SANS 2025 SOC Survey Exposes Critical Gaps and What Top Teams Are Doing Right

Press release
Published September 9th, 2025 - 06:35 GMT

The 2025 Global SOC Survey from SANS Institute reveals a stark disconnect between alert response and data strategy in Security Operations Centers (SOCs). While 85% of SOC analysts cite endpoint security alerts as their primary response trigger, 42% of SOCs admit to dumping all incoming data into a SIEM without a plan for retrieval or analysis. Recently released, the report highlights this and other critical insights drawn from thousands of practitioners worldwide and offers the industry’s most comprehensive, vendor-neutral benchmark of SOC maturity, tooling, and staffing.

"SOCs are the backbone of modern cyber defense, but many remain overwhelmed and under-resourced," said Christopher Crowley, Certified Instructor at SANS Institute and lead author of the survey. "This year’s data offers a clear look at how SOCs are adapting to the demands of 24/7 operations, AI integration, and remote work - while also surfacing common missteps and areas for growth."

Key findings from the 2025 report include:

• 82% of SOCs report operating 24/7.
• 85% of SOC analysts cite endpoint alerts as their primary response trigger.
• 73% allow some degree of remote work for SOC personnel.
• 42% send all incoming data to a SIEM without a defined strategy for management or retrieval.
• 42% use AI/ML tools in an out-of-the-box capacity without customization.

"If company leadership isn’t prepared to fully commit the resources to make a tool effective, it would be better not to deploy it at all," said Crowley. "A shiny new technology that seems like a great solution requires budget, training, time and integration into workflow."

"We define a SOC by its capabilities, architecture, staffing, and whether those functions are internal or outsourced," added Crowley. "This report helps security leaders understand how others are building and evolving their SOCs, and where they stand in comparison."

Background Information

SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Its programs now reach more than 165,000 security professionals around the world. A range of individuals, from auditors and network administrators to chief information security officers, share the lessons they learn and jointly find solutions to the challenges they face. At the heart of SANS are the many security practitioners in varied global organizations, from corporations to universities, working together to help the entire information security community.
