Security operations centres (SOCs) are at a turning point in 2025. A new report from Software Analyst Cyber Research draws on a survey of over 300 CISOs and evaluates vendors to help SOC leaders understand how artificial intelligence (AI) and automation will reshape the SOC.
The survey set out to identify pain points and priorities in security operations. Key findings include:
[Figure: Survey findings from SOC leaders]
These numbers illustrate how alert overload and slow triage still hamper SOC effectiveness.
AI SOC Market Structure and Vendor Categories
The Software Analyst report organises the AI-SOC market into several architectural approaches:
1. Black-box overlays: stand-alone AI assistants that sit outside existing workflows. They can provide recommendations but lack executional control (the "co-pilots").
2. Workflow emulators: tools that mimic manual workflows but cannot adapt at scale (the "browser-based student").
3. Integrated AI SOC platforms: systems that embed AI within the SOC's infrastructure as a mesh orchestrating detection, investigation and response (the "AI SOC mesh" that does it all, with human oversight).
The authors argue that the winners in the AI-SOC space will not be those with the flashiest chat interfaces but those that reduce mean time to respond (MTTR), scale across fragmented environments and adapt faster than attackers evolve. That promise still needs time and evidence to back it up, but the signs are positive.
Hyperautomation and the Path to an Execution-First SOC
Agentic AI inside the environment
Agentic AI works within the organisation's environment, connecting to hundreds of APIs, using headless modes and chat interfaces to collect context and execute actions.
Horizontal scalability and rapid deployment
Integrated AI SOC platforms are designed for peak loads and can be fully operational in a matter of weeks, progressing from core setup and integration, through early automation templates, to advanced workflows and AI-agent deployment.
Execution‑first orientation
The takeaway is that SOCs don't need another AI assistant; they need systems that can autonomously execute workflows.
Platforms should provide full visibility and control over AI-driven decisions, record why each action was taken, and allow analysts to modify the decision logic through low-code or no-code interfaces rather than a vendor change request.
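What "execution with visibility and control" can look like in practice is an execution gate: every action an agent proposes is checked against a declarative policy table that analysts own, and every decision is written to an audit trail. The following is an added illustration written for this article, not code from the Software Analyst report or from any vendor; the action names, thresholds, protected targets and the `Gate`/`ProposedAction` types are hypothetical.

```python
"""Execution gate for an agentic SOC workflow (illustrative, not vendor code).

Every proposed action passes through a declarative policy table that an
analyst can edit without touching code. Every decision is recorded so that
AI-driven actions stay visible and reviewable after the fact.
"""
from dataclasses import dataclass, field
from typing import Literal

Decision = Literal["execute", "needs_approval", "deny"]

# Hypothetical policy table: the "low-code" surface analysts tune.
POLICY = {
    "isolate_host": {"min_confidence": 0.90, "autonomous": True,  "max_targets": 1},
    "disable_user": {"min_confidence": 0.95, "autonomous": False, "max_targets": 1},
    "block_ip":     {"min_confidence": 0.80, "autonomous": True,  "max_targets": 50},
    "wipe_device":  {"min_confidence": 1.00, "autonomous": False, "max_targets": 1},
}

# Hypothetical assets an agent must never touch without a human, whatever its confidence.
PROTECTED_TARGETS = {"dc01.corp.example", "pam-vault.corp.example", "svc_backup"}


@dataclass
class ProposedAction:
    action: str
    targets: list[str]
    confidence: float
    rationale: str  # the agent's stated reason, kept for the audit trail


@dataclass
class Gate:
    audit_log: list[dict] = field(default_factory=list)

    def decide(self, p: ProposedAction) -> Decision:
        rule = POLICY.get(p.action)
        if rule is None:
            decision: Decision = "deny"  # unknown verbs are never executed
            reason = "action not in policy"
        elif any(t in PROTECTED_TARGETS for t in p.targets):
            decision, reason = "needs_approval", "protected target"
        elif len(p.targets) > rule["max_targets"]:
            decision, reason = "needs_approval", "blast radius exceeds policy"
        elif p.confidence < rule["min_confidence"]:
            decision, reason = "needs_approval", "confidence below threshold"
        elif not rule["autonomous"]:
            decision, reason = "needs_approval", "action requires human sign-off"
        else:
            decision, reason = "execute", "within autonomous policy"
        # The audit entry is what gives analysts visibility into AI-driven decisions.
        self.audit_log.append({
            "action": p.action, "targets": list(p.targets), "confidence": p.confidence,
            "decision": decision, "reason": reason, "rationale": p.rationale,
        })
        return decision


if __name__ == "__main__":
    gate = Gate()
    print(gate.decide(ProposedAction("block_ip", ["203.0.113.7"], 0.92, "C2 beacon match")))
    print(gate.decide(ProposedAction("isolate_host", ["dc01.corp.example"], 0.99, "ransomware precursor")))
    print(gate.decide(ProposedAction("disable_user", ["jdoe"], 0.97, "impossible travel")))
    for entry in gate.audit_log:
        print(entry)
```

The ordering of the checks is deliberate: an unknown action is denied before anything else is evaluated, and protected targets and blast radius are checked before the model's confidence, so a very confident agent still cannot isolate a domain controller on its own.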
Our take on the SIEM Evolution: Key Shifts
Is the SIEM heading to its final resting place after a damn good innings? The answer is no: it is evolving into a different beast with more tentacles. API-first architecture, storage-agnostic and data-pipeline-agnostic. For SOC practitioners, this is what we have been shouting into the void for, and it is finally being listened to. Here is our take on where SIEMs are pivoting and evolving:
Convergence with Data Platforms & Pipelines
Modern security architectures are increasingly merging SIEM functionality with data lake / data pipeline infrastructures. Rather than maintaining a siloed SIEM, organisations are adopting hybrid models where the SIEM is one component of a broader data architecture.
The SIEM's role becomes more about enrichment, correlation and analytics over structured and semi-structured data, leaving raw storage, cold archives and large-scale historical inference to data lakes and pipelines, e.g. Amazon Security Lake, Databricks or Anvilogic.
This shift helps manage data volume costs, simplify ingestion, and improve latency by decoupling storage and analytics.
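The decoupling described above reduces to a routing decision in the pipeline: every raw event is archived cheaply, and only a normalised, detection-relevant subset is forwarded to the SIEM. The following is an added example written for this article, not code from the report or from any of the products named above; the sample events, the field names of the common schema, the noise lists and the `route`/`siem_worthy` functions are all constructed for illustration.

```python
"""Log pipeline that decouples storage from analytics (illustrative).

Every raw event lands in cheap object storage (the 'lake'); only a
normalised, filtered subset is forwarded to the SIEM for correlation.
The events below are constructed sample telemetry, not real data.
"""
import json

# Constructed sample telemetry as JSON lines from three sources.
RAW_EVENTS = """
{"src":"cloudtrail","eventTime":"2025-05-01T10:00:01Z","eventName":"ConsoleLogin","userIdentity":{"userName":"alice"},"sourceIPAddress":"198.51.100.4"}
{"src":"cloudtrail","eventTime":"2025-05-01T10:00:02Z","eventName":"DescribeInstances","userIdentity":{"userName":"svc_inventory"},"sourceIPAddress":"10.0.0.5"}
{"src":"edr","ts":"2025-05-01T10:00:03Z","host":"ws-17","process":"powershell.exe","cmd":"-enc SQBFAFgA","user":"bob"}
{"src":"edr","ts":"2025-05-01T10:00:04Z","host":"ws-17","process":"chrome.exe","cmd":"--type=renderer","user":"bob"}
{"src":"vpc_flow","ts":"2025-05-01T10:00:05Z","srcaddr":"10.0.0.5","dstaddr":"10.0.0.9","dstport":443,"action":"ACCEPT"}
{"src":"vpc_flow","ts":"2025-05-01T10:00:06Z","srcaddr":"10.0.0.5","dstaddr":"203.0.113.9","dstport":4444,"action":"ACCEPT"}
""".strip().splitlines()

# Hypothetical noise lists: archived in the lake but not worth SIEM licence cost.
NOISY_CLOUD_CALLS = {"DescribeInstances", "ListBuckets", "GetObject"}
NOISY_PROCESSES = {"chrome.exe", "explorer.exe"}


def normalise(raw: dict) -> dict:
    """Map source-specific fields onto one common schema (hypothetical field names)."""
    src = raw["src"]
    if src == "cloudtrail":
        return {"time": raw["eventTime"], "source": src, "actor": raw["userIdentity"]["userName"],
                "action": raw["eventName"], "target": raw["sourceIPAddress"]}
    if src == "edr":
        return {"time": raw["ts"], "source": src, "actor": raw["user"],
                "action": raw["process"], "target": raw["host"], "detail": raw["cmd"]}
    if src == "vpc_flow":
        return {"time": raw["ts"], "source": src, "actor": raw["srcaddr"],
                "action": "connect:%d" % raw["dstport"], "target": raw["dstaddr"]}
    raise ValueError("unknown source %s" % src)


def siem_worthy(ev: dict) -> bool:
    """Forward only what correlation rules can act on; everything else stays in the lake."""
    if ev["source"] == "cloudtrail":
        return ev["action"] not in NOISY_CLOUD_CALLS
    if ev["source"] == "edr":
        return ev["action"] not in NOISY_PROCESSES
    if ev["source"] == "vpc_flow":
        # Drop east-west chatter; egress to a non-10/8 address is worth correlating.
        return not ev["target"].startswith("10.")
    return True


def route(lines: list[str]) -> tuple[list[str], list[dict]]:
    """Return (lake, siem): raw lines kept in full, normalised subset for the SIEM."""
    lake, siem = [], []
    for line in lines:
        lake.append(line)  # cold tier: raw and untouched, nothing is dropped
        ev = normalise(json.loads(line))
        if siem_worthy(ev):
            siem.append(ev)  # hot tier: normalised and filtered
    return lake, siem


def volume_report(lake: list[str], siem: list[dict]) -> dict:
    """Rough measure of how much licensed SIEM volume the routing saves."""
    lake_bytes = sum(len(l.encode()) for l in lake)
    siem_bytes = sum(len(json.dumps(e).encode()) for e in siem)
    return {"lake_events": len(lake), "siem_events": len(siem),
            "siem_share_of_bytes": round(siem_bytes / lake_bytes, 2)}


if __name__ == "__main__":
    lake, siem = route(RAW_EVENTS)
    print(volume_report(lake, siem))
    for ev in siem:
        print(ev)
```

Because the raw line is archived before any filtering happens, the "keep it or drop it" question disappears: an analyst who later needs the chrome.exe telemetry or the east-west flow records queries the lake, while the SIEM only ever ingests the three events a correlation rule could act on.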
Open, Modular, Vendor-Agnostic Design
The future SIEM is expected to be less monolithic and more modular: ingest, enrich, correlate and respond become separate layers, each able to interface with external tools and pipelines. Vendors such as Exabeam, SentinelOne and Palo Alto Networks are on this sprint, albeit with different approaches.
SIEMs are evolving toward open architectures and use of standardised data formats and APIs, reducing vendor lock-in and enabling best-of-breed component replacement.
This means a SIEM could feed into or consume from orchestration systems, threat intelligence platforms, and external analytic engines.
Intelligence Augmentation & Analytics Over Simple Correlation
Traditional correlation-based SIEMs are insufficient for modern threats. The updated model layers AI/ML, behavioural analytics, anomaly detection, and unsupervised techniques on top of the core SIEM engine.
SIEMs evolve to become analytic hubs as they correlate across more data points (identity, external threat intel, asset data etc) rather than just logs → alerts.
The SIEM’s value shifts more toward contextualising, prioritising, and automating response, not simply flagging events.
SIEM + CTEM / Exposure Management Synergy
Future architectures should see SIEMs integrating with Continuous Threat Exposure Management (CTEM) and attack surface discovery tools, so that SIEM alerts can be mapped against exposure data (what is internet-facing, what is unpatched, what is a crown jewel) for prioritised response.
This elevates the SIEM from reactive detection to a proactive, exposure-aware defence posture, and ensures its output feeds higher-order exposure workflows rather than sitting in an alert queue.
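Both of the preceding shifts, correlation across identity, asset and threat-intel context and the mapping of alerts against exposure data, come down to the same mechanic: enrich each alert from several context sources, then score and rank it. The following is an added example written for this article and not code from the report or any vendor; the context tables, the weights, the finding identifiers and the `enrich`/`score`/`prioritise` functions are constructed for illustration.

```python
"""Exposure-aware alert prioritisation (illustrative).

A SIEM alert is enriched with identity, asset, threat-intel and exposure
(CTEM) context, then scored so the queue is ordered by risk rather than by
arrival time. All lookup tables below are constructed sample data.
"""
from dataclasses import dataclass

# --- constructed context sources ------------------------------------------
IDENTITY = {  # from the IdP / HR feed
    "alice": {"privileged": True,  "department": "platform"},
    "bob":   {"privileged": False, "department": "sales"},
}
ASSETS = {  # from the CMDB / attack surface discovery
    "ws-17":  {"tier": "standard",    "internet_exposed": False},
    "web-03": {"tier": "crown_jewel", "internet_exposed": True},
}
THREAT_INTEL = {"203.0.113.9"}  # known C2 addresses (constructed)
EXPOSURES = {  # from CTEM: asset -> unremediated findings (hypothetical IDs)
    "web-03": [{"id": "FINDING-1", "severity": "critical", "exploited_in_wild": True}],
    "ws-17":  [{"id": "FINDING-2", "severity": "medium",   "exploited_in_wild": False}],
}


@dataclass
class Alert:
    id: str
    rule: str
    user: str
    host: str
    remote_ip: str = ""


def enrich(a: Alert) -> dict:
    """Attach identity, asset, intel and exposure context to a raw alert."""
    ident = IDENTITY.get(a.user, {"privileged": False, "department": "unknown"})
    asset = ASSETS.get(a.host, {"tier": "unknown", "internet_exposed": False})
    findings = EXPOSURES.get(a.host, [])
    return {
        "alert": a,
        "privileged_user": ident["privileged"],
        "crown_jewel": asset["tier"] == "crown_jewel",
        "internet_exposed": asset["internet_exposed"],
        "ioc_match": a.remote_ip in THREAT_INTEL,
        "critical_exposure": any(f["severity"] == "critical" for f in findings),
        "exploited_exposure": any(f["exploited_in_wild"] for f in findings),
    }


# Hypothetical weights: the tuning surface an analyst owns.
WEIGHTS = {
    "ioc_match": 40, "privileged_user": 20, "crown_jewel": 20,
    "internet_exposed": 10, "critical_exposure": 15, "exploited_exposure": 25,
}


def score(ctx: dict) -> int:
    """Sum the weights of every context flag that is set."""
    return sum(w for k, w in WEIGHTS.items() if ctx[k])


def prioritise(alerts: list[Alert]) -> list[tuple[str, int]]:
    """Return (alert id, score) pairs, highest risk first."""
    ranked = [(a.id, score(enrich(a))) for a in alerts]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


SAMPLE_ALERTS = [  # constructed
    Alert("A1", "suspicious_powershell", "bob", "ws-17"),
    Alert("A2", "outbound_to_c2", "bob", "ws-17", "203.0.113.9"),
    Alert("A3", "suspicious_powershell", "alice", "web-03"),
]

if __name__ == "__main__":
    for alert_id, s in prioritise(SAMPLE_ALERTS):
        print(alert_id, s)
```

The two PowerShell alerts fire on the same rule, yet the one on an internet-facing crown jewel with an actively exploited finding and a privileged user ranks far above the one on a standard workstation; the raw SIEM rule alone could not tell them apart.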
Legacy SIEMs face constraints from data ingestion costs (the keep-it-or-drop-it dilemma), licensing models and performance at scale. Evolving SIEMs are detaching from per-GB or per-event pricing under sustained pressure from SOC practitioners.
The shift is towards business-aligned metrics (user count, risk tiers) or tiered storage. By moving raw data to cheaper storage, the SIEM is applied only where correlation and alerting are critical, making costs more predictable and sustainable.
Summary: What This Means
Integrated Layer
In modern SOCs, SIEM acts as a correlation, enrichment, and contextualisation layer, integrated with data lakes, pipelines, threat intelligence, orchestration, and exposure management tools.
Open & Modular
Organisations should aim for open, modular SIEM architectures, combined with external analytics and exposure systems, to avoid the vendor lock-in of monolithic legacy stacks.
Evolving Engine
The SIEM is not going extinct, despite the wishful thinking! It is evolving into a smarter, more flexible, analytics-driven engine rather than a siloed alert machine.
Conclusion
The 2025 SOC report portrays a market still maturing but accelerating quickly.
The key message is that effective AI-SOC platforms must be integrated, execution-first systems that deliver speed, scalability and transparency. Buyers whose philosophy is single-vendor simplicity will be watching how the current SIEM vendors adjust their trajectory: how they decouple hot storage from cold, and from analytics and enrichment, and where and how AI integrates into the detection and response lifecycle.