Customer Story: Cribl

Using Push, Cribl confirmed and remediated unmonitored login paths across critical business apps — risks that had previously gone unquantified.

About Cribl

Cribl is an American company developing a data platform for information technology and security operations teams. Their solutions give organizations control and flexibility over their observability and security data.


Why Cribl chose Push:

  • Cribl, a leader in data management for IT and security teams, wanted a security solution that could support its proactive approach to identity and browser security in a fast-moving, remote-first environment. Their goal was to enhance the security of identities and applications beyond what traditional IdP and SSO tools could cover, without slowing down their work.
  • Push helped Cribl validate and quantify hard-to-detect risks, including misconfigured login pages for key business applications that were allowing a significant number of users to bypass SSO.
  • The Cribl security team used Push's flexible, high-fidelity data to scale their existing detection and response workflows, reduce manual effort, and enforce policy with confidence, without introducing friction for end users.

Protected by Push since 2024

"We knew one of our biggest risks was tied to identity. Push was the only solution that could give us a true picture of that attack surface, connecting employee actions directly to the SaaS apps they use every day."

Alex Crusco, Staff Security Engineer

Business Challenge

As a remote-first company, Cribl empowers its employees with the flexibility to innovate quickly. This freedom, though, creates a common challenge for security teams in remote-first environments: the inherent difficulty in gaining deep visibility into the browser-based attack surface, even with a robust security stack.

"I threat-modeled every single thing that we could think of that could possibly go wrong, and identity was high on that list," said Alex Crusco, Staff Security Engineer at Cribl. "There are many ways attackers can manipulate users and gain access without triggering traditional alerts."

The team needed a solution that wouldn't slow the business down but could deliver concrete, high-confidence data about identity hygiene and risky app behavior. "Without the right data, this problem was just a theory," said Aaron Thummel, Senior Security Analyst. "Push gave us the data to quantify the risk and drive real change. It's hard to get a security initiative off the ground without solid numbers to back it up."

Technical Challenge

Visibility limitations beyond the IdP

Before Push, the security team relied on correlating data from their IdP and other tools to investigate potential threats. This process was time-consuming, and it often lacked the browser-level context needed to trace incidents back to their source.

"I didn't have visibility into the browser before, so there was no way for me to determine what actually happened or how it started," explained Alex. "It's more like backwards tracing, rather than, ‘How did it happen?’"


Validating hidden risks

Those limitations came into sharper focus when Cribl deployed Push. Early on, the team identified a misconfigured login page on a core business application that was still accessible and in use.

"We found that a significant number of users were still logging in with just their username and password, bypassing SSO entirely," recalled Alex. "Our team's diligence discovered this issue and, with the power of Push, addressed this hidden, previously unquantifiable risk."

Equipped with this new telemetry, the team proactively reviewed login activity across other high-use apps. They discovered a similar misconfiguration on another widely used business platform, where password reuse and insecure login methods posed added risk. These discoveries confirmed what the team had long suspected: some risks are only visible from inside the browser.

Solution

Cribl chose Push to build on their existing security strategy and extend protection into the browser, the control point where users interact with critical apps every day. Push’s browser extension gave the team real-time visibility into SaaS usage, authentication methods, and identity posture. Rather than introducing new overhead, Push enhanced the workflows the team already had in place.

From manual triage to automated remediation

Initially, Cribl analysts manually triaged Push alerts. But as they operationalized the data, they began building their own automations, starting with a custom Slack bot that notifies employees about issues like password reuse, in line with Cribl’s culture of positive, proactive security engagement.

This shift from manual investigation to structured automation saved the team hours of effort per incident.

“Now we can focus our efforts elsewhere,” said Aaron. 

Push’s structured telemetry also gave the team the confidence to work cross-functionally, partnering with IT to deprecate risky login paths and fully enforce SSO where needed.

Integration spotlight

As the Cribl team operationalized Push’s browser-native telemetry, they found it incredibly useful for detection, enrichment, and investigation. So useful, in fact, that they built official Cribl packs to help other teams get the same benefits, without needing to write custom code.

The result:

  • Cribl Stream Pack for Push: Easily ingest, normalize, and route Push telemetry to your SIEM, SOAR, or data lake—while reducing event volume and cost.
  • Cribl Search Pack for Push: Pre-built dashboards for Push detections, posture, and browser activity, enabling faster investigation and historical analysis.

Both are available via the Cribl Dispensary, and designed to help security teams operationalize browser-based detection and response with minimal effort.

This native integration is part of Push’s broader strategy to work with the tools security teams already use, and get powerful telemetry into their hands, fast.

