Working side-by-side with some of the most data-forward security teams in the world, I am excited to share that Query has built two new solutions: Query Agents and Query Security Data Pipelines.
- Query Security Data Pipelines: A faster way to build your gold layer. Write structured, normalized security data directly to the cloud storage of your choice (or to a Splunk SIEM); no custom-defined pipelines, no ETL, no fuss.
- Query Agents: A new way to put your security data to work. Task-specific assistants that use live federated search to gather the right data, normalize it, and return a structured, decision-ready answer.
Both are available now in preview, and both are purpose-built to address the most common, and costly, challenges security teams face when it comes to using their data.
Two Big Blockers to Using More of Your Data
Security jobs are data- and use-case-driven. Every mission can require different data, and different questions asked of that data, and the game changer is getting the required answers quickly. Our customers made it clear: they want answers fast, delivered in ways that actually help them. That’s why we built Query Agents. Our agents are mission-specific, trained to solve the real data challenges security teams face. They run on the Query Security Data Mesh, which feeds them normalized and enriched data from any connected source when they need it.
Teams still need historical context, and compliance doesn’t go away. That’s where Query Security Data Pipelines (QSDP) come in. We already connect to your distributed systems and normalize data to OCSF at search time. Now we can also write that clean, structured, high-value data into your storage of choice: Amazon S3, Azure Blob Storage (ADLSv2), Google Cloud Storage, or even Splunk, so it’s there when you need it. No ETL. No mapping. No duct tape. We’ve done the hard work for you.
If you want to roll your own data pipeline Lego spaceship, this probably isn’t for you. But if you want a gold data layer aligned to modern security data best practices, and available instantly without overhead, we’ve got you covered.
Security Runs on Data. So Why Is It Still So Hard to Use?
Security teams don’t lack data. They lack access to it in the right way, at the right time.
Distributed environments are now the default. So is tool sprawl. Data lives in cloud logs, SaaS tools, identity systems, SIEMs, data lakes, and long-forgotten cloud buckets. Each source has its own schema, syntax, and quirks. Meanwhile, security and SIEM features keep multiplying, with more dashboards, more integrations, and more alerts, but getting to actual answers still takes too long. Many security teams are actively reimagining security data architectures right now.
Teams are stuck pivoting across dozens of tools. They’re stuck asking analysts to become part-time data engineers. They’re stuck shoving data into cloud storage like S3 and calling it a “lake”, but when a real incident hits, no one can actually use that data. It’s not working.
Even when teams try to invest in data pipeline tools, the projects quickly become large plumbing exercises. They might start with ROI charts and cost savings pitches, but the end result is usually the same: data moves around, security operational procedures change but don’t really improve, and analysts are still stuck with more work than they can handle.
You Have The Data, Now Use It
These solutions aren’t hypothetical. They’re built with real teams, for real use cases. Our customers asked for better answers, not more platforms. They wanted less engineering and more decision support. They wanted to stop pivoting between a dozen systems just to understand what an alert meant.
We listened. And we built.
“In my time as a CISO, I’ve watched how the industry’s rush to apply general-purpose LLMs to security operations can create more noise than signal,” said Rudy Ristich, CISO and CPO of Avant. “Query’s approach is refreshingly different—they understand that smaller, purpose-built agents using high-quality, normalized data deliver the precision and context that security operations teams actually need to save time and arrive at answers rather than struggling to ask the right question.”
At Query, our mission remains to enable security teams to gain an advantage through data. Not just access to it. Not just storage of it. Getting answers from it, fast, with high context, and without wasting time.
We’ll continue to build with the teams leading the charge. And we’ll keep breaking the old assumptions that say centralization, complexity, and cost are necessary evils. They’re not.