
SANS 2025 SOC Survey: Critical Gaps & Top Team Strategies

Summary

– The 2025 Global SOC Survey from SANS Institute reveals a disconnect between alert response and data strategy in Security Operations Centers.
– 85% of SOC analysts cite endpoint security alerts as their primary response trigger, yet 42% of SOCs dump all incoming data into a SIEM without a retrieval plan.
– 82% of SOCs operate 24/7 and 73% allow some degree of remote work for their personnel.
– 42% of SOCs use AI/ML tools in an out-of-the-box capacity without customization, which may limit their effectiveness.
– The report serves as a comprehensive, vendor-neutral benchmark for SOC maturity, tooling, and staffing based on global practitioner data.

A new report from the SANS Institute reveals a concerning gap in how modern Security Operations Centers handle critical threat data. While the vast majority of analysts rely on endpoint alerts to initiate incident response, nearly half of all SOCs lack a coherent strategy for managing the flood of incoming information they receive daily.

The 2025 Global SOC Survey, drawing insights from thousands of cybersecurity professionals worldwide, serves as a comprehensive benchmark for understanding current trends in security operations maturity, tool deployment, and staffing models. One of the most striking findings shows that 85% of SOC analysts depend on endpoint security alerts as their main trigger for response actions. At the same time, a significant 42% of organizations admit they simply dump all incoming data into a SIEM without any clear plan for how to retrieve or analyze it later.

Christopher Crowley, a certified instructor at SANS Institute and the survey’s lead author, emphasized the challenges facing today’s security teams. “SOCs form the backbone of cyber defense, yet many remain overwhelmed and under-resourced,” he noted. “This year’s data provides a clear snapshot of how teams are adapting to round-the-clock operations, AI adoption, and the shift toward remote work, while also highlighting common missteps and areas needing improvement.”

The report also highlights that 82% of SOCs are now running 24/7.

Crowley warned against deploying new technologies without proper support, stating, “If leadership isn’t prepared to fully commit the resources needed to make a tool effective, it’s better not to deploy it at all. A shiny new solution requires budget, training, time, and careful integration into existing workflows.”

The report also clarifies how SANS defines a SOC, evaluating it based on capabilities, architecture, staffing, and whether functions are handled internally or outsourced. “This research helps security leaders understand how others are building and evolving their operations centers, and where they stand in comparison,” Crowley added.

For those interested in diving deeper, the full report and registration for an accompanying webcast are available through the SANS Institute website.

(Source: ME Tech Watch)
