The 2025 SANS SOC Survey reveals that while technology keeps evolving, the core problems facing SOC teams remain stubbornly in place. Teams are understaffed. Tool sprawl is growing. And performance metrics often miss the mark.
Many SOCs lack the workflows, strategy, and staff to connect tools, streamline processes, and reduce manual work. And now they face a new challenge: making AI actually deliver value. Let’s dig into the key findings.
SOCs are still struggling to keep top talent
62% of SOC professionals say their org isn’t doing enough to keep top staff.
3–5 years is the most common tenure for SOC staff.
SOC teams have always had a shortage of skilled staff. The data shows that’s still a challenge. Leaders know staff retention is a problem, but many admit they’re not doing enough to fix it. This isn’t just an HR issue. High turnover drains institutional knowledge and weakens security posture.
There’s a silver lining: people want to stay, but only if they see a future. That starts with redefining how the work is managed. Align staffing with business outcomes, not just alert volume.
We’ve done ourselves a disservice by tying so much of our work to the alert-to-incident pipeline. I’m not convinced SOC staffing should be based on how many tickets come in the door.
Automate the repetitive manual tasks (what we call muckwork) and free teams up to focus on what matters. When teams have space to focus on strategic work and feel supported, retention and performance follow.
AI isn’t meeting expectations
Generative AI tools scored lowest in satisfaction across all technologies measured.
42% of SOCs use AI/ML tools "out of the box" with no customization.
AI and ML tools are being adopted quickly, but they’re still not delivering the value teams expect. Many SOCs feel pressure to jump in. Without structure or ownership, AI can add complexity and risk instead of solving problems.
Security teams have seen this before: tools that promise transformation but create noise instead of insight. LLMs can fall into the same trap if used without care.
Security teams are used to being sold breathless promises. AI can help, but only if we give teams the latitude to test, fail, and learn what works.
Used with purpose, AI can drive real impact. Customize it. Integrate it. Use it where it fits best within your workflows. For example, use agents for non-deterministic or ambiguous tasks, deterministic workflows for critical compliance tasks, and copilots to loop in people where judgment matters. AI should be adaptable and transparent. Not a black box.
Too much SIEM data, not enough strategy
42% of SOCs dump data into SIEMs, often without a retrieval or management plan.
85% of respondents say endpoint security alerts are their primary trigger for response, not the SIEM itself.
The survey points to a clear disconnect. Teams are pouring data into SIEMs without a plan for how to manage, retrieve, or use it effectively. And most alerts aren’t even coming from the SIEM in the first place. That’s a problem. Without a strategy, more data just adds noise. It slows investigations and makes it harder to spot real threats.
A growing number of organizations are defaulting to ‘just store everything in the SIEM.’ It’s easy to justify today and hard to pay for tomorrow.
Instead, a data lake plus SIEM strategy can help balance costs while ensuring that analysts can quickly access relevant data. Normalize and label data so you can correlate across systems. Test alerts before they go live. Tune thresholds. Layer in automation gradually and with intent. Make sure relevant logs in the data lake can be replayed into the SIEM automatically when an investigation needs them. A SIEM should give you clarity, not bury you in noise.
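The normalize-label-replay pattern above, as an added example that is not from the survey or the report: raw events from two systems are mapped onto one schema and labelled with their source, and when an endpoint alert fires, the lake records for that host in a short window are selected for replay into the SIEM. All records, field names and hostnames are constructed.

```python
"""Added example: minimal 'data lake + SIEM' replay selection.
Records, field names and hostnames are constructed for illustration."""
from datetime import datetime, timedelta, timezone

# Constructed raw lake records, each in its producing system's own shape.
LAKE = [
    {"ts": "2025-06-01T10:00:05Z", "Computer": "WS-17",
     "TargetUser": "alice", "EventID": 4624},        # Windows logon event
    {"time": 1748772030, "host": "ws-17.corp.example",
     "user": "alice", "cmd": "svchost.exe -k netsvcs"},  # EDR process event
    {"ts": "2025-06-01T10:01:00Z", "Computer": "WS-22",
     "TargetUser": "bob", "EventID": 4624},
]


def _parse_iso(ts: str) -> datetime:
    """ISO-8601 with a trailing Z -> aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def normalize(rec: dict) -> dict:
    """Map a source-specific record onto one schema and label its source.
    Hostnames are lower-cased and stripped of the domain suffix so that
    records from different systems correlate on the same host key."""
    if "EventID" in rec:
        return {"ts": _parse_iso(rec["ts"]), "host": rec["Computer"].lower(),
                "user": rec["TargetUser"], "source": "windows_security",
                "detail": f"event {rec['EventID']}"}
    return {"ts": datetime.fromtimestamp(rec["time"], tz=timezone.utc),
            "host": rec["host"].split(".")[0].lower(), "user": rec["user"],
            "source": "edr", "detail": rec["cmd"]}


def replay_for_alert(alert_host: str, alert_ts: str, window_min: int = 5) -> list:
    """Select normalized lake records for the alerting host within
    +/- window_min minutes of the alert, oldest first, for SIEM replay."""
    centre = _parse_iso(alert_ts)
    lo, hi = centre - timedelta(minutes=window_min), centre + timedelta(minutes=window_min)
    wanted = alert_host.split(".")[0].lower()
    hits = [normalize(r) for r in LAKE]
    return sorted((h for h in hits if h["host"] == wanted and lo <= h["ts"] <= hi),
                  key=lambda h: h["ts"])


if __name__ == "__main__":
    for h in replay_for_alert("WS-17", "2025-06-01T10:00:20Z"):
        print(h["ts"].isoformat(), h["source"], h["user"], h["detail"])
```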
Metrics are manual and misaligned
69% of SOCs still rely on manual or mostly manual processes to report their metrics.
Nearly half of SOCs say manual reporting is too time-consuming.
Reporting is still a heavy lift for most SOCs. The survey suggests that teams are collecting large amounts of data manually, but not always using it in meaningful ways. Many metrics still focus on technical volume rather than outcomes that matter to leadership.
Without the right visibility, it is harder to drive improvement, justify investment, or show strategic value.
Start by automating metric collection. Then shift your focus from counting activity to measuring results. Good metrics reflect progress, performance, and impact. When reporting ties to business value, it becomes a business lever, not just a technical requirement.
Takeaways for SOC leaders and analysts
SOCs are still grappling with staffing gaps, tool sprawl, and reporting that doesn’t reflect impact. But these challenges are solvable. Start by automating the manual, repetitive work. Orchestrate workflows that drive outcomes. Give your team the space and structure they need to focus on what matters. There’s plenty more to explore in the full report.
Download the SANS SOC Survey 2025 here.