
Security operations centres (SOCs) are at a turning point in 2025. A new report from Software Analyst Cyber Research draws on a survey of over 300 CISOs and evaluates vendors to help SOC leaders understand how artificial intelligence (AI) and automation will reshape the SOC.
The study surveyed more than 300 CISOs to identify pain points and priorities in security operations. Key findings include:
These numbers illustrate how alert overload and slow triage still hamper SOC effectiveness.
The Software Analyst report organises the AI-SOC market into several architectural approaches:
stand-alone AI assistants that sit outside existing workflows. These can provide recommendations but lack executional control. The Co Pilots
tools that mimic manual workflows but cannot adapt at scale. The browser based student
systems that embed AI within the SOC's infrastructure, a mesh of orchestrating detection, investigation and response. The AI SOC mesh that does it all (with Human oversight)
The authors argue that the winners in the AI‑SOC space will not be those with the flashiest chat interfaces but those that reduce mean‑time‑to‑respond (MTTR), scale across fragmented environments and adapt faster than attackers evolve. The promise needs time to evidence but the signs are positive.
Agentic AI works within the organisation's environment, connecting to hundreds of APIs, using headless modes and chat interfaces to collect context and execute actions.
Integrated AI SOC platforms are designed for peak loads and can be fully operational in a matter of weeks.
from core setup and integration through early automation templates to advanced workflows and AI‑agent deployment.
The takeaway is that SOCs don't need another AI assistant; they need systems that can autonomously execute workflows.
Platforms should provide full visibility and control over AI‑driven decisions and allow analysts to modify logic through low‑code or no‑code interfaces.
Is the SIEM going to it's final resting place after a damn good innings? the answer is no, it is evolving into a different beast with more tentacles. API first architecture, storage agnostic and data pipeline agnostic. For SOC practitioners, this is what we have been shouting into the void for, and finally listened to. We discuss our take on where SIEM's are pivoting and evolving:
Modern security architectures are increasingly merging SIEM functionality with data lake / data pipeline infrastructures. Rather than maintaining a siloed SIEM, organisations are adopting hybrid models where the SIEM is one component of a broader data architecture.
The SIEM’s role becomes more about enrichment, correlation, and analytics over structured and semi-structured data, leaving raw storage, cold archives, and large-scale historical inference to data lakes/pipelines i.e AWS security Lake, Data Bricks, Anvilogic.
This shift helps manage data volume costs, simplify ingestion, and improve latency by decoupling storage and analytics.
The future SIEM is expected to be less monolithic and more modular: ingest, enrich, correlate, and respond are separated layers, able to interface with external tools and pipelines. Vendors such as Exabeam, SentinelOne and Palo Alto are on this sprint albeit different approaches.
SIEMs are evolving toward open architectures and use of standardised data formats and APIs, reducing vendor lock-in and enabling best-of-breed component replacement.
This means a SIEM could feed into or consume from orchestration systems, threat intelligence platforms, and external analytic engines.
Traditional correlation-based SIEMs are insufficient for modern threats. The updated model layers AI/ML, behavioural analytics, anomaly detection, and unsupervised techniques on top of the core SIEM engine.
SIEMs evolve to become analytic hubs as they correlate across more data points (identity, external threat intel, asset data etc) rather than just logs → alerts.
The SIEM’s value shifts more toward contextualising, prioritising, and automating response, not simply flagging events.
Future architectures should see SIEMs integrating with Continuous Threat Exposure Management (CTEM) and attack surface discovery tools. This allows SIEM alerts to be mapped with exposure data for prioritised response.
This approach elevates SIEM from reactive detection to a proactive, exposure-aware defense posture, ensuring it feeds into higher-order exposure workflows.
Legacy SIEMs face constraints from data ingestion costs (the keep it or drop it paradox), licensing models, and performance at scale. Evolving SIEMs are detaching from per-GB or per-event pricing due to heavy lobbying from SOC practitioners.
The shift is towards business-aligned metrics (user count, risk tiers) or tiered storage. By moving raw data to cheaper storage, SIEM is applied only where correlation and alerting are critical, making costs more predictable and sustainable.
In modern SOCs, SIEM acts as a correlation, enrichment, and contextualisation layer, integrated with data lakes, pipelines, threat intelligence, orchestration, and exposure management tools.
Organizations should aim for open, modular SIEM architectures, combined with external analytics and exposure systems, to avoid vendor lock-in from monolithic legacy stacks.
The SIEM is not going extinct, despite the wishful thinking! it's evolving into a smarter, more flexible, analytics-driven engine rather than a siloed alert machine.
The 2025 SOC report portrays a market still maturing but accelerating quickly.
The key message is that effective AI‑SOC platforms must be integrated, execution‑first systems that deliver speed, scalability and transparency. Buyers, whose philosophy is single vendor simplicity will be watching how the current SIEM vendors diversify their trajectory towards decoupling hot storage from cold, analytics and enrichment and also where and how AI integrates into the detection & response lifecycle.
The SOC Report – September 2025