SIEMs Are Drowning in Data—But Still Can’t See the Threats That Matter
- Cyber Jill
- Jun 5
CardinalOps’ 2025 report exposes systemic failures in security detection across modern enterprise environments
In the high-stakes world of cyber defense, enterprises are stockpiling petabytes of security telemetry—but most of it is going to waste.
That’s the core revelation from the newly released Fifth Annual State of SIEM Detection Risk Report by CardinalOps, which calls into question the true efficacy of modern SIEMs (Security Information and Event Management systems) when it comes to detecting and responding to real-world threats. Drawing on over 2.5 million log sources and thousands of detection rules across SIEM platforms like Splunk, Sentinel, and QRadar, this year’s report is the most extensive yet—and its findings are difficult to ignore.
At the heart of the report lies a sobering statistic: even in 2025, enterprise SIEMs detect only 21% of known adversary techniques as defined by the MITRE ATT&CK framework. That leaves a staggering 79% of techniques effectively invisible to SOC teams.
“Five years’ worth of data tells a stark story: organizations are sitting on a mountain of data but still lack the visibility needed to detect the threats that matter most,” said Michael Mumcuoglu, CEO and co-founder of CardinalOps.
Broken Rules, Broken Trust
Perhaps even more alarming is the state of the detection rules themselves. Thirteen percent of them—nearly one in eight—are functionally broken, meaning they will never fire, no matter how severe or obvious the attack. The root causes range from misconfigured data sources to missing log fields—problems that automation could fix, but rarely does.
This isn’t just an academic problem. Broken rules mean active threats can pass through enterprise defenses undetected. Even when the raw telemetry exists, a failure in detection logic becomes a failure in protection.
More Data, Same Blind Spots
Enterprises are collecting more telemetry than ever before, with the average SIEM now ingesting 259 log types from nearly 24,000 unique log sources. That’s more than enough to detect over 90% of MITRE ATT&CK techniques—if the right detection logic were in place. But manual rule creation and brittle engineering pipelines remain the norm, not the exception.
“What’s clear is that the traditional approach to detection engineering is broken,” Mumcuoglu warned. “Without being able to leverage AI, automation, and continuous assessment of detection health, enterprises will remain dangerously exposed—even with modern SIEM platforms and sophisticated telemetry.”
The Automation Gap
Despite the scale and sophistication of modern security tools, detection engineering has not evolved at the same pace as the threats those tools are meant to defend against. Manual rule development and a lack of automation continue to limit coverage, while understaffed SOC teams are left to triage a flood of alerts that don’t reflect the full risk landscape.
The report argues that true progress requires a shift from reactive engineering to proactive threat exposure management—prioritizing continuous validation, automated rule testing, and adaptive coverage tuning.
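The "broken rules" failure mode above (rules that can never fire because their log source is not ingested or a field they filter on is never populated) is exactly what an automated detection-health check catches. The script below is an added illustration, not code from the report or from CardinalOps: it assumes a simplified rule format (source name plus the fields the rule reads) and runs it against a constructed sample of parsed events.

```python
"""Detection-health check: flag SIEM rules that can never fire.

A rule is functionally broken when the log source it queries is not being
ingested at all, or when a field the rule filters on is absent from every
event of that source. Both conditions are checked against a sample of
recently ingested events rather than against the rule text alone.
"""
from collections import defaultdict

# Constructed sample events, as a SIEM would store them after parsing.
# The "sysmon" events lack CommandLine, e.g. a parser or config problem.
SAMPLE_EVENTS = [
    {"source": "windows_security", "EventID": 4625, "TargetUserName": "admin"},
    {"source": "windows_security", "EventID": 4624, "TargetUserName": "svc"},
    {"source": "sysmon", "EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"source": "sysmon", "EventID": 1, "Image": "C:\\Windows\\explorer.exe"},
]

# Constructed rules (hypothetical format): the source each rule queries and
# the fields its logic reads. No cloudtrail events are being ingested above.
RULES = {
    "failed_logon":   {"source": "windows_security", "fields": ["EventID", "TargetUserName"]},
    "encoded_ps":     {"source": "sysmon",           "fields": ["Image", "CommandLine"]},
    "aws_root_login": {"source": "cloudtrail",       "fields": ["eventName", "userIdentity.type"]},
}

def fields_by_source(events):
    """Collect the set of field names actually observed per ingested source."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["source"]].update(k for k in ev if k != "source")
    return seen

def rule_health(rules, events):
    """Return {rule_name: status}. Status is 'healthy', 'missing_source', or
    'missing_fields:<comma-separated names>' for rules that cannot fire."""
    seen = fields_by_source(events)
    report = {}
    for name, rule in rules.items():
        if rule["source"] not in seen:
            report[name] = "missing_source"
            continue
        missing = sorted(f for f in rule["fields"] if f not in seen[rule["source"]])
        report[name] = "missing_fields:" + ",".join(missing) if missing else "healthy"
    return report

if __name__ == "__main__":
    for name, status in rule_health(RULES, SAMPLE_EVENTS).items():
        print(f"{name:15} {status}")
```

Run on a schedule against a rolling window of real events, a check like this turns "rule exists" into "rule can actually fire", which is the detection-health signal the report says most SOCs lack.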
A Wake-Up Call for the Industry
The CardinalOps report doesn’t just diagnose problems—it also serves as a benchmark for the state of the industry. It’s already become required reading for CISOs, SOC leaders, and detection engineers looking to understand where they stand and how to improve.
The company will be hosting a webinar on June 17th titled "Bird’s Eye View", featuring Google Cloud advisor and former Gartner analyst Dr. Anton Chuvakin, along with CardinalOps researcher Daniel Koifman. The session aims to provide tactical guidance for detection teams looking to adapt in the face of growing threat complexity and diminishing visibility.
Until then, the takeaway is clear: enterprises may be armed with next-gen SIEMs and massive telemetry pipelines, but without smarter, automated detection engineering, they’ll keep flying blind.