SEGARK Pipeline
Open-core · AGPLv3 — the free tier is actually free

Stop paying your SIEM to store noise.

SEGARK Pipeline normalizes every security source to OCSF, cuts ingestion volume before it costs you, and routes the rest to any SIEM, lake, or sink you choose. Detection runs in the pipeline — so threats surface before the storage bill does.

  • Open-core · AGPLv3 — the free tier is actually free
  • OCSF-native normalization
  • 14+ destinations, zero lock-in
  • Detection in the pipeline, not after the bill
The problem

Most of what you ingest is noise — and you're paying SIEM rates to store it

Your SIEM bill grows every quarter, but most of what you're paying to ingest is noise — verbose logs, duplicate events, and low-value telemetry that never triggers a detection. Meanwhile, every new data source means another brittle, vendor-specific connector, and the more you standardize on one platform, the harder it gets to ever leave. You're paying premium per-GB rates to store data you'll never query, locked into tooling you've outgrown.

Runaway ingestion costs

You pay top-dollar SIEM rates on full-fidelity firehoses, including the 60–80% of volume that has no detection or investigation value.

Vendor lock-in

Collection, normalization, and routing are all welded to one SIEM, so switching tools or adding a data lake means re-plumbing everything.

Slow, brittle onboarding

Each new source (EDR, firewall, cloud, identity) is a custom integration with its own schema, delaying coverage and leaving blind spots.

How it works

One control point between your sources and your SIEM

The result: a single, vendor-neutral control point between your security data and wherever it needs to go — so you cut ingestion cost, keep full control of your data, and onboard new sources without re-plumbing your stack.

1

Connect your sources

Point SEGARK Pipeline at Wazuh, Microsoft Defender, CrowdStrike, FortiGate, Windows Event Log, syslog, or push-ingest — onboarding is plugin-driven, so new sources come online in minutes, not sprints.

2

Normalize, reduce, and route

Every event is normalized to OCSF, stripped of redundant and low-value data, and routed by rule to the destinations that actually need it — across 14+ sinks, fully vendor-neutral.

3

Detect in-pipeline, then tier to cheap storage

Run detections as data flows through — not after it lands — and tier the full-fidelity stream to low-cost object storage so you keep everything for compliance and search without paying SIEM rates to store it.

Outcomes

What your team actually gets

Cut your SIEM bill, not your visibility

Reduce, filter, and route security data before it hits your SIEM — so you stop paying ingestion rates for noise while keeping every event you need for detection and compliance.

Own your data, skip the lock-in

Vendor-neutral routing to 14+ destinations — Splunk, Elastic, Sentinel, ClickHouse, S3, Kafka, LogScale and more — so you move sources and sinks freely instead of being trapped by any one vendor's format or contract.

Built for MSSPs, isolated by default

Multi-tenant hierarchy with reseller and partner management gives every customer hard-walled isolation from one console — onboard new tenants fast without spinning up separate stacks.

Detect and normalize in the pipeline

Every event is normalized to OCSF and run through in-pipeline detection as it flows — so threats surface in transit and downstream tools receive clean, consistent, analysis-ready data.

Why SEGARK Pipeline

Open-core honesty, security-grade engineering

The differences that matter when you put a pipeline in front of every security source.

A free tier that's actually free

SEGARK Pipeline is built on CentralOps, its open-source engine — full AGPLv3, self-hosted, and recompilable, with complete ingestion, routing, 14+ sinks, in-pipeline detection, and an OCSF base, and no feature held hostage behind a license check.

No SSO tax

SSO, OIDC, and RBAC ship in the free core. Access security is table stakes, not an upsell.

Detection happens in the pipeline

We don't just forward data and hope your SIEM catches it — detection runs in-stream, so signal is surfaced and enriched before storage, on its way to wherever you send it.

OCSF-native, end to end

Normalization to the Open Cybersecurity Schema Framework is built into the core path — not a bolt-on adapter — giving you consistent, portable events across every source and destination.

MSSP-grade multi-tenancy

A real tenant and reseller hierarchy with enforced cross-tenant isolation, designed for managed-service scale from day one rather than retrofitted onto a single-org product.

Secrets handled like you'd expect

Credentials and keys are managed through KMS / HashiCorp Vault — no plaintext secrets sitting in config — with offline-verifiable, air-gap-friendly licensing for the most restricted environments.

Pricing

Start free. Scale when you do.

The Community core is free forever. Pay only when you need a commercial posture, MSSP multi-tenancy, or Enterprise scale.

Community

Security engineers and single-team SOCs who want a real, self-hosted pipeline without a sales call.

Free, forever
Get started free
  • Full ingestion from any source — Wazuh, Defender/Sentinel, CrowdStrike, FortiGate, syslog, Windows Event Log, push-ingest
  • Vendor-neutral routing to 14+ destinations — Splunk HEC, Elastic, ClickHouse, S3, Sentinel, Kafka, LogScale, and more
  • In-pipeline detection and volume reduction — act on and shrink data before it hits your SIEM
  • OCSF-native normalization out of the box
  • SSO/OIDC + RBAC + KMS/Vault secrets — included, free
  • OTel-native observability; self-host on Docker Compose or Kubernetes

Starter

A single organization that's running SEGARK Pipeline in production and wants a supported, commercial posture.

From a flat monthly fee
Start with Starter
  • Everything in Community
  • Commercial license (no AGPL copyleft obligations)
  • Supported, single-tenant production posture with defined SLAs
  • Priority bug fixes and security patches
  • Onboarding assistance and version-upgrade guidance
  • Email/ticket support
Most popular

MSSP

Managed security providers and resellers running many customers from one platform.

Talk to sales
Talk to sales
  • Everything in Starter
  • Multi-tenant hierarchy with hard cross-tenant isolation
  • Reseller / partner management and per-org administration
  • Per-tenant routing, detection, quotas, and reporting
  • Scoped org-admin roles (delegated tenant management)
  • Onboard new customer orgs fast, without new deployments
  • MSSP-grade support and onboarding

Enterprise

Large security orgs and regulated environments needing federated search, compliance-grade audit, fleet scale, and air-gapped operation.

Talk to sales
Talk to sales
  • Everything in MSSP
  • Federated cross-source, async search across all tenants and sources
  • Cross-tenant audit & compliance reporting
  • HA / fleet operations at scale
  • Offline-verifiable, air-gapped-friendly licensing
  • Data residency / data-control controls
  • Premium support with named contacts and priority response

Need the full comparison? See detailed pricing →

FAQ

Answers before you ask

Everything teams want to know before they run SEGARK Pipeline in production.

Stop paying to store noise.

Spin up the free Community core in minutes — no sales call, no credit card. Upgrade to Starter, MSSP, or Enterprise whenever you're ready.