
Get research-backed insights into the challenges, trends, and innovations shaping modern detection and response.

The 2025 SANS Detection & Response Survey offers a comprehensive look at how security teams are adapting to rising operational demands, increasingly complex hybrid environments, and a rapidly evolving threat landscape. With insights from hundreds of practitioners across banking, finance, technology, government, and healthcare, the report reveals where modern SOCs are succeeding and where critical gaps remain.

This year’s findings uncover several pressing challenges, including escalating alert fatigue, cloud visibility issues, persistent skills shortages, and growing pressure to automate detection and response. As SANS notes in the report, “false positives remain the leading operational burden,” reflecting a dramatic rise in noise that hinders analysts’ ability to respond effectively.

Cloud environments continue to strain security programs as well. According to the survey, “cloud complexity outpaces expertise,” and teams struggle to maintain cohesion across multicloud and SaaS ecosystems. The data also highlights widespread resource limitations: “teams are being asked to deliver more capability with less investment,” underscoring the gap between expectations and available funding.


Inside the report, you’ll find data-driven analysis on:

  • The rising volume and impact of false positives

  • Cloud detection challenges across CSP, SaaS, and multicloud environments

  • The growing importance of automation, AI/ML, and proactive threat hunting

  • Staffing and skill gaps affecting detection and response readiness

  • The tools and techniques organizations rely on most, and how effective they truly are

  • How teams benchmark detection coverage, measure performance, and plan future investments

Whether you lead a SOC, manage detection engineering, or are responsible for evaluating detection and response technologies, this report provides timely insight into the obstacles and opportunities shaping cyber defense.

Need to address the challenges highlighted in the survey?

Many of the issues uncovered in this year’s report—false positives, cloud visibility gaps, limited staffing, and increasing response times—are the exact problems Clear NDR® was built to solve.

Explore your next steps:

✅ Request a live demo and see how Clear NDR exposes unseen threats

✅ Review flexible, probe-based pricing for Clear NDR

✅ Dive deeper with our blog series on the SANS findings

Use the links below to learn how to apply the report’s insights within your own security operations.

  • Request a demo

  • Get a pricing quote

  • Visit our blog

Clear NDR® | Rated 4.7/5.0 by NDR users on Gartner Peer Insights

Additional Resources

Explore these related articles to understand how Clear NDR delivers better visibility, flexibility, and value.

  • Blog article: Alert Fatigue

  • Blog article: Beyond Black Box

  • Blog article: Hidden Costs of Anomaly-Only

  • Blog article: 5 Questions Before Renewal

Clear NDR addresses the top challenges of your SOC.

Alert Fatigue/Overload

Excessive alerts and false positives, exacerbated by both legacy IDS and first-generation AI anomaly detection, lead to delayed or entirely missed attack detection.

Insufficient Attack Visibility

Limited visibility across agentless systems, cloud workflows, lateral movement, encrypted communications, and anomalous activity results in missed critical attack signals.

Lack of Context & Evidence

Proprietary “black box” threat detection lacks valuable event context and evidence, resulting in delayed impact assessment and response.

Increased Attack Velocity

Attackers leverage AI and exploit automation to breach defenses and accelerate attack timelines, inflicting serious damage before security teams can respond.

See what Stamus customers are saying about Clear NDR

We use Clear NDR - Enterprise to monitor a multitude of custom applications to ensure they are operating securely.

Cyber Defense Engineering Manager at a major travel technology vendor

We selected the Stamus Networks solution based on our success at my previous employer. We found it to be an indispensable platform for understanding our security posture.

Head of Sector at a multi-national government institution

[Clear NDR] allowed us to reduce costs by simplifying IDS systems configuration and updates management, and by getting a single pane of glass on all IDS events with preconfigured dashboards and filters.

Lead of Information Security Team for a global engineering SaaS company

I have previously worked with six different IDS vendors, and only Stamus provides us with both the signature and anomaly-based data we need which previously required two separate traffic analyzers.

Lead Security Analyst at large DevOps vendor

Using the threat hunting capabilities of Clear NDR we have been able to uncover multiple instances of C2 communications and malware running within our infrastructure.

Head of Cyber Security and Governance at an international European Bank

The ability of Clear NDR - Enterprise to suppress the typically verbose stream of alerts enables us to quickly identify malicious activity from the tremendous noise associated with things like proxies on the network. By selecting the ‘relevant’ alerts, we are able to transition from millions of daily alerts to the 10 or 15 we actually need to review.

CTO at Bulgarian MSSP

After we started using Clear NDR, we were able to drop our MSSP and reduce our costs while strengthening our cyber security posture.

Director of Infrastructure Technology at U.S. public school system

Stamus Networks has provided us with the most effective solution within our security stack. Their dedication to supporting us has been unmatched by any other vendor. We are excited to continue expanding our deployment of Clear NDR - Enterprise.

Head of Cyber Security and Governance at an international European Bank

We are excited to install Clear NDR at a major manufacturing client because the context provided by the solution allows us to identify actual threats in less time than other tools we have used.

Sales Engineer at French MSSP

The detailed network definitions used in Clear NDR allow us to efficiently and intuitively hunt for improper encryption certificates and proxy services. It's incredibly useful.

Head of Cyber Security and Governance at an international European Bank

We managed to increase visibility of suspicious and malicious network activity which highly simplified incident investigation. But I think the biggest advantage we received is the support from Stamus Networks team which always was quick, constructive, and useful.

Lead of Information Security Team for a global software engineering firm