Security teams are under tremendous pressure. Cloud complexity, alert fatigue, staffing shortages, and increasingly fast-moving threats are straining even the most mature SOCs. The newly released 2025 SANS Detection & Response Survey, sponsored in part by Stamus Networks, offers a clear and data-backed look at what defenders are experiencing right now.
The findings reinforce something we see every day: security teams aren’t struggling because of a lack of tools. They’re struggling because of a lack of clarity. And - according to the survey - that gap is widening.
Here are five of the most important insights from the survey and how security teams can use them to strengthen their detection and response programs.
1. False positives are soaring, overwhelming analyst capacity
According to the survey, 73% of organizations cite false positives as their top challenge in detection, and more than 60% encounter them frequently or very frequently. This trend has accelerated sharply from last year. SOC teams are drowning in excessive false positives, which slow investigations, hide real threats, and increase burnout.
2. Cloud visibility remains a major blind spot
Cloud detection continues to trouble security teams, with limited cloud expertise (58%) and multicloud complexity (53%) ranking among the biggest barriers. Security teams need context-rich visibility across hybrid environments, without relying on brittle integrations or deep cloud specialization.
Despite advances in tooling, teams still cite staffing and skills gaps as major barriers. Training remains the primary strategy for closing these gaps, but many organizations struggle to scale expertise fast enough, and security teams need to adopt detection methods that reduce manual effort, not increase it.
28% of teams say their budgets are “insufficient” for detection and response activities, while most expect only modest increases in 2025. Teams are required to do more with less, but without sacrificing visibility or response speed. This dynamic puts added pressure on defenders.
Plans to expand the use of AI/ML and automation jumped significantly, with 76% planning stronger adoption. Meanwhile, response speed has slowed overall, emphasizing the need for more efficient workflows. The key takeaway? Automation is no longer experimental; it’s essential.
What This Means for 2025 and Beyond
The 2025 SANS Detection & Response Survey makes one theme unmistakably clear: today’s environments are too complex, distributed, and fast-moving for traditional detection methods to keep pace. Even with capable tools in place, security teams continue to struggle with rising false positives, growing cloud blind spots, shrinking resources, and increasingly sophisticated attacker behaviors.
These challenges persist not because existing technologies are ineffective (they remain critical components of a modern security stack), but because no single layer of detection can provide the complete visibility defenders require. Traditional approaches are typically optimized for specific domains or data sources, which leaves organizations with a fragmented understanding of what is happening across their networks, cloud workloads, and unmanaged systems.
Why Does NDR Matter?
This is where Network Detection and Response (NDR) becomes essential. NDR introduces an independent, behavior-focused layer of visibility that complements other security controls by revealing activity that often goes unseen. It provides context across the entire environment, correlates signals that individual tools cannot, and highlights threats that would otherwise blend into the noise.
The SANS findings reinforce a critical truth: without NDR, security teams are missing a significant part of the picture. Modern threats routinely move through areas where traditional tools have limited reach, and relying on a single detection lens leaves gaps that adversaries can exploit.
As organizations continue to evolve their detection and response strategies, the message is clear—comprehensive security requires more than individual tools operating in isolation. It requires a holistic approach, where multiple perspectives work together to expose hidden risks and accelerate response. NDR is the layer that completes that picture, turning fragmented signals into actionable insight and helping defenders regain the clarity they need to stay ahead.
If you're interested in reading the full 2025 SANS Detection and Response Survey, you can download it here. For more information on our Clear NDR solution, visit our product page or click the demo link listed below.