Control before ingest
Control data before ingest—with a pipeline model you can review and deploy safely
LyftData turns pipelines into versioned releases you can review, test, and roll out safely. Filter noise, mask sensitive fields, and route the right data to each destination—before ingest.
One server keeps the source of truth for pipeline versions and deployments. Workers run the version you publish near your data, and Run & Trace lets you preview every decision before production.
Sources → Actions → Channels → Destinations
A workflow is your pipeline as a versioned graph: sources, actions, channels, and destinations.
Draft it, publish it, deploy it. Published versions are what you roll forward and roll back.
Sources
Files, EDR exports, Windows Events, APIs, buckets — anything producing events.
Actions
Filtering, parsing, masking, enrichment, scripts — applied per event upstream.
Channels
Intentional fan-out lanes so one stream can feed multiple tools, on purpose.
Destinations
SIEMs, observability platforms, analytics systems, archives — each gets exactly what it needs.
Core components
Server, Workers, Jobs, and Run & Trace
One control plane, declarative Jobs, stateless Workers, and a truth window to validate every run.
Server (Control Plane)
The source of truth for every pipeline.
- Stores pipeline definitions, versions, and lineage.
- Plans deployments and keeps a clear audit trail.
Workers (Execution Engine)
Executors that run pipelines near your data.
- Pull approved pipeline versions and run them near your data.
- Scale horizontally without rewriting your pipeline or policy.
Jobs (Your Pipelines)
Versioned pipeline definitions.
- Inputs, Actions, Channels, and Outputs live in one reviewable graph.
- Diff, approve, and promote versions between environments with confidence.
Run & Trace
Your truth window before production.
- Preview what was dropped, masked, enriched, or routed at each step.
- Use traces for validation, policy reviews, and incident response.
Pipeline walkthrough
Input → Filter → Mask → Enrich → Channel Split → Destinations
A typical pipeline: ingest from a source, remove noise, protect sensitive fields, enrich context, then split into purpose-built outputs.
Input
Read events from EDR exports, APIs, buckets, or streams.
Filter
Drop duplicates and noisy carbon-copy events up front.
Mask
Mask employee IDs and sensitive fields before routing.
Enrich
Enrich IPs with threat intel or contextual metadata.
Channel Split
Split into Channels so one stream can feed multiple tools intentionally.
Destinations
Curated events flow to SIEMs while full-fidelity copies archive to object storage.
Workflow lifecycle
How workflows become running systems
Here’s the path from draft to production:
1. Draft a workflow by wiring steps into a graph and setting parameters.
2. Publish a version to lock it for repeatable deploys and easy rollbacks.
3. Create a deployment from the published version.
4. Plan: preview what will change and where it will run, before anything is applied.
5. Deploy: the server packages the release and distributes it to workers to run.
6. Stay in sync (ongoing): LyftData can re-plan and redeploy to repair drift and keep workers aligned.
Real pipeline scenario
Before LyftData vs After LyftData
The same EDR-to-SIEM-and-object-storage pipeline, with predictable cost, governance, and auditability.
| Before LyftData | After LyftData |
| --- | --- |
| Ingest from everywhere without visibility: Multiple regions and tools without a consistent pipeline. | One pipeline governs the flow: Inputs, transforms, splits, and outputs live in one versioned, reviewable graph. |
| Sensitive fields leak across tools: Masking is inconsistent and depends on per-host configs. | Mask and enrich upstream: IDs and emails are masked, IPs enriched before tools ever see them. |
| Cost balloons with noise: Duplicates and carbon copies hit expensive destinations. | Intentional splits per tool: Curated events to the SIEM, full-fidelity copies archived predictably. |
| No single trace of what happened: Routing and transformations are opaque when incidents occur. | Trace every decision: Run & Trace validates the pipeline before production and during incidents. |
Deployment model
Run LyftData where you already run your systems
Security, SRE, and Analytics teams can share the same pipeline definition. Outputs are tailored per tool while keeping policy centralized.
“No surprises” by default
Changes are planned and previewed before they’re applied, and disruptive operations are explicit.
Deploy anywhere
Run Server once per environment and place Workers wherever data lives — on-prem, cloud, or VPCs.
Self-managed control plane
Releases and lineage stay in your infrastructure under your governance.
Workers near the data
Keep data local, scale horizontally, and avoid per-tool agents or rewrites.
Build your first pipeline
Spin up the server, add workers, define your first pipeline, and preview it before production.