The recent SANS 2025 SOC Survey, Facing Top Challenges in Security Operations, sheds light on several shifts we are seeing among security organizations.
The findings reveal a consistent theme: SOCs are overwhelmed, understaffed, and stuck in reactive mode despite significant technology investments. Here’s what the data shows and what it means for security operations moving forward.
First, we will highlight the findings from the survey report and then we will provide our predictions of what’s to come.
1. Lack of Skilled Staff Blocks Hunting
“A lack of skilled staff remains the top-cited barrier for why teams aren’t taking the time to do more sophisticated hunting.”
True threat hunting capabilities are constrained by staffing, with “most teams described partially automated hunting using vendor-provided tools (48%)” rather than hypothesis-driven analysis. The report emphasizes that “Running Windows Defender with updated signatures…is not threat hunting. It’s basic detection.”
WireX Systems Insight: In response to the ongoing skills and staffing gap, organizations will increasingly rely on AI-based tools to augment their security teams. That shift will escalate an arms race between defenders and adversaries, with both sides leveraging AI. The dynamic favors attackers, who only need to succeed once, whereas defenders must be right every time. This imbalance will make resilient, context-aware defenses essential. Operational tools that provide deep context and actionable insights will let teams level up their skills and use automation to even the playing field.
2. Network Security Tops Skill Deficits
“information systems and network security (14%) and digital forensics (12%) as the highest [skill deficits]”
Fundamental networking and forensics skills remain the most significant gaps in SOC hiring, representing the top technical skill deficits when organizations seek new staff.
WireX Systems Insight: With fundamental networking and forensics skills among the top gaps in SOC hiring, organizations will increasingly invest in tools that do the heavy lifting for them – automating packet and payload-level analysis, surfacing relevant insights, and guiding investigators through each step. Solutions that simplify complex network investigations will be critical to closing the expertise gap and enabling faster, more confident response.
This shift will enable even junior staff to operate with the speed and precision typically expected from seasoned analysts.
3. Enabling Internal Incident Response
“Incident response is a fully integrated part of our internal SOC capability” (50.9%)
Enabling internal incident response isn’t just a goal—it’s a necessity for organizations that want to move from reactive security to proactive defense. By leveraging the intuition of internal staff who already understand the environment, organizations can cut through alert fatigue and immediately focus on real threats. This means faster response times, reduced risk, and a force-multiplied SOC where institutional knowledge is amplified.
WireX Systems Insight: Empowering internal teams to lead incident response is no longer optional—it’s essential. By equipping staff who know the environment best with tools that surface clear, contextual insights, organizations can cut through alert noise and respond faster.
Having incident response capabilities integrated into the SOC will enable faster, more informed decisions and ensures that institutional knowledge is put to work when it matters most.
4. Incident Response Is Reactive, Not Proactive
“incident response starts are primarily triggered by internal security alerts (85%).”
The SOC’s incident response capability is primarily reactive, with the vast majority of organizations waiting for alerts before investigating threats. The report shows that “incident response is a fully integrated part of our internal SOC capability” (50.9%) but remains alert-driven rather than proactive. Most SOCs operate in a detection-response cycle rather than actively seeking out threats before they trigger alerts.
WireX Systems Insight: Organizations will invest in solutions that enable proactive threat hunting through extended data retention and historical analysis capabilities. The ability to investigate months-old activities when new threat intelligence emerges will become increasingly valuable for identifying previously undetected threats. Until organizations invest in analysts focused on threat hunting, the industry will continue to see a steady rise in sustained or persistent security breaches. The same number of threats will exist, but only through hunting will sophisticated attacks be uncovered and their dwell time reduced.
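The retrospective hunt described above, in which a newly published indicator is searched back through retained records to find how long a host has been talking to it, is easy to sketch. The following is an added example and not WireX Systems code; the record format, the 120-day sample of connections and the IOC list are all constructed here for illustration.

```python
"""Retrospective IOC hunt over retained network records.

Added example, not WireX Systems code. The record layout (timestamp, source
host, destination IP, destination domain), the retained sample and the IOC
list are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Record:
    ts: datetime
    src: str
    dst_ip: str
    dst_domain: str


# Constructed sample of retained connection records spanning about 120 days.
# 10.0.4.21 has been beaconing to the same address since long before the
# indicator was published; 10.0.7.9 is benign background traffic.
NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)
RETAINED = [
    Record(NOW - timedelta(days=117), "10.0.4.21", "203.0.113.57", "cdn-update.example"),
    Record(NOW - timedelta(days=116), "10.0.4.21", "203.0.113.57", "cdn-update.example"),
    Record(NOW - timedelta(days=30), "10.0.4.21", "203.0.113.57", "cdn-update.example"),
    Record(NOW - timedelta(days=2), "10.0.7.9", "198.51.100.12", "mail.example"),
]

# Constructed IOC list, standing in for a just-received threat intel report.
NEW_IOCS = {"ip": {"203.0.113.57"}, "domain": {"bad-c2.example"}}


def retro_hunt(records, iocs, now, retention_days):
    """Match IOCs against records that are still inside the retention window.

    Returns, per matched source host, the first and last sighting, the number
    of matching records, and dwell time in days (first sighting to now).
    """
    cutoff = now - timedelta(days=retention_days)
    hits = {}
    for r in records:
        if r.ts < cutoff:
            continue  # aged out of retention: invisible to the hunt
        if r.dst_ip in iocs["ip"] or r.dst_domain in iocs["domain"]:
            h = hits.setdefault(r.src, {"first": r.ts, "last": r.ts, "count": 0})
            h["first"] = min(h["first"], r.ts)
            h["last"] = max(h["last"], r.ts)
            h["count"] += 1
    for h in hits.values():
        h["dwell_days"] = (now - h["first"]).days
    return hits


def compare_retention(records, iocs, now, windows):
    """Run the same hunt under several retention windows to show what each can prove."""
    return {w: retro_hunt(records, iocs, now, w) for w in windows}


if __name__ == "__main__":
    for window, hits in compare_retention(RETAINED, NEW_IOCS, NOW, (30, 180)).items():
        print(f"retention={window}d -> {hits}")
```

With a 30-day window the hunt still flags 10.0.4.21, but it can only show a single contact and a 30-day dwell time; with 180 days of retention the same indicator reveals three contacts and a 117-day dwell, which is the difference between a containment ticket and a scoping decision.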
5. Dump Everything in the SIEM
“42% of SOCs dump all incoming data into a SIEM, often without a retrieval or management plan.”
Organizations are collecting massive amounts of security data but lack coherent strategies for managing, analyzing, or retrieving this information effectively. The report notes that SOCs “store more data than ever before…creating visibility issues.” This creates storage costs and potential performance issues.
WireX Systems Insight: Data management and retention policies will become critical SOC priorities. Organizations will look for solutions that provide intelligent data tiering, automated archiving, and improved search capabilities to handle growing data volumes more efficiently. The pressure will increase for security tools to interoperate across a distributed security ecosystem. Organizations want tools that can operate independently and collaboratively, without relying on pushing all data into a central SIEM.
6. SIEM Skills Top the Wish List
“43% of respondents say SIEM is the top tech skill they seek when hiring—more than double the next highest response.”
SIEM expertise remains the most sought-after technical skill in SOC hiring, significantly outpacing other competencies. This represents a substantial gap between what organizations need most and what candidates typically possess.
WireX Systems Insight: As more cyber solution providers move into platform-based “Next-Gen” SIEM, organizations will increasingly shift between SIEM technologies. The most valuable analysts will not be defined by the specific SIEM language they know, but by their ability to understand the context and relevance of the underlying data sources. There will be a growing need to interpret and work with data outside of the SIEM platform itself. Tools that provide the most accessible and actionable insight, regardless of platform, will stand out.
7. CTI Primarily for Incident Response
“69% of SOCs use cyber threat intelligence (CTI) data primarily for incident response.”
Organizations are using threat intelligence reactively rather than proactively. Additionally, “most information comes from external sources, indicating there’s a growing need to generate threat intelligence from internal data sources.” The most common analysis method is that “analysts use their experience and intuition” rather than structured analytical approaches.
WireX Systems Insight: While threat hunting and incident response will remain as much an art as a science, the ability to quickly understand raw data will become a key differentiator. The faster an analyst can interpret and validate what the data is saying, the sooner they can determine whether something is worth pursuing. Tools that support the analyst’s experience and intuition while improving clarity and access to internal data will grow in importance.
8. AI/ML Adoption Lacks Governance
“42% of SOCs use AI/ML tools ‘out of the box’ with no customization.”
SOC employees are adopting AI/ML tools individually without organizational oversight or integration into formal workflows. “Interestingly, data shows that the majority (40%) use the tools, but they are not part of the defined operations.” This creates potential security risks and prevents organizations from maximizing the value of these technologies.
WireX Systems Insight: AI governance will continue to evolve, with a focus on data residency, consistency across models, and open access to all source data so that organizations can build their own customizations, e.g. BYOLLM (Bring Your Own Large Language Model).
9. We Already Have a SIEM and EDR
“We already have a SIEM and EDR” represents the most common objection security teams encounter when evaluating new solutions.
While not directly from the SANS survey, this objection reflects the reality that organizations have invested heavily in existing security infrastructure and are hesitant to add new tools. The survey data supports this, showing that SOCs struggle with tool effectiveness rather than tool quantity, with “AI/ML tools continue to underperform…two ranked at the very bottom” in satisfaction ratings.
WireX Systems Insight: The most common pushback—“We already have a SIEM and EDR”—underscores a deeper issue: security teams aren’t lacking tools, they’re lacking answers. Many existing tools fall short in effectiveness, with some AI/ML solutions ranking lowest in satisfaction. The future won’t be about stacking more tools—it will be about deploying the right ones that deliver answers, not just alerts. Organizations will shift toward solutions that fill critical visibility and investigation gaps left by traditional platforms.
10. Data Sovereignty Questions Coming
“SOCs should be prepared to respond to tough questions around cross-border visibility, third-party monitoring, and data residency.”
Increasing geopolitical tensions are creating new compliance requirements that will impact SOC architecture and vendor selection decisions. The report warns that “Security leaders should anticipate deeper engagement from legal, compliance, and business stakeholders as these topics rise on the agenda.”
WireX Systems Insight: Data sovereignty will become a primary factor in SOC technology selection. Organizations will require detailed documentation of data flows and processing locations from all security vendors, driving demand for regionally-deployed security platforms.
What This Means for Your SOC
These findings paint a clear picture: traditional approaches to SOC operations are reaching their limits. Organizations are drowning in data they can’t effectively analyze, struggling to find skilled staff, and remaining trapped in reactive security postures despite massive technology investments.
The solution isn’t tool sprawl with disconnected point solutions. Instead, successful SOCs will focus on tool consolidation that provides more value with less operational risk. Smart organizations are reducing SIEM storage costs by moving comprehensive monitoring and analysis onto open solutions that expose their data, and by running automation across complete data sets rather than relying on vendors to pre-filter which records matter.
How WireX Systems Addresses These Challenges
WireX Systems Ne2ition directly addresses many of the core issues identified in this survey:
- Closes the Skills Gap with Contextual Automation
WireX automates packet and payload-level analysis and guides investigators step by step, empowering even junior analysts to work at a higher level.
- Delivers Answers, Not Just Alerts
WireX shows what happened, what data was accessed, and how, turning detection into clarity and cutting investigation time dramatically.
- Automated Investigation Engine
Our automatic investigation engine eliminates the manual correlation work that consumes analyst time, shortening time-to-resolution from hours and days to minutes.
- Enables Proactive Threat Hunting and Long-Term Forensics
WireX retains full payload data over extended periods, enabling threat hunting months after the fact and uncovering stealthy attacks.
- Reduces SIEM Overload and Storage Costs
By offloading investigation and forensics from the SIEM, WireX minimizes data ingestion costs while maximizing visibility.
- Supports Internal IR and External Collaboration
WireX equips internal teams to lead response while seamlessly enabling MSSPs or IR firms to contribute as an added layer of defense.
- Compliance & Visibility
Built-in capabilities for compliance reporting, network segmentation validation, and rogue asset discovery address emerging regulatory requirements.
In summary, WireX Systems enables proactive defense by delivering deep visibility, intelligent context, and actionable detections—amplifying the effectiveness of security teams and turning network data into an active sensor grid.
The survey’s findings confirm what we’ve seen firsthand: SOC teams need solutions that make their existing staff more effective, not tools that require additional expertise to manage.
As SOCs face increasing pressure to do more with limited resources, the winners will be those who choose technologies that multiply human capability rather than simply adding to the noise.