85% of analysts say endpoint alerts drive response, yet 42% of SOCs lack a structured plan for incoming data
The SANS Institute’s newly released 2025 Global SOC Survey underscores a troubling disconnect in Security Operations Centers (SOCs) worldwide. While 85% of SOC analysts identify endpoint alerts as the primary trigger for incident response, 42% of SOCs admit to sending all incoming data into their security information and event management (SIEM) platform without a defined strategy for how that data will later be retrieved or analyzed.
The report—considered one of the industry’s most comprehensive vendor-neutral benchmarks—draws insights from thousands of practitioners across the globe and reveals both the strengths and shortcomings of modern SOCs as they adapt to 24/7 operations, AI-driven tooling, and hybrid work environments.
“SOCs are the backbone of modern cyber defense, but many remain overwhelmed and under-resourced,” said Christopher Crowley, Certified Instructor at SANS Institute and lead author of the survey.
Key takeaways from the 2025 survey include:
- 82% of SOCs report operating 24/7.
- 85% of analysts rely primarily on endpoint alerts to initiate response.
- 73% of SOCs allow some degree of remote work for personnel.
- 42% of SOCs lack a structured data management strategy, relying on raw ingestion into their SIEM with no defined plan for retrieval or analysis.
- 42% of SOCs use AI/ML tools in an out-of-the-box mode without customization.
Crowley warned that technology without investment is a recipe for failure:
“If company leadership isn’t prepared to fully commit the resources to make a tool effective, it would be better not to deploy it at all. A shiny new technology requires budget, training, time, and workflow integration.”
The report also provides a framework for evaluating SOC maturity based on capabilities, architecture, staffing, and the mix of in-house versus outsourced functions. This benchmarking is expected to help security leaders identify where their SOCs stand relative to peers and where investments are most urgently needed.