July 15, 2025
GigaOm Radar for Security Information and Event Management v5
Andrew Green
1. Executive Summary
The security information and event management (SIEM) solution space is mature and competitive. Most vendors have had well over a decade to refine their products, and the differentiation among basic SIEM functions is fairly minor. However, there’s an increasing number of younger SIEM vendors entering the market that can benefit from all the lessons learned during the 2010s and offer modern, lightweight, and often cloud-native solutions.
To improve differentiation, SIEM vendors are developing advanced platforms that provide greater context and deploy ML and automation capabilities to augment security analysts’ efforts. These solutions deliver value by giving security analysts deeper and broader visibility into complex infrastructures, increasing efficiency and decreasing the elapsed time to detection and response.
Vendors offer SIEM solutions in various forms, such as physical appliances, virtual appliances that can be installed in the customers’ on-premises or cloud environments, cloud-hosted solutions on either dedicated or shared infrastructure, and software as a service (SaaS). Many vendors have developed multitenant SIEM solutions for large enterprises or managed security service providers (MSSPs). Customers often find SIEM solutions challenging to deploy, maintain, or even operate, leading to a growing demand for managed SIEM services provided by the SIEM vendor or third-party partners.
SIEM solutions continue to vie for space with other security solutions, such as user and entity behavior analytics (UEBA); endpoint detection and response (EDR); security orchestration, automation, and response (SOAR); and security analytics solutions. All SIEM vendors support integrations with other security solutions. Many vendors also offer tightly integrated solution stacks, allowing customers to choose the solutions they need most, whether that’s just a SIEM solution, a SIEM and a SOAR solution, or some other combination. Other vendors are incorporating limited EDR- or SOAR-like capabilities into their SIEM solutions for customers who want the extra features but are not ready to invest in multiple solutions.
This is our fifth year evaluating the security information and event management space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.
This GigaOm Radar report examines 23 of the top security information and event management solutions and compares offerings against the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) outlined in the companion Key Criteria report. Together, these reports provide an overview of the market, identify leading security information and event management offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.
GIGAOM KEY CRITERIA AND RADAR REPORTS
The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and nonfunctional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the sector.
2. Market Categories and Deployment Types
To help prospective customers find the best fit for their use case and business requirements, we assess how well security information and event management solutions are designed to serve specific target markets and deployment models (Table 1).
For this report, we recognize the following market segments:
Small-to-medium business (SMB): Solutions in this category meet the needs of organizations ranging from small businesses to medium-sized companies. For this segment, advanced features may be less important than compliance and audit reporting and ease of use and deployment. Newer small enterprises may also rely heavily on cloud-based infrastructure, services, and apps, and favor cloud-based SIEM solutions.
Large enterprise: Large enterprises require high-performance SIEM solutions with the throughput and storage capacity to ingest huge volumes of data. Flexibility in deployment, scalability, and integration with existing infrastructure are key differentiators for them.
Regulated industries: These typically include verticals such as finance and healthcare, for which vendors need to adhere to strict rules and regulations as well as support on-premises deployments.
Public sector: These are local and central government bodies as well as international entities that have strict requirements around data sovereignty, vendor certifications, and technology supply chains.
Cloud service provider (CSP): CSPs must be able to monitor the large number of tenants that use the provider’s underlying infrastructure, ensuring visibility across shared devices to prevent lateral movement and lower the risk inherited from each tenant.
Managed Security Service Provider (MSSP): MSSPs require multitenant architectures, flexibility, and scalability. They may also favor solutions with predictable pricing models.
In addition, we recognize five deployment models for solutions in this report:
Physical appliance: These are hardware solutions installed on the customer’s premises. Customers are responsible for operations and maintenance, though they may purchase support services through the vendor or a third-party service provider.
Virtual appliance: This is a software version of the solution that can be installed on a customer’s on-premises equipment or in private clouds.
Public cloud image: The solution can be purchased from a public cloud provider’s marketplace and run in the customer’s public cloud environment.
Hosted and managed by vendor: In this model, the customer purchases the solution and outsources its management to the SIEM vendor, who hosts and manages it on the customer’s behalf.
SaaS: Compared to cloud-hosted models, software as a service has a different licensing and consumption model in which customers often subscribe using a pay-as-you-go plan without purchasing the solution outright and paying separately for management.
Table 1. Vendor Positioning: Target Market and Deployment Model
Table 1 components are evaluated in a binary yes/no manner and do not factor into a vendor’s designation as a Leader, Challenger, or Entrant on the Radar chart (Figure 1).
“Target market” reflects which use cases each solution is recommended for, not simply whether that group can use it. For example, if an SMB could use a solution but doing so would be cost-prohibitive, that solution would be rated “no” for SMBs.
3. Decision Criteria Comparison
All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:
Multiple ingest streams
Flexible storage
Configurable alarms
Root cause analysis
Dashboards and visualizations
Security certifications, compliance, and audits
Large enterprise deployment
Tables 2, 3, and 4 summarize how each vendor in this research performs in the areas we consider differentiating and critical in this sector. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the relevant market space, and gauge the potential impact on the business.
Key features differentiate solutions, highlighting the primary criteria to be considered when evaluating a security information and event management solution.
Emerging features show how well each vendor implements capabilities that are not yet mainstream but are expected to become more widespread and compelling within the next 12 to 18 months.
Business criteria provide insight into the nonfunctional requirements that factor into a purchase decision and determine a solution’s impact on an organization.
These decision criteria are summarized below. More detailed descriptions can be found in the corresponding report, “GigaOm Key Criteria for Evaluating Security Information and Event Management Solutions.”
Key Features
Alarm fidelity and self-tuning: Alarm fidelity considers the capabilities of the alarm-triggering engine that defines the detection rules used to identify suspicious or threatening events. Calibrating alarm fidelity is a balancing act between detecting all suspicious events and not triggering false positives.
Data enrichment: On their own, security event logs contain limited information. During incident investigations, the security team must analyze those events in context. Many SIEM solutions now gather information from user directories, asset inventories, threat intelligence feeds, asset metadata, network information, geo-location, vulnerability management systems, and many other data sources to provide that context.
Collaboration and case management: Collaboration enables multiple security analysts to work together on an incident. Analysts can share information, assign tasks, and communicate within the SIEM platform to identify, categorize, and respond to threats.
Automation: Automation within SIEM platforms has been continuously evolving to make the platforms easier to onboard and use. Setup actions, such as connecting to data sources for log collection, can be done automatically with prepackaged connectors rather than custom code. Other activities like threat enrichment and extracting contextual information can also be defined via playbooks.
Threat hunting and retrospective analysis: With extensive storage capabilities, SIEM solutions can tap into years of collected data to analyze it retrospectively. This activity is referred to as threat hunting, and it complements real-time incident detection and response. This criterion evaluates the solution’s capability to support analyst-driven searches of historic data for suspicious activity that evaded real-time detection.
Monitoring ephemeral resources: Ephemeral resources such as containers and serverless functions pose new security threats. These resources can be infected when they are alive, spun up by malicious actors, or fed malicious data. SIEM tools can integrate with monitoring tools for containerized and ephemeral environments to ingest data.
Data analysis and risk scoring: All SIEM vendors offer some basic behavioral analytics capabilities. Stronger solutions can leverage multiple ML models to analyze data, look for anomalies, and identify threats, then either flag them for analysts to investigate or respond automatically. Often, the resulting action is based on a calculated risk score, which can take into consideration the impact of the threat on the customer’s real-world environment.
Table 2. Key Features Comparison
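To make the enrichment, alarm-fidelity and risk-scoring criteria above concrete, here is an added example that is not taken from the GigaOm report or from any vendor's product. It builds a minimal SIEM-style pipeline in Python: raw logon events are enriched with context from an asset inventory, a user directory, a threat-intelligence list and a geo lookup; a stateful rule (several failures followed by a success from the same user and source) fires an alarm; and the match is turned into a risk score that weights the evidence by what the enrichment says is at stake. Every data source, host name, address and event below is constructed for the example; the rule thresholds and score weights are arbitrary choices, not any vendor's defaults.

```python
"""Added example, not taken from the GigaOm report or from any vendor's product:
a minimal SIEM-style pipeline that (1) enriches raw logon events with context
from an asset inventory, a user directory, a threat-intelligence list and a
geo lookup, (2) applies a stateful detection rule, and (3) turns the match into
a context-weighted risk score. Every data source and event below is constructed
for the example."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# --- Constructed context sources (stand-ins for a CMDB, an IdP, a TI feed, a GeoIP database) ---
ASSET_INVENTORY = {
    "10.0.1.5": {"hostname": "pay-db-01", "criticality": 5},  # constructed crown-jewel host
    "10.0.2.20": {"hostname": "dev-ws-17", "criticality": 1},
}
USER_DIRECTORY = {
    "alice": {"dept": "finance", "privileged": True},
    "bob": {"dept": "engineering", "privileged": False},
}
THREAT_INTEL = {"203.0.113.9"}  # constructed "known bad" entry (TEST-NET-3 address)
GEO_DB = [
    (ipaddress.ip_network("203.0.113.0/24"), "external"),
    (ipaddress.ip_network("10.0.0.0/8"), "corp"),
]

# Constructed raw events, as a log source would ship them before any enrichment
RAW_EVENTS = [
    {"ts": 1, "user": "alice", "src": "203.0.113.9", "dst": "10.0.1.5", "outcome": "fail"},
    {"ts": 2, "user": "alice", "src": "203.0.113.9", "dst": "10.0.1.5", "outcome": "fail"},
    {"ts": 3, "user": "alice", "src": "203.0.113.9", "dst": "10.0.1.5", "outcome": "fail"},
    {"ts": 4, "user": "alice", "src": "203.0.113.9", "dst": "10.0.1.5", "outcome": "success"},
    {"ts": 5, "user": "bob", "src": "10.0.2.20", "dst": "10.0.2.20", "outcome": "success"},
]


def geo_lookup(ip: str) -> str:
    """Return the label of the first network containing ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for net, label in GEO_DB:
        if addr in net:
            return label
    return "unknown"


def enrich(event: dict) -> dict:
    """Attach asset, user, threat-intel and geo context to one raw event."""
    e = dict(event)
    e["asset"] = ASSET_INVENTORY.get(event["dst"], {"hostname": "unknown", "criticality": 1})
    e["user_ctx"] = USER_DIRECTORY.get(event["user"], {"dept": "unknown", "privileged": False})
    e["src_known_bad"] = event["src"] in THREAT_INTEL
    e["src_geo"] = geo_lookup(event["src"])
    return e


def risk_score(e: dict, fail_count: int) -> int:
    """Rule evidence gives a base score; enrichment context scales it.
    The same match against a low-value asset from a clean source scores far lower."""
    score = 5 * fail_count                       # evidence strength
    score += 8 * e["asset"]["criticality"]       # what is at stake
    score += 10 if e["user_ctx"]["privileged"] else 0
    score += 20 if e["src_known_bad"] else 0
    return min(score, 100)


@dataclass
class Alarm:
    rule: str
    user: str
    src: str
    dst: str
    risk: int
    evidence: list = field(default_factory=list)


def detect_bruteforce_then_success(events: list[dict], fail_threshold: int = 3) -> list[Alarm]:
    """Stateful rule: a success preceded by >= fail_threshold failures for the same user+source."""
    fails: dict[tuple, list] = defaultdict(list)
    alarms: list[Alarm] = []
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["user"], e["src"])
        if e["outcome"] == "fail":
            fails[key].append(e)
        elif e["outcome"] == "success":
            if len(fails[key]) >= fail_threshold:
                alarms.append(Alarm("bruteforce_then_success", e["user"], e["src"], e["dst"],
                                    risk_score(e, len(fails[key])), fails[key] + [e]))
            fails[key] = []          # a success closes the window either way
    return alarms


def run_pipeline(raw_events: list[dict]) -> list[Alarm]:
    """Enrich first, then detect, so the rule and the scorer see full context."""
    return detect_bruteforce_then_success([enrich(ev) for ev in raw_events])


if __name__ == "__main__":
    for a in run_pipeline(RAW_EVENTS):
        print(f"{a.rule}: user={a.user} src={a.src} ({a.evidence[0]['src_geo']}) "
              f"dst={a.evidence[0]['asset']['hostname']} risk={a.risk}")
```

The point of the ordering is that the rule's evidence (three failures, then a success) is the same whoever the target is; it is the enrichment that lifts the alice/pay-db-01 alarm to a score of 85 while an identical pattern against a low-criticality workstation from an internal, unlisted address would score 23. Tuning the threshold and the weights is the "balancing act" the alarm-fidelity criterion describes.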
Emerging Features
LLM-based copilots: These offer security analysts a natural language interface to interact with the product. These copilots must support threat hunting, enrichment by conducting external web searches for third-party intelligence, and surfacing or prioritizing the most urgent security alarms and incidents.
LLM agents: This refers to self-deterministic AI agents that can take action autonomously upon ingesting data. LLM-based agent capabilities include autonomous detection, investigation, and response.
Cost optimization: Considering that SIEM solutions consume a large percentage of an organization’s security budget, solutions are being developed that can help customers reduce their bill at a technology level rather than just at a pricing level.
DevSecOps suitability: Some SIEM solutions support DevOps practices in security operations teams, enabling them to define detection rules using code rather than applying them after development is complete. At a high level, this refers to the ability to manage and configure various aspects of a SIEM solution using code repositories, version control, and automated deployment processes.
Security content: While content offered as prepackaged rulesets and out-of-the-box integrations has been available in SIEM for a long time, some SIEM vendors are delivering security content to users as soon as new threats, vulnerabilities, and technologies are discovered and deployed.
Table 3. Emerging Features Comparison
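The DevSecOps suitability criterion above, and the detection-rule unit testing mentioned in the Datadog section below, both describe detection-as-code: a rule is data kept under version control, it carries its own test cases, and a pipeline compiles and tests it before deployment. The following is an added example in Python that is not taken from the GigaOm report or from any vendor's product. The rule format (a JSON document with a `where` tree of `all`/`any`/field conditions and an embedded `tests` list) is invented for this example; the sample events are constructed, with field names following the layout of an AWS CloudTrail ConsoleLogin record.

```python
"""Added example, not taken from the GigaOm report or from any vendor's product:
detection-as-code. The rule is data (a JSON document, as it would sit in a git
repository), it carries its own test cases, and a CI step compiles the rule and
runs those tests before anything is deployed to the SIEM. The rule format is
invented for this example; the sample events are constructed, with field names
following the layout of an AWS CloudTrail ConsoleLogin record."""
from __future__ import annotations

import json
import re
from typing import Any, Callable

RULE_JSON = """
{
  "name": "aws_root_console_login",
  "severity": "high",
  "where": {"all": [
    {"field": "eventName", "eq": "ConsoleLogin"},
    {"field": "userIdentity.type", "eq": "Root"},
    {"field": "responseElements.ConsoleLogin", "eq": "Success"}
  ]},
  "tests": [
    {"name": "root login fires", "expect": true,
     "event": {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
               "responseElements": {"ConsoleLogin": "Success"}}},
    {"name": "iam user does not fire", "expect": false,
     "event": {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser"},
               "responseElements": {"ConsoleLogin": "Success"}}},
    {"name": "failed root login does not fire", "expect": false,
     "event": {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
               "responseElements": {"ConsoleLogin": "Failure"}}},
    {"name": "missing response element does not fire", "expect": false,
     "event": {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}}}
  ]
}
"""

Matcher = Callable[[dict], bool]

# Condition operators the rule language supports (invented for this example)
OPS: dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda v, arg: v == arg,
    "in": lambda v, arg: v in arg,
    "regex": lambda v, arg: isinstance(v, str) and re.search(arg, v) is not None,
}


def get_field(event: dict, path: str) -> Any:
    """Dotted-path lookup; a missing segment yields None instead of raising."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def compile_rule(spec: dict) -> Matcher:
    """Turn the declarative 'where' tree into a predicate over events."""
    def build(node: dict) -> Matcher:
        if "all" in node:
            subs = [build(n) for n in node["all"]]
            return lambda ev: all(m(ev) for m in subs)
        if "any" in node:
            subs = [build(n) for n in node["any"]]
            return lambda ev: any(m(ev) for m in subs)
        ops = [k for k in node if k in OPS]
        if "field" not in node or len(ops) != 1:
            raise ValueError(f"malformed condition: {node!r}")
        op, path, arg = ops[0], node["field"], node[ops[0]]
        return lambda ev: OPS[op](get_field(ev, path), arg)
    return build(spec["where"])


def load_rule(text: str) -> dict:
    """Parse and schema-check a rule document; fail fast on a bad commit."""
    spec = json.loads(text)
    missing = [k for k in ("name", "severity", "where") if k not in spec]
    if missing:
        raise ValueError(f"rule missing required keys: {missing}")
    compile_rule(spec)  # surfaces malformed conditions at load time, not at ingest time
    return spec


def run_rule_tests(spec: dict) -> dict[str, bool]:
    """Run the rule's embedded test cases; returns {test name: passed}."""
    match = compile_rule(spec)
    return {t["name"]: match(t["event"]) == t["expect"] for t in spec.get("tests", [])}


def ready_to_deploy(text: str) -> bool:
    """The CI gate: the rule loads, has at least one test, and every test passes."""
    spec = load_rule(text)
    results = run_rule_tests(spec)
    return bool(results) and all(results.values())


if __name__ == "__main__":
    for name, ok in run_rule_tests(load_rule(RULE_JSON)).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    print("deployable:", ready_to_deploy(RULE_JSON))
```

The fourth test case is the one worth copying: a rule that raises on a missing field, or silently matches on it, is the kind of defect that only shows up in production unless the rule ships with a negative test. Keeping the tests in the same document as the rule means a pull request that changes the logic must also change, or at least re-run, the cases that define what the rule is supposed to catch.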
Business Criteria
Ecosystem: This business criterion evaluates a SIEM vendor’s partner ecosystem, which may include third-party MSPs, professional services providers, and channels to market. The ecosystem may also include specialized third-party tools and integrations with commonly deployed technologies.
Scalability: No SIEM can be infinitely scalable. Even cloud-based solutions that can scale up the underlying infrastructure to support more data have some limitations, along with usability and performance concerns. However, solutions should be able to serve large deployments and respond to changes in the amount of data ingested.
Attack surface coverage: While most vendors talk about the types of logs their solution can ingest, this metric translates that information into the types of infrastructure and services the solution can support. For example, solutions must be able to support the data generated natively by various entities, such as MQTT generated by IoT devices, or be able to parse or normalize it.
Documentation and support: To help customers in adopting and running the solution at the scale they need, vendors should offer comprehensive technical documentation and support services.
Threat research units: This business criterion evaluates whether the SIEM vendor operates an in-house threat research unit that can produce security content and reports and help customers navigate emerging threats.
Professional services: These are add-on services customers can purchase for instances falling outside of normal support use cases. They may include deployment, configuration, and calibration of the solution, incident response, security posture and compromise assessment, digital forensics, and the like.
Licensing: This criterion evaluates how a solution supports customers in managing their SIEM costs in a transparent and predictable way. Licensing models can be based on events per second (EPS), on GB ingested, or on number of seats. They can include storage-related costs based on total retention, hot and cold storage, or pay-as-you-go and pay-as-you-grow mechanisms. Other considerations may involve whether free tiers are available and whether other modules, such as UEBA and SOAR, are included in the base price.
Table 4. Business Criteria Comparison
4. GigaOm Radar
The GigaOm Radar plots vendor solutions across a series of concentric rings with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrowhead that projects each solution’s evolution over the coming 12 to 18 months.
Figure 1. GigaOm Radar for Security Information and Event Management
As you can see in Figure 1, vendors are spread throughout all quadrants of the Radar chart, with the majority on the platform side. They are categorized along the Feature/Platform axis depending on whether they natively offer SOAR capabilities, and along the Innovation/Maturity axis based on their scores for the emerging technologies and other novel features.
Many SIEM market exits happened in the second half of 2024. IBM sold its security SaaS portfolio, which included its SIEM business; Logz.io discontinued its SIEM product; there was a merger between LogRhythm and Exabeam; and the Trellix SIEM product received an end-of-life notice in favor of its XDR platform. This year, two established vendors have been added to the report: CrowdStrike and Gurucul.
In the Maturity/Feature Play quadrant, the vendors offer purpose-built SIEM solutions, but SOAR-like capabilities, if any, are delivered through additional solutions. The Maturity/Platform Play quadrant has the largest concentration of vendors. They provide robust SIEM solutions that include native SOAR capabilities. Vendors in the Innovation/Platform Play quadrant offer SIEM capabilities that natively integrate SOAR-like capabilities and score well across emerging technologies. Lastly, in the Innovation/Feature Play quadrant, the solution scores well across emerging features but requires separate solutions to implement orchestration and response capabilities.
In reviewing solutions, it’s important to keep in mind that there are no universal “best” or “worst” offerings; every solution has aspects that might make it a better or worse fit for specific customer requirements. Prospective customers should consider their current and future needs when comparing solutions and vendor roadmaps.
INSIDE THE GIGAOM RADAR
To create the GigaOm Radar graphic, key features, emerging features, and business criteria are scored and weighted. Key features and business criteria receive the highest weighting and have the most impact on vendor positioning on the Radar graphic. Emerging features receive a lower weighting and have a lower impact on vendor positioning on the Radar graphic. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and roadmaps.
Note that the Radar is technology-focused, and business considerations such as vendor market share, customer share, spend, recency or longevity in the market, and so on are not considered in our evaluations. As such, these factors do not impact scoring and positioning on the Radar graphic.
For more information, please visit our Methodology.
5. Solution Insights
CrowdStrike: Falcon Next-Gen SIEM
Solution Overview
Released in May 2024, CrowdStrike’s Falcon Next-Gen SIEM represents one of the most notable product launches in the market, especially following numerous mergers and acquisitions in 2024.
The solution features a cloud-native architecture and is built on CrowdStrike's proven Falcon platform. It can be purchased with Insight XDR, which shares a unified interface.
The Falcon modules share a common data backplane, LogScale, the platform’s security data lake and log management engine. Next-Gen SIEM operates on CrowdStrike's own global infrastructure and data centers, and can also be hosted on AWS GovCloud to meet the security and compliance requirements of US federal agencies.
CrowdStrike’s EDR and threat intelligence pedigree delivers a scalable SIEM, with LogScale capable of processing up to one trillion high-fidelity signals per day. The widely deployed EDR and threat intelligence products offer organizations the opportunity to consolidate their security operations tooling under one provider.
CrowdStrike is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the GigaOm Radar for Security Information and Event Management chart.
Strengths
CrowdStrike scored well on a number of decision criteria, including:
Alarm fidelity and self-tuning: The solution provides comprehensive capabilities for defining and calibrating alarms through features like the CrowdStrike Query Language (CQL) for flexible rule creation and modification, prepackaged rules mapped to MITRE ATT&CK, and custom rule creation via an intuitive UI or CQL. The platform uses ML-based dynamic detection prioritization for risk scoring and AI-powered IOCs for endpoint and cloud workload data.
Threat hunting and retrospective analysis: Through integration with Falcon Exposure Management and vulnerability feeds, Next-Gen SIEM can automatically correlate historical activity with newly discovered vulnerabilities to identify potentially compromised assets. When pivoting to investigations, Workbench provides a centralized, visual interface where analysts can investigate and respond to incidents using comprehensive data and context stored in graph databases. Event timelines show the chronological progression of threat activities, display related events and alerts, highlight key detection points, and enable timeline filtering and zoom capabilities.
LLM-based agents: Charlotte AI offers agentic capabilities for investigating, triaging, and responding to potential breaches. It provides detailed activity logs of all actions taken, documentation of analysis steps, and a record of functions executed. Chain-of-thought reasoning is applied to investigation paths, multistep analysis workflows, and progressive refinement of conclusions. This AI maintains context across an investigation session, implements evaluations, and allows analysts to upload their documents.
Opportunities
CrowdStrike has room for improvement in a few decision criteria, including:
Data enrichment: CrowdStrike boasts solid data enrichment capabilities, including a proprietary threat intelligence feed supported by its in-house threat research unit. However, it can improve by providing local storage of third-party enrichment data and native network traffic analysis.
Case management and collaboration: While the vendor natively supports case management features, it can improve by implementing war rooms where multiple analysts communicate in real time with case-specific data, handling non-security collaboration with other teams, using data stored as global context for LLM agents or copilots, and serving as a shared resource among analysts, including onboarding of new ones.
Purchase Considerations
Flexible purchasing options are available through the Falcon Flex consumption model, with financing through CrowdStrike Financial Services. Next-Gen SIEM can be purchased separately or as part of other modules.
Next-Gen SIEM is priced based on the volume of third-party data ingested and the retention period. All native CrowdStrike Falcon telemetry from platform modules (such as endpoint, identity, and cloud) is included at no extra ingest cost. Next-Gen SIEM customers get 30 days of hot retention out of the box and can expand it to up to five years (based on ingestion).
Use Cases
The CrowdStrike Next-Gen SIEM product delivers a range of use cases, including security operations center (SOC) transformation and modernization, legacy SIEM replacement and consolidation, automated alert triage and investigation, cross-domain threat detection and response, threat hunting and forensics, real-time security analytics, automated incident response, compliance, and log management.
Datadog: Cloud SIEM
Solution Overview
As part of a wider portfolio of infrastructure observability, Datadog Cloud SIEM is built natively into the Datadog Observability and Security Platform, providing extended coverage of security services. Cloud SIEM is fully integrated with all of Datadog’s application and infrastructure monitoring products, allowing users to pivot seamlessly from a potential threat to relevant monitored data to quickly triage security alerts.
Datadog Cloud SIEM offers real-time monitoring, threat detection, and response capabilities across complex and dynamic cloud environments, resulting in enhanced protection against potential cyberattacks.
Cloud SIEM applies advanced analytics to security-related logs from cloud environments, identity providers, and SaaS applications. Leveraging an extended set of data streams from the rest of the IT infrastructure, it uses application, infrastructure, and cloud provider logs to provide deeper insights into application and security activity. The solution supports niche use cases, such as generating a security signal to alert you automatically when a support administrator creates a new API or application key for a service.
Datadog also offers “content packs,” a centralized hub for all out-of-the-box content related to an integration. Content packs can contain prebuilt detection rules, dashboards, workflow automation blueprints, or visual and graphical investigator widgets. Customers can view a preview of this content before activating a content pack. Content packs are available in the following categories: cloud audit, authentication, collaboration, network, cloud developer tools, and endpoint.
Cloud SIEM now offers native incident response capabilities, including alerts, notifications, and automated remediations, enabling security teams to respond quickly to and mitigate security incidents. It integrates with other Datadog services on the platform, such as triaging tools like case management and security automation through workflows. Newly released features include detection rule testing and unit testing, which incorporate detection-as-code methodologies to better integrate testing into the deployment workflows of newly built detections.
Datadog is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the GigaOm Radar for SIEM chart.
Strengths
Datadog scored well on a number of decision criteria, including:
Data enrichment: For data enrichment, Datadog Cloud SIEM provides threat intelligence feeds curated by specialized threat intelligence partners, including IPinfo and GreyNoise. This feature enriches all ingested logs with curated threat intelligence in real time, detecting activity from known threat actors and automatically surfacing relevant context within security alerts. The solution also includes activity information (for example, scanner, attack, or abuse) and the actor’s intention (malicious vs benign) as new attributes, providing rich context for alert investigators. Threat intelligence provides context summaries, reducing false positives and accelerating triage of security signals.
Monitoring ephemeral resources: Datadog offers extensive capabilities for monitoring ephemeral resources, including containers and related Kubernetes constructs, providing visibility into container identity and access management (IAM), networking, and policy changes. Datadog also offers runtime monitoring for containers.
Case management and collaboration: Case management features are built into the Datadog platform and can be accessed with just one click from within Cloud SIEM. Cases can be created directly from security signals and alerts, and they get populated with all relevant telemetry data, analyst contacts, asset owners, and third-party messaging and issue-tracking links. War rooms can be easily created, and stakeholders can collaborate virtually with built-in co-screen meeting tools.
Opportunities
Datadog has room for improvement in a few decision criteria, including:
Data analysis and risk scoring: While the vendor supports analysis and risk scoring through capabilities such as CVSS scores and identification of deviations from standard behavior, it could improve by monitoring levels of inbound and outbound application traffic, connections with other services, and Layer 7 content; providing context-aware risk scores; predicting subsequent steps in a threat’s lifecycle, such as identifying lateral movement targets; and offering threat modeling to detect advanced threats that surface over long periods.
LLM-based copilot: While Datadog introduced Bits AI, a generative AI-powered DevOps copilot that can help investigate and respond to incidents, it could be improved by offering evaluations, guardrails, multiple hosting options, a range of model options, and retrieval-augmented generation (RAG) evaluations.
Purchase Considerations
Datadog's business model is a subscription-based SaaS model. As a result, its products, such as Indexed Logs and Cloud SIEM, are priced based on volume. Datadog offers discounts for multiyear subscriptions or large volume deployments. On-demand prices are publicly available.
Use Cases
Cloud SIEM can be used for security threat detection, investigation, and response, rule testing using historical data, threat hunting, improved regulatory compliance and security auditing and reporting, threat intelligence, and historical trend analysis. As it is part of a wider observability platform, the solution also has access to infrastructure and application performance monitoring.
Devo Technology: Devo Security Data Platform
Solution Overview
Devo Technology’s comprehensive security operations products include Devo SIEM, which is part of the Devo Security Data Platform—a cloud-native, SaaS-delivered solution with integrated SOAR, UEBA, and autonomous threat investigation and hunting capabilities.
In late 2022, Devo Technology acquired LogicHub, a purpose-built security orchestration, automation, and response (SOAR) vendor, and integrated its capabilities natively into the SIEM product. The solution also includes Devo HyperStream, a proprietary, real-time data analytics engine, and Devo DeepTrace for performing autonomous investigations and threat hunting. Devo Exchange—a community-based app and marketplace that provides on-demand access to a growing library of curated security content created by Devo Technology, partners, and customers—is free to every Devo Technology customer.
A distinguishing feature is that the Devo Platform includes 400 days of hot data, a more extended period than is offered by other vendors featured in the report.
The solution can collect binaries, URLs, and files for sandboxing, and it can perform volatile memory analysis at the time of an incident to detect threats hiding in RAM. Devo Technology’s security research team, SciSec, offers its customers a proprietary threat intelligence feed, dubbed Collective Defense, for data collection and sharing. It delivers early warnings about emerging threats via cross-customer threat hunting analysis and accelerated investigations using validated and enriched threat intel from all participating Devo Technology customers.
Devo Technology is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the GigaOm Radar for SIEM chart.
Strengths
Devo Technology scored well on a number of decision criteria, including:
Alarm fidelity and self-tuning: The solution can use prepackaged alarm rules available in Devo Exchange. AI-triggered alarms can be single-metric or multimetric time-series anomaly detections of problems based on historical baselines. Devo Behavior Analytics, the vendor’s UEBA capability, is overlaid against alerts and cases to provide additional context and reduce false positive alarms.
Threat hunting and retrospective analysis: Devo DeepTrace is an alert investigation and threat hunting capability that enables security analysts to conduct comprehensive investigations on alerts or suspicious events autonomously. DeepTrace’s attack-tracing AI pieces together the activity of malicious users or external actors, allowing the analysts to report results in the form of traces, which are artifacts that chronologically document each attack chain.
Data analysis and risk scoring: An entity analytics feature provides context for analysts, such as an “entity battlecard” that ties together valuable data points, including the entity impact score and the alerts, investigations, and enrichments associated with the entity. It also provides visual representations that illustrate the connections between entities and the outcomes of several machine learning models.
Opportunities
Devo Technology has room for improvement in a few decision criteria, including:
Case management and collaboration: While the vendor natively supports case management features within the tool, it can further improve by using data stored as global context for LLM agents or copilots and serving as a shared resource for onboarding new analysts.
DevSecOps suitability: While Devo Technology offers APIs to manage the tooling programmatically, it does not currently support provisioning of SIEM resources such as alerts, detection rules, dashboards, and suppressions via declarative provisioning such as YAML configuration files.
Automation: While the solution can define automation logic using workflows and scripting, it could enhance this capability by implementing triggers such as generic HTTP requests, event-based streams, and LLM chats. It could also implement advanced playbook capabilities, such as retries, timeouts, rate limits, parallel execution, live editors, workflow rollback, and workflow monitoring.
Purchase Considerations
Devo Technology offers three security packages: the Intelligent SIEM Starter, Intelligent SIEM, and Intelligent SIEM+. All three include Devo Analytics Cloud, the SaaS log analytics capability of the Devo Platform. The licensing metric for each package is data ingestion. All packages include SIEM, SOAR, and UEBA at no additional cost.
Each package supports unlimited users and includes 24/7 customer support, a customer success manager, 400 days of hot data, unlimited queries, the Devo Exchange, cloud usage costs, full platform management by Devo, and data encryption at rest and in flight.
Use Cases
With integrated SOAR and UEBA capabilities, Devo’s solution enables the automation of processes, orchestration of third-party tools, and monitoring of anomalous user and entity behaviors. It can also be used for a variety of other use cases, including services and IT infrastructure monitoring, application performance monitoring, network status and performance, and customer experience management across multicloud and hybrid environments.
Elastic: Elastic Security
Solution Overview
Elastic Security stands out from other SIEM solutions because it’s built on the open source Elastic Search AI Platform, which the company continues to extend as “free and open.” It’s worth noting that other SIEM vendors are using Elasticsearch as the underlying engine to query and extract information from their databases.
With its latest 8.14 release, Elastic offers major features, including attack discovery, which triages large numbers of alerts to highlight only the significant ones; enhancements to the Elastic AI Assistant; and the Elasticsearch Query Language (ES|QL).
Elastic Security offers a superior user experience and an intuitive, dynamic, and highly responsive interface. Its seamless design, rapid search, and level of detail combine to rank it high on the threat hunting key feature. Furthermore, the platform features graphical views of events and timelines, which equips security analysts with the right tools to investigate long-term threats in a context-rich environment.
Elastic is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the GigaOm Radar for SIEM chart.
Strengths
Elastic scored well on a number of decision criteria, including:
Automation: The tool provides native orchestration and response capabilities, powered by the Elastic Agent. It gives a terminal-like interface that enables practitioners to view and invoke response actions quickly, and it offers self-cleaning capabilities through an automated remediation feature that erases attack artifacts from the system. When malicious activity is identified on a host, self-cleaning automatically returns the host to its pre-attack state.
Data analysis and risk scoring: The solution can measure host and user risks to highlight suspicious entities. This feature uses a transform with scripted metric aggregation to calculate risk scores based on alerts generated within the past five days for hosts or within the past 90 days for users. The latest anomaly detection modules enable the platform to perform actions such as identifying OS processes showing unexpected network activity and searching for unusual listening ports and web URL requests, rare processes running on multiple hosts, and activity from inactive users.
LLM-based copilot: The solution offers a generative AI feature that allows users to interact with Elastic Security for tasks such as alert investigation, incident response, and query generation or conversion using natural language. The solution also uses retrieval-augmented generation (RAG) for alerts, enabling it to provide context for additional alerts within the environment.
Opportunities
Elastic has room for improvement in a few decision criteria, including:
Case management and collaboration: While the vendor natively supports case management features within the tool, it could improve by implementing war rooms where multiple analysts communicate in real time with case-specific data, handling non-security collaboration with teams such as finance, legal, and HR, using data stored as global context for LLM agents or copilots, and serving as a shared resource for analysts, including onboarding them.
Threat hunting and retrospective analysis: While Elastic’s querying engine is quick and scalable, the solution could improve by applying newly optimized rules to historical data to identify untriggered alarms, retrospectively identify infections related to newly discovered vulnerabilities, automate threat-hunting workflows, seamlessly write and run queries to extract data of interest, and enrich historic data on demand. It could also display interactive timelines that highlight event clusters, frequency analysis that identifies unusual timing patterns, and comparative views that contrast current behavior against historical baselines.
Monitoring ephemeral resources: Even though the solution can ingest Kubernetes audit logs and API server logs, the solution could improve by implementing awareness of identity and access management to detect attacks such as privilege escalation attempts within pods and changes to role-based access control; networking data to detect unauthorized pod connections, network tunneling, or a reverse shell; runtime security data such as malicious, unauthorized, or unsigned images; and changes to security policy, secrets, and ConfigMaps.
Purchase Considerations
While the Elastic Stack is free and open source, enterprises can choose among three Elastic Security plans (standard, platinum, and enterprise), each with increasing prices and feature sets. This report examines the solution’s capabilities as they are available with the enterprise plan. Elastic Cloud can be deployed on any of the major public cloud providers, including AWS, Azure, and Google Cloud. Customers who want to manage the software themselves, whether on public, private, or hybrid cloud, can download Elastic.
Use Cases
Elastic Security can cater to a wide variety of use cases, including detection and investigation of both current and historical threats. With some built-in SOAR capabilities, the solution can orchestrate third-party applications and automate response capabilities. Elastic has powerful search capabilities, enabling analysts to parse large amounts of data. With services certified to meet compliance standards, it can also help organizations comply with various industry standard regulations.
Exabeam: New-Scale SIEM*
Solution Overview
In mid-2024, Exabeam and LogRhythm (another SIEM vendor) merged under the Exabeam branding. The New-Scale Security Operations Platform, sold as Exabeam Fusion, brings together SIEM, machine-learned threat detection, investigation, response automation, and SOC-wide visibility in a single platform. It is a cloud-delivered solution that uses machine learning (ML) and automation for threat detection, analysis, and response.
Exabeam’s Outcomes Navigator feature analyzes environments to assess the level of protection for specific use cases. Outcomes Navigator provides security engineers and leaders with an interactive view to compare their current coverage with the available product coverage. This feature helps to identify gaps and provides recommendations for enhancing coverage. The tool provides a more efficient method for gaining visibility into security outcomes, enabling users to take action and improve their security posture.
The solution can be integrated with existing security stacks through numerous prebuilt integrations with technologies such as endpoint protection systems, business support systems, network modules, and cloud environments. These integrations span the complete threat detection and incident response (TDIR) lifecycle, from data ingestion and normalization to response automation.
Exabeam is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the GigaOm Radar for SIEM chart.
Strengths
Exabeam scored well on a number of decision criteria, including:
Data analysis and risk scoring: The solution calculates a user or asset risk score based on the scores associated with events related to user or asset sessions. For example, a session comprising five login events, all with a score of 10, would have a total score of 50 assigned to it. The behavior analytics module, known as Automated Incident Diagnosis, analyzes abnormal user activity to automatically classify incidents by threat-centric use cases and diagnose associated threats. It classifies the threats by use case to guide investigations with tailored checklists that prescribe the appropriate steps for resolving specific threat types.
Security content: The tool offers a short time to value, leveraging prescriptive, threat-centered use case packages that provide repeatable workflows and prepackaged content spanning the entire TDIR lifecycle. These packages offer a standardized way to quickly achieve effective, repeatable security outcomes for specific threat types. They include all of the content necessary to operationalize that use case, including prescribed data sources, parsers, detection rules, and models.
Threat hunting and retrospective analysis: A mature feature in the SIEM solution is the machine-built timelines that automatically gather evidence and assemble it into a cohesive, step-by-step representation of an attack, which can be used for initial investigation.
Opportunities
Exabeam has room for improvement in a few decision criteria, including:
Data enrichment: The vendor offers a good range of data enrichment sources, but it can improve by incorporating proprietary threat intelligence and research, providing enrichment at ingestion time for a comprehensive downstream context, storing enrichment data locally for easy retrieval, and verifying the integrity of enrichment data.
Automation: While the solution can define automation logic using workflows, it could enhance this capability by implementing triggers such as generic HTTP, events, LLM chats, and time schedules. It can also implement advanced playbook capabilities, such as retries, timeouts, rate limits, parallel execution, nested playbooks, live editors, workflow rollback, and workflow monitoring. Scripting-based automation would be another plus.
Monitoring ephemeral resources: Even though the solution can ingest Kubernetes audit logs and API server logs, it could improve by implementing awareness of identity and access management to detect attacks such as privilege escalation attempts within pods and changes to role-based access control; networking data to detect unauthorized pod connections, network tunneling, or a reverse shell; runtime security data such as malicious, unauthorized, or unsigned images; and changes to security policy, secrets, and ConfigMaps.
Purchase Considerations
Considering the recent merger announcement from Exabeam and LogRhythm, prospective buyers need to evaluate the long-term plan for integrating and running the two solutions. At the time of writing, there are very few details available about how the resulting company and product will appear, but the merger process is likely to cause a medium-term disruption until the products and companies are fully integrated.
Use Cases
With a strong UEBA module, the solution can cater to a wide range of user behavior monitoring use cases, such as detecting data exfiltration and lateral movement. The SOAR-like capabilities allow users to define third-party tool orchestration and automated response capabilities. It’s also suitable for achieving compliance with industry-specific standards.
Fortinet: FortiSIEM
Solution Overview
Fortinet is a key player in the security space. Its FortiSIEM product consolidates its position in the market, ranking high on several key criteria described in the report, including data enrichment, collaboration, and automation. FortiSIEM enables true cross-team collaboration and integration, namely between the security operations center (SOC) and network operations center (NOC).
FortiSIEM’s rapid-scale architecture allows organizations to scale up the platform quickly by deploying additional worker and collector nodes. This scalability, combined with the platform’s multitenancy capability, makes Fortinet’s SIEM a suitable solution for managed security service providers (MSSPs). FortiSIEM has a built-in ticketing feature and can integrate with third-party ticketing systems.
FortiSIEM encompasses all core SIEM capabilities, including log management, event correlation, real-time alerting, and incident response. It enhances these features with native automation capabilities, simplifying the process of threat detection, analysis, and response. Furthermore, FortiSIEM can be extended with FortiSOAR, Fortinet’s solution for streamlining security operations center processes through orchestrated automated workflows.
A distinguishing feature is FortiSIEM’s business service, which enables the prioritization of incidents and performance metrics from a business service perspective. In the FortiSIEM context, a business service is defined as a container of relevant devices and applications serving a common business purpose.
Fortinet further solidifies its strong position for MSSPs with the new release of FortiSIEM Manager, which enables the monitoring and management of multiple FortiSIEM instances. It is available as a virtual machine (VM), a hardware appliance, and software as a service (SaaS), catering to diverse organizational needs and infrastructure setups.
Fortinet is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the GigaOm Radar for SIEM chart.
Strengths
Fortinet scored well on a number of decision criteria, including:
Alarm fidelity and self-tuning: FortiSIEM’s distributed event correlation engine can detect complex threats in near real time, whether they be user or machine behavioral anomalies, specified in terms of event patterns sequenced over time. The FortiSIEM rule engine can include any data in a rule, such as performance and change metrics, as well as security logs. This feature can generate a dynamic watch list that can be used recursively in a new rule to create a nested rule hierarchy and use the SIEM’s native configuration management database (CMDB) objects to define rules.
Automation: FortiSIEM has automated many processes that were traditionally carried out by security and network analysts. These include infrastructure discovery, incident mitigation, and detecting changes in network configuration. Customers with more advanced automation requirements can take advantage of FortiSOAR, a standalone product that can be integrated with and enhance the SIEM solution, but it must be deployed separately.
Data analysis and risk scoring: FortiSIEM’s ML-based UEBA models offer a built-in rules library for use cases such as login behavior anomalies. The behavioral anomaly rules work out of the box, but they can also be adapted by users for their own environment. Additionally, the solution includes an agent-based file integrity monitoring (FIM) system that helps monitor changes to files, ensuring these changes are tracked and recorded for security auditing and compliance purposes.
Opportunities
Fortinet has room for improvement in a few decision criteria, including:
Data enrichment: The vendor offers a good range of data enrichment sources but can improve by incorporating proprietary threat intelligence and research, providing enrichment at ingestion time for a comprehensive downstream context, storing enrichment data locally for easy retrieval, verifying the integrity of enrichment data, and conducting network traffic analysis.
Case management and collaboration: While the vendor natively supports case management features within the tool, it can improve by implementing war rooms where multiple analysts communicate in real time with case-specific data, handling non-security collaboration with other teams, using data stored as global context for LLM agents or copilots, and serving as a shared resource for analysts, including onboarding them.
Monitoring ephemeral resources: Even though the solution can ingest Kubernetes audit logs and API server logs, the solution could improve by implementing awareness of identity and access management to detect attacks such as privilege escalation attempts within pods and changes to RBAC; networking data to detect unauthorized pod connections, network tunneling, or a reverse shell; runtime security data; and changes to security policy, secrets, and ConfigMaps.
Purchase Considerations
FortiSIEM’s licensing model is based on events per second, number of agent log collectors and file integrity monitoring agents, number of UEBA endpoint collector agents, and an add-on fee for Fortinet’s indicators of compromise (IoC) service. MSSPs can use a consumption-based mechanism that consists of an annual fee plus the number of devices monitored, the number of advanced agents, and the number of UEBA endpoint telemetry collector agents.
Use Cases
FortiSIEM can be used for log management, compliance management, incident detection, case management, and performance monitoring. The solution can be used for various issue alerting possibilities, whether from application, cloud, network, server, or storage performance. Other use cases include host discovery, network discovery, brute force logon attempts, malware and ransomware detection, and credential theft and harvesting.
Gurucul: REVEAL Next-Gen SIEM
Solution Overview
Gurucul REVEAL Next-Gen SIEM is an entirely modular, unified data and security analytics platform. It is structured as a suite of six integrated proprietary modules, which include Next-Gen SIEM, user and entity behavior analytics (UEBA), security orchestration, automation, and response (SOAR), data optimizer (data pipeline management/DPM), identity analytics, and Sme AI, Gurucul’s suite of AI products.
Gurucul’s REVEAL Next-Gen SIEM analyzes enterprise data at scale, using machine learning and artificial intelligence to provide real-time, actionable insights into actual threats and their associated risks. It is designed to deliver results on day one, offering unmatched versatility in deployment, data ingestion, customization, and the ability to quantify, prioritize, and mitigate the risk of security threats, as well as respond effectively. It is a cloud-native platform that supports on-premises, hybrid, and multicloud. It can integrate with anything in your technology stack.
Its intelligent fabric ensures complete visibility across your environment. It automates data ingestion, interprets data from any source or format, extracts security-relevant content, and enriches, reduces, and routes data from any source, format, or IT estate, including non-security data. It offers over 10,000 out-of-the-box content modules that can be easily modified as needed through a simple, wizard-driven interface.
It heavily leverages AI and machine learning (ML) analytics, with a library of over 4,000 pretuned detection models that have been developed and refined. These can be chained together to trigger, confirm, filter, and cross-validate alerts, identifying unknown unknowns and surfacing what matters most. They are also easily customized with a drag-and-drop interface. The platform dynamically assesses risk based on more than 200 different attributes. Internal and external risk profiles normalize scores and provide full context to elevate threats, enabling you to take action. The entire platform uses agentic and GenAI, which work together to reduce the time to detect and respond to insider threats.
Gurucul is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the GigaOm Radar for SIEM chart.
Strengths
Gurucul scored well on a number of decision criteria, including:
Threat hunting and retrospective analysis: The solution offers robust threat hunting capabilities through features such as applying optimized rules to historical data for retroactive analysis and accelerated behavior profiling and the retrospective identification of vulnerability exploits using the investigate interface. Analysts can visualize attack sequences with the threat progression timeline view and understand environmental relationships using interactive dependency maps and drill-down capabilities.
Data analysis and risk scoring: The tool excels in data analysis and risk scoring through its AI-driven architecture, which features a data optimizer for intelligent data lifecycle management, Gurucul Studio for custom rule and model creation, and AI/ML-powered analytics engines. It provides UEBA with customizable baselines, context-aware dynamic risk scoring that incorporates various factors (such as behavioral anomalies and threat intelligence), and risk chaining to identify complex attacks by correlating seemingly unrelated events.
LLM-based agents: The solution employs self-deterministic AI agents, powered by its Sme AI, to enhance threat investigation and response. These agents enrich alerts with context, execute playbooks, and provide analysts with real-time recommendations. Prompts follow chain-of-thought techniques for transparent reasoning. Gurucul integrates with vector databases such as MongoDB and Elasticsearch for enhanced semantic search and context-aware analysis.
Opportunities
Gurucul has room for improvement in a few decision criteria, including:
Case management and collaboration: While the vendor natively supports case management features within the tool, it can improve by using data stored as global context for LLM agents or copilots and serving as a shared resource among analysts, including for onboarding new ones.
Automation: While the solution can define automation logic using workflows, it can enhance this capability by implementing triggers such as generic HTTP, event-driven triggers using protocols like Kafka, chat triggers (including LLM chats), and scheduled triggers. It can also implement advanced playbook capabilities, such as retries, timeouts, rate limits, nested playbooks, live editors, and workflow rollback.
Purchase Considerations
The Gurucul REVEAL Next-Gen SIEM platform's licensing approach is subscription-based: organizations pay a recurring annual fee, or a monthly fee in the case of MSSPs. Annual subscriptions often include software updates, support, and maintenance, with costs determined by factors such as the number of users, data volume, or other metrics specific to the organization's needs.
Use Cases
Gurucul’s extensive platform is appropriate for various use cases, including threat detection, investigation, and response (TDIR), insider threat management, identity threat detection and response, cloud security monitoring, data exfiltration prevention, privileged access monitoring, and regulatory and standards compliance.
Graylog: Graylog Security
Solution Overview
Graylog Security is a comprehensive SIEM solution built on the Graylog platform, an open source SSPL-licensed centralized log management solution designed for log data aggregation, analysis, and management. The SIEM solution offers anomaly detection services built on prepackaged content, known as Graylog Illuminate, which addresses common cybersecurity and log management functions, such as correlation and alerting, dashboards, dynamic lookup tables, scheduled reports, search templates, streams, and pipelines for routing log messages into categories.
Graylog focuses on providing use case-specific content, including threat detection rules, anomaly detection, saved searches for threat hunting, and dashboards. These are generated in partnership with SOC Prime, a cyberdefense platform that provides a threat detection marketplace with exclusive content packs available to Graylog customers.
Graylog is positioned as a Leader and Outperformer in the Maturity/Feature Play quadrant of the GigaOm Radar for SIEM chart.
Strengths
Graylog scored well on a number of decision criteria, including:
Alarm fidelity and self-tuning: Graylog’s alerting mechanism works by performing periodic searches that can trigger notifications when a defined condition is satisfied. Alert time frames can be set to search only a specific time in the past and to perform searches only at certain time intervals. Data from logs is aggregated, and alerting is triggered when the result of an aggregation meets a predefined threshold through statistical computation. Illuminate offers index-on-write capabilities and data organization through pipelines and streams.
Data analysis and risk scoring: The anomaly detection module uses the Graylog environment structured by Illuminate, which receives log data, then normalizes and enriches it. Graylog then feeds the enriched data into the anomaly detection tool, which breaks it into time slices and identifies data points that fall outside the expected range based on historical data. When anomalous data points are detected, they are logged into a special anomaly index in the Graylog instance.
Data enrichment: Graylog’s lookup tables support integration with external databases like CMDB. Graylog architecturally separates inputs from data processing, enabling any message to be collected, indexed, and available for search without any processing rules. Graylog includes generic inputs to collect data from nontraditional log sources, such as reading files on local file systems or cloud storage like S3. RAW/Plaintext input is a netcat-like application that will receive any data sent to the listening port, and Raw HTTP ingests plain-text HTTP requests for receiving arbitrary messages over HTTP protocol.
Graylog is classified as an Outperformer given its extensive development pipeline for the next year and considerable feature releases with Graylog 6.0 and 6.1, which include features such as an asset risk model and native telemetry pipeline management.
Opportunities
Graylog has room for improvement in a few decision criteria, including:
Automation: While the solution can define automation logic using workflows, it can enhance this capability by implementing triggers such as event-driven triggers using protocols like Kafka, chat triggers, and scheduled triggers. It can also implement advanced playbook capabilities such as retries, timeouts, rate limits, parallel execution, nested playbooks, live editors, workflow rollback, and workflow monitoring. Scripting-based automation would be another plus.
Threat hunting and retrospective analysis: While Graylog’s querying engine is quick and scalable and can apply optimized detection on historical data, the solution can improve by displaying interactive timelines that highlight event clusters, frequency analysis that identifies unusual timing patterns, comparative views that contrast current behavior against historical baselines, and dependency maps of relationships between affected assets.
Monitoring ephemeral resources: Even though the solution can ingest Kubernetes audit logs and API server logs, it can improve by implementing awareness of identity and access management to detect attacks such as privilege escalation attempts within pods and changes to role-based access control; networking data to detect unauthorized pod connections, network tunneling, or a reverse shell; runtime security data; and changes to security policy, secrets, and ConfigMaps. Graylog plans to extend the asset risk model to ephemeral resources in late 2025.
Purchase Considerations
Graylog has three different versions. Graylog Open is built to open source standards and is freely available as a self-managed, SSPL-licensed centralized log management solution designed for log data aggregation, analysis, and management. Graylog Enterprise is licensed using a consumption-based subscription model based on daily data allowances. Enterprise builds on Graylog Open with data and user management features, including continuous updates to log processing and enrichment. Lastly, Graylog Security is also licensed using a consumption subscription model based on daily data allowances, and adds relevant security features to Graylog Enterprise, including anomaly detection, investigations, asset context, and continuous updates. This provides value-added content, such as Sigma rules, dashboards, and anomaly detectors. This report evaluates features available under Graylog Security.
Use Cases
Graylog Security can be used for use cases such as threat detection and response, centralized log management, and compliance. The solution’s content platform, Illuminate, offers out-of-the-box correlation rules, aggregation rules, anomaly detectors, Sigma rules, saved searches, and dashboards tailored to meet specific security and compliance use cases.
Hunters: SOC Platform
Solution Overview
The Hunters SOC Platform is a cloud-native security operations solution delivered as a multitenant SaaS offering that runs on AWS, Snowflake, or Databricks. It ingests, normalizes, and analyzes data from all security and IT sources, allowing security teams to connect to organizational data without the need to deploy and maintain ingestion pipelines. The platform delivers built-in and regularly updated detection capabilities based on the MITRE ATT&CK framework that do not require analysts to build and maintain detection rules regularly.
Hunters leverages commercial data warehouse technologies, such as Snowflake and Databricks, to scale cost-effectively with large data volumes. It has an open security data lake strategy that allows customers to bring their own warehouses or have the data infrastructure managed on their behalf.
Some of Hunters’ distinguishing features include host investigation, which provides a host-specific timeline of raw data ingested in relation to a specific host; multiple data lake support for running on either Snowflake or Databricks; SQL-as-Detection for advanced detection use cases leveraging the power of SQL directly against the data lake back end; detection-as-code for building GitOps-based detections and interacting with the platform as part of the CI/CD process; and workflows for defining no-code automation playbooks for ticketing, chatops, email, or other systems.
Hunters is positioned as a Leader and Outperformer in the Innovation/Platform Play quadrant of the GigaOm Radar for SIEM chart.
Strengths
Hunters scored well on a number of decision criteria, including:
Alarm fidelity and self-tuning: Hunters’ distinguishing capabilities for alert calibration, curation, and correlation stem from its prebuilt and continuously validated library of detection and investigation capabilities that automatically manage content at scale. The detectors are preverified using real-world customer data to eliminate false positives and excessive alerting, and then deployed directly to all customer tenants without requiring any action or adjustment. Through the multitenant architecture, Hunters continuously tunes and optimizes analytics based on data from all tenants.
Data enrichment: Upon detection, the solution automatically enriches and contextualizes data using various sources from the customer's environment, including network, host, and identity data. Hunters’ research team continually develops scoring functions that are mapped to entity types and various detectors.
Threat hunting and retrospective analysis: Hunters’ detection mechanism is capable of backfilling, and new detection capabilities are always researched and run against historical data. This capability works for tactics, techniques, and procedures (TTP) detectors, as well as for IoCs. It is based on a unique architecture that allows users to efficiently run new IoCs against historical data and match previously seen IoCs to updated feeds. Hunters' graph-based correlation engine connects events across multiple data sources, creating detailed attack "stories."
Hunters is classified as an Outperformer given its extensive development pipeline for the next year, with recent releases including detection-as-code, prompt-to-query, and AI explainability.
Opportunities
Hunters has room for improvement in a few decision criteria, including:
Case management and collaboration: While the vendor natively supports case management features within the tool, it can improve by implementing native handling of collaboration with non-security teams, using data stored as global context for LLM agents or copilots, and serving as a shared resource for analysts, including onboarding them.
Automation: While the solution offers comprehensive out-of-the-box automation features and can define automation logic using workflows, it can further enhance this capability by implementing triggers such as generic HTTP, event-driven triggers using protocols like Kafka, chat triggers (including LLM chats), and scheduled triggers. It could also implement advanced playbook capabilities, such as retries, timeouts, rate limits, parallel execution, nested playbooks, live editors, workflow rollback, and workflow monitoring, including execution times, response codes, and logs of automated actions. Scripting-based automation would be another improvement.
LLM-based agent: Hunters offers extensive agent-based features but can further improve this by allowing users to register functions for the LLM to use and upload documents and data for additional context.
Purchase Considerations
Hunters' licenses are based on the number of customer entities monitored, with unlimited data ingested per entity. A license is required for every monitored endpoint, workstation, server, virtual machine, and EC2 instance within the monitored environment. Ephemeral devices can be counted using a daily average of those devices visible over the course of a 30-day period. The company offers two data lake options: customers can bring their own Snowflake or Databricks and pay those companies directly for credit consumption, or they can purchase a Hunters-managed data lake with storage terms of up to 36 months.
Use Cases
The Hunters solution can be used to automate incident response workflows; automatically triage, enrich, cluster, and prioritize alerts; identify and respond to cloud-specific threats; continuously monitor cloud environments and leverage advanced analytics for threat detection; detect and respond to on-premises threats in real time; correlate data across endpoints and networks; and streamline incident response workflows. It is also multitenant-friendly for MSSPs, enabling them to deliver comprehensive security services to their clients.
Huntsman Security: SIEM
Solution Overview
Huntsman Security is an Australian company with a strong presence in the UK market, serving clients across the private and public sectors, including defense, intelligence, and law enforcement agencies. Its SIEM offering includes Enterprise SIEM and MSSP SIEM, each with a strong focus on simplifying and optimizing security operations through automation and workflow support. Huntsman also provides an integrated SOAR solution and an optional Scorecard module that provides details about a system’s patch status and software versions, as well as misconfigurations and other vulnerabilities.
Huntsman Security’s Enterprise SIEM, with fully integrated SOAR and MITRE ATT&CK analysis capabilities, is a cybersecurity analytics platform that deploys across large or small customer organizations to provide a complete cyberthreat detection and incident management, response, and reporting system.
For MSSPs and larger or federated organizations, Huntsman’s solution supports the creation of multitenancy silos for data, reports, policies, and alerts, enabling the simultaneous handling of multiple MSSP customers or organizational units from a single instance. The segmentation permits separate business units or the security operations of large or federated organizations to be managed separately.
Huntsman Security’s SIEM solution is a single product, delivered as software, and deployable on-premises or in public and private cloud environments. However, the vendor does not currently offer a SaaS option. Its MSSP SIEM product supports multitenancy, allowing business units to be managed as separate silos or as federated units, with a single team able to share threat intelligence across multiple end customers.
Huntsman Security is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the GigaOm Radar for SIEM chart.
Strengths
Huntsman Security scored well on a number of decision criteria, including:
Data analysis and risk scoring: Huntsman Security’s patented Behaviour Anomaly Detection (BAD2) engine is integrated into its SIEM to provide real-time ML capabilities to detect unknown threats. BAD2 supports use cases such as higher or unusual volumes of network session or user traffic on a per-user or per-host basis, volumes of events such as file accesses or other activity on hosts and workstations, changes in the usage profile of application servers, or query operations on databases and changes in the frequency or prevalence of operations. The detection engine adapts to changes and trends over time.
Alarm fidelity and self-tuning: In Huntsman Security, rules are created or customized in the GUI by selecting from drop-downs and checkboxes that cover alert logic definition (triggers, correlators, and reference sources), alert text, recipients, and actions. The SIEM solution correlates across different event types using a multistage correlator that caches key event data in RAM for real-time matching. Data is checked against open alert descriptors to determine whether any additional conditions are met.
Automation: Huntsman SIEM supports automation, orchestration, and response. Alerts can trigger any number of built-in or customer-created scripts or workflows in any supported language. An alert rule can trigger validation actions and can determine whether the alert is valid or not. Post-alert response commands then take action, gather data, or effect a response. Built-in threat verification facilities proactively gather endpoint, proxy, network, DNS, and security context.
Opportunities
Huntsman Security has room for improvement in a few decision criteria, including:
Case management and collaboration: While the vendor natively supports case management features, it can improve by implementing war rooms where multiple analysts communicate in real time with case-specific data, handling collaboration with non-security teams, using data stored as global context for LLM agents or copilots, and serving as a shared resource for analysts, including onboarding new ones.
Threat hunting and retrospective analysis: The solution offers good threat hunting features, which include a comprehensive query language, but it can improve by applying newly optimized rules to historical data to identify untriggered alarms, and displaying interactive timelines that highlight event clusters, frequency analysis that identifies unusual timing patterns, and comparative views that contrast current behavior against historical baselines. Interactive dependency maps showing relationships between affected assets would also greatly improve the product.
Monitoring ephemeral resources: Although the solution can ingest Kubernetes audit logs and API server logs, the solution can improve by detecting attacks such as privilege escalation attempts within pods and changes to role-based access control; unauthorized pod connections, network tunneling, or a reverse shell; runtime security data; and changes to security policy, secrets, and configmaps.
Purchase Considerations
Huntsman Security supports three licensing models—CapEx-based, which is a traditional software license model with support renewed annually; OpEx-based for periodic subscription; and pay-as-you-go for highly flexible usage-based utility billing. License fees are based on events per second but can be converted to other scaling metrics, such as per user or per device.
Use Cases
The Huntsman SIEM solution can cater to a variety of use cases, particularly for meeting compliance standards and requirements in highly regulated industries. With its anomalous behavior detection, the solution can track and audit user activity to protect against unauthorized access. It can also be used for threat hunting, investigation, orchestration of third-party services, and response automation.
Logpoint: Logpoint SIEM
Solution Overview
Logpoint, headquartered in Copenhagen, Denmark, offers a solid SIEM solution with exceptional security and privacy controls. Its distinguishing feature is its high level of compliance, having been awarded the Common Criteria EAL3+ certification in 2015 and 2020, and a SOC2 Type II attestation in 2023. To achieve and maintain EAL3+ certification, the highest software security standard achieved by any SIEM vendor, the on-premises solution is developed on a hardened OS maintained by Logpoint. This makes Logpoint SIEM eminently suitable for deployment in highly regulated industries, including national governments and international agencies.
Logpoint offers SIEM, SOAR, and NDR capabilities, and deep integrations with third-party EDRs from a single end-to-end security operations platform. Supported by case management and threat intelligence features, Logpoint ensures a converged experience for both on-premises and cloud-hosted deployments.
Besides being compliant across many industries and regulations, the solution is also distinguished by its business integrity monitoring, which looks to detect fraud and financial and value-chain anomalies. This helps analysts eliminate financial and reputational losses in organizations by detecting flaws and deviations from standards in business processes that are vulnerable to fraud.
Logpoint has taken a modular approach to security monitoring and analytics. The Logpoint SIEM, which can be deployed as a single physical appliance or as software spread across multiple physical or virtual servers, provides basic log management, incident detection, and investigation capabilities. Logpoint’s Director for SIEM module provides multitenancy capabilities for MSSPs or large enterprise deployments.
Logpoint is positioned as a Challenger and Forward Mover in the Maturity/Platform Play quadrant of the GigaOm Radar for SIEM chart.
Strengths
Logpoint scored well on a number of decision criteria, including:
Threat hunting and retrospective analysis: Logpoint provides security analysts with a comprehensive suite of features for searching vast amounts of information and creating macros. It leverages ML-enabled UEBA capabilities and integrates the MITRE ATT&CK framework through visualizations and predefined alerts, which are mapped to specific techniques.
Automation: Logpoint has a native SOAR built directly into the SIEM. Logpoint SOAR provides prebuilt and customizable playbooks that closely integrate with SIEM data and can call APIs from over 400 vendors to carry out SOAR actions. Logpoint SOAR can automate many actions, including automated incident analysis; triggering responses in IAM systems, IaaS instances, and EPP/EDR systems; and instructing email systems to delete emails with content that is either malicious or violates policy.
Case management and collaboration: The solution offers robust case management and collaboration features, including workspaces where multiple analysts can view, comment on, and modify a case. An investigation timeline for all activities on the case item displays an overview of the incident status and helps users understand what action to take next. Cases can be automatically assigned based on analysts’ profiles. Assignment is done in the alert ownership and later in the aggregated case.
Opportunities
Logpoint has room for improvement in a few decision criteria, including:
Alarm fidelity and self-tuning: The solution has a good detection mechanism that can allow administrators to define trigger conditions. However, it can be improved by calibrating rules based on flagged false positives, categorizing alarms based on the resolutions of previous similar incidents, or suggesting new or modified alarm rules based on observed patterns.
Data analysis and risk scoring: While the vendor supports analysis and risk scoring capabilities, such as CVSS scores and identifying deviations from standard behavior, it can improve by offering context-aware risk scores; prediction of the next steps in a threat’s lifecycle, such as identifying lateral movement targets; threat modeling to detect advanced threats that surface only gradually; and categorizing threat actors' activity.
Data enrichment: The vendor offers a good range of data enrichment sources but can improve by implementing enrichment at ingestion time for full downstream context, storing enrichment data locally for easy retrieval, checking the integrity of enrichment data, and performing network traffic analysis.
Logpoint is classified as a Forward Mover given its limited year-on-year releases and feature developments.
Purchase Considerations
Logpoint’s licensing model depends on the modules used by customers. The on-premises SIEM is licensed by number of devices (nodes) sending data, and the SaaS SIEM by data ingestion and retention. Logpoint’s SOAR is licensed by the number of concurrent analysts. Every Logpoint SIEM license (both on-premises and SaaS) comes with one SOAR seat at no additional cost. AgentX is also included at no additional cost with every Logpoint SIEM license (both on-premises and SaaS). UEBA is licensed by the number of users and entities the customer wants to track.
Logpoint offers predictable pricing based on the number of devices sending logs to the SIEM solution rather than data volume or events per second (EPS). It also uses a tiered storage model to provide more economical storage for compliance data while maintaining ready access to data needed for analytics.
Use Cases
Logpoint’s unified SIEM, UEBA, and SOAR, along with the EAL3+ certification, make it suitable for a wide range of use cases, such as security log ingestion and management, orchestration of third-party services, and automated response, as well as monitoring of user activity to watch for privilege escalation and unauthorized access behaviors.
Logsign: Logsign Unified SecOps Platform
Solution Overview
Logsign is a unified security operations platform with integrated modules for SIEM, threat intelligence, UEBA, and threat detection and incident response.
The UEBA module can be used to detect insider attacks, stop data exfiltration, and detect risky users and monitor their behaviors to prevent the spread of infections. The analytics module provides information on why a user's behavior is suspicious, using 400 predefined behaviors, and indicates how this behavior is expected to progress. For example, it monitors multiple failed login attempts within a specific period to detect brute force attacks.
Logsign Unified SecOps Platform offers flexible deployment options, including an on-premises model, through which customers can manage the platform within their own data centers, and a cloud-based model to deploy instances in a public or private cloud environment.
Logsign is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the GigaOm Radar for SIEM chart.
Strengths
Logsign scored well on a number of decision criteria, including:
Case management and collaboration: The solution provides a detailed page for analysts so they can collaborate, take the necessary actions, and conduct investigations. Logsign provides detailed incidents in case management with timelines, visual cards for investigations, an incidents summary with detailed views, and lifecycle management according to the least-similar incident. Lifecycle stages are possible, and using the magic button can produce automated or semi-automated responses for some detections.
Threat hunting and retrospective analysis: Analysts can pull relevant threat information without pivoting using the magic button, which brings up the response integrations. Analysts can, for example, check the confidence score of an IP address or connect to VirusTotal to get its reputation. From there, they can respond to and contain threats, undertaking actions such as rebooting the affected asset, killing processes, or terminating connections. Following the remediation stage, the solution enables analysts to update firewall rules or endpoint agents. Threat hunting can also be conducted according to the MITRE ATT&CK framework.
Alarm fidelity and self-tuning: For alarm fidelity, the Logsign SIEM platform leverages over 500 predefined correlation rules and associated use cases, uses risk-based scoring based on behavior analytics, and filters security signals easily according to severity level or MITRE ATT&CK technique.
Opportunities
Logsign has room for improvement in a few decision criteria, including:
Automation: While the solution can define automation logic using workflows, it can further enhance this capability by implementing triggers such as generic HTTP, event-driven triggers using protocols like Kafka, chat triggers (including LLM chats), and scheduled triggers. It can also implement advanced playbook capabilities such as retries, timeouts, rate limits, parallel execution, nested playbooks, live editors, workflow rollback, and workflow monitoring such as execution times, response codes, and logs of automated actions. Scripting-based automation would be another improvement.
Monitoring ephemeral resources: Even though the solution can ingest Kubernetes audit logs and API server logs, the solution could improve by implementing awareness of identity and access management to detect attacks such as privilege escalation attempts within pods and changes to role-based access control; unauthorized pod connections, network tunneling, or a reverse shell; runtime security data such as malicious, unauthorized, or unsigned images; and changes to security policy, secrets, and configmaps.
Data enrichment: The vendor offers a good range of data enrichment sources but can improve by implementing enrichment at ingestion time for full downstream context, storing enrichment data locally for easy retrieval, checking the integrity of enrichment data, and performing network traffic analysis.
Purchase Considerations
Logsign’s licensing model is subscription-based and primarily determined by the number and type of log data sources connected to the platform. This ensures a pricing model aligned with the volume of data analyzed.
Modules available include UEBA and threat intelligence, which are integrated into the Logsign Unified SecOps Platform, allowing customers to select the specific features they need. For managed security service providers, the UEBA and TI modules are included by default in the Logsign Unified SecOps Platform.
Logsign’s tiered service models offer customers options for the level of proactive support, expert guidance, and hands-on management included with the platform.
Use Cases
Logsign Unified SecOps Platform can deliver on use cases such as threat detection and incident response while also meeting compliance requirements. The solution can proactively identify threats to production systems and sensitive data, track and audit user activity to protect against unauthorized access, and generate detailed reports to demonstrate compliance with various standards.
ManageEngine: Log360
Solution Overview
ManageEngine’s suite of products is the Swiss Army knife of SIEM. Its main SIEM platform, Log360, takes a modular approach to information and event management, integrating several products into a single console. Users can mix and match multiple products to create a bespoke solution or opt for the entire suite for a comprehensive SIEM platform.
Log360's UEBA add-on is powered by machine learning (ML) and can detect anomalies by recognizing subtle shifts in user or entity activity. It helps identify, qualify, and investigate threats that might otherwise go unnoticed by extracting more information from logs to give better context. Administrators can identify the network’s count, time, and pattern anomalies based on users and their peer groups. Out-of-the-box analytics are provided for use cases such as insider threats, account compromise, and data exfiltration.
Customers can select the security features they need, including threat intelligence feeds for enhanced data analysis. Log360 integrates with threat intelligence feeds via STIX/TAXII, as well as with Webroot's BrightCloud, AlienVault OTX, and Constella. The Incident Workbench can be invoked from anywhere inside the Log360 SIEM console as users navigate through various dashboards, including reports, log search, compliance, and correlation.
ManageEngine is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the GigaOm Radar for SIEM chart.
Strengths
ManageEngine scored well on a number of decision criteria, including:
Automation: Log360 offers robust automation capabilities, supporting the creation of workflows that automate standard procedures typically performed by security analysts. The solution also features an analytics system, which classifies events in trend reports and system events to help security practitioners with analysis and response. It features out-of-the-box correlation rules, including for common ransomware attacks. The custom correlation rule builder allows analysts to correlate seemingly unrelated events across the network to detect attacks.
Data analysis and risk scoring: ManageEngine's Log360 is a comprehensive SIEM tool that provides enterprises with a single-pane view of all suspicious user activity on their network. It can be deployed on-premises, in the cloud, and in hybrid environments. Log360's UEBA component is powered by supervised and unsupervised machine learning (ML) models that analyze user behavior, identify anomalous patterns, and detect threats.
Data enrichment: The solution can collect data, logs, or events from more than 750 sources, including user directories, asset inventories, threat intelligence feeds, servers, workstations, and applications. It can populate alert and incident details with data from user directories and identity management systems, asset inventories and configuration management databases, open source intelligence and third-party threat intelligence feeds, network observability tools, reputation directories, intrusion detection systems, antivirus and EDR solutions, and more.
Opportunities
ManageEngine has room for improvement in a few decision criteria, including:
Alarm fidelity and self-tuning: The solution offers a good detection mechanism that can allow administrators to define trigger conditions. However, it can be improved by using prepackaged rule sets as a core baseline for alarm detection, calibrating rules based on flagged false positives, categorizing alarms based on the resolutions of previous similar incidents, suggesting new or modified alarm rules based on observed patterns, or providing a sandbox environment to test and fine-tune alarms using synthetic data. It could also support vendor-agnostic detections using SIGMA, YARA, or PySigma.
Case management and collaboration: While the vendor natively supports case management features, it can improve by implementing war rooms where multiple analysts communicate in real time with case-specific data, handling collaboration with non-security teams, using data stored as global context for LLM agents or copilots, and serving as a shared resource for analysts, including onboarding new ones.
Cost optimization: While Log360 can offer better costs through compression of ingested data and apply ingestion filters, it can improve by decoupling log ingestion and log indexing, decoupling log storage from query compute, analyzing data at ingestion time, analyzing only some types of data at ingestion time, with the rest directly stored, and customizing what data is retained to support threat hunting and historical detections use cases.
Purchase Considerations
To deploy the Log360 SIEM, customers are required to monitor components, namely the domain controllers, Windows servers, Windows workstations, and syslog devices. Add-on components include file integrity monitoring and file server auditing, application monitoring, IIS and SQL Server auditing, Active Directory reporting, cloud source auditing, Microsoft 365 tenants, AWS accounts, UEBA, advanced threat analytics, and Exchange Server auditing.
Use Cases
Log360 can support use cases such as monitoring user behavior and critical systems to track privileged user activity, and it can identify anomalies through machine learning (ML) and detect suspicious attempts, including privilege escalation and unauthorized access. It can also be used for network threat detection to monitor traffic for unusual connections or port activity, for auditing changes such as firewall policy modifications, for monitoring threat intelligence feeds for malicious IP/URL blocking, and for rogue device detection with automated response workflows. Log360 also has a FIM module that tracks all file and folder activity, such as access, creation, deletion, and modification. FIM also generates detailed reports and triggers alerts for unauthorized actions. The solution can help organizations comply with industry-specific regulations with built-in reporting templates for PCI DSS, SOX, HIPAA, and other regulations.
Microsoft: Sentinel*
Solution Overview
Microsoft Sentinel is a cloud-native SIEM solution that uses built-in AI to help analyze large volumes of data. Microsoft Sentinel aggregates data from all sources, including users, applications, servers, and devices running on-premises or in any cloud. Microsoft Sentinel is built on the Azure platform. It provides a fully integrated experience in the Azure portal that seamlessly integrates with existing services such as Microsoft Defender for Cloud and Azure ML.
Microsoft Sentinel supports Jupyter notebooks in Azure ML workspaces, including full libraries for machine learning (ML), visualization, and data analysis. They can be used to extend the scope of what you can do with Microsoft Sentinel data, such as performing analytics that aren't built into Microsoft Sentinel, creating bespoke data visualizations, and integrating data sources outside of Microsoft Sentinel.
Azure Lighthouse enables multitenant management with scalability, higher automation, and enhanced governance across resources. It allows service providers to deliver managed services using comprehensive and robust tooling built into the Azure platform. Customers maintain control over who has access to their tenant, which resources they can access, and what actions can be taken. Enterprise organizations managing resources across multiple tenants can use Azure Lighthouse to streamline management tasks.
Microsoft is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the GigaOm Radar for SIEM chart.
Strengths
Microsoft scored well on a number of decision criteria, including:
Alarm fidelity and self-tuning: To help reduce noise and minimize the number of alerts generated, Microsoft Sentinel uses analytics to correlate alerts into incidents, or groups of related alerts that indicate a possible actionable threat to be investigated and resolved. Microsoft’s ML capabilities can deliver high alarm fidelity by identifying suspicious behavior and presenting a concise list of the most probable attacks or vulnerabilities to a human cybersecurity professional. The model then incorporates feedback.
Threat hunting and retrospective analysis: The solution provides contextual and behavioral information for threat hunting, investigation, and response using built-in entity-behavioral analytics features. It also has a mature querying function that can be written to extract data before, during, and after a compromise. Before an incident occurs, analysts can be proactive by running any threat-hunting queries related to the data being ingested to provide early insight into events that may confirm that a compromise is in progress.
Data analysis and risk scoring: The risk scoring module incorporates two modules that work together to calculate a risk value. Each module has its own set of defined variables that specifies the multiplier to be applied for each row passed along and a score per item that indicates whether the score is calculated on a per-item basis. The values generated by these included modules are summed up within this module to obtain a final total.
Opportunities
Microsoft has room for improvement in a few decision criteria, including:
Data enrichment: The vendor offers a good range of data enrichment sources but can improve by implementing enrichment at ingestion time for full downstream context, storing enrichment data locally for easy retrieval, checking the integrity of enrichment data, and performing network traffic analysis.
Case management and collaboration: While the vendor natively supports case management features, it can further improve by implementing war rooms where multiple analysts communicate with case-specific data, handling collaboration with non-security teams, using data stored as global context for LLM agents or copilots, and serving as a shared resource for analysts, including onboarding new ones.
Threat hunting and retrospective analysis: Microsoft’s querying engine is quick and scalable but can be improved by offering interactive timelines that highlight event clusters, frequency analysis tools that identify unusual timing patterns, and comparative views that contrast current behavior against historical baselines. Interactive dependency maps showing relationships between affected assets would also be a plus.
Purchase Considerations
Customers are billed for the volume of data analyzed in Microsoft Sentinel and stored in Azure Monitor Log Analytics workspace. Data can be ingested from two different types of logs: analytics and basic. Analytics logs in Microsoft Sentinel support all data types and offer full analytics, alerts, and no query limits. Basic logs are usually verbose and contain a mix of high-volume and low-security value data without the full capabilities of analytics logs. Sentinel also offers a pay-as-you-go pricing model through which customers are billed per gigabyte (GB) for the volume of data ingested for security analysis in Microsoft Sentinel and stored in the Azure Monitor Log Analytics workspace.
Use Cases
Microsoft Sentinel is a comprehensive SIEM that is particularly suitable for customers who have bought into the Microsoft ecosystem. With a built-in SOAR, the solution can be used for automation of response tasks and orchestration of third-party services.
NetWitness: NetWitness Platform
Solution Overview
Having developed its SIEM over the past 15 years, NetWitness fully embraces the concept of an evolved SIEM solution. Its SIEM is also part of the larger NetWitness Platform, integrating with other NetWitness detection and response solutions such as network (NDR) and endpoint (EDR), which together provide comprehensive visibility, correlation, detection, and remediation capabilities.
NetWitness Logs is the SIEM component of NetWitness Platform. It collects security, compliance, OS, resource access, and administrative events and parses the events into respective meta keys to further enrich the data with relevant threat, priority, and business context for comprehensive investigations and complex correlation. It natively supports application-layer monitoring using log ingestion, API integrations, network protocols, and endpoint data, including log ingestion from security platforms such as UTM, SaaS, and IaaS vendors.
NetWitness Plugin Framework enables monitoring and analysis of API-driven applications such as Microsoft 365, SFDC, Dropbox, Slack, and other applications or services. It has over 400 integrations, including open source log collectors such as Logstash, FluentD, and Elastic. In addition, NetWitness Logs has parsers for most major operating systems and for enterprise applications such as SAP ERP, GE PACS IW, and J4Care Healthcare Connector.
The NetWitness Log Parser Tool (NWLTP) allows the customer to easily create log parsers for custom applications. The SIEM correlates log events not only from multiple event sources but also with network packet data, NetFlow, endpoints, and other integration sources, allowing comprehensive visibility, detection, forensics, and response across sources. It provides automation and control through orchestration (SOAR) modules that are fully integrated with a unified datastore and data architecture and a single interface that gives visibility across all types of data, so security analysts can see the entirety of any security situation and respond in a truly informed and comprehensive way.
NetWitness SIEM can be deployed wherever a customer needs threat detection, including on-premises hardware, virtual software, major cloud providers, or any hybrid combination. It can also be deployed as a SaaS and managed security solution or managed detection and response offering for organizations that prefer to outsource some or all of the administrative and/or investigative burden.
NetWitness is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the GigaOm Radar for SIEM chart.
Strengths
NetWitness scored well on a number of decision criteria, including:
Data analysis and risk scoring: NetWitness UEBA, a cloud-based behavior-analytics solution powered by AWS, applies unsupervised ML to data captured by the NetWitness Platform to rapidly detect unknown threats. A distinguishing feature of NetWitness is its integration of a fully featured network capture and analytics solution (NTA/NDR) combining packet and metadata capture, static file analysis, threat intelligence, and orchestration.
Data enrichment: NetWitness can add business context to threat analysis so organizations can prioritize threats based on potential impact to their businesses. In addition, intelligence gathered from industry research, crowdsourced from its customer base, and drawn from the organization’s own data is fully aggregated and operationalized at ingestion. Enrichment includes elements such as threat intelligence from NetWitness FirstWatch, business context, technical context, MITRE ATT&CK mapping, and geolocation data. Enrichment is applied at ingestion time.
Alarm fidelity and self-tuning: NetWitness supports creating and configuring custom rules, event source management, an alarming service, and a health and wellness service with multiple OOTB policies and rules. Rules are highly tunable and can be ordered to suppress false positives. Events can be grouped into incidents, which reduces triage time for analysts. NetWitness can also send health check API calls and alarms.
Opportunities
NetWitness has room for improvement in a few decision criteria, including:
Case management and collaboration: While the vendor natively supports case management features, it can improve by implementing war rooms where multiple analysts communicate in real time with case-specific data, handling collaboration with non-security teams, using data stored as global context for LLM agents or copilots, and serving as a shared resource for analysts, including onboarding new ones.
Automation: While the solution can define automation logic using workflows, it can improve on this capability by implementing triggers such as generic HTTP, event-driven triggers using protocols such as Kafka, LLM chats, and scheduled triggers. It can also implement advanced playbook capabilities such as retries, timeouts, rate limits, parallel execution, nested playbooks, live editors, workflow rollback, and workflow monitoring such as execution times, response codes, and logs of automated actions.
Threat hunting and retrospective analysis: NetWitness offers good threat hunting features, including automated threat hunting. This can be improved by retrospectively identifying infections related to newly discovered vulnerabilities, and by displaying interactive timelines that highlight event clusters, frequency analysis that identifies unusual timing patterns, and comparative views that contrast current behavior against historical baselines. Dependency maps between affected assets with drill-down capabilities could also improve the solution in this area.
Purchase Considerations
NetWitness offers the following three types of licenses: throughput-based, UEBA-based, and endpoint-based.
Throughput is measured by the amount of data used per day, whether from logs (SIEM), network packets, or malware analysis. Log data is measured in gigabytes per day, while packet data is measured in terabytes per day. The licensed throughput is determined by the total volume of data processed daily across the entire NetWitness Platform deployment.
UEBA (user and entity behavior analytics) licensing is based on the number of active users from the previous day. This user count is reported to the licensing server. Entitlements are tracked for logs and endpoint events by matching active users against their user IDs.
Endpoint licensing is based on the number of active agents deployed across the environment.
Use Cases
With an integrated SIEM and EDR approach, NetWitness can support a variety of use cases, including discovery of infrastructure, such as hosts and networks; network threat detection for monitoring traffic; and change auditing, such as firewall policy modifications. With the UEBA module, it can monitor user behavior and identify anomalies using machine learning. The solution can help organizations comply with industry-specific regulations such as PCI DSS, SOX, and HIPAA.
OpenText: OpenText Enterprise Security Manager
Solution Overview
Previously known as ArcSight, OpenText Enterprise Security Manager is a central element of OpenText’s security strategy. The OpenText solution offers a complete security operations (SecOps) solution that consists of SIEM, UEBA, SOAR, and big-data threat hunting technologies. These features reside on a unified platform that includes common storage, a shared data platform, and a unified interface.
The solution provides its own threat intelligence feed but can also integrate with a variety of threat intelligence platforms to obtain threat definitions as they evolve. Those threat definitions or identifiers are then turned into various lists that the real-time rules use to match against new events coming into the system. As the threat evolves and the threat intelligence platform is updated, those definitions will be synced automatically into OpenText Enterprise Security Manager and new events will match.
OpenText is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the GigaOm Radar for SIEM chart.
Strengths
OpenText scored well on a number of decision criteria, including:
Alarm fidelity and self-tuning: Administrators can define detection rules using a flexible rule editor to create logic-based conditions. ML models built in TensorFlow, Spark, Python, and SPSS can be brought in via the Predictive Model Markup Language (PMML) format. Rules can incorporate event attributes, thresholds, and time windows. The alerting engine supports prepackaged rule sets, alarm correlation, prioritization, categorization, and false positive calibration.
Data enrichment: The solution curates data sources via SmartConnectors and FlexConnectors, pulling from various logs, databases, APIs, and feeds. The enrichment process is automated through correlation rules and data monitors, with SmartConnectors ingesting data in real time and populating incident fields using predefined mappings. The platform normalizes data to a standardized schema, ensuring consistent incident details, and supports dynamic repopulation.
Data analysis and risk scoring: OpenText leverages machine learning through its behavior signal module and correlation engine. These components analyze events in real time, enhancing threat detection and prioritization across enterprise environments. The solution offers unsupervised machine learning-based UEBA to continuously create a normal operating baseline and to monitor users’ and entities’ activities, such as type and time of activity, servers or applications’ inbound/outbound traffic, service connections, and Layer 7 payloads. The dynamic risk scoring module prioritizes threats by considering all entities related to an event based on all the context that can be gathered. It also correlates events with MITRE ATT&CK to forecast attack stages.
Opportunities
OpenText has room for improvement in a few decision criteria, including:
Case management and collaboration: While the vendor natively supports case management features, it can improve by implementing native capabilities for handling collaboration with non-security teams, using data stored as global context for LLM agents or copilots, and serving as a shared resource for onboarding new analysts.
Monitoring ephemeral resources: Even though the solution can ingest Kubernetes audit logs and API server logs, it can improve by implementing awareness of identity and access management to detect attacks such as privilege escalation attempts within pods and changes to role-based access control; unauthorized pod connections, network tunneling, or a reverse shell; runtime security data; and changes to security policy, secrets, and configmaps.
Automation: While the solution offers comprehensive out-of-the-box automation features and can define automation logic using workflows, it can improve on this capability by implementing triggers such as generic HTTP, event-driven triggers using protocols such as Kafka, LLM chats, and scheduled triggers. It can also implement advanced playbook capabilities such as retries, timeouts, rate limits, parallel execution, nested playbooks, live editors, workflow rollback, and workflow monitoring such as execution times, response codes, and logs of automated actions.
Purchase Considerations
OpenText Enterprise Security Manager is sold through a flexible, transparent licensing model tailored to enterprise needs, balancing capacity, scalability, and cost efficiency. The solution is priced based on events per second (EPS) and managed entities, with options for perpetual or subscription licenses, add-ons, and premium services. Licensing options include perpetual licenses, which are one-time purchases with ongoing maintenance fees, ideal for long-term deployments; and subscription licenses, which have annual or multiyear terms, offering flexibility and predictable costs, aligning with industry standards.
Use Cases
The solution supports a variety of real-world use cases to detect modern threats, such as threat, ransomware, and insider detection and incident response, sensitive data and IP protection, threat hunting lead generation, financial fraud detection and response, compliance and regulation real-time detection and long-term reporting, and forensics investigation. The solution also offers infrastructure, DDoS, IoT, and mobile attack detection and response.
Panther Labs
Solution Overview
Panther is built for cloud data, empowering cloud-native security teams to ensure real-time threat detection, log aggregation, incident response, and continuous compliance.
A distinguishing aspect is the cloud security scanning feature that scans AWS accounts, modeling the resources within them and detecting misconfigurations. Common security misconfigurations detectable by Panther include S3 buckets without encryption, security groups allowing inbound SSH traffic from 0.0.0.0/0, access keys kept for more than 90 days, and permissive identity and access management policies.
Security logs inside the security data lake are enriched with contextual metadata, such as identity context (user, host, IP addresses), vulnerability context (scan reports), and business context. Analysts can create custom lookup tables or use out-of-the-box providers such as GreyNoise, IPinfo, and Tor.
Panther supports alert runbooks, which are sets of instructions for remediating issues triggering an alert. Runbooks also describe the severity of the issue's risk, the remediation effort, and the conditions that triggered the alert.
Panther Labs is positioned as an Entrant and Fast Mover alone in the Innovation/Feature Play quadrant of the GigaOm Radar for SIEM chart.
Strengths
Panther Labs scored well on a number of decision criteria, including:
DevSecOps suitability: The Panther Console is Panther's web interface, and the Panther Developer Workflows (including CI/CD, the API, and the Panther Analysis Tool (PAT)) are non-console workflows that can be used to interact with a Panther account. Teams can also customize, create, and harden detections leveraging Python, unit tests, and standard CI/CD workflows to tailor detections specifically for their environment.
Threat hunting and retrospective analysis: Panther pushes normalized data into a security data lake inside Snowflake, where it is readily available for investigation using SQL queries. Panther's data analysis tools enable analysts to search collected and normalized log data in data lakes. Log sources can be queried with the indicator search tool or query builder or by using SQL in Data Explorer. Data Explorer is useful for conducting a complex or highly customized search.
Alarm fidelity and self-tuning: Python functions take in log events to identify suspicious behavior and trigger alerts. There are three types of Python functions: rules, scheduled rules, and policies. Rules detect suspicious activity in security logs in real time. Scheduled rules run against results from scheduled queries on data lakes. Policies scan and evaluate cloud infrastructure configurations to identify misconfigurations.
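As an added example, not Panther's own code, the block below shows the detection-as-code style described above: four policies that check the AWS misconfigurations named in the Solution Overview (unencrypted S3 bucket, SSH open to 0.0.0.0/0, access key older than 90 days, wildcard admin IAM policy) against constructed resource records, plus one real-time rule that fires on a constructed CloudTrail-like root console login. The resource and event field names are assumptions modelled on AWS API shapes, not Panther's actual schemas; following Panther's convention, a policy returns True when the resource is compliant and a rule returns True when an alert should fire.

```python
"""Panther-style detection-as-code (added illustration, not Panther's code).

Policies take a cloud resource dict and return True when compliant; rules
take a log event dict and return True when an alert should fire. Field
names are assumptions modelled on AWS API shapes, not Panther's schemas.
"""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)
# Constructed "current time" so the access-key age check is deterministic.
NOW = datetime(2025, 7, 15, tzinfo=timezone.utc)


def _as_list(value):
    """IAM documents allow either a string or a list for Action/Resource."""
    return value if isinstance(value, list) else [value]


# ---- policies: evaluate cloud configuration, True == compliant ----

def policy_s3_encryption(resource: dict) -> bool:
    """Compliant when the bucket has at least one default encryption rule."""
    return bool(resource.get("EncryptionRules"))


def policy_no_open_ssh(resource: dict) -> bool:
    """Compliant when no ingress rule exposes TCP/22 to 0.0.0.0/0."""
    for perm in resource.get("IpPermissions", []):
        from_port, to_port = perm.get("FromPort"), perm.get("ToPort")
        # A rule without ports covers all ports, which includes SSH.
        covers_ssh = from_port is None or from_port <= 22 <= to_port
        world_open = any(r.get("CidrIp") == "0.0.0.0/0"
                         for r in perm.get("IpRanges", []))
        if covers_ssh and world_open:
            return False
    return True


def policy_access_key_age(resource: dict, now: datetime = NOW) -> bool:
    """Compliant when every active access key is at most 90 days old."""
    for key in resource.get("AccessKeys", []):
        if key.get("Status") != "Active":
            continue
        created = datetime.fromisoformat(key["CreateDate"])
        if now - created > MAX_KEY_AGE:
            return False
    return True


def policy_no_admin_wildcard(resource: dict) -> bool:
    """Compliant when no Allow statement grants Action '*' on Resource '*'."""
    statements = resource.get("PolicyDocument", {}).get("Statement", [])
    for stmt in _as_list(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if ("*" in _as_list(stmt.get("Action", []))
                and "*" in _as_list(stmt.get("Resource", []))):
            return False
    return True


# ---- rule: evaluate a log event in real time, True == alert ----

def rule_root_console_login(event: dict) -> bool:
    """Alert on a successful console login by the AWS root user."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("userIdentity", {}).get("type") == "Root"
            and event.get("responseElements", {}).get("ConsoleLogin") == "Success")


POLICIES = {
    "S3.Encryption": policy_s3_encryption,
    "EC2.SecurityGroup.OpenSSH": policy_no_open_ssh,
    "IAM.AccessKey.Age": policy_access_key_age,
    "IAM.Policy.AdminWildcard": policy_no_admin_wildcard,
}


def failing_policies(resources: dict) -> list:
    """Return IDs of policies whose resource (keyed by policy ID) fails."""
    return [pid for pid, fn in POLICIES.items() if not fn(resources[pid])]


# Constructed sample resources; each one is deliberately misconfigured.
SAMPLE_RESOURCES = {
    "S3.Encryption": {"Name": "example-bucket", "EncryptionRules": []},
    "EC2.SecurityGroup.OpenSSH": {"IpPermissions": [{
        "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    "IAM.AccessKey.Age": {"AccessKeys": [
        {"Status": "Active", "CreateDate": "2025-01-01T00:00:00+00:00"}]},
    "IAM.Policy.AdminWildcard": {"PolicyDocument": {"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
}

SAMPLE_EVENT = {  # constructed CloudTrail-like record
    "eventName": "ConsoleLogin",
    "userIdentity": {"type": "Root"},
    "responseElements": {"ConsoleLogin": "Success"},
}

if __name__ == "__main__":
    print("non-compliant:", failing_policies(SAMPLE_RESOURCES))
    print("root login alert:", rule_root_console_login(SAMPLE_EVENT))
```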
Opportunities
Panther Labs has room for improvement in a few decision criteria, including:
Data enrichment: The vendor offers a good range of data enrichment sources but can improve by including proprietary threat intelligence and research, providing enrichment at ingestion time for full downstream context, storing enrichment data locally for easy retrieval, checking the integrity of enrichment data, and performing network traffic analysis.
Case management and collaboration: While the vendor natively supports case management features, it can improve by implementing war rooms where multiple analysts communicate in real time with case-specific data, handling collaboration with non-security teams, using data stored as global context for LLM agents or copilots, and serving as a shared resource for analysts, including onboarding of new ones.
Automation: While the solution can define automation logic using workflows, it can improve on this capability by implementing triggers such as generic HTTP, event-driven triggers using protocols such as Kafka, LLM chats, and scheduled triggers. It could also implement advanced playbook capabilities such as retries, timeouts, rate limits, parallel execution, nested playbooks, live editors, workflow rollback, and workflow monitoring such as execution times, response codes, and logs of automated actions. The solution could also implement scripting-based automation using languages such as Python.
Purchase Considerations
Panther does not publicly disclose its pricing and licensing models. It offers one-year data retention policies and allows customers to bring their own Snowflake instance. Panther can run queries directly in the data lake service.
While Panther’s approach has clear differentiators, the solution’s CSPM features are currently limited to monitoring AWS environments.
Use Cases
Panther is particularly strong in supporting DevSecOps practices because it built its solution with a detection-as-code-first approach. With the distinguishing AWS misconfiguration detection features, the solution is highly suitable for DevOps-led AWS-native organizations.
Rapid7: InsightIDR*
Solution Overview
Rapid7’s InsightIDR is a cloud-native integrated SIEM and XDR solution. InsightIDR has many modules available natively and supports a robust library of third-party integrations to supplement its out-of-the-box endpoint, network, and user coverage. The solution offers a constantly updated library of ATT&CK-mapped detections and can deliver capabilities such as EDR, UEBA, embedded threat intelligence, deception technology, incident response, and investigations.
The InsightIDR solution’s native network traffic analysis feature provides network visibility and detection alongside data from the rest of the environment. Its enhanced network traffic analysis feature leverages proprietary packet capture to access additional network metadata for an understanding of the full scope of activity.
Last year, Rapid7 added the integration between InsightIDR and Threat Command for XDR features, which offers an improved external and internal attack surface view within Rapid7. Customers can view Threat Command alerts alongside their broader detection set in InsightIDR, prioritize and investigate these alerts using InsightIDR’s investigation management capabilities, and then seamlessly pivot back and forth between the two products. Threat Command detection rules can be tuned directly in InsightIDR with respect to rule actions, rule priorities, and exceptions.
Rapid7 is positioned as a Challenger and Forward Mover in the Maturity/Platform Play quadrant of the GigaOm Radar for SIEM chart.
Strengths
Rapid7 scored well on a number of decision criteria, including:
Data enrichment: InsightIDR leverages external threat intelligence from Rapid7’s open source community, advanced attack surface mapping, and proprietary ML. Detections are constantly curated by Rapid7’s threat intelligence and detections engineering team. The solution auto-enriches every log line with user and asset details and correlates events across different data sources, displaying visual investigation timelines.
Data analysis and risk scoring: The solution also includes a UEBA module, which continuously baselines normal user activity to identify anomalies. Correlated user data also offers rich context for other attacker alerts to help speed investigations and response. Besides UEBA, InsightIDR also has an attacker behavior analytics (ABA) module, which identifies the ways attackers gain persistence on an asset and send commands to and receive responses from victim machines. Each ABA detection rule hunts for a unique attacker behavior. The UEBA and ABA detection rules are flexible, and analysts can modify out-of-the-box rules, create custom alerts, and subscribe or contribute to community threat intelligence.
Automation: For automation, InsightIDR includes prebuilt workflows for containing threats on an endpoint, suspending user accounts, and integrating with ticketing systems. InsightIDR also integrates seamlessly with InsightConnect (Rapid7’s SOAR solution) for more advanced workflow-building capabilities.
Opportunities
Rapid7 has room for improvement in a few decision criteria, including:
Case management and collaboration: While the vendor natively supports case management features, it can improve by implementing war rooms, handling collaboration with non-security teams, using data stored as global context for LLM agents or copilots, and serving as a resource shared among analysts, including new ones being onboarded.
Monitoring ephemeral resources: Even though the solution can ingest Kubernetes audit logs and API server logs, it can improve by implementing features such as detection of privilege escalation attempts within pods and of changes to role-based access control; detection of unauthorized pod connections, network tunneling, or a reverse shell; runtime detection of malicious, unauthorized, or unsigned images; and detection of changes to security policy, secrets, and configmaps.
Alarm fidelity and self-tuning: The solution has a good detection mechanism that allows administrators to define trigger conditions. However, it can be improved by categorizing alarms based on the resolutions of previous similar incidents, suggesting new or modified alarm rules based on observed patterns, or providing a sandbox environment to test and fine-tune alarms using synthetic data. It could also support vendor-agnostic detections using Sigma, YARA, or pySigma, or offer alarm monitoring to report on trigger frequency, false positive rate, and true positive rate.
Rapid7 was classified as a Forward Mover given its limited year-on-year releases and feature developments.
Purchase Considerations
Threat Complete is Rapid7’s licensing package for InsightIDR and includes two tiers: Threat Complete Advanced and Threat Complete Ultimate. In this report, we evaluated the features as available under the InsightIDR Ultimate package: centralized log management, search, reporting and dashboards, FIM, IDS, network traffic analysis, threat intelligence, EDR, attacker behavior analytics, user behavior analytics, deception technology, SOAR, attack surface monitoring, and security configuration assessment (policy assessment).
Use Cases
The solution’s distinctive combined XDR and SIEM approach enables a range of use cases, including automated endpoint response and comprehensive environment visibility. The solution provides native engineer-vetted detections, embedded threat intelligence, and threat investigation tools.
Securonix: Securonix Unified Defense SIEM
Solution Overview
Securonix Unified Defense SIEM provides organizations a threat detection, investigation, and response (TDIR) solution built on a highly scalable data cloud. The cloud-native solution adopts a cybersecurity mesh architecture to agnostically integrate with multiple clouds, data lakes, and security solutions. The SIEM offers organizations 365 days of hot data for fast search and investigation, powered by the Snowflake Data Cloud. It relies on threat content as a service to deliver a frictionless unified TDIR experience.
Securonix’s strategy is to create a next-generation SIEM platform that is well integrated, comprehensive, and can provide a true end-to-end security analytics and operations solution. Securonix differs from other vendors of solutions with similar capabilities in its approach to the cloud. It is one of only a few vendors that provide a native and robust SaaS deployment model and has even implemented a bring-your-own-cloud version.
The Securonix platform includes capabilities relating to security data lakes (SDLs), UEBA, security orchestration, automation, and XDR. Buyers interested in Securonix’s SIEM platform should consider user experience, the learning curve, and available documentation. These factors will be essential to ensuring the platform’s capabilities are used as intended and that its complexity will not be a hindrance for security analysts.
Securonix is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the GigaOm Radar for SIEM chart.
Strengths
Securonix scored well on a number of decision criteria, including:
Threat hunting and retrospective analysis: Securonix’s Autonomous Threat Sweeper (ATS) service automatically performs threat hunting retroactively, using historic logs to scan customer environments for threats that have only been recently discovered. Another differentiator is the vendor’s Threat Research Lab, which continuously monitors emerging threats and develops detection content that customers can apply in production.
Data analysis and risk scoring: Securonix leverages both supervised and unsupervised ML to achieve capabilities such as behavior pattern and rare event detection and automated phishing and spam identification. It can perform analysis functions such as feature extraction, min-max clustering, and peer group profiling. The system can also leverage contextual data to super-enrich user data by applying risk boosters.
Data enrichment: Data ingested into the platform is super-enriched by attaching meaningful context to any attributes/fields within raw events to build super-enriched events. Super-enrichment can occur in many scenarios, including attaching entity metadata, threat intelligence, geolocation, lookup data, and user identity information such as job function, access privileges, location, peer groups, and activity. This super-enriched data is indexed, normalized, and processed throughout the Securonix solution, following the WORM (write once, read many) principle.
Opportunities
Securonix has room for improvement in a few decision criteria, including:
Case management and collaboration: While the vendor natively supports case management features, it can improve by implementing war rooms where multiple analysts communicate in real time with case-specific data, handling non-security collaboration with other teams, using data stored as global context for LLM agents or copilots, and serving as a resource shared among analysts, including new ones being onboarded.
Automation: While the solution can define automation logic using workflows, it can improve on this capability by implementing triggers such as generic HTTP, events, and chat triggers. For playbooks, it could implement retries, timeouts, rate limits, parallel execution, nested playbooks, live editors, workflow rollback and workflow monitoring. Scripting-based automation would be another improvement.
Monitoring ephemeral resources: Even though the solution can ingest Kubernetes audit logs and API server logs, it could improve by detecting attacks such as privilege escalation attempts within pods and changes to role-based access control; using networking data to detect unauthorized pod connections, network tunneling, or a reverse shell; using runtime security data to detect malicious, unauthorized, or unsigned images; and detecting changes to security policy, secrets, and configmaps.
Purchase Considerations
Securonix offers four licensing tiers with increasing features and prices, all priced on a GB per day ingestion rate. Autonomous Threat Sweeper, SOAR, and Investigate are available as add-ons to the Basic, Standard, and Advanced packages, and all add-ons are included in the All-in package. The capabilities evaluated in this report are the ones included in the All-in package.
Use Cases
The most popular use cases for the Securonix solution are focused on detection of insider threats, privilege misuse, and advanced cyberattacks. Securonix supports over 1,000 out-of-the-box use cases and more than 100 threat models that are available to customers as prepackaged content. Threat chain models are combinations of use cases (indicators of compromise or IoCs) that, if seen together, indicate a much stronger likelihood of a security compromise.
SolarWinds: Security Event Manager
Solution Overview
SolarWinds’ Security Event Manager (SEM) is a mature SIEM solution that offers deep visibility into IT environments. SEM collects, consolidates, normalizes, and visualizes logs and events from firewalls, IDS/IPS devices and applications, switches, routers, servers, operating systems, and other applications. Features include log management, threat detection, normalization and correlation, file integrity monitoring, compliance, and reporting. The solution can be deployed as a virtual appliance.
SolarWinds’ Security Observability is a distinctive offering resulting from the integration of SolarWinds Observability Self-Hosted with Security Event Manager and Access Rights Manager. Security Observability helps organizations protect distributed and complex IT infrastructures by rapidly detecting, alerting on, and remediating security incidents, enabling the solution to rank high on the attack surface reduction criterion. It also scans network nodes to enable customers to identify environment-based risks and vulnerabilities.
The solution includes built-in report templates for internal and external regulatory compliance, including PCI DSS, GLBA, SOX, NERC CIP, and HIPAA. It can correlate system and user activities to reconstruct a compliance violation or mitigate an emerging security threat, filter information to customize reports for specific departments or recipients, and produce graphical summaries to enhance high-level reports.
The FIM feature delivers broader compliance support and deeper security intelligence for insider threats, zero-day malware, and other advanced attacks. FIM can detect and alert about changes to key files, folders, and registry settings. The correlation engine can leverage sources such as Active Directory and file audit events to obtain information identifying which user was responsible for accessing and changing a file and to identify other users’ activities occurring before and after the file change.
SolarWinds is positioned as an Entrant and Forward Mover in the Maturity/Feature Play quadrant of the GigaOm Radar for SIEM chart.
Strengths
SolarWinds scored well on a number of decision criteria, including:
Threat hunting and retrospective analysis: The solution’s search and event-time correlation capabilities help carry out forensic analysis and network security audits by processing and normalizing log data before it’s written to the database. It offers predefined rules and a custom correlation rule builder to automatically alert on possible security breaches and other critical issues. The log analyzer tool can forward correlated log data to an external destination for further analysis if and when required.
Automation: The solution can respond to suspicious activity using predefined actions, such as blocking USB devices, killing malicious processes, logging off users, quarantining infected machines, blocking IP addresses, and adjusting Active Directory settings.
Alarm fidelity and self-tuning: The tool supports rule definitions that include use cases such as IDS/IPS systems with infection symptoms, antivirus software addressing potential infections, system errors, and crash reports.
Opportunities
SolarWinds has room for improvement in a few decision criteria, including:
Case management and collaboration: While the vendor natively supports case management features, it can improve by implementing war rooms where multiple analysts communicate in real time with case-specific data, handling non-security collaboration with other teams, and using data stored as global context for LLM agents or copilots.
Automation: While the solution can define automation logic using workflows, it can further improve on this capability by implementing triggers such as generic HTTP, events, LLM chats, and time schedules. It could also implement advanced playbook capabilities such as retries, timeouts, rate limits, parallel execution, nested playbooks, live editors, workflow rollback, and workflow monitoring.
Data analysis and risk scoring: While the vendor offers built-in rule templates to detect and respond to suspicious user activities, such as adding or removing users from admin groups or accessing a business-critical server after office hours, it can improve by monitoring levels of inbound and outbound application traffic, connections with other services, and Layer 7 content; offering context-aware risk scores; predicting the next steps of a threat’s lifecycle, such as identifying lateral movement targets; threat modeling to detect advanced threats that surface over long periods of time; and categorizing threat actors’ activity.
SolarWinds was classified as a Forward Mover given its limited year-on-year releases and feature developments.
Purchase Considerations
SolarWinds has a wider infrastructure monitoring and observability solution, which includes network, systems, databases, application, and IT service management. Customers who are already using products from the SolarWinds ecosystem can benefit from adding security monitoring along with their existing observability solutions.
Use Cases
SolarWinds SEM can be used for compliance management and reporting for multiple standards and regulations, and for threat hunting and investigation across a wide range of infrastructure services and applications.
Splunk (Cisco): Splunk Enterprise Security (ES)
Solution Overview
Splunk Enterprise Security (ES) is a mature and powerful application that equips security analysts with all the information they need to conduct investigations and respond to threats. It ranks high on the alarm fidelity, threat hunting, and data analysis and risk scoring criteria.
Splunk ES supports multiple deployment models, including on-premises appliances, virtual instances in public or private clouds, SaaS, or a combination of any of those. The solution’s out-of-the-box detection rules make it easy to use and lower the learning curve for analysts. This content helps create and tune alerts, perform contextual searches, and increase the speed of detection and analysis. Furthermore, the use case library enables faster detection of and incident response to both new and known threats.
Splunk (acquired by Cisco) is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the GigaOm Radar for SIEM chart.
Strengths
Splunk (Cisco) scored well on a number of decision criteria, including:
Threat hunting and retrospective analysis: The solution can help analysts investigate compromised systems using event sequencing, investigation timelines, and investigation workbenches. These features are designed to tackle common challenges security analysts face. Threat topology allows analysts to gauge the extent of an incident by mapping all the associated risk and threat objects. Analysts can immediately discover the scope of a security incident and quickly pivot between affected assets and users in the investigation, saving time and increasing productivity.
Alarm fidelity and self-tuning: A useful included feature is risk-based alerting (RBA), which enables analysts to create risk attributions for entities when something suspicious happens. Then, instead of triggering an alert for each attribution, the attributions are sent to the risk index so that a notable event is triggered only when an entity’s risk score meets a predetermined threshold.
Data analysis and risk scoring: The tool evaluates and identifies threats from three categories. First, unknown unknowns are identified using behavioral analytics services that cluster related entities to identify new threats based on peer or group analysis and profile entities to find new threats based on multiclass, deep neural net classifiers. Following that, known unknowns are threats that have been identified, and the behavioral analytics services perform predictive analytics to understand when these events might occur in the future.
Opportunities
Splunk (Cisco) has room for improvement in a few decision criteria, including:
Case management and collaboration: While the solution natively supports case management features, it could be improved by implementing war rooms where multiple analysts communicate in real time with case-specific data, handling non-security collaboration with other teams, and using data stored as global context for LLM agents or copilots.
Automation: While the solution can define automation logic using workflows, it could improve on this capability by implementing triggers such as generic HTTP, events, LLM chats, and schedules. It can also implement advanced playbook capabilities such as retries, timeouts, rate limits, parallel execution, nested playbooks, live editors, workflow rollback, and workflow monitoring.
Monitoring ephemeral resources: Even though the solution can ingest Kubernetes logs, it can improve by implementing detection of attacks such as privilege escalation attempts within pods and changes to RBAC; networking data to detect unauthorized pod connections, network tunneling, or a reverse shell; runtime security data; and changes to security policy, secrets, and configmaps.
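The Kubernetes detections named in the opportunity above (privilege escalation within pods and changes to RBAC) can be expressed as simple rules over API-server audit records. The block below is an added illustration and is not Splunk content; the audit events are constructed for the example and abbreviated to the fields the rules read (`verb`, `user.username`, `objectRef`, `requestObject`), and the rule names are assumptions.

```python
"""Detections over Kubernetes audit-log lines: RBAC changes and privileged pod creation.

Added illustration, not vendor code. The audit events are constructed and
abbreviated; field names follow the Kubernetes audit Event shape.
"""
import json

# Constructed sample audit log (one JSON event per line).
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"verb": "create", "user": {"username": "dev-bot"},
     "objectRef": {"resource": "pods", "namespace": "ci", "name": "runner-1"},
     "requestObject": {"spec": {"containers": [{"name": "r", "securityContext": {"privileged": True}}]}}},
    {"verb": "create", "user": {"username": "alice"},
     "objectRef": {"resource": "clusterrolebindings", "name": "debug-admin"},
     "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}},
    {"verb": "get", "user": {"username": "alice"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "web-1"}},
    {"verb": "patch", "user": {"username": "system:serviceaccount:kube-system:ci"},
     "objectRef": {"resource": "roles", "namespace": "prod", "name": "reader"}},
    {"verb": "create", "user": {"username": "bob"},
     "objectRef": {"resource": "pods", "namespace": "dev", "name": "app-1"},
     "requestObject": {"spec": {"containers": [{"name": "a", "securityContext": {"privileged": False}}]}}},
])

RBAC_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}
MUTATING_VERBS = {"create", "update", "patch", "delete"}


def pod_is_privileged(request_obj):
    """True if any container or init container in the pod spec requests privileged mode."""
    spec = (request_obj or {}).get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return any(c.get("securityContext", {}).get("privileged") is True for c in containers)


def detect(audit_lines):
    """Return a list of (rule, user, target) findings for matching audit events."""
    findings = []
    for line in audit_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        user = ev.get("user", {}).get("username", "?")
        resource = ref.get("resource")
        # Cluster-scoped objects have no namespace; label them as such.
        target = f"{ref.get('namespace', 'cluster')}/{ref.get('name', '?')}"

        # Rule 1: any write to an RBAC object; a binding to cluster-admin is called out separately.
        if resource in RBAC_RESOURCES and ev.get("verb") in MUTATING_VERBS:
            role_ref = (ev.get("requestObject") or {}).get("roleRef", {})
            rule = "cluster_admin_binding" if role_ref.get("name") == "cluster-admin" else "rbac_change"
            findings.append((rule, user, target))

        # Rule 2: creation of a pod whose spec asks for a privileged container.
        if resource == "pods" and ev.get("verb") == "create" and pod_is_privileged(ev.get("requestObject")):
            findings.append(("privileged_pod_create", user, target))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_AUDIT_LOG):
        print(finding)
```

Read-only verbs are ignored, so the `get` on `default/web-1` produces nothing, while the `patch` to a namespaced Role and the privileged pod in `ci` each produce one finding; the binding to `cluster-admin` is reported under its own rule name so it can carry a higher severity downstream.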
Purchase Considerations
Splunk Enterprise Security is a premium app that is used in conjunction with Splunk Enterprise or Splunk Cloud Platform. To use Splunk ES, customers must have a Splunk Enterprise or Splunk Cloud Platform deployment with an appropriate license based on either daily indexing volume (ingestion-based licensing) or vCPU usage (workload-based licensing). Splunk ES can be downloaded from Splunkbase or provisioned as part of a Splunk Cloud deployment. For example, if customers purchase a 1 GB daily indexing volume license for Splunk Enterprise and purchase the Splunk Enterprise Security app, they can ingest only 1 GB of data for use in Splunk Enterprise and Enterprise Security combined. Splunk Enterprise Security monitors Splunk indexes for daily indexing volume and vCPU consumption, irrespective of whether the on-premises or cloud version is used.
Splunk (Cisco) monitors the daily indexing volume into Splunk and the use of that data for security use cases. It also monitors the vCPU usage based on the data summarized in Splunk Enterprise Security-specific summary and metrics indexes.
Use Cases
Splunk (Cisco) can serve security use cases such as incident management, shortening investigation cycles by confirming high-priority incidents with enhanced visualizations of risk thresholds, indicators, and trends; compliance, meeting regulatory body standards and regulations; detecting and investigating attacks and new threats through early, rapid behavior-based detections and correlations; and threat hunting, including automation of repetitive tasks during investigation and incident response.
Sumo Logic: Cloud SIEM
Solution Overview
Sumo Logic Cloud SIEM is a SaaS-delivered solution built from the ground up as a multitenant microservices architecture that scales elastically and supports large volumes of data ingestion. Sumo Logic’s SIEM offers a range of features, including the Insight Rules Engine that features over 1,000 out-of-the-box rules, an entity timeline and Entity Relationship Graph for threat hunting, the Insight Global Confidence Scores module, the automation service that offers playbooks for insight enrichment, notifications, and containment actions, and a MITRE ATT&CK Threat Coverage Explorer.
Sumo Logic is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the GigaOm Radar for SIEM chart.
Strengths
Sumo Logic scored well on a number of decision criteria, including:
Alarm fidelity and self-tuning: The solution pulls together alert signals from multiple sources into a single insight tied to specific entities. It reduces triage and investigation time by automatically correlating related activities and potential threats. It also provides a view back in time, evaluating all signals associated with an entity up to the last 30 days. The insights include AI/ML-based confidence scores.
Data analysis and risk scoring: An entity criticality tool provides the control to adjust the severity of signals for specific entities based on some risk factor or other consideration. For example, an executive’s laptop is likely to contain important data, so signals related to that entity should have a higher signal severity. The solution provides a crowd-sourced and ML-predicted global confidence score that offers security analysts validated and fully contextualized events.
Data enrichment: The tool includes automated enrichment and supports ingestion of threat-intelligence data that is automatically merged with entities (such as IP addresses) detected in insights. For customers needing threat intelligence, Sumo Logic includes the CrowdStrike threat intelligence feed and Intel471 with the platform free of charge. Sumo Logic provides native integrations with best-practice data sources for Kubernetes: Prometheus, OpenTelemetry, FluentD, Fluentbit, and Falco.
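Two mechanisms described in this report come together naturally in one small model: the risk-based alerting of the Splunk capsule (risk attributions accumulate per entity and a notable event fires only when the entity's total meets a threshold) and the entity criticality weighting described in this capsule (signals for an executive's laptop weigh more). The block below is an added illustration written for this page and is not code from either vendor; the sample risk events, the 30-day look-back, the threshold of 75 and the criticality multipliers are all constructed assumptions.

```python
"""Risk-based alerting with per-entity criticality weighting.

Added illustration, not vendor code. Sample events, window, threshold and
criticality multipliers below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample risk attributions: each detection adds a score to an entity.
SAMPLE_EVENTS = [
    {"ts": "2025-07-01T09:00:00", "entity": "alice-laptop", "rule": "rare_process", "score": 20},
    {"ts": "2025-07-01T09:05:00", "entity": "alice-laptop", "rule": "new_admin_tool", "score": 30},
    {"ts": "2025-07-01T09:07:00", "entity": "alice-laptop", "rule": "lateral_smb", "score": 30},
    {"ts": "2025-07-01T10:00:00", "entity": "build-server", "rule": "rare_process", "score": 20},
    {"ts": "2025-06-01T08:00:00", "entity": "build-server", "rule": "new_admin_tool", "score": 60},
    {"ts": "2025-07-01T11:00:00", "entity": "ceo-laptop", "rule": "rare_process", "score": 20},
    {"ts": "2025-07-01T11:30:00", "entity": "ceo-laptop", "rule": "new_admin_tool", "score": 30},
]

# Assumed criticality multipliers: an executive's device amplifies every signal against it.
CRITICALITY = {"ceo-laptop": 2.0}
DEFAULT_CRITICALITY = 1.0


def accumulate_risk(events, now_iso, window_days=30, criticality=CRITICALITY):
    """Sum weighted risk per entity over a sliding window.

    Returns {entity: (total_score, [contributing rules])}. Events older than the
    window are dropped, so stale attributions age out instead of alerting forever.
    """
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=window_days)
    totals = defaultdict(float)
    contributing = defaultdict(list)
    for ev in events:
        if datetime.fromisoformat(ev["ts"]) < cutoff:
            continue
        weight = criticality.get(ev["entity"], DEFAULT_CRITICALITY)
        totals[ev["entity"]] += ev["score"] * weight
        contributing[ev["entity"]].append(ev["rule"])
    return {e: (totals[e], contributing[e]) for e in totals}


def notable_events(events, now_iso, threshold=75.0, **kwargs):
    """One notable event per entity whose accumulated risk meets the threshold.

    Instead of one alert per attribution, the analyst sees one alert per entity
    with the full list of rules that contributed to it.
    """
    risk = accumulate_risk(events, now_iso, **kwargs)
    return sorted(
        (entity, round(score, 1), rules)
        for entity, (score, rules) in risk.items()
        if score >= threshold
    )


if __name__ == "__main__":
    for notable in notable_events(SAMPLE_EVENTS, "2025-07-02T00:00:00"):
        print(notable)
```

With the sample data, three low-scoring detections against `alice-laptop` combine to 80 and fire one notable event; `build-server` stays below the threshold because its 60-point attribution is outside the 30-day window; and `ceo-laptop` fires on only two detections because its criticality multiplier doubles each signal.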
Opportunities
Sumo Logic has room for improvement in a few decision criteria, including:
Case management and collaboration: While the vendor natively supports case management features, it can further improve by implementing war rooms, collaboration with non-security teams, using data stored as global context for LLM agents or copilots, and serving as a shared resource among analysts and for onboarding new ones.
Automation: While the solution can define automation logic using workflows, it can improve on this capability by implementing triggers such as generic HTTP, event-driven triggers using protocols such as Kafka, LLM chats, and scheduled triggers. It can also implement advanced playbook capabilities such as retries, timeouts, rate limits, parallel execution, nested playbooks, live editors, workflow rollback, and workflow monitoring such as execution times and response codes. The solution can also implement scripting-based automation using languages such as Python.
Threat hunting and retrospective analysis: Sumo Logic can support threat hunting use cases via its querying and automation engines but can further improve by applying newly optimized rules to historical data to identify untriggered alarms and retrospectively identify infections, and displaying interactive timelines that highlight event clusters and frequency analysis that identifies unusual timing patterns. Interactive dependency maps between affected assets with drill-down capabilities would also improve this solution.
Purchase Considerations
Sumo Logic has a $0 ingest fee, as all pricing is based on the analysis of the data. The solution has three tiers (free, essential, and enterprise suite), with only the last offering the Cloud SIEM capabilities. The free tier includes a maximum 1 Gb/day log ingestion capacity and seven days of data retention but no security-specific capabilities. The enterprise suite allows customers to define their own data retention periods, offers 24/7 support for P1 incidents, and includes Cloud Infrastructure Security, Cloud SIEM, and Cloud SOAR.
Use Cases
Sumo Logic Cloud SIEM can deliver on use cases such as meeting data security and privacy requirements for compliance with regulations such as PCI DSS; incident response, identifying how an attack breached enterprise security controls and which hosts or applications were affected; vulnerability management, proactively testing network and IT infrastructure; and threat intelligence.
UTMStack: Open Source SIEM
Solution Overview
The UTMStack Open Source SIEM is a threat detection and response solution powered by threat intelligence and real-time correlation before ingestion. UTMStack is a single product that can be deployed on-premises or inside the customer’s cloud, or as a platform using the UTMStack SaaS. UTMStack has mainly been deployed as a single product installed within the customer’s network.
UTMStack has the following components: Dashboard Builder, Alert and Incident Management, User Activity Auditor, Log Analyzer, File Changes Tracker, Threat Intelligence, Built-In SOAR, Compliance Reporting, Vulnerability Management, and an LLM enhanced by RAG for automated alert and incident investigation.
UTMStack has two approaches to multitenancy: one instance per customer or a single instance shared among multiple customers. As UTMStack supports on-premises and bring your own cloud deployments, MSSPs have the ability to manage all these deployments remotely using a “federation service” that orchestrates the deployment of multiple UTMStack instances and provides a single pane of glass for monitoring all instances, as well as a useful tool for security operations teams.
UTMStack has its own internal research team that focuses on researching dark web data hunting, IOC and attack patterns investigation, and honeypot networks spun up for threat intelligence investigation and malware hunting. UTMStack hosts its proprietary threat intelligence platform, Threatwinds, and the threat research is integrated into UTMStack by default in all deployments.
UTMStack is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the GigaOm Radar for SIEM chart.
Strengths
UTMStack scored well on a number of decision criteria, including:
Alarm fidelity and self-tuning: UTMStack normalizes ingested data using Logstash parsing rules and an in-house correlation engine written in Go. In UTMStack, logs are correlated before ingestion to reduce detection and response times. Alarm or alert definitions are written in simple YAML correlation rule files that are easy to understand and can be created by a security analyst without coding experience. UTMStack uses the MITRE ATT&CK framework for alert classification and scoring and can determine risk based on user, device, workload, and identity context; a resource’s level of exposure to the public internet or other external networks; behavior deviation from the baseline; heuristic analysis; and threat intelligence IoC analysis.
Automation: UTMStack’s built-in SOAR handles incident response automation and workflows for alert automation, host isolation, host shutdown, IP blocking at firewalls, and malware activity intervention. Automation features include low-code playbooks, external API requests, agent-based command execution, SSH command execution, and scripting using PowerShell and Bash.
DevSecOps suitability: The solution can cater to DevSecOps audiences because all of its code is open source and available on GitHub, it supports CI/CD with GitHub Actions, it implements unit testing, and it exposes its functions via an API.
Opportunities
UTMStack has room for improvement in a few decision criteria, including:
Data enrichment: The vendor offers a good range of data enrichment sources but can improve by including proprietary threat intelligence and research, providing enrichment at ingestion time for full downstream context, storing enrichment data locally for easy retrieval, checking the integrity of enrichment data, and performing network traffic analysis.
Threat hunting and retrospective analysis: While the solution can retrospectively identify infections related to newly discovered vulnerabilities and automate threat-hunting workflows, it could improve by displaying the progression of threats in a timeline view, generating interactive dependency maps that display relationships among assets and critical information for each affected artifact, and providing drill-down capabilities into a correlation visualization to view each affected entity’s details.
Data analysis and risk scoring: While the vendor supports analysis and risk scoring via capabilities such as CVSS scores and identifying deviations from standard behavior, it could improve by monitoring levels of inbound and outbound application traffic, connections with other services, and Layer 7 content; offering context-aware risk scores; predicting the next steps of a threat’s lifecycle; threat modeling to detect advanced threats that surface gradually; and categorizing threat actors’ activity.
Purchase Considerations
UTMStack has a free open source version, making the solution a low-risk, no-cost opportunity for organizations to deploy the product. The solution offers two paid tiers: Cloud SIEM and support, and an on-premises enterprise edition. UTMStack licensing is based on individual data sources, such as firewalls, Windows Servers, Microsoft 365, and antivirus solutions.
Use Cases
The solution can cater to a wide range of use cases, including log management; compliance management and reporting for regulations and standards such as HIPAA, GDPR, GLBA, SOC, and ISO; file tracking and classification; user activity tracking; and serving as a threat intelligence source for firewalls.
6. Analyst’s Outlook
Most vendors in the SIEM space have well-developed core capabilities in alert ingesting, storage, scalability, and reporting. To develop new features, SIEM solutions are now expanding into other security services, including UEBA, SOAR, and XDR. Vendors are tackling these new sets of capabilities by either developing them natively in the SIEM solution or developing or acquiring these capabilities as separate products and closely integrating them. Integrations with third-party point-solution vendors still exist, but the focus has shifted to having the capabilities available in-house.
One interesting observation is the varying approaches to ML. While applying ML-based analytics directly to SIEM logs has not yielded proven results, almost all vendors are achieving ML implementation through UEBA. UEBA has ML at its core for understanding baseline behavior and detecting deviations or anomalies from that baseline. Vendors that started in the UEBA space and transitioned into the SIEM space are leveraging more experience and development in this area. Today, most SIEM vendors offer ML-based UEBA capabilities, albeit at different maturity levels. To illustrate this point further, point-solution SIEM vendors that do not operate in the UEBA space typically have little to no ML capability.
Another aspect that differentiates vendors in the SIEM space is the deployment model. Some vendors offer only cloud-native SaaS deployments, while more mature vendors provide most types of deployments, from physical appliances to virtual and cloud-hosted versions, with SaaS being on the roadmap for most players. As the primary tool for security operations, SIEM solutions are essential for regulated industries that often require on-premises deployments. Cloud-native vendors are therefore unable to cater to companies in this space, making it easier for vendors offering more deployment models to capture that part of the market.
Looking forward, we expect SIEM solutions to increase their capabilities to operate autonomously, primarily through prepackaged content, self-tuning capabilities, playbook changes, ML-based applications, and AIOps.
7. Methodology
*Vendors marked with an asterisk did not participate in our research process for the Radar report, and their capsules and scoring were compiled via desk research.
For more information about our research process for Radar reports, please visit our Methodology.
8. About Andrew Green
Andrew Green is an enterprise IT writer and practitioner with an engineering and product management background at a tier 1 telco. He is the co-founder of Precism.co, where he produces technical content for enterprise IT and has worked with numerous reputable brands in the technology space. Andrew enjoys analyzing and synthesizing information to make sense of today's technology landscape, and his research covers networking and security.
9. About GigaOm
GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.
GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.
GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.
10. Copyright
© Knowingly, Inc. 2025. "GigaOm Radar for Security Information and Event Management" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.