At some point in the last decade, SIEMs turned into that one friend who always promises to help you move, then shows up late, eats all your pizza, and still expects gas money.
They were supposed to deliver centralized visibility and faster investigations. Instead, most SOC teams ended up with endless alerts, eye-watering bills, and dashboards that look impressive on the big screen but don't actually stop attackers.
So, how did we end up here?
A short history: when SIEMs were actually useful
Back when firewalls were still exciting, SIEMs solved a real problem: logs scattered everywhere, auditors breathing down your neck, and no way to answer "who logged into what, when?"
Then came the "next-gen" era. Vendors promised smarter detection, correlations across your stack, and even a pinch of threat intel. The promise was fewer false positives and a faster response.
But instead of taming noise, NG SIEMs just amplified it. It was like turning up the volume on a broken radio and calling it a concert.
Where it all went off the rails
Pricing designed for pain
SIEMs typically charge based on raw data volume. That means the wider the visibility, the harder your budget bleeds. Many security leaders wrestle with this dilemma: "Should we ingest DNS logs or just pay the rent this month?"
Vendors benefit when ingestion volume increases, promoting the idea that more logs = more security. In practice, you're just paying for more "hay in the haystack". ESG found that 65% of security leaders have reduced log ingestion because of cost pressures - weakening visibility while still overspending.
Correlation rules don't age well
Correlation rules were once seen as a breakthrough for making sense of disparate logs.
But unlike wine or whiskey, they age badly. Attacker techniques evolve daily, but rule libraries are often updated weeks or months later, leaving a persistent gap. What starts as a promising detection mechanism becomes a noise source as outdated rules generate floods of low-value alerts that overwhelm analysts instead of guiding them.
Consider a typical example: rules that trigger on logins from unusual geographies. A decade ago, an unexpected login from overseas might have been a strong indicator of compromise. Today, with remote work, cloud-based infrastructure, and employees constantly traveling or connecting through consumer VPNs, those alerts fire endlessly on legitimate activity. What was once a high-fidelity signal is now just another stream of background noise.
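To make the point concrete, here is an added Python illustration (written for this page, not code from the original post or from Radiant's product) that runs a naive "login from outside the home country" rule and a context-aware version of the same rule over a handful of constructed login events; the user baselines, the VPN egress range and the benign/suspicious labels are all made up for the example.

```python
import ipaddress

# Constructed sample events (not real logs): one day of successful logins,
# each labelled with what an analyst would conclude after investigation.
EVENTS = [
    {"user": "alice", "country": "DE", "src_ip": "203.0.113.10", "label": "benign"},    # works from Berlin
    {"user": "alice", "country": "DE", "src_ip": "203.0.113.11", "label": "benign"},
    {"user": "bob",   "country": "GB", "src_ip": "198.51.100.7", "label": "benign"},    # via corporate VPN
    {"user": "carol", "country": "US", "src_ip": "192.0.2.44",   "label": "benign"},    # in the office
    {"user": "carol", "country": "BR", "src_ip": "192.0.2.200",  "label": "suspicious"},  # never seen before
]

# Hypothetical corporate VPN egress range (TEST-NET-2, constructed for the example).
VPN_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]

# Per-user set of countries observed over a prior baseline window (constructed).
BASELINE = {"alice": {"DE"}, "bob": {"US"}, "carol": {"US"}}


def naive_geo_rule(events, home_country="US"):
    """The decade-old rule: any login outside the company's home country alerts."""
    return [e for e in events if e["country"] != home_country]


def contextual_geo_rule(events, baseline, vpn_egress):
    """Same signal, but suppress the two biggest known-good sources of noise:
    the user's own baseline countries and logins arriving via corporate VPN egress."""
    alerts = []
    for e in events:
        ip = ipaddress.ip_address(e["src_ip"])
        if any(ip in net for net in vpn_egress):
            continue  # VPN egress: geolocation says nothing about the user
        if e["country"] in baseline.get(e["user"], set()):
            continue  # normal for this user
        alerts.append(e)
    return alerts


def false_positive_count(alerts):
    """Alerts that an analyst would close as benign after investigation."""
    return sum(1 for e in alerts if e["label"] == "benign")


if __name__ == "__main__":
    for name, rule in (("naive", naive_geo_rule(EVENTS)),
                       ("contextual", contextual_geo_rule(EVENTS, BASELINE, VPN_EGRESS))):
        print(f"{name}: {len(rule)} alerts, {false_positive_count(rule)} false positives")
```

On this sample the naive rule raises four alerts of which three are noise, while the contextual rule raises only the one login that is genuinely new for the user and not attributable to the VPN.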
Alert fatigue at scale
Ponemon research found that 25% of analyst time is wasted chasing false positives — time that should be spent investigating real threats. The 2024 Security Boulevard SOC Efficiency Study reported that nearly one-third of alerts are false positives, while the remainder are often duplicates or redundant noise. And the Verizon 2024 DBIR adds another perspective: in 74% of breaches, alerts were generated but ignored — usually because analysts were overwhelmed by volume.
The picture is consistent: analysts are buried under thousands of alerts daily, and the signal-to-noise problem is draining efficiency and morale.
No usable answers
SIEMs excel at triggering and displaying alerts, but not at providing the why or what's next. Analysts are left with a blinking red light and little else. ESG research shows the average SOC uses more than 20 tools to complete an investigation, because the SIEM can't connect the dots — a classic case of "swivel-chair security." Instead of a centralized and streamlined workflow, teams are forced into time-consuming pivots to gather enough context to decide the alert's maliciousness.
The human toll
If you ask any SOC analyst, you'll often hear the same familiar sentiment:
- Bulk-closing tickets just to keep their head above water.
- Spending more time babysitting correlation rules than investigating and stopping actual threats.
- Watching the SIEM bill increase while key security metrics like MTTD and MTTR remain unchanged.
It's no wonder that SOC burnout is at an all-time high. Multiple studies show that more than 70% of analysts report high stress and job dissatisfaction, and the average tenure for a SOC analyst role is now less than two years. The talent pipeline isn't keeping up either. There simply aren't enough experienced professionals to fill the seats being vacated.
One Fortune 500 company we worked with spent millions yearly on SIEM ingestion. Guess what caused their breach? An alert went off but was ignored, buried beneath 5,000 daily false positives.
Have you ever heard anyone say, "I love my SIEM"? Yeah... neither have I. (:
The end of the SIEM era
No, they're not disappearing tomorrow. They'll stick around as compliance tools and oversized log archives, but their role in driving day-to-day security outcomes is fading fast.
The beating heart of the SOC? Those days are clearly over. SIEMs now:
- Are compliance-first, security-second.
- Are slow where speed is essential.
- Are financially incentivized to grow your workload, not reduce it.
Many SOCs treat them like that cranky printer in the office corner. It still works, but nobody trusts it for mission-critical tasks.
The data tells the story
The shift isn't just anecdotal — research backs it up.
One modern triage system cut alerts by 61% while keeping false negatives to just 1.36%, showing that smarter automation can reduce noise without missing real threats. Oxford researchers highlighted that most alerts are benign and need richer context. Their recommendation: design alarms that are Reliable, Explainable, Analytical, Contextual, and Transferable (REACT) to build trust and cut fatigue.
The economics are just as clear. Ponemon reports the average enterprise SOC now costs $5.3 million annually, up 20% in one year, yet only half of teams consider their engineering effective. 85% of analysts describe SOC work as painful or very painful, underscoring that budgets keep rising while morale keeps sinking. The SIEM is often the single largest line item, yet consistently delivers the least value in the stack.
And complexity adds insult to injury. Ponemon found that 75% of SIEM TCO goes to maintenance, not licensing, while nearly half of users are dissatisfied with the intelligence they get from it. A staggering 78% say it takes significant effort to configure effectively — making it one of the most resource-draining tools in the SOC.
If SIEM and SOAR don't work, what's next?
The building blocks for modern security operations are already here. Cloud-native technologies for ingesting, archiving, and querying security data are now widely accessible and are no longer the proprietary domain of SIEM vendors. That means SOCs no longer have to accept traditional platforms' constraints, costs, and lock-in.
A different model is emerging, one that is lighter, faster, and modular:
- Scalable, affordable log management: Cloud-native data foundations let teams ingest and store everything without punishing costs. Logs live in low-cost, flexible cloud archive storage instead of overpriced vendor vaults, giving organizations both scale and ownership of their data for up to 80% less cost. The most customer-focused vendors go a step further, enabling teams to leverage their own infrastructure to unlock even greater savings and control.
- Automated triage and investigation: Agentic AI SOC analysts filter out false positives, enrich context, and surface only real threats — without the need for complex playbook engineering. Instead of drowning in noise, analysts can focus their time on high-value incidents.
- Integrated response workflows: Once alerts are validated as malicious, streamlined workflows and automation allow incidents to be resolved in minutes, not hours — shrinking dwell time and making the SOC more proactive.
The SOC of the future will look less like a ticket factory and more like a focused, efficient operation that keeps pace with attackers while keeping analysts sane.
About Radiant: The new way of doing SOC
Radiant was founded to break the cycle of alert overload and ineffective tooling.
Its Agentic AI SOC analysts triage 100% of alerts from any source, auto-close false positives, and escalate only real threats into incidents, with no pre-training required.
Each incident includes a detailed investigation report with full context and AI reasoning, as well as a one-click remediation plan to respond faster to threats. Integrated log management provides unlimited ingestion and lightning-fast search in the customer's cloud, eliminating the economic burden and lock-in of traditional SIEMs.
Watch a short explainer video or book a demo today to learn more about us.
Shahar Ben-Hador — CEO and Co-founder at Radiant Security