Open formats first. Native plugins second. Today: HMAC-signed webhooks, RFC-5424 syslog, JSON Lines exports, PDF binders, SAML / OIDC SSO. Plus a Common Schema with severity, MITRE ATT&CK technique IDs, and stable finding IDs so downstream tools can deduplicate. Native plugins for Splunk, Elastic, Datadog, PagerDuty, Vanta, Drata, Secureframe, and Microsoft Sentinel are roadmap — tier-by-tier as the early customer base asks.
Native plugins are convenient. Open formats are universal. A finding sent as an HMAC-signed JSON webhook lands in Splunk today, in Datadog today, in Sentinel today, and in any new logging hub that ships next year — with no plugin work on our side. The native-plugin layer is the convenience pass on top of the universal pass underneath. We ship the universal pass first because it covers everyone; we ship the native plugins as the customer base names which one needs the convenience pass next.
Operational tip: POST /your/sink with our webhook payload, or point a syslog forwarder at our Business+ syslog endpoint. Either of those works today against any SIEM you can name.
Each category names the partners that work today through shipped paths, and the partners that arrive when a native plugin lands.
LinkedIn OAuth ships today across all tiers. SAML / OIDC SSO and SCIM provisioning land on the Enterprise tier and are in active rollout. Group-claim → tenant-role mapping is in scope for the SSO release, so accounts deactivated at the identity provider auto-deactivate in DataStun.
Alerts are deduplicated per rule per day, so a persistently bad flow sends one notification, not a thousand. Webhook payloads are HMAC-signed so a downstream SIEM can verify provenance. Critical exposed-service hits fire from ingest in < 60 seconds; non-critical alerts batch on a 30-second sweep.
Today: HMAC-signed JSON webhook to any HTTPS endpoint and RFC 5424 syslog over TLS to any collector. Findings carry severity, MITRE ATT&CK technique tag, and a stable finding ID. Native Splunk app + Sentinel connector + Datadog integration are roadmap — sequenced by which customer asks first.
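A receiver-side sketch of the two properties described above, signature verification and deduplication on the stable finding ID. This is an added example, not DataStun code. The page does not specify the signing scheme, so HMAC-SHA256 over the raw body with a hex digest, the JSON field names, and the shared secret are all assumptions; check the webhook configuration for the real values.

```python
import hashlib
import hmac
import json

# Assumptions (not from the page): HMAC-SHA256 over the raw request body,
# hex-encoded; the JSON field names below are hypothetical.
SHARED_SECRET = b"constructed-demo-secret"


def sign(body: bytes, secret: bytes = SHARED_SECRET) -> str:
    """Sender side, included only to build the constructed deliveries below."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(body: bytes, signature: str, secret: bytes = SHARED_SECRET) -> bool:
    """Recompute the MAC over the exact bytes received; compare in constant time."""
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), signature.strip().lower().encode())


class Receiver:
    def __init__(self, secret: bytes = SHARED_SECRET):
        self.secret = secret
        self.seen = set()  # stable finding IDs already forwarded downstream

    def handle(self, body: bytes, signature: str) -> str:
        # Verify before parsing, so unauthenticated bytes never reach json.loads.
        # Always check the raw body: re-serialized JSON may differ byte-for-byte.
        if not verify(body, signature, self.secret):
            return "rejected"
        finding = json.loads(body)
        fid = finding["finding_id"]  # hypothetical field name
        if fid in self.seen:
            return "duplicate"
        self.seen.add(fid)
        return "accepted"


def demo():
    # Constructed sample finding; values are illustrative only.
    body = json.dumps({"finding_id": "F-0001", "severity": "critical",
                       "technique": "T1046"}).encode()
    sig = sign(body)
    tampered = body.replace(b"critical", b"low")
    rx = Receiver()
    return [rx.handle(body, sig),        # first delivery
            rx.handle(body, sig),        # same finding re-sent
            rx.handle(tampered, sig),    # body altered in transit
            rx.handle(body, "00" * 32)]  # wrong signature
```

In a real deployment the seen-set belongs in durable storage and the secret in a secret store, not in source.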
Today: per-framework PDF binders + JSON export with notarized timestamps. Auditors and GRC platforms ingest these directly. Native “evidence push” integration with Vanta / Drata / Secureframe is roadmap.
Today: webhook the alert into your on-call ingest URL; PagerDuty + Opsgenie both accept HMAC-signed JSON natively. Native PagerDuty “incident”-shaped events are roadmap so the routing rules use first-class fields rather than parsing the body.
The reputation and executable-verdict pipelines query these sources as part of normal operation; per-source attribution is visible on every dashboard row. Subprocessor purpose + customer data exposure is documented on /security-review.
Which integration capability is available on which tier. Open formats and universal escape valves are deliberately on the lowest practical tier so even small deployments can wire the alerts into wherever they live.
| Capability | Individual | Tribe | Business | Enterprise |
|---|---|---|---|---|
| Email alerts | ✓ | ✓ | ✓ | ✓ |
| LinkedIn sign-in | ✓ | ✓ | ✓ | ✓ |
| In-product privacy controls | ✓ | ✓ | ✓ | ✓ |
| HMAC-signed webhooks | — | — | ✓ | ✓ |
| Slack / Teams alerts | — | — | ✓ | ✓ |
| RFC-5424 syslog over TLS | — | — | ✓ | ✓ |
| JSON Lines flow export | — | — | ✓ | ✓ |
| SAML / OIDC SSO | — | — | — | ✓ |
| SCIM provisioning | — | — | — | ✓ |
| Compliance binders (PDF + JSON) | — | — | — | ✓ |
| Per-tenant dashboard subdomain | — | — | ✓ | ✓ |
Native plugins arrive tier-by-tier as the early customer base asks. This list is the public commitment.
Native dashboard + alert connector. Ships when the first Splunk-using customer asks.
Connector + analytic rules pack. Sequenced after Splunk.
Datadog Marketplace integration with metric + log forwarder.
Beats input + Kibana saved-search pack.
Native incident-shaped events with first-class severity routing.
Direct evidence push into the Vanta evidence library.
Direct evidence push + control-mapping sync.
Direct evidence push.
Critical exposed-service alerts route to ServiceNow incident records.
Want a specific plugin sequenced higher? Tell us which one — the queue is shaped by what early customers actually run.
The agent runs on every machine in your fleet next to your real EDR; it cannot become an extension surface for arbitrary code from us or anyone else. That rules out the “plugin marketplace inside the agent” pattern that some platforms use. Integrations live above the agent — in the platform’s alerting + export paths, in the dashboard’s GRC binder generators, in the SSO layer — not inside it.
The architectural rule (end-user experience): the agent never causes the problem it’s measuring. Plugin runtime would do exactly that. So the integration story stays at the platform layer where it belongs.
Sign up free, enroll one agent, point the Business-tier webhook at your existing alerting URL. The findings start landing in your SIEM the same day. Roadmap plugins are bonuses on top, not prerequisites.