Authors:
Raimundo Alcazar, Google Cloud Security Partner Ecosystem Lead
McCall McIntyre, Group Product Manager and Head of Product Partnerships
Security teams are frequently burdened with manually stitching together telemetry, alerts, and response playbooks. This fragmentation can limit visibility, increase alert fatigue, and slow down investigations.
Defending the modern enterprise requires tools that work together. Today at Google Cloud Next, we are thrilled to announce a robust cohort of new partner integrations for Google Security Operations as part of the Google Cloud Security integration ecosystem.
Designed to deliver high-fidelity security workflows right out of the box, the newest partners to join our ecosystem of more than 300 vendors include: Beacon Security, Contrast Security, Darktrace, Gigamon, GreyNoise, Intezer, Prophet Security, SAP, Synqly, Thinkst, Tidal Cyber, Torq, and Vali Cyber.
Here’s how our partners are building in the Google Security Operations ecosystem, the integration types supported, and how security operations centers (SOC) can use them.
Specificity and depth: Supported integration types
The Google Security Operations platform supports several distinct integration patterns. Here is how our current cohort is using these architectures to deliver specific technical capabilities:
1. Data feed integrations for deep visibility across your stack
These integrations pipe crucial telemetry directly into the Google Security Operations data lake, pre-mapped to our unified data model (UDM) schema so your team doesn't have to write custom parsers:
- Beacon Security: Architects ingestion for both normalized and raw data. Beacon expands your coverage by collecting data from sources including APIs, syslog, webhooks, and cloud storage. Using a real-time streaming pipeline, it normalizes these raw events directly into out-of-the-box UDM mappings in minutes. Before data even reaches Google Security Operations, Beacon applies security-driven data reduction to filter and aggregate events while preserving detection fidelity. Finally, it uses AI-powered data orchestration and continuous security data posture management to track collection health and help reduce the risk of blind spots becoming breaches.
- Contrast Security ADR: Detects, investigates, and responds to application-layer attacks with the Contrast ADR and Google Security Operations integration. Verified runtime attack telemetry streams into Google's UDM, powering purpose-built detection rules that automatically surface confirmed exploits as cases and correlate application-layer findings with signals from WAFs, EDR tools and database security sensors.
- Gigamon GigaVUE Cloud Suite: Introduces a new integration to help organizations close visibility gaps across hybrid cloud environments. This integration amplifies the power of Google Security Operations with actionable application and network-derived telemetry — including packets, flows, and metadata — from Gigamon, giving teams the context they need to detect threats earlier and investigate with greater precision.
- SAP Logserv: Closes the visibility gap between SAP Logserv and security operations, empowering analysts to detect, investigate, and respond to SAP-specific threats alongside their existing IT landscape. The integration features out-of-the-box ingestion and uses SAP-specific standard parsers to normalize raw, complex infrastructure and application logs into the UDM format. This gives teams unified, enterprise-wide visibility to defend business-critical data while reducing the need for deep SAP technical expertise or custom log pipelines. This integration has been developed by Google, in partnership with SAP.
- Synqly Mesh: Offers a unified API that performs bi-directional data normalization between Google Security Operations' UDM and the Open Cybersecurity Schema Framework (OCSF). It supports event ingestion configurations (Sink) as well as full bi-directional SIEM connectivity.
- Vali Cyber Zero Lock: Streams hypervisor-level security events directly into your existing Google Security Operations workflows. This integration provides visibility into emerging ESXi threats and is designed to help keep virtual infrastructure protected and operational.
2. Response integrations for streamlined alert and case management
These integrations hook directly into your workflows, allowing external platforms to trigger alert delivery, create cases, and execute automated actions.
- Darktrace: Currently in development, this response integration enables Google Security Operations to ingest Darktrace Incidents and Model Alerts. By pulling in pre-parsed raw logs via API or webhook, this integration provides your team with network context needed to streamline alert delivery, manage cases, and trigger automated response actions.
- GreyNoise: New integrations that enhance detection and response capabilities in Google Security Operations. Spanning both SIEM and SOAR, the integration delivers standardized indicator ingestion, pre-built dashboards, YARA-L detection rules, saved searches, webhook support, response actions, and ready-to-deploy playbooks.
- Thinkst Canary: Integrates directly with Google Security Operations SOAR, allowing security teams to ingest high-confidence Canary incidents as actionable cases. It preserves full alert context, surfaces extracted entities like IP addresses and hostnames, and allows analysts to acknowledge incidents without ever leaving their Google Security Operations workflow.
- Torq: Brings its AI SOC Platform to Google Security Operations to help automate the threat lifecycle. Torq pulls detections directly via API, applies agentic AI auto-triage to filter out noise, and executes autonomous response actions — like isolating endpoints or revoking access — across the security stack while keeping Google Security Operations updated with case status.
3. Pulling Google Security Operations data (bi-directional API workflows)
Security doesn't just happen in one console. These integrations use secure APIs to pull Google Security Operations detections and intelligence natively into partner platforms, bridging the gap between tools.
- Intezer: Allows you to natively query, investigate, and triage Google Security Operations detections without leaving your established environment. It automatically ingests Google Security Operations alerts directly into Intezer, which then queries your underlying Google Security Operations data during active investigations to drive autonomous triage. This bi-directional workflow ensures your team has the full picture — eliminating the need to pivot between consoles, reducing manual data gathering, and freeing your analysts to focus on high-level decision-making and rapid response.
- Prophet Security: Integrates with Google Security Operations to provide AI-powered alert investigation and natural language threat hunting. It is designed to automatically ingest alerts, query the Chronicle API for real-time UDM event context, and bidirectionally sync investigation findings and comments back to Google Security Operations, with the goal of reducing analyst workload.
- Tidal Cyber: Pulls configuration and policy data from your cyber defense intelligence (CDI) environment. It can retrieve ATT&CK-mapped curated detection rules and user-created rules from Google Security Operations. It also synchronizes detection rule states with Tidal to reflect enabled and disabled capabilities. By knowing both what a product is capable of and what's currently enabled in your environment, Tidal helps identify configuration gaps and assists in keeping your defensive stack and coverage map accurate as policies change.
Details on all partner integrations can be found in our technical documentation or in your Google Security Operations Content Hub console.
Unify your defense today
For technology vendors and developers looking to join the Google Cloud Security integration ecosystem, you can get started by downloading the Google Security Operations Build Partner Guide to understand our UDM schema and API requirements, and reach out to our Google Cloud Security Tech Partners team to request a development environment to accelerate your build in time for our next release cycle.
You can follow all of our security announcements at Next ’26 here.
