This session features an in-depth technical and strategic discussion regarding the purported "death" of Security Information and Event Management (SIEM). Raffy Marty, a veteran in the space since 1999, argues that while "SIEM is obsolete" is a potent marketing slogan, the reality is a market in mid-correction. The conversation explores the rise of "AI SOC" startups, the logistical challenges of decoupled vs. centralized architectures, the "Trojan Horse" of data pipelines (e.g., Cribl), and the shifting importance of network telemetry in a post-cloud-only world.
The core thesis is that incumbents are failing on pricing and alert fatigue, but new entrants often only "patch" symptoms rather than solving the underlying detection engineering crisis.
Detailed Conversation Summary
I. The "Death" of SIEM: Marketing vs. Reality
The discussion opens with the provocative question of whether SIEM is dead. Marty contends it is not, but rather that the industry has seen a massive influx of capital into "AI SOC" and "New SIEM" companies because incumbents (like Splunk and Exabeam) failed to deliver on their original promises of scale and cost-efficiency.
The Gap: New entrants win on "cheaper architecture" and "better detections." However, Marty views these as temporary advantages. If incumbents leverage their massive R&D budgets and existing data gravity, they can close these gaps.
The AI SOC Hype: Marty warns that many AI SOC startups, which promise to reduce alert volume by 80%, are essentially providing a "temporary fix." They use heuristics to suppress false positives (e.g., recurring service account errors), but these capabilities are easily subsumed by the SIEM platform itself.
II. Architecture: Decoupled, Federated, and "Uncle's Flooded Basement"
Chuvakin raises the tension between centralized platforms and the emerging trend of "decoupled" SIEM (separating storage from compute).
The Access Pattern Dilemma: Marty argues that while "pushing compute to the data" (federation) sounds ideal, the reality of incident response requires centralization. An analyst or AI agent performing a deep-dive investigation inevitably needs to pull data back to a central point for enrichment and cross-correlation.
The Hybrid Approach: The consensus is a hybrid model. High-volume, low-value data (like raw system calls) should stay at the edge (EDR), while high-fidelity signals must be centralized to correlate across firewalls, identity, and endpoints.
III. Data Pipelines as a Trojan Horse
A significant portion of the dialogue focuses on the strategic role of data pipelines (e.g., Cribl, Tenzir). Marty describes these as a "Trojan Horse" because they own the data integration layer.
Unsticking the SIEM: Once a pipeline is in place, the SIEM becomes a "pluggable" component. A customer can easily route a feed to a cheaper data lake or swap "SIEM A" for "SIEM B" without reconfiguring every log source.
Vendor Evolution: Marty advises that legacy vendors must integrate pipeline features (routing, filtering, optimization) directly into their products to prevent being commoditized.
IV. The Gordian Knot of SIEM Pricing
The participants concede that no one has "solved" pricing.
The Volume Problem: Pricing by data volume penalizes security (the more you see, the more you pay).
The "Bring Your Own Storage" (BYOS) Model: Startups are increasingly telling customers to store data in their own buckets (S3/GCS). While this avoids vendor markups and helps the vendor's margins, Marty notes it is a "cop-out" for SMBs who lack the resources to manage their own cloud infrastructure.
The MSP Perspective: In the MSP world, "per seat" or "per device" pricing remains the only predictable model for business owners, even if it doesn't align with the underlying cloud costs.
V. Detection Engineering and the Context Graph
Marty identifies the "Holy Grail" of security operations: the Context Graph.
Beyond Rules: Instead of just writing Sigma rules, the industry needs a dynamic risk register that tracks entities (users, apps, endpoints).
Dynamic Risk: If a user’s risk score is low (verified location, known browser string), the system should be more permissive. If signals are anomalous, the friction increases.
The Failure of Detection: Marty notes it is "baffling" that SIEMs still don't tell users when a detection rule is "broken" because the underlying data feed has stopped or changed.
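The "broken rule" problem Marty describes is checkable: a rule depends on a specific feed and specific fields, so a feed going silent or a collector renaming a field silently disables the rule. The following is an added illustration, not code from the episode or any vendor; the rule definitions, event records, and thresholds are constructed for the example.

```python
"""Detection-health check: flag rules whose data feed went silent or changed shape."""
from datetime import datetime, timedelta, timezone

# Hypothetical rule definitions (constructed): each rule declares the log source and
# the fields it depends on, which is what a SIEM needs in order to report breakage.
RULES = {
    "brute_force_logon": {"source": "windows_security", "fields": ["EventID", "TargetUserName", "IpAddress"]},
    "dns_tunnel_len":    {"source": "dns",              "fields": ["query", "qtype"]},
    "fw_deny_burst":     {"source": "firewall",         "fields": ["action", "src_ip", "dst_port"]},
}

NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)   # fixed clock for reproducibility

def _ev(minutes_ago, source, **fields):
    return {"@timestamp": NOW - timedelta(minutes=minutes_ago), "source": source, **fields}

# Constructed events: the firewall feed stopped hours ago; the Windows feed lost the
# IpAddress field after a collector change (now "SourceIp"); the DNS feed is healthy.
EVENTS = [
    _ev(3,   "windows_security", EventID=4625, TargetUserName="svc_backup", SourceIp="10.0.0.7"),
    _ev(8,   "windows_security", EventID=4625, TargetUserName="svc_backup", SourceIp="10.0.0.7"),
    _ev(2,   "dns", query="example.com", qtype="A"),
    _ev(5,   "dns", query="cdn.example.net", qtype="AAAA"),
    _ev(240, "firewall", action="deny", src_ip="203.0.113.9", dst_port=445),
]

def check_rule_health(rules, events, now, max_silence=timedelta(minutes=30), window=timedelta(minutes=15)):
    """Return {rule: (status, detail)} with status 'ok', 'stale_feed' or 'schema_drift'."""
    results = {}
    for name, rule in rules.items():
        src_events = [e for e in events if e["source"] == rule["source"]]
        if not src_events:
            results[name] = ("stale_feed", "no events ever seen from %s" % rule["source"])
            continue
        newest = max(e["@timestamp"] for e in src_events)
        if now - newest > max_silence:          # feed went silent: rule can never fire
            results[name] = ("stale_feed", "last %s event %s ago" % (rule["source"], now - newest))
            continue
        recent = [e for e in src_events if now - e["@timestamp"] <= window]
        missing = sorted({f for f in rule["fields"] for e in recent if f not in e})
        if missing:                             # feed alive but shape changed: rule silently no-ops
            results[name] = ("schema_drift", "fields missing in recent events: %s" % ", ".join(missing))
            continue
        results[name] = ("ok", "%d events in last %s" % (len(recent), window))
    return results

if __name__ == "__main__":
    for rule, (status, detail) in check_rule_health(RULES, EVENTS, NOW).items():
        print(f"{rule:20} {status:13} {detail}")
```

Running this against a SIEM's own rule metadata and a recent slice of ingested events is enough to surface both failure modes before an analyst discovers them during an incident.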
VI. The NDR Revival
The episode concludes with a look at Network Detection and Response (NDR). Despite the shift to EDR and encrypted traffic, NDR is seeing a revival.
Repatriation: Marty observes a trend of companies moving workloads from the public cloud back to private data centers (particularly in Europe due to GDPR and political sovereignty).
The Unmanaged Gap: In environments with OT, IoT, or "unmanageable" devices where EDR cannot be installed, the network remains the only source of truth.
Key Topics Timeline
Introduction and SIEM Pedigree
Hosts introduce Raffy Marty; discussion of his long-standing rivalry/collaboration with Anton Chuvakin.
The Viability of SIEM in 2026
Analysis of new market entrants and why the "SIEM is dead" narrative is primarily marketing.
The "Alert Fatigue" problem and how startups are exploiting it.
The Architecture Debate
Centralized vs. Federated vs. Decoupled models.
The logistical necessity of centralizing data during active investigations.
Data Pipelines as Strategic Infrastructure
How pipelines create an abstraction layer that makes SIEMs less "sticky."
The evolution of pipeline vendors into "Lite SIEMs."
The Logic of Pricing
The difficulty of balancing vendor margins with customer predictability.
The "Bring Your Own Compute/Storage" trend and its pitfalls for smaller organizations.
The Future of Detection Engineering
Moving from static rules to "Context Graphs" and entity-based risk scoring.
The persistent difficulty of effective anomaly detection.
The NDR and Network Telemetry Comeback
Why encryption didn't kill network visibility.
The impact of cloud repatriation and European data sovereignty on security strategy.
Closing Advice
Recommendations for vendors to focus on "boring" onboarding and customer education.
Recommended reading (Marty’s blog and the value of LinkedIn for industry discourse).