
Eight Questions to Ask a Next-Gen SIEM Provider

COMMENTARY: MSSPs don’t need “better” SIEMs; they need ones that actually work in real environments. The focus on identity, automation, data costs, and onboarding reflects the day-to-day pressure providers are under to scale without burning out teams or margins. What matters here isn’t flashy capability, but whether a SIEM fits real customer risk, adapts as environments change, and supports services that are repeatable and profitable. These questions cut through the noise and push vendors to prove they can support how MSSPs actually operate, not how they market themselves.


Managed security service providers (MSSPs) are under enormous pressure to provide best-in-class security services amid an acronym-heavy and crowded vendor landscape. SIEM (Security Information and Event Management) remains central to threat detection and response, but “next-gen SIEM” adds layers like UEBA (User and Entity Behavior Analytics), DPM (Data Protection Management), AI and automation, and analytics.

With all the noise in an increasingly crowded market, determining who really has the substance and who is just marketing fluff is an increasingly daunting task. However, focusing on a set of key questions for providers can help MSSPs evaluate the options and ensure they are selecting a solution that truly delivers the promised security, scalability, and profitability.

Out with the old SIEM, in with the new

The traditional SIEM market has undergone significant disruption in the past few years. The big legacy players have more or less exited the market. IBM sold off QRadar to Palo Alto Networks, Exabeam and LogRhythm merged, and Splunk was acquired by Cisco. Innovation has slowed. These disruptions are market tailwinds for the next generation of SIEM, as MSSPs retire legacy solutions and adopt the next evolution of the heart of the Security Operations Center (SOC).

The next generation of SIEM must be:

  • Open and flexible (avoiding vendor lock-in)
  • Able to ingest diverse log sources quickly
  • Future-proof and adaptable to emerging technologies and threat detection use cases

MSSPs need providers that help balance customer protection, retention, and recurring revenue growth.

Eight key questions to ask SIEM providers

To help determine whether a SIEM is the right fit, ask vendors these questions:

  1. How well does your SIEM align with my business use cases? Identify the “crown jewels” and top threats (IP, customer data, compliance requirements). Look for pre-built content, tuned use cases, and adaptability.
  2. Does the platform include UEBA and insider threat detection? The majority of breaches stem from compromised insider accounts, not just external threats. Combining UEBA and SIEM creates a true next-generation solution. This is where identity-driven security becomes essential. A robust platform uses identity data to reduce identity-based threats, administer Zero Trust policies, shrink the identity attack surface, and develop Identity Threat Detection and Response (ITDR) capabilities. ITDR aims to defend user identities and systems against cyber threats. It blends processes, tools, and best practices to identify and address identity-based threats such as password leaks and compromised accounts, focusing on identifying, responding to, and preventing attacks on identity infrastructure.
  3. What is your approach to log ingestion and parser support? Many providers overpromise on log source compatibility. It is important to ask for a vendor’s current parser list and the speed of new parser development (e.g., 24-hour turnaround versus “next release”). This directly impacts MSSPs with diverse customer environments.
  4. How do you manage data volume and cost? Traditional SIEMs (Splunk, etc.) charge by data ingested, driving up costs. Ask about data optimization tools and their ability to filter data, route it to low-cost storage, store cold data, and still support federated search.
  5. What automation and SOAR capabilities are included? Roughly 80% of alerts are routine (e.g., password lockouts). Automating Level 1 tasks frees analysts for higher-level response. Look for built-in automation and integrations with SOAR platforms. AI is particularly well suited here. An AI-based SOAR solution can help security teams prioritize and respond more accurately to real threats by automating detection, triage, and response workflows, improving SOC efficiency.
  6. How future-proof is your platform? Can the SIEM integrate with new tools, swap data lakes, and support multi-cloud environments? Consider vendor lock-in carefully. You do not want to be stuck with a stack that limits your ability to scale, grow, or adapt.
  7. What customer support and SLAs do you provide? 24x7 support is critical for MSSPs. Validate vendor claims through peer reviews and references, not just vendor-provided case studies.
  8. How do you reduce onboarding and migration risk? Ask about free training, proof-of-value support, and migration assistance.
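To make questions 4 and 5 concrete, here is an added example (not code from the article, from Gurucul, or from any SIEM vendor) of the kind of Level 1 triage and data-routing step the two questions describe: routine events such as account lockouts are auto-closed and routed to a low-cost tier, a login success that follows a burst of failures is escalated, and anything unknown stays in the hot tier for an analyst. The log format, the `ROUTINE_EVENTS` policy, the `FAILED_LOGIN_THRESHOLD` value, and every log line are constructed for the example.

```python
"""Added example (not from the article or any vendor): a toy L1 alert-triage
and data-routing step. Routine events are auto-closed and routed to a
low-cost tier; everything else stays hot for an analyst. Logs are constructed."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample events (syslog-like, simplified for the example).
SAMPLE_LOGS = [
    "2024-05-01T08:01:12Z auth host=dc01 user=alice event=LOGIN_SUCCESS src=10.0.1.15",
    "2024-05-01T08:02:40Z auth host=dc01 user=bob event=ACCOUNT_LOCKOUT src=10.0.1.22",
    "2024-05-01T08:03:05Z auth host=dc01 user=carol event=LOGIN_FAILED src=10.0.1.31",
    "2024-05-01T08:03:06Z auth host=dc01 user=carol event=LOGIN_FAILED src=10.0.1.31",
    "2024-05-01T08:03:07Z auth host=dc01 user=carol event=LOGIN_FAILED src=10.0.1.31",
    "2024-05-01T08:03:08Z auth host=dc01 user=carol event=LOGIN_FAILED src=10.0.1.31",
    "2024-05-01T08:03:09Z auth host=dc01 user=carol event=LOGIN_FAILED src=10.0.1.31",
    "2024-05-01T08:03:30Z auth host=dc01 user=carol event=LOGIN_SUCCESS src=10.0.1.31",
    "2024-05-01T08:10:00Z auth host=fw01 user=svc_backup event=PRIV_ESCALATION src=10.0.9.9",
    "malformed line without key=value fields",
]

# Event types an L1 runbook closes automatically (hypothetical policy).
ROUTINE_EVENTS = {"ACCOUNT_LOCKOUT", "LOGIN_SUCCESS"}
FAILED_LOGIN_THRESHOLD = 5   # failures before a success is escalated (hypothetical)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<kv>.*)$")


@dataclass
class Event:
    ts: str
    source: str
    fields: dict


def parse_line(line):
    """Parse one constructed log line; return None for unparseable input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    if "event" not in fields:
        return None
    return Event(m.group("ts"), m.group("source"), fields)


def triage(lines):
    """Return per-tier counts and the events routed to an analyst."""
    hot, cold, unparsed = [], [], 0
    failures = Counter()            # consecutive failed logins per user
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1           # count parser gaps, never silently drop them
            continue
        user, kind = ev.fields.get("user"), ev.fields["event"]
        if kind == "LOGIN_FAILED":
            failures[user] += 1
            cold.append(ev)         # raw failures go to cheap storage, still searchable
        elif kind == "LOGIN_SUCCESS" and failures[user] >= FAILED_LOGIN_THRESHOLD:
            hot.append(ev)          # success right after a failure burst: analyst
        elif kind in ROUTINE_EVENTS:
            cold.append(ev)         # auto-closed by runbook
        else:
            hot.append(ev)          # unknown or high-severity: analyst
        if kind != "LOGIN_FAILED":
            failures[user] = 0
    return {
        "hot": len(hot),
        "cold": len(cold),
        "unparsed": unparsed,
        "analyst_queue": [(e.fields["user"], e.fields["event"]) for e in hot],
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOGS))
```

Two design points matter when evaluating a vendor against this: the cold tier is still parsed and queryable (federated search over cheap storage, not a black hole), and unparseable lines are counted rather than dropped, which is the number to watch when a provider's parser list falls short of a customer's log sources.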

Common red flags to watch out for

It is easy to get excited when vendors tell you what you want to hear, so proceed with caution. Watch out for “shiny object syndrome,” where providers oversell features that do not map to real-world use cases.

Limited UEBA functionality, such as focusing only on “users” without entity context, is another warning sign. Effective UEBA solutions consider multiple contextual factors, including location, device, and time of day, to accurately evaluate activity. This contextual awareness significantly reduces false positives and enables security teams to focus on real threats.
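The difference between "users only" and entity context can be shown in a few lines. The following is an added example, not code from the article, from Gurucul, or from any UEBA product: a weighted anomaly score that combines location, device and time of day against a per-user baseline, beside a naive scorer that reacts to any single off-baseline attribute. The baselines, the factor weights, the `ALERT_THRESHOLD` and the events are all constructed for the example.

```python
"""Added example (not the article's or any vendor's code): a toy UEBA score
combining user, location, device and time-of-day context, beside a naive
single-factor scorer. Baselines, weights and events are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    countries: frozenset     # countries the user normally logs in from
    devices: frozenset       # device identifiers seen for this user
    work_hours: range        # local hours the user is normally active


# Constructed per-user baselines (what a real platform learns over time).
BASELINES = {
    "alice": Baseline(frozenset({"US"}), frozenset({"alice-laptop"}), range(8, 19)),
    "bob": Baseline(frozenset({"US", "DE"}), frozenset({"bob-laptop", "bob-phone"}), range(6, 23)),
}

# Constructed events: (user, country, device, local_hour)
EVENTS = [
    ("alice", "US", "alice-laptop", 10),  # fully normal
    ("bob", "DE", "bob-phone", 23),       # known traveller, known device, slightly late
    ("alice", "DE", "alice-laptop", 3),   # new country and off-hours
    ("alice", "US", "unknown-box", 2),    # new device and off-hours
    ("bob", "BR", "unknown-box", 3),      # every factor anomalous
]

ALERT_THRESHOLD = 3  # hypothetical: combined weight that opens an alert


def context_score(user, country, device, hour):
    """Weighted anomaly score; each factor counts only when outside the baseline."""
    b = BASELINES[user]
    score = 0
    if country not in b.countries:
        score += 2               # unfamiliar geography: strong signal
    if device not in b.devices:
        score += 2               # unfamiliar device: strong signal
    if hour not in b.work_hours:
        score += 1               # off-hours alone is weak; it amplifies the others
    return score


def contextual_alerts(events):
    """Alert only when the combined context crosses the threshold."""
    return [e for e in events if context_score(*e) >= ALERT_THRESHOLD]


def user_only_alerts(events):
    """Naive 'users without entity context': flag any off-hours or new-country login."""
    flagged = []
    for user, country, _device, hour in events:
        b = BASELINES[user]
        if hour not in b.work_hours or country not in b.countries:
            flagged.append((user, country, _device, hour))
    return flagged


if __name__ == "__main__":
    print("contextual:", contextual_alerts(EVENTS))
    print("user-only :", user_only_alerts(EVENTS))
```

Run against the constructed events, the naive scorer opens four alerts and the contextual one opens three: bob's late login from a known device in a known country is the false positive that context removes, while every event with two or more anomalous factors is still caught. When a vendor demos UEBA, ask which of these factors the product actually baselines and how the weights are tuned per customer.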

Steer clear of vendors with a poor innovation track record or a history of stagnation following acquisitions. Finally, ask detailed questions about a vendor’s AI strategy and how much of it is actually embedded in the product today.

Ask the right questions for success

MSSPs succeed when they align with SIEM partners that are open, future-proof, and capable of delivering strong insider threat coverage, automation, and support. Finding the right partner in a crowded, hype-driven market is not easy. By asking the eight questions outlined above, MSSPs can cut through the noise and ensure they deliver resilient, scalable, and profitable services to their customers.


MSSP Alert Perspectives columns are written by trusted members of the managed security services, value-added reseller and solution provider channels or MSSP Alert's staff. Do you have a unique perspective you want to share? Check out our guidelines here and send a pitch to [email protected].

David Wagner

David Wagner is a global vice president, MSSPs and systems integrators, at Gurucul.
