SANS 2025 SOC Survey Exposes Critical Gaps and What Top Teams Are Doing Right

85% of Analysts Say Endpoint Alerts Drive Response, Yet 42% of SOCs Lack a Strategy for Managing Incoming Data

Dubai, United Arab Emirates, September 9, 2025 – The 2025 Global SOC Survey from SANS Institute reveals a stark disconnect between alert response and data strategy in Security Operations Centers (SOCs). While 85% of SOC analysts cite endpoint security alerts as their primary response trigger, 42% of SOCs admit to dumping all incoming data into a SIEM without a plan for retrieval or analysis. Recently released, the report highlights this and other critical insights drawn from thousands of practitioners worldwide and offers the industry’s most comprehensive, vendor-neutral benchmark of SOC maturity, tooling, and staffing.

“SOCs are the backbone of modern cyber defense, but many remain overwhelmed and under-resourced,” said Christopher Crowley, Certified Instructor at SANS Institute and lead author of the survey. “This year’s data offers a clear look at how SOCs are adapting to the demands of 24/7 operations, AI integration, and remote work – while also surfacing common missteps and areas for growth.”

Key findings from the 2025 report include:

· 82% of SOCs report operating 24/7.

· 85% of SOC analysts cite endpoint alerts as their primary response trigger.

· 73% allow some degree of remote work for SOC personnel.

· 42% send all incoming data to a SIEM without a defined strategy for management or retrieval.

· 42% use AI/ML tools in an out-of-the-box capacity without customization.

“If company leadership isn’t prepared to fully commit the resources to make a tool effective, it would be better not to deploy it at all,” said Crowley. “A shiny new technology that seems like a great solution requires budget, training, time and integration into workflow.”

“We define a SOC by its capabilities, architecture, staffing, and whether those functions are internal or outsourced,” added Crowley. “This report helps security leaders understand how others are building and evolving their SOCs, and where they stand in comparison.”

To access the full report or register for the webcast, visit: https://www.sans.org/webcasts/sans-2025-soc-survey/

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cybersecurity training and certification to professionals in government and commercial institutions worldwide. Renowned SANS instructors teach more than 85 courses at in-person and virtual cybersecurity events and OnDemand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 50 hands-on technical certifications in cybersecurity. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master’s and bachelor’s degrees, graduate certificates, and an undergraduate certificate in cybersecurity. SANS also delivers a wide variety of free resources to the InfoSec community, including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet’s early warning system—the Internet Storm Center. At the heart of SANS are the many security practitioners representing varied global organizations, from corporations to universities, working together to support and educate the global information security community. sans.org

####

Contact:

Ioiana Pires Luncheon

SANS Institute Il*******@**ns.org

+31615357364