This GigaOm Research Reprint Expires Jul 30, 2025

GigaOm Radar for Security Information and Event Management (SIEM) v4.0

1. Executive Summary

The security information and event management (SIEM) solution space is mature and competitive. Most vendors have had well over a decade to refine their products, and the differentiation among basic SIEM functions is fairly minor. However, there’s an increasing number of younger SIEM vendors entering the market that can benefit from all the lessons learned across the 2010s to offer modern, lightweight, and often cloud-native solutions.

To improve differentiation, SIEM vendors are developing advanced platforms that provide greater context and deploy ML and automation capabilities to augment security analysts’ efforts. These solutions deliver value by giving security analysts deeper and broader visibility into complex infrastructures, increasing efficiency and decreasing the time to detection and response.

Vendors offer SIEM solutions in various forms, such as physical appliances, virtual appliances that can be installed in the customers’ on-premises or cloud environments, cloud-hosted solutions on either dedicated or shared infrastructure, and software as a service (SaaS) models. Many vendors have developed multitenant SIEM solutions for large enterprises or managed security service providers (MSSPs). Customers often find SIEM solutions challenging to deploy, maintain, or even operate, leading to a growing demand for managed SIEM services, whether provided by the SIEM vendor or third-party partners.

SIEM solutions continue to vie for space with other security solutions, such as user and entity behavior analytics (UEBA), endpoint detection and response (EDR), security orchestration, automation, and response (SOAR), and security analytics solutions. All SIEM vendors support integrations with other security solutions. Many vendors also offer tightly integrated solution stacks, allowing customers to choose the solutions they need most, whether that’s just a SIEM solution, a SIEM and a SOAR solution, or some other combination. Other vendors are incorporating limited EDR- or SOAR-like capabilities into their SIEM solutions for customers who want the extra features but are not ready to invest in multiple solutions.

This is our fourth year evaluating the SIEM space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.

This GigaOm Radar report examines 24 of the top SIEM solutions and compares offerings against the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) outlined in the companion Key Criteria report. Together, these reports provide an overview of the market, identify leading SIEM offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.

GIGAOM KEY CRITERIA AND RADAR REPORTS

The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and nonfunctional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the sector.

2. Market Categories and Deployment Types

To help prospective customers find the best fit for their use case and business requirements, we assess how well SIEM solutions are designed to serve specific target markets and deployment models (Table 1).

For this report, we recognize the following market segments:

  • Small-to-medium business (SMB): Solutions in this category meet the needs of organizations ranging from small businesses to medium-sized companies. For this segment, advanced features may be less important than compliance and audit reporting and ease of use and deployment. Newer small enterprises may also rely heavily on cloud-based infrastructure, services, and apps, and favor cloud-based SIEM solutions.
  • Large enterprise: Large enterprises require high-performance SIEM solutions with the throughput and storage capacity to ingest huge volumes of data. Flexibility in deployment, scalability, and integration with existing infrastructure are key differentiators for them.
  • Regulated industries: These typically include verticals such as finance, healthcare, and government, for which vendors need to adhere to strict rules and regulations as well as support on-premises deployments.
  • Public sector: These are local and central government bodies as well as international entities that have strict requirements around data sovereignty, vendor certifications, and technology supply chains.
  • Cloud service provider (CSP): CSPs must be able to monitor the large number of tenants that use the provider’s underlying infrastructure, ensuring visibility across shared devices to prevent lateral movement and lower the risk inherited from each tenant.
  • MSSP: MSSPs require multitenant architectures, flexibility, and scalability. They may also favor solutions with predictable pricing models.

In addition, we recognize five deployment models for solutions in this report:

  • Physical appliance: These are hardware solutions installed on the customer’s premises. Customers are responsible for operations and maintenance, though they may purchase support services through the vendor or a third-party service provider.
  • Virtual appliance: This is a software version of the solution that can be installed on a customer’s on-premises equipment or in private clouds.
  • Public cloud image: The solution can be purchased from a public cloud provider’s marketplace and run in the customer’s public cloud environment.
  • Hosted and managed by vendor: In this model, the customer purchases the solution and outsources its management to the SIEM vendor, who hosts and manages it on the customer’s behalf.
  • SaaS: Compared to cloud-hosted models, software as a service has a different licensing and consumption model in which customers often subscribe using a pay-as-you-go plan without purchasing the solution outright and paying separately for management.

Table 1. Vendor Positioning: Target Market and Deployment Model

Target Market columns: SMB | Large Enterprise | Regulated Industries | Public Sector | CSP | MSSP
Deployment Model columns: Physical Appliance | Virtual Appliance | Public Cloud Image | Hosted & Managed by Vendor | SaaS

Vendors (rows): Datadog, Devo, DNIF, Elastic, Exabeam, Fortinet, Graylog, Hunters, Huntsman, Logpoint, LogRhythm, Logsign, ManageEngine, Microsoft, NetWitness, OpenText, Panther Labs, Rapid7, Securonix, SolarWinds, Splunk, Sumo Logic, UTMStack

[Per-vendor yes/no marks not reproduced in the text version of this table]

Table 1 components are evaluated in a binary yes/no manner and do not factor into a vendor’s designation as a Leader, Challenger, or Entrant on the Radar chart (Figure 1).

“Target market” reflects which use cases each solution is recommended for, not simply whether that group can use it. For example, if an SMB could use a solution but doing so would be cost-prohibitive, that solution would be rated “no” for SMBs.

3. Decision Criteria Comparison

All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:

  • Multiple ingest streams
  • Flexible storage
  • Configurable alarms
  • Root cause analysis
  • Dashboards and visualizations
  • Certifications, compliance, and audits

Tables 2, 3, and 4 summarize how each vendor in this research performs in the areas we consider differentiating and critical in this sector. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the relevant market space, and gauge the potential impact on the business.

  • Key features differentiate solutions, highlighting the primary criteria to be considered when evaluating a SIEM solution.
  • Emerging features show how well each vendor implements capabilities that are not yet mainstream but are expected to become more widespread and compelling within the next 12 to 18 months.
  • Business criteria provide insight into the nonfunctional requirements that factor into a purchase decision and determine a solution’s impact on an organization.

These decision criteria are summarized below. More detailed descriptions can be found in the corresponding report, “GigaOm Key Criteria for Evaluating SIEM Solutions.”

Key Features

  • Alarm fidelity and self-tuning: Alarm fidelity considers the capabilities of the alarm-triggering engine that defines the detection rules used to identify suspicious or threatening events. Calibrating alarm fidelity is a balancing act between detecting all suspicious events and not triggering false positives.
  • Data enrichment: On their own, security event logs contain limited information. During incident investigations, the security team must analyze those events in context. Many SIEM solutions now gather information from user directories, asset inventories, threat intelligence feeds, asset metadata, network information, geo-location, vulnerability management systems, and many other data sources to provide that context.
  • Collaboration and case management: Collaboration enables multiple security analysts to work together on an incident. Analysts can share information, assign tasks, and communicate within the SIEM platform to identify, categorize, and respond to threats.
  • Automation: Automation within SIEM platforms has been continuously evolving to make the platforms easier to onboard and use. Setup actions, such as connecting to data sources for log collection, can be done automatically with prepackaged connectors rather than custom code. Other activities like threat enrichment and extracting contextual information can also be defined via playbooks.
  • Threat hunting and retrospective analysis: With extensive storage capabilities, SIEM solutions can tap into years of collected data to analyze data retrospectively. This activity is referred to as threat hunting, and it complements real-time incident detection and response. This criterion evaluates the solution’s capability to support analyst-driven searches of historic data for suspicious activity that evaded real-time detection.
  • Monitoring ephemeral resources: Ephemeral resources such as containers and serverless functions pose new security threats. These resources can be infected when they are alive, spun up by malicious actors, or fed malicious data. SIEM tools can integrate with monitoring tools for containerized and ephemeral environments to ingest data.
  • Data analysis and risk scoring: All SIEM vendors offer some basic behavioral analytics capabilities. Stronger solutions can leverage multiple ML models to analyze data, look for anomalies, and identify threats, then either flag them for analysts to investigate or respond automatically. Often, the resulting action is based on a calculated risk score, which can take into consideration the impact of the threat on the customer’s real-world environment.
  • Multitenancy: Multitenancy is typically a requirement reserved for large enterprises and MSSPs. This feature looks at a solution’s capability to handle multiple tenants and isolate them at various levels.

Table 2. Key Features Comparison

Rating scale: Exceptional, Superior, Capable, Limited, Poor, Not Applicable
Features scored: Alarm Fidelity & Self-Tuning, Data Enrichment, Case Management & Collaboration, Automation, Threat Hunting & Retrospective Analysis, Monitoring Ephemeral Resources, Data Analysis & Risk Scoring, Multitenancy
[Per-feature ratings not reproduced in the text version; average scores only]

Vendor          Average Score
Datadog         3.9
Devo            4.1
DNIF            1.6
Elastic         3.6
Exabeam         2.8
Fortinet        3.9
Graylog         3.3
Hunters         4.3
Huntsman        3.3
Logpoint        3.4
LogRhythm       3.1
Logsign         2.1
ManageEngine    3.1
Microsoft       3.6
NetWitness      2.6
OpenText        4.1
Panther Labs    2.1
Rapid7          2.6
Securonix       4.4
SolarWinds      1.6
Splunk          3.1
Sumo Logic      4
UTMStack        3.8

Emerging Features

  • Large language model (LLM) integrations: LLMs offer users a non-GUI way of interacting with the product. Via integrations with LLMs such as OpenAI’s GPT-4 or Anthropic’s Claude, SIEM tools can take commands in natural language. These can be used to write queries, generate reports, search through documentation, conduct threat hunting, or identify suggested next steps.
  • Cost optimization: Considering that SIEMs consume a large percentage of an organization’s security budget, solutions are being developed that help customers reduce their bill at a technology level as well as at a pricing level.
  • DevSecOps: Some SIEM solutions support DevOps practices in security operations teams, enabling them to define detection rules using code rather than applying them after development is complete. At a high level, this refers to the ability to manage and configure various aspects of a SIEM solution using code repositories, version control, and automated deployment processes.
  • Security content: While content offered as prepackaged rulesets and out-of-the-box integrations has been available in SIEM for a long time, some SIEM vendors are delivering security content to users as soon as new threats, vulnerabilities, and technologies are discovered and deployed.

Table 3. Emerging Features Comparison

Rating scale: Exceptional, Superior, Capable, Limited, Poor, Not Applicable
Features scored: LLM Integrations, Cost Optimization, DevSecOps, Security Content
[Per-feature ratings not reproduced in the text version; average scores only, blank where none is given]

Vendor          Average Score
Datadog         2.5
Devo            1.3
DNIF
Elastic         2.5
Exabeam         1.8
Fortinet        3
Graylog         2.3
Hunters         3.3
Huntsman
Logpoint        0.5
LogRhythm
Logsign
ManageEngine    1.3
Microsoft       2.8
NetWitness      1.8
OpenText        1.8
Panther Labs    2
Rapid7          0.5
Securonix       3
SolarWinds      0.5
Splunk          1.5
Sumo Logic      1.5
UTMStack        3.8

Business Criteria

  • Ecosystem: This business criterion evaluates a SIEM vendor’s partner ecosystem, which may include third-party MSPs, professional services providers, and channels to market. The ecosystem may also include specialized third-party tools and integrations with commonly deployed technologies.
  • Scalability: No SIEM can be infinitely scalable. Even cloud-based solutions that can scale up the underlying infrastructure to support more data have some limitations, as well as usability and performance concerns. However, solutions should be able to serve large deployments and respond to changes in the amount of data ingested.
  • Attack surface coverage: While most vendors talk about the types of logs their solution can ingest, this metric translates that information into the types of infrastructure and services the solution can support. For example, solutions must be able to support the data generated natively by various entities or be able to parse or normalize it, such as MQTT generated by IoT devices.
  • Documentation and support: To help customers in adopting and running the solution at the scale they need, vendors should offer comprehensive technical documentation and support services.
  • Threat research units: This business criterion evaluates whether the SIEM vendor operates an in-house threat research unit that can produce security content and reports and help customers navigate emerging threats.
  • Professional services: These are add-on services customers can purchase for instances falling outside of normal support use cases. They may include deployment, configuration, and calibration of the solution, incident response, security posture and compromise assessment, digital forensics, and the like.
  • Licensing: This criterion evaluates how a solution supports customers in managing their SIEM costs in a transparent and predictable way. Licensing models can be based on events per second (EPS), on GB ingested, or seat-based. They can include storage-related costs based on total retention, hot and cold storage, or pay-as-you-go and pay-as-you-grow mechanisms. Other considerations may be whether free tiers are available and whether other modules, such as UEBA and SOAR, are included in the base price.

Table 4. Business Criteria Comparison

Rating scale: Exceptional, Superior, Capable, Limited, Poor, Not Applicable
Criteria scored: Ecosystem, Documentation & Support, Scalability, Attack Surface Coverage, Threat Research Units, Professional Services, Licensing
[Per-criterion ratings not reproduced in the text version; average scores only]

Vendor          Average Score
Datadog         3.6
Devo            3.6
DNIF            1.7
Elastic         4.4
Exabeam         3.1
Fortinet        3.7
Graylog         4
Hunters         4.3
Huntsman        2.7
Logpoint        3.6
LogRhythm       3
Logsign         2.6
ManageEngine    3.1
Microsoft       4.1
NetWitness      3.6
OpenText        4.4
Panther Labs    1.7
Rapid7          3
Securonix       4.3
SolarWinds      2.4
Splunk          3.7
Sumo Logic      3.6
UTMStack        3.1

4. GigaOm Radar

The GigaOm Radar plots vendor solutions across a series of concentric rings with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrowhead that projects each solution’s evolution over the coming 12 to 18 months.

Figure 1. GigaOm Radar for SIEM

As you can see in Figure 1, vendors are spread throughout all quadrants of the Radar chart, with the majority on the platform side. They are categorized along the Feature/Platform axis depending on whether they natively offer SOAR capabilities, and along the Innovation/Maturity axis based on their scores across the emerging technologies and other novel features.

Noteworthy developments include the removal of IBM, which sold its security SaaS portfolio, including the SIEM business, to Palo Alto Networks. Logz.io also discontinued its SIEM product and has therefore been removed. In addition, though LogRhythm and Exabeam announced in May 2024 the intent to merge, they are evaluated as separate entities in this report. Three new vendors have been added: Devo, Hunters, and UTMStack.

In the Maturity/Feature Play quadrant, Rapid7, Splunk, SolarWinds, and Trellix offer purpose-built SIEM solutions, but SOAR-like capabilities, if any, are delivered through additional solutions. The Maturity/Platform Play quadrant has the largest concentration of vendors and includes Devo, DNIF, Exabeam, Huntsman, Logpoint, Logsign, ManageEngine, NetWitness, OpenText, and Sumo Logic. These vendors provide robust SIEM solutions that include native SOAR capabilities.

Vendors in the Innovation/Platform Play quadrant—Datadog, Elastic, Hunters, Securonix, and UTMStack—offer SIEM capabilities that natively integrate SOAR-like capabilities and score well across emerging technologies. Lastly, in the Innovation/Feature Play quadrant, Graylog, Fortinet, and Panther offer SIEM solutions that score well across emerging features but require separate solutions to implement orchestration and response capabilities.

In reviewing solutions, it’s important to keep in mind that there are no universal “best” or “worst” offerings; every solution has aspects that might make it a better or worse fit for specific customer requirements. Prospective customers should consider their current and future needs when comparing solutions and vendor roadmaps.

INSIDE THE GIGAOM RADAR

To create the GigaOm Radar graphic, key features, emerging features, and business criteria are scored and weighted. Key features and business criteria receive the highest weighting and have the most impact on vendor positioning on the Radar graphic. Emerging features receive a lower weighting and have a lower impact on vendor positioning on the Radar graphic. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and roadmaps.

Note that the Radar is technology-focused, and business considerations such as vendor market share, customer share, spend, recency or longevity in the market, and so on are not considered in our evaluations. As such, these factors do not impact scoring and positioning on the Radar graphic.

For more information, please visit our Methodology.

5. Solution Insights

Datadog

Solution Overview
As part of a wider portfolio of infrastructure observability, Datadog Cloud SIEM is built natively into the Datadog Observability and Security Platform and provides extended coverage of security services. Cloud SIEM is fully integrated with all of Datadog’s application and infrastructure monitoring products, allowing users to pivot seamlessly from a potential threat to relevant monitored data so as to quickly triage security alerts.

Datadog Cloud SIEM provides real-time monitoring, threat detection, and response capabilities across complex, dynamic cloud environments, leading to better protection against potential cyberattacks. Cloud SIEM applies advanced analytics to security-related logs from cloud environments, identity providers, and SaaS applications. Leveraging an extended set of data streams from the rest of the IT infrastructure, it uses application, infrastructure, and cloud provider logs to provide deeper insights into application and security activity. The solution supports niche use cases, such as generating a security signal to alert you automatically when a support administrator creates a new API or application key for a service.

Strengths
Case management features are built into the Datadog platform and take just one click from within Cloud SIEM. Cases can be created directly from security signals and alerts, and they get populated with all relevant telemetry data, analyst contacts, asset owners, and third-party messaging and issue-tracking links. War rooms can be easily created, and stakeholders can collaborate virtually with built-in co-screen meeting tools.

For data enrichment, Datadog Cloud SIEM offers threat-intelligence feeds curated by specialized threat-intelligence partners such as IPinfo and GreyNoise. This feature enriches all ingested logs with curated threat intelligence in real time, detecting activity from known threat actors and automatically surfacing relevant context within security alerts. The solution also includes information such as the activity category (for example, scanner, attack, or abuse) and the actor’s intention (such as malicious or benign, if known) as new attributes, providing rich context for users investigating security alerts. Threat intelligence also adds relevant context that reduces false positives and accelerates triage of security signals by automatically summarizing context from all triggering events.

Datadog can define automation logic using workflows and webhooks as script-based connectors that link Datadog to other tools. By setting up webhooks that respond to your Datadog security notifications, users can create simple, automated remediation workflows that neutralize threats in real time. Webhooks deliver their payloads to the services you want to automate whenever a detection rule is broken.

Cloud SIEM now provides native incident response capabilities, such as alerts, notifications, and automated remediations, to enable security teams to respond quickly to security incidents and mitigate them. It integrates with other Datadog services on the platform, such as triaging tools like case management and security automation through workflows. Newly released features include detection rule testing and unit testing, which incorporate detection-as-code methodologies to better integrate testing into the deployment workflows of newly built detections.

Datadog also offers Content Packs, a centralized hub for all out-of-the-box content related to an integration. Content Packs can contain pre-built detection rules, dashboards, workflow automation blueprints, or visual/graphical Investigator widgets. Customers can see a preview of this content prior to activating a content pack. Content Packs are available in the following categories: cloud audit, authentication, collaboration, network, cloud developer tools, and endpoint.

Challenges
Datadog scores lower on the data analysis and risk scoring key feature and does not currently offer integrations with large language models. It also scores lower on the professional services business criterion, as the vendor focuses on providing customers with an intuitive product experience but does not offer done-for-you professional services for deployment or configuration.

Purchase Considerations
Datadog’s business model is subscription-based SaaS. As a result, its products linked to volumes, like Indexed Logs and Cloud SIEM, are priced by volume. Datadog offers discounts for multiyear subscriptions or large volume deployments. On-demand prices are publicly available.

Cloud SIEM can be used for security threat detection, investigation, and response; rule testing using historical data; threat hunting; improved regulatory compliance and security auditing and reporting; threat intelligence; and historical trend analysis. As it is part of a wider observability platform, the solution also has access to infrastructure and application performance monitoring.

Radar Chart Overview
Datadog has moved from the Maturity/Feature Play quadrant to the Innovation/Platform Play quadrant, as it scores high on emerging technologies such as DevSecOps and now offers native SOAR-like capabilities with the SIEM solution. It has high scores on the decision criteria we evaluated, making it a Leader in this report.

Devo

Solution Overview
Devo’s comprehensive security operations products include Devo SIEM, which is part of the Devo Platform, a cloud-native SaaS-delivered solution with integrated SOAR, UEBA, and autonomous threat investigation and hunting.

In late 2022, Devo acquired LogicHub, a purpose-built SOAR vendor, and integrated its capabilities natively in the SIEM product. The solution also includes Devo HyperStream, a proprietary, real-time data analytics engine, and Devo DeepTrace for performing autonomous investigations and threat hunting. The Devo Exchange, a community-based app and marketplace that provides on-demand access to a growing library of curated security content created by Devo, partners, and customers, is free to every Devo customer.

Strengths
The vendor scores high on a large number of criteria described in the report, including alarm calibration, curation, and correlation; autonomous operations; behavioral analytics and contextual risk-based scoring; case management and collaboration; data and threat enrichment; retrospective analysis and threat categorization; and zero-day response. A distinguishing feature is that Devo includes 400 days of hot data with the platform, a longer period than is offered by other vendors featured in the report.

For alarm calibration and curation, the solution can use prepackaged alarm rules available in Devo Exchange. AI-triggered alarms can be single-metric or multimetric time-series anomaly detections that detect problems based on historical baselines. Devo Behavior Analytics, the vendor’s UEBA capability, is overlaid against alerts and cases to provide additional context and reduce false positive alarms.

Devo DeepTrace is an alert investigation and threat hunting capability that allows security analysts to autonomously perform full investigations on alerts or suspicious events. DeepTrace’s attack-tracing AI pieces together the activity of malicious users or external actors, enabling analysts to analyze and report results in the form of traces, which are artifacts that chronologically document each attack chain.

For contextual risk-based scoring, an entity analytics feature provides context for analysts, such as an “entity battlecard” that ties together valuable data points like the entity impact score and the alerts, investigations, and enrichments associated with the entity. It also provides visual representations that show the connections between entities and the outcomes of several machine-learning models.

The solution can collect binaries, URLs, and files for sandboxing, and it can perform volatile memory analysis at the time of an incident to detect threats hiding in RAM. Devo’s security research team, SciSec, offers its customers a proprietary threat intelligence feed, dubbed Collective Defense, for data collection and sharing. It delivers early warnings about emerging threats via cross-customer threat hunting analysis and accelerated investigations using validated and enriched threat intel from all participating Devo customers.

Challenges
Devo will implement the case management and collaboration capabilities inherited from the LogicHub SOAR acquisition into its wider platform. This means that the vendor needs to make adjustments to the case management system to also support SIEM-specific use cases.

Purchase Considerations
Devo offers three security packages, the Intelligent SIEM Starter, Intelligent SIEM, and Intelligent SIEM+. All three include Devo Analytics Cloud, the SaaS log analytics capability of the Devo Platform. The licensing metric for each package is data ingestion. All packages include SIEM, SOAR, and UEBA at no additional cost.

Each package supports unlimited users and includes 24/7 customer support, a customer success manager, 400 days of hot data, unlimited queries, the Devo Exchange, cloud usage costs, full platform management by Devo, and data encryption at rest and in flight.

With integrated SOAR and UEBA capabilities, Devo’s solution can be used to automate processes, orchestrate third-party tools, and monitor anomalous user and entity behaviors. It can also be used for a variety of other use cases, including services and IT infrastructure monitoring, application performance monitoring, network status and performance, and customer experience management, across multicloud and hybrid environments.

Radar Chart Overview
This is the first iteration of the report that features Devo. With an integrated SIEM and SOAR solution, the vendor is positioned in the Maturity/Platform Play quadrant. The company has a good release cadence, making it a Fast Mover. It has high scores in the decision criteria we evaluated, making it a Leader in this report.

DNIF

Solution Overview
DNIF HYPERCLOUD from NETMONASTERY is a cloud-native security analytics tool that brings the functionality of SIEM, UEBA, and SOAR into a single SaaS-delivered solution. DNIF HYPERCLOUD leverages SaaS deployment advantages to offer a fully managed, scalable product with database management and short deployment times. The solution onboards devices by auto-configuring itself to recognize log sources, auto-detecting the log type and attaching the required extractor, and auto-configuring enrichment with the correct enrichment buckets enabled.

DNIF HYPERCLOUD SIEM integrates data from multicloud platforms, machine data, modern enterprise applications, and enterprise users into a single scalable data lake. It uses advanced analytics and ML to deliver continuous visibility and actionable threat intelligence.

Strengths
The solution uses ML to analyze incoming data, develop an understanding of user behavior patterns, and find any deviations. It can analyze and identify anomalies and suspicious activities and investigate threats based on the ML models applied to the streams. Analysts can also view the list of signals raised for anomalies detected.

DNIF offers no-code ML frameworks with threat models via DNIF Query Language, Python Code Block for ML/Data Manipulation, and native support for Structured Query Language. The no-code ML model builder can be used to build behavior analytics services that track behavior across users, teams, and organizations.

For automation, DNIF supports orchestration capabilities as part of the common threat management workflow. The platform has a multitenant case management system built in.

For data enrichment, the solution can enrich events with threat intelligence, geo data, and organizational context before they are indexed. Threats are validated using third-party providers after they are raised as signals.

For alarm fidelity, the solution connects alerts across various correlation rules using graph-based ML techniques to visualize attributes, pre-alert normal events, and track the chain of events leading to a potential breach. The solution can map signals onto the MITRE ATT&CK framework to visualize attack progression across the stages.

Challenges
While SaaS deployment models have benefits for time to value and easier management, HYPERCLOUD’s SaaS-only deployment models won’t suit all enterprises, as some require other deployment models.

Purchase Considerations
DNIF’s solution comes in three plans–Essential, Professional, and Enterprise–with increasing pricing ranges and feature sets. Professional offers a library of detection workbooks and the Enterprise plan includes features such as UEBA. The solution can also include add-ons such as SOAR and network traffic analysis (NTA). DNIF HYPERCLOUD offers 365 days of hot retention, and there is no penalty on running analytics on older datasets.

DNIF supports a range of use cases, such as alert analysis with signal tagging, threat hunting, and investigation. With a built-in UEBA module (in the Enterprise plan), the solution can monitor user activity to detect suspicious behavior. The add-on SOAR capabilities allow users to orchestrate third-party security tools and automated response capabilities.

Radar Chart Overview
With its purpose-built SIEM solution that includes native SOAR capabilities, and given the new distribution of vendors in the chart, DNIF has moved from the Innovation/Platform Play quadrant to the Maturity/Platform Play quadrant. Due to a lack of major feature releases over the past year, DNIF is positioned as a Forward Mover. It has lower scores across the decision criteria we evaluated and is positioned as an Entrant in this report.

Elastic

Solution Overview
Elastic Security stands out from other SIEM solutions because it’s built on the open-source Elastic Search AI Platform, which the company continues to extend as “free and open.” It’s worth noting that other SIEM vendors are using Elasticsearch as the underlying engine to query and extract information from their databases.

With the latest 8.14 release, Elastic offers major features such as Attack Discovery, which triages large numbers of alerts to highlight only the significant ones; enhancements to Elastic AI Assistant for Security; and the Elasticsearch Query Language (ES|QL).

Elastic Security offers a superior user experience and an intuitive, dynamic, and highly responsive interface. Its seamless design, rapid search, and level of detail combine to rank it high on the threat hunting key feature. Furthermore, the platform features graphical views of events and timelines, which equips security analysts with the right tools to investigate long-term threats in a context-rich environment.

Strengths
The Elastic AI Assistant is a generative AI feature that allows users to interact with Elastic Security for tasks such as alert investigation, incident response, and query generation or conversion using natural language. The solution also uses retrieval-augmented generation (RAG) for alerts, which enables Elastic AI Assistant to give context about more alerts in the environment.

Elastic offers native orchestration and response capabilities powered by Elastic Agent. It provides a terminal-like interface that lets practitioners view and invoke response actions quickly, and it also offers self-cleaning via an automated remediation feature that erases attack artifacts from a system. When malicious activity is identified on a host, self-cleaning automatically returns the host to its pre-attack state by reversing changes implemented during the attack.

The latest anomaly detection modules enable the platform to perform several actions, such as identifying OS processes that show unexpected network activity and searching for unusual listening ports, unusual web URL requests from hosts, rare processes running on multiple hosts in a fleet or network, activity from users who are not normally active, and many other use cases.

Elastic Security supports excellent communication among security analysts by allowing annotations and comments on most functions, accompanied by full audit trails that ensure visibility across all the actions undertaken on the platform.

For risk scoring, Elastic Security can measure host and user risks to highlight suspicious entities. This feature uses a transform with a scripted metric aggregation to calculate risk scores based on alerts generated within the past five days for hosts or 90 days for users.

Challenges
Organizations interested in Elastic Security need to take into account the learning curve associated with using the product. While the product has extensive capabilities, organizations will see a longer time-to-value while they tune the alerting and train security analysts to use the solution.

Purchase Considerations
While the Elastic Stack is free and open, enterprises can choose among several paid Elastic Security plans, including Standard, Platinum, and Enterprise, each with increasing prices and feature sets. This report considers the solution’s capabilities as available with the Enterprise plan. Elastic Cloud can be deployed on any of the major public cloud providers—AWS, Azure, or Google Cloud. Customers who want to manage the software themselves, whether on public, private, or hybrid cloud, can download Elastic.

Elastic Security can cater to a wide variety of use cases, such as detection and investigation for both current threats and historical ones. With some built-in SOAR capabilities, the solution can orchestrate third-party applications and automate response capabilities. Elastic has powerful search capabilities, enabling analysts to parse large amounts of data. With services certified to meet compliance standards, it can also help organizations comply with various industry standard regulations.

Radar Chart Overview
Due to the new distribution of vendors in the Radar chart, Elastic has moved from the Maturity/Feature Play quadrant to the Innovation/Platform Play quadrant. Elastic scores high on emerging technologies such as LLM integrations and DevSecOps, and it offers native SOAR-like capabilities. With a consistent release train, Elastic is a Fast Mover and positioned in the Leaders circle.

Exabeam

Solution Overview
Exabeam Fusion SIEM combines XDR with the conventional capabilities of centralized data storage and compliance reporting, and it adds rapid and intelligent search. Fusion SIEM is a cloud-delivered solution that uses ML and automation for threat detection, analysis, and response. It also offers SOAR-like capabilities.

Exabeam’s Outcomes Navigator feature analyzes environments to assess the level of protection for specific use cases. Outcomes Navigator provides security engineers and leaders with an interactive view to compare their current coverage with the available product coverage, identifies gaps, and recommends ways to close them. This gives users an efficient way to gain visibility into security outcomes and take action to improve their security posture.

Fusion SIEM can be integrated with existing security stacks through many prebuilt integrations with technologies like endpoint protection systems, business support systems, network modules, and cloud environments. These integrations span the full threat detection and incident response (TDIR) lifecycle, from data ingestion and normalization to response automation.

Strengths
Fusion SIEM has a short time-to-value because it leverages prescriptive threat-centered use-case packages that provide repeatable workflows and prepackaged content that spans the entire TDIR lifecycle. These packages provide a standardized way to quickly achieve effective, repeatable security outcomes for specific threat types. They include all of the content necessary to operationalize that use case, including prescribed data sources, parsers, detection rules and models, investigation and response checklists, and automated playbooks.

A mature feature in the Fusion SIEM solution is the machine-built timelines that automatically gather evidence and assemble it into a cohesive step-by-step representation of an attack that can be used to perform an initial investigation.

The behavior analytics module, called Automated Incident Diagnosis, analyzes abnormal user activity to automatically classify incidents by threat-centric use cases and diagnose threats associated with an incident. It classifies the threats by use case to guide investigations with tailored checklists that prescribe the appropriate steps for resolving specific threat types. The UEBA module, known as Behavior-Based Detection, detects threats such as credential-based attacks, insider threats, and ransomware.

For risk scoring, Exabeam calculates a user or asset risk score depending on the score associated with events concerning user or asset sessions. For example, a session comprising five login events all with a score of 10 would have a total score of 50 assigned to it.

Challenges
Fusion SIEM is a cloud-delivered solution, so customers who require on-premises deployments via either physical or virtual appliances may not find the solution suitable. In addition, the platform could improve capabilities for the monitoring ephemeral resources key feature.

Purchase Considerations
Considering the recent merger announcement from Exabeam and LogRhythm, prospective buyers need to evaluate the long-term plan for integrating and running the two solutions. At the time of writing, there are very few details about how the resulting company and product will look, but the merging process will likely cause a medium-term disruption until the products and companies are integrated.

With a strong UEBA module, the solution can cater to a wide range of user behavior monitoring use cases, such as detecting data exfiltration and lateral movement. The SOAR-like capabilities allow users to define third-party tool orchestration and automated response capabilities. It’s also suitable for compliance requirements with industry-specific standards.

Radar Chart Overview
Exabeam maintains its position in the Maturity/Platform Play quadrant as the vendor offers a purpose-built SIEM with native SOAR-like features. In the previous iteration of the report, Exabeam was positioned in the Leaders circle, but this year, it falls in the Challengers circle. This is because the Radar report now uses a 0-5 point scale rather than a 0-3 point scale in its capabilities evaluation, and the scope for the features evaluated in the report has increased.

Fortinet

Solution Overview
Fortinet is a key player in the security space. Its FortiSIEM product consolidates its position in the market, and it ranks high on many key criteria described in the report, including data enrichment, collaboration, and automation. FortiSIEM enables true cross-team collaboration and integration, namely between the security operations center (SOC) and network operations center (NOC).

FortiSIEM encompasses all core SIEM capabilities including log management, event correlation, real-time alerting, and incident response. It enhances these features with native automation capabilities, simplifying the process of threat detection, analysis, and response. Furthermore, FortiSIEM can be extended with FortiSOAR, Fortinet’s solution for streamlining security operations center processes through orchestrated automated workflows.

Strengths
FortiSIEM’s distributed event correlation engine can detect complex threats in near real time. In this context, threats can be user or machine behavioral anomalies, specified in terms of event patterns sequenced over time. The FortiSIEM rule engine can include any data in a rule, such as performance and change metrics and security logs. This feature can generate a dynamic watch list that can be used recursively in a new rule to create a nested rule hierarchy and use the SIEM’s native configuration management database (CMDB) objects to define rules. The CMDB helps organizations to maintain a detailed inventory of all their IT assets and supports performance monitoring to ensure systems operate at optimal levels.

FortiSIEM also scores full marks on the automation criterion because it has automated many processes that were traditionally carried out by security and network analysts. These include infrastructure discovery, incident mitigation, and detecting network configuration changes. Customers with more advanced automation requirements can take advantage of FortiSOAR, a standalone product that can be integrated with and enhance the SIEM solution but must be separately deployed.

FortiSIEM’s rapid-scale architecture allows organizations to scale up the platform quickly by deploying additional worker and collector nodes. This scalability, combined with the platform’s multitenancy capability, makes Fortinet’s SIEM suitable for MSSPs. FortiSIEM has a built-in ticketing feature and can also integrate with third-party ticketing systems.

FortiSIEM’s ML-based UEBA models offer a built-in rules library for use cases such as login behavior anomalies. The behavioral anomaly rules work out of the box but can also be adapted by users for their own environment. A framework is provided so users can write new rules via the GUI, test them with real events, and then deploy in production. Additionally, the solution includes an agent-based file integrity monitoring (FIM) system that helps in monitoring changes to files, ensuring the changes are tracked and recorded for security auditing and compliance purposes.

A distinguishing feature is FortiSIEM’s business service, which allows the prioritization of incidents and performance metrics from a business service perspective, which, in the FortiSIEM context, is defined as a container of relevant devices and applications serving a common business purpose.

Fortinet further solidifies its strong position for MSSPs with the new release of FortiSIEM Manager, which can be used to monitor and manage multiple FortiSIEM instances. It is available as a VM, a hardware appliance, and a SaaS model, catering to diverse organizational needs and infrastructural setups.

Challenges
FortiSIEM could improve the breadth of potential use cases by integrating SOAR-like capabilities natively, as well as by further developing UEBA functions.

Purchase Considerations
FortiSIEM’s licensing model is based on events per second, number of agent log collectors and file integrity monitoring agents, number of UEBA endpoint collector agents, and an add-on fee for Fortinet’s indicators of compromise (IoC) service. MSSPs can use a consumption-based mechanism that consists of an annual fee plus the number of devices monitored, number of advanced agents, and number of UEBA endpoint telemetry collector agents.

FortiSIEM can be used for log management, compliance management, incident detection, case management, and performance monitoring. The solution can be used for various issue alerting possibilities, whether from application, cloud, network, server, or storage performance. Other use cases can include host discovery, network discovery, brute force logon attempts, malware and ransomware detection, and credential theft and harvesting.

Radar Chart Overview
Fortinet is positioned in the Innovation/Feature Play quadrant. It has high scores in the decision criteria we evaluated and is a Leader in this report. It offers a purpose-built SIEM solution and FortiSOAR product and has high scores on emerging technologies such as LLM integrations, cost optimization, and security content. With a consistent feature release train, Fortinet is a Fast Mover.

Graylog

Solution Overview
Graylog Security is a comprehensive SIEM solution built on the Graylog platform, an SSPL-licensed (source-available) centralized log management solution designed for log data aggregation, analysis, and management. The SIEM solution offers anomaly detection services built on prepackaged content, known as Graylog Illuminate, which addresses common cybersecurity and log management functions, such as correlation and alerting, dashboards, dynamic lookup tables, scheduled reports, search templates, streams, and pipelines for routing log messages into categories.

Graylog is focused on offering use-case specific content, such as Threat Detection Rules, Anomaly Detection, Saved Searches for Threat Hunting, and Dashboards. These are generated in partnership with SOC Prime, a cyberdefense platform that provides a threat detection marketplace, with exclusive content packs available to Graylog customers.

Strengths
Graylog’s alerting mechanism works by performing periodic searches that trigger notifications when a defined condition is satisfied. Alert time frames can be set to search only a specific period in the past and to run the searches only at certain intervals. Log data is aggregated, and an alert fires when a statistical computation over the aggregated results meets the configured condition. Aggregation has been improved to group results by fields, allowing individualized alerts per field value. Multiple groupings can also be created per alert.
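The periodic, aggregation-driven alert pattern described above, written out as an added example that is not Graylog code. It assumes a hypothetical key=value log format with an ISO-8601 `ts` field, and the sample log lines, alert names, thresholds, and search windows are constructed for the illustration. The same definition is run twice, once grouped by source IP and once by source IP and user, so each distinct group gets its own alert, and events outside the search time frame are ignored.

```python
"""
Scheduled aggregation alert over raw log lines (added illustration, not Graylog code).
Assumptions (hypothetical): lines are space-separated key=value pairs carrying an
ISO-8601 'ts' field; alert definitions and sample events below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed sample log lines (not real data): failed and successful logins.
SAMPLE_LOGS = """\
ts=2024-05-01T10:00:05Z event=auth_failure user=alice src_ip=10.0.0.7
ts=2024-05-01T10:00:09Z event=auth_failure user=alice src_ip=10.0.0.7
ts=2024-05-01T10:00:14Z event=auth_failure user=bob src_ip=10.0.0.7
ts=2024-05-01T10:00:20Z event=auth_failure user=alice src_ip=10.0.0.7
ts=2024-05-01T10:00:31Z event=auth_failure user=carol src_ip=198.51.100.9
ts=2024-05-01T10:00:40Z event=auth_success user=carol src_ip=198.51.100.9
ts=2024-05-01T09:40:00Z event=auth_failure user=alice src_ip=10.0.0.7
ts=2024-05-01T09:40:01Z event=auth_failure user=alice src_ip=10.0.0.7
"""


def parse_line(line: str) -> Dict[str, str]:
    """Parse 'k=v k=v ...' into a dict, skipping tokens that carry no '='."""
    fields: Dict[str, str] = {}
    for tok in line.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
    return fields


def parse_ts(value: str) -> datetime:
    """Accept the trailing 'Z' form that fromisoformat() rejects on older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


@dataclass
class AggregationAlert:
    name: str
    filter_field: str
    filter_value: str
    group_by: Tuple[str, ...]      # one or more fields; each distinct tuple alerts separately
    threshold: int                 # condition: count >= threshold
    search_within: timedelta       # only search this far into the past

    def evaluate(self, lines: Iterable[str], now: datetime) -> List[dict]:
        """One scheduled run: filter, bound by time frame, aggregate, test the condition."""
        window_start = now - self.search_within
        counts: Dict[Tuple[str, ...], int] = defaultdict(int)
        for raw in lines:
            ev = parse_line(raw)
            if ev.get(self.filter_field) != self.filter_value:
                continue
            ts = parse_ts(ev["ts"])
            if not (window_start <= ts <= now):
                continue               # outside the configured search time frame
            key = tuple(ev.get(f, "<missing>") for f in self.group_by)
            counts[key] += 1
        return [
            {"alert": self.name, "group": dict(zip(self.group_by, key)), "count": n}
            for key, n in sorted(counts.items())
            if n >= self.threshold
        ]


def run_scheduled_search(now_iso: str = "2024-05-01T10:01:00Z") -> List[dict]:
    """Evaluate two groupings of the same condition at the given 'now' (constructed)."""
    now = parse_ts(now_iso)
    by_ip = AggregationAlert("ssh_bruteforce_by_ip", "event", "auth_failure",
                             ("src_ip",), threshold=3, search_within=timedelta(minutes=5))
    by_ip_user = AggregationAlert("ssh_bruteforce_by_ip_user", "event", "auth_failure",
                                  ("src_ip", "user"), threshold=3, search_within=timedelta(minutes=5))
    lines = SAMPLE_LOGS.splitlines()
    return by_ip.evaluate(lines, now) + by_ip_user.evaluate(lines, now)


if __name__ == "__main__":
    for alert in run_scheduled_search():
        print(alert)
```

With the constructed data, the run at 10:01 raises one alert for 10.0.0.7 (four failures) and one for the (10.0.0.7, alice) pair (three failures); the two 09:40 lines fall outside the five-minute search window and do not count. A run at 09:45 sees only those two lines and raises nothing.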

Illuminate offers index-on-write and data organizing with pipelines and streams so that data is well structured and searches can be limited to the relevant data set. The Anomaly Detection module uses the Graylog environment structured by Illuminate, which receives log data, then normalizes and enriches it. Graylog then feeds the enriched data into the Anomaly Detection tool, which breaks the data into time slices and looks for data points outside the expected range based on historical data.

When anomalous data points are detected, they are logged into a special anomaly index in the Graylog instance. Users can create alerts and receive notifications regarding these anomalies based on configuration settings. Additionally, these anomalies are represented on security dashboards with various customizable widgets, offering users interactive and actionable analytics.

The anomaly detection module can self-learn with a minimum amount of historical data, improve over time without manual tuning, and adapt to new data sets. To define baselines, the module combines user, entity, and network profiling. Graylog’s anomaly detection feature aggregates, normalizes, and correlates events such as unauthorized web activity, new host authentication, authentication using a new application, account creation and deletion, short-lived account creation, and local and global privilege escalation.
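The time-slice approach described in the three paragraphs above, as an added example rather than Graylog's Anomaly Detection module: events are bucketed into fixed slices per entity, a baseline is learned from a minimum amount of history, each new slice is compared with the expected range, and normal slices are fed back into the baseline so it adapts without manual tuning. The event source, entity names, slice width, thresholds, and sample history are all constructed assumptions. The floor on the standard deviation and the minimum absolute delta are there for the failure mode of a perfectly flat history, where a tiny fluctuation would otherwise be flagged.

```python
"""
Per-entity time-slice anomaly detection with a self-learning baseline.
Added illustration, not Graylog's detector. Assumptions (hypothetical): events arrive as
(timestamp, entity) pairs already normalized upstream; slices are one hour wide; the
sample activity below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Tuple

SLICE = timedelta(hours=1)
MIN_HISTORY = 4        # slices to observe before scoring an entity
Z_THRESHOLD = 3.0      # expected range is mean +/- 3 sigma
MIN_ABS_DELTA = 5      # ignore tiny deviations on flat, low-variance entities
START = datetime(2024, 5, 1, 0, 0)


def build_sample_events(start: datetime = START) -> List[Tuple[datetime, str]]:
    """Constructed sample: alice ~10 logins/hour then a burst; svc-backup flat at 100/hour."""
    alice_per_hour = [10, 12, 9, 11, 10, 12, 60]
    backup_per_hour = [100, 100, 100, 100, 100, 100, 104]
    events = []
    for h, (a, b) in enumerate(zip(alice_per_hour, backup_per_hour)):
        slot = start + h * SLICE
        events += [(slot + timedelta(seconds=i), "alice") for i in range(a)]
        events += [(slot + timedelta(seconds=i), "svc-backup") for i in range(b)]
    return events


def slice_counts(events, start: datetime, n_slices: int) -> Dict[str, List[int]]:
    """Bucket events into fixed slices per entity; empty slices count as zero."""
    counts: Dict[str, List[int]] = defaultdict(lambda: [0] * n_slices)
    end = start + n_slices * SLICE
    for ts, entity in events:
        if start <= ts < end:
            counts[entity][int((ts - start) / SLICE)] += 1
    return counts


class BaselineDetector:
    def __init__(self) -> None:
        self.history: Dict[str, List[int]] = defaultdict(list)  # normal slices only

    def observe(self, entity: str, count: int):
        """Score one slice against the entity's history; learn from it if it was normal."""
        hist = self.history[entity]
        if len(hist) < MIN_HISTORY:
            hist.append(count)          # still warming up; nothing to compare against
            return None
        mu = mean(hist)
        sigma = max(pstdev(hist), 1.0)  # floor so a flat history is not brittle
        band = Z_THRESHOLD * sigma
        delta = abs(count - mu)
        anomalous = delta > band and delta >= MIN_ABS_DELTA
        if not anomalous:
            hist.append(count)          # adapt the baseline, but never learn from outliers
        return {"entity": entity, "count": count,
                "expected_range": (round(mu - band, 2), round(mu + band, 2)),
                "anomalous": anomalous}


def detect(events, start: datetime = START, n_slices: int = 7) -> List[dict]:
    """Replay slices in time order across all entities and return every scored slice."""
    counts = slice_counts(events, start, n_slices)
    detector = BaselineDetector()
    scored = []
    for idx in range(n_slices):
        for entity in sorted(counts):
            result = detector.observe(entity, counts[entity][idx])
            if result is not None:
                result["slice_start"] = (start + idx * SLICE).isoformat()
                scored.append(result)
    return scored


def run_demo() -> List[dict]:
    """Only the slices that would be written to an anomaly index and alerted on."""
    return [r for r in detect(build_sample_events()) if r["anomalous"]]


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

On the constructed data, alice's seventh hour (60 events against a baseline near 10) is the only anomaly; svc-backup's 104 in a history of 100s exceeds the three-sigma band only because the band was floored, and the absolute-delta guard keeps it from firing.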

Challenges
The solution should improve its automation capabilities to support playbook builders, which can provide a no-code method for automating tasks within the product. Graylog should also further develop its multitenancy features to introduce data segregation and infrastructure isolation capabilities.

Purchase Considerations
Graylog has three different versions. Graylog Open is freely available as a self-managed, SSPL-licensed (source-available) centralized log management solution designed for log data aggregation, analysis, and management. Graylog Enterprise is licensed using a consumption-based subscription model based on daily data allowances. Enterprise adds onto Graylog Open with data and user management features, including continuous updates to log processing and enrichment. Lastly, Graylog Security is also licensed using a consumption-based subscription model based on daily data allowances and adds relevant security features to Graylog Enterprise, including anomaly detection, investigations, asset context, and continuous updates, providing value-added content such as Sigma rules, dashboards, and anomaly detectors. This report evaluates features as available under Graylog Security.

Graylog’s Illuminate is an ongoing content delivery service, providing customers with ready-to-use content, including correlation rules, aggregation rules, anomaly detectors, Sigma rules, saved searches, and dashboards aligned to specific security and compliance use cases.

Radar Chart Overview
Compared to the last iteration of the report, Graylog has moved from the Maturity/Platform Play quadrant to the Innovation/Feature Play quadrant due to the new method of distributing vendors in the Radar chart. Graylog scores well on emerging features such as cost optimization and security content but does not offer native SOAR capabilities. The vendor has a good development pipeline, making it a Fast Mover. It scored well on the decision criteria we evaluated, making it a Leader in this report.

Hunters

Solution Overview
The Hunters SOC Platform is a cloud-native security operations solution delivered as a multi-tenant SaaS offering that runs on AWS and Snowflake or Databricks. It ingests, normalizes, and analyzes data from all security and IT sources so that security teams are connected to organizational data without having to deploy and maintain ingestion pipelines. The platform delivers built-in and regularly updated detection capabilities based on the MITRE ATT&CK framework that do not require analysts to regularly build and maintain detection rules.

Hunters leverages commercial data warehouse technologies such as Snowflake and Databricks to scale to large data volumes cost-effectively. It has an open security data lake strategy that allows customers to bring their own warehouses, or it can manage the data infrastructure on the customers’ behalf.

Strengths
Hunters’ distinguishing capabilities for alert calibration, curation, and correlation stem from its pre-built and continuously validated library of detection and investigation capabilities that automatically manage content at scale. The detectors are preverified on real-world customer data to reduce false positives and excessive alerting, then deployed directly to all customer tenants without requiring any action or tweaking. The threat coverage of the organization is automatically mapped onto the MITRE ATT&CK framework. Some of Hunters’ detectors rely on AI/ML models, and customers can customize and build their own to address their bespoke use cases. Through the multitenant architecture, the vendor continuously tunes and optimizes analytics based on data from all tenants.

Upon detection, the solution automatically enriches and contextualizes data using various sources from the customer’s environment, including network, host, and identity data. Hunters’ research team constantly builds scoring functions that are mapped to entity types and different detectors. Each scoring function can make a decision based on the data extracted in the detection phase, investigation phase, and static context like asset sensitivity.

Hunters’ detection mechanism is capable of backfilling: new detection capabilities are always researched and run against historical data. This works for tactics, techniques, and procedures (TTP) detectors as well as for IoCs, and it is based on an architecture that lets users efficiently run new IoCs against historical data and match previously seen IoCs against updated feeds.

Hunters’ graph-based correlation engine connects events across multiple data sources, creating detailed attack “stories.” This provides a holistic view of threats, helping customers understand the entire timeline of an attack and respond effectively. Threat Clustering is a method applied to every detector, aggregating new leads with other similar leads, reducing redundant triage efforts. The clustering is based on similarities in malicious intent, impact, and/or context, which are uniquely defined for each detector. Threat Clustering uses two levels of aggregation, allowing analysts to quickly identify and scope the root cause of a threat, its prevalence, and its impact on the organization.

Some of Hunters’ newly released features include host investigation, which provides a host-specific timeline of raw data ingested in relation to a specific host; multiple data lake support for running on either Snowflake or Databricks; SQL-as-Detection for advanced detection use cases leveraging the power of SQL directly against the data lake backend; Detection-as-code for building GitOps-based detections and interacting with the platform as part of the CI/CD process; and Workflows for defining no-code automation playbooks for ticketing, chatops, email, or other systems.

Challenges
Hunters is an opinionated platform that offers less flexibility than some solutions, especially compared to solutions built on top of open source software. This approach can be both an advantage and a disadvantage depending on the level of control needed and willingness to invest development resources.

Purchase Considerations
Hunters’ license is based on the number of customer entities monitored, with unlimited data ingested per entity. A license is required for every monitored endpoint, workstation, server, virtual machine, and EC2 instance within the monitored environment. Ephemeral devices can be counted using a daily average of those devices visible over the course of a 30-day period. The company offers two data lake options— customers can bring their own Snowflake or Databricks and pay those companies directly for credit consumption, or they can purchase a Hunters-managed data lake with storage terms up to 36 months.

The Hunters solution can be used to automatically triage, enrich, cluster, and prioritize alerts; automate and streamline incident response workflows; identify and respond to cloud-specific threats while continuously monitoring cloud environments; detect and respond to on-premises threats in real time; and correlate data across endpoints and networks using advanced analytics. It is also multitenant-friendly for MSSPs, enabling them to deliver comprehensive security services to their clients.

Radar Chart Overview
This is the first iteration of the SIEM report that features Hunters. The vendor is positioned in the Innovation/Platform Play quadrant, scoring well on emerging features such as LLM integrations and DevSecOps, as well as offering native SOAR-like capabilities. With a consistent release train, Hunters is a Fast Mover. It has high scores in the decision criteria we evaluated, making it a Leader in this report.

Huntsman

Solution Overview
Huntsman Security is an Australian company with a strong presence in the UK market and clients in the private and public sectors, including defense, intelligence, and law enforcement agencies. Its SIEM offering includes SIEM Enterprise and SIEM MSSP, each with a strong focus on simplifying and optimizing security operations through automation and workflow support. Huntsman also provides an integrated SOAR solution and an optional scorecard module that gives details about a system’s patch status and software versions in addition to misconfigurations and other vulnerabilities.

Huntsman’s SIEM solution is a single product, delivered as software, and deployable on-premises or in public and private cloud environments, but the vendor does not currently offer a SaaS option. Its SIEM MSSP product supports multitenancy to manage business units as separate silos or as federated units managed by a single team able to share threat intelligence across multiple end customers.

Strengths
Huntsman’s patented Behaviour Anomaly Detection (BAD2) engine is integrated into its SIEM to provide real-time ML capabilities to detect unknown threats. BAD2 supports use cases such as higher or unusual volumes of network session or user traffic on a per-user or per-host basis, volumes of events such as file accesses or other activity on hosts and workstations, changes in the usage profile of application servers, or query operations on databases and changes in the frequency or prevalence of operations. The detection engine adapts to changes and trends over time, either adjusting and relearning “normal” values or using fixed, preset baselines, depending on the nature of the environment and risk.

Huntsman Security’s Enterprise SIEM, with fully integrated SOAR and MITRE ATT&CK analysis capabilities, is a cybersecurity analytics platform that deploys across large or small customer organizations to provide a complete cyberthreat detection and incident management, response, and reporting system.

For MSSPs and larger or federated organizations, Huntsman’s solution supports the creation of multitenancy silos of data, reports, policies, and alerts to enable simultaneous handling of multiple MSSP customers or organizational units from a single instance. The segmentation permits separate business units or the security operations of large or federated organizations to be managed separately.

For alarm fidelity, rules are created or customized in the GUI by selecting from drop-downs and tick boxes covering alert logic definition (triggers, correlators, and reference sources), alert text, recipients, and actions (emails, reports, scripts/workflows, and the like). The SIEM solution correlates across different event types using a multistage correlator that caches key event data in RAM for real-time matching. Data is checked against open alert descriptors to see if further conditions are met. Alerts trigger when all conditions are met or expire if time windows elapse. Correlation rules can be combined with behavioral rules to refine anomalous alerts and/or minimize false positives.
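The multistage correlation model sketched in the paragraph above, as an added example that is not Huntsman's engine: each rule is an ordered list of stages keyed on shared event fields, a partially matched chain lives in memory as an open descriptor, the alert fires only when every stage's condition has been met, and descriptors whose time window has elapsed expire without alerting. The rule (three failed logins, then a success, then an addition to a privileged group from the same source IP), the event schema, and the sample stream are constructed assumptions.

```python
"""
In-memory multistage correlator with open-alert descriptors and window expiry.
Added illustration, not Huntsman's correlator. Assumptions (hypothetical): events are
dicts with 'ts', 'type' and attribute fields, delivered in time order; the rule and the
sample stream below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple


@dataclass
class Stage:
    name: str
    match: Callable[[dict], bool]
    min_count: int = 1              # e.g. "at least N hits" before the chain advances


@dataclass
class CorrelationRule:
    name: str
    key_fields: Tuple[str, ...]     # events correlate when these fields agree
    stages: List[Stage]
    window: timedelta               # whole chain must complete within this window


@dataclass
class OpenDescriptor:
    """One partially matched chain, cached in RAM under the rule's correlation key."""
    opened_at: datetime
    stage_idx: int = 0
    stage_hits: int = 0
    evidence: List[dict] = field(default_factory=list)


class Correlator:
    def __init__(self, rules: List[CorrelationRule]) -> None:
        self.rules = {r.name: r for r in rules}
        self.open: Dict[tuple, OpenDescriptor] = {}
        self.alerts: List[dict] = []
        self.expired = 0

    def _expire(self, now: datetime) -> None:
        """Drop descriptors whose window elapsed before all conditions were met."""
        stale = [k for k, d in self.open.items()
                 if now - d.opened_at > self.rules[k[0]].window]
        for k in stale:
            del self.open[k]
        self.expired += len(stale)

    def feed(self, ev: dict) -> None:
        self._expire(ev["ts"])
        for rule in self.rules.values():
            key = (rule.name, tuple(ev.get(f) for f in rule.key_fields))
            desc = self.open.get(key)
            stage = rule.stages[desc.stage_idx if desc else 0]
            if not stage.match(ev):
                continue                      # only the chain's current stage may advance it
            if desc is None:
                desc = self.open[key] = OpenDescriptor(opened_at=ev["ts"])
            desc.stage_hits += 1
            desc.evidence.append(ev)
            if desc.stage_hits < stage.min_count:
                continue
            desc.stage_idx += 1
            desc.stage_hits = 0
            if desc.stage_idx == len(rule.stages):   # every condition met: raise and close
                self.alerts.append({"rule": rule.name,
                                    "key": dict(zip(rule.key_fields, key[1])),
                                    "events": len(desc.evidence)})
                del self.open[key]


def build_rule() -> CorrelationRule:
    return CorrelationRule(
        name="bruteforce_then_privesc",
        key_fields=("src_ip",),
        stages=[
            Stage("repeated_failures", lambda e: e["type"] == "auth_failure", min_count=3),
            Stage("then_success", lambda e: e["type"] == "auth_success"),
            Stage("then_sudo_group_add",
                  lambda e: e["type"] == "group_add" and e.get("group") == "sudo"),
        ],
        window=timedelta(minutes=10),
    )


def build_sample_stream() -> List[dict]:
    """Constructed events: one full chain from 10.0.0.7, one that stalls from 203.0.113.5."""
    def t(m: int, s: int) -> datetime:
        return datetime(2024, 5, 1, 10, m, s)
    return [
        {"ts": t(0, 0), "type": "auth_failure", "src_ip": "10.0.0.7", "user": "alice"},
        {"ts": t(0, 5), "type": "auth_failure", "src_ip": "10.0.0.7", "user": "alice"},
        {"ts": t(0, 10), "type": "auth_failure", "src_ip": "10.0.0.7", "user": "alice"},
        {"ts": t(0, 12), "type": "auth_failure", "src_ip": "203.0.113.5", "user": "bob"},
        {"ts": t(0, 13), "type": "auth_failure", "src_ip": "203.0.113.5", "user": "bob"},
        {"ts": t(0, 14), "type": "auth_failure", "src_ip": "203.0.113.5", "user": "bob"},
        {"ts": t(0, 20), "type": "auth_success", "src_ip": "203.0.113.5", "user": "bob"},
        {"ts": t(0, 30), "type": "auth_success", "src_ip": "10.0.0.7", "user": "alice"},
        {"ts": t(1, 0), "type": "group_add", "src_ip": "10.0.0.7", "user": "alice", "group": "sudo"},
        {"ts": t(15, 0), "type": "auth_success", "src_ip": "192.0.2.1", "user": "carol"},
    ]


def run_demo() -> Correlator:
    correlator = Correlator([build_rule()])
    for ev in build_sample_stream():
        correlator.feed(ev)
    return correlator


if __name__ == "__main__":
    c = run_demo()
    print(c.alerts, "expired:", c.expired)
```

Fed the constructed stream, the correlator raises one alert for 10.0.0.7 backed by five events, while the 203.0.113.5 chain, which reached the success stage but never saw a group change, is expired by the unrelated 10:15 event and leaves no open descriptors behind.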

Challenges
Huntsman has been focused primarily on Australian and UK compliance requirements and public sector customers. As it moves into other markets, it may need to develop reporting capabilities for a wider range of compliance regimes.

Purchase Considerations
Huntsman supports three licensing models—a CapEx-based model, which is a traditional software license model with support renewed annually; an OpEx-based model for periodic subscription; and a pay-as-you-go model for highly flexible usage-based utility billing. License fees are based on events per second but can be converted to other scaling metrics, such as per user or per device.

The Huntsman SIEM solution can cater to a variety of use cases, particularly for meeting compliance standards and requirements in highly regulated industries. With the anomalous behavior detection, the solution can track and audit user activity to protect against unauthorized access. It can also be used for threat hunting, investigation, orchestration of third-party services, and response automation.

Radar Chart Overview
Compared to the last iteration of the report, Huntsman has moved from the Maturity/Feature Play quadrant to the Maturity/Platform Play quadrant due to the new way of distributing vendors on the chart. The vendor offers a purpose-built SIEM solution that provides native SOAR capabilities as well. With a good development pipeline, Huntsman is a Fast Mover, and a comprehensive feature set positions it in the Challengers circle.

Logpoint

Solution Overview
Logpoint, headquartered in Copenhagen, Denmark, offers a solid SIEM solution with exceptional security and privacy controls. Its distinguishing feature is its high level of compliance, having been awarded Common Criteria EAL3+ certification in 2015 and 2020, and a SOC 2 Type II attestation in 2023. To achieve and maintain EAL3+ certification, the highest Common Criteria assurance level achieved by any SIEM vendor, the on-premises solution is developed on a hardened OS maintained by Logpoint. This makes the Logpoint SIEM eminently suitable for deployment in highly regulated industries, including national governments and international agencies.

Logpoint has converged SIEM, SOAR, EDR, and UEBA capabilities into a single end-to-end security operations platform. Supported by case management and threat intelligence features, Logpoint ensures a converged experience both with on-premises and in cloud-hosted deployments.

Logpoint has taken a modular approach to security monitoring and analytics. The Logpoint SIEM, which can be deployed as a single physical appliance or as software spread across multiple physical or virtual servers, provides basic log management, incident detection, and investigation capabilities. Logpoint’s Director for SIEM module provides multitenancy capabilities for MSSPs or large enterprise deployments.

Strengths
Logpoint ranks high on threat hunting, offering security analysts a wide range of features for searching vast amounts of information and creating macros. It leverages ML-enabled UEBA capabilities and integrates the MITRE ATT&CK framework as visualizations and predefined alerts mapped to the techniques.

Logpoint offers predictable pricing based on the number of devices sending logs to the SIEM solution rather than data volume or events per second (EPS). It also uses a tiered storage model to provide more economical storage for compliance data while maintaining ready access to data needed for analytics.

Besides being compliant across many industries and regulations, the solution is also distinguished by its business integrity monitoring, which looks to detect fraud and financial and value-chain anomalies. This helps analysts eliminate financial and reputational losses in organizations by detecting flaws and deviations from standards in business processes that are vulnerable to fraud.

Logpoint uses threat intelligence data, vulnerability data, asset information, security configuration templates, OpenSCAP, and many more sources combined into a single view. Mapping cyber threat intelligence (CTI) data and vulnerability data enables the system to achieve a higher level of contextual information about observations in the SIEM solution. Coupling this information with an understanding of potentially non-compliant machines, machines that fail Security Content Automation Protocol (SCAP) tests, and so on allows for a structured approach to risk scoring, driven by ML.

Challenges
While Logpoint scores well across most key features and business criteria, the SIEM solution could be improved to include emerging features such as LLM integrations, cost optimization, and DevSecOps capabilities.

Purchase Considerations
Logpoint’s licensing model depends on the modules used by customers. The on-premises SIEM is licensed by number of devices (nodes) sending data, and the SaaS SIEM by data ingestion and retention.

SOAR is licensed by the number of concurrent analysts. Every Logpoint SIEM license (both on-premises and SaaS) includes one SOAR seat and AgentX at no additional cost. UEBA is licensed by the number of users and entities the customer wants to track.

Logpoint’s unified SIEM, UEBA, and SOAR, as well as the EAL3+ certification, make it suitable for a wide range of use cases, such as security log ingestion and management, orchestration of third-party services, and automated response, as well as monitoring of user activity for privilege escalation and unauthorized access behaviors.

Radar Chart Overview
Logpoint has moved from the Maturity/Feature Play quadrant to the Maturity/Platform Play quadrant in this iteration of the report due to the new distribution of vendors across the chart. The company offers a purpose-built SIEM solution with native SOAR capabilities, and its slower pace of feature releases makes it a Forward Mover in the report. The report’s move from a 0-3 point scale to a 0-5 point scale, and the increase in scope for the features evaluated are contributing factors as to why Logpoint moved from the Leaders circle to the Challengers circle.

LogRhythm

Solution Overview
The LogRhythm SIEM delivers comprehensive security analytics, UEBA, network traffic analysis, and SOAR within a single, integrated platform for threat detection, response, and neutralization. LogRhythm offers two SIEM flavors: LogRhythm SIEM, which can be deployed on-premises, and LogRhythm Axon, a cloud-native alternative.

LogRhythm’s NetMon, a self-hosted network traffic analytics tool, provides real-time visibility to monitor an organization’s entire network. LogRhythm UEBA extends SIEM detection capabilities and offers extra layers of security monitoring and ML to detect user-based anomalies, helping analysts prioritize the findings for investigation and response.

Strengths
The platform ranks high on advanced analytics, offering comprehensive ML models in UEBA and network detection and response (NDR) and a wide variety of out-of-the-box deterministic rules in the AI engine. It provides event progression rule alerting and creates the base architecture for IoC-based AI engine rules to be auto-deployed within the organization’s environment. The solution can also integrate pretuned AI engine rules for any environment, offering dynamic ranking for emerging threat severity.

For alert tuning, LogRhythm’s false positive probability feature is used in the risk-based priority calculation for AI engine rules. It estimates how likely the rule is to generate a false positive. A low value indicates the pattern the rule matches is almost always a true positive, while a high value indicates the pattern the rule matches is very likely to be a false positive.

LogRhythm’s Financial Fraud Detection module can assist financial institutions that collect transactional data with LogRhythm in identifying and preventing fraudulent activity on their customers’ accounts. The NDR module detects unusual or malicious user activity occurring within customers’ networks by using deep forensic visibility into network traffic to detect a wide variety of advanced threats.

The solution also has capabilities to monitor ephemeral resources, protect containers against cryptomining malware, use malicious keywords to locate unapproved containers, and discover the location where the attack originated.

Challenges
LogRhythm scores lower across the emerging features described in the report, such as LLM integrations and DevSecOps suitability. This means that the company may be behind competitors for organizations that are looking to integrate DevOps-like processes into their security operations or to use LLMs as an additional way of interacting with the solution besides graphical user interfaces.

Purchase Considerations
Considering the recent merger announcement between Exabeam and LogRhythm, prospective buyers need to evaluate the long-term plan for integrating and running the two solutions. At the time of writing, there are very few details about how the resulting company and product will look, but the merging process will likely cause a medium-term disruption until the products and companies are integrated.

With integrated SOAR and UEBA capabilities, the LogRhythm solution is able to automate response workflows and orchestrate third-party tools for remediation purposes. The UEBA module can detect anomalous user and entity behaviors. The solution is also suitable for compliance purposes, offering a range of out-of-the-box reports, including for ISO 27001, PCI DSS, and HIPAA.

Radar Chart Overview
LogRhythm is positioned in the Maturity/Platform Play quadrant, as it offers a well-established SIEM with integrated SOAR capabilities. LogRhythm has a consistent release cadence, making it a Fast Mover, and it scores well across some of the report’s decision criteria, positioning it in the Challengers circle.

Logsign

Solution Overview
Logsign is a unified security operations platform with integrated modules for SIEM, threat intelligence, UEBA, and threat detection and incident response.

The UEBA module can be used to detect insider attacks, stop data exfiltration, and detect risky users and watch their behaviors to prevent the spread of infections. The analytics module explains why a user behavior is suspicious using 400 predefined behaviors and indicates how this behavior is expected to progress. For example, it monitors multiple failed login attempts within a specific period of time to identify brute-force attacks.
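The failed-login pattern described above, as an added illustration rather than code from Logsign or from this report: a sliding-window detector in Python that counts failures per (user, source) pair, alerts when a threshold is reached inside the window, and escalates the alert if a successful login follows the burst. The field names, the threshold and window defaults, and the sample events are all constructed assumptions.

```python
"""Sliding-window failed-login detection over constructed auth events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real logs: alice takes 5 failures then a success from
# one source within a minute; bob has 3 failures spread over 7 minutes (should not alert).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "user": "alice", "src": "203.0.113.7", "outcome": "failure"},
    {"ts": "2024-05-01T10:00:05", "user": "alice", "src": "203.0.113.7", "outcome": "failure"},
    {"ts": "2024-05-01T10:00:09", "user": "bob",   "src": "198.51.100.2", "outcome": "failure"},
    {"ts": "2024-05-01T10:00:12", "user": "alice", "src": "203.0.113.7", "outcome": "failure"},
    {"ts": "2024-05-01T10:00:20", "user": "alice", "src": "203.0.113.7", "outcome": "failure"},
    {"ts": "2024-05-01T10:00:31", "user": "alice", "src": "203.0.113.7", "outcome": "failure"},
    {"ts": "2024-05-01T10:00:44", "user": "alice", "src": "203.0.113.7", "outcome": "success"},
    {"ts": "2024-05-01T10:03:00", "user": "bob",   "src": "198.51.100.2", "outcome": "failure"},
    {"ts": "2024-05-01T10:07:00", "user": "bob",   "src": "198.51.100.2", "outcome": "failure"},
]


def detect_brute_force(events, threshold=5, window_seconds=60):
    """Return one alert per (user, src) whose failure count reaches `threshold`
    within a sliding window of `window_seconds`. A success while failures are
    still inside the window escalates the alert, since the burst may have worked."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # (user, src) -> timestamps of in-window failures
    alerts = {}                     # (user, src) -> alert dict

    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO 8601 sorts lexically
        key = (ev["user"], ev["src"])
        ts = datetime.fromisoformat(ev["ts"])
        recent = failures[key]
        while recent and ts - recent[0] > window:      # drop failures that aged out
            recent.popleft()

        if ev["outcome"] == "failure":
            recent.append(ts)
            if key in alerts:                           # burst continues: keep counting
                alerts[key]["failures"] += 1
                alerts[key]["last_failure"] = ts.isoformat()
            elif len(recent) >= threshold:
                alerts[key] = {
                    "user": ev["user"], "src": ev["src"],
                    "failures": len(recent),
                    "first_failure": recent[0].isoformat(),
                    "last_failure": ts.isoformat(),
                    "severity": "medium",
                    "title": "brute-force attempt",
                }
        elif key in alerts and recent:                  # success with failures still in window
            alert = alerts[key]
            alert["severity"] = "high"
            alert["title"] = "brute-force attempt followed by successful login"
            alert["success_at"] = ts.isoformat()

    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_EVENTS):
        print(alert)
```

The window is evaluated per event rather than per fixed bucket, so a burst straddling a minute boundary is still caught; the threshold and window are the knobs an analyst would tune against the authentication source's normal failure rate.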

Logsign Unified SecOps Platform offers flexible deployment options, including an on-premises model, where customers can manage the platform within their own data centers, and a cloud-based model to deploy instances in a public or private cloud environment.

Strengths
For incident and case management, the solution provides a detailed page where analysts can collaborate, take the necessary actions, and conduct investigations. Logsign provides detailed incidents in case management with timelines, visual cards for investigations, an incident summary with detailed views, and lifecycle management according to the least-similar incident. Lifecycle stages are supported, and the magic button can produce automated or semi-automated responses for some detections.

For threat hunting, analysts can pull relevant threat information without pivoting by using the magic button, which brings up the response integrations. Analysts can, for example, check the confidence score of an IP address or connect to VirusTotal to get its reputation. From there, they can respond to and contain threats, undertaking actions such as rebooting the affected asset, killing processes, or terminating connections. Following the remediation stage, the solution enables analysts to update firewall rules or endpoint agents. Threat hunting can also be conducted mapped to the MITRE ATT&CK framework.

For alarm fidelity, the Logsign SIEM platform leverages over 500 predefined correlation rules and associated use cases, uses risk-based scoring based on behavior analytics, and filters security signals easily according to severity level or MITRE ATT&CK technique.

Challenges
Logsign could further improve its capabilities for certain key criteria by developing features such as automation workflows as well as multitenancy capabilities that cater to MSSPs. Likewise, the vendor could expand its deployment models to include cloud-hosted or SaaS versions.

Purchase Considerations
Logsign’s licensing model is subscription-based and primarily determined by the number and type of log data sources connected to the platform. This ensures a pricing model aligned with the volume of data analyzed.

Modules available include UEBA and threat intelligence, which are added to the Logsign Unified SecOps Platform, allowing customers to choose the specific features they need. For managed security service providers, the UEBA and TI modules are included in the Logsign Unified SecOps Platform by default.

Logsign’s tiered service models offer customers options for the level of proactive support, expert guidance, and hands-on management included with the platform.

Logsign Unified SecOps Platform can deliver on use cases such as threat detection and incident response, as well as meeting compliance requirements. The solution can proactively identify threats to production systems and sensitive data, track and audit user activity to protect against unauthorized access, and generate detailed reports to demonstrate compliance with various standards.

Radar Chart Overview
Logsign offers a purpose-built SIEM solution that natively offers SOAR capabilities. With a consistent release train, Logsign is classified as a Fast Mover. It has room for improvement in its scores across the decision criteria we evaluated and is positioned in the Entrants circle.

ManageEngine

Solution Overview
ManageEngine’s suite of products is the Swiss Army knife of SIEM. Its main SIEM platform, Log360, takes a modular approach to information and event management, integrating several products into a single console. Users can mix and match multiple products to create a bespoke solution or choose the whole suite for a comprehensive SIEM platform.

Log360’s UEBA add-on is powered by ML and can detect anomalies by recognizing subtle shifts in user or entity activity. It helps identify, qualify, and investigate threats that might otherwise go unnoticed by extracting more information from logs to give better context. Administrators can identify the network’s count, time, and pattern anomalies based on users and their peer groups. Out-of-the-box analytics are provided for use cases such as insider threats, account compromise, and data exfiltration.

Customers can choose the security features that they need, including threat intelligence feeds for enriched data analysis. Log360 ingests threat intelligence via STIX/TAXII and integrates with feeds such as Webroot’s BrightCloud, AlienVault OTX, and Constella. The incident workbench can be invoked from anywhere inside the Log360 SIEM console as analysts traverse dashboards such as Reports, Log Search, Compliance, and Correlation.

Strengths
Log360 has good automation capabilities and supports the creation of workflows that automate common procedures carried out by security analysts. The solution also features an analytics system, which classifies events in trend reports and system events to help security practitioners with analysis and response. It features out-of-the-box correlation rules, including for common ransomware attacks. The custom correlation rule builder allows analysts to correlate seemingly unrelated events across the network to detect attacks.

Log360 supports a variety of use cases, including event-log correlation and compliance management, and it audits network devices, servers, and applications. Risk scores are calculated for each user and entity based on deviations from their baseline behavior.

ManageEngine’s Log360 is a comprehensive SIEM tool that gives enterprises an overview of all suspicious user activity on their network in a single pane of glass. It can be deployed in on-premises, cloud, and hybrid environments.

Log360’s UEBA component is powered by supervised and unsupervised ML models that analyze user behavior, spot anomalous patterns, and identify threats. The solution also features a native SOAR, which incorporates automation that allows admins to build workflows that kick in as the initial response to an incident. The solution can also monitor cloud networks to generate in-depth reports of network activity on AWS, Azure, and Google Cloud Platform applications.

Challenges
ManageEngine should further improve its collaboration and case management features. The solution is not currently able to monitor ephemeral resources such as containers, container services such as AWS ECS, or microservices.

Purchase Considerations
To deploy the Log360 SIEM, customers select the components to be monitored, namely domain controllers, Windows servers, Windows workstations, and syslog devices. Add-on components include file integrity monitoring and file server auditing, application monitoring, IIS and SQL Server auditing, Active Directory reporting, cloud source auditing, Office 365 tenants, AWS accounts, UEBA, advanced threat analytics, and Exchange Server auditing.

Log360 can support use cases such as user behavior and critical systems monitoring for watching privileged user activity; it can identify anomalies through ML and detect suspicious attempts such as privilege escalation and unauthorized access. It can also be used for network threat detection, monitoring traffic for unusual connections or port activity; for auditing changes such as firewall policy modifications; for monitoring threat intelligence feeds to block malicious IPs and URLs; and for rogue device detection with automated response workflows. Log360 also has a file integrity monitoring (FIM) module that tracks all file and folder activity, such as access, creation, deletion, and modification, generates detailed reports, and triggers alerts for unauthorized actions. The solution can help organizations comply with industry-specific regulations through built-in reporting templates for PCI DSS, SOX, HIPAA, and other regulations.

Radar Chart Overview
ManageEngine has maintained its position in the Maturity/Platform Play quadrant. The vendor offers a purpose-built SIEM solution that natively offers SOAR capabilities. The vendor has a good development pipeline and comprehensive capabilities, maintaining its position in the Challengers circle as a Fast Mover, which, considering the report’s extended scope compared to last year, denotes a steady progression for the solution.

Microsoft

Solution Overview
Microsoft Sentinel is a cloud-native SIEM solution that uses built-in AI to help analyze large volumes of data. Microsoft Sentinel aggregates data from all sources, including users, applications, servers, and devices running on-premises or in any cloud. Microsoft Sentinel is built on the Azure platform. It provides a fully integrated experience in the Azure portal that seamlessly integrates with existing services such as Microsoft Defender for Cloud and Azure ML.

Microsoft Sentinel supports Jupyter notebooks in Azure ML workspaces, including full libraries for ML, visualization, and data analysis. They can be used to extend the scope of what you can do with Microsoft Sentinel data, such as performing analytics that aren’t built into Microsoft Sentinel, creating bespoke data visualizations, and integrating data sources outside of Microsoft Sentinel.

Strengths
To help reduce noise and minimize the number of alerts generated, Microsoft Sentinel uses analytics to correlate alerts into incidents. Incidents are groups of related alerts that indicate an actionable possible threat that can be investigated and resolved. Microsoft Sentinel also provides ML rules to determine baseline network behavior and look for anomalies.
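The alert-to-incident correlation the paragraph describes, as an added example that is not Microsoft's code and does not reproduce Sentinel's actual grouping logic: alerts that share an entity (user, host, IP) within a time window are joined into one incident with union-find, so a chain such as user→host→IP lands in a single incident whose severity is the maximum of its alerts. The alert shape, entity labels, window default and sample alerts are constructed assumptions.

```python
"""Group related alerts into incidents by shared entities (added example)."""
from datetime import datetime, timedelta

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample alerts, not Sentinel output. a1-a2-a3 chain through shared
# entities; a4 is unrelated; a5 shares a user with a1 but a day later.
SAMPLE_ALERTS = [
    {"id": "a1", "ts": "2024-05-01T09:00:00", "severity": "low",    "entities": {"user:alice", "host:ws-17"}},
    {"id": "a2", "ts": "2024-05-01T09:10:00", "severity": "medium", "entities": {"host:ws-17", "ip:203.0.113.7"}},
    {"id": "a3", "ts": "2024-05-01T09:20:00", "severity": "high",   "entities": {"ip:203.0.113.7"}},
    {"id": "a4", "ts": "2024-05-01T09:05:00", "severity": "low",    "entities": {"user:bob"}},
    {"id": "a5", "ts": "2024-05-02T15:00:00", "severity": "low",    "entities": {"user:alice"}},
]


def group_alerts_into_incidents(alerts, window_hours=4):
    """Union-find over alerts: two alerts join the same incident when they share an
    entity and the later one falls within `window_hours` of the earlier one. Returns
    incidents ordered by their first alert id, each with the max alert severity."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    window = timedelta(hours=window_hours)
    by_ts = sorted(alerts, key=lambda a: a["ts"])
    last_seen = {}   # entity -> most recent alert that touched it
    for alert in by_ts:
        ts = datetime.fromisoformat(alert["ts"])
        for entity in alert["entities"]:
            prev = last_seen.get(entity)
            if prev and ts - datetime.fromisoformat(prev["ts"]) <= window:
                union(alert["id"], prev["id"])
            last_seen[entity] = alert

    incidents = {}
    for alert in by_ts:
        inc = incidents.setdefault(find(alert["id"]),
                                   {"alerts": [], "entities": set(), "severity": "informational"})
        inc["alerts"].append(alert["id"])
        inc["entities"] |= alert["entities"]
        if SEVERITY_RANK[alert["severity"]] > SEVERITY_RANK[inc["severity"]]:
            inc["severity"] = alert["severity"]
    return sorted(incidents.values(), key=lambda i: i["alerts"][0])


if __name__ == "__main__":
    for inc in group_alerts_into_incidents(SAMPLE_ALERTS):
        print(inc["severity"], inc["alerts"], sorted(inc["entities"]))
```

The window keeps an entity that is always present (a shared jump host, a NAT address) from gluing a whole week of alerts into one incident; in practice such high-fan-out entities are usually excluded from the join key altogether.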

The platform has good automation capabilities enabled by a playbook engine that integrates with Azure services and the organization’s existing tools. To build playbooks with Azure Logic Apps, users can choose from a set of pre-built playbooks, such as ticketing integrations with ServiceNow.

The solution provides contextual and behavioral information for threat hunting, investigation, and response using built-in entity-behavioral analytics features. It also has a mature querying function that can be written to extract data before, during, and after a compromise. Before an incident occurs, analysts can be proactive by running any threat-hunting queries related to the data being ingested to provide early insight into events that may confirm that a compromise is in process. During a compromise, analysts can use livestreaming to run a specific query constantly, presenting results as they come in. After a compromise, analysts can improve coverage and insight to prevent similar incidents in the future.

Microsoft’s ML capabilities can deliver good alarm fidelity by identifying suspicious behavior and presenting a condensed list of the most probable attacks or vulnerabilities to a human analyst. The system then incorporates the feedback and actions of the security analysts into its model and rules to better identify threats.

The Risk Scoring Module incorporates two modules that work together to calculate a risk value. Each module defines its own set of variables: a multiplier to be applied for each row passed along, and a per-item setting that indicates whether the score is calculated on a per-item basis. The values generated by these included modules are summed within this module to obtain a final total.

Azure Lighthouse enables multitenant management with scalability, higher automation, and enhanced governance across resources. It allows service providers to deliver managed services using comprehensive and robust tooling built into the Azure platform. Customers maintain control over who has access to their tenant, which resources they can access, and what actions can be taken. Enterprise organizations managing resources across multiple tenants can use Azure Lighthouse to streamline management tasks.

Challenges
As a cloud-native Azure-based solution with no option for deploying the solution on-premises, Sentinel may not be suitable for organizations that require a non-Azure deployment model.

Purchase Considerations
Customers are billed for the volume of data analyzed in Microsoft Sentinel and stored in Azure Monitor Log Analytics workspace. Data can be ingested from two different types of logs: Analytics Logs and Basic Logs. Analytics Logs in Microsoft Sentinel support all data types and offer full analytics, alerts, and no query limits. Basic Logs are usually verbose and contain a mix of high-volume and low-security value data without the full capabilities of analytics logs. Sentinel also offers a pay-as-you-go pricing model, where customers are billed per gigabyte (GB) for the volume of data ingested for security analysis in Microsoft Sentinel and stored in the Azure Monitor Log Analytics workspace.

Microsoft Sentinel is a comprehensive SIEM that is particularly suitable for customers who have bought into the Microsoft ecosystem. With a built-in SOAR, the solution can be used for automation of response tasks and orchestration of third-party services.

Radar Chart Overview
Compared to the last iteration of the report, Microsoft has moved to the Innovation/Platform Play quadrant. The vendor offers a purpose-built SIEM that includes native SOAR-like capabilities and scores well on emerging features such as LLM integrations and DevSecOps. With extensive capabilities and a good development pipeline, Microsoft is positioned in the Leaders circle and is a Fast Mover.

NetWitness

Solution Overview
Having developed its SIEM over the past 15 years, NetWitness fully embraces the concept of an evolved SIEM solution. Its SIEM is also part of the larger NetWitness Platform, integrating with other NetWitness detection and response solutions such as network (NDR) and endpoint (EDR), which together provide comprehensive visibility, correlation, detection, and remediation capabilities.

NetWitness Logs is the SIEM component of NetWitness Platform. It collects security, compliance, OS, resource access, and administrative events and parses the events into respective meta keys to further enrich the data with relevant threat, priority, and business context for comprehensive investigations and complex correlation. It natively supports application-layer monitoring using log ingestion, API integrations, network protocols, and endpoint data, including log ingestion from security platforms such as UTM, SaaS, and IaaS vendors.

NetWitness Plugin Framework enables monitoring and analysis of API-driven applications such as Office 365, SFDC, Dropbox, Slack, and other applications or services. It has over 400 integrations, including open source log collectors such as Logstash, FluentD, and Elastic. In addition, NetWitness Logs has parsers for most major operating systems and for enterprise applications such as SAP ERP, GE PACS IW, and the J4Care Healthcare Connector.

NetWitness SIEM can be deployed wherever a customer needs threat detection, including on-premises hardware, virtual software, major cloud providers, or any hybrid combination. It can also be deployed as a SaaS and managed security solution or managed detection and response offering for organizations that prefer to outsource some or all of the administrative and/or investigative burden.

Strengths
A distinguishing feature of NetWitness is its integration of a fully featured network capture and analytics solution (NTA/NDR). This combination of packet and metadata capture, static file analysis, threat intelligence, and orchestration workflows enables analysts to perform thorough investigations and identify threats that are not detectable with logs alone.

These capabilities are further backed up by NetWitness UEBA, a cloud-based behavior-analytics solution powered by AWS that applies unsupervised ML to data captured by the NetWitness Platform to rapidly detect unknown threats.

For data enrichment, NetWitness can add business context to threat analysis so organizations can prioritize threats based on potential impact to their businesses. In addition, intelligence gathered from industry research and crowdsourced from its customer base and the organization’s own data is fully aggregated and operationalized at ingestion. That context is provided in a form that is easily understandable and usable by security personnel.

Enrichment includes elements such as threat intelligence from NetWitness FirstWatch, business context, technical context, MITRE ATT&CK mapping, and geolocation data. Applying that data at ingestion time (something few vendors do) is an important step, as it can then be used by all detection techniques that run downstream. Customers are enabled and encouraged to add their own enrichments. The enriched context information makes searches extremely fast and provides an easy method for point-and-click navigation and hunting.

All NetWitness detection techniques, including behavioral analysis, are informed by its FirstWatch threat intelligence research and threat content production team. This specialized team is focused on keeping up with the ever-changing threat landscape and making sure NetWitness can detect those threats.

The NetWitness Log Parser Tool (NWLTP) allows customers to easily create log parsers for custom applications. The SIEM correlates log events from multiple event sources, and also with network packet data, NetFlow, endpoints, and other integration sources, allowing comprehensive visibility, detection, forensics, and response across sources. It provides automation and control through orchestration (SOAR) modules that are fully integrated with a unified datastore and data architecture, and a single seamless interface offers visibility across all types of data, so security analysts can see the entirety of any security situation and provide a truly informed and comprehensive response.

Challenges
NetWitness currently does not offer a complete SaaS deployment model, although its UEBA and Orchestrator products are available as SaaS. A common challenge NetWitness users may experience is the learning curve and the overall experience of managing a large number of features within a single platform.

Purchase Considerations
NetWitness offers the following types of licenses:

  • Throughput, which is based on the amount of data per day for logs (SIEM), network (packets), or malware, measured in gigabytes per day for logs and in terabytes per day for packets. The total throughput is selected based on the total amount of throughput per day being licensed across the entire enterprise deployment of NetWitness Platform.
  • UEBA, which looks at the number of active users from the previous day and sends it to the licensing server. Entitlement is measured for logs and endpoint events for the number of active users and checked against a user ID.
  • Endpoint, which is based on the number of active agents deployed.

With an integrated SIEM and EDR approach, NetWitness can support a variety of use cases, including discovery of infrastructure, such as host and network discovery, network threat detection for monitoring traffic, and change auditing such as firewall policy modifications. With the UEBA module, it can monitor user behavior and identify anomalies using machine learning. The solution can help organizations comply with industry-specific regulations, such as PCI DSS, SOX, and HIPAA.

Radar Chart Overview
NetWitness has maintained its position in the Maturity/Platform Play quadrant. It is an Outperformer, with plans for a large release later in 2024 as part of NetWitness Next, which will include a new UI/UX, a new analytics engine, and a full SaaS version of the product. While NetWitness was positioned in the Leaders circle last year, it is now positioned in the Challengers circle. This is mainly because the GigaOm scoring method has been updated from a 0-3 point scale to a 0-5 point scale, and the scope of the feature definitions has been extended.

OpenText

Solution Overview
ArcSight is well-known within the security space, having been developed over more than 20 years. Recently acquired by OpenText, the SIEM platform is a central element of OpenText’s security strategy. The OpenText solution offers a complete security operations (SecOps) solution that consists of SIEM, UEBA, SOAR, and big-data threat hunting technologies. These features reside on a unified platform that includes common storage, a shared data platform, and a unified interface.

ArcSight’s approach to layered analytics is a distinguishing feature that simplifies threat detection. It can provide SOCs with an end-to-end, enterprise-security operations platform powered by an advanced correlation engine that can detect known threats in real time. Furthermore, ArcSight leverages unsupervised ML to detect unknown threats using behavioral analysis and big-data threat hunting.

Strengths
ArcSight provides its own threat intelligence feed but can also integrate with a variety of threat intelligence platforms to obtain threat definitions as they evolve. Those threat definitions or identifiers are then turned into various lists that the real-time rules use to match against new events coming into the system. As the threat evolves and the threat intelligence platform is updated, those definitions will be synced automatically into ArcSight, and new events will match.

Similarly, ArcSight also ranks high on the automation criterion because it offers a fully integrated SOAR solution within the SIEM platform at no additional cost. In creating a fully integrated solution that can scale, OpenText faces several challenges that buyers should investigate. While having many advanced capabilities on a single platform may enhance the user experience in some areas, it also introduces the potential for a more complex user experience and a longer learning curve. This level of product depth may also require the vendor to align a significant portion of its resources to ensure that any change-management issues can be addressed quickly.

Challenges
Currently, OpenText’s SIEM solution is not oriented toward serving NSPs, whose requirements include geographically distributed infrastructure serving both enterprise customers and consumers.

Purchase Considerations
There are three licensing models offered by the ArcSight platform. The events-per-second model is the primary one for the platform. It employs a post-filter/pre-aggregation construct and is used for log management (storage/retention), threat hunting, and real-time threat detection. The flat-fee model is reserved for add-on functionalities such as high availability, Compliance Insight Packs (CIPs), and ArcSight ThreatHub Feed Plus. Lastly, the per managed entity model covers capabilities such as advanced behavioral analysis.

For no additional charge, OpenText includes SOAR and ThreatHub Feed Basic, both of which are aligned with the ArcSight ThreatHub Research online platform. Through the ArcSight Marketplace, customers can access hundreds of supporting content packages from its partners, community, and security experts, the majority of which are freely available to customers.

ArcSight supports a variety of real-world use cases to detect modern threats, such as threat, ransomware, and insider detection and incident response, sensitive data and IP protection, threat hunting lead generation, financial fraud detection and response, compliance and regulation real-time detection and long-term reporting, and forensics investigation. The solution also offers infrastructure, DDoS, IoT, and mobile attack detection and response.

Radar Chart Overview
OpenText offers a purpose-built SIEM solution that natively includes SOAR capabilities and has maintained its position in the Maturity/Platform Play quadrant. The vendor is an Outperformer, as it has a comprehensive development pipeline and a broad company strategy around using proprietary generative AI across OpenText products, including the SIEM solution. OpenText is positioned in the Leaders circle due to high scores across the decision criteria we evaluated.

Panther Labs

Solution Overview
Panther’s cloud-native SIEM solution is built for AWS, empowering cloud-native security teams to ensure real-time threat detection, log aggregation, incident response, and continuous compliance.

The Panther Console is Panther’s web interface, and the Panther Developer Workflows, including CI/CD, the API, and the Panther analysis tool (PAT), are non-console workflows that can be used to interact with a Panther account. Teams can also customize, create, and harden detections leveraging Python, unit tests, and standard CI/CD workflows to tailor detections specifically for their environment.

Strengths
For threat hunting and retrospective analysis, Panther pushes normalized data into a security data lake inside Snowflake, where it is readily available for investigation using SQL queries. Panther’s data analysis tools enable analysts to search collected and normalized log data in data lakes. Log sources can be queried with the indicator search tool or query builder or by using SQL in Data Explorer. Data Explorer is useful for conducting a complex or highly customized search—for example, joining database tables or controlling which fields are returned by adding additional clauses.

Security logs inside the security data lake are enriched with events and non-event contextual information, such as identity context (user, host, IP addresses), vulnerability context (scan reports), and business context. Analysts can create custom lookup tables or use out-of-the-box providers such as GreyNoise, IPinfo, and Tor.

A distinguishing feature is cloud security scanning, which scans AWS accounts, models the resources within them, and detects misconfigurations. Common security misconfigurations detectable by Panther include S3 buckets without encryption, security groups allowing inbound SSH traffic from 0.0.0.0/0, access keys older than 90 days, and permissive identity and access management policies.

For alarm fidelity, Python functions consume log events to identify suspicious behavior and trigger alerts. There are three types: rules, scheduled rules, and policies. Rules are Python functions that detect suspicious activity in security logs in real time. Scheduled rules are Python functions that run against the results of scheduled queries on the data lake. Policies are Python functions that scan and evaluate cloud infrastructure configurations to identify misconfigurations. When a detection of any of these types finds a match, it triggers an alert, which is then routed to destinations according to the configuration on the detection and on the destination.
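The misconfiguration checks and the rule/policy split described above, as an added illustration written for this report rather than Panther’s own code. The convention assumed here follows Panther’s documented detection-as-code shape (a policy function returns True when the resource is compliant, a rule function returns True when the event should alert); the resource and event field names, the policy-to-resource-type mapping and all sample data are constructed for the example, not Panther’s exact schemas.

```python
"""Panther-style detection-as-code illustration (constructed, not Panther's code).
Assumed convention: policy(resource) -> True means compliant; rule(event) -> True
means alert. Field names and sample data are constructed for this example."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple
import ipaddress

MAX_KEY_AGE = timedelta(days=90)   # the 90-day access-key age limit named in the text
SSH_PORT = 22


def policy_s3_default_encryption(resource: dict) -> bool:
    """Compliant when the bucket has at least one default encryption rule."""
    return bool(resource.get("EncryptionRules"))


def policy_no_public_ssh(resource: dict) -> bool:
    """Compliant unless an ingress rule exposes TCP/22 to 0.0.0.0/0 or ::/0."""
    for perm in resource.get("IpPermissionsIngress", []):
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        covers_ssh = proto == "-1" or (  # "-1" means all protocols/ports
            proto == "tcp" and lo is not None and hi is not None and lo <= SSH_PORT <= hi)
        if not covers_ssh:
            continue
        cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            # Both 0.0.0.0/0 and ::/0 have a prefix length of 0.
            if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                return False
    return True


def policy_access_key_max_age(resource: dict, now: datetime) -> bool:
    """Compliant when every active access key is younger than MAX_KEY_AGE."""
    for key in resource.get("AccessKeys", []):
        if key.get("Status") != "Active":
            continue
        if now - datetime.fromisoformat(key["CreateDate"]) > MAX_KEY_AGE:
            return False
    return True


# Constructed mapping of resource type -> (policy id, adapter taking (resource, now)).
POLICIES: Dict[str, List[Tuple[str, object]]] = {
    "AWS.S3.Bucket": [("s3_default_encryption", lambda r, now: policy_s3_default_encryption(r))],
    "AWS.EC2.SecurityGroup": [("no_public_ssh", lambda r, now: policy_no_public_ssh(r))],
    "AWS.IAM.User": [("access_key_max_age", policy_access_key_max_age)],
}


def evaluate_resources(resources: List[dict], now: datetime) -> List[Tuple[str, str]]:
    """Return (resource name, policy id) for every policy a resource fails."""
    failures = []
    for res in resources:
        for policy_id, check in POLICIES.get(res.get("ResourceType"), []):
            if not check(res, now):
                failures.append((res["Name"], policy_id))
    return failures


def rule_console_login_without_mfa(event: dict) -> bool:
    """Real-time rule over a CloudTrail-style event: alert on a successful
    console login where MFA was not used."""
    return (
        event.get("eventName") == "ConsoleLogin"
        and (event.get("responseElements") or {}).get("ConsoleLogin") == "Success"
        and (event.get("additionalEventData") or {}).get("MFAUsed") != "Yes"
    )


def run_rule(events: List[dict]) -> List[str]:
    """Return the eventIDs the rule would raise alerts for."""
    return [e["eventID"] for e in events if rule_console_login_without_mfa(e)]


# Constructed sample inventory and log events, evaluated at a fixed point in time.
FIXED_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RESOURCES = [
    {"ResourceType": "AWS.S3.Bucket", "Name": "app-logs", "EncryptionRules": []},
    {"ResourceType": "AWS.S3.Bucket", "Name": "app-assets",
     "EncryptionRules": [{"SSEAlgorithm": "AES256"}]},
    {"ResourceType": "AWS.EC2.SecurityGroup", "Name": "sg-bastion",
     "IpPermissionsIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                               "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"ResourceType": "AWS.EC2.SecurityGroup", "Name": "sg-internal",
     "IpPermissionsIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                               "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"ResourceType": "AWS.IAM.User", "Name": "deploy-bot",
     "AccessKeys": [{"Status": "Active", "CreateDate": "2023-01-15T00:00:00+00:00"}]},
    {"ResourceType": "AWS.IAM.User", "Name": "new-hire",
     "AccessKeys": [{"Status": "Active", "CreateDate": "2024-05-20T00:00:00+00:00"}]},
]
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventName": "ConsoleLogin",
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e2", "eventName": "ConsoleLogin",
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "e3", "eventName": "ConsoleLogin",
     "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}},
]

if __name__ == "__main__":
    print("policy failures:", evaluate_resources(SAMPLE_RESOURCES, FIXED_NOW))
    print("rule alerts:", run_rule(SAMPLE_EVENTS))
```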

For automation, Panther supports alert runbooks, which are sets of instructions for remediating issues triggering an alert. Runbooks also describe the severity of the issue’s risk and the remediation effort, as well as a description of the conditions that triggered the alert.

Challenges
While Panther’s approach has clear differentiators, the solution is currently limited to monitoring AWS environments, making it unsuitable for organizations that have a non-AWS or hybrid environment.

Purchase Considerations
Panther does not publicly disclose its pricing and licensing models. It offers one-year data retention policies and allows customers to bring their own Snowflake instance. Panther can run queries directly in the data lake service.

Panther is particularly strong in supporting DevSecOps practices, as it built its solution with a detection-as-code-first approach. With the distinguishing AWS misconfiguration detection features, the solution is highly suitable for DevOps-led AWS-native organizations.

Radar Chart Overview
This is the second iteration of the report that features Panther, and the vendor has maintained its position in the Innovation/Feature Play quadrant. Panther is a purpose-built SIEM that does not currently offer native SOAR-like capabilities but scores well on emerging technologies such as DevSecOps and security content. The vendor is a Fast Mover, with a good feature release cadence, and is positioned in the Entrant circle, as it scored lower on some of our decision criteria.

Rapid7

Solution Overview
Rapid7’s InsightIDR is a cloud-native integrated SIEM and XDR solution. InsightIDR has many modules available natively and supports a robust library of third-party integrations to supplement its out-of-the-box endpoint, network, and user coverage. The solution offers a constantly updated library of ATT&CK-mapped detections and can deliver capabilities such as EDR, UEBA, embedded threat intelligence, deception technology, incident response, and investigations.

The InsightIDR solution’s native network traffic analysis feature provides network visibility and detection alongside data from the rest of the environment. Its enhanced network traffic analysis feature leverages proprietary packet capture to access additional network metadata for an understanding of the full scope of activity.

Strengths
For data enrichment, InsightIDR leverages external threat intelligence from Rapid7’s open-source community, advanced attack surface mapping, and proprietary ML. Detections are constantly curated by Rapid7’s threat intelligence and detection engineering team. The solution auto-enriches every log line with user and asset details, correlates events across different data sources, and displays them on visual investigation timelines.

Last year, Rapid7 added the InsightIDR and Threat Command integrations for XDR features, which offer an improved external and internal attack surface view within Rapid7. Customers can view Threat Command alerts alongside their broader detection set in InsightIDR, prioritize and investigate these alerts using InsightIDR’s investigation management capabilities, and then seamlessly pivot back and forth between the two products. Threat Command detection rules can be tuned directly in InsightIDR with respect to rule actions, rule priorities, and exceptions.

The solution also includes a UEBA module, which continuously baselines normal user activity to identify anomalies. Correlated user data also offers rich context for other attacker alerts to help speed your investigations and response. Besides UEBA, InsightIDR also has an attacker behavior analytics (ABA) module, which identifies the way attackers gain persistence on an asset and send and receive commands to victim machines. Each ABA detection rule hunts for a unique attacker behavior. The UEBA and ABA detection rules are flexible, and analysts can modify out-of-the-box rules, create custom alerts, and subscribe or contribute to community threat intelligence.

For automation, InsightIDR includes prebuilt workflows for containing threats on an endpoint, suspending user accounts, and integration with ticketing systems. InsightIDR also integrates seamlessly with InsightConnect (Rapid7’s SOAR solution) for more advanced workflow-building capabilities.

Challenges
InsightIDR’s capabilities for monitoring ephemeral resources and for automation are supported natively at a basic level, but more advanced functions require InsightCloudSec and InsightConnect. While InsightIDR can integrate with third-party case management systems, the solution should further develop its native case management and collaboration capabilities.

Purchase Considerations
Threat Complete is Rapid7’s licensing package for InsightIDR and includes two tiers, Threat Complete Advanced and Threat Complete Ultimate. In this report, we evaluated the features as available under the InsightIDR Ultimate package: centralized log management, search, reporting and dashboards, FIM, IDS, network traffic analysis, threat intelligence, EDR, Attacker Behavior Analytics, User Behavior Analytics, Deception Technology, SOAR, Attack Surface Monitoring, and Security Configuration Assessment (Policy Assessment).

The solution’s distinguished XDR and SIEM approach enables a range of use cases, including automated endpoint response and comprehensive environment visibility. The solution provides native engineer-vetted detections, embedded threat intelligence, and threat investigation tools.

Radar Chart Overview
Compared to last year, Rapid7 has moved from the Maturity/Platform Play quadrant to the Maturity/Feature Play quadrant, as it offers a purpose-built SIEM, as well as SOAR capabilities with a separate standalone product rather than natively in InsightIDR. Rapid7 has a steady pace of feature releases, making the vendor a Fast Mover. It’s positioned in the Challengers circle due to its scores across the decision criteria we evaluated.

Securonix

Solution Overview
Securonix Unified Defense SIEM provides organizations a threat detection, investigation, and response (TDIR) solution built on a highly scalable data cloud. The cloud-native solution adopts a cybersecurity mesh architecture to agnostically integrate with multiple clouds, data lakes, and security solutions. The SIEM offers organizations 365 days of hot data for fast search and investigation, powered by the Snowflake Data Cloud. It relies on threat content-as-a-service to deliver a frictionless unified TDIR experience.

Securonix’s strategy is to create a next-generation SIEM platform that is well-integrated, comprehensive, and can provide a true end-to-end security analytics and operations solution. Securonix differs from other vendors of solutions with similar capabilities in its approach to the cloud. It is one of only a few vendors that provide a native and robust SaaS deployment model and has even implemented a bring-your-own-cloud version.

Strengths
Securonix’s Autonomous Threat Sweeper (ATS) service automatically performs threat hunting retroactively, using historic logs to scan customer environments for threats that have only been recently discovered.

While other SIEM vendors implement ML capabilities to enhance existing features, Securonix took a different approach, putting ML at the platform’s core. It leverages both supervised and unsupervised ML to achieve capabilities such as behavior pattern and rare event detection and automated phishing and spam identification.

Another differentiator is the vendor’s Threat Research Lab, which continuously monitors emerging threats and develops detection content that customers can apply in production. In addition, Securonix offers prepackaged content that can be deployed using its automated content dispenser. The content includes use cases such as insider threat detection, fraud analytics, threat hunting, compliance reporting, and identity and access analytics.

Securonix recently announced the incorporation of Adaptive Threat Modeling and Insider Threat Psycholinguistics as part of its AI-reinforced strategy, and the company is exploring additional capabilities, such as noise canceling for alerts and a generative AI-based assistant, Policy Genie, for policy creation.

The vendor scores well on several key features and criteria, including alarm fidelity, data enrichment, automation, and threat hunting. For convergence, the Securonix platform includes capabilities relating to security data lakes (SDLs), UEBA, security orchestration, automation, and XDR. Buyers interested in Securonix’s SIEM platform need to consider user experience, the learning curve, and available documentation. These factors will be essential to ensuring that the platform’s capabilities are used as intended and that its complexity will not be a hindrance for security analysts.

Challenges
To support security analysts in using Securonix’s comprehensive SIEM, it’s important to consider the learning curve and overall user experience. Doing so could address challenges related to the platform’s time-to-value and to disruptions caused by security analyst churn.

Purchase Considerations
Securonix offers four licensing tiers with increasing features and prices, all priced on a GB per day ingestion rate. Autonomous Threat Sweeper, SOAR, and Investigate are available as add-ons to the Basic, Standard, and Advanced packages, and all add-ons are included in the All-in package. The capabilities evaluated in this report are the ones included in the All-in package.

The most popular use cases for the Securonix solution are focused on detection of insider threats, privilege misuse, and advanced cyberattacks. Securonix supports over 1,000 out-of-the-box use cases and over 100 threat models that are available to customers as prepackaged content. Threat chain models are combinations of use cases (IoCs) that, if seen together, indicate a much stronger likelihood of a security compromise.

Radar Chart Overview
Securonix is positioned in the Innovation/Platform Play quadrant: it’s a purpose-built SIEM that offers native SOAR capabilities and scores high for emerging technologies such as LLM integrations and security content. Securonix has a comprehensive development pipeline and scores well across most decision criteria described in the report, which positions the vendor in the Leaders circle as an Outperformer.

SolarWinds

Solution Overview
SolarWinds’ Security Event Manager (SEM) is a mature SIEM solution that offers deep visibility into IT environments. SEM collects, consolidates, normalizes, and visualizes logs and events from firewalls, IDS/IPS devices and applications, switches, routers, servers, operating systems, and other applications. Features include log management, threat detection, normalization and correlation, file integrity monitoring, threat intelligence, compliance, and reporting. The solution can be deployed as a virtual appliance.

SolarWinds’ Security Observability is a distinctive offering resulting from the integration of Hybrid Cloud Observability with Security Event Manager and Access Rights Manager. Security Observability helps organizations protect distributed and complex IT infrastructures by rapidly detecting, alerting on, and remediating security incidents, enabling the solution to rank high on the attack surface decision criterion.

Strengths
For threat hunting, the solution’s search and event-time correlation capabilities help carry out forensic analysis and network security audits by processing and normalizing log data before it’s written to the database. SEM offers predefined rules and a custom correlation rule builder to automatically alert on possible security breaches and other critical issues. The SEM log analyzer tool can forward correlated log data to an external source for further analysis if and when required.

For automation, the solution can respond to suspicious activity using predefined actions, including blocking USB devices, killing malicious processes, logging off users, quarantining infected machines, blocking IP addresses, and adjusting Active Directory settings.

For alert triage, SEM supports rule definitions that include use cases such as IDS/IPS systems with infection symptoms, antivirus software addressing potential infections, system errors, and crash reports.

SEM includes built-in report templates for internal and external regulatory compliance, including PCI DSS, GLBA, SOX, NERC CIP, and HIPAA. It can correlate system and user activities to reconstruct a compliance violation or mitigate an emerging security threat, filter information to customize reports for specific departments or recipients, and produce graphical summaries to enhance high-level reports.

The FIM feature delivers broader compliance support and deeper security intelligence for insider threats, zero-day malware, and other advanced attacks. FIM can detect and alert on changes to key files, folders, and registry settings. The correlation engine can leverage sources such as Active Directory and file audit events to determine which user was responsible for accessing and changing a file and to identify other users’ activities occurring before and after the file change.

Challenges
While SEM covers the core functionality of SIEM solutions very well, more advanced features such as data enrichment using internal and external sources and ephemeral resource monitoring are limited. The solution also lacks multitenancy features that can be required by large enterprises or MSSPs.

Purchase Considerations
SolarWinds has a wider infrastructure monitoring and observability portfolio, which includes network, systems, database, application, and IT service management. Customers who are already using products from the SolarWinds ecosystem can benefit from adding security monitoring alongside their existing observability solutions.

SolarWinds SEM can be used for compliance management and reporting for multiple standards and regulations, and for threat hunting and investigation across a wide range of infrastructure services and applications.

Radar Chart Overview
Compared to last year’s report, SolarWinds has moved from the Maturity/Platform Play quadrant to the Maturity/Feature Play quadrant. SolarWinds’ solution is a purpose-built SIEM that does not offer native SOAR-like capabilities. The vendor has been consistently releasing new features and is classified as an Outperformer. However, it has lower scores on some of the decision criteria we evaluated, putting it in the Entrant circle.

Splunk

Solution Overview
Splunk Enterprise Security (ES) is a mature and powerful application that equips security analysts with all the information they need to conduct investigations and respond to threats. It ranks high on the alarm fidelity, threat hunting, and data analysis and risk scoring criteria.

Splunk ES supports multiple deployment models, including on-premises appliances, virtual instances in public or private clouds, SaaS, or a combination of any of those. The solution’s out-of-the-box detection rules make it easy to use and lower the learning curve for analysts. This content helps create and tune alerts, perform contextual searches, and increase the speed of detection and analysis. Furthermore, the use-case library enables faster detection of and incident response to both new and known threats.

Strengths
The Splunk ES solution can help analysts investigate compromised systems using event sequencing, investigation timelines, and investigation workbenches. These features are designed to tackle common challenges security analysts face, making the platform rank high on the threat hunting key feature.

A useful feature in the Splunk ES portfolio is risk-based alerting (RBA), which enables analysts to create risk attributions for entities when something suspicious happens. Then, instead of triggering an alert for each attribution, the attributions are sent to the risk index so that a notable event is triggered when an entity’s risk score meets a predetermined threshold. The behavioral analytics service uses anomalies along with notable events and RBA events from Splunk ES and Splunk Cloud Platform to generate risk scores for any entity.
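The accumulate-then-threshold mechanism described above, as an added example written for this report; it is not Splunk’s implementation and uses no SPL. The risk index, the window, the threshold and the optional minimum number of distinct contributing detections are all constructed assumptions for the illustration.

```python
"""Risk-based alerting (RBA) illustration, constructed for this report (not Splunk's
code or SPL). Detections write risk attributions to a risk index instead of each
raising an alert; a notable is raised only when an entity's aggregated risk inside
a time window meets a threshold. All data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RiskAttribution:
    ts: datetime
    risk_object: str        # the entity the risk is attributed to (user, host, ...)
    risk_object_type: str   # "user" or "system"
    risk_score: int         # modifier contributed by one detection firing once
    source: str             # the detection (risk rule) that wrote the attribution


def aggregate_risk(risk_index: List[RiskAttribution], window: timedelta,
                   threshold: int, now: datetime, min_sources: int = 1) -> List[dict]:
    """Sum risk per entity over [now - window, now]; return notables that meet
    the threshold and were fed by at least min_sources distinct detections."""
    per_entity: Dict[Tuple[str, str], List[RiskAttribution]] = defaultdict(list)
    for attr in risk_index:
        if now - window <= attr.ts <= now:
            per_entity[(attr.risk_object_type, attr.risk_object)].append(attr)

    notables = []
    for (otype, obj), attrs in per_entity.items():
        total = sum(a.risk_score for a in attrs)
        sources = sorted({a.source for a in attrs})
        # Requiring several distinct sources keeps one noisy detection from
        # inflating an entity's score on its own.
        if total >= threshold and len(sources) >= min_sources:
            notables.append({
                "risk_object_type": otype,
                "risk_object": obj,
                "risk_score": total,
                "sources": sources,
                "attribution_count": len(attrs),
            })
    # Highest accumulated risk first, so the analyst queue is priority-sorted.
    return sorted(notables, key=lambda n: (-n["risk_score"], n["risk_object"]))


# Constructed risk index: three low-score attributions from different detections
# add up for alice; bob's large attribution has aged out of the 24-hour window;
# web01 crosses the threshold from a single detection.
NOW = datetime(2024, 6, 1, 12, 0)
H = timedelta(hours=1)
RISK_INDEX = [
    RiskAttribution(NOW - 20 * H, "alice", "user", 40, "login_from_new_geo"),
    RiskAttribution(NOW - 5 * H, "alice", "user", 30, "rare_process_launch"),
    RiskAttribution(NOW - 1 * H, "alice", "user", 40, "added_to_admin_group"),
    RiskAttribution(NOW - 30 * H, "bob", "user", 80, "login_from_new_geo"),
    RiskAttribution(NOW - 2 * H, "bob", "user", 30, "rare_process_launch"),
    RiskAttribution(NOW - 3 * H, "web01", "system", 120, "port_scan_detected"),
]


def run_rba(min_sources: int = 1) -> List[dict]:
    """Evaluate the constructed risk index with a 24-hour window and threshold 100."""
    return aggregate_risk(RISK_INDEX, timedelta(hours=24), 100, NOW, min_sources)


if __name__ == "__main__":
    for notable in run_rba():
        print(notable)
```

With `min_sources=2` the single-detection notable for web01 is suppressed and only alice, whose score was built from three different detections, remains.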

Splunk ES evaluates and identifies threats from three categories. First, unknown-unknowns are identified using behavioral analytics services that cluster related entities to identify new threats based on peer or group analysis and profile entities to find new threats based on multiclass, deep neural net classifiers. Second, known-unknowns are threats that have been identified, and the behavioral analytics services perform predictive analytics to understand when these events might occur in the future. Lastly, known-knowns are detected using correlation rules, threat intelligence, and risk-based priority sorting for notable events.

Threat Topology allows analysts to gauge the extent of an incident by mapping all the associated risk and threat objects. Analysts can immediately discover the scope of a security incident and quickly pivot between affected assets and users in the investigation, saving time and increasing productivity.

Challenges
The solution ranks lower on capabilities such as collaboration and monitoring ephemeral resources. While Splunk offers a separate SOAR product, the native automation capabilities in the platform are limited.

Purchase Considerations
Splunk Enterprise Security is a premium app, which is used in conjunction with Splunk Enterprise or Splunk Cloud Platform. This means that customers must have a Splunk Enterprise or Splunk Cloud Platform along with a Daily Indexing Volume or vCPU usage license to download the app from the Splunk Support portal.

For example, if customers purchase a 1 GB Daily Indexing Volume license for Splunk Enterprise and purchase the Splunk Enterprise Security app, they can only ingest 1 GB of data to use in Splunk Enterprise and Enterprise Security. Splunk Enterprise Security monitors Splunk indexes for Daily Indexing Volume and vCPU consumption, irrespective of whether you are using the on-premises or cloud version.

Splunk monitors the daily indexing volume into Splunk and the use of that data for security use cases. It also monitors the vCPU usage based on the data summarized in Splunk Enterprise Security-specific summary and metrics indexes.

Splunk can serve security use cases such as incident management, shortening investigation cycles by confirming high-priority incidents with enhanced visualizations of risk thresholds, indicators, and trends; compliance, meeting the standards of regulatory bodies; detection and investigation of attacks and new threats through early and rapid behavior-based detections and correlations; and threat hunting and automation of repetitive tasks during the investigation and incident response process.

Radar Chart Overview
Splunk has maintained its position in the Maturity/Platform Play quadrant, as it built its SIEM solution on top of its underlying observability platform and offers SOAR capabilities with a separate standalone product rather than natively in Enterprise Security. Splunk is positioned as a Challenger in the report, due to its lower scores on some of the decision criteria we evaluated, such as multitenancy. With a good cadence for feature releases, Splunk is a Fast Mover.

Sumo Logic

Solution Overview
Sumo Logic Cloud SIEM is a SaaS-delivered solution built from the ground up as a multitenant microservices architecture that scales elastically and supports large volumes of data ingestion. Sumo Logic’s SIEM offers a range of features, including the Insight Rules Engine that features over 900 out-of-the-box rules, an entity timeline and Entity Relationship Graph for threat hunting, the Insight Global Confidence Scores module, the Automation Service that offers playbooks for Insight enrichment, notifications, and containment actions, and a MITRE ATT&CK Threat Coverage Explorer.

Strengths
The “global intelligence for security insights” feature provides a crowd-sourced and ML-predicted global confidence score that offers security analysts validated and fully contextualized events. Insights with a higher confidence score signify that an insight is more likely to be a true positive based on the actions from other Sumo Logic Cloud SIEM customers as well as previous actions taken on similar signals by that customer.

Sumo Logic’s Cloud SIEM is one of the few solutions featured in this report that ranks high on monitoring ephemeral resources. The solution provides visibility into Kubernetes clusters and provides out-of-the-box integration with Falco, an open-source runtime security tool that monitors for privilege escalation using privileged containers, unexpected network connections or socket mutations, and read-writes to well-known directories.

Cloud SIEM’s Insight Engine pulls together alert signals from multiple sources into a single insight tied to specific entities. It reduces triage and investigation time by automatically correlating related activities and potential threats. It also provides a powerful view back in time, evaluating all signals associated with an entity up to the last 30 days. The insights include AI/ML-based confidence scores, which help analysts prioritize their work based on the likelihood that the insight is a true event.

An entity criticality tool provides the control to adjust the severity of signals for specific entities based on some risk factor or other consideration. For example, an executive’s laptop is likely to contain important data, so signals related to that entity should have a higher signal severity. To allow for this calibration, you define a criticality, a single arithmetic expression used to adjust the severity of signals on entities the criticality is assigned to.

Cloud SIEM includes automated enrichment and supports ingestion of threat-intelligence data that is automatically merged with entities (like IP addresses) detected in insights. For customers needing threat intelligence, Sumo Logic includes the CrowdStrike threat intelligence feed with its Sumo Logic platform free of charge.

Some of the vendor’s feature releases include an insight trainer, which uses ML to provide rule tuning recommendations and severity adjustments that significantly reduce the burden of manual tuning, and the entity relationship graph, a graphical visualization of all related entities in a case as well as additional relationships beyond the case.

In addition, Sumo Logic provides native integrations with best-practice data sources for Kubernetes: Prometheus, OpenTelemetry, FluentD, Fluentbit, and Falco. With the easy-to-set-up collection deployed using Helm, you get instant access to performance metrics, logs, traces, and Kubernetes system and security events. The solution works for any Kubernetes setup, anywhere: on-premises, AWS, Azure, and GCP.

Challenges
While Sumo Logic’s cloud-native SaaS delivery may be an advantage for seamless enterprise deployments, Cloud SIEM is not suitable for organizations that are prohibited from using SaaS-delivered services. Also, while not inherently a challenge, it’s worth noting that Sumo Logic’s Automation Service is a subset of automation capabilities adapted from Cloud SOAR, which is available to the entire Sumo Logic log analytics platform.

Purchase Considerations
Sumo Logic has a $0 ingest fee, as all pricing is based on the analysis of the data. The solution has three tiers (Free, Essential, and Enterprise Suite), with only the last plan offering the Cloud SIEM capabilities. The Free tier includes a maximum 1Gb/day log ingestion capacity and seven days of data retention but no security-specific capabilities. The Enterprise Suite allows customers to define their own data retention and offers 24/7 support for P1 incidents, and it includes Cloud Infrastructure Security, Cloud SIEM, and Cloud SOAR.

Sumo Logic Cloud SIEM can deliver on use cases such as meeting data security and privacy compliance regulations such as PCI DSS, incident response to identify how an attack breached enterprise security systems and what hosts or applications were affected by the breach, vulnerability management to proactively test network and IT infrastructure, and threat intelligence.

Radar Chart Overview
Sumo Logic is positioned in the Innovation/Platform Play quadrant, having moved from the Maturity/Platform Play quadrant in the previous report. Sumo Logic built its SIEM solution on top of its analytics platform. It offers a standalone SOAR product, with some of the SOAR features being available natively in the SIEM product. This positions Sumo Logic in the Platform Play half but close to the Feature Play side. Sumo Logic is a Fast Mover, as it has a good release cadence. It scored well on the decision criteria we evaluated, making it a Leader in this report.

UTMStack

Solution Overview
The UTMStack Open Source SIEM is a threat detection and response solution powered by threat intelligence and real-time correlation before ingestion. UTMStack is a single product that can be deployed on-premises or inside the customer’s cloud, or as a platform using the UTMStack SaaS. UTMStack has mainly been deployed as a single product installed within the customer’s network.

UTMStack has the following components: Dashboard Builder, Alert and Incident Management, User Activity Auditor, Log Analyzer, File Changes Tracker, Threat Intelligence, Built-In SOAR, Compliance Reporting, Vulnerability Management, and an LLM enhanced by RAG for automated alert and incident investigation.

Strengths
UTMStack normalizes ingested data using Logstash parsing rules and an in-house correlation engine written and compiled in Go. In UTMStack, logs are correlated before ingestion to reduce detection and response times; this improves correlation detection times and lowers resource utilization. Alarm or alert definitions are written in simple YAML correlation rule files that are easy to understand and can be created by a security analyst without coding experience.

UTMStack’s built-in SOAR handles incident response automation and workflows for alert automation, host isolation, host shutdown, IP blocking at firewalls, and malware activity intervention. The system supports PowerShell and Bash automation. Automation features include low-code playbooks, external API requests, agent-based command execution, SSH command execution, and scripting using PowerShell and Bash.

UTMStack uses the MITRE ATT&CK framework for alert classification and scoring and can determine risk based on user, device, workload, and identity context; the resource’s level of exposure to the public internet or other external networks; behavioral deviation from the baseline; heuristic analysis; and threat intelligence IoC analysis.

UTMStack has two approaches to multitenancy: one instance per customer or a single instance shared among multiple customers. As UTMStack supports on-premises and bring-your-own-cloud deployments, MSSPs can manage all these deployments remotely using a “federation service” that orchestrates the deployment of multiple UTMStack instances and provides a single pane of glass for monitoring all instances, which is also a useful tool for security operations teams.

The solution can cater to DevSecOps audiences, as all of its code is open source and available on GitHub, supporting CI/CD with GitHub Actions, implementing unit testing, and exposing its functions via an API.

UTMStack has its own internal research team that focuses on dark web data hunting, IoC and attack pattern investigation, and honeypot networks spun up for threat intelligence investigation and malware hunting. UTMStack hosts its proprietary threat intelligence platform, Threatwinds, and the threat research is integrated into UTMStack by default in all deployments.

Challenges
While the solution has good capabilities, enterprises need to evaluate the vendor’s capacity to support large deployments, such as whether it can deliver large-scale ticket, chat, and remote session support, training sessions, assistance with product configuration and integration, and case escalations.

Purchase Considerations
UTMStack has a free open source version, making the solution a low-risk, no-cost opportunity for organizations to deploy the product. The solution has two paid tiers, Cloud SIEM and support, and an on-premises enterprise edition. UTMStack licensing is based on individual data sources of logs, such as firewalls, Windows Servers, Office 365, and antiviruses.

The solution can cater to a wide range of use cases, including log management; compliance management and reporting for regulations such as HIPAA, GDPR, GLBA, SOC, and ISO; file tracking and classification; user activity tracking; and serving as a threat intelligence source for firewalls.

Radar Chart Overview
This is the first iteration of the report that features UTMStack. The vendor is positioned in the Innovation/Platform Play quadrant, as it built its enterprise solution on top of open source software and offers an integrated SOAR solution. It has solid scores across the decision criteria we evaluated and is positioned in the Leaders circle. UTMStack is a Fast Mover, as it has a good cadence of feature releases and a good development pipeline.

6. Analyst’s Outlook

Most vendors in the SIEM space have well-developed core capabilities in alert ingestion, storage, scalability, and reporting. To develop new features, SIEM solutions are now entering the realm of other security services, such as UEBA, SOAR, and XDR. Vendors are tackling these new sets of capabilities either by developing them natively in the SIEM solution or by developing or acquiring them as separate products and closely integrating them. Integrations with third-party point-solution vendors still exist, but the focus has shifted to having these capabilities available in-house.

One interesting observation concerns the approach to ML. Applying ML-based analytics directly over SIEM logs has not produced proven results, so almost all vendors implement ML through UEBA, which has ML at its core for establishing baseline behavior and detecting deviations or anomalies from that baseline. Vendors that started in the UEBA space and transitioned into the SIEM space bring more experience and development in this area. Today, most SIEM vendors offer ML-based UEBA capabilities, albeit at different maturity levels; conversely, point-solution SIEM vendors that do not play in the UEBA space have little to no ML capabilities.

Another aspect that differentiates vendors in the SIEM space is the deployment model. Some vendors offer only cloud-native SaaS deployments, while more mature vendors provide most types of deployments, from physical appliances to virtual and cloud-hosted versions, with SaaS being on the roadmap for most players. As the main tool for security operations, SIEM solutions are crucial for regulated industries in which on-premises deployments are often required. Cloud-native vendors are therefore unable to cater to companies in this space, making it much easier for vendors who offer more deployment models to capture that part of the market.

Looking forward, we expect SIEM solutions to increasingly operate autonomously, mainly through prepackaged content, self-tuning capabilities, playbook changes, ML-based applications, and AIOps.

To learn about related topics in this space, check out the following GigaOm Radar reports:

7. Methodology

*Vendors marked with an asterisk did not participate in our research process for the Radar report, and their capsules and scoring were compiled via desk research.

For more information about our research process for Key Criteria and Radar reports, please visit our Methodology.

8. About Andrew Green

Andrew Green is an enterprise IT writer and practitioner with an engineering and product management background at a tier 1 telco. He is the co-founder of Precism.co, where he produces technical content for enterprise IT and has worked with numerous reputable brands in the technology space. Andrew enjoys analyzing and synthesizing information to make sense of today’s technology landscape, and his research covers networking and security.

9. About GigaOm

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.

10. Copyright

© Knowingly, Inc. 2024 "GigaOm Radar for Security Information and Event Management (SIEM)" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.
