Largest and Longest Analysis of SIEM Detection Engineering Assembled – Spanning Nearly 2.5 Million Log Sources and 13,000 Unique Detection Rules
TEL AVIV, Israel and BOSTON, June 5, 2025 -- CardinalOps, the unified threat exposure management company, today announced the release of its Fifth Annual Report on the State of SIEM Detection Risk. This year's report is the largest and most comprehensive study ever conducted on SIEM detection engineering, analyzing real-world data from enterprise-grade SIEMs across various industries and geographies.
Drawing from an expansive dataset of 2.5 million total log sources, over 23,000 distinct log sources, more than 13,000 unique detection rules, and hundreds of production SIEM environments, including Splunk, Microsoft Sentinel, IBM QRadar, CrowdStrike Logscale, and Google SecOps, the report uses the MITRE ATT&CK framework as a benchmark. This year's findings highlight major detection coverage gaps and systemic detection engineering challenges that impact the effectiveness of enterprise SIEMs in detecting and responding to adversary activity.
Key Findings:
Using the MITRE ATT&CK framework as a baseline, organizations are generally improving year-over-year in understanding SIEM detection coverage and quality, but plenty of room for improvement remains. Some of the key findings from the 2025 report include:
- Only 21% of MITRE ATT&CK Techniques Are Covered: Despite a two percent increase in coverage from 2024, on average, enterprise SIEMs have detection coverage for just 21% of adversary techniques defined in the MITRE ATT&CK framework – leaving 79% of techniques uncovered and organizations vulnerable to attack.
- 13% of SIEM Rules Are Broken: A significant portion of existing detection rules – 13% on average – are non-functional and will never trigger due to issues like misconfigured data sources and missing log fields. While this represents a five percent decrease from 2024, the persistence of broken rules in SIEM environments poses a serious risk: active threats can go unnoticed.
- Vast Data Goes Underutilized: SIEMs now process an average of 259 log types and nearly 24,000 unique log sources, providing more than enough telemetry to detect over 90% of MITRE ATT&CK techniques (an increase of three percent from 2024) – but manual, error-prone detection engineering practices continue to limit actual coverage.
- Detection Engineering at Scale Remains Elusive: Despite the scale of available data and detection infrastructure, organizations still struggle to keep pace with evolving threats due to resource constraints and a lack of automation in rule development and validation.
"Five years' worth of data tells a stark story: organizations are sitting on a mountain of data but still lack the visibility needed to detect the threats that matter most," said Michael Mumcuoglu, CEO and Co-Founder at CardinalOps. "What's clear is that the traditional approach to detection engineering is broken. Without being able to leverage AI, automation, and continuous assessment of detection health, enterprises will remain dangerously exposed – even with modern SIEM platforms and sophisticated telemetry."
CardinalOps' annual report continues to be a key resource for SOC leaders, CISOs, and detection engineers seeking to measure and improve the effectiveness of their detection capabilities against real-world adversary behavior. The 2025 report also includes actionable guidance and best practices for achieving sustainable, scalable detection posture management that reduces an organization's exposure to threats.
Download the full report here: https://cardinalops.com/white-papers/2025-state-of-siem-report-download
CardinalOps will also be hosting a 2025 State of Detection Webinar and Workshop titled "Bird's Eye View" on June 17th. The live event will explore findings from the 2025 State of SIEM Detection Risk Report and cover how to implement best practices aligned to the report's key takeaways. The webinar will feature Dr. Anton Chuvakin, Senior Security Advisor to Google Cloud and former Gartner Analyst, and Daniel Koifman, Security Researcher at CardinalOps.
Sign up for the live webinar and workshop here: https://cardinalops.com/birds-eye-view-2025-state-of-detection-webinar-and-workshop
About CardinalOps
CardinalOps is helping organizations eliminate their exposure risk with AI-powered Threat Exposure Management. CardinalOps is the industry's only platform to integrate both prevention and detection controls to provide unified visibility into exposure risk across multiple domains, facilitating context-driven prioritization and automated, safe remediation. With unparalleled clarity into risk and exposure, security teams can uncover actionable insights into compensating controls and streamline consistent and efficient remediation workflows to proactively reduce risk and strengthen security posture and detection engineering against the threats that matter most. For more information, visit cardinalops.com.
This news is brought to you by Qube Mark.