Why SIEM’s obituary was written too soon

At the 2024 Black Hat, I witnessed something peculiar: vendors proclaiming “SIEM is dead” while simultaneously promoting their SIEM solutions. As someone who helped create the first SIEM, I found this message puzzling. Is SIEM really dead or just going through a mid-life crisis?

The way I see it, there are a few fundamental ways SIEM will need to evolve for it to stay relevant and meet today’s cybersecurity challenges: dramatically increasing analytics speed, leveraging AI to enable true scalability, revolutionizing behavior analytics, and rearchitecting for versatility and cost-effectiveness.

The speed imperative

Speed has always been and will always be the number one priority for cybersecurity teams. Here’s the stark reality: when a CEO calls their CISO about the latest breach in the news, the typical response requires mobilizing an entire security team for a weekend of investigation. Why? Traditional security tools force analysts to process threat indicators one at a time, turning what should be minutes of work into days of effort.

Let’s put this in perspective. When a security briefing contains hundreds of potential threat indicators — malicious domains, IP addresses, attack techniques — traditional analysis approaches hit two massive bottlenecks. First, human analysts must manually research each indicator, typically taking 30 seconds per item. For 100 indicators, that’s already nearly an hour. But the bigger bottleneck comes from the security tools themselves. When querying across a year of data, each search might take 30 minutes. Suddenly, that single briefing analysis balloons into a 50-hour project, a full work week! With 63% of enterprises now storing more than 100TB of data, these bottlenecks are only continuing to grow. 

The AI advantage

Of course, speed doesn’t mean anything without scalability. That’s why the introduction of AI has been such an important development for the SIEM market. Some AI engines can analyze thousands of threat indicators simultaneously, returning precise results in seconds. That means that the CISO can now respond to their CEO with a precise impact assessment — in minutes, not days.

Think of it like the automotive industry’s evolution. Twenty years ago, a supercar doing 0-60 mph in under four seconds was revolutionary. Today, we have electric vehicles achieving it in under two seconds at a fraction of the cost. This is the magnitude of the impact of AI on SIEM technology, and it’s why AI-powered SIEMs won’t be facing extinction in the foreseeable future. 

AI also helps us integrate threat intelligence into the security workflow more effectively than ever before. More is not necessarily better. Threat intelligence data can overlap, and sources may interpret the data in different ways, complicating decision-making. What we really need is more “intelligent” intelligence!

This is where AI transforms the process. By automatically validating, attributing, enriching, prioritizing, deduplicating and normalizing threat intelligence, AI helps us convert raw data into actionable insights. The impact is twofold: Security analysts experience reduced alert fatigue and increased efficiency, while organizations maximize both their team’s effectiveness and their threat intelligence investments. 

Far beyond traditional UEBA

When you’re dealing with threats at this scale and speed, you also need to completely rethink how you approach behavior analytics. Traditional behavior analysis simply can’t keep up when you’re processing hundreds of indicators in seconds — the sheer volume of data and the required speed of analysis demands a fundamentally different approach. You can’t rely on systems that need weeks or months to establish baseline behaviors when threats are evolving by the hour.

The evolution of user and entity behavior analytics (UEBA) perfectly illustrates why traditional SIEM approaches need rethinking. Most UEBA solutions try to establish baselines for every user’s normal behavior — essentially boiling the ocean to detect anomalies. With organizations having hundreds of thousands of users, each with unique patterns, this approach generates an overwhelming number of false positives.

The smarter approach flips the script: instead of learning everything about normal user behavior, focus on understanding and detecting known attacker patterns. There are a finite number of attack techniques, well-documented in frameworks like MITRE ATT&CK. By focusing on threat-actor behaviors rather than on user anomalies, modern SIEM solutions can dramatically improve detection accuracy while reducing false positives. To put it another way, we can either choose to focus on when do users stop behaving like themselves, when do they stop behaving like their peers, or when do they start behaving like attackers. Picking the right formula will have a great impact on both effectiveness and efficiency.

Cloud-native architecture: More than a buzzword

Here’s something that might surprise you: most of today’s “cloud-based” SIEM solutions are really just on-premises software that’s been lifted and shifted to the cloud. Many security vendors have simply ported their existing solutions, carrying forward all their performance limitations. True evolution requires rebuilding from the ground up. While some vendors rely on third-party data platforms, leading-edge SIEM solutions are developing proprietary data engines that operate at the same level as dedicated data platforms, but optimized for security use cases.

This architectural advantage isn’t just about technical elegance — it’s about delivering practical benefits. When your data engine can execute complex queries across vast datasets in seconds rather than hours, you unlock entirely new use cases and capabilities that weren’t previously possible.

This is where futuristic and ultra-modern SIEMs come in (next-gen is a term already occupied by the previous generation of SIEMS) — solutions built from the ground up to be cloud-native and designed specifically for modern, elastic environments where the network perimeter is constantly shifting. Unlike traditional or next-gen SIEMs that struggle with dynamic cloud environments, futuristic and ultra-modern SIEM solutions are architected to handle the fluid nature of modern infrastructure, where resources spin up and down on demand and security boundaries are constantly evolving.

An unexpected bonus: Cost savings

There’s another reason that the SIEM market has been flailing — cost. Legacy and next-gen SIEMs have turned into major budget breakers, thanks to licensing tiers based on data storage. As customers invest more and more data into their SIEMs, their costs increase, as well. Some organizations are paying 10X more than they did when they first licensed their SIEMs. This math does not translate into happy customers. 

Ultra-modern SIEMs can scale more cost-effectively. Models like this are already saving organizations between 30% and 80% of what they were previously paying a legacy or next-gen SIEM vendor. 

Looking ahead

The security landscape isn’t getting simpler. The SIEM market has undergone significant consolidation in 2024. Adversaries/attackers are always becoming more sophisticated, data volumes will keep expanding exponentially, and organizations will face increasingly damaging cyber and ransomware attacks that impact their bottom line. The average data recovery cost reached nearly $2.73M in 2024, an increase of almost $1 million since 2023.

SIEM is not dead — it’s undergoing a fundamental transformation. The focus is no longer on collecting logs; it’s about leveraging AI, advanced data engines, and cloud-native architectures to deliver security insights at speeds that match modern threats. Those declaring SIEM's death are looking in the rearview mirror at legacy and next-gen solutions, while the technology itself is accelerating into the future.

The SIEM market’s recent consolidation and projected growth to $7.56B by 2030 isn’t just a reflection of market dynamics. It’s about the recognition that security teams need these evolved capabilities more than ever. The old SIEM might be dead, but its evolution is very much alive and more critical than ever for modern security operations.