In its 2025 State of SIEM report, CardinalOps delivers a stark message to cybersecurity professionals: despite massive investments in Security Information and Event Management (SIEM) platforms, most organizations are blind to a majority of known MITRE ATT&CK techniques. And the situation isn’t improving fast enough.
With data pulled from real-world production SIEM environments, the report exposes persistent detection gaps, redundant rules, and “SIEM sprawl” that undermines both threat visibility and analyst effectiveness.
According to a press release, the report draws from an expansive dataset of 2.5 million total log sources, more than 23,000 distinct log sources, more than 13,000 unique detection rules, and hundreds of production SIEM environments, including Splunk, Microsoft Sentinel, IBM QRadar, CrowdStrike Logscale, and Google SecOps. The report uses the MITRE ATT&CK framework as a benchmark.
This year’s findings highlight major detection coverage gaps and systemic detection engineering challenges that limit how effectively enterprise SIEMs detect and respond to adversary activity.
Here are key takeaways from the report.
- Detection Coverage Remains Alarmingly Low: Across the MITRE ATT&CK framework, organizations are only actively detecting an average of 36% of relevant techniques—barely an improvement over 2024. Despite adding new rules, overall effectiveness is stagnant.
- Rule Redundancy and Bloat: Many SIEMs contain hundreds of detection rules, yet 28% are either broken or unused. That’s wasted compute—and wasted analyst time.
- Custom Detections Are Lacking: Custom detection rules tuned to an organization’s unique environment account for less than 20% of detections. The rest come from prepackaged content, which often lacks the specificity needed to detect advanced threats.
- Over-Reliance on Endpoint and Authentication Data: More than 80% of detection logic hinges on endpoint and authentication logs. Other telemetry sources like cloud, SaaS, or containerized infrastructure are largely ignored—even as adversaries pivot toward exploiting these layers.
- SIEM as a Cost Sink, Not a Value Engine: As one CISO in the report stated: “We treat our SIEM like a security Swiss Army knife, but don’t use half the blades.”
SIEMs are bloated, under-tuned, and not delivering ROI. This is pushing many organizations to reassess their architecture—or to look at SIEM augmentation or replacement altogether.
“Five years’ worth of data tells a stark story: organizations are sitting on a mountain of data but still lack the visibility needed to detect the threats that matter most,” said Michael Mumcuoglu, CEO and Co-Founder of CardinalOps. “What’s clear is that the traditional approach to detection engineering is broken. Without being able to leverage AI, automation, and continuous assessment of detection health, enterprises will remain dangerously exposed—even with modern SIEM platforms and sophisticated telemetry.”
There are broader SIEM trends to watch, as well, including:
- SIEM + XDR Integration: Vendors are increasingly bundling SIEM and XDR capabilities to close detection gaps and reduce operational overhead. Expect tighter integration between analytics, telemetry, and response actions.
- Shift Toward Data Lakes: Organizations frustrated by SIEM licensing models are increasingly turning to data lake architecture (e.g., Snowflake, BigQuery) to decouple storage from analytics.
- Detection Engineering Takes Center Stage: Detection-as-Code (DaC) is gaining traction, enabling security teams to treat detection content like software—versioned, tested, and reproducible.
- ML-Driven Tuning and Rule Rationalization: Machine learning is now being used to identify noisy, unused, or conflicting rules—helping SecOps teams rationalize and refine detection libraries.
Some basics can help practitioners stay ahead of the game:
- Audit Your Detection Coverage: Map existing rules against MITRE ATT&CK to identify gaps and redundancies.
- Invest in Detection Engineering: Develop a formal process for testing, tuning, and deploying rules—especially for cloud, SaaS, and identity data sources.
- Rethink SIEM ROI: Is your current SIEM truly supporting business risk reduction? If not, consider alternatives like open XDR, threat detection pipelines, or SIEM augmentation tools.
- Start Small, Tune Hard: Adding more rules isn’t the answer. Adding better rules—and validating them—is.
CardinalOps’ latest report makes it clear: security teams are running faster just to stand still. SIEMs, despite their central role in detection strategy, remain underutilized and overburdened. It’s time to shift the narrative from “more rules” to better tuning, smarter coverage, and actual visibility.
To increase SIEM optimization from visibility to value, here’s a checklist cybersecurity teams can use:
Visibility and Coverage
- Map current detection rules to MITRE ATT&CK
- Identify techniques relevant to your organization’s threat model
- Evaluate detection coverage across endpoint, identity, cloud, and network data
Rule Health and Hygiene
- Remove or revise broken, unused, or duplicated rules
- Validate detection rules in a test environment before deployment
- Implement version control for detection rules (Detection-as-Code)
Data Strategy
- Review data ingestion policies—are you paying to ingest unused telemetry?
- Normalize data sources for cross-correlation across multiple environments
- Monitor data volume trends and prioritize high-value logs
Detection Engineering
- Create a formal detection engineering playbook
- Regularly tune thresholds to reduce false positives
- Assign owners for rule maintenance and review cycles
Feedback and Response Loop
- Use incident response findings to refine or create new detection rules
- Integrate SIEM with SOAR or XDR to automate repetitive tasks
- Conduct periodic table-top exercises that validate detection-to-response flow
Metrics and ROI
- Track rules coverage versus known attack paths
- Report detection efficacy to leadership in business-relevant language
- Calculate cost-per-use-case to measure SIEM return on investment
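The “Audit Your Detection Coverage” takeaway and the Visibility, Rule Health, and Metrics items of the checklist all reduce to the same exercise: take a rule inventory, map it to ATT&CK, and compute the figures the report headlines (coverage of relevant techniques, broken or unused share, custom share, endpoint/auth dependence, redundant rules). The script below is an added example, not CardinalOps code or a real SIEM export; the rule inventory and the relevant-technique set are constructed, and the field names (`techniques`, `enabled`, `valid`, `custom`, `hits_90d`, `source`) are assumptions about what a rule export would carry.

```python
from collections import defaultdict

# Constructed sample rule inventory (not from the report). Each entry mimics the
# fields a SIEM rule export typically carries: ATT&CK technique IDs, enabled flag,
# whether the rule still compiles against the schema, whether it was custom-built,
# matches in the last 90 days, and the telemetry source it queries.
RULES = [
    {"name": "encoded_powershell", "techniques": ["T1059.001"], "enabled": True,
     "valid": True, "custom": False, "hits_90d": 14, "source": "endpoint"},
    {"name": "psexec_lateral", "techniques": ["T1021.002"], "enabled": True,
     "valid": True, "custom": True, "hits_90d": 3, "source": "endpoint"},
    {"name": "brute_force_logon", "techniques": ["T1110"], "enabled": True,
     "valid": True, "custom": False, "hits_90d": 40, "source": "auth"},
    {"name": "brute_force_logon_v2", "techniques": ["T1110"], "enabled": True,
     "valid": True, "custom": False, "hits_90d": 40, "source": "auth"},
    {"name": "legacy_proxy_rule", "techniques": ["T1071.001"], "enabled": False,
     "valid": True, "custom": False, "hits_90d": 0, "source": "network"},
    {"name": "broken_s3_policy", "techniques": ["T1530"], "enabled": True,
     "valid": False, "custom": True, "hits_90d": 0, "source": "cloud"},
    {"name": "dead_dns_tunnel", "techniques": ["T1071.004"], "enabled": True,
     "valid": True, "custom": False, "hits_90d": 0, "source": "network"},
]

# Techniques the organization's threat model says matter (constructed subset).
RELEVANT = {"T1059.001", "T1021.002", "T1110", "T1071.001", "T1530",
            "T1078.004", "T1525"}

def audit(rules, relevant):
    """Compute coverage and hygiene metrics in the terms the report uses."""
    by_tech = defaultdict(list)   # technique -> healthy rules that cover it
    broken, unused = [], []
    for r in rules:
        healthy = r["enabled"] and r["valid"]
        if not healthy:
            broken.append(r["name"])          # disabled or no longer compiles
        elif r["hits_90d"] == 0:
            unused.append(r["name"])          # runs but has never fired
        if healthy:
            for t in r["techniques"]:
                by_tech[t].append(r["name"])
    covered = relevant & set(by_tech)
    n = len(rules)
    pct = lambda k: round(100 * k / n, 1)
    return {
        "coverage_pct": round(100 * len(covered) / len(relevant), 1),
        "uncovered": sorted(relevant - covered),   # gaps to prioritize
        "broken": broken, "unused": unused,
        "broken_or_unused_pct": pct(len(broken) + len(unused)),
        "redundant": {t: v for t, v in by_tech.items() if len(v) > 1},
        "custom_pct": pct(sum(r["custom"] for r in rules)),
        "endpoint_auth_pct": pct(sum(r["source"] in ("endpoint", "auth") for r in rules)),
    }
```

Running `audit(RULES, RELEVANT)` on the constructed inventory reports 42.9% coverage with four relevant techniques uncovered (including both cloud ones), two broken and one unused rule, and a duplicate pair on T1110, which is exactly the shape of finding the report describes.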
The full report is available here.