Cybersecurity company SentinelOne has announced its intent to acquire Observo AI, a data streaming platform focused on AI-native telemetry pipeline management. The acquisition is expected to strengthen SentinelOne’s AI-driven security offerings, particularly its AI Security Information and Event Management (SIEM) product.
Eran Ashkenazi, Chief Business Officer at SentinelOne, noted that artificial intelligence has been central to the company’s approach from the beginning. “For SentinelOne, we were kind of using AI before it was called AI,” he told AIM Media House. “From the get-go, we took a completely different approach. We wanted to take all the intelligence and put it on the edge device itself.”
According to Ashkenazi, the company’s use of machine learning and neural networks dates back more than a decade. “We created machine learning algorithms and used neural networks in order to put those brains inside the agent, initially with our behavioral-based detection and eventually also with static detection,” he said. “That pedigree has been lasting for quite some time.”
The decision to acquire Observo AI followed an evaluation of multiple vendors. “Our initial hunt actually started with us looking for ways to improve our AI SIEM ingestion capabilities and have a better, easier way to add a lot of connectors,” Ashkenazi said. “As we were going through that process, we started to realize that perhaps we need more than just an OEM, perhaps we need to have that capability in house.”
After assessing nine potential vendors, SentinelOne narrowed the list to three before selecting Observo. “We were looking at a lot of different things: performance, connectors, deployment flexibility, open standards support, in-stream anomaly detection, PII masking,” Ashkenazi said. “Observo just came as the clear winner.”
Data Reduction and Cost Implications
One of the main benefits of Observo’s technology is its ability to reduce data volumes before they reach a SIEM. Ashkenazi described customer experiences during due diligence: “I’ve spoken with multiple customers, some of them Fortune 500, that are using Observo and seen reductions that are in the realm of 60 to 70% or even more. In some cases, that actually translates to huge savings.”
The reduction in data volumes directly affects expenses. “Storage and ingestion cost money. Specifically on Splunk, if you go and you ask a customer, ‘Are you happy with what you’re paying Splunk?’ they’ll tell you no,” Ashkenazi said. “So reducing that footprint by 60 or 70% for some organizations could mean savings of millions of dollars.”
Ashkenazi also highlighted the flexibility Observo offers in data management. “Observo allows CISOs and CIOs to decouple the data ingest and the streaming from the actual SIEM or data lake solution they’re using,” he said. “You are no longer hostages of your existing SIEM technology. You can decouple it and control your own destiny, whether that destiny is with SentinelOne or with any other SIEM provider.”
The Observo platform will remain available as a standalone product. “Observo and Prompt, for that matter, continue to be independent business units,” Ashkenazi said. “The reality is that Observo’s solution is available today to both SentinelOne and non-SentinelOne customers as early as today.” He added that integration with SentinelOne’s AI SIEM is already underway: “There are some releases that are going to be available within a matter of probably around a month and a half with the beta program starting in the next two weeks.”
For security operations teams, Ashkenazi said the impact will be practical. “When you talk about data filtration, it’s actually non-interfering at all. It will be just an additional capability of having less garbage data in the SIEM to allow not just less space usage and lower bills, but also more fine-tuned queries,” he said.
He added that Observo’s enrichment and anomaly detection features could shift detection timelines. “You’re basically elevating your detection capabilities more to a real-time fashion,” Ashkenazi explained. “The idea of having more detection capabilities in the streaming itself allows you to take some of those detection capabilities into real time, even if you’re using an older SIEM solution.”
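The filtration, PII masking, enrichment and in-stream detection Ashkenazi describes above, as an added illustration that is not Observo’s or SentinelOne’s code: a minimal Python pipeline stage over constructed sample events that drops heartbeats, rolls up repeated allowed flows into one summary record, pseudonymises e-mail addresses with a keyed hash, tags source addresses as internal or external, and flags a login success that follows repeated failures, all before anything is forwarded to a SIEM. The event shape, the pseudonym key and the failure threshold are assumptions.

```python
import hashlib
import ipaddress
# Constructed sample telemetry (not real customer data): repeated allows, a heartbeat, a brute-force burst.
RAW_EVENTS = [
    {"src": "fw", "action": "allow", "user": "alice@example.com", "ip": "10.0.0.5", "bytes": 120},
    {"src": "fw", "action": "allow", "user": "alice@example.com", "ip": "10.0.0.5", "bytes": 10},
    {"src": "fw", "action": "deny", "user": "bob@example.com", "ip": "203.0.113.9", "bytes": 0},
    {"src": "auth", "action": "login_failed", "user": "carol@example.com", "ip": "203.0.113.9"},
    {"src": "auth", "action": "login_failed", "user": "carol@example.com", "ip": "203.0.113.9"},
    {"src": "auth", "action": "login_failed", "user": "carol@example.com", "ip": "203.0.113.9"},
    {"src": "auth", "action": "login_ok", "user": "carol@example.com", "ip": "203.0.113.9"},
    {"src": "agent", "action": "heartbeat"},
]
PSEUDONYM_KEY = b"placeholder-per-tenant-secret"  # hypothetical; rotate it and keep it out of the SIEM
FAIL_THRESHOLD = 3  # failed logins before a following success is flagged in-stream
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
def mask_user(email):
    """Keyed, truncated hash: the e-mail leaves the stream, but records for one user still join."""
    return "user-" + hashlib.sha256(PSEUDONYM_KEY + email.lower().encode()).hexdigest()[:12]

def enrich(ev):
    """Tag the source address at ingest so SIEM queries need not compute it later."""
    if "ip" in ev:
        addr = ipaddress.ip_address(ev["ip"])
        ev["ip_scope"] = "internal" if any(addr in n for n in INTERNAL_NETS) else "external"
    return ev

def reduce_stream(events):
    """Drop heartbeats, roll up allowed flows, mask PII, enrich, and flag brute force in-stream."""
    out, allow_rollup, fail_counts = [], {}, {}
    for ev in events:
        if ev["action"] == "heartbeat":
            continue  # liveness noise: meter it if you must, never store it per event
        ev = dict(ev)
        if "user" in ev:
            ev["user"] = mask_user(ev["user"])
        enrich(ev)
        key = (ev.get("user"), ev.get("ip"))
        if ev["action"] == "allow":  # many permitted flows become one summary record
            agg = allow_rollup.setdefault(key, {**ev, "count": 0, "bytes": 0})
            agg["count"] += 1
            agg["bytes"] += ev["bytes"]
            continue
        if ev["action"] == "login_failed":
            fail_counts[key] = fail_counts.get(key, 0) + 1
        elif ev["action"] == "login_ok" and fail_counts.get(key, 0) >= FAIL_THRESHOLD:
            ev["anomaly"] = "success_after_%d_failures" % fail_counts[key]
        out.append(ev)
    out.extend(allow_rollup.values())
    return out
```

On the sample input, 8 events become 6 forwarded records; on real firewall and endpoint feeds the allow roll-up and heartbeat drop are where the bulk of the reduction comes from.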
Ashkenazi also described the acquisition as aligned with the company’s practice of supporting interoperability. “SentinelOne has always believed in an open ecosystem approach,” he said. “Being open is the way to go these days because telling customers, ‘Bring everything to me, being a vendor,’ I don’t think that’s actually relevant. It works for very few, but it doesn’t work for most.”
The acquisition, which will be completed through a mix of cash and stock, is expected to close in SentinelOne’s third quarter of fiscal year 2026, subject to regulatory approvals and customary conditions.