CardinalOps announced the release of its Fifth Annual Report on the State of SIEM Detection Risk. This year's report is the largest and most comprehensive study ever conducted on SIEM detection engineering, analyzing real-world data from enterprise-grade SIEMs across various industries and geographies.
Drawing from an expansive dataset of 2.5 million total log sources, over 23,000 distinct log sources, more than 13,000 unique detection rules, and hundreds of production SIEM environments, including Splunk, Microsoft Sentinel, IBM QRadar, CrowdStrike Logscale, and Google SecOps, the report uses the MITRE ATT&CK framework as a benchmark. This year's findings highlight major detection coverage gaps and systemic detection engineering challenges that limit the effectiveness of enterprise SIEMs in detecting and responding to adversary activity.
Key Findings:
Using the MITRE ATT&CK framework as a baseline, organizations are generally improving year-over-year in understanding SIEM detection coverage and quality, but plenty of room for improvement remains. Some of the key findings from the 2025 report include:
- Only 21% of MITRE ATT&CK Techniques Are Covered: Despite a two percent increase in coverage from 2024, on average, enterprise SIEMs have detection coverage for just 21% of adversary techniques defined in the MITRE ATT&CK framework - leaving 79% of techniques uncovered and organizations vulnerable to attack.
- 13% of SIEM Rules Are Broken: A significant portion of existing detection rules - 13% on average - are non-functional and will never trigger due to issues like misconfigured data sources and missing log fields. While the data represents a five percent decrease from 2024, the persistence of broken rules in SIEM environments poses a huge risk where active threats can go unnoticed.
- Vast Data Goes Underutilized: SIEMs now process an average of 259 log types and nearly 24,000 unique log sources, providing more than enough telemetry to detect over 90% of MITRE ATT&CK techniques (an increase of three percent from 2024) - but manual, error-prone detection engineering practices continue to limit actual coverage.
- Detection Engineering at Scale Remains Elusive: Despite the scale of available data and detection infrastructure, organizations still struggle to keep pace with evolving threats due to resource constraints and a lack of automation in rule development and validation.
"Five years' worth of data tells a stark story: organizations are sitting on a mountain of data but still lack the visibility needed to detect the threats that matter most," said Michael Mumcuoglu, CEO and Co-Founder at CardinalOps. "What's clear is that the traditional approach to detection engineering is broken. Without being able to leverage AI, automation, and continuous assessment of detection health, enterprises will remain dangerously exposed - even with modern SIEM platforms and sophisticated telemetry."
CardinalOps' annual report continues to be a key resource for SOC leaders, CISOs, and detection engineers seeking to measure and improve the effectiveness of their detection capabilities against real-world adversary behavior. The 2025 report also includes actionable guidance and best practices for achieving sustainable, scalable detection posture management that reduces an organization's exposure to threats.
Download the full report here: https://cardinalops.com/white-papers/2025-state-of-siem-report-download