Group Purchasing
Group Purchasing

SANS 2024 Detection and Response Survey

SANS 2024 Detection and Response Survey (PDF, 2.05MB)Published: 19 Nov, 2024
Created by:
Josh Lemon
Josh Lemon

The SANS 2024 Detection and Response Survey, published by SANS Institute in November 2024, measured how organizations detect and respond to cyber threats in their first year running this survey. The survey drew on responses from nearly 400 security professionals worldwide, covering threat detection tooling, automation, cloud security, staffing, budget, and metrics.

Key findings:

  • Only 16% of organizations have fully automated their response processes
  • 91% of respondents are still relying on manual or semi-automated response systems
  • Despite widespread automation efforts, 66% of organizations still use manual monitoring for threat detection
  • 59% cite a lack of skilled personnel as their top obstacle to implementing automation
  • Only 22% rate AI/ML-based detection tools as extremely effective, while 21% find them ineffective
  • 47% of organizations rank budget constraints as their top obstacle in detection and response
  • 42% describe their detection and response budget as adequate but limited, and 22% call it insufficient
  • Organizations are evenly split on team structure: 48% use separate specialized teams, 48% use a single integrated team
  • 64% of respondents identify false positives as a major detection challenge
  • 41% can respond to confirmed threats within minutes, but 12% take a day or longer
  • Only 23% of organizations regularly benchmark their detection performance against industry standards
  • 67% plan to expand their use of AI and machine learning for threat detection and response

The findings point to a persistent gap between automation ambition and operational reality: organizations are investing heavily in tools and planning to expand AI and ML use, yet nearly all still depend on human intervention somewhere in the response chain. Budget constraints and a shortage of skilled personnel are the two forces most often cited as slowing that transition, and the near-even split on team structure suggests the industry has not converged on a single best model for organizing detection and response work. Respondents came primarily from the cybersecurity, banking and finance, government, and education sectors, spanning organizations from fewer than 1,000 employees to more than 50,000, with roles ranging from incident responders and SOC analysts to security managers and directors.

FAQ

Meet the expert

Josh Lemon
Josh Lemon

Josh Lemon

Principal Instructor

Josh leads global MDR at Uptycs, defending major international brands, while also serving as an independent DFIR expert advising legal, government, and commercial clients in Australia.

Read more about Josh Lemon