85% of Analysts Say Endpoint Alerts Drive Response, Yet 42% of SOCs Lack a Strategy for Managing Incoming Data
Bethesda, MD, July 01, 2025 (GLOBE NEWSWIRE) — The 2025 Global SOC Survey from SANS Institute reveals a stark disconnect between alert response and data strategy in Security Operations Centers (SOCs). While 85% of SOC analysts cite endpoint security alerts as their primary response trigger, 42% of SOCs admit to dumping all incoming data into a SIEM without a plan for retrieval or analysis. Recently released, the report highlights this and other critical insights drawn from thousands of practitioners worldwide and offers the industry’s most comprehensive, vendor-neutral benchmark of SOC maturity, tooling, and staffing.
The report is accompanied by a live webcast on Wednesday, July 9, 2025, at 10:30AM EST (14:30 UTC), where SANS experts will present the key findings and recommendations. Registration is free and open globally at: https://www.sans.org/webcasts/sans-2025-soc-survey/
“SOCs are the backbone of modern cyber defense, but many remain overwhelmed and under-resourced,” said Christopher Crowley, Certified Instructor at SANS Institute and lead author of the survey. “This year’s data offers a clear look at how SOCs are adapting to the demands of 24/7 operations, AI integration, and remote work – while also surfacing common missteps and areas for growth.”
Key findings from the 2025 report include:
- 82% of SOCs report operating 24/7.
- 85% of SOC analysts cite endpoint alerts as their primary response trigger.
- 73% allow some degree of remote work for SOC personnel.
- 42% send all incoming data to a SIEM without a defined strategy for management or retrieval.
- 42% use AI/ML tools in an out-of-the-box capacity without customization.
“If company leadership isn’t prepared to fully commit the resources to make a tool effective, it would be better not to deploy it at all,” said Crowley. “A shiny new technology that seems like a great solution requires budget, training, time and integration into workflow.”
“We define a SOC by its capabilities, architecture, staffing, and whether those functions are internal or outsourced,” added Crowley. “This report helps security leaders understand how others are building and evolving their SOCs, and where they stand in comparison.”
To access the full report or register for the webcast, visit: https://www.sans.org/webcasts/sans-2025-soc-survey/
CONTACT: Jenn Elston SANS Institute 301-654-7267 press@sans.org