The NextGen SOC Promise: The End of SIEMs?
For several years, the industry has been selling us an attractive vision: the NextGen SOC. Out with heavy, complex SIEMs; in with modern data pipelines, unified platforms, AI that handles everything automatically, and small teams running entire ecosystems.
Is this a real structural program or marketing hype to sell the umpteenth technological revolution?
The answer is nuanced: it's both a real necessary evolution AND a risk of falling into the buzzword trap if we don't adopt the right approach.
What's Really Changing
- End of traditional SIEM era: too expensive, too complex, too slow
- Modern data pipelines: object storage, on-demand queries, optimized costs
- Unified platforms: EDR + XDR + SIEM + SOAR in one ecosystem
- AI and hyperautomation: fewer people, more efficiency
- Cloud-native model: rapid deployment, automatic scalability
But for this vision to become reality and not just another budget black hole, it must be anchored in a solid hygiene program and designed for those who really need it: SMEs.
2025: The Year of Budget Reduction
Economic Reality
Let's talk money. We're approaching the end of 2025, and cyber budgets are under pressure. CFOs are demanding accountability. The massive investments of previous years must show tangible results.
CISOs face a dilemma:
- Threats aren't decreasing, quite the opposite
- Regulatory requirements are increasing (NIS2, DORA...)
- But budgets are stagnating or decreasing
- And qualified human resources are scarce and expensive
In this context, the NextGen SOC approach becomes an economic necessity, not a technological luxury.
The Painful Calculation
Traditional model (SME/mid-market):
- SIEM: €150-300K/year (licenses + infrastructure)
- EDR: €50-100K/year
- SOAR: €80-150K/year
- Threat Intel: €30-50K/year
- SOC team: 3-5 people (€300-500K/year)
- Total: €600K - €1M/year minimum
Result: Inaccessible for 90% of French companies.
The Micro-Platform Model: Doing More with Less
What is a Micro-Platform?
A micro-platform is a radically different approach:
- Tool unification: single platform integrates EDR, XDR, network detection, vulnerabilities, identities
- Cloud-native: no infrastructure to manage, deployment in days
- Hyperautomation: AI handles 80% of alerts, humans only handle critical ones
- Modern data pipeline: low-cost object storage, on-demand queries, no bloated SIEM
- Reduced team: 1-2 people instead of 5-10, thanks to automation
- Controlled cost: predictable OpEx model, no surprises
The Economic Equation Changes
Micro-platform model (SME/mid-market):
- Unified platform (EDR + XDR + data lake + automation): €150-250K/year
- Integrated ASM/EASM: included
- Integrated threat intel: included
- Orchestration and automation: included
- Reduced team: 1-2 people (€100-200K/year)
- Total: €250-450K/year
Savings: 40-60% compared to the traditional model
But beware: these savings are only real if you've done the hygiene work beforehand. Otherwise, you'll just automate chaos.
Hygiene: The Essential Foundation
Why Hygiene Must Precede the Platform
Deploying a NextGen micro-platform without prior hygiene is like installing an autopilot system in a car whose brake condition you don't know.
Hyperautomation and AI work by relying on:
- Reliable inventory: AI must know what's normal to detect the abnormal
- Behavioral baselines: impossible without knowledge of business usage
- Clean identity management: AI can't guess which accounts are legitimate
- Clear network mapping: to detect abnormal lateral movements
- Controlled vulnerabilities: to prioritize alerts that really matter
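As an added illustration (not code from the original article), here is what a behavioral baseline concretely depends on. A per-user logon baseline is built from a constructed history, new events are scored against it, and a host that is absent from the inventory is reported as an inventory gap rather than as a threat, which is exactly the noise a platform produces when the hygiene work has not been done first. The inventory, the history, the field names and the hour-range heuristic are all assumptions made for this example.

```python
"""Added example: user logon baseline built from history, then scoring of
new events against it. Inventory, history and thresholds are constructed
assumptions for illustration; nothing here is a vendor's real logic."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Assumed asset inventory (the output of the hygiene phase).
INVENTORY: Dict[str, str] = {
    "WS-042": "workstation",
    "WS-007": "workstation",
    "SRV-FS1": "file-server",
}

# Constructed "known good" logon history: (user, host, ISO-8601 timestamp).
HISTORY: List[Tuple[str, str, str]] = [
    ("j.dupont", "WS-042", "2025-09-01T08:05:00"),
    ("j.dupont", "WS-042", "2025-09-02T09:10:00"),
    ("j.dupont", "WS-042", "2025-09-03T17:55:00"),
    ("j.dupont", "WS-042", "2025-09-04T12:00:00"),
    ("a.martin", "WS-007", "2025-09-01T07:30:00"),
    ("a.martin", "SRV-FS1", "2025-09-02T16:45:00"),
]


def build_baseline(history):
    """Per user: the set of hosts they log on to and their working-hour span.
    A real platform learns this over weeks; the shape is what matters here."""
    hosts: Dict[str, Set[str]] = defaultdict(set)
    hours: Dict[str, List[int]] = {}
    for user, host, ts in history:
        hour = datetime.fromisoformat(ts).hour
        hosts[user].add(host)
        lo, hi = hours.get(user, (hour, hour))
        hours[user] = [min(lo, hour), max(hi, hour)]
    return {u: {"hosts": hosts[u], "hours": tuple(hours[u])} for u in hosts}


def score_logon(user, host, ts, baseline, inventory=INVENTORY):
    """Return the list of reasons an event deviates from the baseline.
    An empty list means "normal". Unknown assets are flagged separately:
    they are a hygiene problem, and no amount of ML tuning fixes them."""
    reasons = []
    if host not in inventory:
        return ["unknown_asset"]          # fix the inventory, not the rule
    if user not in baseline:
        return ["no_baseline_for_user"]   # new account: also an IAM question
    hour = datetime.fromisoformat(ts).hour
    lo, hi = baseline[user]["hours"]
    if host not in baseline[user]["hosts"]:
        reasons.append("new_host_for_user")
    if not lo <= hour <= hi:
        reasons.append("off_hours")
    return reasons


if __name__ == "__main__":
    b = build_baseline(HISTORY)
    print(score_logon("j.dupont", "SRV-FS1", "2025-10-20T02:00:00", b))
    print(score_logon("j.dupont", "LAPTOP-X", "2025-10-20T10:00:00", b))
```

The point of the separate `unknown_asset` verdict is operational: every logon from a host the inventory does not know about would otherwise be scored as "new host for user" and land in the analyst queue, and the only fix is to complete the inventory, not to tune the detection.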
The Classic Mistake
Disaster scenario:
- Buy a brand new NextGen SOC platform
- Activate it without prior hygiene work
- Receive 10,000 alerts per day
- The AI, with no baseline to learn from, produces 1,000 automated false positives
- The (reduced) team is overwhelmed
- Lose confidence in the platform
- Return to manual management = complete failure
The Right Sequence
To successfully transition to NextGen SOC, follow this sequence:
- Hygiene phase (3-6 months):
  - Complete asset inventory
  - Identity and privilege management
  - Network and flow mapping
  - Scanning and remediation of critical vulnerabilities
- EDR deployment (1-2 months):
  - Complete endpoint coverage
  - Creation of behavioral baselines
  - Initial tuning (false positive reduction)
- Unified platform activation (2-3 months):
  - Integration of EDR + network + cloud + identities
  - Data pipeline configuration
  - Level 1 automation implementation
- Progressive hyperautomation (6-12 months):
  - Machine learning on historical data
  - Automation of standard incident responses
  - Progressive team reduction (by natural attrition)
Total duration: 12-24 months for a fully operational NextGen SOC
Fewer People, More AI: The New Equation
Hyperautomation is Not a Fantasy
CISOs have long dreamed of reducing dependence on scarce and expensive SOC analysts. With generative AI and machine learning progress, this is no longer a dream but an operational reality.
What AI Already Does Very Well
- Alert triage: scoring each alert so that likely false positives are closed or deprioritized automatically and likely true positives are escalated (a confidence score, not an infallible verdict: the residual false positive rate still has to be measured and tuned)
- Contextual enrichment: automatic aggregation of all relevant information
- Temporal correlation: detection of attack sequences over several days
- Automated response: endpoint isolation, account blocking, quarantine, for high-confidence detections and within limits the team sets (which assets may never be isolated automatically, which actions require human approval)
- Report generation: automatic incident synthesis for executive committee
- Remediation suggestions: action proposals based on past similar incidents
The Human Role Evolves
Hyperautomation doesn't eliminate humans, it refocuses them on their real added value:
- Complex case analysis: APT, sophisticated attacks, zero-days
- Proactive threat hunting: looking for what AI hasn't learned to see yet
- Continuous improvement: AI tuning, creating new rules
- Strategic communication: dialogue with executive committee, business units
- Monitoring and innovation: integration of new detection techniques
Result: 1-2 senior analysts piloting a hyperautomated platform are more effective than 5-10 junior analysts drowning in manual alerts.
The Reality of Numbers
Traditional SOC (medium size):
- 5 L1 analysts (simple alert processing)
- 2 L2 analysts (incident investigation)
- 1 L3 analyst (threat hunting, complex cases)
- 1 SOC manager
- Total: 9 people, cost €700K-€1M/year
- Average processing time per alert: 20 minutes
- False positive rate: 60-70%
Hyperautomated NextGen SOC:
- 1 senior analyst (AI piloting, threat hunting, complex cases)
- 1 platform engineer (tuning, continuous improvement)
- Total: 2 people, cost €150-250K/year
- Average automatic processing time: 2 minutes
- False positive rate (after tuning): 20-30%
- Savings: 70% on HR
The Real Market: SMEs, Not CAC40
The Industry's Perspective Error
Vendors and analysts always talk about large enterprises: the latest attacks on CAC40 companies, a 50-person SOC at Total, a €100M cyber budget at BNP Paribas...
But that's not the real market.
The French (and European) economic fabric is:
- 98% SMEs and mid-market (fewer than 5,000 employees)
- Generating 60% of GDP
- Employing 70% of workers
- Who are just as targeted by ransomware and APT
- But who have neither the budgets nor the resources for a traditional SOC
SME/Mid-Market Reality
Typical profile: mid-market of 1000 people, €200M revenue
- Total cyber budget: €500K - €1M/year (0.25-0.5% of revenue)
- IT team: 15 people
- Dedicated security team: 1-2 people (often a part-time CISO)
- Cyber maturity: low to medium
- Requirements: NIS2, ISO 27001, cyber-insurance
- Threats: ransomware, phishing, supply chain
Real need:
- Fast incident detection and response
- Effective vulnerability management
- Regulatory compliance
- Controlled and predictable budget
- No resources to manage 10 different tools
For this company, the traditional model is inaccessible. The NextGen SOC micro-platform model is the only viable option.
The Unified Platform: Concretely, What Does it Look Like?
Technical Architecture
A true unified NextGen SOC platform integrates:
Essential Technical Building Blocks
1. Collection and Normalization
- EDR/XDR agents on endpoints (Windows, Mac, Linux, mobile)
- Network collectors (NetFlow, selective packet capture)
- Cloud-native integrations (AWS, Azure, GCP)
- API connectors to SaaS (M365, Google Workspace, Salesforce...)
- IAM/PAM integration (Active Directory, Okta, CyberArk...)
2. Modern Data Pipeline
- Real-time ingestion (streaming)
- Automatic normalization (parsing, enrichment)
- Low-cost object storage (S3, Azure Blob, GCP Storage)
- Data lake with long retention (1-3 years)
- On-demand queries (data is parsed and indexed at query time rather than at ingest; that is where the savings come from, at the cost of slower ad-hoc queries than in an indexed SIEM)
3. Detection and Correlation
- Native detection rules, mapped to MITRE ATT&CK
- Behavioral machine learning (automatic baselines)
- Anomaly detection (UEBA for users and entities)
- Integrated threat intelligence (IoC, TTPs, active campaigns)
- Cross-source correlation (endpoint + network + cloud + identities)
4. Hyperautomation and Response
- Automatic alert triage (AI)
- Automatic contextual enrichment
- Automated responses (isolation, blocking, quarantine)
- Native SOAR playbooks
- Automatic ticket and report generation
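Blocks 2, 3 and 4 above describe a pipeline in words; the added example below (not the article's code, nor any vendor's) shows the same chain in miniature: three constructed record formats (an identity provider login, an EDR process event, a NetFlow record) are normalized into one schema and tagged with an ATT&CK technique, signals on the same host are chained inside a time window, and the chain is triaged by how many independent sources corroborate it rather than by raw alert count. The record formats, field names, technique mappings, the 30-minute window and the list of hosts that must never be isolated automatically are all assumptions made for this example.

```python
"""Added example (not the article's or any vendor's code): normalization of
three constructed record formats into one schema, cross-source correlation
per host inside a time window, and a tiered L1 triage decision. Formats,
field names, ATT&CK mappings and thresholds are illustrative assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

WINDOW = timedelta(minutes=30)        # assumed correlation window
PROTECTED_HOSTS = {"DC-01"}           # assumed: never auto-isolated


@dataclass(frozen=True)
class Signal:
    ts: datetime
    source: str        # "idp" | "edr" | "network"
    host: str
    user: str
    technique: str     # MITRE ATT&CK technique id assigned at normalization
    detail: str


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def normalize(raw: dict) -> Optional[Signal]:
    """Map a vendor-specific record onto the common schema; None = no signal."""
    k = raw["kind"]
    if k == "idp" and raw.get("outcome") == "SUCCESS" and raw.get("new_geo"):
        return Signal(_ts(raw["time"]), "idp", raw["device"], raw["actor"],
                      "T1078", f"login from unseen geo {raw['client_ip']}")
    if k == "edr" and "-enc" in raw.get("cmdline", ""):
        return Signal(_ts(raw["timestamp"]), "edr", raw["hostname"],
                      raw["username"], "T1059.001", "encoded PowerShell")
    if k == "netflow" and raw.get("bytes_out", 0) > 10_000_000:
        return Signal(_ts(raw["start"]), "network", raw["src_host"], "",
                      "T1041", f"{raw['bytes_out']} bytes to {raw['dst_ip']}")
    return None


def triage(host: str, chain: List[Signal]) -> dict:
    """Score by corroboration across independent sources, not by alert count,
    and pick the L1 action. Only fully corroborated chains on non-protected
    hosts are contained automatically; everything else goes to a human."""
    sources: Set[str] = {c.source for c in chain}
    if len(sources) >= 3 and host not in PROTECTED_HOSTS:
        action = "auto_isolate_endpoint"
    elif len(sources) >= 3:
        action = "isolate_pending_approval"
    elif len(sources) == 2:
        action = "analyst_queue"
    else:
        action = "enrich_low_priority"
    return {"host": host,
            "users": sorted({c.user for c in chain if c.user}),
            "techniques": [c.technique for c in chain],
            "sources": sorted(sources),
            "action": action}


def correlate(records: List[dict]) -> List[dict]:
    """Chain signals per host when each is within WINDOW of the previous one."""
    by_host: Dict[str, List[Signal]] = {}
    for r in records:
        s = normalize(r)
        if s:
            by_host.setdefault(s.host, []).append(s)
    incidents = []
    for host, sigs in by_host.items():
        sigs.sort(key=lambda s: s.ts)
        chain: List[Signal] = []
        for s in sigs + [None]:                 # None flushes the last chain
            if s is not None and (not chain or s.ts - chain[-1].ts <= WINDOW):
                chain.append(s)
                continue
            incidents.append(triage(host, chain))
            chain = [s] if s is not None else []
    return incidents


# Constructed raw records in three assumed vendor shapes.
RAW = [
    {"kind": "idp", "time": "2025-10-20T08:01:10Z", "actor": "j.dupont",
     "client_ip": "203.0.113.7", "outcome": "SUCCESS", "new_geo": True,
     "device": "WS-042"},
    {"kind": "edr", "timestamp": "2025-10-20T08:03:42Z", "hostname": "WS-042",
     "username": "j.dupont", "process": "powershell.exe",
     "cmdline": "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"kind": "netflow", "start": "2025-10-20T08:04:05Z", "src_host": "WS-042",
     "dst_ip": "198.51.100.23", "dst_port": 443, "bytes_out": 48_000_000},
    {"kind": "edr", "timestamp": "2025-10-20T14:00:00Z", "hostname": "WS-042",
     "username": "j.dupont", "process": "powershell.exe",
     "cmdline": "powershell -enc VwByAGkAdABlAC0ASABvAHMAdAA="},  # alone, hours later
    {"kind": "edr", "timestamp": "2025-10-20T11:30:00Z", "hostname": "WS-007",
     "username": "a.martin", "process": "powershell.exe",
     "cmdline": "powershell -File backup.ps1"},                  # benign, no signal
]

if __name__ == "__main__":
    for inc in correlate(RAW):
        print(inc)
```

Run stand-alone, the morning chain on WS-042 (new-geo login, encoded PowerShell, large outbound transfer) is corroborated by three sources and gets `auto_isolate_endpoint`; the lone encoded PowerShell at 14:00 falls outside the window and is only enriched and scored low. The `PROTECTED_HOSTS` gate is the check a practitioner wants before switching on Level 1 automation: the same chain on a domain controller waits for approval instead of being isolated.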
5. Integrated Vulnerability Management
- Continuous scanning via agents
- Automatic prioritization (CVSS + context + exploitation)
- Correlation with alerts (exploited vulnerability = max priority)
- Remediation tracking
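The prioritization rule above ("CVSS + context + exploitation", with an exploited vulnerability jumping to maximum priority) is easy to state and easy to get wrong, so here it is as an added, runnable example (not code from the article or any scanner). The assets, findings, bonus weights and the `VULN-00x` identifiers are constructed placeholders for this example; they are not CVE identifiers.

```python
"""Added example (not from the article): risk-based prioritization of
vulnerability findings, combining CVSS with asset context, exploitation
status and correlation with live alerts. Assets, findings, weights and the
VULN-00x identifiers are constructed placeholders, not real CVEs."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

INTERNET_FACING_BONUS = 2.0   # assumed weights; tune to your own estate
CRITICALITY_BONUS = 1.0       # per criticality level above 1
KNOWN_EXPLOITED_BONUS = 3.0


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool   # from ASM/EASM or the inventory
    criticality: int        # 1 (low) .. 3 (crown jewel), from the inventory


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    cvss: float
    known_exploited: bool   # listed in an exploited-vulnerabilities feed


def priority(f: Finding, asset: Asset,
             alerted: Set[Tuple[str, str]]) -> Tuple[str, float]:
    """Return (bucket, score). A finding the platform has already seen
    exploited on this very asset bypasses scoring: it is P0, full stop."""
    if (f.asset, f.vuln_id) in alerted:
        return "P0", 99.0
    score = f.cvss
    if asset.internet_facing:
        score += INTERNET_FACING_BONUS
    score += CRITICALITY_BONUS * (asset.criticality - 1)
    if f.known_exploited:
        score += KNOWN_EXPLOITED_BONUS
    bucket = "P1" if score >= 10 else "P2" if score >= 7 else "P3"
    return bucket, round(score, 1)


def rank(findings: List[Finding], assets: Dict[str, Asset],
         active_alerts: List[dict]) -> List[Tuple[str, str, str, float]]:
    """Sort findings by bucket, then by descending score.
    Each row is (vuln_id, asset, bucket, score)."""
    alerted = {(a["asset"], a["vuln_id"]) for a in active_alerts}
    rows = []
    for f in findings:
        bucket, score = priority(f, assets[f.asset], alerted)
        rows.append((f.vuln_id, f.asset, bucket, score))
    return sorted(rows, key=lambda r: (r[2], -r[3]))


# Constructed inventory, scan results and one live alert.
ASSETS = {
    "web-01": Asset("web-01", True, 2),
    "hr-db": Asset("hr-db", False, 3),
    "kiosk-03": Asset("kiosk-03", False, 1),
}
FINDINGS = [
    Finding("web-01", "VULN-001", 9.8, True),
    Finding("web-01", "VULN-002", 7.5, False),
    Finding("hr-db", "VULN-003", 9.1, False),
    Finding("kiosk-03", "VULN-004", 9.8, False),
    Finding("kiosk-03", "VULN-005", 5.3, False),
]
ACTIVE_ALERTS = [{"asset": "web-01", "vuln_id": "VULN-001",
                  "detail": "exploit attempt seen by the EDR"}]

if __name__ == "__main__":
    for row in rank(FINDINGS, ASSETS, ACTIVE_ALERTS):
        print(row)
```

The ordering this produces is the one the text argues for: the finding with a live exploit attempt comes first regardless of score, a CVSS 7.5 on the internet-facing web tier outranks a CVSS 9.8 on an isolated low-value kiosk, and the crown-jewel database sits in the same bucket as the web tier even though it is not exposed.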
6. Integrated ASM/EASM
- Automatic external attack surface discovery
- Continuous scanning of exposed assets
- Shadow IT detection
- External/internal correlation
Interface and Management
A single interface for:
- Real-time dashboard (alerts, incidents, metrics)
- Investigation (timeline, correlation graphs)
- Threat hunting (ad-hoc queries on data lake)
- Vulnerability management
- Executive reporting (risk, compliance, trends)
Objective: one browser tab open, instead of 10 different consoles.
Real Program or Marketing Hype?
Signs of a Real Program
A vendor selling a real NextGen SOC program must be able to check every box on this list:
Anti-Bullshit Checklist
- ✅ Cloud-native architecture: no VMs to manage, auto scalability
- ✅ Modern data lake: object storage, on-demand queries, no bloated SIEM
- ✅ Native integrations: not optional connectors billed extra
- ✅ AI/ML in production: not just a roadmap, but active features
- ✅ Native SOAR automation: not a separate product to buy
- ✅ Transparent pricing: per endpoint or per GB ingested, predictable
- ✅ Rapid deployment: POC in 1 week, production in 1 month
- ✅ SME/mid-market references: not just CAC40 logos
Signs of Marketing Hype
Be wary if you hear:
- ❌ "Our platform unifies everything" → but you need to buy 5 different SKUs
- ❌ "Revolutionary AI" → but it's just basic pattern matching
- ❌ "Cloud-native" → but you still need on-prem appliances
- ❌ "80% team reduction" → but only after 3 years of tuning
- ❌ "Infinite data lake" → but pricing explodes beyond 100GB/day
- ❌ "Complete automation" → but you have to develop playbooks yourself
- ❌ "1-day deployment" → but actual production after 6 months
Golden rule: request a 30-day POC on your real environment, with your real data, define the success metrics before it starts (alert volume, false positive rate, time to triage), and measure the results.
The Cyber Battleground: Hygiene + Micro-Platform
My Deep Conviction
After more than 15 years in cybersecurity, after founding SOC, CTI and CERT teams, and after supporting dozens of companies of all sizes, here is my conviction:
The future of cybersecurity for 90% of companies is the alliance of rigorous hygiene and hyperautomated micro-platforms.
The Winning Model for SMEs/Mid-Market in 2025-2030
1. Hygiene as Foundation (3-6 months)
- Complete and maintained inventory
- Rigorous identity and privilege management
- Network mapping and segmentation
- Vulnerability management with prioritization
- Continuous awareness and training
2. Unified Micro-Platform (6-12 months)
- EDR/XDR on all endpoints
- Modern data lake for all logs
- AI/ML behavioral detection
- Level 1 response automation
- Integrated vulnerability management
- ASM/EASM for external surface
3. Reduced and Efficient Team
- 1-2 senior internal people
- Reactive vendor support (24/7)
- Optional: MDR for 24/7 monitoring
- Optional: MSSP for periodic threat hunting
4. Controlled and Predictable Budget
- Platform: €150-300K/year depending on size
- Internal HR: €100-200K/year
- External services (optional): €50-100K/year
- Total: €300-600K/year all-in
- That's 50-70% cheaper than the traditional model
This model is accessible, operational, and effective. It allows an SME of 500-2000 people to have a cybersecurity level equivalent to a large group, for a fraction of the cost.
Conclusion: The Revolution is Here, But Not for Everyone
NextGen SOC, the end of SIEMs, data pipelines, hyperautomation: all of this is real. It's not marketing.
But this revolution will only benefit those who have done the groundwork:
- Hygiene before technology: impossible to automate chaos
- Program before tool: a platform without processes is useless
- Pragmatism before buzzwords: POC before purchase, metrics before marketing
- SMEs/mid-market before CAC40: that's where the model has the most impact
The Three Mistakes to Absolutely Avoid
- Buying the platform without prior hygiene → drowning in false positives
- Believing AI replaces everything → it amplifies, doesn't replace
- Copying the CAC40 model → unsuited and over budget for SMEs
The cyber battle of the next 10 years is accessibility: enabling every company, not just the giants, to have effective cybersecurity.
Unified, hyperautomated micro-platforms with little manpower and controlled budget are the key to this democratization.
As long as we never forget that everything rests on hygiene.
Without hygiene, the most beautiful platform in the world is just another expensive toy that will end up in the closet of unused tools.
With hygiene, it's a revolution that finally makes cybersecurity accessible to all.