October 14, 2025
GigaOm Radar for Autonomous Security Operations Center (SOC) Solutions v4
Andrew Green
1. Executive Summary
Autonomous security operations center (SOC) solutions shift the focus of security analysts from repetitive tasks to investigating only the most important incidents. These systems use correlation engines, customized alarms, automated workflows, and connections to both internal and external intelligence feeds, along with AI and machine learning. Autonomous SOCs give analysts a clear overview of threats and serve as a central hub for collecting information and resolving incidents.
The SOC will not, and should not, be fully autonomous. Instead, it should be given autonomy only over the biggest hindrance for analysts: the volume of alerts that need a response. Without automation, volume problems can be solved only by hiring more security analysts. However, responses to high-volume, low-complexity attacks can often be fully automated, freeing analysts to work on the attacks that genuinely need them, such as unknown or zero-day attacks.
The foundation of autonomous SOC solutions is technology already in use today. These solutions are built on a core security information and event management (SIEM) architecture. On top of that information management base, autonomous SOC solutions offer native security orchestration, automation, and response (SOAR) features, user and entity behavior analytics (UEBA) for anomaly detection, endpoint detection and response (EDR), and other security capabilities.
In the mid-2020s, the SecOps toolkit gained a new technology: large language models (LLMs). These can offer a natural language interface for interacting with the product, commonly adopted in a copilot fashion. However, LLMs can also be architected into agents, which can carry out investigation and response tasks with minimal human intervention.
Historically, a SIEM solution has been the center of operations for analysts, and it is still a viable and powerful tool today. Incremental developments mean that SIEM tools are still relevant, but the core SIEM function of collecting and sorting through logs can serve only so many use cases. Organizations today are increasingly opting for more comprehensive security operations products that decrease the amount of resources otherwise invested in deploying multiple solutions and integrating them, as well as the chair swiveling that follows.
We’ve previously described autonomous SOC solutions by looking at integrated SIEM and SOAR solutions, which were commonly a result of SIEM vendors acquiring SOAR tools. As these technologies are fully integrated, it is no longer relevant whether the capabilities were developed in-house or acquired.
We’re now expanding the scope of evaluation to include UEBA, EDR, LLM-based automation, and vulnerability management capabilities because the autonomous SOC strategy differs from vendor to vendor with regard to the type of modules they include in their product.
This is our fourth year evaluating the autonomous security operations center space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.
This GigaOm Radar report examines 22 of the top autonomous security operations center solutions and compares offerings against the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) outlined in the companion Key Criteria report. Together, these reports provide an overview of the market, identify leading autonomous security operations center offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.
GIGAOM KEY CRITERIA AND RADAR REPORTS
The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and nonfunctional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the sector.
2. Market Categories and Deployment Types
To help prospective customers find the best fit for their use case and business requirements, we assess how well autonomous security operations center solutions are designed to serve specific target markets and deployment models (Table 1).
For this report, we recognize the following market segments:
Small-to-medium business (SMB): Solutions in this category meet the needs of organizations ranging from small businesses to medium-sized companies. For this segment, advanced features may be less important than compliance and audit reporting and ease of use and deployment. Newer small enterprises may also rely heavily on cloud-based infrastructure, services, and apps, and favor cloud-based autonomous SOC solutions.
Large enterprise: Large enterprises require high-performance solutions with the throughput and storage capacity to ingest huge volumes of data. Flexibility in deployment, scalability, and integration with existing infrastructure will be key differentiators.
Regulated industries: These typically include verticals such as finance and healthcare, in which vendors need to adhere to strict rules and regulations as well as support on-premises deployments.
Managed security service provider (MSSP): MSSPs require multitenant architectures, flexibility, and scalability. They may also favor solutions with predictable pricing models.
Public sector: These are governmental agencies that have strict requirements, including around data residency, disaster recovery, and security-cleared vendor support staff.
We recognize five deployment models for solutions in this report:
Physical appliance: These are hardware solutions installed on the customer’s premises. Customers are responsible for operations and maintenance, though they may purchase support services through the vendor or a third-party service provider.
Virtual appliance: This is a software version of the solution that can be installed on a customer’s on-premises equipment or in private clouds.
Public cloud image: The solution can be purchased from a public cloud provider’s marketplace and run in the customer’s public cloud environment.
Software only: This model offers customers an installation file that they can install and run on their preferred operating system and hardware.
Software as a service (SaaS): Compared to cloud-hosted models, SaaS has a different licensing and consumption model in which customers typically subscribe to a pay-as-you-go plan without purchasing the solution outright, and pay separately for management.
Table 1. Vendor Positioning: Target Market and Deployment Model
Table 1 components are evaluated in a binary yes/no manner and do not factor into a vendor’s designation as a Leader, Challenger, or Entrant on the Radar chart (Figure 1).
“Target market” reflects which use cases each solution is recommended for, not simply whether that group can use it. For example, if an SMB could use a solution but doing so would be cost-prohibitive, that solution would be rated “no” for SMBs.
3. Decision Criteria Comparison
All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:
Multiple ingest streams
Tunable alarms
Third-party tool orchestration
Converged solution
Flexible storage
Data and threat enrichment
Tables 2, 3, and 4 summarize how each vendor in this research performs in the areas we consider differentiating and critical in this sector. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the relevant market space, and gauge the potential impact on the business.
Key features differentiate solutions, highlighting the primary criteria to be considered when evaluating an autonomous SOC solution.
Emerging features show how well each vendor implements capabilities that are not yet mainstream but are expected to become more widespread and compelling within the next 12 to 18 months.
Business criteria provide insight into the nonfunctional requirements that factor into a purchase decision and determine a solution’s impact on an organization.
These decision criteria are summarized below. More detailed descriptions can be found in the corresponding report, “GigaOm Key Criteria for Evaluating Autonomous SOC Solutions.”
Key Features
Detection engine: This feature considers the capabilities of the alarm-triggering engine that defines the detection rules used to identify suspicious or threatening events. The detection engine must do three things: trigger alerts for suspicious events; correlate, consolidate, and deduplicate events into single incidents and prioritize them based on impact and risk; and calibrate alarm triggers.
Case management: Case management refers to the platform’s ability to provide a multiple-user workspace, sometimes called a war room, for handling incidents. It’s a space where users can share all relevant information regarding incidents, including context as to why the incident was triggered, actions taken as part of the playbook, internal notes, pending actions, approvals, and next steps, along with everything else that needs to be shared for effective handling of incidents.
User and entity anomaly detection: Autonomous SOC tools can employ UEBA modules to establish baseline profiles for normal user behavior, then look for deviations. Anomalous behavior can include unusual login times, access of unauthorized resources, large data transfers, or unusual file access patterns.
Response and remediation: A solution’s response and remediation capabilities include direct control over affected assets to terminate, quarantine, or isolate threats. Response activities can be automated and carried out via workflows or executed manually by analysts in real time through the solution interface, with near-instant feedback. Response also includes all preceding actions, such as collecting OS-level data using tools or agents and enriching it with context and threat intelligence to validate malicious processes before isolation or termination.
Threat hunting and modeling: This refers to the solution’s ability to support analyst-driven searches of historic data for suspicious activity that evaded real-time detection. It also gives analysts the ability to place threats, alarms, or incidents within a wider context with respect to the affected IT systems or other existing threats.
Deterministic automation and integrations: To help analysts manage the organization’s existing security stack, solutions must integrate with and orchestrate third-party services. Integrations must be bidirectional, where the solution can both pull data from and push data to external tools. Solutions should provide out-of-the-box integrations, a mechanism for handling integrations, and expose their functions via well-documented APIs. Common orchestration actions, such as removing user permissions in an identity and access management (IAM) tool, should be possible without requiring customers to manually identify the correct IAM tool API call and write scripts.
Monitoring ephemeral resources: Ephemeral resources such as containers and serverless functions pose new security threats. These resources can be infected when they are alive, spun up by malicious actors, or fed malicious data. Autonomous SOC tools can integrate with monitoring tools for containerized and ephemeral environments to ingest data.
Table 2. Key Features Comparison
Emerging Features
DevSecOps and security as code: This emerging technology evaluates a solution’s ability to support DevOps practices in security operations teams and enables them to define detection rules using code. At a high level, this refers to the ability to manage and configure various aspects of an autonomous SOC solution using code repositories, version control, and automated deployment processes.
Vulnerability and misconfiguration scanning: This feature evaluates a vendor’s ability to identify vulnerabilities and misconfigurations in the customer's environment. Basic capabilities for this feature include integrating with third-party vulnerability management tools such as Qualys and Tenable and resolving the risks identified by these tools.
LLM modularity: This feature evaluates how SecOps automation tools enable customers to deploy and configure the LLMs used for investigation and response.
LLM monitoring and evaluations: LLM monitoring refers to the visibility over LLM performance and response times, and logging of their actions. Evaluations involve measuring the model’s response accuracy and ensuring responses are relevant and grounded in data.
Design-time LLM: LLMs can naturally be used to generate content, which means they can provide administrators and analysts with a natural language interface to write playbooks, detection rules, scripts, data transformations, and integrations with third-party tools.
LLM investigation and response copilots: These features offer analysts a natural language interface to conduct investigation and response actions. Typically, copilots are exposed through a chatbox, pop-up, separate window, or within the case management system.
LLM investigation and response agents: Agents are self-determining LLMs that can, when prompted or triggered, carry out investigation and response actions. SecOps automation tools offer them either as prepackaged and preconfigured agents ready-made for specific use cases, or as building blocks that allow analysts to build and run their own.
Guardrails: Guardrails involve controlling the LLM outputs to ensure they are accurate, relevant, and correctly formatted.
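The detection engine described under key features (trigger alerts, correlate and deduplicate them into incidents, prioritize by risk) and the security-as-code practice described above are two halves of one workflow: rules live in a repository with their own tests, and the engine runs them. The following Python is an added example of both, not code from this report or from any vendor it covers. Rules are JSON records that carry positive and negative samples so that a CI job can reject a rule that does not fire on what it claims to detect; the engine then runs the rules over constructed telemetry, emits one alert per rule and group key rather than one per matching event, correlates alerts that share a host, user or address into a single incident, and ranks incidents by severity weighted by asset criticality. The rule field names, the risk formula, the criticality table and the sample events are this example's assumptions.

```python
"""Detection-as-code: rules are data with embedded tests; the engine correlates, deduplicates and ranks hits."""
import json
from datetime import datetime, timedelta

# Constructed rule set in the shape it would be committed to a repo; field names are this example's own.
RULES_JSON = """[
 {"id": "auth-brute-force", "severity": 60, "technique": "T1110",
  "where": {"event": "auth_failure"}, "threshold": 3, "group_by": "src_ip", "window_minutes": 5,
  "tests": {"match": [{"event": "auth_failure", "src_ip": "198.51.100.1"}],
            "no_match": [{"event": "auth_success", "src_ip": "198.51.100.1"}]}},
 {"id": "cred-dump-tool", "severity": 90, "technique": "T1003",
  "where": {"event": "process_start", "image": "mimikatz.exe"}, "threshold": 1, "group_by": "host", "window_minutes": 1,
  "tests": {"match": [{"event": "process_start", "image": "mimikatz.exe"}],
            "no_match": [{"event": "process_start", "image": "notepad.exe"}]}}
]"""

# Constructed telemetry: a burst of failures ending in success, then a credential dumping tool on the
# same host; a second address fails slowly and never trips the rule.
EVENTS = [
    {"ts": "2025-10-01T09:00:05Z", "event": "auth_failure", "src_ip": "203.0.113.7", "user": "alice", "host": "vpn-1"},
    {"ts": "2025-10-01T09:00:09Z", "event": "auth_failure", "src_ip": "203.0.113.7", "user": "alice", "host": "vpn-1"},
    {"ts": "2025-10-01T09:00:14Z", "event": "auth_failure", "src_ip": "203.0.113.7", "user": "alice", "host": "vpn-1"},
    {"ts": "2025-10-01T09:00:20Z", "event": "auth_failure", "src_ip": "203.0.113.7", "user": "alice", "host": "vpn-1"},
    {"ts": "2025-10-01T09:01:00Z", "event": "auth_success", "src_ip": "203.0.113.7", "user": "alice", "host": "vpn-1"},
    {"ts": "2025-10-01T09:02:30Z", "event": "process_start", "image": "mimikatz.exe", "user": "alice", "host": "vpn-1"},
    {"ts": "2025-10-01T11:00:00Z", "event": "auth_failure", "src_ip": "198.51.100.9", "user": "bob", "host": "vpn-2"},
    {"ts": "2025-10-01T11:30:00Z", "event": "auth_failure", "src_ip": "198.51.100.9", "user": "bob", "host": "vpn-2"},
    {"ts": "2025-10-01T11:59:00Z", "event": "auth_failure", "src_ip": "198.51.100.9", "user": "bob", "host": "vpn-2"},
]
CRITICALITY = {"vpn-1": 1.0}  # asset criticality 0..1; anything unlisted defaults to 0.5
ENTITY_FIELDS = ("host", "user", "src_ip")
REQUIRED = ("id", "severity", "technique", "where", "threshold", "group_by", "window_minutes", "tests")

def load_rules():
    return json.loads(RULES_JSON)

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def matches(rule, event):
    """Per-event predicate: every key in the rule's 'where' must equal the event's value."""
    return all(event.get(k) == v for k, v in rule["where"].items())

def validate_rules(rules):
    """CI gate for the rule repo: schema check plus each rule's own positive/negative samples."""
    errors = []
    for r in rules:
        missing = [f for f in REQUIRED if f not in r]
        if missing:
            errors.append(f"{r.get('id', '?')}: missing {missing}")
            continue
        errors += [f"{r['id']}: positive sample did not match" for s in r["tests"]["match"] if not matches(r, s)]
        errors += [f"{r['id']}: negative sample matched" for s in r["tests"]["no_match"] if matches(r, s)]
    return errors

def _fires(times, threshold, window):
    """Sliding window over sorted timestamps: True if any window holds >= threshold hits."""
    j = 0
    for i in range(len(times)):
        while times[i] - times[j] > window:
            j += 1
        if i - j + 1 >= threshold:
            return True
    return False

def detect(rules, events):
    """Run every rule; emit ONE alert per rule and group key (the deduplication step)."""
    alerts = []
    for r in rules:
        groups = {}
        for ev in events:
            if matches(r, ev):
                groups.setdefault(ev.get(r["group_by"]), []).append(ev)
        for key, evs in groups.items():
            evs.sort(key=lambda e: parse_ts(e["ts"]))
            if not _fires([parse_ts(e["ts"]) for e in evs], r["threshold"], timedelta(minutes=r["window_minutes"])):
                continue
            alerts.append({"rule": r["id"], "severity": r["severity"], "technique": r["technique"],
                           "key": key, "count": len(evs), "first_seen": evs[0]["ts"], "last_seen": evs[-1]["ts"],
                           "entities": {e[f] for e in evs for f in ENTITY_FIELDS if e.get(f)}})
    return alerts

def build_incidents(alerts, criticality, default_crit=0.5):
    """Correlate alerts that share any entity into one incident, then rank by risk."""
    incidents = []
    for a in alerts:
        linked = [i for i in incidents if i["entities"] & a["entities"]]
        inc = {"alerts": [], "entities": set()}
        for i in linked:  # an alert may bridge several incidents: merge them all
            incidents.remove(i)
            inc["alerts"] += i["alerts"]
            inc["entities"] |= i["entities"]
        inc["alerts"].append(a)
        inc["entities"] |= a["entities"]
        incidents.append(inc)
    for inc in incidents:
        crit = max(criticality.get(e, default_crit) for e in inc["entities"])
        top = max(a["severity"] for a in inc["alerts"])
        inc["risk"] = min(100, round(top * crit + 10 * (len(inc["alerts"]) - 1)))
        inc["techniques"] = sorted({a["technique"] for a in inc["alerts"]})
    return sorted(incidents, key=lambda i: i["risk"], reverse=True)
```

Run `validate_rules(load_rules())` in the repository's pipeline and refuse to merge when it returns anything; in production, `detect` and `build_incidents` run over the live stream. The slow failures from 198.51.100.9 show why the threshold is evaluated over a time window rather than a raw count, and the single incident that results for vpn-1 is what an analyst should see instead of five separate alerts.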
Table 3. Emerging Features Comparison
Business Criteria
Scalability: This criterion evaluates a vendor’s capability to serve large deployments and respond to changes in the amount of data ingested. No solution can be infinitely scalable. Even cloud-based solutions that can scale up the underlying infrastructure to support more data have some limitations and usability concerns.
Manageability: This criterion evaluates how administrators and end users interact with the solution, with specific focus on the work required for initial setup and ongoing configuration. If end users have to spend more time managing the tool than dealing with security incidents, manageability is reduced. Autonomous SOC solutions have many components and integrations they depend on and so must be easy to manage.
Cost transparency: This criterion evaluates the way a solution is licensed and priced to support customers in managing their solution costs transparently and predictably. The licensing model can be based on any of the following: events per second, per GB ingested; storage-related costs such as total retention, hot storage, and cold storage; pay-as-you-go and pay-as-you-grow mechanisms; seat-based pricing; and free tiers. Additional modules (such as UEBA or SOAR) may be priced additionally or included in the base price.
Documentation and support: To help customers adopt and run the solution at the scale they need, vendors often offer comprehensive technical documentation and support services. This can include training and certification programs, technical documentation, onboarding programs, help desks in different tiers and working hours, drop-in support teams, and support for on-premises deployments.
Ecosystem: This business criterion evaluates an autonomous SOC vendor’s partner ecosystem, which includes alliances with third-party managed services providers (MSPs), technology alliances, third-party produced content, channels to market, and third-party professional services providers.
Table 4. Business Criteria Comparison
4. GigaOm Radar
The GigaOm Radar plots vendor solutions across a series of concentric rings with those positioned closer to the center being judged as having the most complete solution. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrowhead that projects each solution’s expected evolution over the coming 12 to 18 months.
Figure 1. GigaOm Radar for Autonomous SOC
As you can see in Figure 1, vendors are distributed across the four quadrants of the chart, with the highest concentration of vendors in the Innovation/Platform Play quadrant.
Vendors are positioned across the quadrants according to the extent of their product’s feature set and use cases, as well as their implementation of LLM-based capabilities. More specifically, the breadth of use cases determines the vendor’s position along the Feature/Platform Play axis, with vendors in the Platform Play half able to deliver across most, if not all, key features described in the report. The Innovation/Maturity distribution depends on the vendor’s implementation of LLM-based capabilities, primarily captured in the report’s emerging features.
With regard to LLM-based capabilities in particular, vendors either need to hire in-demand AI engineers or upskill their existing employees. Both are rather lengthy exercises, and the largest vendors are best positioned to develop enterprise-grade LLM-based features.
These vendors will also have the opportunity to acquire LLM-native security automation tools, which will bring both capabilities and skills in-house. We expect to start seeing acquisitions in this category over the next year.
Year over year, this report remains largely consistent with the previous iteration. Two new vendors, which have recently entered the security operations field, have been added.
In reviewing solutions, it’s important to keep in mind that there are no universal “best” or “worst” offerings; every solution has aspects that might make it a better or worse fit for specific customer requirements. Prospective customers should consider their current and future needs when comparing solutions and vendor roadmaps.
INSIDE THE GIGAOM RADAR
To create the GigaOm Radar graphic, key features, emerging features, and business criteria are scored and weighted. Key features and business criteria receive the highest weighting and have the most impact on vendor positioning on the Radar graphic. Emerging features receive a lower weighting and have a lower impact on vendor positioning on the Radar graphic. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and roadmaps.
Note that the Radar is technology-focused, and business considerations such as vendor market share, customer share, spend, recency or longevity in the market, and so on are not considered in our evaluations. As such, these factors do not impact scoring and positioning on the Radar graphic.
For more information, please visit our Methodology.
5. Solution Insights
CrowdStrike: Falcon
Solution Overview
The CrowdStrike Falcon platform offers a suite of security capabilities built on top of CrowdStrike’s single-agent approach. It consists of Next-Gen SIEM, EDR, Fusion SOAR, Charlotte AI, and others.
The Falcon modules share a common data backplane, LogScale, the platform’s security data lake and log management engine. Next-Gen SIEM operates on CrowdStrike's own global infrastructure and data centers, and can also be hosted on Amazon Web Services (AWS) GovCloud to meet the security and compliance requirements of US federal agencies.
CrowdStrike’s EDR and threat intelligence pedigree deliver a scalable SIEM, with LogScale capable of processing up to one trillion high-fidelity signals per day. The widely deployed EDR and threat intelligence products offer organizations the opportunity to consolidate their security operations tooling under one provider.
CrowdStrike is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the autonomous SOC Radar chart.
Strengths
CrowdStrike scored well on a number of decision criteria, including:
Detection engine: The solution provides comprehensive capabilities for defining and calibrating alarms through features like the CrowdStrike Query Language (CQL) for flexible rule creation and modification, prepackaged rules mapped to MITRE ATT&CK, and custom rule creation via an intuitive UI or CQL. The platform uses ML-based dynamic detection prioritization for risk scoring and AI-powered IoCs for endpoint and cloud workload data.
Response and remediation: Falcon offers an agent-based EDR solution fully integrated with its SIEM offering. It provides low-level controls over the hosts where the agent runs to block, terminate, and quarantine threats by using tools to gather OS-level information.
LLM-based agents: Charlotte AI offers agentic capabilities for investigating, triaging, and responding to potential breaches. It provides detailed activity logs of all actions taken, documentation of analysis steps, and a record of functions executed. Chain-of-thought reasoning is applied to investigation paths, multistep analysis workflows, and progressive refinement of conclusions. This AI maintains context across an investigation session, implements evaluations, and allows analysts to upload their documents.
Opportunities
CrowdStrike has room for improvement in a few decision criteria, including:
Case management: While the vendor has native case management features, it can further improve by using data stored as global context for LLM agents or copilots, handling nonsecurity collaboration with other teams, and serving as a shared resource among analysts, including onboarding of new ones.
LLM modularity: CrowdStrike can improve on this feature by offering multiple hosting options for the LLM and controls over the LLM’s configuration and authentication.
LLM monitoring and evaluations: While CrowdStrike’s solution can report on some LLM-related metrics, it does not evaluate retrieval-augmented generation (RAG) performance and ensure the validity of schemas and formats produced by the LLM.
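The guardrails emerging feature and the schema-validity point raised above both come down to one control: nothing an investigation or response agent proposes should reach a connector until it has been parsed and checked against policy. The following Python is an added example of such an output guardrail; it is not CrowdStrike's code or this report's own. It assumes the agent emits one JSON object per proposed tool call (`action`, `args`, `rationale`), and the action allowlist, argument patterns, incident record and sample agent outputs are all constructed for the example.

```python
"""Output guardrail for an investigation/response agent: strict format parsing, action allowlist,
argument validation, grounding in the incident's own entities, and a human gate for destructive actions."""
import json
import re

# Allowlist of tool calls the agent may propose; argument patterns are matched in full.
# These names and patterns are this example's assumptions, not any vendor's action catalogue.
ALLOWED_ACTIONS = {
    "lookup_ip_reputation": {"args": {"ip": r"\d{1,3}(\.\d{1,3}){3}"}, "destructive": False},
    "isolate_host": {"args": {"host": r"[a-z0-9-]{1,63}"}, "destructive": True},
    "disable_user": {"args": {"user": r"[a-z0-9._-]{1,64}"}, "destructive": True},
}
REQUIRED_KEYS = {"action": str, "args": dict, "rationale": str}
FENCE = re.compile(r"```(?:json)?\s*(\{.*\})\s*```", re.S)

def parse_proposal(text):
    """Format guardrail: accept exactly one JSON object (bare or in a single code fence), nothing else."""
    m = FENCE.fullmatch(text.strip())
    body = m.group(1) if m else text.strip()
    try:
        obj = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc.msg}")
    if not isinstance(obj, dict):
        raise ValueError("proposal must be a JSON object")
    missing, extra = set(REQUIRED_KEYS) - set(obj), set(obj) - set(REQUIRED_KEYS)
    if missing or extra:
        raise ValueError(f"bad keys: missing={sorted(missing)} extra={sorted(extra)}")
    for key, typ in REQUIRED_KEYS.items():
        if not isinstance(obj[key], typ):
            raise ValueError(f"{key} must be a JSON {typ.__name__}")
    return obj

def check_proposal(text, incident):
    """Return (verdict, reason): 'allow', 'approve' (held for an analyst) or 'reject'."""
    try:
        p = parse_proposal(text)
    except ValueError as exc:
        return "reject", str(exc)
    spec = ALLOWED_ACTIONS.get(p["action"])
    if spec is None:
        return "reject", f"action {p['action']!r} is not on the allowlist"
    if set(p["args"]) != set(spec["args"]):
        return "reject", "argument names do not match the action schema"
    for name, pattern in spec["args"].items():
        value = p["args"][name]
        if not isinstance(value, str) or not re.fullmatch(pattern, value):
            return "reject", f"argument {name!r} failed validation"
        if value not in incident["entities"]:  # grounding: act only on entities the case actually contains
            return "reject", f"{name}={value!r} does not appear in the incident"
    if spec["destructive"]:
        return "approve", "destructive action held for analyst approval"
    return "allow", "read-only action within policy"

# Constructed incident and a batch of constructed agent outputs, well-formed and otherwise.
INCIDENT = {"id": "INC-42", "entities": {"ws-01", "alice", "203.0.113.7"}}
PROPOSALS = [
    '{"action": "lookup_ip_reputation", "args": {"ip": "203.0.113.7"}, "rationale": "enrich source"}',
    '```json\n{"action": "isolate_host", "args": {"host": "ws-01"}, "rationale": "mimikatz on host"}\n```',
    '{"action": "isolate_host", "args": {"host": "ws-77"}, "rationale": "looks related"}',
    '{"action": "run_shell", "args": {"cmd": "rm -rf /tmp/x"}, "rationale": "cleanup"}',
    '{"action": "isolate_host", "args": {"host": "ws-01; curl http://203.0.113.7/x"}, "rationale": "contain"}',
    'Sure! I will isolate ws-01 now.',
]

def review_batch(incident=INCIDENT, proposals=PROPOSALS):
    return [check_proposal(p, incident) for p in proposals]
```

The grounding check is the one that matters most for agents: a model that hallucinates a host name, or is steered by injected text in a log field, still cannot isolate anything the case does not already reference. Record every verdict and reason alongside the raw proposal, since that log is also the evidence an LLM monitoring function needs.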
Purchase Considerations
Flexible purchasing options through the Falcon Flex consumption model and financing through CrowdStrike Financial Services are available. Next-Gen SIEM can be purchased separately or as part of other modules.
Next-Gen SIEM is priced based on the volume of third-party data ingested and the retention period. All native CrowdStrike Falcon telemetry from platform modules (like endpoint, identity, and cloud) is included at no extra ingest cost. Next-Gen SIEM customers have access to 30 days hot retention out of the box and can expand up to five years (based on ingestion).
Use Cases
The CrowdStrike Falcon platform delivers a range of use cases, including security operations center transformation and modernization, legacy SIEM replacement and consolidation, automated alert triage and investigation, cross-domain threat detection and response, threat hunting and forensics, real-time security analytics, automated incident response, compliance, and log management.
Datadog: Cloud SIEM
Solution Overview
As part of a wider portfolio of infrastructure observability, Datadog Cloud SIEM is built natively into the Datadog Observability and Security Platform and provides extended coverage of security services. Cloud SIEM is fully integrated with all of Datadog’s application and infrastructure monitoring products, allowing users to pivot seamlessly from a potential threat to relevant monitored data for quickly triaging security alerts.
The solution is highly innovative, supporting emerging features such as security as code and misconfiguration detection.
Datadog Cloud SIEM provides real-time monitoring, threat detection, and response capabilities across complex, dynamic cloud environments, leading to better protection against potential cyberattacks. Cloud SIEM applies advanced analytics to security-related logs from cloud environments, identity providers (IdPs), and SaaS applications. By leveraging an extended set of data streams from the rest of the IT and cloud infrastructure, including application, infrastructure, and cloud provider logs, Datadog can provide deeper insights into application and security activity.
Datadog is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the autonomous SOC Radar chart.
Strengths
Datadog scored well on a number of decision criteria, including:
Case management: These features are built into the Datadog platform and can be accessed with just one click from within Cloud SIEM. Cases can be created directly from security signals and alerts and are populated with all relevant telemetry data, analyst contacts, asset owners, and third-party messaging and issue-tracking links. War rooms can be created easily, and stakeholders can collaborate virtually with the built-in CoScreen meeting tool.
Deterministic automation and integrations: Datadog can define automation logic using workflows and webhooks as script-based connectors that link Datadog to other tools. By setting up webhooks that respond to Datadog security notifications, users can create simple, automated remediation workflows that neutralize threats in real time. Webhooks deliver their payloads to the services users want to automate whenever a detection rule is broken. Datadog also offers Content Packs, a centralized hub for all out-of-the-box content related to an integration. Content Packs can contain prebuilt detection rules, dashboards, workflow automation blueprints, or visual/graphical Investigator widgets. Customers can see a preview of this content prior to activating a Content Pack. Content Packs are available in the following categories: cloud audit, authentication, collaboration, network, cloud developer tools, and endpoint.
Detection engine: Cloud SIEM offers out-of-the-box detection rules that align with the MITRE ATT&CK framework. Rules can be cloned and customized based on the organization’s needs. It offers risk-based alerting, and analysts can correlate threats, findings, and vulnerabilities to consolidate and facilitate efficient investigations.
Opportunities
Datadog has room for improvement in a few decision criteria, including:
User and entity anomaly detection: Datadog does not yet offer peer-group comparison or employ multiple types of analysis models to process data; its UEBA feature is currently in beta testing.
Response and remediation: The vendor can further develop its response and remediation capabilities to include zero-day detection and response content, or OS-level control and visibility into affected assets.
LLM investigation and response agents: While Bits AI is a comprehensive LLM-based copilot, Datadog’s LLM investigation and response agents are currently in preview stage.
Purchase Considerations
Datadog's business model is subscription-based SaaS. Products like Indexed Logs and Cloud SIEM, which are linked to volumes, are priced by volume. Datadog offers discounts for multiyear subscriptions or large-volume deployments. On-demand prices are publicly available.
Use Cases
Cloud SIEM can be used for security threat detection, investigation, and response, rule testing using historical data, threat hunting, improved regulatory compliance, security auditing, reporting, threat intelligence, and historical trend analysis. As it is part of a wider observability platform, the solution also has access to infrastructure and application performance monitoring.
Devo Technology: Devo Platform*
Solution Overview
Devo Technology’s comprehensive security operations products include Devo SIEM, which is part of the Devo Platform, a cloud-native SaaS solution with integrated SOAR, UEBA, and autonomous threat investigation and hunting.
In late 2022, Devo Technology acquired LogicHub, a purpose-built SOAR vendor, and integrated its capabilities into the SIEM product. The solution also includes Devo HyperStream, a proprietary, real-time data analytics engine, and Devo DeepTrace for performing autonomous investigations and threat hunting. The Devo Exchange, a community-based app and marketplace, provides on-demand access to a growing library of curated security content created by Devo Technology and its partners and customers. The exchange is free to every Devo Technology customer.
A distinguishing feature is that Devo Technology includes 400 days of hot data with the platform, a longer period than is offered by other vendors featured in the report.
Devo Technology is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the autonomous SOC Radar chart.
Strengths
Devo Technology scored well on a number of decision criteria, including:
Detection engine: Devo Technology uses prepackaged alarm rules available through Devo Exchange. AI-triggered alarms can be single-metric or multi-metric time-series anomaly detections that detect problems based on historical baselines. Devo Behavior Analytics, the vendor’s UEBA capability, is overlaid against alerts and cases to provide additional context and reduce false positive alarms.
Threat hunting and modeling: Devo DeepTrace is an alert investigation and threat-hunting capability that allows security analysts to autonomously perform full investigations on alerts or suspicious events. DeepTrace’s attack-tracing AI pieces together the activity of malicious users or external actors, enabling analysts to analyze and report results in the form of traces, which are artifacts that chronologically document each attack chain.
Response and remediation: The solution can collect binaries, URLs, and files for sandboxing and perform volatile memory analysis at the time of an incident to detect threats hiding in RAM. Devo Technology’s security research team, SciSec, offers its customers a proprietary threat intelligence feed, dubbed Collective Defense, for data collection and sharing. It delivers early warnings about emerging threats via cross-customer threat-hunting analysis and accelerated investigations using validated and enriched threat intelligence from all participating Devo Technology customers.
Opportunities
Devo Technology has room for improvement in a few decision criteria, including:
Deterministic automation and integrations: While the solution’s automation engine is based on workflows, it can enhance this capability by implementing integration version control and automated writing of new integrations. For automation, it can add support for a wider range of triggers, including generic HTTP triggers, event-driven triggers from message buses such as Kafka, chat triggers, and scheduled triggers. It can also implement advanced playbook capabilities, such as retries, timeouts, rate limits, nested playbooks, live editors, and workflow rollback.
LLM modularity: Devo can improve in this area by supporting multiple models, hosting them in the customer’s preferred environment, giving customers control over LLM parameters, and supporting function calling and agent memory.
Case management: Devo Technology has good case management features, which can be improved by handling nonsecurity collaboration with other teams, using data stored as global context for LLM agents or copilots, and serving as a shared resource among analysts, including onboarding of new ones.
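The deterministic automation key feature asks that a common orchestration action, such as removing a user's permissions in an IAM tool, be a named step rather than a hand-written API script, and the opportunities above list the playbook mechanics (retries, timeouts, nested playbooks, rollback) that make such steps safe to run unattended. The following Python is an added example of a small playbook runner with those mechanics; it is not Devo's code, nor any vendor's, nor this report's own. The IAM, EDR and ticketing connectors are in-memory stubs constructed for the example, the playbook format is this example's own, and the `$name`/`$result` placeholder convention is an assumption.

```python
"""Playbook runner with retries, per-step timeouts, nested playbooks and rollback, driving connector stubs."""
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as StepTimeout

class ActionFailed(Exception):
    """Raised by a connector when the remote tool rejects or cannot complete an action."""

class FakeIam:
    """Constructed stand-in for an IAM API; not a real vendor SDK."""
    def __init__(self, roles):
        self.roles = {u: set(r) for u, r in roles.items()}
    def revoke_roles(self, user):
        removed, self.roles[user] = self.roles[user], set()
        return sorted(removed)
    def restore_roles(self, user, removed):
        self.roles[user] |= set(removed)

class FakeEdr:
    """Constructed EDR stub: two transient errors per host; ws-99 is permanently unreachable."""
    def __init__(self):
        self.isolated, self.calls = set(), {}
    def isolate_host(self, host):
        n = self.calls[host] = self.calls.get(host, 0) + 1
        if host == "ws-99" or n < 3:
            raise ActionFailed(f"EDR API error for {host} (attempt {n})")
        self.isolated.add(host)
        return True
    def release_host(self, host):
        self.isolated.discard(host)

class SlowTickets:
    def create(self, summary):
        time.sleep(0.3)  # constructed stub: the ticketing API hangs longer than the step allows
        return "TKT-1"

# Playbooks as data. "$name" in args resolves from the run context; "$result" inside an undo block is the
# forward step's return value. Steps are critical unless marked otherwise.
PLAYBOOKS = {
    "contain-user": [
        {"action": "iam.revoke_roles", "args": {"user": "$user"},
         "undo": {"action": "iam.restore_roles", "args": {"user": "$user", "removed": "$result"}}},
        {"playbook": "isolate-endpoint"},
        {"action": "tickets.create", "args": {"summary": "containment record"},
         "timeout_s": 0.05, "critical": False},
    ],
    "isolate-endpoint": [
        {"action": "edr.isolate_host", "args": {"host": "$host"}, "retries": 2,
         "undo": {"action": "edr.release_host", "args": {"host": "$host"}}},
    ],
}

def _resolve(args, ctx):
    return {k: ctx[v[1:]] if isinstance(v, str) and v.startswith("$") else v for k, v in args.items()}

class PlaybookRunner:
    def __init__(self, connectors, playbooks):
        self.connectors, self.playbooks = connectors, playbooks
    def _action(self, name):
        tool, method = name.split(".", 1)
        return getattr(self.connectors[tool], method)
    def _call(self, step, ctx, record):
        """Invoke one action with a per-attempt timeout and bounded retries."""
        fn, timeout = self._action(step["action"]), step.get("timeout_s", 5.0)
        args, last = _resolve(step.get("args", {}), ctx), None
        for attempt in range(1, step.get("retries", 0) + 2):
            record["attempts"] = attempt
            pool = ThreadPoolExecutor(max_workers=1)
            fut = pool.submit(fn, **args)
            pool.shutdown(wait=False)  # never block the playbook on a hung call
            try:
                return fut.result(timeout=timeout)
            except StepTimeout:
                last = ActionFailed(f"{step['action']} timed out after {timeout}s")
            except ActionFailed as exc:
                last = exc
        raise last
    def _execute(self, steps, ctx, run, undo_stack):
        for step in steps:
            if "playbook" in step:  # nested playbook shares context and undo stack with its parent
                self._execute(self.playbooks[step["playbook"]], ctx, run, undo_stack)
                continue
            run["log"].append(record := {"action": step["action"]})
            try:
                record["result"] = self._call(step, ctx, record)
            except ActionFailed as exc:
                if step.get("critical", True):
                    raise
                run["warnings"].append(str(exc))  # non-critical step: log it and carry on
                continue
            if "undo" in step:
                undo_stack.append((step["undo"], {**ctx, "result": record["result"]}))
    def run(self, name, ctx):
        """Execute a playbook; on a critical failure, compensate completed steps newest first."""
        run, undo_stack = {"status": "ok", "log": [], "warnings": [], "rolled_back": []}, []
        try:
            self._execute(self.playbooks[name], dict(ctx), run, undo_stack)
        except ActionFailed as exc:
            run["status"], run["error"] = "failed", str(exc)
            for undo, uctx in reversed(undo_stack):
                self._action(undo["action"])(**_resolve(undo["args"], uctx))
                run["rolled_back"].append(undo["action"])
        return run
```

Two runs show the behaviour that matters: for a reachable host, the EDR step succeeds on its third attempt and a hung ticketing call is logged as a warning without blocking containment; for an unreachable host, the critical isolation step fails after its retries and the runner restores the roles it had already revoked. Whether rolling back containment is the right response to a later failure is a policy decision, which is why each step carries its own `critical` flag rather than the runner deciding globally.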
Purchase Considerations
Devo Technology offers three security packages: Intelligent SIEM Starter, Intelligent SIEM, and Intelligent SIEM+. All three include Devo Analytics Cloud, the SaaS log analytics capability of the Devo Platform. The licensing metric for each package is data ingestion. All packages include SIEM, SOAR, and UEBA at no additional cost.
Each package supports unlimited users and includes 24/7 customer support, a customer success manager, 400 days of hot data, unlimited queries, the Devo Exchange, cloud usage costs, full platform management by Devo Technology, and data encryption at rest and in flight.
Use Cases
With integrated SOAR and UEBA capabilities, Devo Technology’s solution can deliver on a wide range of use cases, such as automating processes, orchestrating third-party tools, and monitoring anomalous user and entity behaviors. It can also be used for a variety of other use cases across multicloud and hybrid environments, including services and IT infrastructure monitoring, application performance monitoring, network status and performance, and customer experience management.
Elastic: Elastic Security
Solution Overview
Elastic Security differs from other solutions in that it’s built on the open source Search AI Platform, which the company continues to extend as “free and open.” It’s worth noting that other vendors are using Elasticsearch as the underlying engine to query and extract information from their databases.
Elastic is a highly innovative vendor engaged in a program of developing emerging features, including vulnerability and misconfiguration scanning, DevSecOps, and security as code.
Elastic Security offers a solid user experience through an intuitive, dynamic, and highly responsive interface. Its seamless design, rapid search, and level of detail combine to rank it high on the threat hunting key feature. Furthermore, the platform features graphical views of events and timelines, which equip security analysts with the right tools to investigate long-term threats in a context-rich environment.
Elastic is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the autonomous SOC Radar chart.
Strengths
Elastic scored well on a number of decision criteria, including:
Response and remediation: Elastic offers native orchestration and response capabilities powered by Elastic Agent. It provides a terminal-like interface that lets practitioners view and invoke response actions quickly, and it also offers self-cleaning via an automated remediation feature that erases attack artifacts from a system. When malicious activity is identified on a host, self-cleaning automatically returns the host to its pre-attack state by reversing changes implemented during the attack.
User and entity anomaly detection: The latest anomaly detection modules enable the platform to perform several actions, such as identifying OS processes that show unexpected network activity and searching for unusual listening ports, unusual URL requests from hosts, rare processes running on multiple hosts in a fleet or network, activity from users who are not normally active, and many other potential attack vectors. For risk scoring, Elastic Security can measure host and user risks to highlight suspicious entities. This feature uses a transform with a scripted metric aggregation to calculate risk scores based on alerts generated within the past five days for hosts or 90 days for users.
Threat hunting and modeling: The platform features graphical views of events and timelines, which equip security analysts with the right tools to investigate long-term threats in a context-rich environment. It also has a comprehensive and well-architected storage and querying engine that can quickly process queries to surface relevant information.
Opportunities
Elastic has room for improvement in a few decision criteria, including:
Monitoring ephemeral resources: The solution has limited support for detecting abnormal activities related to Kubernetes and container management, such as unauthorized pod access, changes to security policies and configuration, or issues with container images, repositories, and public registries.
Case management: While the vendor natively supports case management features, it can improve by implementing war rooms where multiple analysts communicate in real time with case-specific data, handling nonsecurity collaboration with other teams, using data stored as global context for LLM agents or copilots, and serving as a shared resource among analysts, including onboarding of new ones.
Deterministic automation and integrations: While the solution can define automation logic using workflows, it can enhance this capability by implementing triggers such as generic HTTP, event-driven triggers using protocols like Kafka, chat triggers (including LLM chats), and scheduled triggers. It can also implement advanced playbook capabilities, such as retries, timeouts, rate limits, nested playbooks, live editors, and workflow rollback.
Purchase Considerations
Organizations interested in Elastic Security need to take into account the learning curve associated with using the product. While the product has extensive capabilities, organizations will have a longer time to value as they tune the alarm system and train security analysts to use the solution.
While the Elastic Stack (Elasticsearch, Kibana, Beats, and Logstash, also known as the ELK Stack) is free and open source, enterprises can choose between three Elastic Security plans: Standard, Platinum, and Enterprise. Each has increasing prices and feature sets. This report considers the solution’s capabilities available with the Enterprise plan. Elastic Cloud can be deployed on any of the major public cloud providers: AWS, Azure, or Google Cloud Platform (GCP). Customers who want to manage the software themselves, whether on a public, private, or hybrid cloud, can download Elastic.
Use Cases
Elastic Security can cater to a wide variety of use cases, such as detection and investigation for both current threats and historical ones. With some built-in SOAR capabilities, the solution can orchestrate third-party applications and automate response capabilities. Elastic has powerful Elasticsearch-based search capabilities, enabling analysts to parse large amounts of data. With services certified to meet compliance standards, it can also help organizations comply with various industry-standard regulations.
Google Cloud: Google Security Operations*
Solution Overview
Google Security Operations, formerly known as Chronicle, is an integrated product that combines SIEM and SOAR capabilities, developed following the 2022 acquisition of point-solution vendor Siemplify. The Google Security Operations solution is designed to help organizations detect, investigate, and respond to security threats in real time. The solution is powered by Google Cloud Platform (GCP) infrastructure and leverages Google’s machine learning capabilities to automate and streamline security workflows. It is a stable solution that can support enterprise requirements.
Google Security Operations provides an intuitive user interface that allows security analysts to investigate incidents, create workflows, and automate response actions without requiring extensive coding knowledge. The SOAR feature also uses ML to improve its accuracy and speed in identifying and responding to security incidents. Automated response capabilities help organizations reduce the time taken to detect and respond to security threats, thereby reducing the risk of data breaches and other security incidents.
Google Security Operations enables customers to safely run playbooks through their paces in a preproduction environment using the playbook simulator. This allows users to test each step in a playbook, including actions and conditions, without affecting production data. Each step of a playbook or playbook block can be tested to verify the required flow, manipulate the results of actions, and simulate the playbook with different tools and integrations, even if the customer doesn’t have access.
Google Cloud is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the autonomous SOC Radar chart.
Strengths
Google Cloud scored well on a number of decision criteria, including:
Threat hunting and modeling: The tool can display contextual information that includes actors, campaigns, vulnerabilities, and other indicators of malicious activity associated with alert entities. The graphical views showcase relationships between entities and associated details for each artifact affected.
Case management: An interactive “case wall” allows security analysts to view every action and artifact and find case-related information. Analysts can tag colleagues, assign tasks, and monitor the progress of a case. They can also communicate in real time with each other, with departments outside the SOC, or with their service provider. They can document these chats as part of every case and pin messages as evidence to the case wall.
User and entity anomaly detection: With a dedicated UEBA model that detects anomalies in authentication, network traffic analysis, suspicious actions, and data loss prevention-based detections, the solution provides contextual risk scores using information from authoritative sources such as configuration management database (CMDB), IAM, and data loss prevention (DLP), including telemetry, context, relationships, and vulnerabilities.
Opportunities
Google Cloud has room for improvement in a few decision criteria, including:
Vulnerability and misconfiguration scanning: It currently provides integration with Nessus, a third-party specialized tool, and with Mandiant Attack Surface Management (ASM), but has no native capabilities.
Monitoring ephemeral resources: The solution can improve its capabilities for detecting abnormal activities related to Kubernetes and container management. These can include unauthorized pod access, changes to security policies and configuration, or issues with container images, repositories, and public registries.
Detection engine: While the tool uses a patented Alert Grouping mechanism and alert triage is automated using playbooks, the solution can further improve by calibrating alarms based on flagged false positives or using SIGMA rules as a vendor-agnostic way of sharing detection rules and alerts across tools.
Purchase Considerations
Google Security Operations is available in three tiers: Standard, Enterprise, and Enterprise Plus. All three tiers include both the SIEM and SOAR modules, while the Enterprise Plus version offers advanced features such as full access to Google Threat Intelligence, Google-curated detections, and BigQuery Unified Data Model (UDM) storage.
Google Security Operations is available in packages and priced based on ingestion. It includes one year of security telemetry retention at no additional cost.
Use Cases
The Google Security Operations platform can be used to handle a wide range of SecOps use cases, including automating investigation and response activities, case management, incident response, threat hunting, and threat intelligence.
Gurucul: Gurucul REVEAL
Solution Overview
Gurucul REVEAL is a modular, unified data and security analytics platform structured as a suite of six integrated proprietary modules, which include Next-Gen SIEM, UEBA, SOAR, data optimizer (data pipeline management), identity analytics, and an AI-SOC Analyst, all powered by Sme AI, Gurucul’s suite of Generative and Agentic AI agents.
Gurucul REVEAL analyzes enterprise data at scale, using machine learning and artificial intelligence to provide real-time, actionable insights into actual threats and their associated risks. It is designed to deliver results on day one, offering versatility in deployment, data ingestion, customization, and the ability to quantify, prioritize, and mitigate the risk of security threats, as well as respond effectively. It is a cloud-native platform that supports on-premises, hybrid, and multicloud and can integrate with users’ technology stacks.
Its intelligent data fabric ensures visibility across the customer’s environment. It automates data ingestion, interprets data from any source or format, extracts security-relevant content, and enriches, reduces, and routes data from any source, format, or IT estate, including nonsecurity data. It offers more than 10,000 out-of-the-box content modules that can be easily modified as needed through a simple, wizard-driven interface.
It heavily leverages AI and ML analytics, with a library of more than 4,000 pretuned detection models that have been developed and refined. These can be chained together to trigger, confirm, filter, and cross-validate alerts, identifying unknown unknowns and surfacing what matters most. They are also easily customized with a drag-and-drop interface. The platform dynamically assesses risk based on more than 200 different attributes. Internal and external risk profiles normalize scores and provide full context to elevate threats, enabling you to take action. The entire platform uses agentic and GenAI, which work together to reduce the time to detect and respond to insider threats.
Gurucul is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the autonomous SOC Radar chart.
Strengths
Gurucul scored well on a number of decision criteria, including:
Threat hunting and retrospective analysis: The solution offers robust threat hunting capabilities through features such as applying optimized rules to historical data for retroactive analysis and accelerated behavior profiling and the retrospective identification of vulnerability exploits using the investigate interface. Analysts can visualize attack sequences with the threat progression timeline view and understand environmental relationships using interactive dependency maps and drill-down capabilities.
Data analysis and risk scoring: The tool excels in data analysis and risk scoring through its AI-driven architecture, which features a data optimizer for intelligent data lifecycle management, Gurucul Studio for custom rule and model creation, and AI/ML-powered analytics engines. It provides UEBA with customizable baselines, context-aware dynamic risk scoring that incorporates various factors (such as behavioral anomalies and threat intelligence), and risk chaining to identify complex attacks by correlating seemingly unrelated events.
LLM-based agents: The solution employs self-deterministic AI agents, powered by its Sme AI, to enhance threat investigation and response. These agents enrich alerts with context, execute playbooks, and provide analysts with real-time recommendations. Prompts follow chain-of-thought techniques for transparent reasoning. Gurucul integrates with vector databases such as MongoDB and Elasticsearch for enhanced semantic search and context-aware analysis.
Opportunities
Gurucul has room for improvement in a few decision criteria, including:
Case management and collaboration: Although the vendor natively supports case management features within the tool, it can be further improved by utilizing data stored as global context for LLM agents or copilots, thereby serving as a shared resource among analysts, including for onboarding new ones.
Deterministic automation and integrations: While the solution can define automation logic using workflows, it can enhance this capability by implementing triggers such as generic HTTP, event-driven triggers using protocols like Kafka, chat triggers (including LLM chats), and scheduled triggers. It can also implement advanced playbook capabilities, such as retries, timeouts, rate limits, nested playbooks, live editors, and workflow rollback.
Response and remediation: Gurucul has good response capabilities achieved by orchestrating third-party products in a customer’s stack but does not currently offer proprietary agents that can run across hosts and other appliances.
Purchase Considerations
The Gurucul REVEAL licensing approach is subscription-based, so organizations pay a recurring fee, billed annually or, for MSSPs, monthly. Annual subscriptions often include software updates, support, and maintenance, with costs determined by factors such as the number of users, data volume, or other metrics specific to the organization's needs.
Use Cases
Gurucul’s extensive platform is appropriate for various use cases, including threat detection, investigation, and response (TDIR), insider threat management, identity threat detection and response, cloud security monitoring, data exfiltration prevention, privileged access monitoring, and regulatory and standards compliance.
Hunters: Hunters SOC Platform
Solution Overview
Hunters SOC Platform is a cloud-native security operations solution delivered as a multitenant SaaS that runs on AWS and Snowflake or Databricks. It ingests, normalizes, and analyzes data from all security and IT sources, allowing security teams to connect to organizational data without having to deploy and maintain ingestion pipelines. The platform delivers built-in and regularly updated detection capabilities based on the MITRE ATT&CK framework, so analysts do not have to regularly build and maintain detection rules.
Hunters leverages commercial data warehouse technologies such as Snowflake and Databricks to cost-effectively scale large data volumes. It has an open security data lake strategy that allows customers to bring their own warehouses, or it can manage the data infrastructure on the customer’s behalf. Hunters is a highly innovative vendor that is focused on emerging features such as LLM integrations, DevSecOps, and security as code.
Threat Clustering is a method applied to every detector, aggregating new leads with similar leads, reducing redundant triage efforts. Clustering is based on similarities in malicious intent, impact, or context, which are uniquely defined for each detector. Threat Clustering uses two levels of aggregation, allowing analysts to quickly identify and scope the root cause of a threat, its prevalence, and its impact on the organization.
Additional capabilities include host investigation, which provides a host-specific timeline of the raw data ingested for that host; support for multiple data lakes running on either Snowflake or Databricks; SQL as detection for advanced detection use cases, leveraging the power of SQL directly against the data lake backend; detection as code for building GitOps-based detections and interacting with the platform as part of the continuous integration and continuous delivery (CI/CD) process; and workflows for defining no-code automation playbooks for ticketing, chatops, email, or other systems.
Hunters is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the autonomous SOC Radar chart.
Strengths
Hunters scored well on a number of decision criteria, including:
Detection engine: Hunters uses a prebuilt and continuously validated library of detection and investigation capabilities that automatically manages content at scale. The detectors are preverified on real-world customer data to remove any false positives and excessive alerting, then deployed directly to all customer tenants without requiring any action or tweaking. Organizational threat coverage is automatically mapped onto the MITRE ATT&CK framework. Some of the Hunters detectors rely on AI/ML models, and customers can customize and build their own to address their bespoke use cases. Through the multitenant architecture, Hunters continuously tunes and optimizes analytics based on data from all tenants.
Threat hunting and modeling: Hunters’ detection mechanism is capable of backfilling, and new detection capabilities are always researched and run against historical data. This capability works for tactics, techniques, and procedures detectors as well as for indicators of compromise (IoCs). It is based on a unique architecture that allows users to run new IoCs against historical data and match seen IoCs to updated feeds. The Hunters graph-based correlation engine connects events across multiple data sources, creating detailed attack "stories" that provide a holistic view of threats, helping customers understand the entire timeline of an attack and respond effectively.
Monitoring ephemeral resources: Hunters’ newly released detection pack for Kubernetes offers capabilities to detect activities such as suspicious impersonation attempts by a Kubernetes user and creation of a pod with a sensitive hostpath volume. The solution integrates scanners and also CNAPP/CSPM products like Wiz, Orca, and Prisma, and leverages the data from these products to enrich and improve the score and accuracy of detections.
Opportunities
Hunters has room for improvement in a few decision criteria, including:
Response and remediation: While Hunters integrates with third-party products for response actions, it does not currently offer its own agents for host and device-level observability and response.
Deterministic automation and integrations: While the solution can define automation logic using workflows, it can enhance this capability by implementing integration version control and automated writing of new integrations. For automation, it could add support for various triggers, including generic HTTP, event-driven triggers using protocols like Kafka, chat triggers, and scheduled triggers. It can also implement advanced playbook capabilities, such as retries, timeouts, rate limits, nested playbooks, live editors, and workflow rollback.
Design-time LLM: Hunters can use an LLM to build a query from natural language, which can then be turned into a detector, but it doesn’t currently write automation workflows or perform data transformation and parsing. Transformation capabilities are on the vendor’s 2025 roadmap.
Purchase Considerations
Hunters licenses its solution based on the number of customer entities monitored, with unlimited data ingested per entity. A license is required for every monitored endpoint, workstation, server, VM, or EC2 instance within the monitored environment. Ephemeral devices can be counted using a daily average of those devices visible over the course of a 30-day period. The company offers two data lake options: customers can bring their own Snowflake or Databricks and pay those companies directly for credit consumption, or they can purchase a Hunters-managed data lake with storage terms up to 36 months.
Use Cases
Hunters SOC Platform can accommodate a wide variety of use cases, such as to automate incident response workflows; automatically triage, enrich, cluster, and prioritize alerts; utilize automated workflows; identify and respond to cloud-specific threats; continuously monitor cloud environments; leverage advanced analytics for threat detection; detect and respond to on-premises threats in real time; correlate data across endpoints and networks; and streamline incident response workflows. It is also multitenant-friendly for MSSPs, enabling them to deliver comprehensive security services to their clients.
Huntsman Security: Enterprise SIEM
Solution Overview
Huntsman Security’s SIEM offering includes Enterprise SIEM and MSSP SIEM, each with a strong focus on simplifying and optimizing security operations through automation and workflow support. Huntsman Security also provides an integrated SOAR solution and an optional Scorecard module that gives details about a system’s patch status and software versions in addition to misconfigurations and other vulnerabilities. Huntsman Security offers a stable solution that is suitable for the needs of large enterprises and organizations operating in regulated industries.
For MSSPs and larger or federated organizations, Huntsman Security’s solution supports the creation of multitenancy silos of data, reports, policies, and alerts to enable simultaneous handling of multiple MSSP customers or organizational units from a single instance. The segmentation permits separate business units or the security operations of large or federated organizations to be managed separately.
Huntsman Security’s SIEM solution is a single product, delivered as software and deployable on-premises or in public and private cloud environments, but the vendor does not currently offer a SaaS option. Its MSSP SIEM product supports multitenancy, allowing business units to be managed as separate silos or as federated units, with a single team able to share threat intelligence across multiple end customers. Huntsman Security offers a stable solution that delivers on the requirements of enterprises and regulated industries.
Huntsman Security is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the autonomous SOC Radar chart.
Strengths
Huntsman Security scored well on a number of decision criteria, including:
User and entity anomaly detection: Huntsman’s patented Behaviour Anomaly Detection (BAD2) engine is integrated into its SIEM product to provide real-time ML capabilities that detect unknown threats. BAD2 supports use cases such as higher or unusual volumes of network traffic or user sessions on a per-user or per-host basis, volumes of events such as file accesses or other activity on hosts and workstations, changes in the usage profile of application servers, or query operations on databases and changes in the frequency or prevalence of operations. The detection engine adapts to changes and trends over time, either adjusting and relearning “normal” values or using fixed, preset baselines, depending on the nature of the environment and risk.
Detection engine: Rules are created or customized in the UI by selecting from drop-downs and checkboxes covering alert logic definition (triggers, correlators, and reference sources), alert text, recipients, and actions (emails, reports, scripts/workflows, and the like). The SIEM solution correlates across different event types using a multistage correlator that caches key event data in RAM for real-time matching. Data is checked against open alert descriptors to see if further conditions are met. Alerts trigger when all conditions are met or expire if time windows elapse. Correlation rules can be combined with behavioral rules to refine anomalous alerts and minimize false positives.
Case management: The built-in incident and case management directly links to event alerts and builds a workflow around cases, including incident allocation between users, change history, incident/threat prioritization, categorization, and export of data to files or via email. Events and alerts are referenceable immediately from the GUI, allowing analysts to drill down into contextual data or see sequences of events leading to an alert. From the GUI, mapped fields show associated data, and alerts contain threat type and contextual information, such as malware type and risk.
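The multistage correlation described above (open alert descriptors cached in memory, alerts firing once every condition is met and expiring when the time window elapses), as an added Python example that is not Huntsman Security's code; the descriptor, the event fields, and the sample events are constructed for illustration.

```python
"""Minimal multistage correlator with time-window expiry (added example).

An alert descriptor lists ordered stages, each a (kind, min_count) pair, that
must all be satisfied within a window for a given correlation key (user or
host).  Partially matched descriptors are held in a dict (standing in for the
RAM cache) and dropped when their window elapses.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    kind: str            # constructed event type, e.g. "auth_fail" / "auth_ok"


@dataclass
class Descriptor:
    name: str
    stages: list         # [(kind, min_count), ...] in the order they must occur
    window: timedelta    # all stages must complete within this span
    key: str = "user"    # event field the correlation is keyed on


@dataclass
class OpenAlert:
    opened: datetime
    desc: Descriptor
    stage: int = 0                               # index of the stage being filled
    n: int = 0                                   # matches seen for that stage
    events: list = field(default_factory=list)   # evidence kept for the case


class Correlator:
    def __init__(self, descriptors):
        self.descriptors = descriptors
        self.open = {}      # (descriptor name, key value) -> OpenAlert
        self.alerts = []    # fired: (descriptor name, key value, [events])
        self.expired = 0    # open descriptors dropped because the window elapsed

    def _expire(self, now):
        for slot, oa in list(self.open.items()):
            if now - oa.opened > oa.desc.window:
                del self.open[slot]
                self.expired += 1

    def feed(self, ev):
        """Check one event against every descriptor; return alerts it fired."""
        self._expire(ev.ts)
        fired = []
        for d in self.descriptors:
            slot = (d.name, getattr(ev, d.key))
            oa = self.open.get(slot)
            want_kind, want_n = d.stages[oa.stage if oa else 0]
            if ev.kind != want_kind:
                continue   # not the event type the current stage is waiting for
            if oa is None:
                oa = self.open[slot] = OpenAlert(opened=ev.ts, desc=d)
            oa.events.append(ev)
            oa.n += 1
            if oa.n >= want_n:           # stage satisfied, move to the next one
                oa.stage, oa.n = oa.stage + 1, 0
                if oa.stage == len(d.stages):
                    del self.open[slot]  # all conditions met: fire and close
                    fired.append((d.name, slot[1], oa.events))
        self.alerts.extend(fired)
        return fired


# Constructed sample: five failures then a success inside the window (alice),
# the same pattern but with the success 25 minutes later (bob), and a lone
# successful login with no preceding failures (carol).
BASE = datetime(2025, 10, 14, 9, 0, 0)
SAMPLE_EVENTS = [
    *[Event(BASE + timedelta(seconds=10 * i), "ws-01", "alice", "auth_fail") for i in range(5)],
    Event(BASE + timedelta(minutes=2), "ws-01", "alice", "auth_ok"),
    *[Event(BASE + timedelta(minutes=5, seconds=10 * i), "ws-02", "bob", "auth_fail") for i in range(5)],
    Event(BASE + timedelta(minutes=30), "ws-02", "bob", "auth_ok"),
    Event(BASE + timedelta(minutes=31), "ws-03", "carol", "auth_ok"),
]

BRUTE_FORCE_THEN_SUCCESS = Descriptor(
    name="brute_force_then_success",
    stages=[("auth_fail", 5), ("auth_ok", 1)],
    window=timedelta(minutes=10),
)


def run(events=SAMPLE_EVENTS, descriptors=(BRUTE_FORCE_THEN_SUCCESS,)):
    """Replay events in time order and return the correlator for inspection."""
    c = Correlator(list(descriptors))
    for ev in sorted(events, key=lambda e: e.ts):
        c.feed(ev)
    return c


if __name__ == "__main__":
    c = run()
    for name, key, evs in c.alerts:
        print(f"{name} for {key}: {len(evs)} events, "
              f"{evs[0].ts:%H:%M:%S} .. {evs[-1].ts:%H:%M:%S}")
    print(f"expired descriptors: {c.expired}, still open: {len(c.open)}")
```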
Opportunities
Huntsman Security has room for improvement in a few decision criteria, including:
Deterministic automation and integrations: While the solution can define automation logic using workflows, it can enhance this capability by implementing integration version control and automated writing of new integrations. For automation, it can support triggers such as generic HTTP, event-driven triggers using protocols like Kafka, chat triggers, and scheduled triggers. It can also implement advanced playbook capabilities, such as retries, timeouts, rate limits, nested playbooks, live editors, and workflow rollback.
Monitoring ephemeral resources: Huntsman Security uses cloud connectors and virtual agents to gather audit and event data directly from cloud infrastructures and virtual hosts, but the solution does not have explicit awareness of ephemeral containers and Kubernetes resources.
Purchase Considerations
Huntsman Security supports three licensing models: a CapEx-based model, which is a traditional software license with support renewed annually; an OpEx-based model for periodic subscription; and a pay-as-you-go model for highly flexible usage-based utility billing. License fees are based on events per second but can be converted to other scaling metrics, such as per user or per device. Huntsman has a strong presence in the UK market and clients in the private and public sectors, including defense, intelligence, and law enforcement agencies.
Use Cases
The Huntsman Security SIEM solution can cater to a variety of use cases, particularly for meeting compliance standards and requirements in highly regulated industries. With anomalous behavior detection, the solution can track and audit user activity to protect against unauthorized access. It can also be used for threat hunting, investigation, orchestration of third-party services, and response automation.
Logpoint*
Solution Overview
Logpoint offers a SIEM solution with exceptional security and privacy controls. Its distinguishing feature is its high level of compliance, having been awarded the Common Criteria EAL3+ certification in 2015 and 2020, and a SOC 2 Type II attestation in 2023. To achieve and maintain EAL3+ certification, the highest software security standard achievable by any SIEM vendor, the on-premises solution is developed on a hardened OS maintained by Logpoint. This makes Logpoint SIEM well suited for deployment in highly regulated industries, including national governments and international agencies.
Logpoint has converged SIEM, SOAR, EDR, and UEBA capabilities into a single end-to-end security operations platform. Supported by case management and threat intelligence features, Logpoint ensures a converged experience both with on-premises and cloud-hosted deployments.
Logpoint has taken a modular approach to security monitoring and analytics. Logpoint SIEM, which can be deployed as a single physical appliance or as software spread across multiple physical or virtual servers, provides basic log management, incident detection, and investigation capabilities. Logpoint offers good manageability functions, such as the Director for SIEM module that provides multitenancy capabilities for MSSPs or large enterprise deployments.
Logpoint is positioned as a Challenger and Forward Mover in the Maturity/Feature Play quadrant of the autonomous SOC Radar chart.
Strengths
Logpoint scored well on a number of decision criteria, including:
Response and remediation: The solution offers native extended detection and response (XDR) features, including AgentX, an endpoint agent that provides telemetry such as process metrics, kernel callbacks, and event logs; Sysmon data and on-demand context from endpoints for threat hunting; and low-level system information via osquery. The Logpoint Security Research team researches and investigates new major vulnerabilities, then builds custom SIEM rules and SOAR playbooks for investigation and response.
User and entity anomaly detection features: The solution establishes baselines on the behavior of users or entities and compares activity to the individual baseline to detect abnormalities. It compares user activity to peer groups, including authentication abnormalities and suspicious data transfer activities mapped to MITRE ATT&CK.
Case management: The solution has native features that enable multiple analysts to view, comment on, and modify cases, and reassign them to the most relevant analyst. Investigation timelines for activities on a case make it easy to get an overview of the investigation and understand what action to take next. Cases can be assigned automatically based on analyst profiles. Assignment is done in the alert ownership and then later in the aggregated case.
Opportunities
Logpoint has room for improvement in a few decision criteria, including:
Threat hunting and modeling: While threat hunting can be incorporated into SOAR playbooks that query multiple external sources and carry out active actions in other systems to prepare a case for an analyst, it does not currently offer interactive correlation graphs, timeline-based analysis, or retrospective application of detection rules.
LLM modularity: Logpoint’s LLM-based capabilities currently consist of a ChatGPT API integration for case management, but it does not currently offer multiple models or hosting options, controls over parameters, functional calling, or memory.
Monitoring ephemeral resources: The solution’s capabilities for detecting abnormal Kubernetes and container-related activities are limited. For example, it does not monitor unauthorized pod access, changes to security policies and configuration, or issues with container images, repositories, and public registries.
Logpoint was classified as a Forward Mover given its limited year-over-year developments and slow release cadence.
Purchase Considerations
Logpoint’s licensing model depends on the modules used by customers. The on-premises SIEM solution is licensed by the number of devices (nodes) sending data, and the SaaS SIEM by data ingestion and retention.
SOAR is offered as an add-on for SIEM and is divided into two products: Logpoint Automation (SOAR playbooks) and Logpoint Case Management (for collaborative investigations). The licensing of Automation and Case Management is based on the number of entities, but there’s no limit on the number of seats. AgentX is included at no additional cost as part of the Logpoint SIEM license. UEBA is licensed by the number of users and entities the customer wants to track.
Logpoint offers predictable pricing based on the number of devices sending logs to the SIEM solution rather than data volume or events per second. It also uses a tiered storage model to provide more economical storage for compliance data while maintaining ready access to data needed for analytics.
Use Cases
Logpoint’s unified SIEM, UEBA, and SOAR tools, as well as the EAL3+ certification, can cater to a good range of enterprise use cases, such as security log ingestion and management, orchestration of third-party services, and automated response, as well as monitoring user activity to watch privilege escalation and unauthorized access behaviors. However, the solution does not currently monitor ephemeral resources, such as containers, natively.
Logsign
Solution Overview
Logsign is a unified security operations platform with integrated modules for SIEM, threat intelligence, UEBA, and threat detection and incident response. Logsign Unified SecOps Platform offers flexible deployment options, including an on-premises model, where customers can manage the platform within their own data centers, and a cloud-based model to deploy instances in a public or private cloud environment.
The UEBA module can be used to detect insider attacks, stop data exfiltration, and detect risky users and watch their behaviors to prevent the spread of infections. The analytics module explains why a user behavior is suspicious using 400 predefined behaviors and indicates how this behavior is expected to progress. For example, it monitors multiple failed login attempts within a specific period of time to identify brute force attacks. Logsign is a stable solution that can support the long-term requirements of large enterprises.
Logsign is positioned as a Challenger and Forward Mover in the Maturity/Feature Play quadrant of the autonomous SOC Radar chart.
Strengths
Logsign scored well on a number of decision criteria, including:
Case management: The solution provides a detailed page for analysts to collaborate, take necessary actions, and conduct investigations. Logsign provides detailed case management for incidents, with timelines, visual cards for investigations, an incidents summary with detailed views, and lifecycle management according to the least-similar incident. Lifecycle stages can be defined and can produce automated or semiautomated responses for some detections.
Detection engine: Logsign analyzes real-time and historical data to correlate events into a comprehensive incident view. It incorporates analyst feedback and historical data analysis into a continuous learning loop to self-tune over time, reducing false positives and improving the overall accuracy of its threat detection and incident correlation capabilities.
Threat hunting and modeling: Analysts can pull relevant threat information without needing to pivot between tabs. For example, they can check the confidence score of the IP address or connect to VirusTotal to get IP reputation. From there, they can respond to and contain threats by rebooting the affected asset, killing processes, or terminating connections. Following the remediation stage, the solution enables analysts to update firewall rules or endpoint agents. Threat hunting can also be conducted using the MITRE ATT&CK framework.
Opportunities
Logsign has room for improvement in a few decision criteria, including:
Response and remediation: Even though the solution can perform predefined automatic actions upon an alert, it does not currently automatically perform investigations or block/contain threats. The solution does not offer an agent to be deployed on hosts and other appliances to provide low-level controls and visibility.
Deterministic automation and integrations: The tool should further develop its automation engine with features such as scripting-based automation supported by a comprehensive integrated development environment (IDE) with debugging and schema validation, and built-in automation processes such as automatically normalizing data to a predefined product-specific schema, deduplicating fields, removing null values, and extracting payloads. It could also implement automatic and asynchronous data updates as sources change, such as when new data becomes available in threat intelligence feeds.
Monitoring ephemeral resources: The solution’s capabilities for detecting abnormal activities related to Kubernetes and container management are limited. It does not currently detect unauthorized pod access, changes to security policies and configuration, or issues with container images, repositories, and public registries.
Logsign was classified as a Challenger and Forward Mover given its limited year-over-year developments and slow release cadence.
Purchase Considerations
Logsign’s licensing model is subscription-based and primarily determined by the number and type of log data sources connected to the platform. This ensures a pricing model aligned with the volume of data analyzed.
Modules available include UEBA and threat intelligence, which are added to the Logsign Unified SecOps Platform, allowing customers to choose the specific features they need. For MSSPs, the UEBA and threat intelligence modules are included by default in Logsign Unified SecOps Platform for MSSPs.
Logsign’s tiered service models offer customers options for the level of proactive support, expert guidance, and hands-on management included with the platform.
Use Cases
Logsign Unified SecOps Platform can deliver on use cases such as threat detection and incident response, as well as meeting compliance requirements. The solution can proactively identify threats to production systems and sensitive data, track and audit user activity to protect against unauthorized access, and generate detailed reports to demonstrate compliance with various standards.
ManageEngine: Log360
Solution Overview
ManageEngine’s suite of products is a versatile SIEM solution. Its SIEM platform, Log360, takes a modular approach to information and event management, integrating several products into a single console. Users can mix and match multiple products to create a bespoke solution or choose the whole suite for a comprehensive SIEM platform.
Customers can choose the security features they need, including threat intelligence feeds for enriched data analysis. The solution integrates with threat intelligence feeds via STIX and TAXII and has technology alliance partnerships with Webroot's BrightCloud and Constella. The solution's Incident Workbench analytics console can be invoked from anywhere inside the Log360 SIEM console as users move between dashboards such as Reports, Log Search, Compliance, and Correlation.
ManageEngine is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the autonomous SOC Radar chart.
Strengths
ManageEngine scored well on a number of decision criteria, including:
Deterministic automation and integrations: The solution supports the creation of workflows that automate common procedures carried out by security analysts. It can be used for use cases such as integrations with threat intelligence feeds like Webroot to help stop threats at the source, integration with firewalls to help analysts manage security from one console, incident management automation to group alerts and events into larger incidents, and integration with help desk tools such as BMC, Jira, ManageEngine ServiceDesk Plus, and ServiceNow.
User and entity anomaly detection: ManageEngine offers this as an ML-powered add-on that can detect anomalies by recognizing subtle shifts in user or entity activity. It helps identify, qualify, and investigate threats that might otherwise go unnoticed by extracting more information from logs to give better context. Administrators can identify count, time, and pattern anomalies across the network based on users and their peer groups. Out-of-the-box analytics are provided for use cases such as insider threats, account compromise, and data exfiltration. Risk scores are calculated for each user and entity based on deviations from their baseline behavior. The solution can also monitor cloud networks to generate in-depth reports of network activity for AWS, Azure, and GCP applications.
Detection engine: Log360 allows for manually customized detection rules based on incidents flagged as false positives. Alerts can be set to “attention,” “trouble,” and “critical” based on the severity of the event or incident. It can map alerts, reports, and search results, and correlate rules as incidents.
Opportunities
ManageEngine has room for improvement in a few decision criteria, including:
Monitoring ephemeral resources: While the solution can ingest basic logs generated by containers or Kubernetes, it does not have awareness of Kubernetes constructs and how threats behave in ephemeral compute instances.
Response and remediation: Log360 can orchestrate third-party products for basic response capabilities, but it can improve by supporting the gathering of OS-level information using tools such as osquery or by using agents and enriching this data with context and threat intelligence to validate the malicious process.
Threat hunting and modeling: The solution can query data stores to surface information about suspicious activities, but it does not currently generate topological views of assets affected by a cyber incident, display threats on a timeline, or retroactively apply new detection rules on old data.
Purchase Considerations
The Log360 SIEM solution is licensed based on log sources rather than ingestion rate. Add-on components include file integrity monitoring and file server auditing, application monitoring, Internet Information Services (IIS) and SQL Server auditing, Active Directory reporting, cloud source auditing, Microsoft 365 tenants, AWS accounts, UEBA, advanced threat analytics, and Exchange Server auditing.
Use Cases
Log360 can support use cases such as user behavior and critical systems monitoring for watching privileged user activity, identifying anomalies through ML, and detecting suspicious attempts like privilege escalation and unauthorized access. It can also be used for network threat detection to monitor traffic through unusual connections or port activity, auditing changes such as firewall policy modifications, monitoring threat intelligence feeds for malicious IP or URL blocking, and for rogue device detection with automated response workflows.
Log360 also has a file integrity monitoring (FIM) module that tracks all file and folder activity, such as access, creation, deletion, and modification. FIM also generates detailed reports and triggers alerts for unauthorized actions. The solution can help organizations comply with industry-specific regulations with built-in reporting templates for Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley Act (SOX), Health Insurance Portability and Accountability Act (HIPAA), and other regulations.
Microsoft: Sentinel*
Solution Overview
Microsoft Sentinel is a cloud-native SIEM solution with integrated SOAR capabilities that forms an autonomous SOC solution using built-in AI to help analyze large volumes of data. Microsoft Sentinel aggregates data from sources including users, applications, servers, and devices running on-premises or in any cloud. Microsoft Sentinel is built on the Azure platform. It provides a fully integrated experience in the Azure portal that integrates seamlessly with existing services such as Microsoft Defender for Cloud and Azure Machine Learning.
Microsoft Sentinel supports Jupyter notebooks in Azure Machine Learning workspaces, including full libraries for ML, visualization, and data analysis. These can be used to extend the scope of what can be done with Microsoft Sentinel data, such as performing analytics that aren't built into Microsoft Sentinel, creating bespoke data visualizations, and integrating data sources outside of Microsoft Sentinel.
Microsoft is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the autonomous SOC Radar chart.
Strengths
Microsoft scored well on a number of decision criteria, including:
Deterministic automation and integrations: The solution is enabled by a playbook engine that integrates with Azure services and existing tools. To build playbooks with Azure Logic Apps, users can choose from a set of prebuilt playbooks, such as ticketing integrations with ServiceNow. The solution’s primary purpose is to automate recurring and predictable enrichment, response, and remediation tasks typically performed by security analysts. Automation takes a few different forms in Microsoft Sentinel, from rules that centrally manage the automation of incident handling and response to playbooks that run predetermined sequences of actions and provide powerful and flexible advanced automation of threat response tasks.
Detection engine: The solution can reduce noise and minimize the number of alerts generated by using analytics to correlate alerts into incidents. Incidents are groups of related alerts indicating a possible actionable threat that can be investigated and resolved. Microsoft Sentinel also provides ML rules to determine baseline network behavior and look for anomalies. The model incorporates analyst feedback and response actions into its rule set, continuously refining its ability to identify threats more accurately.
User and entity anomaly detection: The Risk Scoring Module incorporates two modules that work together to calculate a risk value. Each module defines its own variables, including a multiplier applied to each row and a score indicating whether calculations are performed on a per-item basis. The values generated by these included modules are summed up within this module to produce a final total.
Opportunities
Microsoft has room for improvement in a few decision criteria, including:
Vulnerability and misconfiguration scanning: The solution does not currently support native vulnerability and misconfiguration detection capabilities, only integrating with third-party specialized tooling.
Case management: While Microsoft Sentinel offers native case and incident management features, it can further improve by implementing capabilities such as automatic analyst assignment, building analyst profiles, and using case data as context for LLM copilots and agents.
Response and remediation: Sentinel can conduct response actions across the Microsoft portfolio via solutions such as Entra and Defender. However, it can further develop proprietary response workflows to respond to zero-day threats and gather OS-level information about affected devices.
Purchase Considerations
Customers are billed for the volume of data analyzed in Microsoft Sentinel and stored in the Azure Monitor Log Analytics workspace. Data can be ingested as two different types of logs: Analytics Logs and Basic Logs. Analytics Logs in Microsoft Sentinel support all data types and offer full analytics, alerts, and no query limits. Basic Logs are usually verbose and contain a mix of high-volume and low-security-value data, without the full capabilities of Analytics Logs. Microsoft Sentinel also offers a pay-as-you-go pricing model, where customers are billed per GB for the volume of data ingested for security analysis in Microsoft Sentinel and stored in the Azure Monitor Log Analytics workspace.
As a cloud-native, Azure-based solution with no option for on-premises deployment, Microsoft Sentinel may not be suitable for organizations that require a non-Azure deployment model.
Use Cases
Microsoft Sentinel is a comprehensive SIEM solution that is particularly well suited for customers who have invested in the Microsoft ecosystem. With built-in SOAR capabilities, the solution can be used for automating response tasks and orchestrating third-party services.
NetWitness: NetWitness Logs
Solution Overview
NetWitness provides an autonomous SOC solution built on the vendor’s multiple-module XDR platform, which includes components for threat management across networks, endpoints, and logs. The SIEM component, which includes an integrated SOAR tool, can be deployed as a standalone solution or as part of the XDR platform. The solution can be installed on-premises, deployed as a cloud-hosted solution on either dedicated or shared infrastructure, or provided via a SaaS model.
NetWitness Logs is the SIEM component of NetWitness Platform. It collects security, compliance, OS, resource access, and administrative events, and parses these events into their respective meta keys to further enrich the data with relevant threat, priority, and business context for comprehensive investigations and complex correlation. It natively supports application-layer monitoring using log ingestion, API integrations, network protocols, and endpoint data, including log ingestion from security platforms such as unified threat management (UTM), SaaS, and IaaS vendors.
The NetWitness Plugin Framework enables monitoring and analysis of API-driven applications such as Microsoft 365, Salesforce, Dropbox, Slack, and other applications or services. It has over 400 integrations, including open source log collectors such as Logstash, FluentD, and Elastic. In addition, NetWitness Logs has parsers for most major operating systems and applications, including SAP ERP, GE PACS IW, and J4Care Healthcare Connector.
NetWitness SIEM can be deployed wherever a customer needs threat detection, including on-premises hardware, virtual software, major cloud providers, or any hybrid combination. It can also be deployed as a SaaS and managed security solution or managed detection and response offering for organizations that prefer to outsource some or all of the administrative or investigative burden.
NetWitness is positioned as a Challenger and Forward Mover in the Maturity/Platform Play quadrant of the autonomous SOC Radar chart.
Strengths
NetWitness scored well on a number of decision criteria, including:
Response and remediation: The solution offers built-in workflow response capabilities, full XDR features, and detection techniques informed by FirstWatch, a specialized threat intelligence team focused on keeping up with the ever-changing threat landscape and ensuring NetWitness can detect emerging threats.
User and entity anomaly detection: NetWitness UEBA is a cloud-based behavior analytics solution powered by AWS that applies unsupervised ML to data captured by the NetWitness Platform to rapidly detect unknown threats. A distinguishing feature of NetWitness is its integration of a full-featured network capture and analytics solution (network traffic analysis/network detection and response [NTA/NDR]). This combination of packet and metadata capture, static file analysis, threat intelligence, and orchestration workflows enables analysts to perform thorough investigations and identify threats that are not detectable with logs alone.
Case management: The solution centralizes incident information, including what actions were performed. This helps in understanding what has been accomplished and determining the next logical step in resolving issues. The case management functionality then uses broad embedded intelligence to analyze and enrich the extracted evidence with broader context.
Opportunities
NetWitness has room for improvement in a few decision criteria, including:
Threat hunting and modeling: NetWitness can support investigation and forensics, but it does not currently offer visualization graphs that show affected entities.
Monitoring ephemeral resources: The solution’s Universal REST API can collect logs from any event source that exposes a REST API for log collection, but the solution does not have explicit awareness of container and Kubernetes constructs to detect threats specific to these environments.
DevSecOps and security as code: In NetWitness Logs, all code, rules, data analysis, detection logic, and alert responses are maintained in secure GitHub repositories with branching strategies to separate version development. However, the solution does not support detection-as-code, native version control, or programmatic interaction with the product.
NetWitness was classified as a Forward Mover given its limited year-over-year developments and slow release cadence.
Purchase Considerations
NetWitness offers three types of licenses. The first is throughput based, measured by the volume of data used per day for logs (SIEM), network (packets), or malware; logs are measured in GB per day and packets in TB per day. The total throughput is determined by the daily use across the entire enterprise deployment of NetWitness Platform, and the license is selected based on this daily requirement. The second is UEBA, which counts the number of active users from the previous day and reports it to the licensing server; entitlement is measured for logs and endpoint events by the number of active users, checked against user ID. The third is endpoint, which is based on the number of active agents deployed.
Use Cases
With an integrated SIEM and EDR approach, NetWitness can support a variety of use cases, including discovery of infrastructure (such as host and network discovery), network threat detection for monitoring traffic, and change auditing such as firewall policy modifications. With the UEBA module, it can monitor user behavior and identify anomalies using ML. The solution can help organizations comply with industry-specific regulations such as PCI DSS, SOX, and HIPAA.
OpenText: ArcSight*
Solution Overview
OpenText ArcSight’s autonomous SOC solution offers a complete end-to-end SecOps experience that consists of SIEM, UEBA, and SOAR capabilities as well as big data threat hunting. These features reside on a unified platform that includes common storage, a shared data platform, and a single interface.
OpenText’s SOAR capabilities were inherited after it acquired ATAR Labs in 2020. Since then, the company has been integrating the SOAR solution tightly and strategically with the rest of its security portfolio. Currently, ArcSight ships with the fully integrated SOAR solution within the SIEM platform at no additional cost.
ArcSight’s approach to layered analytics is a distinguishing feature that simplifies threat detection. It can provide SOCs with an end-to-end enterprise security operations platform powered by an advanced correlation engine capable of detecting known threats in real time. Furthermore, ArcSight uses unsupervised ML to detect unknown threats using behavioral analysis and big data threat hunting.
ArcSight supports all the deployment models described in this report, including physical appliances, cloud-hosted, and SaaS. The SaaS deployment is hosted by the OpenText cybersecurity operations team, with the underlying hosting components provided by AWS.
OpenText is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the autonomous SOC Radar chart.
Strengths
OpenText scored well on a number of decision criteria, including:
User and entity anomaly detection: The platform’s layered analytics can detect unknown and elusive threats through behavioral analysis backed by unsupervised ML, which helps detect attacks such as advanced persistent threats and insider incidents. OpenText also delivers big data threat hunting backed by supervised ML and a security-centric data lake.
Case management: The platform enables SOC analysts, IT admins, and end users to work on incidents collaboratively. It supports the creation of incidents via SIEM alerts, emails, threat intelligence feeds, a REST API, and manual activities by SOC analysts. It ingests events and messages from those sources and automatically creates case tickets with a rule-based consolidation engine.
Detection engine: Detection rules are updated by ArcSight’s intelligence feed to obtain threat definitions as they evolve. Those threat definitions or identifiers are then converted into various lists that the real-time rules use to match against new events coming into the system. As a threat evolves and the threat intelligence platform is updated, the definitions are synced automatically with ArcSight.
Opportunities
OpenText has room for improvement in a few decision criteria, including:
Response and remediation: OpenText’s response capabilities include SOAR-like orchestration of third-party products. However, the solution does not offer agents and does not gather low-level OS information from the affected assets.
DevSecOps and security as code: The vendor only exposes functions via APIs and does not support out-of-the-box integrations with CI/CD and version control tools or detection-as-code features.
Monitoring ephemeral resources: The solution has limited support for detecting abnormal activities related to Kubernetes and container management, such as unauthorized pod access, changes to security policies and configuration, or issues with container images, repositories, and public registries.
Purchase Considerations
There are three licensing models offered by the ArcSight platform. The events-per-second model is the primary license option for the platform. It employs a post-filter/preaggregation construct and is used for log management (storage/retention), threat hunting, and real-time threat detection. The flat-fee model is reserved for add-on functionalities such as high availability, Compliance Insight Packs (CIPs), and ArcSight ThreatHub Feed Plus. The per-managed-entity model covers capabilities such as advanced behavioral analysis.
For no additional charge, OpenText includes a SOAR solution and ThreatHub Feed Basic, both of which are aligned with the ArcSight ThreatHub Research online platform. Through the ArcSight Marketplace, customers can access hundreds of supporting content packages from its partners, community, and security experts, the majority of which are free to customers.
Use Cases
ArcSight supports a variety of real-world use cases to detect modern threats, such as ransomware and insider detection and incident response, sensitive data and IP protection, threat hunting lead generation, financial fraud detection and response, compliance and regulation real-time detection and long-term reporting, and forensics investigation. The solution also offers attack detection and response for infrastructure, distributed denial of service (DDoS), internet of things (IoT), and mobile devices.
Palo Alto Networks: Cortex XSIAM*
Solution Overview
Palo Alto Networks Cortex Extended Security Intelligence and Automation Management (XSIAM) is an autonomous SOC solution that unifies security functions such as XDR, SOAR, attack surface management (ASM), UEBA, threat intelligence platform, and SIEM tools into a single solution. Cortex XSIAM centralizes all security data and uses ML data models designed specifically for security. It can be deployed as SaaS.
Cortex XSIAM collects and ingests endpoint, network, cloud, identity data, and threat intelligence data, in addition to logs and alerts. This drives ML for natively autonomous response actions, such as cross-correlation of alerts and data, detection of highly sophisticated threats, and automated remediation based on native threat intelligence and attack surface data. Cortex XSIAM offers a range of features for emerging technologies, such as LLM integrations, security content for emerging threats, and DevSecOps and security as code.
Cortex XSIAM automates data source health monitoring by establishing baseline profiles and generating alerts when those sources deviate from historical bounds. It also enables autonomous operations, such as answering investigative questions like "Is this activity normal?" These are tasks that would traditionally require human analysts, and automating them gives rise to new possibilities for automating investigations.
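The baseline-and-bounds idea behind data source health monitoring, shown as an added illustration in Python; this is not Cortex XSIAM's implementation, and the source names, hourly counts, and the 3-sigma plus 10% margin rule are constructed assumptions for the example:

```python
"""Data-source health monitoring by baseline profile (added illustration).

Constructed example, not vendor code: every log source gets a baseline of
events per hour built from its own history, and the current hour is flagged
when it falls outside the historical bounds (silent source, volume drop, or
volume spike). A source that goes quiet is itself a security signal: an
attacker disabling logging looks exactly like a broken collector.
"""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed history: events per hour over the last 24 hours, per source.
HISTORY: Dict[str, List[int]] = {
    "fw-edge-01": [1180, 1210, 1195, 1230, 1205, 1190, 1220, 1200,
                   1215, 1185, 1225, 1198, 1202, 1211, 1193, 1207,
                   1219, 1188, 1201, 1214, 1196, 1209, 1203, 1192],
    "ad-dc-01": [310, 295, 305, 300, 298, 312, 290, 304,
                 301, 299, 307, 293, 296, 308, 302, 297,
                 303, 294, 306, 300, 309, 291, 298, 305],
    "edr-agent-fleet": [5400, 5380, 5420, 5390, 5410, 5375, 5430, 5405,
                        5395, 5415, 5385, 5425, 5400, 5392, 5418, 5388,
                        5412, 5398, 5422, 5382, 5408, 5396, 5414, 5402],
}

# Constructed current-hour counts: one healthy source, one that has gone
# silent (the domain controller stopped forwarding), one that is spiking.
CURRENT: Dict[str, int] = {"fw-edge-01": 1204, "ad-dc-01": 0, "edr-agent-fleet": 9100}


def build_baseline(counts: List[int], k: float = 3.0,
                   min_margin_frac: float = 0.10) -> Tuple[float, float]:
    """Return (low, high) bounds for an hourly count.

    Bounds are mean +/- k standard deviations. A very flat history would
    give a zero-width band that alerts on any change, so the margin is
    floored at min_margin_frac of the mean. The low bound never goes below 0.
    """
    mu = mean(counts)
    sigma = pstdev(counts)
    margin = max(k * sigma, min_margin_frac * mu)
    return max(0.0, mu - margin), mu + margin


def assess_source(name: str, current: int, history: List[int],
                  k: float = 3.0) -> Dict[str, object]:
    """Classify one source's current-hour count against its baseline."""
    low, high = build_baseline(history, k)
    if current == 0:
        status = "silent"          # no events at all: collector or logging disabled
    elif current < low:
        status = "volume_drop"     # partial loss: some hosts or log types missing
    elif current > high:
        status = "volume_spike"    # flood: misconfiguration, loop, or attack noise
    else:
        status = "healthy"
    return {"source": name, "current": current,
            "low": round(low, 1), "high": round(high, 1), "status": status}


def health_report(current: Dict[str, int], history: Dict[str, List[int]],
                  k: float = 3.0) -> List[Dict[str, object]]:
    """Assess every known source; a source missing from `current` counts as 0."""
    return [assess_source(name, current.get(name, 0), hist, k)
            for name, hist in sorted(history.items())]


def unhealthy_sources(current: Dict[str, int], history: Dict[str, List[int]],
                      k: float = 3.0) -> List[str]:
    """Names of sources that would raise a data-source health alert."""
    return [r["source"] for r in health_report(current, history, k)
            if r["status"] != "healthy"]


if __name__ == "__main__":
    for row in health_report(CURRENT, HISTORY):
        print(f"{row['source']:<16} current={row['current']:>5} "
              f"bounds=[{row['low']}, {row['high']}] status={row['status']}")
```

Keying the check on a source that is absent from the current window (treated as zero) is what catches a collector that stopped forwarding altogether, which a plain per-event detection rule never sees.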
Cortex XSIAM leverages multiple data sources in its SmartScore feature, which aids analysts by dynamically scoring incidents based on the context of the incident and involved entities. It also scores users as well as compute resources according to the behavior exhibited over time, comparing current activity to both the user's historical baseline and the baselines of similar or administrative users.
One of Cortex XSIAM’s distinguishing features for automation management and development is a playbook debugger that allows users to test playbooks outside of a formal flow, as well as before implementation. Testing can be done against existing alerts or incidents, or using populated variables. The “playground” is a nonproduction environment where users can safely develop and test scripts, APIs, commands, and more. It is an investigation space that is not connected to a live (active) investigation.
Palo Alto Networks is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the autonomous SOC Radar chart.
Strengths
Palo Alto Networks scored well on a number of decision criteria, including:
Detection engine: The Causality Analysis Engine correlates activity from all detection sensors to establish causality chains that identify the root cause of every alert. It also identifies a complete forensic timeline of events that helps analysts determine the scope and damage of an attack and provide an immediate response. It determines the most relevant artifacts in each alert and aggregates all alerts related to an event into an incident. When a malicious file, behavior, or technique is detected, Cortex XSIAM correlates available data across detection sensors to display the sequence of activity that led to the alert. This sequence of events is called the “causality chain” and is built from processes, events, insights, and alerts associated with the activity.
Monitoring ephemeral resources: Cortex XSIAM can be deployed via a daemonset agent on Kubernetes pods to provide visibility into container execution and can monitor for malicious activity such as privilege escalation or malicious code. Additionally, Cortex XSIAM can utilize an agentless approach for monitoring resources by mapping them against Center for Internet Security (CIS) benchmarks to help ensure configuration issues or risks are not present.
Case management: In Cortex XSIAM, each incident has its own war room, which contains chats, notes, files, commands, and task results. Cases can be assigned automatically but can also be assigned or reassigned by analysts as needed according to team dynamics or according to shift dynamics. Case details are stored in the war room and can be used for compliance and improvement purposes. The incident itself is accompanied by a description and provides recommendations for next steps, as well as pending actions and approvals.
Opportunities
Palo Alto Networks has room for improvement in a few decision criteria, including:
Deterministic automation and integrations: The solution can enhance its integration capabilities by implementing integration version control and automated authoring of new integrations. To improve the deterministic automation features, it can add support for triggers such as generic HTTP, event-driven triggers using protocols like Kafka, chat triggers, and scheduled triggers. Advanced playbook capabilities, such as retries, timeouts, rate limits, nested playbooks, live editors, and workflow rollback, can also be improved.
User and entity anomaly detection: While the solution can continuously baseline users to detect anomalous behavior, it could improve by implementing techniques such as min-max clustering and sequence-based correlation where indicators are associated over time.
Threat hunting and modeling: The tool can perform queries on stored data for investigation and analysis capabilities, but it does not currently apply updated detection rules on existing datasets for retrospective analysis or visually display correlations in a topological graph chart.
Purchase Considerations
Pricing depends on the number of knowledge workers and the number of GB/day of data ingestion from third-party data sources. In addition to the base SKU, customers can purchase additional data storage for integrated solutions by ingestion (GB/day) and additional hot and cold retention (GB/day per month).
Additional modules can be purchased separately, such as Forensics, Threat Intelligence Management, and Attack Surface Management.
Two considerations for the solution are its pricing and licensing options. While there is some flexibility in pricing, the solution tends to be expensive, making it prohibitive for SMBs.
The solution’s all-in-one platform approach can also entail a large displacement of tools for customers with brownfield deployments. This can be a good long-term strategy but will be considerably disruptive until a customer is fully onboarded.
Use Cases
The Palo Alto Networks Cortex XSIAM platform supports a wide range of use cases, including compliance, log management, threat hunting, zero-day response and remediation, end-to-end automation, and attack surface management and vulnerability management.
Rapid7: InsightIDR*
Solution Overview
Rapid7 InsightIDR is a cloud-native integrated SIEM and XDR solution. InsightIDR has many native modules available and supports a robust library of third-party integrations to supplement its out-of-the-box endpoint, network, and user coverage. The solution offers a constantly updated library of MITRE ATT&CK-mapped detections and can deliver capabilities such as EDR, UEBA, embedded threat intelligence, deception technology, incident response, and investigations. It is a stable solution that can cater to the needs of enterprises.
Rapid7 has bundled its security operations products under a single licensing model, Threat Complete for InsightIDR, and includes two tiers, Threat Complete Advanced and Threat Complete Ultimate. In this report, we evaluated the features under the InsightIDR Threat Complete Ultimate package, which includes centralized log management, search, reporting and dashboards, FIM, intrusion detection system (IDS), network traffic analysis, threat intelligence, EDR, attacker behavior analytics, user behavior analytics, deception technology, SOAR, attack surface monitoring, and security configuration assessment (policy assessment).
Rapid7 is positioned as an Entrant and Forward Mover in the Maturity/Feature Play quadrant of the autonomous SOC Radar chart.
Strengths
Rapid7 scored well on a number of decision criteria, including:
User and entity anomaly detection: The solution continuously baselines normal user activity to identify anomalies. Correlated user data also offers context for other attacker alerts to help speed investigation and response. InsightIDR also has an attacker behavior analytics module, which identifies the way attackers gain persistence on an asset and send and receive commands to victim machines. Each rule in the attacker behavior analytics module hunts for a unique attacker behavior. The UEBA and attacker behavior analytics detection rules are flexible, giving analysts the ability to modify out-of-the-box rules, create custom alerts, and subscribe or contribute to community threats. In addition, firing rules can directly trigger automation workflows that are either custom-developed or pulled from the Rapid7 workflow library.
Monitoring ephemeral resources: InsightIDR natively supports monitoring of ephemeral resources and related automation at a basic level, and it provides advanced functions through InsightCloudSec for cloud posture management.
Response and remediation: Customers can view Threat Command alerts alongside their broader detection set in InsightIDR to prioritize and investigate alerts. InsightIDR’s investigation management capabilities allow seamless pivoting between the two products. Threat Command detection rules can be tuned directly in InsightIDR for rule actions, rule priorities, and exceptions. The solution’s native network traffic analysis feature provides network visibility and detection, using proprietary packet capture to access additional network metadata for an understanding of the full scope of activity.
Opportunities
Rapid7 has room for improvement in a few decision criteria, including:
Case management: While Rapid7’s solution offers native case management features, it lacks some advanced features, such as automatic analyst assignment for case management, war rooms, and nonsecurity team collaboration.
Threat hunting and modeling: Customers can view Threat Command alerts in InsightIDR alongside their broader detection set and use InsightIDR’s investigation management capabilities to prioritize and investigate them. However, the solution does not offer interactive topological graphs for threat hunting, timeline-based display of threats, or retrospective analysis with newly updated detection rules.
Deterministic automation and integrations: While the solution supports script-based automation, it can further improve by offering workflow-based automation engines and mechanisms for writing custom integrations with third-party tooling.
Rapid7 was classified as a Forward Mover given its slow development cadence and small number of year-over-year feature releases.
Purchase Considerations
Threat Complete is Rapid7’s licensing package for InsightIDR and includes a wide range of capabilities under a single model, which contains the following modules: centralized log management, search, reporting and dashboards, FIM, IDS, network traffic analysis, threat intelligence, EDR, attacker behavior analytics, user behavior analytics, deception technology, SOAR, attack surface monitoring, and security configuration assessment.
Use Cases
The solution’s distinguished XDR and SIEM approach enables a range of use cases, including automated endpoint response and comprehensive environment visibility. The solution provides native engineer-vetted detections, embedded threat intelligence, and threat investigation tools.
Securonix: Unified Defense SIEM
Solution Overview
Securonix Unified Defense SIEM provides organizations a threat detection, investigation, and response (TDIR) solution built on a highly scalable data cloud. The cloud-native solution adopts a cybersecurity mesh architecture to agnostically integrate with multiple clouds, data lakes, and security solutions. The SIEM solution offers organizations 365 days of hot data for fast search and investigation, powered by the Snowflake data cloud. It relies on threat content as a service to deliver a frictionless unified TDIR experience.
Securonix’s strategy is to create a next-generation SIEM platform that is well integrated, comprehensive, and can provide a true end-to-end security analytics and operations solution. Securonix differs from solutions with similar capabilities in its approach to the cloud. It is one of only a few vendors that provides a native and robust SaaS deployment model and has even implemented a bring-your-own-cloud version.
Securonix demonstrated year-over-year developments of new and innovative features.
Securonix is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the autonomous SOC Radar chart.
Strengths
Securonix scored well on a number of decision criteria, including:
Detection engine: Securonix Threat Labs continuously monitors emerging threats and develops detection content that customers can apply in production. In addition, Securonix offers prepackaged content that can be deployed using its automated content dispenser. The content includes use cases such as insider threat detection, fraud analytics, threat hunting, compliance reporting, and identity and access analytics.
Threat hunting and modeling: Securonix’s Autonomous Threat Sweeper (ATS) automatically performs retroactive threat hunting by scanning historical logs for newly discovered threats. Leveraging the latest research and threat content from Securonix Threat Labs, ATS runs in the background without any user intervention, looking for signs of compromise in historical customer data.
User and entity anomaly detection: The solution supports a wide range of detection models, including feature extraction, min-max clustering, peer group profiling, event rarity, word entropy, extracting features from the subjects using word2vec, enumerating behaviors, and proxy/network traffic analysis. While other SIEM vendors implement ML capabilities to enhance existing features, Securonix puts ML at the platform’s core, using both supervised and unsupervised ML to enable behavior pattern recognition, rare event detection, and automated phishing and spam identification.
Opportunities
Securonix has room for improvement in a few decision criteria, including:
Response and remediation: While the solution can integrate with third-party products for response actions, it can further improve these capabilities by gathering OS-level information using tools such as osquery or by using agents.
Deterministic automation and integrations: Deterministic automation can be defined using low-code logic but can be improved by supporting triggers such as generic HTTP, event-driven triggers using protocols like Kafka, chat triggers, and scheduled triggers. It can also implement advanced playbook capabilities, such as retries, timeouts, rate limits, nested playbooks, live editors, and workflow rollback.
DevSecOps and security as code: While rules and detection logic can be maintained in GitHub repositories, the solution does not support detection as code, native version control, or programmatic interaction with the product.
Purchase Considerations
Securonix offers four licensing tiers, each with increasing features and pricing based on a GB-per-day ingestion rate. Autonomous Threat Sweeper, SOAR, and Investigate are available as add-ons to the Basic, Standard, and Advanced packages, and all add-ons are included in the All-In package. The capabilities evaluated in this report are those included in the All-In package.
Use Cases
The most popular use cases for the Securonix solution are focused on detection of insider threats, privilege misuse, and advanced cyberattacks. Securonix supports more than 1,000 out-of-the-box use cases and more than 100 threat models that are available to customers as prepackaged content. Threat chain models are combinations of use cases (IoCs) that, if seen together, indicate a much stronger likelihood of a security compromise.
Stellar Cyber: Stellar Cyber unified, open SecOps platform
Solution Overview
Stellar Cyber unified, open SecOps platform is a solution for performing end-to-end threat detection and response, combining multiple capabilities into a single product, including next-generation SIEM, NDR, threat intelligence platform, IDS, SOAR, and UEBA tools.
Stellar Cyber offers visibility into IT, operational technology (OT), and security environments and provides automated detection and response across multiple data sources. Stellar Cyber is built on a security data lake and a detection and correlation engine. Additional native capabilities are built into the platform to provide comprehensive detection and response.
Data is collected, normalized, enriched, detected, and correlated across all sources. It can be collected from API-based connectors, log sources, or via Stellar Cyber sensors for enhanced visibility. Normalization and enrichment happen across all data, either at the edge (sensors) or centrally. Detections based on both ML and rules reveal threats and send the results to the correlation engine for automated investigation.
Stellar Cyber is positioned as a Leader and Outperformer in the Innovation/Platform Play quadrant of the autonomous SOC Radar chart.
Strengths
Stellar Cyber scored well on a number of decision criteria, including:
Detection engine: The solution’s detection engine generates alerts based on anomalies and potential threats using custom ML models and curated threat intelligence. The solution uses ML to analyze natively generated and collected alerts to correlate seemingly unrelated security events into a single case ready for analyst investigation. Native, third-party, and custom alerts are correlated into Incidents, automating investigations and providing immediate context.
Response and remediation: Stellar Cyber offers comprehensive response and remediation capabilities, including the ability to terminate, quarantine, and isolate threats through integrations with 32 EDR vendors. It supports both agent-based and agentless remediation, with its own suite of physical and virtual sensors for OS-level controls to terminate processes. The platform can destroy and recreate containers via scripting and webhooks, steer traffic to sandboxes for investigation, and leverage MITRE ATT&CK data for correlation and recommended mitigations, utilizing a Kill Chain Loop for actionable insights. Threats detected in one customer's environment can be immediately scanned for in others, and the tool can take proactive measures against suspicious behaviors, subject user access to isolation proxies for deeper inspection, and collect binaries, URLs, and documents for sandbox scanning.
Monitoring ephemeral resources: Stellar Cyber offers robust support for monitoring ephemeral resources, covering key security aspects. For identity and access management, it tracks privilege escalation attempts within pods, changes to RBAC policies and roles, and failed authentication attempts. In network security, it monitors for unauthorized pod connections, network tunneling or reverse shells, and unexpected network traffic patterns. Runtime security is enhanced by detecting malicious images, new vulnerabilities in old images, and unauthorized pods. It also tracks policy changes, including those to pod security policies, Kubernetes secrets and ConfigMaps, and container image repositories. Furthermore, Stellar Cyber ingests a comprehensive range of observability data, including Kubernetes audit, controller manager, scheduler, Kubelet, and etcd logs, as well as container runtime, ingress controller, cluster network, workload, node OS, monitoring system, and CI/CD pipeline logs, ensuring deep insight into all cluster activities.
Stellar Cyber was classified as an Outperformer given its extensive near-term development pipeline and release schedule.
Opportunities
Stellar Cyber has room for improvement in a few decision criteria, including:
Case management: Even though the solution natively supports case management features, it does not currently offer war rooms, where multiple analysts communicate in real time around case-specific data and collaborate with nonsecurity teams. Stored case data could also serve as global context for LLM agents or copilots and as a shared resource among analysts, including for onboarding new ones.
Deterministic automation and integrations: The solution offers good automation and integrations capabilities. However, integrations can be improved by implementing integration version control and automated writing of new integrations, while automation can support features such as generic HTTP, event-driven triggers using protocols like Kafka, chat triggers, and scheduled triggers. It can also implement advanced playbook capabilities, such as retries, timeouts, rate limits, nested playbooks, live editors, and workflow rollback.
Design-time LLM: Stellar Cyber can use an LLM to build a query from natural language, which can then be turned into a detector, but it doesn’t currently write automation workflows or transform or parse data.
Purchase Considerations
The platform includes all the technology described in this report under a single, all-in license. It is fully multitenant, making it suitable for MSSPs. Stellar Cyber also offers enablement services for MSSPs, training SOC teams to use the platform and sales teams to sell the platform effectively. Enterprises can access training for both administrators and analysts to maximize the platform's potential. Pricing is based on assets or ingestion.
Use Cases
Stellar Cyber’s solution can cater to a wide range of use cases, including log ingestion and management, case management and collaboration, threat hunting, process and investigation automation, and compliance with industry standards.
Sumo Logic: Cloud SIEM
Solution Overview
Sumo Logic Cloud SIEM is a SaaS-delivered solution built from the ground up as a multitenant microservices architecture that scales elastically and supports large volumes of data ingestion. Sumo Logic’s solution offers a range of features, including the Insight Rules Engine that features over 1,000 out-of-the-box rules, an entity timeline and Entity Relationship Graph for threat hunting, the Insight Global Confidence Scores module, the Automation Service that offers playbooks for Insight enrichment, notifications, and containment actions, and a MITRE ATT&CK Threat Coverage Explorer.
Sumo Logic’s autonomous SOC results from the 2021 acquisition of DFLabs, a standalone SOAR provider. The SOAR product has been natively integrated in the Cloud SIEM solution and is available under the Enterprise Suite plan. It is a stable solution that can cater to the needs of SMBs and large enterprises.
Sumo Logic is positioned as a Challenger and Forward Mover in the Maturity/Platform Play quadrant of the autonomous SOC Radar chart.
Strengths
Sumo Logic scored well on a number of decision criteria, including:
Detection engine: Cloud SIEM’s Insight Engine consolidates alert signals from multiple sources into a single insight tied to specific entities. It reduces triage and investigation time by automatically correlating related activities and potential threats. It also provides a powerful historical view, evaluating all signals associated with an entity up to the last 30 days. The insights include AI/ML-based confidence scores, which help analysts prioritize their work based on the likelihood that the insight is a true event.
Monitoring ephemeral resources: The solution allows visibility into Kubernetes clusters and provides integrations with Falco, an open source runtime security tool that monitors for privilege escalation in privileged containers, unexpected network connections or socket mutations, and reads or writes to well-known directories.
Threat hunting and modeling: Sumo Logic provides a “view back in time” feature that evaluates all signals associated with an entity up to the last 30 days. The insights include AI/ML-based confidence scores, which help analysts prioritize their work based on the likelihood that the insight is a true event.
Opportunities
Sumo Logic has room for improvement in a few decision criteria, including:
User and entity anomaly detection: The solution provides limited models to detect anomalous behavior using analysis such as comparison against peer groups or network behavior analysis.
Vulnerability and misconfiguration scanning: The tool only supports integration with vulnerability management tools and prepackaged response workflows.
Deterministic automation and integrations: While the solution can define automation logic using workflows, it can enhance this capability by implementing integration version control and automated writing of new integrations. For automation, it can support triggers such as generic HTTP, event-driven triggers using protocols like Kafka, chat triggers, and scheduled triggers. It can also implement advanced playbook capabilities, such as retries, timeouts, rate limits, nested playbooks, live editors, and workflow rollback.
Sumo Logic was classified as a Forward Mover given its slow development cadence and small number of year-over-year feature releases.
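The playbook capabilities named in the Opportunities sections above (retries, timeouts, rate limits, nested playbooks, and workflow rollback) are easier to assess with a concrete model of their semantics. The following runner is an added example, not code from any vendor in this report; the containment playbook, host name, and IP address it runs are constructed, and time is simulated rather than real.

```python
"""Deterministic playbook runner: retries, timeouts, rate limit, nested playbooks and
rollback. Added example, not any vendor's engine. Time is simulated, not real."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple, Union

class StepFailed(Exception):
    pass

@dataclass
class Step:
    name: str
    action: Callable[[], float]                # returns simulated seconds taken; raises on error
    undo: Optional[Callable[[], None]] = None  # compensating action run during rollback
    retries: int = 0
    timeout_s: float = 30.0

@dataclass
class Playbook:
    name: str
    steps: List[Union[Step, "Playbook"]]       # a Playbook entry is a nested playbook

class TokenBucket:
    """Rate limit on outbound actions. Also owns the simulated clock (now)."""
    def __init__(self, rate_per_s: float, burst: int):
        self.rate, self.burst, self.tokens = rate_per_s, burst, float(burst)
        self.now = self.last = 0.0

    def acquire(self) -> float:
        """Take one token, waiting (advancing the clock) if none is available."""
        self.tokens = min(self.burst, self.tokens + (self.now - self.last) * self.rate)
        waited = max(0.0, (1.0 - self.tokens) / self.rate)
        self.now += waited
        self.last, self.tokens = self.now, max(self.tokens, 1.0) - 1.0
        return waited

@dataclass
class Runner:
    bucket: TokenBucket
    log: List[str] = field(default_factory=list)

    def run(self, pb: Playbook) -> bool:
        completed: List[Step] = []
        try:
            self._run_into(pb, completed)
            return True
        except StepFailed as exc:
            self.log.append(f"failed: {exc}")
            for step in reversed([s for s in completed if s.undo]):  # reverse completion order
                step.undo()
                self.log.append(f"rolled back {step.name}")
            return False

    def _run_into(self, pb: Playbook, completed: List[Step]) -> None:
        for item in pb.steps:
            if isinstance(item, Playbook):
                self._run_into(item, completed)  # nested playbook shares the rollback stack
            else:
                self._run_step(item)
                completed.append(item)

    def _run_step(self, step: Step) -> None:
        for attempt in range(1, step.retries + 2):
            waited = self.bucket.acquire()
            if waited:
                self.log.append(f"{step.name} rate-limited, waited {waited:.1f}s")
            try:
                took = step.action()
                self.bucket.now += min(took, step.timeout_s)  # a hung action is cut at the timeout
                if took > step.timeout_s:
                    raise TimeoutError(f"exceeded {step.timeout_s:.0f}s")
                self.log.append(f"{step.name} ok")
                return
            except Exception as exc:
                self.log.append(f"{step.name} attempt {attempt} failed: {exc}")
        raise StepFailed(step.name)

def demo(firewall_failures: int, notify_hangs: bool) -> Tuple[bool, Dict[str, set], List[str]]:
    """Constructed containment playbook (host name and IP are placeholders). firewall_failures:
    firewall API errors before it succeeds; notify_hangs: notification exceeds its timeout."""
    state: Dict[str, set] = {"isolated": set(), "blocked": set()}
    calls = {"firewall": 0}
    def isolate() -> float:
        state["isolated"].add("ws-42")
        return 1.0
    def block_ip() -> float:
        calls["firewall"] += 1
        if calls["firewall"] <= firewall_failures:
            raise ConnectionError("firewall API returned 503")
        state["blocked"].add("198.51.100.7")
        return 2.0
    contain = Playbook("contain-host", [
        Playbook("enrich", [Step("whois-lookup", lambda: 0.2)]),
        Step("isolate-host", isolate, undo=lambda: state["isolated"].discard("ws-42")),
        Step("block-ip", block_ip, undo=lambda: state["blocked"].discard("198.51.100.7"), retries=2),
        Step("notify-oncall", lambda: 120.0 if notify_hangs else 0.5, timeout_s=30.0),
    ])
    runner = Runner(TokenBucket(rate_per_s=1.0, burst=2))
    return runner.run(contain), state, runner.log
```

With `demo(2, True)` the firewall step succeeds on its third attempt after two rate-limited waits, the notification step times out, and the completed isolate and block steps are rolled back in reverse order.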
Purchase Considerations
Sumo Logic features a $0 ingest fee, with pricing based solely on data analysis. The solution has three tiers: Free, Essential, and Enterprise Suite. Only the Enterprise Suite plan offers the Cloud SIEM capabilities. The Free tier includes a maximum 1 GB/day log ingestion capacity and seven days of data retention but no security-specific capabilities. The Enterprise Suite allows customers to define their own data retention and offers 24/7 support for P1 incidents, and it includes Cloud Infrastructure Security, Cloud SIEM, and Cloud SOAR.
Use Cases
Sumo Logic Cloud SIEM supports a range of cases, including compliance with data security and privacy regulations such as PCI DSS, incident response to identify how an attack breached enterprise security systems and which hosts or applications were affected by the breach, vulnerability management to proactively test network and IT infrastructure, and threat intelligence.
Torq: HyperSOC
Solution Overview
Torq is an enterprise-grade security automation solution for no-code, low-code, and pro-code automations. It offers a rich templates library addressing automation for various pillars of a cybersecurity program such as SecOps, threat intelligence, threat hunting, cloud security, application security, IAM, device management, governance, risk, and compliance.
Torq's HyperSOC solution is built on its comprehensive automation engine to address common SOC opportunities such as alert fatigue, false positives, and staff burnout. Despite being the only non-SIEM solution featured in the report, Torq can ingest and store data in a Torq-hosted or customer-hosted data lake.
Torq is hosted on IaaS services such as AWS and GCP, and it has points of presence in various regions. Torq’s automation data plane can be separated from a control plane and be self-hosted in any bare metal or virtualized private network.
Torq offers autonomous operations features for both workflow design and runtime security event processing. Design-time capabilities consist of assistive development of automated processes, such as summarization to support collaboration and improvement, development copilots, and the like. Runtime capabilities consist of data enrichment and data-driven suggestions to assign specific teams or analysts based on their profile, ownership, and history. It can also suggest investigative steps to help understand the issue and recommend containment actions to stop the negative effect and facilitate complete remediation.
Torq is positioned as a Leader and Fast Mover in the Innovation/Feature Play quadrant of the autonomous SOC Radar chart.
Strengths
Torq scored well on a number of decision criteria, including:
Case management: Torq offers a built-in case management system developed in-house and integrated with the solution’s event-driven architecture and security automation capabilities. Torq also offers out-of-the-box bidirectional integrations with leading case management systems such as ServiceNow, Jira, and Zendesk, as well as with communication platforms like Slack, Microsoft Teams, and Cisco Webex. Torq supports in-the-platform virtual war rooms as a part of its case management, with multiworkspace architecture and granular role-based access controls (RBAC) that can engage multiple teams across organizational disciplines, including security, IT, engineering, business lines, and human resources.
Monitoring ephemeral resources: Torq has comprehensive visibility over ephemeral resources, monitoring container- and Kubernetes-based constructs across three key domains: identity and access management, to detect privilege escalation attempts within pods, changes to RBAC policies and roles, and failed authentication attempts; network security, to identify unauthorized pod connections, network tunneling, reverse shells, and unexpected ingress or egress traffic patterns; and runtime security, to uncover malicious images masquerading as legitimate ones from public registries, newly discovered vulnerabilities in legacy images, and unauthorized or suspicious pods running in the cluster.
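The ephemeral-resource signals listed for Stellar Cyber and Torq above (RBAC policy changes, privilege escalation within pods, failed authentication) map directly onto Kubernetes audit events. The following detector is an added example, not any vendor's detection content; the audit lines, users, namespaces, and object names are constructed placeholders.

```python
"""Detections over Kubernetes audit events (audit.k8s.io/v1, JSON lines).

Added example, not any vendor's detection content. It covers three of the
ephemeral-resource signals the report lists: RBAC policy changes, privileged
or escalation-capable pods, and failed authentication/authorization."""
import json
from typing import Dict, Iterable, List, Optional

RBAC_GROUP = "rbac.authorization.k8s.io"
RBAC_RESOURCES = {"roles", "clusterroles", "rolebindings", "clusterrolebindings"}
MUTATING_VERBS = {"create", "update", "patch", "delete"}

def _status(event: Dict) -> int:
    return int((event.get("responseStatus") or {}).get("code", 0))

def _user(event: Dict) -> str:
    return (event.get("user") or {}).get("username", "<anonymous>")

def rbac_change(event: Dict) -> Optional[str]:
    """A successful mutation of a Role/ClusterRole or one of their bindings."""
    ref = event.get("objectRef") or {}
    if (ref.get("apiGroup") == RBAC_GROUP and ref.get("resource") in RBAC_RESOURCES
            and event.get("verb") in MUTATING_VERBS and _status(event) < 400):
        return f"rbac-change {event['verb']} {ref['resource']}/{ref.get('name')} by {_user(event)}"
    return None

def privileged_pod(event: Dict) -> Optional[str]:
    """A pod created or modified with a privileged or escalation-capable container."""
    ref = event.get("objectRef") or {}
    if ref.get("resource") != "pods" or event.get("verb") not in {"create", "update", "patch"}:
        return None
    spec = (event.get("requestObject") or {}).get("spec") or {}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged") or sc.get("allowPrivilegeEscalation"):
            return (f"privileged-pod {ref.get('namespace')}/{ref.get('name')} "
                    f"container={c.get('name')} by {_user(event)}")
    return None

def failed_auth(event: Dict) -> Optional[str]:
    """The API server rejected the request (401 unauthenticated, 403 forbidden)."""
    code = _status(event)
    if code in (401, 403):
        return f"auth-failure {code} user={_user(event)} uri={event.get('requestURI')}"
    return None

DETECTORS = (rbac_change, privileged_pod, failed_auth)

def scan(lines: Iterable[str]) -> List[str]:
    """Run every detector over each JSON audit line; findings are returned in order."""
    findings: List[str] = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        for detector in DETECTORS:
            hit = detector(event)
            if hit:
                findings.append(hit)
    return findings

# Constructed sample audit events; users, namespaces and object names are placeholders.
SAMPLE_AUDIT = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"ci-deployer"},"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io","name":"ci-admin"},"requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"dev-alice"},"objectRef":{"resource":"pods","namespace":"payments","name":"debug-shell"},"requestURI":"/api/v1/namespaces/payments/pods","requestObject":{"spec":{"containers":[{"name":"shell","image":"example/busybox:latest","securityContext":{"privileged":true}}]}},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"get","user":{"username":"system:anonymous"},"objectRef":{"resource":"secrets","namespace":"kube-system"},"requestURI":"/api/v1/namespaces/kube-system/secrets","responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"get","user":{"username":"dev-alice"},"objectRef":{"resource":"pods","namespace":"payments","name":"api-7d9"},"requestURI":"/api/v1/namespaces/payments/pods/api-7d9","responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"dev-bob"},"objectRef":{"resource":"rolebindings","apiGroup":"rbac.authorization.k8s.io","namespace":"payments","name":"bob-admin"},"requestURI":"/apis/rbac.authorization.k8s.io/v1/namespaces/payments/rolebindings","responseStatus":{"code":403}}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_AUDIT.splitlines()):
        print(finding)
```

The last sample line shows why the 403 check matters: a denied attempt to create a RoleBinding surfaces as an authorization failure, not as an RBAC change, because the binding was never applied.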
Threat hunting and modeling: Torq HyperSOC can apply newly optimized rules to historical data to identify untriggered alarms and detect threats that may have initially evaded real-time detection. It automatically correlates and analyzes alerts from various security tools and enriches the alert information with data from external threat intelligence services like Mandiant (Google), CrowdStrike, SentinelOne, and VirusTotal for a more comprehensive threat assessment.
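Retrospective analysis, as described for Securonix's Autonomous Threat Sweeper and for Torq HyperSOC above, means re-evaluating new or updated detection rules over retained history and surfacing the alerts that never fired at ingest time. The following is an added example, not code from either vendor; the DNS events and the indicator domain are constructed placeholders, and the 30-day retention window is an assumption.

```python
"""Retrospective detection sweep over a retained log store.

Added example, not code from any vendor in this report. When a detection rule
is added or updated, it is re-evaluated against events that were already
ingested, surfacing alerts that never fired at ingest time."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List

Event = Dict[str, str]

@dataclass
class Rule:
    rule_id: str
    version: int
    match: Callable[[Event], bool]

@dataclass
class Alert:
    rule_id: str
    rule_version: int
    event_id: str
    retrospective: bool   # True when found by a sweep rather than at ingest

@dataclass
class DetectionStore:
    """Hot store: retained events plus every alert produced so far."""
    retention: timedelta
    rules: Dict[str, Rule] = field(default_factory=dict)
    events: List[Event] = field(default_factory=list)
    alerts: List[Alert] = field(default_factory=list)

    def ingest(self, event: Event) -> List[Alert]:
        """Real-time path: evaluate every installed rule as the event arrives."""
        self.events.append(event)
        fired = [Alert(r.rule_id, r.version, event["id"], retrospective=False)
                 for r in self.rules.values() if r.match(event)]
        self.alerts.extend(fired)
        return fired

    def _already_alerted(self, rule_id: str, event_id: str) -> bool:
        return any(a.rule_id == rule_id and a.event_id == event_id for a in self.alerts)

    def update_rule(self, rule: Rule, now: datetime) -> List[Alert]:
        """Install a new or updated rule and sweep retained history with it.

        Only events inside the retention window are swept, and an event that
        already produced an alert for this rule_id is skipped, so the sweep
        reports genuinely missed detections rather than duplicates."""
        self.rules[rule.rule_id] = rule
        cutoff = now - self.retention
        missed: List[Alert] = []
        for ev in self.events:
            if datetime.fromisoformat(ev["ts"]) < cutoff:
                continue
            if rule.match(ev) and not self._already_alerted(rule.rule_id, ev["id"]):
                missed.append(Alert(rule.rule_id, rule.version, ev["id"], retrospective=True))
        self.alerts.extend(missed)
        return missed

def demo() -> DetectionStore:
    """Constructed scenario: a C2 domain becomes a known indicator only after
    the DNS lookups for it were logged. Hostnames are placeholders, not real IoCs."""
    now = datetime(2025, 10, 14, 12, 0, 0)
    store = DetectionStore(retention=timedelta(days=30))   # assumed hot retention
    history = [
        {"id": "e1", "ts": "2025-10-01T08:00:00", "host": "ws-17", "query": "updates.example.net"},
        {"id": "e2", "ts": "2025-10-05T09:30:00", "host": "ws-42", "query": "cdn.placeholder-c2.invalid"},
        {"id": "e3", "ts": "2025-08-20T10:00:00", "host": "ws-42", "query": "cdn.placeholder-c2.invalid"},
    ]
    for ev in history:
        store.ingest(ev)            # no rule knows the domain yet, so nothing fires
    def is_c2(e: Event) -> bool:
        return e["query"].endswith("placeholder-c2.invalid")
    store.update_rule(Rule("dns-known-c2", version=2, match=is_c2), now)   # sweep finds e2 only
    store.ingest({"id": "e4", "ts": "2025-10-14T11:00:00", "host": "ws-09",
                  "query": "cdn.placeholder-c2.invalid"})                  # fires in real time now
    store.update_rule(Rule("dns-known-c2", version=3, match=is_c2), now)   # re-sweep adds nothing
    return store

if __name__ == "__main__":
    for a in demo().alerts:
        print(f"{a.rule_id} v{a.rule_version} event={a.event_id} retrospective={a.retrospective}")
```

Event e3 matches the indicator but falls outside the retention window, so the sweep cannot see it; that gap is exactly why the hot-retention figures in the Purchase Considerations sections matter for this capability.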
Opportunities
Torq has room for improvement in a few decision criteria, including:
Vulnerability and misconfiguration scanning: The solution can integrate with third-party tools such as Wiz and Astrix but does not natively support these use cases, meaning it is dependent on the customer’s technology stack.
Response and remediation: While the solution can automate the response process to perform investigations and block or contain threats, it does not offer an agent to be deployed on hosts and other appliances to provide low-level controls and visibility.
Detection engine: While Torq’s detection mechanisms are comprehensive, the solution is not intended to scale up raw data ingestion and implicit detection to terabytes or petabytes of data. The solution is best used for richer events such as API calls, which can then be enriched with network or cloud logs.
Purchase Considerations
Torq licensing models are structured around the platform tier, number of workspaces, and product add-ons. Platform tier licensing is based on the number of employees, which determines the volume of security events to be automated. This ensures that the platform can handle security events with proper urgency and efficiency.
Each workspace is licensed based on the number of workflows and access to platform features. Workspaces can be upgraded with additional workflows and features as needed. Customers can purchase additional features and services as add-ons to their existing licenses. This includes extra workflows, advanced insights, and case management capabilities.
Use Cases
Torq can deliver a wide range of automation and response use cases, including IAM, threat hunting, cloud security posture management, incident management and response, containment procedures, threat remediation, and evidence preservation.
Tuskira: Tuskira Autonomous Threat Operations Platform
Solution Overview
Tuskira is an AI-native platform that transforms existing security stacks into autonomous threat-defense systems. It ingests telemetry from across the enterprise into a unified Security Mesh, builds a live digital twin of the environment, and deploys an AI Analyst Workforce to simulate attacks, validate risks, and automatically mitigate real threats.
Tuskira is a single unified platform with modular AI Analyst agents that can be enabled based on customer needs. The core platform provides the security mesh, digital twin, and orchestration engine. The AI Analysts are functionally distinct modules that operate within the shared platform.
The Security Mesh ingests and normalizes telemetry from more than 150 tools to create a real-time semantic layer. The digital twin continuously updates models of the customer’s live environment used to simulate adversary behavior and validate security posture.
AI Analysts are purpose-built agents for threat assessment, hunting, response, vulnerability validation, and control optimization. Each operates independently but shares context to drive coordinated defense. The Automated Mitigation Engine converts validated risk into threat action, tuning rules, isolating endpoints, modifying policies, or triggering remediation workflows.
Tuskira is positioned as a Challenger and Fast Mover in the Innovation/Feature Play quadrant of the autonomous SOC Radar chart.
Strengths
Tuskira scored well on a number of decision criteria, including:
Detection engine: Tuskira uses pretrained ML models to analyze ingested data, look for anomalies, and identify threats. It uses reasoning-based AI agents to conduct the alert analysis with real-time customer data using modular correlation pipeline layers to deliver detection correlations. Tuskira uses digital twin technology to conduct attack defense analysis using ML and AI models, using exploit code for conducting behavior analysis. The solution conducts tests of detection rules against synthetic, AI-generated, and sampled telemetry, catching regressions, schema changes, and gaps in coverage.
Response and remediation: The Tuskira platform delivers both agentless and agent-based response and remediation capabilities. Through its unified Security Data Fabric and digital twin architecture, Tuskira can terminate, quarantine, or isolate threats across cloud, endpoint, and container environments. It supports OS-level controls to halt or kill malicious processes and has the ability to destroy and recreate containers as part of its automated remediation workflows using EDR integrations.
Threat hunting and modeling: Tuskira AI agents use purposely trained models in threat modeling tradecraft to build digital twins and multilayered threat models. These include network vulnerabilities, exploits, threats, defense controls, and residual risks. The digital twins are the foundation for Tuskira agents to deliver threat hunting and interactive dependency maps.
Opportunities
Tuskira has room for improvement in a few decision criteria, including:
Case management: While Tuskira agents create a case for every alert, this mechanism is not oriented for human analysts to document, collaborate, and investigate cases manually.
User and entity anomaly detection: While the solution can conduct anomaly analysis for identities and correlate them across several events, it does not implement techniques such as min-max clustering, peer comparisons, and sequence-based correlation, where indicators are associated over time.
Deterministic automation and integrations: The solution is predominantly based on LLM-based automation, meaning that its capabilities for writing deterministic automation are limited.
Purchase Considerations
Tuskira's pricing model consists of three main components: a Base Platform Subscription, which is a monthly or annual fee scaling with environment size and integration complexity, providing access to core AI-driven automation, a unified security mesh, dashboards, and RBAC; AI Agent-Based Pricing, where customers pay based on the number and type of AI agents deployed for specific security functions, with pricing varying by agent type, use case, and degree of autonomy; and Triage Volume, which offers volume-based pricing tied to the number of security events or triaged alerts processed per month, structured into tiers like Starter and Growth.
Use Cases
Tuskira’s solution is suitable for use cases such as simulating, assessing, and prioritizing risk based on exploitability and control effectiveness. It validates whether detections actually align with current risks and measures whether your stack can defend against validated threat scenarios. It can also be used for threat hunting and zero-day detection, as well as incident response.
UTMStack
Solution Overview
UTMStack’s SIEM solution provides threat detection and response that is powered by threat intelligence and real-time correlation before ingestion. UTMStack is a single product that can be deployed on-premises, within the customer’s cloud, or as a platform using the UTMStack SaaS.
UTMStack has the following components: Dashboard Builder, Alert and Incident Management, User Activity Auditor, Log Analyzer, File Changes Tracker, Threat Intelligence, Built-In SOAR, Compliance Reporting, Vulnerability Management, and an LLM enhanced by RAG for automated alert and incident investigation.
UTMStack has its own internal research team focused on dark web data hunting, IoC and attack pattern investigation, and the operation of honeypot networks for threat intelligence investigation and malware hunting. Its proprietary threat intelligence platform, Threatwinds, integrates this research into UTMStack by default across all deployments.
UTMStack has two approaches to multitenancy: one instance per customer or a single instance shared among multiple customers. As UTMStack supports on-premises and cloud deployments, MSSPs can manage all these deployments remotely using a “federation service,” which orchestrates multiple UTMStack instances and provides a single pane of glass for monitoring, making it a useful tool for security operations teams.
UTMStack is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the autonomous SOC Radar chart.
Strengths
UTMStack scored well on a number of decision criteria, including:
Detection engine: The solution normalizes ingested data using Logstash parsing rules and an in-house correlation engine written in Go. In UTMStack, logs are correlated before ingestion, which can shorten correlation and detection times and lower resource utilization. Alarm and alert definitions are written as simple YAML correlation rule files, which are intuitive and can be created by a security analyst without coding experience. UTMStack uses the MITRE ATT&CK framework for alert classification and scoring, and it can determine risk based on user, device, workload, and identity context; a resource’s level of exposure to the public internet or other external networks; behavior deviation from the baseline; heuristic analysis; and threat intelligence IoC analysis.
Response and remediation: The tool automates incident response workflows for alert handling, host isolation, host shutdown, IP blocking at firewalls, and intervention in malware activity. Automation features include low-code playbooks, external API requests, agent-based command execution, secure shell command execution, and scripting in PowerShell and Bash.
DevSecOps and security as code: All UTMStack code is open source and available on GitHub, supporting CI/CD with GitHub Actions, implementing unit testing, and exposing its functions via an API.
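To make the detection-engine strength above concrete (correlation evaluated as events arrive, rules that a non-programmer could author in a flat YAML file, MITRE ATT&CK tagging, and risk raised by asset exposure and threat-intel context), here is an added example written for this page. It is not UTMStack's engine, and its rule schema is hypothetical, not UTMStack's YAML format: the rules are plain dicts shaped the way a flat YAML file would load through `yaml.safe_load`, and the events, IoC set, and asset inventory are all constructed sample data.

```python
"""Streaming log correlation with YAML-style rules, MITRE tags and risk scoring.
Added illustration only (not UTMStack code); RULES are hypothetical dicts shaped
as a flat YAML rule file would load, and all events, IoCs and hosts are constructed.
"""
from collections import defaultdict, deque

# Constructed threat-intel IoC set (documentation-range address, not a real IoC).
THREAT_INTEL_IPS = {"203.0.113.77"}
# Constructed asset inventory: exposure of each host to the public internet.
ASSET_EXPOSURE = {"web-01": "public", "db-01": "internal"}

# Hypothetical rules: exact field matches, an optional IoC requirement, and a
# threshold of matching events sharing `group_by` inside a sliding window.
RULES = [
    {"name": "Brute-force logon attempts", "mitre": "T1110",
     "match": {"event_type": "logon_failure"}, "group_by": "src_ip",
     "threshold": 5, "window_seconds": 60, "severity": 5},
    {"name": "Outbound connection to threat-intel IP", "mitre": "T1071",
     "match": {"event_type": "net_connect"}, "ioc_field": "dst_ip",
     "group_by": "host", "threshold": 1, "window_seconds": 1, "severity": 4},
]


def matches(rule, event):
    """Exact-value match on every field in rule['match'], plus optional IoC check."""
    if any(event.get(k) != v for k, v in rule["match"].items()):
        return False
    ioc_field = rule.get("ioc_field")
    return ioc_field is None or event.get(ioc_field) in THREAT_INTEL_IPS


def risk_score(rule, event):
    """Base severity raised by asset exposure and threat-intel context, capped at 10."""
    score = rule["severity"]
    if ASSET_EXPOSURE.get(event["host"]) == "public":
        score += 3  # internet-exposed asset: higher likelihood of exploitation
    if THREAT_INTEL_IPS & {event.get("src_ip"), event.get("dst_ip")}:
        score += 2  # a known indicator is involved
    return min(score, 10)


class Correlator:
    """Evaluates rules on each event as it arrives, before it reaches storage."""

    def __init__(self, rules):
        self.rules = rules
        self.windows = defaultdict(deque)  # (rule name, group key) -> timestamps
        self.alerts = []

    def ingest(self, event):
        fired = []
        for rule in self.rules:
            if not matches(rule, event):
                continue
            key = (rule["name"], event.get(rule["group_by"]))
            window = self.windows[key]
            window.append(event["ts"])
            while event["ts"] - window[0] > rule["window_seconds"]:
                window.popleft()  # drop timestamps outside the sliding window
            if len(window) >= rule["threshold"]:
                alert = {"rule": rule["name"], "mitre": rule["mitre"], "key": key[1],
                         "host": event["host"], "risk": risk_score(rule, event),
                         "ts": event["ts"]}
                window.clear()  # one alert per burst, not one per extra event
                self.alerts.append(alert)
                fired.append(alert)
        return fired


def run_sample():
    """Feed constructed events through the correlator and return the alerts raised."""
    events = [{"ts": t, "host": "web-01", "event_type": "logon_failure",
               "user": "admin", "src_ip": "198.51.100.9"}
              for t in range(6)]  # six failures in six seconds from one source
    events += [
        {"ts": 10, "host": "db-01", "event_type": "net_connect", "dst_ip": "203.0.113.77"},
        {"ts": 11, "host": "db-01", "event_type": "net_connect", "dst_ip": "192.0.2.5"},
        {"ts": 200, "host": "web-01", "event_type": "logon_failure",
         "user": "admin", "src_ip": "198.51.100.9"},  # lone failure, outside window
    ]
    correlator = Correlator(RULES)
    for event in events:
        correlator.ingest(event)
    return correlator.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Running it yields two alerts: the fifth failed logon from one source trips the brute-force rule on the public-facing web host (risk 8), and the single connection to the IoC address trips the threat-intel rule on the internal database host (risk 6); the benign connection and the lone later failure produce nothing. Clearing the window after an alert is the design choice that keeps one burst from generating one alert per additional event, which is the kind of volume reduction the report's executive summary describes.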
Opportunities
UTMStack has room for improvement in a few decision criteria, including:
Deterministic automation and integrations: The solution has a limited number of out-of-the-box integrations. It could improve its integration management capabilities using features such as version control and IDEs. The vendor does not currently provide a marketplace to manage third-party integrations.
User and entity anomaly detection: UTMStack can detect behavior deviations using a large language model with retrieval augmented generation but does not offer ML-based or time-series analysis of behaviors.
Threat hunting and modeling: While the solution provides a correlation graph to visually display affected assets, it does not currently apply updated detection rules retrospectively or display threats across a timeline to indicate threat progression and lateral movement.
Purchase Considerations
UTMStack has a free open source version, making the solution a low-risk, no-cost opportunity for organizations to deploy the product. The solution has two paid tiers: cloud SIEM and support, and an on-premises enterprise edition. UTMStack licensing is based on individual data sources of logs such as firewalls, Windows servers, Microsoft 365, and antivirus tools.
While the solution has good capabilities, enterprises need to evaluate the vendor’s capacity to support large deployments, such as whether it can deliver large-scale ticket, chat, and remote session support, training sessions, assistance with product configuration and integration, and case escalations.
Use Cases
The solution can cater to a wide range of use cases, including log management; compliance management and reporting for regulations and standards such as HIPAA, GDPR, GLBA, SOC, and ISO; file tracking and classification; user activity tracking; and serving as a threat intelligence source for firewalls.
6. Analyst’s Outlook
There’s no way around automation to cope with today’s ever-growing security and threat detection demands, and most security providers share a vision for how a SOC will work in the future. Tasks that have been manually performed for decades are well documented and ripe for automation, with vendors now abstracting the processes and exposing only the output to analysts.
For low-complexity attacks, organizations can either define their own logic or use prepackaged content and lessons learned from large volumes of similar threats so that an autonomous SOC solution resolves them independently. No organization wants or needs analysts to manually determine whether an email is a phishing attempt. However, for higher-complexity incidents, humans should always be in the loop.
These tools should preserve human agency and augment analysts to operate at higher levels of abstraction. Today’s autonomous SOC features are the core infrastructure for ingesting, processing, and presenting data, while the UI favors natural language interaction rather than clicking through menus.
The relationship between tools and analysts will be one of interdependency, where both entities calibrate each other’s performance for optimal results rather than a one-sided dynamic where analysts always dictate and define how the tool should behave. AI and ML are the core enablers here because extracting information and patterns from petabytes of data is something that humans can’t and shouldn’t take on.
"This playbook you defined isn't behaving as you intended," an autonomous SOC solution will respectfully say to an analyst while also providing supporting evidence. "I see," the analyst might reply. "In these specific circumstances, we want to exclude these entities from triggering the playbook."
Ultimately, success with this new generation of tooling will depend on the ability of those in front of the screen (security analysts) to make the best use of it. As this human-machine relationship develops, the best incident responders will be computer-assisted analysts, just like in chess, where computer-assisted humans are the best players.
7. Methodology
*Vendors marked with an asterisk did not participate in our research process for the Radar report, and their capsules and scoring were compiled via desk research.
For more information about our research process for Radar reports, please visit our Methodology.
8. About Andrew Green
Andrew Green is an enterprise IT writer and practitioner with an engineering and product management background at a tier 1 telco. He is the co-founder of Precism.co, where he produces technical content for enterprise IT and has worked with numerous reputable brands in the technology space. Andrew enjoys analyzing and synthesizing information to make sense of today's technology landscape, and his research covers networking and security.
9. About GigaOm
GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.
GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.
GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.
10. Copyright
© Knowingly, Inc. 2025 "GigaOm Radar for Autonomous Security Operations Center (SOC) Solutions" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.