Market split as midrange sales offset SME slump:

A year on, Context’s data shows that this ongoing convergence of SIEM with security tools such as XDR and SOAR has triggered a structural split in the market.

“Large midmarket firms are doubling down on unified platforms for compliance, while smaller organizations are investing less in SIEM entirely in favour of MDR and vulnerability management,” according to Context’s Turner.

The overall SIEM market slid from 20% growth in 2024 to a far more modest 4% in 2025. By contrast, the midmarket (501-1,000 seats) saw 288% year-on-year growth, the main driver being the desire to demonstrate compliance with the EU’s NIS2 directive.

“The full enforcement of the NIS2 directive in Europe has forced midtier companies to move from basic monitoring to auditable security operations,” Context’s Turner explains. “These companies are too large for simple tools but too small for massive 24/7 internal SOCs. They are buying the SIEM++ platforms to serve as their central source of truth for auditors.”

By contrast, the SMB market (under 500 seats) for SIEM products dropped 23% last year.

“SMBs are investing much more into managed detection and response (MDR), which grew 35% in the 10-50 seat band and 26% in the 50-500 seat band,” according to Turner.

The strong shift away from SIEM among smaller businesses is driven by cold hard economics: a cheaper alternative technology offers better results with fewer implementation headaches for small businesses.

“Why pay $66 per seat for a tool you can’t run? SMBs are perhaps choosing to buy the result (MDR) rather than the engine (SIEM),” Turner says.
Turbulent times for cloud-based SIEM:

The shift to cloud-based SIEM, previously seen as a way for organizations to get a more scalable and cost-effective platform, has fallen out of favour.

“Cloud-native SIEMs reduce operational overhead and enable faster investigations and collaboration across security, DevOps, and platform teams, key for modern security operations,” says Vera Chan, senior product marketing manager of cloud SIEM at cloud and security monitoring firm Datadog.

Cloud-based SIEM solutions are plug-and-play security platforms, so organizations can subscribe, integrate assets via API, automate responses using SOAR, and set up tailored detection rules.

“Modern cloud-based SIEM goes beyond log management,” Muhammad Ali, cyber solutions consultant at comms and cyber-security provider Exponential-e, tells CSO. “It’s an intelligent security hub with built-in SOAR capabilities, seamless API integrations with cloud-based XDR/EDR solutions, and real-time global threat intelligence.”

Cloud-based SIEMs remove the need for expensive hardware upgrades associated with traditional on-premises deployments, offering scalability and faster response times alongside potentially more cost-effective usage-based pricing models. According to Context, the cost of SIEM on-prem went up 116% to an average of $93 per seat in 2024, whereas cloud-based SIEM costs went down 26% to $77 per seat over the same period.

Fast forward 12 months, however, and the market has turned on its head.

Cloud-based SIEM costs continued to decline in 2025, but at a slower rate, to $66 per seat. Context sees AI costs playing a factor in the slowdown. “Vendors are passing on the high compute costs of gen AI features to the end-user,” Turner says.

By contrast, on-prem SIEM costs have dropped 39% year-on-year to reach $63 per seat, lower than SIEM in the cloud.

“Legacy vendors have entered a price war to stop cloud repatriation,” Turner says.
“For high-volume data, on-prem is now ironically the value choice for the first time in a long time.”

The easy phase of “cloud is cheaper” looks to be over.

“Going into 2026, cloud SIEM is the premium choice for those who want AI-driven automation, while on-prem has become the go-to for budget-conscious, high-volume log storage,” Turner concludes.

Managed SIEM has also taken a hit, as 2025 witnessed an 88% drop in SIEM delivered via MSPs, bucking a recent trend of significant growth for SIEMaaS, previously seen as a means to avoid hiring or retaining an in-house security team.

“MSPs have stopped reselling ‘managed SIEM’ as a line item,” according to Context’s Turner. “Instead, they are bundling SIEM technology into MDR services.”

The 88% drop in MSP-delivered SIEM isn’t a collapse; it’s a shift toward platformization and integration, Turner emphasizes.

“SIEM has become the ‘Intel Inside’ if you will … of the MDR market,” Turner says. “It’s there, but the customer is paying for the protection, not the platform.”

AI reshaping the SIEM landscape:

Static rule-based SIEMs struggle to keep pace with today’s sophisticated cyber threats, which is why AI-powered SIEM platforms use real-time machine learning (ML) to analyze vast amounts of security data, improving their ability to identify anomalies and previously unseen attack techniques that legacy technologies might miss.

ML models establish baseline behavior for users, assets, and network traffic, continuously monitoring for deviations that indicate potential threats. When an anomaly is detected, the trained model generates alerts, leading to faster threat detection and response.

“AI-powered SIEM solutions not only detect threats but also automate investigation processes, correlating real-time incidents with global threat intelligence,” Exponential-e’s Ali says.
“By integrating with SOAR and XDR/EDR platforms, automated responses can be triggered or incidents escalated to security analysts for further action.”

Ali adds: “This significantly improves incident response efficiency and supports a more efficient and agile security operations center that’s one step ahead of attackers.”

AI-powered SIEMs can prioritize critical alerts, recommend response actions, and automate remediation, reducing noise and fatigue.

“As adversaries leverage AI, security teams must adopt AI-driven automation to stay ahead,” Datadog’s Chan says.

Industry consolidation:

The SIEM market is experiencing rapid consolidation as vendors look to develop more comprehensive and powerful platforms.

“Organizations demand fewer tools, deeper integrations, and frictionless end-to-end security operations, and vendors that can deliver this will shape the future of cybersecurity,” Datadog’s Chan says.

Notable SIEM M&A activity over the past few years includes:
- Google acquiring Siemplify (a SOAR company) in 2022 to integrate into Google Chronicle SIEM
- Last July, Palo Alto Networks (PAN) acquired CyberArk for around $25 billion in a deal that extends privileged identity protection into its security platform, paving the way to secure the new wave of autonomous AI agents. The deal follows PAN’s acquisition of IBM’s QRadar SaaS business for $500 million in September 2024.
- Zscaler agreed to acquire Red Canary for around $675 million in May 2025. The deal delivers MDR outcomes directly via the cloud stack, bypassing MSPs (managed service providers).
- CrowdStrike bought Spanish cybersecurity startup Onum for around $290 million in August 2025. The acquisition offers CrowdStrike the opportunity to reduce cloud ingestion costs for its SIEM clients using intelligent optimization, clearing the path towards faster incident response.
- Exabeam merging with LogRhythm in July 2024
- Cisco buying Splunk for approximately $28 billion in March 2024
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3829750/4-key-trends-reshaping-the-siem-market.html

