📝 PREVIEW This post is not yet public. It will go live on Fri 10 Jul 2026, 09:11 IST. Public URL: /blog/ai-first-soc-legacy-siem-running-out-of-runway-2026

The AI-first SOC is here — why legacy SIEM is running out of runway

Pawan Sharma Published 10 Jul 2026  ·  By Pawan Sharma  ·  Security Operations  ·  38 min read

Every SOC I've walked into in the last twelve months has the same posture: they know their SIEM is under strain, they don't know what to do about it, and the vendor account team is quietly recommending "add-on modules" that don't fix the underlying architecture. What's actually happening is bigger than "SIEM needs an upgrade." It's a generational shift in how detection, triage, and response get done — and the platforms that were built for the 2010-2020 era of security operations were built on architectural assumptions that don't hold anymore. This piece is what I'd want a CISO to read before the next Splunk renewal, the next QRadar refresh, the next FortiSIEM upgrade, the next SOC-as-a-Service RFP.

The gap that keeps growing

~3-8×

Detection latency delta between AI-first SOC operations and rules-first SIEM pipelines, on identical data volumes.

Analyst hours displaced

60-80%

Tier-1 / Tier-2 workload now automatable with well-scoped LLM agents. Not "in five years" — right now.

Legacy SIEM cost curve

Linear

Per-GB pricing means your bill scales with your data. AI-first architecture flips this to sub-linear.

Time to first meaningful ROI

60-90 days

In an AI-first SOC operating model. Legacy SIEM programmes typically show ROI in 12-18 months.

The frameLegacy SIEM was engineered for a world that no longer exists

SIEM as a category was born in the mid-2000s. Splunk 3.0 shipped in 2006. Q1 Labs (which became QRadar under IBM) went GA around the same period. ArcSight was already several years old by then. LogRhythm, McAfee ESM, RSA enVision, all landed in a five-year window. Every one of these platforms was engineered around the same operational assumptions: logs are structured, threats have signatures, correlation rules are the product, analysts sit in tiers, and everything gets faster if you throw more storage and more people at it.

Every one of those assumptions is now either partially or wholly wrong. The consequence is not that SIEM is dead — it's that the SIEM you own was optimised for a problem that the industry no longer has. And the vendor selling it to you is structurally incapable of catching up, because their entire business model, sales motion, and product architecture are locked into the old assumptions.

The frame that makes the whole shift make sense. Legacy SIEM treats detection as a rules problem. AI-first SOC operations treat detection as a reasoning problem. That single change of framing — from "have I written a correlation rule that matches this pattern?" to "does this stream of events, taken together, look like something a knowledgeable analyst would care about?" — invalidates most of the architectural choices that legacy platforms are built on.

The four assumptionsWhat's changed at the architectural level

1. Structured logs are no longer the primary telemetry surface

Traditional SIEM's ingestion tier is optimised around parsing. Every log source gets a parser (Splunk "sourcetype," FortiSIEM "parser," QRadar "DSM"), and the parser's job is to extract structured fields that rules can then reference. This works beautifully when your telemetry is 90% firewall syslog, Windows Event Log, and IIS access logs — which is roughly what the world looked like in 2010.

The world in 2026 has fundamentally different telemetry. Cloud audit logs (CloudTrail, Azure Activity, GCP Cloud Audit) are JSON-native but so deeply nested that traditional parsers can extract maybe 30% of the meaningful fields. Container and Kubernetes telemetry is high-volume and low-signal per event — the meaning lives in the sequence, not the individual line. SaaS-application audit trails (M365, Salesforce, Workday, ServiceNow) come in dozens of different formats that mutate every quarter. Endpoint EDR events are already pre-correlated by the EDR product, arriving as behavioural narratives rather than raw events.

The AI-first response is semantic ingestion: use an LLM (or an embedding model fine-tuned for security telemetry) to understand what an event means, without requiring a hand-crafted parser for every source type. This is not theoretical — it's shipping today in Microsoft Sentinel's Auxiliary Logs tier, in Palo Alto Cortex XSIAM's ML-based normalisation, in the newer FortiSIEM release-train's AI-Assist normaliser, and in several open-source projects. But it requires a fundamentally different ingestion architecture than what the legacy SIEM stack is designed around. You cannot "add semantic ingestion" as a feature to a parser-centric platform. The parser tier is the platform.

2. Rules-based correlation was never how experienced analysts actually detect

Ask any experienced Tier-2 SOC analyst how they decide whether a stream of events is worth escalating. You will get an answer that has almost nothing to do with correlation rules. It will be about context: this host normally talks to those five destinations, why is it suddenly hitting a sixth; this user account has never logged in from that country before; this service ran a command it doesn't usually run; the sequence of these three events looks like the middle of a Cobalt Strike playbook.

Legacy SIEM's response to this reality was UEBA — user and entity behaviour analytics — layered on top of the rules engine as a bolt-on. The bolt-on has never worked as well as the marketing suggested, for two structural reasons. First, the UEBA tier and the correlation tier don't share a data model, so alerts from one never enrich alerts from the other in the way an analyst would. Second, UEBA models are trained on your organisation's specific baseline, which means every new deployment starts from a cold-start baseline and takes 60-90 days of noise before it becomes useful.

The AI-first response is reasoning-based triage: give an LLM the same context an analyst would have (recent behaviour of the entity, threat intel, historical incidents, current org context) and let it reason about whether the current event stream is meaningful. This is the operational model behind Microsoft Security Copilot, CrowdStrike Charlotte AI, FortiAI-Assist inside FortiSIEM Cloud, and the internal AI agent Ogma runs at Tier-1/Tier-2 for its own SOC customers. It doesn't replace correlation rules — it wraps around them, catching the incidents the rules missed and dismissing the false positives the rules generate.

3. Tiered analyst structure is the wrong response to the volume problem

Every SOC I've seen in India that scaled beyond 15 analysts hit the same wall around year two. The tiered model — L1 triage, L2 investigation, L3 hunting and IR — was designed to make throughput scale linearly with headcount. It does that. But it also creates a specific set of failure modes: L1 analysts become overwhelmed and start closing alerts to make the queue shorter; L2 analysts spend more time re-doing L1's investigation than doing their own; L3 senior architects become the bottleneck on every Sev-1; and the whole system's efficacy is limited by the median L1 skill, not the peak L3 skill.

The AI-first response is not "get rid of tiers" — it's invert the leverage. AI handles the L1 workload (triage, initial context assembly, rule-out of known-good patterns) with near-infinite scalability. The senior architect layer that was previously a bottleneck now spends its time reviewing AI decisions and handling the Sev-1s. L2 as a distinct role starts to disappear — the "investigation" work that L2 used to do is now either automated (by the AI at L1) or elevated (to the L3 architect who has time to do it because they're not drowning in Sev-1s).

The economic consequence is significant. An AI-first SOC serving 25 mid-market customers doesn't need 8-10 human analysts on payroll. It needs one senior architect, a compliance/audit lead, maybe a customer-success generalist, and a modest fixed AI-agent infrastructure spend. Total operational cost lands roughly 60-70% below the equivalent team-based operating model at the same customer count. That maths is what allows an AI-first SOC to price 30-50% below legacy MSSPs while maintaining healthy margins.

4. Storage and retention are no longer where the innovation is

A striking amount of legacy SIEM product roadmap over the last decade went into storage optimisation: hot/warm/cold tiers, archive-to-S3, index compression, distributed indexers, big-data backends. This was rational engineering at the time. Storage was expensive, retention obligations were growing, and every SIEM vendor was trying to solve the same problem of "how do we let customers keep more logs for less money."

The problem shifted before the vendors fully solved it. Object storage got cheap enough (S3 Glacier, Azure Archive) that raw retention is now a rounding error on a modern SOC's total spend. What matters now is not "how much you can store" but "how usefully you can search and reason over what you've stored." AI-first architectures optimise for the query and reasoning tier, not the storage tier — treating cold data as embedding-searchable rather than SQL-queryable, and using vector similarity to surface historical parallels to current incidents.

Splunk, QRadar, and the on-prem tier of every legacy platform sunk hundreds of engineering-years into a problem the market has largely moved past. Their pricing model — per-GB ingested, sometimes with per-GB-stored — actively fights the shift to AI-first, because the AI-first operating model wants to reason over more data more cheaply, and the vendor's revenue model punishes that.

The visible shiftWhere legacy and AI-first diverge, operationally

Legacy SIEM operating model

Rules-centric, tier-scaled, storage-optimised

  • Detection: Correlation rules authored in vendor-specific query language (SPL / AQL / KQL for on-prem Sentinel). New rule for every new threat pattern.
  • Triage: L1 analyst reviews queue, decides escalate or close. Median MTTA measured in hours.
  • Investigation: L2 analyst tab-hops across SIEM, EDR, firewall, DNS, threat-intel. Repro of what L1 already did.
  • Response: Playbook in SOAR (or manual). Playbook maintenance is a full-time job.
  • Compliance reporting: Quarterly-cycle document generation, largely manual, always behind reality.
  • Cost curve: Linear with log volume. Every new source raises the bill.
  • Time to first meaningful ROI: 12-18 months.
AI-first SOC operating model

Reasoning-centric, leverage-inverted, query-optimised

  • Detection: Rules where they're precise; behavioural anomaly models for the long tail; LLM reasoning over event streams for novel patterns.
  • Triage: AI agent triages with same context as senior analyst. Human reviews at Sev-1 only. Median MTTA measured in minutes.
  • Investigation: Multi-agent AI orchestrates the SIEM / EDR / firewall / DNS / TI lookups in parallel. Human sees the synthesis, not the raw queries.
  • Response: Natural-language playbook definition. AI runs the playbook within pre-approved scope. Human authorises anything above scope.
  • Compliance reporting: Monthly auditor-ready output generated automatically. Human senior architect signs the document.
  • Cost curve: Sub-linear with log volume. Marginal AI cost per additional GB is close to zero.
  • Time to first meaningful ROI: 60-90 days.

The five tiersWhat "AI at every layer of the SOC" actually looks like

When vendors say "AI SOC" they mean many different things — often just a chatbot layered on top of the existing platform. Real AI-first architecture puts AI at each tier of SOC operations. Here's the map:

Tier 1

Ingestion & normalisation

Semantic parsing of arbitrary log formats without hand-crafted parsers. LLM-assisted field extraction. Automatic detection of novel log-source shapes.

What breaks in legacy: The parser tier is the product. Adding LLM-based semantic parsing requires re-architecting ingestion.

Tier 2

Detection & correlation

Rules where they're precise (known bad IOCs, specific TTPs). Embedding-based similarity search for "does this look like something we've seen before." LLM reasoning for novel event-sequence interpretation.

What breaks in legacy: Correlation engine tightly coupled to structured field schema. New detection primitives require rewriting the engine, not adding to it.

Tier 3

Triage & investigation

AI agent assembles context, decides severity, dismisses false-positives, escalates. Multi-tool orchestration: SIEM + EDR + firewall + DNS + TI + prior incidents. Reasoning trace preserved for audit.

What breaks in legacy: The tiered analyst model IS the operational architecture. Removing L1/L2 doesn't just save cost — it changes what the whole platform is for.

Tier 4

Response & remediation

Natural-language playbook authoring. AI executes within pre-approved scope. Human authorises anything above scope. Post-action verification automated.

What breaks in legacy: SOAR platforms sold as separate products with separate licences. AI-first architecture treats response as part of the same reasoning loop as triage.

Tier 5

Reporting & governance

Auditor-ready output generated from raw operational data on a monthly cycle. LLM-drafted, senior-architect-signed. Compliance mapping (DPDP / RBI / SEBI / ISO) built into the same reasoning layer that runs detection.

What breaks in legacy: Reporting is a separate module, often outsourced to consulting. Fundamentally reactive, quarterly-cycle, retrospective.

The key distinction: AI at each tier is not the same as an AI chatbot layered on top of the platform. Microsoft Security Copilot, in its 2024 launch shape, was largely the latter — a natural-language interface over Sentinel queries. The 2026 iteration is genuinely different (semantic ingest, agentic triage), but it's the exception, not the rule. Most "AI SIEM" branding today is still Tier 3 chatbot-only. Ask specifically at each tier of the architecture.

Why incumbents can't just retrofitThe structural constraints on legacy vendors

The interesting question isn't "why is AI-first better." It's "why can't Splunk, QRadar, LogRhythm, ArcSight just bolt AI onto their existing stack and match the AI-first players?" Some are trying. Splunk shipped Splunk AI Assistant and the Cisco-owned Splunk Attack Analyzer. IBM shipped watsonx integrations into QRadar. LogRhythm and Exabeam merged and are pushing an AI-centric roadmap. Fortinet has FortiAI-Assist across FortiSIEM Cloud, FortiAnalyzer, FortiManager. Palo Alto's Cortex XSIAM was purpose-built as AI-native.

The pattern that emerges when you look at these efforts as a category: the deeper into the architecture AI needs to go, the more structural resistance the vendor's own business creates. Four specific forces:

Structural constraintWhy it blocks AI-first at this vendor
Ingestion-tier lock-in The parser/normaliser tier is the product's crown jewel — a decade of accumulated parsers is what customers pay for. Introducing LLM-based semantic parsing invalidates the customer's investment in custom parsers and threatens the vendor's "we support every log source" pitch.
Per-GB revenue model Vendor revenue scales with ingested data volume. AI-first operating model wants to reason over more data more cheaply. Every ROI conversation ends with "so you'd charge us less?" Sales team resists.
Enterprise sales cycle Legacy SIEM sold via 9-18 month cycles, large multi-year deals, three-year commits. AI-first players enter mid-market with self-serve trials and monthly pricing. Legacy sales team can't compete for the mid-market customer bracket profitably.
Analyst workforce economics MSSPs built on legacy SIEM have 200-500 analyst headcount as a fixed cost. AI-first competitors reach the same output with 20-30 seniors. MSSP can't fire fast enough to compete on price without restructuring pain. The workforce becomes stranded.
Partner-channel dependency SIEM vendors reach most enterprises through SI partners (Wipro, TCS, Infosys). SI partners' cyber revenue is built on headcount-at-customer-site. AI-first architecture eliminates that revenue. SI partner has no incentive to push the change.

The vendors most exposed to these constraints simultaneously are the pure-play SIEM vendors from the pre-cloud era: Splunk (still), QRadar under IBM, LogRhythm / Exabeam (post-merger), ArcSight under OpenText, older FortiSIEM tiers before the Cloud variant, McAfee ESM. The vendors least exposed are those without the legacy per-GB revenue model or the accumulated parser IP: Microsoft (Sentinel + Copilot for Security, self-cannibalising), Palo Alto (XSIAM, no SIEM legacy to protect), CrowdStrike (Falcon LogScale + Charlotte, EDR-first therefore not defending a SIEM business), and a small set of AI-native startups (Panther, RunReveal, Tines).

The vendor landscape in three categoriesWhere each vendor sits, honestly

This is my read as of mid-2026. It will change. It's directional, not definitive.

CategoryVendors in itWhy they're there
Leading the shift Microsoft (Sentinel + Security Copilot) · Palo Alto Networks (Cortex XSIAM) · CrowdStrike (Falcon LogScale + Charlotte) All three built AI-first from a position of no legacy SIEM revenue to protect. Microsoft is self-cannibalising legacy Sentinel gracefully. Palo Alto skipped SIEM entirely and went straight to AI-native XDR. CrowdStrike's EDR-first origin let it treat SIEM as a data-plane feature.
Trying seriously to catch up Fortinet (FortiSIEM Cloud + FortiAI-Assist) · Splunk (post-Cisco acquisition, with SOAR + Attack Analyzer + AI Assistant) · IBM (QRadar + watsonx) · Google (Chronicle + Duet AI) All four have the engineering resources and are moving. Fortinet's Cloud tier is the most credible AI-first migration path in the traditional-SIEM cohort. Splunk under Cisco has resources but is fighting the ingestion-tier lock-in constraint hardest. IBM is uncharacteristically pragmatic about QRadar's limits. Google's Chronicle was built AI-forward from the outset.
Structurally exposed LogRhythm/Exabeam (post-merger) · ArcSight (OpenText) · Rapid7 InsightIDR · McAfee ESM · Sumo Logic · older on-prem tiers of every vendor above Not that these products are bad — they're built well for the problem they were built for. But their business model, sales motion, and architecture all point in the wrong direction for the shift now underway. Expected outcomes: acquisition, roll-up, or gradual customer attrition to AI-first alternatives.
AI-native new entrants Panther · RunReveal · Tines (adjacent) · Anvilogic · Query.AI · Ogma One (India, pre-launch — disclosure: this is us) · other stealth-stage Indian and Israeli startups Cloud-native, code-first, treat AI as a foundation not a feature. Small footprint today; may consolidate quickly. High-quality engineering, small go-to-market, most likely to be acquired by category leaders once they prove they can operate at scale.

What this doesn't tell you. Which vendor is the best fit for your environment. That's a function of your existing stack, your integration commitments, your compliance overlay, your team's operational maturity, and your budget cycle. What this does tell you is which vendor is likely to still be the right answer in 36 months, and which is likely to have been rolled up into a larger stack or lost customer share to an AI-first competitor.

The economic disruptionHow unit costs flip, and what that means for pricing

The most under-appreciated part of the AI-first shift is that it doesn't just change what the SOC does — it changes the shape of the cost curve. This has real consequences for how customers should price-negotiate and how vendors should re-model their offerings.

Legacy SIEM cost is linear in data volume. Every additional GB ingested adds a licence-cost delta, a storage-cost delta, and (indirectly) an analyst-workload delta. This is why every mature SOC eventually starts fighting its own log sources — turning off high-volume, low-signal telemetry to keep the bill manageable. The optimisation is rational and simultaneously wrong: the telemetry you turn off is often where the next incident is going to originate.

AI-first SOC cost is sub-linear in data volume. Storage cost drops to near-zero (S3 Glacier, Azure Archive). LLM reasoning cost per event is genuinely small at commercial API rates for current-generation models, and dropping rapidly. The fixed cost is the AI infrastructure itself: model access, embedding storage, vector-search infrastructure. That's a bounded monthly bill that doesn't grow with your log volume the way a per-GB SIEM licence does.

The consequence for customer pricing: traditional MSSPs pricing per-GB-day or per-EPS are describing a cost model that doesn't hold in an AI-first operating world. When you see a per-GB quote from a vendor whose backend is AI-first, you're being priced against your data volume even though it's not their cost driver. This is arbitrage in the vendor's favour, and it will shrink over time as pricing models catch up.

How Ogma One is priced (disclosure: our own build, pre-launch): per-GB-of-storage-per-month, split into live tier (queryable in real time) and archive tier (queryable with rehydrate latency). Archive tier prices at roughly two-thirds of the live tier — the split matches the actual cost driver on our side. Margins stay clean because our AI-agent infrastructure cost is a bounded fixed spend, regardless of how many customers or how much data. It gives customers a bill that scales with what they actually store, and drops when they retire old data. Simple to explain, simple to defend at audit.

The honest limitsWhere AI-first SOC actually falls short today

Any piece that claims a new paradigm is the answer without naming its limits is a marketing document. Here's where AI-first SOC operations are still shy of the pitch:

1. LLM hallucination in the reasoning loop is a real risk

An AI agent triaging alerts will occasionally produce confident-sounding wrong answers. In a SOC context this could mean dismissing a real incident because the model "reasoned" that it's benign. Mitigation is architectural: (a) constrain the model to reasoning over structured facts drawn from the underlying data, not over its own trained knowledge; (b) require human-in-loop for Sev-1 and above; (c) preserve full reasoning traces so decisions are auditable after the fact; (d) periodic offline evaluation of AI decisions against known-outcome incidents. This works, but it requires operational discipline that a first-year AI-first SOC may not have yet.

2. Regulatory acceptance is uneven

RBI Master Direction, SEBI CSCRF, and the DPDP guidance under Sec 8 don't yet explicitly acknowledge AI-driven SOC operations. In practice, auditors have been pragmatic — an AI-first SOC with human sign-off on Sev-1 and a named senior architect on the monthly compliance report tends to pass audit. But there are BFSI CISOs who read the regulation strictly and want a fully-human SOC on the record. That's their right; it's a real cost to the AI-first model in that segment.

3. The Sev-1 trust gap

Even in mature AI-first SOCs, the human oversight burden at Sev-1 is real. If your AI agent handles 95% of L1/L2 workload but you still need a senior human to authorise anything critical, the workforce economics of your senior tier don't collapse the way marketing sometimes suggests. Well-run AI-first SOCs still have senior architects on call 24×7 with hard rota discipline. The gain is huge — but it's a workload restructuring, not a workload elimination.

4. Custom detection-rule libraries don't port cleanly

If your organisation has spent five years building a custom Splunk detection library optimised for your environment, that library represents real IP and doesn't move to an AI-first platform for free. The good news is that most AI-first platforms have decent SPL/KQL translators (Uncoder.io is the open-source workhorse) and the reasoning layer often makes about a third of your custom rules redundant. The bad news is you still spend 3-6 months of senior-analyst time on the migration, and some of your longer-tail detections stop matching cleanly.

5. Data-residency for LLM reasoning

If the reasoning layer of your AI-first SOC calls out to OpenAI or Anthropic's US-hosted APIs, and your DPDP or sectoral regulator has a data-residency constraint, you have a compliance issue. Solutions exist: Azure OpenAI in Central India for regulated workloads; on-premises open-source models (Llama 4, DeepSeek, Mistral) for the strictest cases. But it adds architectural complexity and constrains model choice. Verify your SOC vendor's reasoning-layer hosting explicitly, not just their data-storage residency.

What to do in the next 12 monthsPractical steps for CISOs, not a marketing sequence

Audit your current SIEM against the four assumption-shifts

Not "is our SIEM good" — "is our SIEM's architecture compatible with an AI-first future." Specifically: does the ingestion tier require hand-crafted parsers for every source? Is the detection engine rules-first, with UEBA as a bolt-on? Are your analyst tiers structured as L1/L2/L3, and is the L3 bottleneck getting worse? Is the vendor's pricing model per-GB-ingested? If yes to three of four, you have a strategic problem regardless of whether the SIEM is technically functional today.

Don't rip and replace — build the AI-first tier alongside

Nobody's SIEM programme survives a big-bang migration. The realistic path is: keep the existing SIEM for known-value detections and compliance reporting, layer an AI-first triage-and-response tier on top of it (drawing from the same log sources), and let the two coexist for 12-18 months while you migrate high-value detection logic and phase down the old SIEM's usage. This is how every mature customer we've seen actually does it.

Before your next SIEM renewal, do a paid PoC with an AI-first alternative

Not a demo. A 90-day paid pilot with a defined success criterion (measurable MTTA improvement, measurable false-positive reduction, measurable analyst-hour saving). If the vendor won't engage on those terms, take that as data. The AI-first vendors that will engage on those terms right now: Microsoft (Sentinel + Copilot in Central India), Palo Alto (Cortex XSIAM), and one or two of the AI-native new entrants if you're comfortable with startup-stage vendor risk. Ogma One (India-resident, our own build — pre-launch, engaging design partners now) belongs in that second category if a small-vendor bet is acceptable for the pilot.

Rebuild your operating model, not just your platform

The single most common mistake we see is customers who buy an AI-first platform and then keep their L1/L2/L3 tiered analyst team unchanged. The platform delivers 60% of its ROI when the operating model catches up — when the L1 tier becomes "AI + human oversight" instead of "junior humans triaging queue depth." This is a HR change, an org-chart change, an OKR change. Plan for it.

Re-negotiate compliance reporting cadence

Legacy SIEM's quarterly compliance-report cycle was a compromise with what the platform could produce. AI-first architecture makes monthly (or continuous) auditor-ready reporting genuinely cheap. Push your auditor / regulator on the cadence you can offer, not the cadence they used to accept. The evidence discipline improves compliance posture even before the auditor asks.

Insist on data-residency clarity in every reasoning-layer conversation

If your DPDP position requires data-in-India, that's the reasoning layer, not just the storage layer. Ask specifically where LLM inference happens for every AI-first vendor you evaluate. Azure OpenAI in Central India is available. AWS Bedrock in Mumbai is available. On-prem open-source models (Llama 4, DeepSeek) are viable for the strictest cases. Vendors who can't answer this question clearly are not ready for BFSI or public-sector engagements.

Where Ogma sitsHonest, brief, not the whole point of the article

We're building Ogma One as our own answer to what an AI-first SOC operating model should look like for Indian mid-market and enterprise buyers. It's pre-launch as of this writing — we're engaging design partners now, wide-launch is imminent. The design: priced per-GB-of-storage-per-month, with AI agents at Tier-1 and Tier-2 and a named senior architect at Tier-3 who signs every monthly compliance report. It replaces the traditional bundle of SIEM licence + MSSP retainer + separate VA + separate BAS + separate TI + separate compliance consulting with a single subscription. The pitch is not "we're cheaper" — the pitch is "we've rebuilt the operating model around AI, which is why we can deliver more capability at a lower TCO than the legacy stack even permits." If any of this sounds interesting to design-partner alongside us, get in touch.

You don't need to buy from us to internalise the argument. The shift is real, the architectural constraints on legacy vendors are real, and CISOs who work through the six steps above will end up in the right place regardless of which AI-first vendor they choose. What you should not do is renew a per-GB-priced legacy SIEM without at least paid-piloting one AI-first alternative first. That single discipline will save many organisations from a five-year sunk cost they don't need to pay.

Want a 30-minute AI-first SOC architecture review?

We'll audit your current SIEM against the four architectural assumptions, map your existing stack, and give you a written go/no-go on whether an AI-first migration is worth starting this quarter. No obligation, no obligation to pick Ogma.

Book a review +91 80 0979 0979 · [email protected]

Common questionsFAQ

Is legacy SIEM actually dying, or is this just marketing narrative?

Neither, honestly. Legacy SIEM is not dying in the near term — mature Splunk / QRadar / FortiSIEM deployments are running fine and will continue to for years. What's happening is that new SIEM buyer decisions are increasingly going to AI-first alternatives, and the aggregate revenue curve for legacy pure-play SIEM has flattened or begun declining depending on the vendor. Splunk under Cisco has been the most-watched case — the acquisition price and Cisco's roadmap suggest they see it as a data platform play, not a stand-alone SIEM future. Draw your own conclusions from the M&A pattern.

Can I bolt an AI layer onto my existing Splunk / QRadar / FortiSIEM and get the benefits?

Partially. You'll get Tier-3 (chatbot-style investigation aid) and some of Tier-4 (SOAR-adjacent playbook drafting) benefit. What you won't get is Tier-1 (semantic ingest) or Tier-2 (reasoning-based detection) benefit, because those live in the platform architecture, not on top of it. The realistic ROI ceiling of "AI on top of legacy SIEM" is maybe 20-30% of the ROI ceiling of AI-first architecture. It's still worth pursuing — just don't confuse it with the full transition.

What does AI-first SOC pricing actually look like for a mid-market Indian enterprise?

Depends on log volume and retention. Our Ogma One rate card (disclosure: our own build, pre-launch) is priced per-GB-of-storage-per-month, with an archive tier at roughly two-thirds of the live tier. Most mid-market Standard-tier scenarios model at 30-60% below the total cost of an equivalent legacy MSSP + SIEM licence bundle for the same scope. AI-first vendors in general are pricing in that same range while including more capability.

What's the biggest risk of moving to AI-first SOC operations too early?

Analyst-team disruption without operating-model catch-up. If you replace your L1 team with AI agents but keep your L2 and L3 org charts unchanged, you get about 30% of the ROI and a lot of disgruntled senior analysts wondering what their careers look like. AI-first SOC only works if the operating model, career paths, and OKR structure change alongside the platform. That's a 6-12 month change-management programme, not a platform switch.

Does AI-first SOC pass regulatory audit for BFSI in India?

In our experience — yes, with the caveat that you need to structure the human-in-loop model right. RBI Master Direction and SEBI CSCRF don't yet explicitly acknowledge AI-driven SOC. Auditors have been pragmatic: if you have a named senior architect who reviews and signs every Sev-1 escalation and every monthly compliance report, and a documented trail of AI-agent decisions, that clears audit at every BFSI customer we've worked with. Some strict-interpretation CISOs will still want a fully-human SOC on record; that's a legitimate choice, but it comes at a real cost delta.

Where does data residency actually get complicated for AI-first SOC?

The reasoning layer, not the storage layer. If your LLM inference is happening in a US-hosted OpenAI or Anthropic API, and your DPDP or sectoral regulator has data-in-India requirements, you have a compliance issue. Solutions: Azure OpenAI in Central India, AWS Bedrock in Mumbai, on-prem open-source models (Llama 4, DeepSeek) for the strictest cases. Ask every AI-first SOC vendor exactly where their inference layer runs — not just their storage layer.

What's the timeline for legacy SIEM vendors to catch up?

Microsoft is already there for Sentinel Copilot users in Central India. Fortinet's FortiSIEM Cloud + FortiAI-Assist is closest among traditional vendors — I'd expect within 12-18 months to be genuinely competitive at Tiers 3 and 4, still constrained at Tiers 1 and 2. Splunk under Cisco has resources but is fighting the most structural constraint — realistic timeline 24-36 months. IBM's QRadar path is unclear. LogRhythm/Exabeam merger is a rescue play; watch for further consolidation. My directional bet: 24 months from now, half the vendors in the "structurally exposed" category above will have been rolled up or absorbed.

If I'm renewing my SIEM this quarter, what should I do differently?

Three things. (1) Ask the incumbent vendor what their AI-first architecture roadmap looks like — specifically at each of the five SOC tiers, not just "we're investing in AI." (2) Do a 90-day paid pilot with at least one AI-first alternative — Microsoft Sentinel + Copilot, Palo Alto Cortex XSIAM, or Ogma One. (3) Insist on a one-year renewal, not three-year, until you've completed the pilot. The renewal-cycle bet is the single most consequential decision most CISOs will make in the next 12 months in this space.

Stay ahead of cyber threats

One short email a week — curated Indian cybersecurity news, Fortinet releases, DPDPA updates. No fluff.


Cato Firewall as a Service
Cato ZTNA — Zero Trust Network Access
Cato SASE Solution