
Decouple SIEM data to reshape your AppSec

Shift to a data security pipeline platform to get software visibility that modern supply chain threats demand.


The math around SOC data stopped adding up a long time ago. Telemetry volumes keep mounting, SIEM ingestion costs climb with them — but analysts remain as beleaguered as ever. While automation and agentic AI hold a lot of promise, that promise can’t be realized until the data problem is solved. 

A growing number of enterprise security teams believe the answer starts with decoupling their data pipelines from their SIEMs entirely. They’re routing telemetry through purpose-built platforms that handle ingestion, normalization, and enrichment before data ever reaches a detection system. 

Cost relief is the immediate driver, but the long-term value of this architectural shift extends well beyond the bottom line. Security data pipelines are fueling SOC capabilities that legacy SIEM-centric workflows could rarely support.

Here’s how decoupling data from your SIEM can deliver application-layer visibility that modern software supply chain security demands.


The SIEM data hangover

The core architecture of SIEMs was not designed for the scale and complexity of modern security operations. These platforms are essentially search engines with alerting capabilities, yet organizations have spent two decades forcing them to serve as the universal intake point for every data stream in the enterprise. That is the view of Darwin Salazar, head of growth at Monad, who spent years as a detection engineer seeing firsthand the architectural mismatches that result from handing SIEMs all control over security data management.

As he wrote in The Cybersecurity Pulse:

“Think about what the SIEM actually does well: indexing logs, running queries, correlating events, creating historical baselines, and firing alerts. Now think about what most SIEMs claim to do: collect data from N sources, normalize it into a consistent schema, route it to themselves, transform it and enrich it. These are fundamentally different disciplines.”
Darwin Salazar

The economics make the misalignment worse. Most legacy SIEMs charge by data volume ingested, a model that rewards vendors for customer data growth while punishing customers for seeking comprehensive visibility. 

SIEM vendors “have zero incentive to help you route logs to cold storage at a fraction of the cost or send copies to your data lake for ML experiments,” Salazar said.

It’s unsustainable, but many overworked SOC teams still default to using the SIEM as their main source of truth for security data. According to the SANS 2025 Global SOC Survey, 42% of SOCs dump all incoming data into a SIEM without a retrieval or management plan. Unsurprisingly, Forrester Research has noted that one of the most common inquiry questions it receives from security clients is “How do we reduce our SIEM ingest costs?”

Leo Scott, a managing director at DataTribe, said he has seen a significant uptick in activity from startups trying to solve this problem.

SIEMs, he said, are becoming outdated while remaining “super expensive.” The startups he has been evaluating are trying a variety of approaches, seeking to effectively replace the SIEM or to work around its limitations by adding flexibility in how cybersecurity data is handled. 

“Quite a few companies are working on everything from understanding the data you need in the first place so that you can guide what the pipeline is doing to establishing new ways of managing the data pipeline coming in from all these different sources.”
Leo Scott

Enter the security data pipeline

All of this has fueled the rise of security data pipeline platforms (SDPPs). These purpose-built systems sit between data sources and destinations, handling ingestion, normalization, enrichment, filtering, and routing. With a pipeline in place, the SIEM becomes one destination among several, receiving clean, enriched data optimized for detection and investigation rather than raw logs racking up charges by the gigabyte.

The shift isn’t simply about moving data from SIEMs to data lakes. After all, security teams have been adopting platforms like Snowflake and Databricks for threat hunting and long-term retention for years. What is new with the pipeline layer is that it addresses what happens before data reaches any destination. 

The pipeline’s core function is as a “security refinery,” wrote Aqsa Taylor of Software Analyst Cyber Research (SACR) and her co-authors in a recent deep dive on the SDPP market. The pipeline converts crude telemetry into structured, context-rich signals. Ultimately, it serves as the control plane of the modern SOC’s data flows, governing how data gets processed, how it’s shaped, where it goes (including a SIEM), and what happens when conditions change.

“Some data may be duplicated across storage types,” an earlier SACR Market Guide explained. “One copy might be retained in the SIEM with short-term retention, while another is archived in a data lake for long-term compliance.” The paper called such storage tiering a significant cost-optimization strategy.

Bob Ackerman, co-founder and managing partner of DataTribe and chairman of the Global Cyber Innovation Summit, sees the data layer as the foundation not only of improved SOC operations, but also of a broader security model he calls the “cyber information center,” a fusion layer that normalizes telemetry, integrates threat intelligence, and monitors control health continuously. The CIC does not represent a niche category, he said.

“It’s only a niche to the extent that your central nervous system is a niche. In a digital economy, data is insight, is power, and is control.”
Bob Ackerman

Making AI-native SOCs and software telemetry practical

The need for more flexibility in security data flows has become more urgent as AI-powered security tooling has started to move from pilot to production. Every AI SOC initiative, from automated alert triage to LLM-based investigation to agentic response, lives or dies on data quality.

“AI/ML tooling has put a magnifying glass to this problem. Models don’t tolerate messy or incomplete data the way humans do.”
Darwin Salazar

Anton Chuvakin, a senior staff security consultant in the Office of the CISO at Google Cloud and a widely read expert on security operations, has been driving home the point.

“The path to an AI-ready SOC isn’t paved with new tools; it’s paved with better data, cleaner processes, and a fundamental shift in how we think about human-machine collaboration. If you ignore these pillars, your AI journey will be a series of expensive lessons in why ‘magic’ isn’t a strategy.”
Anton Chuvakin

More than a decade ago, as a Gartner analyst, Chuvakin devised the SOC visibility triad, whose three pillars are logs, endpoint telemetry, and network telemetry. Just last year, he added a fourth monitoring need: applications.

“SaaS, cloud applications, and AI agents require deep application visibility,” he wrote at the time. “This enables deeper insights into the application’s internals, as well as business logic. To have a good 2025 SOC you must have the fourth pillar of application visibility.”

In addition to enabling AI-native security operations, decoupled data pipelines make that fourth pillar a functional possibility. 

Binary intelligence — the deep analysis of files, packages, and software artifacts — has been difficult to integrate into SOC detection workflows because of challenges with volume, latency, and normalization, though direct SIEM integrations have addressed some of these barriers for enrichment- and verdict-driven workflows.

Security data pipelines could extend this further. By normalizing binary analysis output into the same schema as other SOC telemetry, pipelines can potentially transform file intelligence from an enrichment source into a first-class detection data type, queryable and correlatable alongside endpoint, network, and authentication data.
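The pipeline stages described above (ingest, normalize, enrich, filter, route, and tier between a SIEM and a data lake) and the idea of normalizing a file-analysis verdict into the same schema as endpoint and network telemetry can be shown in a few dozen lines. The following is an added illustration written for this article; it is not code from ReversingLabs, Monad, SACR or any vendor mentioned here. The input records, their field names, the `file_analysis` verdict format and the placeholder hash are all constructed for the example, and the severity and routing rules are assumptions chosen to make the tiering visible.

```python
"""Minimal security data pipeline stage: ingest -> normalize -> enrich -> route.

Added illustration, not vendor code. Every input format below is constructed;
the file_analysis record is a hypothetical verdict format, not a real product's.
"""
import json
import re
from datetime import datetime, timezone

FAKE_SHA256 = "a1" * 32  # constructed placeholder hash, not a real indicator

# Constructed sample input from three different producers (one JSON EDR agent,
# one syslog firewall, one file-analysis service) plus a noisy heartbeat.
RAW_EVENTS = [
    json.dumps({"ts": "2025-03-04T10:15:02Z", "agent": "edr", "host": "ws-017",
                "event": "process_start", "image": "setup.exe",
                "sha256": FAKE_SHA256, "level": "info"}),
    "Mar  4 10:15:03 fw01 deny src=10.0.0.17 dst=203.0.113.9 dport=443 proto=tcp",
    json.dumps({"ts": "2025-03-04T10:15:05Z", "source": "file_analysis",
                "sha256": FAKE_SHA256, "verdict": "malicious",
                "classification": "Trojan"}),
    json.dumps({"ts": "2025-03-04T10:15:06Z", "agent": "edr", "host": "ws-017",
                "event": "heartbeat", "level": "debug"}),
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<action>\w+) (?P<kv>.*)$"
)

# Severity scale assumed for the example; "noise" never earns a SIEM slot.
LEVEL_TO_SEVERITY = {"debug": "noise", "info": "low", "warn": "medium", "error": "high"}


def normalize(raw: str) -> dict:
    """Map one raw record onto the single schema every downstream consumer reads."""
    if raw.startswith("{"):
        obj = json.loads(raw)
        if obj.get("source") == "file_analysis":
            # Binary-analysis output becomes a first-class event type, not a sidecar.
            return {"timestamp": obj["ts"], "source": "file_analysis",
                    "event_type": "file_verdict", "host": None,
                    "file_sha256": obj["sha256"], "verdict": obj["verdict"],
                    "severity": "high" if obj["verdict"] == "malicious" else "low"}
        return {"timestamp": obj["ts"], "source": obj["agent"],
                "event_type": obj["event"], "host": obj["host"],
                "file_sha256": obj.get("sha256"), "verdict": None,
                "severity": LEVEL_TO_SEVERITY.get(obj["level"], "medium")}
    m = SYSLOG_RE.match(raw)
    if not m:
        raise ValueError(f"unrecognised record: {raw!r}")
    kv = dict(pair.split("=", 1) for pair in m["kv"].split())
    # Syslog carries no year; the example assumes 2025 and UTC.
    ts = datetime.strptime(f"2025 {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"timestamp": ts.isoformat().replace("+00:00", "Z"), "source": "firewall",
            "event_type": f"conn_{m['action']}", "host": m["host"],
            "file_sha256": None, "verdict": None,
            "severity": "medium" if m["action"] == "deny" else "low",
            "src_ip": kv.get("src"), "dst_ip": kv.get("dst")}


def enrich(events: list) -> list:
    """Join file verdicts onto any event that references the same hash.

    Batch join for clarity; a streaming pipeline would keep a verdict cache
    because the verdict often arrives after the endpoint event it explains.
    """
    verdicts = {e["file_sha256"]: e["verdict"]
                for e in events if e["event_type"] == "file_verdict"}
    enriched = []
    for e in events:
        e = dict(e)
        verdict = verdicts.get(e.get("file_sha256"))
        if verdict and e["event_type"] != "file_verdict":
            e["verdict"] = verdict
            if verdict == "malicious":
                e["severity"] = "high"  # endpoint event now carries the file context
        enriched.append(e)
    return enriched


def route(event: dict) -> set:
    """Tiering rule: everything to the cheap lake, detection-relevant only to the SIEM."""
    destinations = {"lake"}
    if event["severity"] in ("medium", "high"):
        destinations.add("siem")
    return destinations


def run_pipeline(raw_events: list) -> dict:
    """Ingest raw records and return what each destination would receive."""
    events = enrich([normalize(r) for r in raw_events])
    sinks = {"siem": [], "lake": []}
    for e in events:
        for dest in route(e):
            sinks[dest].append(e)
    return sinks


if __name__ == "__main__":
    for dest, events in run_pipeline(RAW_EVENTS).items():
        print(dest, [(e["event_type"], e["severity"], e["verdict"]) for e in events])
```

The point to notice is the `process_start` event: on its own it is low-severity endpoint noise that a volume-priced SIEM would charge for and an analyst would ignore, but once the file verdict shares a schema and a join key it is promoted to a high-severity, SIEM-bound event, while the heartbeat is retained only in the lake.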

If that output were routed into SOC detection infrastructure, it could help close visibility gaps in software supply chain risk and potentially act as a catalyst to more closely tie together security operations and application security (AppSec) functions.

The path forward

Again, for now, cost is typically behind SDPP projects. SIEM bills can hit millions of dollars annually and often rise faster than security budgets can accommodate. Virtually every practitioner interviewed by SACR analysts in their 2025 market study said their pipeline deployment started as a cost-control measure.

The problem is that cost-control measures are rarely treated as strategic opportunities. But much more value will be extracted by the organizations that treat their data pipeline as a first-class asset rather than a backend detail.

The economic gain of spending less on SIEM ingestion will be augmented by the security payoffs of getting fewer false positives, onboarding new data sources faster, migrating between platforms more easily, and getting more reliable output from every AI tool the organization deploys.
