COMMENTARY: Security teams have spent the last decade scaling their operations to keep up with cloud adoption, SaaS sprawl, and an ever-growing attack surface. That scale shows up in budgets: global information security spending is projected to exceed $200 billion in 2025, underscoring how central SOC operations have become to the enterprise. Most teams accepted a tradeoff, giving up data ownership in exchange for detection and response from tools they don’t fully control.
That tradeoff felt tolerable. SIEMs centralized logs, enabled correlation and gave analysts a place to work alerts. But as data volumes grew and AI entered the security conversation, the cost of closed systems became harder to ignore financially, operationally, and strategically.
Security teams don’t lack data. They lack control over it.
When the SIEM owns the company's security history
Traditional SOC platforms ingest massive volumes of logs, normalize them into proprietary schemas, and expose them through vendor-specific query languages and interfaces. Teams build detections, investigation workflows and institutional knowledge that only work inside that ecosystem.
In practice, the SIEM becomes the operational backbone of the SOC, with most teams measuring analyst workload and investigations directly from SIEM alerts and ticket data, reinforcing how tightly daily operations are bound to a single platform.
The longer a platform stays in place, the harder it becomes to leave. Historical data is expensive to store, query, and export. Teams cannot reuse detection logic elsewhere. Basic analysis requires staying within the tool’s constraints. What begins as convenience becomes lock-in.
This affects how security teams operate every day. When data gets trapped, teams struggle to experiment, integrate new tools and adapt workflows as threats evolve. They optimize around the platform instead of around the problem.
Scale changed the equation and AI accelerated it
Cloud environments changed SOC economics. Security teams now process terabytes of logs per day across cloud infrastructure, identity systems, SaaS platforms, and custom applications. Human-driven alert triage does not scale with that growth. Automation and AI became unavoidable.
Attackers are adopting the same technologies. Analysts forecast that generative AI will be involved in a significant share of cyberattacks by 2027, increasing both alert volume and investigative complexity for SOC teams.
AI-assisted detection, investigation and response require access to large volumes of structured query data. AI agents can analyze past behavior, correlate signals over time and explain why an alert matters or doesn’t. When that data lives inside closed systems, teams lose control over investigating how AI reached conclusions and adapting its reasoning to their environment.
The stakes are high. Research shows the average cost of a data breach continues to rise year-over-year, turning gaps in detection and investigation into direct financial exposure.
When security teams talk about open data, they are not talking about public access or ideology. They are talking about control.
A data-centric security platform separates data from the tools that analyze it, giving the team deep control over how it's stored, queried, and leveraged across the organization’s entire security program.
Detections are written in languages security engineers already know, rather than proprietary rule syntax that only works in one system. Teams can adopt new tools, integrate analytics and evolve their SOC without being locked into a single vendor's ecosystem. Analysts consistently observe that rising SIEM data volumes and costs are pushing enterprises to decouple storage from analytics.
This does not eliminate the need for platforms. It changes their role.
Closed systems affect people as much as technology. Security teams experience constant turnover, and knowledge lives in detections, scripts, and investigations rather than documentation. When that logic exists only in proprietary formats, it becomes harder to review, share and maintain over time. Industry research shows that alert overload remains a persistent problem for most SOC teams, consuming analyst time and increasing burnout.
Using standard languages like Python and SQL improves alert quality and makes security knowledge portable. New hires can understand existing logic faster. Teams can apply established testing and review practices. AI can help create, deploy, and maintain detection logic at a scale that manual approaches cannot match.
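As an added illustration of what a detection written in a general-purpose language looks like (example code written for this page; it is not from the column and does not use any vendor's rule format), the block below expresses a common SOC rule in plain Python: a successful login that follows several failures from the same source within a short window. The event schema (user, src_ip, outcome, ts), the thresholds and the sample log lines are all constructed. Because the logic is ordinary code over an ordinary JSON-lines file, it can be reviewed in a pull request, unit-tested, and moved between platforms without rewriting it in a proprietary syntax.

```python
"""Portable detection logic in plain Python: a successful login that
follows repeated failures from the same source within a short window.

Added example, not from the column or any vendor's rule engine. The event
schema (user, src_ip, outcome, ts), thresholds and sample log are constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: chronological JSON-lines authentication log. Not real data.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:00Z", "user": "alice", "src_ip": "203.0.113.7", "outcome": "failure"}
{"ts": "2024-05-01T10:00:05Z", "user": "alice", "src_ip": "203.0.113.7", "outcome": "failure"}
{"ts": "2024-05-01T10:00:09Z", "user": "alice", "src_ip": "203.0.113.7", "outcome": "failure"}
{"ts": "2024-05-01T10:00:14Z", "user": "alice", "src_ip": "203.0.113.7", "outcome": "failure"}
{"ts": "2024-05-01T10:00:20Z", "user": "alice", "src_ip": "203.0.113.7", "outcome": "success"}
{"ts": "2024-05-01T10:01:00Z", "user": "bob", "src_ip": "198.51.100.4", "outcome": "failure"}
{"ts": "2024-05-01T10:30:00Z", "user": "bob", "src_ip": "198.51.100.4", "outcome": "success"}
{"ts": "2024-05-01T11:00:00Z", "user": "carol", "src_ip": "192.0.2.9", "outcome": "success"}
"""

FAILURE_THRESHOLD = 3   # failures before a success that make the success suspicious
WINDOW_SECONDS = 300    # look-back window in which those failures must occur


def parse_events(raw):
    """Parse JSON lines into dicts with a parsed UTC timestamp; skip malformed lines."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        except (ValueError, KeyError, TypeError):
            continue  # malformed line: drop it rather than crash the whole detection
        events.append(ev)
    return events


def rule(event, recent_failures):
    """Per-event decision: fire when a success follows at least
    FAILURE_THRESHOLD failures for the same (user, src_ip) inside the window."""
    return event["outcome"] == "success" and len(recent_failures) >= FAILURE_THRESHOLD


def detect(events):
    """Run the rule over a chronological event list and return alert dicts."""
    failures = defaultdict(deque)  # (user, src_ip) -> epoch times of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src_ip"])
        window = failures[key]
        cutoff = ev["ts"].timestamp() - WINDOW_SECONDS
        while window and window[0] < cutoff:
            window.popleft()  # expire failures that fell outside the look-back window
        if ev["outcome"] == "failure":
            window.append(ev["ts"].timestamp())
            continue
        if rule(ev, window):
            alerts.append({
                "title": "Successful login after repeated failures",
                "user": ev["user"],
                "src_ip": ev["src_ip"],
                "failures_in_window": len(window),
                "ts": ev["ts"].isoformat(),
            })
        window.clear()  # a success resets the failure count for this pair
    return alerts


def run_sample():
    """Run the detection on the constructed log so the example works stand-alone."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

On the constructed log, only alice's login fires: four failures inside five minutes followed by a success. Bob's single failure is 29 minutes before his success and has expired from the window, and carol never failed. Because the decision lives in `rule()` and the state handling in `detect()`, each can be unit-tested with ordinary test tooling and reviewed by anyone who reads Python, which is the portability the column argues for.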
Ready or not, AI has arrived
Moving forward, AI will become part of our security operations whether teams are ready or not. We need to adopt it without sacrificing transparency and control.
Closed data architectures make that harder. Open data foundations make it possible.
The future of security operations will not depend on who adopts AI first. It will depend on who builds systems that can evolve without locking themselves in.
William Lowe, chief executive officer, Panther

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.