SIEM Market: Competing Visions Shape the Landscape

“SIEM: Six vendors dominate a market that is growing denser.”

Thus we titled, in spring 2024, our synthesis of what was then the latest Magic Quadrant devoted to this market. Gartner indeed classified 22 vendors, surpassing the 20‑vendor threshold it generally adheres to.

Six entered at that time. One directly among the “visionaries” (Google). The others joined the “niche players” (Logz.io, NetWitness, Odyssey, QAX, Venustech).

4 entrants for 9 exits: a Magic Quadrant with a clearly reduced scope

In the 2025 version of the SIEM Magic Quadrant, Logz.io, NetWitness, Odyssey, and Venustech are no longer present. They are not the only ones to disappear. Devo Technology, IBM, LogRhythm, Logpoint, and OpenText follow suit.

For LogRhythm, the driver is its merger with Exabeam (completed in July 2024). IBM, on the other hand, no longer meets Gartner’s technical criteria since it sold QRadar SaaS to Palo Alto Networks.

For the others, the reasons are mixed. Logpoint did not satisfy all functional criteria. Devo Technology, Odyssey, and Venustech fell short on business criteria. Logz.io, NetWitness, and OpenText failed on a mixture of both functional and business criteria.

On the functional side, the criteria changed little from last year. A few thresholds were raised, however, such as the minimum number of connectors for data capture and for data streaming, in addition to log collection.

From year to year, the same functionalities remained “a la carte.” Vendors had to provide, on one hand, at least 2 of the following 4 capabilities:

  • Federated search on a distributed SIEM environment
  • Search outside the SIEM’s repositories
  • Integration of third‑party data lakes
  • Long‑term storage capable of recalling “hot” data for 365 days

On the other hand, they had to provide at least 2 of the following 3:

  • SOAR (automation and orchestration of common tasks)
  • Threat intelligence
  • Capabilities based on behavioral analysis or data science / machine learning

In terms of business criteria too, thresholds were raised. On the one hand, between March 2024 and March 2025, vendors had to generate at least $85 million in license + maintenance revenue from cloud*/SaaS products or have 500 production customers with direct contracts for these products (the previous thresholds were $75 million and 200 customers). On the other hand, at least 25% of this revenue had to come from customers located outside the region where the vendor’s headquarters sits; or at least 25% of customers had to meet the same geographic criterion (the previous thresholds were 15% of revenue and 30 customers).

Platform or not platform? Divergences that structure the market

The uptick in business thresholds, Gartner explains, also reflects the presence of large vendors among the four entrants this year (CrowdStrike, Datadog, Graylog, and Palo Alto Networks).

CrowdStrike and Palo Alto Networks are among the providers that, like Microsoft among others, have integrated their SIEM into broader offerings with a licensing model tailored to a platform. Some vendors emphasize ingestion at scale rather than building a platform, while others push a strategic approach to augmenting workflows (AI, automation) in order to reduce complexity.

These divergences are reshaping the competitive landscape. Gartner therefore prioritized, in its evaluation, how vendors articulate their SIEM vision and, crucially, their ability to drive market adoption of that vision.

17 vendors, still 6 “leaders”

The positioning within the Magic Quadrant results from combining assessments on two axes. One is forward‑looking (“vision”), focused on strategies (vertical, geographic, go‑to‑market, product). The other is the ability to actually meet demand (“execution”: customer experience, pre‑sales performance, product/service quality, etc.).

On the axis of “execution,” the picture is as follows:

Rank Vendor Year‑over‑year change
1 Splunk =
2 Microsoft =
3 Google + 8
4 Rapid7 + 3
5 Palo Alto Networks new entrant
6 Securonix – 2
7 Exabeam – 1
8 Fortinet =
9 Gurucul =
10 Elastic + 4
11 CrowdStrike new entrant
12 Sumo Logic – 7
13 Huawei + 2
14 Datadog new entrant
15 QAX + 6
16 ManageEngine + 1
17 Graylog new entrant

On the “vision” axis:

Rank Vendor Year‑over‑year change
1 Google + 4
2 Securonix + 4
3 Microsoft – 1
4 Gurucul – 3
5 Exabeam – 1
6 Splunk – 3
7 Elastic + 2
8 CrowdStrike new entrant
9 Datadog new entrant
10 Huawei + 6
11 Palo Alto Networks new entrant
12 (tied) QAX + 6
12 (tied) Fortinet + 2
12 (tied) Rapid7 + 1
15 Sumo Logic – 3
16 Graylog new entrant
17 ManageEngine + 5

Six vendors sit in the “leaders” square: Exabeam, Google, Gurucul, Microsoft, Securonix and Splunk.

Exabeam remains more expensive than the average

Last year, Gartner lauded Exabeam’s UI, “very much in tune with security analysts’ needs.” It also appreciated the dynamic scoring and the ability to process third‑party streams through federated search. The firm also noted a steeper learning curve than for other SIEMs, and highlighted pricing that exceeded the average, in addition to a tendency to focus on large enterprises.

This year, the UI continues to impress. So do the scoring and federated search. Added to that are the Exabeam Copilot assistant (which streamlines triage and case prioritization) and a well‑stocked marketplace, particularly for insider threats, correlation rules, and extensible dashboards. Pricing remains above average, as does the learning curve—and this time for a specific component: Advanced Analytics (the legacy behavioral detection engine). Gartner also flags the potential latent effects of the merger with LogRhythm (announced in May 2024) on the resources allocated to product development.

Google can advance on UEBA

With Chronicle, Google Cloud entered the SIEM Magic Quadrant last year. It was categorized among the “visionaries” (insufficient execution to be a leader).

Since then, Chronicle has evolved into Google SecOps. Gartner notes the platform’s strength in advanced and complex queries. Federation and multi‑tenancy make it attractive for MSSPs as well as for large organizations needing multiple SIEM instances. Another plus: AI infused across a broad spectrum of workflows, alongside well‑integrated automation capabilities.

It should be noted that there is no on‑premises version of SecOps. The UI is also complex in the sense that Google favors a CLI‑driven approach (for building queries, for example), which requires skill to implement and operate. UEBA remains an area with room for improvement, lacking embedded use cases that are commonly found among the other “leaders.”

Gurucul: a price potentially hard to justify

Last year, Gurucul was also among the “visionaries.”

Gurucul earns praise for its marketing program, whose expansion correlates with a higher‑than‑average renewal rate. Gartner also appreciates its roadmaps and its ability to deliver features consistently. The data management component is another strong point, offering flexibility.

Pricing is significantly higher than that of its main competitors, which can make it difficult to prove the value of certain “advanced” features. Overall, the solution seems best suited to buyers with complex use cases. Caution is warranted on the “augmentation” of workflows (automation, orchestration): functionally, Gurucul lags behind the other leaders.

Microsoft: dependencies on Azure persist

Last year, Gartner highlighted the bridges between its Sentinel SIEM and the rest of Microsoft’s ecosystem (SOAR, CASB, identity and endpoint protection). It also valued MITRE ATT&CK coverage and the customization capabilities, both for threat‑detection models and for the threat intelligence UI.

This year, Microsoft maintains its strength in MITRE ATT&CK coverage and its integrations within its ecosystem. Gartner adds the extension to support third‑party tools, the use of AI particularly in the correlation area, and the customization capabilities of the threat‑intelligence dashboard.

Microsoft can also be pricier than rivals, especially when ingesting data from external sources. Azure dependencies remain, including for integrating third‑party telemetry sources and for hosting (SaaS only).

Securonix: lagging on workflow augmentation

Last year, Securonix stood out for its handling of third‑party data sources and threat intelligence streams. Gartner also praised assistance for improving the SIEM configuration (identifying missing data sources, relevant analytical models, etc.). It criticized the EPS (events per second)‑based business model and the onboarding effort, which, it argued, required “more professional services than average,” particularly for cloud deployments.

This year, a strength is its handling of third‑party data lakes and the flexibility this affords. Securonix also distinguishes itself in UEBA (advanced use‑case management), combined with “exhaustive” testing and tuning capabilities. It has a product‑development team that is “larger than average” among SIEM quadrant vendors. While its capability to augment workflows is growing, it trails the other leaders in both features and integrations. Gartner notes a dependency on risk scoring that could hinder manual query creation, and observes that customer base growth is slower than among the other leaders.

Splunk translates its vision more slowly than the competition

Last year, Splunk stood out for its UI, particularly its customization capabilities. It also boasted an exhaustive library of integrations, with SOAR leading the way. Gartner praised its observability component, coupled with federated search and analytics across third‑party data stores. While the platform was flexible, pricing appeared above average, and the solution, though powerful, was complex to implement. Gartner also pointed out that most employees were based in North America, which could impact customer support.

This year, one strong point is Splunk’s content marketplace and the richness of resources provided by the community. Gartner also underscores the breadth of security product integrations, including Cisco’s offerings. The report highlights customization options for developing workflows and dashboards.

However, augmenting workflows is not Splunk’s strong suit, and the company also lags its main competitors in its roadmap, reflecting a strategy still centered on integration in order to build a unified platform for TDIR (threat detection, incident response) orchestration. As for customization, it requires a degree of complexity that could deter less mature organizations.

* “Cloud‑native” here means designed to take advantage of cloud characteristics.

Dawn Liphardt

I'm Dawn Liphardt, the founder and lead writer of this publication. With a background in philosophy and a deep interest in the social impact of technology, I started this platform to explore how innovation shapes — and sometimes disrupts — the world we live in. My work focuses on critical, human-centered storytelling at the frontier of artificial intelligence and emerging tech.