
SIEMs falling short: 80% of threat techniques go undetected

Despite significant investments, modern SIEM platforms fail to detect nearly 80% of known MITRE ATT&CK techniques. This critical gap means that even heavily invested SIEMs can miss standard techniques, allowing attackers to remain undetected for extended periods. Relying solely on SIEMs for threat detection is risky in today's evolving threat landscape.

4 minutes read

David Kasabji

Principal Threat Intelligence Analyst


SIEMs are falling short: logging is not detecting

SIEM (Security Information and Event Management) solutions are familiar beasts in cybersecurity defences. Organisations use them to collect and analyse log and event data from their IT environments. Often, SIEMs are also used to detect, investigate, and respond to potential threats. That approach was feasible perhaps 5 to 10 years ago.

However, today the threat landscape is entirely different, and relying on SIEMs for threat detection is a risky move. SIEMs are, at their core, log management systems, not threat detection and response solutions. The latest research supports this perspective.

Despite the significant capabilities of modern SIEMs and growing investments in SIEM platforms, most organisations gain very little real visibility into adversary behaviour. CardinalOps’ latest report reveals that modern SIEMs fail to detect nearly 80% of known MITRE ATT&CK techniques, leaving critical gaps in enterprise defence strategies. Put plainly, this means that even if you invested heavily in a leading SIEM, attackers can still use a very common technique like Process Injection (T1055) and fly under the radar for 90+ days because the detection rules for it are simply missing.

When evaluating detection coverage, it’s not enough to simply count rules or log sources. What matters is whether your detections align with the actual techniques real adversaries use. That’s where the MITRE ATT&CK framework comes in — a globally recognised knowledge base that maps the tactics, techniques, and procedures (TTPs) employed by threat actors across the attack lifecycle. By measuring your SIEM or SOC’s coverage against ATT&CK, you get a clear, adversary-focused view of your detection strengths and gaps. This approach helps prioritise engineering efforts, reduces blind spots, and ensures you’re not just reacting to yesterday’s threats — but actively preparing for today’s and tomorrow’s.

While detection coverage improved marginally by 2% in 2024, the average SIEM still covers only 21% of relevant techniques. Compounding the issue, 13% of existing detection rules are non-functional, often due to misconfigured data sources or missing log fields, meaning organisations are unknowingly flying blind against common TTPs.

This is not a data availability issue. On average, SIEMs ingest 259 log types from nearly 24,000 unique sources, which theoretically enables coverage of 90%+ of the MITRE ATT&CK framework. However, manual rule creation and brittle detection engineering workflows prevent organisations from capitalising on this telemetry.

According to CardinalOps, the root cause lies in outdated detection engineering practices. Without automation, continuous validation, and AI-driven optimisation, organisations are stuck reacting slowly while adversaries iterate rapidly.

SIEM platforms are not plug-and-play detection engines. Without proper engineering, many remain little more than log storage platforms. Worse, misalignment between log ingestion and detection content — such as missing process command lines or network connection metadata — leads to silent failure.

Organisations often assume that because logs are ingested, they are also being analysed. But ingestion does not equate to detection. Without proper correlation logic, rule health checks, and validation, most attacks bypass detection even when the telemetry exists.
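The two failure modes described above (rules that reference fields the telemetry never carries, and coverage numbers that count those broken rules) can be checked mechanically. The following is an added example, not code from the article or from CardinalOps; the rule names, log-source names and event fields are constructed assumptions, while the technique IDs are MITRE ATT&CK identifiers:

```python
# Rule-health and ATT&CK coverage check (added example; not the article's or
# CardinalOps' code). A rule whose required fields never appear in the ingested
# telemetry for its log source is non-functional: it exists but can never fire.
from collections import defaultdict

# Constructed detection rules. Technique IDs are MITRE ATT&CK; the rule ids,
# field names and log-source names are illustrative assumptions.
RULES = [
    {"id": "R1", "technique": "T1055", "source": "sysmon",
     "fields": {"process.name", "process.target_pid", "event.code"}},
    {"id": "R2", "technique": "T1059", "source": "sysmon",
     "fields": {"process.command_line"}},
    {"id": "R3", "technique": "T1071", "source": "firewall",
     "fields": {"destination.ip", "destination.port"}},
]

# Constructed sample of ingested events. The sysmon feed carries no
# process.command_line field, so R2 is silently broken.
EVENTS = [
    {"source": "sysmon", "event.code": "8", "process.name": "foo.exe", "process.target_pid": "4321"},
    {"source": "sysmon", "event.code": "1", "process.name": "bar.exe"},
    {"source": "firewall", "destination.ip": "203.0.113.5", "destination.port": "443"},
]

def observed_fields(events):
    """Map each log source to the set of fields seen across its ingested events."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["source"]].update(k for k in ev if k != "source")
    return seen

def rule_health(rules, events):
    """Return {rule_id: sorted list of missing fields}; an empty list means healthy."""
    seen = observed_fields(events)
    return {r["id"]: sorted(r["fields"] - seen.get(r["source"], set())) for r in rules}

def coverage(rules, events, techniques_in_scope):
    """Nominal (all rules) vs effective (healthy rules only) coverage of the in-scope set."""
    health = rule_health(rules, events)
    nominal = {r["technique"] for r in rules}
    effective = {r["technique"] for r in rules if not health[r["id"]]}
    n = len(techniques_in_scope)
    return len(nominal & techniques_in_scope) / n, len(effective & techniques_in_scope) / n

if __name__ == "__main__":
    scope = {"T1055", "T1059", "T1071", "T1003", "T1021"}
    for rid, missing in rule_health(RULES, EVENTS).items():
        print(rid, "OK" if not missing else f"BROKEN, missing fields: {missing}")
    print("nominal vs effective coverage:", coverage(RULES, EVENTS, scope))
```

Run against a real rule export and a sample of recent events, the gap between the two coverage numbers is the share of the rule base that only looks like detection.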

SIEMs can be important. But they are not enough for threat detection.

It is not that SIEMs are inherently bad. They can be somewhat justified for compliance with log retention requirements from EU regulations (such as NIS2 and DORA). However, we must be careful not to fall for vendor marketing and assume that SIEMs are capable of reliable threat detection and/or response. For the latter, XDRs prove to be much more effective.

XDRs are also not perfect, though – they still require rule tuning to fit your environment. Detection engineering should be treated as a continuous discipline, not a one-time setup.

If your organisation relies on a SIEM, this is a timely reminder that coverage does not necessarily equate to effectiveness. Threat detection must evolve beyond simple ingestion and rule deployment — toward intelligent, automated, and continuously validated detection strategies. Solutions that fuse MDR, offensive testing, and cyber threat intelligence can bridge these gaps and ensure that critical attacks don’t go undetected. If you want to understand how well your SIEM defends against real-world adversaries, ask yourself: when was the last time you validated your detections?

Join our Threat Intelligence newsletter

This article first appeared in our ThreatInsights newsletter. If you would like to stay on top of the latest cyber threat developments in Europe, sign up here.

About the author

David Kasabji

Principal Threat Intelligence Analyst

David Kasabji is a Principal Threat Intelligence Analyst at the Conscia Group. His main responsibility is to deliver actionable intelligence in different formats according to target audiences, ranging from Conscia’s own cyberdefense, all the way to the public media platforms. His work includes collecting, analyzing, and disseminating intelligence, reverse engineering obtained malware samples, crafting TTPs […]
