Report

SANS 2025 Detection & Response Survey

Blind Spots, Automation Gaps, and the Shift Toward AI-Augmented Defense

This year’s SANS Detection & Response survey reveals a security landscape under strain. 

  • Overreliance on EDR at the endpoint is creating new blind spots.  
  • Automation continues to expand but full trust remains low.  
  • SOC teams face rising false positives, skill shortages, and tightening regulations. 

Find out why detection must move earlier in the kill chain, which type of behavioral analysis must be implemented, and how AI should augment, not replace, analysts.


Key Findings

The SANS 2025 data uncovers widening gaps caused by endpoint-heavy security postures, rising complexity, and inconsistent intelligence sharing.

89%: EDR Remains “Catch-All” Tool

Heavy endpoint focus leaves perimeter and cloud ingress largely unprotected, creating post-compromise detection gaps.

73%: False Positives Are Surging

False positives overwhelm SOC teams already constrained by staffing shortages.

13%: Full Automation Adoption Drops

Despite 90% using automated detection tools, only a fraction trust fully automated response.

Endpoint Blind Spots

EDR delivers visibility only after malicious files reach the endpoint. Organizations are missing early-stage threats at the perimeter, in the cloud, and across file movement paths.

High Adoption, Low Realization

SOC teams often lack confidence in automation because tools fail to integrate into human workflows. Effective automation must enrich, correlate, and prioritize—not replace judgment.

Regulatory Pressure Shifts Collaboration

Only 37% share detection rules externally, even as NIS2 and DORA push organizations toward mandatory incident and IOC sharing.

Why This Report Matters

The survey reveals the architectural changes needed to evolve SOC capabilities.
Understand where to modernize detection pipelines and how to reduce workload while improving accuracy.

Analysts Are Outpaced by Noise

Teams must adopt behavioral sandboxing & machine-learning threat similarity search.

Complexity Expands Faster Than Expertise

Discover the security impact of multicloud fragmentation and integration gaps.

AI Must Augment Human Talent

Security teams require natural-language querying, automated IOC extraction, & similarity-based threat correlation.

Strengthen Your Detection Strategy

Get the full SANS Survey Report and learn how to reduce blind spots, scale analyst capacity, and adopt a multi-layer detection pipeline.