Decoupled SIEM: Where I Think We Are Now? | Anton Chuvakin

Actionable Insights for CISOs

1. Evaluate the Viability of Decoupled SIEM Architectures

While decoupled SIEMs offer flexibility by separating data collection, storage, and threat detection, they may introduce complexity and integration challenges. Assess whether your organization has the engineering resources and expertise to manage such a modular approach effectively.

2. Consider the Benefits of Integrated SIEM Solutions

Integrated SIEM platforms, which bundle data collection, storage, and detection capabilities, can simplify management and reduce integration overhead. For organizations with limited resources or those seeking streamlined operations, this approach may be more practical.

3. Leverage AI to Enhance SIEM Capabilities

Incorporating AI agents into your SIEM strategy can automate threat detection and response, improving efficiency and reducing manual workload. However, ensure that your AI tools are compatible with your chosen SIEM architecture and can handle the complexities of federated log searches if applicable.

4. Assess Compliance and Data Sovereignty Requirements

Decoupled SIEM architectures, especially those that rely on federated log search, can make retention and audit obligations harder to meet: a federated search queries logs where they live, so anything the source has already rotated out, or cannot serve at query time, can no longer be produced for an auditor or an investigation. Evaluate your regulatory retention and data-residency obligations before committing to a decentralized approach.

5. Plan for Future Scalability

As your organization's security needs grow, ensure that your SIEM solution can scale accordingly. Integrated SIEM platforms often offer more straightforward scalability, while decoupled systems may require additional engineering effort to expand effectively.


About Author:

Dr. Anton Chuvakin is a leading voice in cybersecurity, currently driving security solution strategy at Google Cloud following its acquisition of Chronicle Security. Widely recognized for his pioneering work in SIEM, log management, and threat detection, he is credited with coining the term “EDR” (Endpoint Detection and Response).

Before joining Google, Anton served as Research VP and Distinguished Analyst at Gartner, where he guided enterprise security leaders on detection, response, and operational strategy. He has co-authored several influential books, including Security Warrior, PCI Compliance, and Logging and Log Management, and his early blog, securitywarrior.org, was among the most-read in the industry.


Now, let’s hear directly from Dr. Anton Chuvakin on this subject:

In the world of security operations, there is a growing fascination with the concept of a “decoupled SIEM,” where detection, reporting, workflows, data storage, parsing (sometimes) and collection are separated into distinct components, some sold by different vendors.

Closely related to this is the idea of federated log search, which allows data to be queried on demand from various locations without first centralizing it in a single system.

When you combine these two trends with the emergence of AI agents and the “AI SOC,” a compelling vision appears — one where many of security operations’ biggest troubles are solved in an elegant and highly automated fashion. Magic!


Magical decoupled SIEM + magical federated log search + magical AI agents 90X the magic

(Is my math mathing? Cheap + good + fast + AI powered … pick any …ehh… I digress!)

However, a look at the market reveals a conflicting — dare I say opposite — trend. Many organizations are actively choosing the very opposite approach: tightly integrated platforms where search, dashboards, detection, data collection, and AI capabilities are bundled together — and additional things are added on top (such as EDR).

Let’s call this “EDR-ized SIEM” or “SIEM with XDR-inspired elements” (for those who think they can define XDR) or “supercoupled SIEM” (but this last one is a bit of a mouthful...).

While some suggest this is a split between large enterprises choosing disaggregated stacks and smaller companies opting for closer integration, this doesn’t fully capture the success rates of these different models (one is successful and another is, well, also successful but at a very small number of extra-large, engineering-heavy organizations).

If one were to take a contrarian view (as I will in this post!), it might be that the decoupled and federated approach, with or without AI agents, is destined to be a secondary, auxiliary path in the evolution of SIEM. 

This isn’t a nostalgic vote for outdated, 1990s-era ideas (“gimme a 1U SIEM appliance with MySQL embedded!”), but rather a realistic assessment based on past lessons, such as the niche fascination with security data science.

Many years ago (2012), while at Gartner, I wrote a notorious “Big Analytics for Security: A Harbinger or An Outlier?” (archive, repost), and it is now very clear that the late-2000s/early-2010s security data science “successes” remained a tiny micro-minority of examples. A trend can be emergent, growing tenfold from a tiny base of 0.01% of companies, yet still only reach 0.1% of the market — making it an outlier, not a harbinger of the mainstream future.

Ultimately, the evidence suggests that a decoupled, federated architecture will not form the basis of the typical SIEM of 2027. Instead, the centralized platform model, enhanced and supercharged by AI, will reign supreme (and, yes, it will also include some auxiliary decentralized elements as needed, think of it as “90% centralized / 10% federated SIEM” — a better model for the future).

My conclusion:

  1. SIEM has a future! If you hate SIEM so much that you … rename it, then, well, SIEM still has a future (hi XDR!)
  2. Decoupled SIEM and federated log search belong in the future of SIEM.
  3. However, decoupled SIEM and federated log search (In My NSHO) are not THE future of SIEM.
  4. I think this because both are just too damn messy for many clients to make them work well. They also fail many compliance tests (well, the federated part, not the decoupled)
  5. AI and AI agents are a very big part of the SIEM future. However, AI agents do not make decoupled SIEM and federated log search less messy enough (“I didn’t save any logs from X, hey AI agent .. get me logs from X” does not work IRL)


Put another way:

The Romantic Ideal: The theory is that scalable data platforms and specialized threat analysis are dramatically different, so they should be handled by specialists, and modern APIs should make connecting them “easy.” Magic!

The Real Reality: A natively designed, single-vendor, integrated SIEM is inherently simpler and easier to manage and support than a multi-component stack you have to assemble “at home.” It is also faster! AI integrated inside it just works better. With decoupling, you also lose the benefit of having a “single face to scream at” when things break. Reality!


By Anton Chuvakin (Office of the CISO, Google Cloud)

Original Link to the Blog: Click Here
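The post above describes federated log search (query the data where it lives instead of centralizing it first) and names its failure mode: logs a source never retained cannot be fetched later, by a human or by an AI agent. The following is an added illustration, not code from the post or from any SIEM product. It models a federated search that fans a query out to several sources, each with its own retention window and availability, and the same query against a central store that ingested the events as they happened. Every source name, retention period and log line is constructed; retention is modelled as "the source can only answer for the last N days".

```python
"""Federated search versus central retention, on constructed data.

Added example, not code from Anton Chuvakin's post or from any SIEM product.
Source names, retention periods and all log lines below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)   # fixed clock for the example


def days_ago(n):
    return NOW - timedelta(days=n)


@dataclass
class LogSource:
    name: str
    retention: timedelta          # how far back this source can still answer
    events: list                  # (timestamp, raw line) pairs, constructed
    online: bool = True           # False: unreachable at query time


# Constructed sources. The 45-day EDR line and the 20-day firewall line have
# already rotated out of their sources; the SaaS audit API is down when we ask.
SOURCES = [
    LogSource("edr", timedelta(days=30), [
        (days_ago(2),  "login success user=alice host=ws01"),
        (days_ago(10), "login failure user=bob host=ws02"),
        (days_ago(45), "login success user=carol host=ws03"),
    ]),
    LogSource("firewall", timedelta(days=7), [
        (days_ago(1),  "deny src=10.0.0.5 dst=203.0.113.9"),
        (days_ago(3),  "login admin from 10.0.0.7"),
        (days_ago(20), "login admin from 198.51.100.4"),
    ]),
    LogSource("saas_audit", timedelta(days=90), [
        (days_ago(5),  "login user=dave app=crm"),
    ], online=False),
]


def federated_search(sources, start, end, needle):
    """Fan the query out to each source; return (hits, gaps).

    gaps lists every (source, reason, from, to) span the answer does NOT
    cover. A federated search that does not report these lies by omission.
    """
    hits, gaps = [], []
    for src in sources:
        if not src.online:
            gaps.append((src.name, "unreachable", start, end))
            continue
        oldest = NOW - src.retention
        if start < oldest:
            gaps.append((src.name, "rotated", start, min(oldest, end)))
        for ts, line in src.events:
            if ts < oldest:
                continue                      # the source no longer holds it
            if start <= ts <= end and needle in line:
                hits.append((src.name, ts, line))
    return sorted(hits, key=lambda h: h[1]), gaps


def ingest(sources, retention=timedelta(days=365)):
    """Central store: events were copied in when they happened, i.e. before
    the source rotated them or went offline, so only central retention applies."""
    oldest = NOW - retention
    return [(s.name, ts, line) for s in sources
            for ts, line in s.events if ts >= oldest]


def central_search(store, start, end, needle):
    return sorted((h for h in store if start <= h[1] <= end and needle in h[2]),
                  key=lambda h: h[1])


def coverage_complete(gaps):
    return not gaps


def demo(window_days=60, needle="login"):
    """Run the same query both ways over the last window_days days."""
    start, end = days_ago(window_days), NOW
    fed_hits, gaps = federated_search(SOURCES, start, end, needle)
    central_hits = central_search(ingest(SOURCES), start, end, needle)
    return {"federated": len(fed_hits), "central": len(central_hits),
            "gaps": gaps, "complete": coverage_complete(gaps)}


if __name__ == "__main__":
    r = demo()
    print(f"federated hits: {r['federated']}  central hits: {r['central']}")
    for name, reason, frm, to in r["gaps"]:
        print(f"  gap: {name:<10} {reason:<11} {frm.date()} .. {to.date()}")
```

Over a 60-day window the federated query returns three hits and three coverage gaps, while the central store answers with six, because it kept what the firewall and EDR have since rotated and what the offline SaaS API cannot serve. The `gaps` list is the part that matters operationally: an investigation, an auditor, or an AI agent handed the federated result needs it to know the answer is partial, and nothing in the gap can be recovered after the fact.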
