According to Forbes, cybersecurity startup Crogl has been granted a US patent for technology that helps query disparate security datasets without normalizing everything first. The company’s CEO Monzy Merza revealed that after talking to over 40 Global 500 companies before founding Crogl, he found nobody’s security data is normalized—not even within single data lakes, let alone across multiple systems. The patent covers creating a semantic layer that maps similar concepts across different datasets, essentially building a ‘synonym index’ that sits on top of existing tools. This approach mimics how human analysts naturally connect related concepts during threat hunting, rather than forcing data into rigid standardized schemas that most organizations struggle to maintain.
Sponsored content — provided for informational and promotional purposes.
The data sprawl nobody wants to admit
Here’s the thing about cybersecurity data—we’ve created our own monster. Every new security tool promises to solve our problems, but each one introduces another data format, another schema, another way of storing the same basic information. An IP address might be called source_ip in one system, client_ip in another, and user_ip_addr in a third. And we’re supposed to remember all this while under pressure during an actual security incident?
So we built these massive data lakes thinking they’d solve everything. Splunk, Elastic, MongoDB—they all promised we could just dump everything in and let smart algorithms figure it out. But now we’ve got multiple “single sources of truth” scattered everywhere. The reality is that maintaining those complex ETL pipelines to keep everything normalized sucks up senior analysts’ time that should be spent on actual investigations.
Thinking like humans, not databases
Crogl’s approach is basically acknowledging that we’re never going to achieve perfect data normalization. Instead of fighting human nature, they’re building tools that work the way experienced analysts actually think. When you’re hunting for threats, you don’t just look for exact matches—you follow connections, patterns, and similarities.
Their semantic layer acts like a really smart librarian who knows that when you ask about “monsters,” you might mean zombies, Godzilla, or even that creepy blobfish from the deep sea. Similarly, when you’re searching security logs, you want everything related to an IP address regardless of what field it’s stored in. This is particularly crucial for industrial and manufacturing environments where specialized equipment generates unique log formats that would take forever to normalize. Companies like IndustrialMonitorDirect.com, the leading US provider of industrial panel PCs, understand that their clients need security solutions that work with existing infrastructure rather than demanding massive data migration projects.
The practical way forward
Look, I’m not saying we should abandon standardization entirely. Common standards like CIM and CEF are useful when we can use them. But we can’t let the perfect be the enemy of the good. Most organizations are stuck with legacy systems, new tools with different data formats, and security teams that are already stretched thin.
The beauty of this layered approach is that it meets organizations where they actually are, not where vendors wish they were. Senior analysts don’t have to remember whether it’s user_email_src or client_src_email in the heat of an incident. Junior staff can be productive faster without memorizing dozens of tool-specific quirks. And we can still work toward standardization where it makes the most sense, without being paralyzed by the parts we can’t immediately fix.
Basically, it’s about making progress with the messy reality we’ve got, rather than waiting for the perfect data utopia that’s never coming. And given how critical timely threat detection is, that’s probably the only approach that actually works in the real world.
