The 2025 SANS SOC Survey evaluates how modern SOCs are staffed, structured, and equipped, highlighting persistent strengths (widespread 24/7 coverage, strong EDR adoption) alongside recurring gaps (staffing shortages, manual metrics reporting, and uncoordinated AI/ML use). The report emphasizes reactive incident response, indiscriminate ingestion of all data into the SIEM, and growing but uneven cloud and AI integration, and it closes with vendor and product briefings. #SANS #ProphetAI
Keypoints
- Report structure: Title and authorship, table of contents, executive summary, key findings, methodology/demographics, detailed topical sections (SOC definition, capabilities, architecture, staffing, tools, AI/ML, threat intelligence, incident response), expert commentary, vendor/product briefings, conclusions, sponsors, and program information. Each section summarizes data, interprets trends, and provides practical recommendations and vendor context.
- Executive summary: Sets context and objectives—compare peer performance, prioritize improvements, and surface technology and staffing guidance for the coming year.
- Demographics and methodology: Describes respondent locations, industries, and organization sizes to frame representativeness and applicability of findings.
- SOC definition and baseline: Typical SOC priorities are alert triage, detection, and incident response, supplemented by threat intelligence, vulnerability management, and hunting; baseline staffing ~10 FTEs with 3–5 year tenure common.
- Capabilities vs. outsourcing: Core functions (architecture, monitoring, compliance, incident response) are generally kept in-house; specialized, project-based tasks (pentest, DFIR, red teaming) are commonly outsourced; hybrid monitoring models are frequent.
- Architecture trends: Centralized on-prem SOCs remain the most common (38%); cloud SOCs are growing (24% current, planned 29%); migration to cloud is gradual and influenced by geopolitics and data residency concerns.
- Key statistics (operational coverage and triggers): 79% of SOCs operate 24/7; 85% of incident starts are triggered by endpoint security alerts, underscoring EDR/endpoint telemetry as primary signal sources.
- Data management concerns: 42% of SOCs dump all incoming data into a SIEM without clear retrieval/management plans, creating scale and visibility problems and raising cost and effectiveness risks.
- Skills and hiring signals: 43% of respondents rank SIEM as the top technical hiring skill—more than double the next skill—indicating centralized log analytics remain mission-critical.
- AI/ML adoption and shortcomings: 42% of SOCs use AI/ML tools "out of the box" with no customization; AI/ML tools are widely adopted but under-governed, often introduced without a clear owner, which produces low satisfaction and unintended risk.
- Threat intelligence usage: 73% of SOCs perform CTI activities and 69% use CTI primarily for incident response; intelligence is commonly distributed via email or documents, and analysts rely heavily on experience and intuition (72%) rather than structured analytic techniques.
- Reporting and automation deficits: 69% of SOCs still rely on manual or mostly manual metric reporting; lack of automation for metrics and repetitive tasks remains a major efficiency bottleneck.
- Tool satisfaction hierarchy: EDR/XDR is the most trusted and highest-rated technology (the only one scoring above the 3-out-of-4 satisfaction threshold); newer solutions (AI/ML, deception) score poorly due to integration, governance, and expectation gaps.
- Incident response posture: IR is largely reactive—most IR functions are internal or ad hoc—and threat hunting is commonly vendor-driven, partially automated, and often retrospective rather than hypothesis-led proactive hunting.
- Staffing and retention crisis: Common SOC size is 2–10 people for many organizations; 73% allow some remote work; 62% of SOC professionals say their organization isn’t doing enough to retain top talent; transparency around budgets and retention programs is weak (42% of staff unaware of SOC budget).
- Recurring themes: persistence of reactive operations, over-reliance on alerts and SIEM dumps, underinvestment in hunting and automation, hype vs. reality for AI/ML, and the critical role of people and culture over pure tooling.
- Significant operational takeaways: prioritize intentional AI governance and standardization, reduce SIEM noise and unnecessary data retention, automate repetitive reporting and triage workflows, invest in retention and career progression, and formalize threat intelligence practices using structured analytic techniques and internal data sources.
- Vendor & product insights: Product briefings (Prophet AI, Swimlane, ThreatConnect, Infoblox, Elastic, Fortinet) exemplify market responses—agentic AI for investigative automation, hyperautomation for orchestration and playbooks, integrated CTI and risk quantification to link security to business impact, and platforms that promise measurable ROI by reducing alert volume and analyst toil.
- Strategic recommendations: balance tool procurement with budgeted integration and training, invest in EDR/endpoint telemetry and detection engineering, formalize hunting methodologies, adopt low-code automation for playbooks and reporting, and pursue incremental, governed AI deployments aligned to measurable SOC metrics (MTTI, MTTR, dwell time).
- Global and regulatory considerations: rising geopolitical scrutiny affects cross-border monitoring and data residency—security leaders must engage legal and compliance to address visibility, third-party monitoring, and regulatory constraints during cloud migration planning.
- Encouraging signals: widespread 24/7 coverage, growing cloud adoption plans, nascent improvements in proactive detection and intentional AI integration, and renewed emphasis on career progression as a retention lever—yet progress remains incremental and uneven.
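The reporting deficit (69% of SOCs tally metrics by hand) and the recommendation to tie AI and automation investments to measurable metrics such as MTTI, MTTR and dwell time both come down to computing the same few quantities from incident records. The example below is added here and is not code from the SANS report or any vendor in it; the incident records are constructed, and the metric definitions (dwell time = alert minus first compromise, time to identify = analyst confirmation minus alert, time to respond = containment minus confirmation) are assumptions, since the survey summary does not define them. It reports medians beside means because a single long-dwell incident drags the mean far from what a typical case looks like, and it excludes rather than zero-fills incidents whose compromise time was never established.

```python
"""Added example (not from the SANS report): compute SOC timing metrics from
incident records so that reporting can be automated instead of hand-tallied.

Assumed definitions (assumptions, not the survey's):
  dwell time        = alert_at - compromise_at   (attacker time in the environment before detection)
  time to identify  = confirmed_at - alert_at    (alert fired -> analyst confirmed a true incident); MTTI is its mean
  time to respond   = contained_at - confirmed_at (confirmed -> contained or remediated); MTTR is its mean
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Incident:
    incident_id: str
    source: str                        # what opened the incident: "edr", "siem", "user_report", ...
    alert_at: datetime                 # first alert or report that started the incident
    confirmed_at: datetime             # analyst confirmed a true positive
    contained_at: datetime             # threat contained or remediated
    compromise_at: Optional[datetime]  # earliest attacker activity found in forensics; None if never established


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def validate(inc: Incident) -> None:
    """Reject records whose timeline runs backwards; bad timestamps silently skew means."""
    if not inc.alert_at <= inc.confirmed_at <= inc.contained_at:
        raise ValueError(f"{inc.incident_id}: alert/confirmed/contained timestamps out of order")
    if inc.compromise_at is not None and inc.compromise_at > inc.alert_at:
        raise ValueError(f"{inc.incident_id}: compromise_at is later than alert_at")


def soc_metrics(incidents: Iterable[Incident]) -> Dict[str, Optional[float]]:
    """Return mean/median identify, respond and dwell times in hours plus the endpoint-trigger share."""
    incs: List[Incident] = list(incidents)
    if not incs:
        raise ValueError("no incidents to report on")
    for inc in incs:
        validate(inc)

    tti = [_hours(i.confirmed_at - i.alert_at) for i in incs]
    ttr = [_hours(i.contained_at - i.confirmed_at) for i in incs]
    # Dwell time is only computable where forensics established a compromise time;
    # unknown cases are excluded and counted, never treated as zero dwell.
    dwell = [_hours(i.alert_at - i.compromise_at) for i in incs if i.compromise_at is not None]
    endpoint_triggered = sum(1 for i in incs if i.source == "edr")

    return {
        "incidents": len(incs),
        "mtti_h": mean(tti),
        "median_tti_h": median(tti),      # medians resist a single long outlier
        "mttr_h": mean(ttr),
        "median_ttr_h": median(ttr),
        "dwell_known": len(dwell),
        "mean_dwell_h": mean(dwell) if dwell else None,
        "median_dwell_h": median(dwell) if dwell else None,
        "endpoint_triggered_pct": 100.0 * endpoint_triggered / len(incs),
    }


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample records for illustration (not real incident data).
SAMPLE_INCIDENTS = [
    Incident("INC-1", "edr",  _t("2025-03-01 10:00"), _t("2025-03-01 10:30"), _t("2025-03-01 14:30"), _t("2025-03-01 08:00")),
    Incident("INC-2", "edr",  _t("2025-03-02 09:00"), _t("2025-03-02 11:00"), _t("2025-03-03 11:00"), None),
    Incident("INC-3", "siem", _t("2025-03-03 00:00"), _t("2025-03-03 06:00"), _t("2025-03-05 06:00"), _t("2025-02-20 00:00")),
    Incident("INC-4", "edr",  _t("2025-03-04 12:00"), _t("2025-03-04 12:15"), _t("2025-03-04 12:30"), _t("2025-03-04 11:45")),
]


if __name__ == "__main__":
    for name, value in soc_metrics(SAMPLE_INCIDENTS).items():
        print(f"{name:>24}: {value}")
```

On the sample set the mean dwell time is 88.75 hours but the median is 2 hours: INC-3, an 11-day dwell that surfaced through the SIEM rather than the endpoint agent, accounts for almost all of the mean. Reporting both numbers, and the count of incidents for which dwell is even known, is what keeps an automated dashboard honest.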
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)