity) is a custom integration with its own schema, delaying coverage and leaving blind spots.
One control point between your sources and your SIEM
The result: a single, vendor-neutral control point between your security data and wherever it needs to go — so you cut ingestion cost, keep full control of your data, and onboard new sources without re-plumbing your stack.
Connect your sources
Point SEGARK Pipeline at Wazuh, Microsoft Defender, CrowdStrike, FortiGate, Windows Event Log, syslog, or push-ingest — onboarding is plugin-driven, so new sources come online in minutes, not sprints.
Normalize, reduce, and route
Every event is normalized to OCSF, stripped of redundant and low-value data, and routed by rule to the destinations that actually need it — across 14+ sinks, fully vendor-neutral.
Detect in-pipeline, then tier to cheap storage
Run detections as data flows through — not after it lands — and tier the full-fidelity stream to low-cost object storage so you keep everything for compliance and search without paying SIEM rates to store it.
What your team actually gets
Cut your SIEM bill, not your visibility
Reduce, filter, and route security data before it hits your SIEM — so you stop paying ingestion rates for noise while keeping every event you need for detection and compliance.
Own your data, skip the lock-in
Vendor-neutral routing to 14+ destinations — Splunk, Elastic, Sentinel, ClickHouse, S3, Kafka, LogScale and more — so you move sources and sinks freely instead of being trapped by any one vendor's format or contract.
Built for MSSPs, isolated by default
Multi-tenant hierarchy with reseller and partner management gives every customer hard-walled isolation from one console — onboard new tenants fast without spinning up separate stacks.
Detect and normalize in the pipeline
Every event is normalized to OCSF and run through in-pipeline detection as it flows — so threats surface in transit and downstream tools receive clean, consistent, analysis-ready data.
Open-core honesty, security-grade engineering
The differences that matter when you put a pipeline in front of every security source.
A free tier that's actually free
SEGARK Pipeline is built on CentralOps, its open-source engine — full AGPLv3, self-hosted, and recompilable, with complete ingestion, routing, 14+ sinks, in-pipeline detection, and an OCSF base, and no feature held hostage behind a license check.
No SSO tax
SSO, OIDC, and RBAC ship in the free core. Access security is table stakes, not an upsell.
Detection happens in the pipeline
We don't just forward data and hope your SIEM catches it — detection runs in-stream, so signal is surfaced and enriched before storage, on its way to wherever you send it.
OCSF-native, end to end
Normalization to the Open Cybersecurity Schema Framework is built into the core path — not a bolt-on adapter — giving you consistent, portable events across every source and destination.
MSSP-grade multi-tenancy
A real tenant and reseller hierarchy with enforced cross-tenant isolation, designed for managed-service scale from day one rather than retrofitted onto a single-org product.
Secrets handled like you'd expect
Credentials and keys are managed through KMS / HashiCorp Vault — no plaintext secrets sitting in config — with offline-verifiable, air-gap-friendly licensing for the most restricted environments.
Start free. Scale when you do.
The Community core is free forever. Pay only when you need a commercial posture, MSSP multi-tenancy, or Enterprise scale.
Community
Security engineers and single-team SOCs who want a real, self-hosted pipeline without a sales call.
- Full ingestion from any source — Wazuh, Defender/Sentinel, CrowdStrike, FortiGate, syslog, Windows Event Log, push-ingest
- Vendor-neutral routing to 14+ destinations — Splunk HEC, Elastic, ClickHouse, S3, Sentinel, Kafka, LogScale, and more
- In-pipeline detection and volume reduction — act on and shrink data before it hits your SIEM
- OCSF-native normalization out of the box
- SSO/OIDC + RBAC + KMS/Vault secrets — included, free
- OTel-native observability; self-host on Docker Compose or Kubernetes
Starter
A single organization that's running SEGARK Pipeline in production and wants a supported, commercial posture.
- Everything in Community
- Commercial license (no AGPL copyleft obligations)
- Supported, single-tenant production posture with defined SLAs
- Priority bug fixes and security patches
- Onboarding assistance and version-upgrade guidance
- Email/ticket support
MSSP
Managed security providers and resellers running many customers from one platform.
- Everything in Starter
- Multi-tenant hierarchy with hard cross-tenant isolation
- Reseller / partner management and per-org administration
- Per-tenant routing, detection, quotas, and reporting
- Scoped org-admin roles (delegated tenant management)
- Onboard new customer orgs fast, without new deployments
- MSSP-grade support and onboarding
Enterprise
Large security orgs and regulated environments needing federated search, compliance-grade audit, fleet scale, and air-gapped operation.
- Everything in MSSP
- Federated cross-source, async search across all tenants and sources
- Cross-tenant audit & compliance reporting
- HA / fleet operations at scale
- Offline-verifiable, air-gapped-friendly licensing
- Data residency / data-control controls
- Premium support with named contacts and priority response
Need the full comparison? See detailed pricing →
Answers before you ask
Everything teams want to know before they run SEGARK Pipeline in production.
Stop paying to store noise.
Spin up the free Community core in minutes — no sales call, no credit card. Upgrade to Starter, MSSP, or Enterprise whenever you're ready.