EP267 AI SOC or AI in a SOC? Cutting Through Hype, Pricing Models, and SIEM Detection Efficacy with Raffy Marty

Cloud Security Podcast

Mar 16, 2026

Why It Matters

Understanding the tension between legacy SIEMs and AI‑SOC startups is crucial for security leaders making investment decisions in a market flooded with hype. The episode highlights practical considerations—pricing, data architecture, and detection accuracy—that determine whether organizations can achieve sustainable threat visibility without vendor lock‑in.

Key Takeaways

  • Legacy SIEMs lag in scalability, detection accuracy, and pricing efficiency.
  • AI SOC startups target alert triage, but often patch symptoms rather than root causes.
  • Data pipelines become the sticky layer that enables SIEM vendor lock‑in.
  • A hybrid architecture balances edge collection with centralized correlation.

Pulse Analysis

The episode opens with a candid assessment of today’s security information and event management (SIEM) landscape. Long‑standing vendors such as Splunk and Exabeam still dominate, but their platforms struggle with scalability, detection accuracy, and pricing structures that no longer fit modern MSSP or enterprise budgets. Raffy Marty argues that the perceived death of SIEMs is a marketing myth; instead, incumbents must quickly address these gaps or risk being eclipsed by nimble AI‑SOC startups promising cheaper, faster alert reduction.

A central theme is the rise of AI‑SOC solutions that focus on triage and alert suppression. While these newcomers can cut false positives by up to 80 percent, the conversation highlights a recurring pattern: many are merely patching symptoms rather than solving core data‑collection and correlation challenges. The panel debates federated versus centralized architectures, noting that pure edge‑only models create a catch‑22 where analysts still need to pull data back for deep investigation. The consensus leans toward a hybrid approach—pushing compute to the edge for low‑value telemetry while centralizing high‑value events for cross‑correlation and advanced analytics.
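The hybrid split described above (summarize low‑value telemetry at the edge, forward high‑value events in full so a central engine can correlate across sources) can be sketched as a small edge router. The code below is an added illustration written for this page, not code from the podcast, the guest, or any vendor; the event fields, the `HIGH_VALUE_TYPES` set, the severity threshold, and the sample events are all constructed for the example.

```python
"""Edge-side telemetry router (added example; not from the podcast or any vendor).

Low-value events stay at the edge and are shipped only as periodic count
summaries; high-value events are forwarded verbatim so the central SIEM can
correlate them across hosts. All field names and thresholds are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed "high-value" criteria: event types the central correlation
# engine needs in full detail, plus anything above a severity threshold.
HIGH_VALUE_TYPES = {"auth_failure", "privilege_escalation", "process_exec"}
HIGH_SEVERITY = 7  # constructed threshold on a 0-10 scale


@dataclass
class EdgeRouter:
    forwarded: list = field(default_factory=list)          # sent to central SIEM
    local_counts: Counter = field(default_factory=Counter)  # aggregated at the edge
    summary_every: int = 100   # emit a rollup after this many low-value events
    _seen_low: int = 0

    def is_high_value(self, event: dict) -> bool:
        return (event.get("type") in HIGH_VALUE_TYPES
                or event.get("severity", 0) >= HIGH_SEVERITY)

    def ingest(self, event: dict) -> None:
        if self.is_high_value(event):
            # Full-fidelity event: central correlation needs every field.
            self.forwarded.append({"kind": "event", **event})
            return
        # Low-value telemetry: keep only a (host, type) count at the edge.
        self.local_counts[(event.get("host"), event.get("type"))] += 1
        self._seen_low += 1
        if self._seen_low >= self.summary_every:
            self.flush_summary()

    def flush_summary(self) -> Optional[dict]:
        """Ship the accumulated counts as one summary record and reset."""
        if not self.local_counts:
            return None
        summary = {
            "kind": "summary",
            "counts": {f"{h}:{t}": n for (h, t), n in self.local_counts.items()},
        }
        self.forwarded.append(summary)
        self.local_counts.clear()
        self._seen_low = 0
        return summary


def route_events(events, summary_every: int = 100) -> list:
    """Run a batch through the edge router and return what reaches central."""
    router = EdgeRouter(summary_every=summary_every)
    for event in events:
        router.ingest(event)
    router.flush_summary()  # drain whatever is left at end of batch
    return router.forwarded


def correlate_hosts(forwarded) -> list:
    """Central-side rule: a host with an auth failure followed by a privilege
    escalation. Only possible because those events arrived in full."""
    seen_auth, flagged = set(), []
    for item in forwarded:
        if item["kind"] != "event":
            continue
        if item["type"] == "auth_failure":
            seen_auth.add(item["host"])
        elif (item["type"] == "privilege_escalation"
              and item["host"] in seen_auth and item["host"] not in flagged):
            flagged.append(item["host"])
    return flagged


# Constructed sample batch from three hosts.
SAMPLE_EVENTS = [
    {"host": "web1", "type": "dns_query", "severity": 1},
    {"host": "web1", "type": "dns_query", "severity": 1},
    {"host": "db1", "type": "auth_failure", "severity": 5},
    {"host": "db1", "type": "flow", "severity": 2},
    {"host": "db1", "type": "privilege_escalation", "severity": 9},
    {"host": "web2", "type": "dns_query", "severity": 1},
    {"host": "web2", "type": "flow", "severity": 8},  # high by severity alone
    {"host": "db1", "type": "flow", "severity": 2},
]

if __name__ == "__main__":
    out = route_events(SAMPLE_EVENTS)
    print(f"{len(SAMPLE_EVENTS)} events in, {len(out)} records to central")
    print("correlated hosts:", correlate_hosts(out))
```

With the sample batch, eight events become three full events plus one summary record, and the central rule still fires on `db1` because the two events it needs were forwarded intact. Lowering `summary_every` trades volume for freshness of the edge rollups; the catch‑22 the episode mentions shows up when an investigation needs the raw low‑value events that only ever existed at the edge.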

Pricing emerges as a thorny issue. Traditional seat‑based or data‑volume models often misalign with the realities of MSSPs, who juggle dozens of customers and cannot predict data ingest rates. The hosts explore alternative structures, such as tiered alert‑per‑price or mixed‑metric schemes, emphasizing fairness for both vendors and end‑users. Ultimately, the discussion underscores that data pipelines act as a Trojan horse: they lock customers into a vendor’s ecosystem, making migration difficult but also offering a pathway for pipeline providers to evolve into full‑fledged SIEMs. For security leaders, the takeaway is clear—invest in flexible, hybrid architectures and pricing models that reward true detection value rather than superficial alert reduction.

Episode Description

Guest:

Raffael Marty, Operating Advisor, a SIEM legend since 1999

Topics covered:

Resources:

Video version

The SIEM Maturity Framework: A Practical Scoring Tool for Security Analytics Platforms and raffy.ch/SIEM/

The Gaps That Created the New Wave of SIEM and AI SOC Vendors

How AI Impacts the Cyber Market and The Future of SIEM

Why Venture Capital Is Betting Against Traditional SIEMs

EP236 Accelerated SIEM Journey: A SOC Leader's Playbook for Modernization and AI

EP234 The SIEM Paradox: Logs, Lies, and Failing to Detect

EP125 Will SIEM Ever Die: SIEM Lessons from the Past for the Future

Decoupled SIEM: Brilliant or Stupid?

Decoupled SIEM: Where I Think We Are Now?

Do you have something cool to share? Some questions? Let us know:

Web: cloud.withgoogle.com/cloudsecurity/podcast

Mail: cloudsecuritypodcast@google.com

Twitter: @CloudSecPodcast
