Critical Capabilities for Security Information and Event Management

13 October 2025 - ID G00822920 - 47 min read
By Eric Ahlm, Andrew Davies, and 2 more
SIEM technology provides a configurable capability to achieve threat detection, investigation and response (TDIR) outcomes, serve as a system of record, and support compliance and governance mandates. Cybersecurity leaders with identified requirements and use cases for SIEM implementation can evaluate the critical capabilities that best align to those use case requirements.

Overview


Key Findings

  • Despite rumors of its demise, the security information and event management (SIEM) market continues to support requirements for TDIR initiatives, support SaaS and cloud environments and improve security outcomes.
  • The SIEM market itself has experienced major shifts in the last year, including vendors exiting the market, mergers and acquisitions, and first-time entrants into the SIEM market.
  • The pace of innovation among SIEM vendors has been high and has diversified as the field of vendors experiments with new areas of differentiation. SIEM vendors have innovated on converged TDIR capabilities that include SIEM and extended detection and response (XDR) functionality, more exposure management integrations and expanded use of AI for augmentation.
  • Larger and more mature organizations require data management functionality to aid in cost control for large-scale data ingestion and federated architectures.

Recommendations

Cybersecurity leaders responsible for security operations must:
  • Identify the key features and capabilities for a vendor that best suits their organizational needs as a one-size SIEM does not fit the needs of every client. Many of the SIEM vendors are diverging toward best supporting the specialized needs of organizations with different sizes and levels of maturity.
  • Evaluate a vendor’s ability to reduce the complexity of ongoing TDIR operations. Vendors offer varying ways to reduce complexity such as workflow augmentation powered by automation and AI techniques, as well as SIEM solutions that are part of a larger security ecosystem provided by the same vendor.
  • Evaluate your SIEM vendor’s ability to reduce data ingest volume without impacting capability. Many SIEM vendors offer a variety of methods to help better manage security telemetry ingestion such as use of embedded or optional telemetry management solutions, different storage tiers based on data usage or use of federated or distributed search options.
  • Choose an SIEM platform that best suits your cloud adoption strategy, which often is provided by the cloud vendors themselves as an integrated part of the overall cloud environment.

What You Need to Know


At its heart, the definition of an SIEM hasn’t changed, but the adjacent and integrated capabilities that enhance SIEM utilization and make it operate as a central security operations platform are evolving rapidly and are in a constant state of flux, challenging what an SIEM might become. Buyers need to focus more on desired outcomes to evaluate which criteria are most important to them while considering market options.
The core purpose of an SIEM remains stable: to provide TDIR functionality by ingesting security signals and analyzing data to produce detections, and to support the workflow of all the functions therein so that the outcomes necessary for response, compliance and reporting requirements can be obtained. The market evolution is more apparent in the supporting factors around obtaining TDIR outcomes. This is specifically the case when it comes to how to reduce the complexity of operations, how to better manage data ingestion and cost, and how to best interoperate with cloud environments.
Despite vendor claims, security operations continue to be complex. However, there are vendor innovations that promise to reduce some of the burden of operations. There are two competing schools of thought on how best to reduce complexity. Some vendors produce an SIEM that is part of a larger ecosystem of TDIR products also offered by the same vendor. The vendor-provided integrations, dependency management and focus on outcomes can deliver some complexity reduction. Other vendors are investing more in the incorporation of AI and automation to augment workflows performed by human operators, thereby reducing complexity.
Security buyers managing large-scale data ingestion to support security use cases are often more concerned with better data management options that promise to offload data ingestion from the SIEM to more cost-effective storage and analytic options. Some SIEM vendors offer flexible options for data ingestion that allow the buyer to decide what data goes to the SIEM for the outcomes they desire and utilize lower-cost options for less strategic functions without the need for an external telemetry pipeline solution.
Organizations that are supporting their senior management’s decision to embrace a cloud-first strategy or other strategic investments with a cloud provider often prioritize criteria for an SIEM that best supports their cloud strategy. Vendors here are often both cloud providers and SIEM providers, often promising tight integrations with their cloud environments for simplified operations, as well as financial incentives to choose their SIEM as part of their bundled licensing agreements.
Buyers should consider vendor evaluations that not only compare the feature and TDIR performance, but also the vendor’s ability to meet their promise on the delivery of the overall outcome, such as complexity reduction, better cost management or tighter cloud integration.

Analysis


Critical Capabilities Use-Case Graphics

Figure 1: Vendors’ Product Scores for Out-of-the-Box SIEM Use Case
17 providers are ranked on a 1 to 5 scale according to how well their offerings meet the needs of Out-of-the-Box SIEM Use Case in Security Information and Event Management, as of 31 December 2024. This allows comparison across a set of critical differentiators.
Figure 2: Vendors’ Product Scores for Customizable SIEM Use Case
17 providers are ranked on a 1 to 5 scale according to how well their offerings meet the needs of Customizable SIEM Use Case in Security Information and Event Management, as of 31 December 2024. This allows comparison across a set of critical differentiators.
Figure 3: Vendors’ Product Scores for Threat Detection, Investigation and Response Use Case
17 providers are ranked on a 1 to 5 scale according to how well their offerings meet the needs of Threat Detection, Investigation and Response Use Case in Security Information and Event Management, as of 31 December 2024. This allows comparison across a set of critical differentiators.

Vendors

CrowdStrike

CrowdStrike’s SIEM product, known as Falcon Next-Gen SIEM, is offered as a SaaS solution, as well as an on-premises or SaaS log management solution, known as Falcon LogScale. CrowdStrike is new to the SIEM market, and its product offers flexible data retention models ranging from 30 days to 60 months. Falcon Next-Gen SIEM also includes automation and orchestration capabilities and can be managed by CrowdStrike’s Falcon services.
Notable features include:
  • CrowdStrike’s UI offers a simplified experience and focuses on complexity reduction of common tasks associated with TDIR activities.
  • CrowdStrike’s use of its Charlotte AI and automation shows demonstrable gains in workflow augmentation with features like AI-powered alert enrichment and attack timeline generation.
  • For existing CrowdStrike customers already using its other TDIR solutions, CrowdStrike’s SIEM can provide a unified view into threats out of the box.
CrowdStrike performed best in the out-of-the-box use case due to its application of Charlotte AI, automation and integrations into other CrowdStrike TDIR products. Organizations that plan to use Falcon Next-Gen SIEM as a stand-alone SIEM replacement should carefully evaluate the depth of integrations with non-CrowdStrike solutions, such as endpoint detection and response (EDR) and identity protection, to ensure coverage.
Datadog

Datadog Cloud SIEM is Datadog’s SIEM offering. It is part of its Threat Management suite of tools and is available as a SaaS solution, with some components, such as its Observability Pipelines, being enabled for on-premises deployments. Clients using this solution can expect streamlined playbook testing, as well as new correlation or rule creation, with added customization being available for alert tuning.
Notable enhancements include:
  • Datadog’s flexible data collection methods and pricing support converged monitoring of both security and observability on its platform.
  • Datadog’s integrations into external data sources, such as third-party data lakes and cloud environments, allow users to extend their investigations within their platform without having to incur data ingestion on the SIEM.
  • Datadog’s query and investigation features allow for robust functions such as lookbacks, advanced analytics and investigation case support.
Datadog Cloud SIEM’s strongest use case is its ability to support a customized SIEM. Its flexible architecture for both security and observability monitoring and its support of third-party data lakes and cloud environments were key contributors. Datadog’s scores were lower for its ability to support more complex behavioral detection use cases and to tune false positives.
Elastic

Elastic’s SIEM, known as Elastic SIEM, is part of its Elastic Security suite and is available for on-premises and cloud-native deployments and as a SaaS offering on Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure. Elastic SIEM is known for a positive user experience (UX) and has also introduced a new AI migration tool, which facilitates smooth onboarding for new customers coming from other SIEM platforms. Elastic’s product primarily caters to larger enterprises looking to take full advantage of its advanced querying capabilities and analytics.
Notable enhancements include:
  • Elastic continues to enhance its query ability based on its ES|QL language. It allows for simplified queries, detailed investigations, alert enrichment and threat hunting capabilities.
  • Elastic’s UI is designed to meet the needs of enterprise security teams. It provides high degrees of customization for role-based dashboards as well as visualization for security outcomes or other custom monitoring objectives.
  • Elastic’s add-on components are enhanced this year with its partnership with Tines for automation, as well as some AI-powered use cases, such as parsing and alert enhancement.
Elastic’s strongest use case is its ability to support TDIR due to the platform’s support for flexible architectures and data collection. Elastic’s mature UI simplifies tasks such as building advanced queries and supporting investigation handling. Its data collection method can make good use of external data sources for extending investigations, and its architecture supports a wide range of deployment options, including a federated data mesh, on-premises and SaaS. Elastic’s automation has improved with its Tines partnership. Elastic still scored lower in areas such as out-of-the-box reporting content.
Exabeam

Since completing its merger with LogRhythm in July 2024, Exabeam has a portfolio composed of two platforms: New-Scale SIEM, featuring cloud-native SIEM products, and LogRhythm SIEM (which was not evaluated as part of this research), a self-hosted SIEM that can be deployed on-premises. Exabeam New-Scale SIEM offers powerful behavioral and correlation rule creation capabilities, enabling security teams to tailor detection logic to their needs. In addition, its comprehensive workflow for testing new playbooks, now enhanced with recently added multiorganizational support, ensures organizations can efficiently adapt and scale their security operations across complex environments.
Notable enhancements include:
  • Exabeam continues to enhance features like risk-based scoring, UEBA and machine learning capabilities for the tuning and creation of correlation rules to help simplify operations, as well as Exabeam Copilot (now named Exabeam Nova), which uses generative AI to support natural language search and dashboards and helps analysts with automated Exabeam Security Explainers.
  • Exabeam’s marketplace has been expanded to offer a wide range of content, including role-based dashboards, insider threat profiles and timely correlation rules for common attack types.
  • Exabeam offers support for third-party data analysis, which helps provide more detailed insights without ingesting data into the SIEM.
The Exabeam New-Scale Platform is well rounded with capabilities that support all three of our weighted use cases. Exabeam’s content on their marketplace helps enterprises quickly get to value, especially for the use of advanced analytics. Extending threat detection through integrations into third-party data sources helps enterprises customize detections by utilizing extended content without having to ingest data directly into the SIEM. Although Exabeam has directly integrated AI functionality into areas such as threat scoring and report summarization on its SIEM, its scores were lower for add-on components due to the limited application of AI into broader use cases.
Fortinet

Fortinet’s SIEM solution is FortiSIEM, which is available as an on-premises, cloud or SaaS solution. FortiSIEM, as part of its core package, includes a built-in configuration management database (CMDB) that provides a centralized repository for asset, application and user information. The platform also features decentralized searching capabilities and a flexible playbook interface, enabling organizations to efficiently manage investigations and automate response workflows.
Notable enhancements include:
  • FortiSIEM has improved its UX with enhancements such as expanded case management, which allows for improved collaborative workflow of investigations.
  • FortiSIEM supports querying and displaying live data from third-party systems such as data lakes, AWS and ODBC connections, allowing for expanded distributed data integration.
  • Fortinet has extended its TDIR platform capabilities by integrating other solutions in its suite, such as FortiDLP, FortiMail Workspace Security and FortiGuard Labs. These solutions allow for more sources of context that enhance detections.
FortiSIEM’s strongest use case was for a customizable SIEM. FortiSIEM’s tight integrations with other Fortinet products contributed to its scoring as a customizable SIEM, as did its wide range of third-party integrations. Although FortiAI does add some noticeable improvements, FortiSIEM scored lower in add-on components due to its lack of broad use case support for AI augmentation.
Google

Google Security Operations, with its integrated SIEM, SOAR and Threat Intelligence offered as a SaaS platform, is part of its security ecosystem. Google has expanded its broader suite of security tools through acquisition, adding more support for threat intelligence and cloud visibility. Google has also incorporated Gemini AI into its SIEM, enhancing the UX and add-on capabilities to help augment SIEM operations.
Notable enhancements include:
  • Google has expanded its unified data model, which extends its ability to perform advanced and complex queries using the YARA-L language, allowing users to gain insights from security data.
  • Google has extended its architectural capabilities, supporting both federated and multitenant deployment models, allowing for complex distributed deployment models.
  • Google’s Security Operations platform offers best-in-class embedded AI functionality powered by Gemini AI for many of the common activities and functions associated with SOC activities at the appropriate licensing tiers.
While Google scored well in all three use cases, it scored highest on its capabilities to support a customizable SIEM. The ability to support third-party data ingestion, federated deployments and multitenancy management gives Google Security Operations appeal to larger or highly complex organizations. The platform’s practical use of both automation and Gemini AI offers enterprises native workflow augmentation capabilities. Although Google provides analytic capabilities, it scored lower due to missing support for advanced use cases and false positive tunability.
Graylog

Graylog’s SIEM offering is Graylog Security and is available as SaaS or as a self-hosted solution, with the majority of clients opting for the latter, either as an on-premises setup or in their own private cloud environment. Users of the tooling can expect easy-to-use dashboards, with customization and filters that can be applied to a selection of available widgets. Risk-based reporting and enhanced UEBA functionality driven by machine learning are also part of its enhancements.
Notable enhancements include:
  • Graylog has enhanced its usability by adding a wizard functionality for creating queries, building active monitoring or developing correlation rules.
  • Graylog’s risk-based alerting helps analysts better prioritize alerts and enhances anomaly detection.
  • Graylog has simplified its licensing for features and data ingestion, which helps organizations more easily understand the product’s value and cost.
Graylog scored higher for its TDIR experience for SIEM users. Its integration abilities help reduce the time required to ingest data sources, and its content marketplace helps speed up the time required to produce meaningful signals from the data. Also notable is its guided analyst experience through query building, investigation, case creation and development of active monitoring and correlation rules that improves the OOTB experience for users. Graylog scored lower for compatibility, with features such as automation and AI showing current limitations for augmenting a wider range of workflows.
Gurucul

Gurucul’s SIEM, called the Gurucul Next-Gen SIEM, is available in the form of SaaS, cloud-hosted or on-premises packages. Gurucul Next-Gen SIEM offers custom parser/pipeline building that is further enhanced by leveraging AI capabilities, as well as a streamlined approach to the tuning of false positives.
Notable enhancements include:
  • Gurucul has enhanced its UEBA to support more advanced use cases for insider threat objectives and incorporated AI to help build custom behavior-based detections.
  • Gurucul’s native data pipeline management, Gurucul Data Optimizer, brings advanced data management capabilities to its offering. It allows users to do granular filtering, routing and integration with external and lower-cost data repositories for various use cases, which can help control SIEM costing.
  • Gurucul has improved its add-on components, offering enhanced automation with its SOAR capabilities and using AI to improve operations on many common SIEM activities.
Gurucul ranked best in its out-of-the-box capabilities. Its OOTB score can be attributed to its rich content libraries, native threat intelligence and use of AI to simplify some onboarding tasks and investigations. Gurucul scored lower on its UI capabilities because features like case management and custom dashboard creation lack advanced functionality.
Huawei

Huawei’s SIEM is offered as SecMaster and HiSec Insight and is available in SaaS, cloud and on-premises options. Huawei also offers monthly billing for these services, which is rare in the SIEM space. SecMaster includes native threat intelligence, enriching incidents through threat modeling and kill chain mapping. The SecMaster dashboard allows for detailed customization options, which map to relevant user roles, and it has improved its third-party integrations.
Notable enhancements include:
  • Huawei’s SIEM has shown improvement in customization capabilities, such as customizable dashboards, use of native threat intelligence for enrichment and improved third-party support.
  • Huawei has improved add-on components. Notable add-ons include the use of AI for use cases such as natural language query, suggestive automation, alert enrichment and attack path analysis.
  • Huawei’s automation capabilities have improved with enhancements to its SOAR capabilities, which allow for simplified playbook creation, debugging capabilities and integrations into investigation and case management.
Huawei scores highest for its out-of-the-box experience. Huawei has enhanced its third-party compatibility and integration support, which in combination with its expanded content marketplace aids in its customization abilities. Huawei’s incorporation of AI into its SIEM covers a wide range of common tasks, improving its out-of-the-box experience for users. Huawei’s scores for its UX, as well as for its query creation and investigation, were lower.
ManageEngine

ManageEngine’s SIEM offering is Log360, which is available for SaaS, cloud and on-premises deployments. Log360 includes traditional SIEM log management and monitoring capabilities as part of the standard package. Log360 has a strong focus on false positive reduction primarily through a unified security platform approach and customizable and tailored analytics.
Besides the SIEM tool, Log360 includes security products such as EventLog Analyzer, ADAudit Plus, Cloud Security Plus, DataSecurity Plus and FileAnalysis. Add-on functionality, such as advanced threat analytics, UEBA and Active Directory reporting, is available at an extra cost.
Notable enhancements include:
  • ManageEngine’s compatibility is enhanced, allowing for more third-party support and integrations with a number of complementary products from ManageEngine that can extend its monitoring capabilities.
  • ManageEngine’s architecture offers a wide range of deployment options that support on-premises environments, as well as cloud and SaaS solutions that can address various types of distributed monitoring requirements.
  • ManageEngine’s integrated compliance reporting capability is enhanced with AD change auditing, cloud security monitoring, threat detection and incident management modules and support for multiple compliance standards.
ManageEngine scores higher on its architecture and deployment options. ManageEngine lags in bidirectional API integration with third-party tools, as well as a variety of add-on components. ManageEngine’s SIEM depends on third-party connectors for EDR/network detection and response (NDR) functions and is unable to affect responses in these platforms from the Log360 interface.
Microsoft

Microsoft Sentinel is Microsoft’s cloud-native SIEM, offered through Azure cloud services. Access to Microsoft Sentinel can be purchased directly in Microsoft Azure or through many of Microsoft’s licensing programs. Microsoft Sentinel comes with 90 days’ worth of interactive data retention, with the option to extend to two years and include archived state storage for as long as seven years.
Notable enhancements include:
  • Microsoft continues to expand its ecosystem, offering out-of-the-box integrations with its own offerings such as CASB, SOAR and UEBA. Onboarding these is straightforward with the use of Microsoft’s codeless connectors and data normalization capabilities.
  • Microsoft has improved its available content for reports and detection models, allowing users to easily customize them for their own needs. Its improvements in available dashboards and other enterprise content aid in simplifying operations.
  • Native threat intelligence has improved. The Microsoft Sentinel threat intelligence dashboard provides a fully customizable canvas for reporting on the health and performance of TI.
Microsoft Sentinel scores higher for its OOTB user experience. Its flexible content for reports and detection models intuitively supports requirements from users who are already using other supporting Microsoft security products. The extended integrations of other Microsoft security products into Microsoft Sentinel provide excellent cross-product collaboration toward security outcomes. Microsoft’s UI has limited support for creating advanced reporting and dashboards and tuning false positives without the use of Kusto Query Language (KQL) and/or the use of Microsoft Copilot to create the KQL from natural language.
Palo Alto Networks

Palo Alto Networks’ (PAN’s) SIEM is Cortex XSIAM, and it is offered exclusively as a SaaS solution built on Google Cloud Platform. Cortex XSIAM comes with a comprehensive playbook that includes creation and testing, offering its clients varied options for automation in incident response, with a marketplace that helps map playbooks to certain objectives. Cortex XSIAM also recently integrated attack surface management (ASM) and large-scale analytics into the platform.
Notable enhancements include:
  • PAN’s built-in automation for SIEM workflows provides rich development and debugging tools and offers tight integration into common workflows associated with SIEM management.
  • PAN offers an in-depth case and incident management functionality. Investigators can measure response times, assign tasks and collaborate with a broader team working on incidents within the platform leveraging their war room capability.
  • PAN has created integrations between Cortex XSIAM and other tools within the Cortex security operations suite, in addition to its network and cloud product suites. This offers organizations already invested in PAN’s technologies a simplified onboarding and operational experience.
XSIAM’s OOTB experience is notable for its extensive content for a wide range of third-party technologies. For organizations using other PAN technologies, XSIAM’s OOTB experience is further enhanced with cross-product integrations designed to improve TDIR functionality. PAN scores lower on data collection components because its capabilities to integrate with custom log sources require the use of regular expressions and manual mapping without any support from the interface or AI.
QAX

QAX’s NGSOC SIEM solution is part of its SOC offering and includes Threat Detection, Analysis Center, Response Center, Asset Center, Statistic Report, Dashboard, System Management and Situation Awareness as part of the core subscription. The platform is available as on-premises, SaaS or cloud delivery models and has optional paid UEBA and SOAR add-ons. QAX’s SIEM has a proprietary streaming analysis engine, SABRE, which streamlines searching hot data through the use of different query languages. Additionally, security incidents can be mapped to both the Lockheed Martin Cyber Kill Chain and MITRE ATT&CK frameworks.
Notable enhancements include:
  • TDIR functionality is improved on NGSOC through product features, such as attack path mapping, as well as its directly offered managed detection and response services.
  • QAX SIEM has continued to improve a robust platform for logging and analytics and integrates UEBA, AI assistance and workflow/case management all under the same UI.
  • QAX SIEM dashboards improved their user friendliness for customizations. Logging, correlation and automation use low- to no-code solutions that are much easier for analysts to view and understand.

QAX’s strongest use case is for its broad range of add-on components and additional services offerings, including a managed detection and response service delivered using the platform. QAX also has a good use case for its customizable SIEM user experience. QAX scored low on external decentralized search capabilities.
Rapid7

Rapid7’s offering is called InsightIDR. It runs on the Rapid7 Command Platform and is offered in three different tiers: Essentials, Advanced and Ultimate. The Essentials tier offers traditional SIEM functionality. Advanced adds UEBA, EDR and automation capabilities. Ultimate provides enhanced telemetry and analysis, as well as unlimited SOAR usage. Searchable data for 13 months is included in all tiers. Rapid7’s other integrated products are also available for SOC, such as vulnerability management (InsightVM), cloud security (InsightCloudSec), automation (InsightConnect) and application security (InsightAppSec).
Notable enhancements include:
  • Rapid7 has extended its customization capabilities, focusing on better supporting workflows for specific roles, such as security engineers and SOC analysts.
  • Rapid7 has expanded its integration capabilities within its own suite of products. Integrations include InsightVM, which provides vulnerability management, and InsightIDR, which has EDR, UEBA and network detection and response (NDR) capabilities.
  • Rapid7 UX helps provide a simplified experience with enhancements in query and detection rule creation.
InsightIDR’s strongest use case is for its customizable capabilities. Many of InsightIDR’s capabilities can be attributed to its architecture, which allows for easily extending functionality to include more advanced analytics, automation, cloud or EDR datasets. Rapid7’s flexible service offerings tied to InsightIDR also contribute to its focus on providing TDIR outcomes through technology and service alignment. InsightIDR scored lower on compatibility; automation features are limited, and its incorporation of AI into InsightIDR only supports a limited number of use cases.
Securonix

Securonix’s SIEM offering is Unified Defense SIEM. The platform is available as cloud-native, hosted and on-premises. It includes an embedded Snowflake instance, compliance reporting, UEBA, basic SOAR functionality, new GenAI agents and 365 days of hot searchable storage as part of the core product. Customers with existing data lake storage can bring in their own via a plug-in. In addition to Unified Defense SIEM, Securonix offers Investigate, a data enrichment module that supports connections from both internal and external data sources for deduplication of alerts and prioritization of threats. Securonix now also offers Spotter, a search engine that allows a natural-language-based search using Spotter Agent. Organizations can purchase these add-on modules at an additional cost.
Notable enhancements include:
  • Securonix continues to expand its data management with Data Pipeline Manager (DPM), which gives organizations the flexibility to choose the best independent storage options for different uses, such as real-time analytics detections, long-term storage for compliance or threat hunting.
  • Securonix’s user behavioral use cases are enhanced with more out-of-the-box profiles, human psychology analysis to assist in advanced behavior detections, role-based workflows that support the needs of insider threat management teams and extensive testing and tuning capabilities.
  • Securonix has expanded its add-on capabilities with agentic AI to support many common use cases such as alert tuning, enrichment and investigation guidance.
Securonix has strong, flexible data management and in-depth analysis capabilities. Larger enterprises looking to use larger volumes of data to gain security insights value the diversity of data architecture options provided by Securonix, which allow them to balance SIEM costing while still increasing the volume of addressable data for analysis. Although Securonix has mature onboard automation, its overall compatibility scores were lower because it is still developing its AI capabilities.
Splunk

Following the acquisition in March 2024, Cisco now owns the Splunk Enterprise Security SIEM platform. Splunk licensing is available across all deployment types: on-premises, in private and hybrid clouds or via SaaS, through the Splunk Enterprise and Splunk Cloud variations. Splunk has an increased emphasis on overall TDIR efforts by complementing its core SIEM subscription with optional capabilities, such as Asset & Risk Intelligence, Attack Analyzer, SOAR and UEBA. It is a feature-rich, mature product that appeals to very large enterprises or customers that need highly extensible and customizable security platforms and have the resources to operate them.
Notable enhancements include:
  • Splunk continues to improve its customization capabilities with extensive dashboards, role-based workflows and extensibility options for third-party integration and applications that help large enterprises that require customization.
  • Splunk’s marketplace for its SIEM is one of the largest sources of content available to assist in creating detections, automation playbooks, dashboards and reports.
  • Since its acquisition by Cisco, Splunk has added integrations with other Cisco solutions, such as Talos, Cisco’s threat intelligence research organization, enabling users to enrich alerts with native threat intelligence.
Splunk scored well on content, which greatly improves the out-of-the-box experience, and its marketplace community of plug-in applications, dashboards and reports further extends customization. Splunk scored lower on compatibility, where innovations such as a tightly integrated use of AI are still lacking.
Sumo Logic

Sumo Logic’s SIEM offering is Cloud SIEM Enterprise, an additional component of its cloud-native Log Analytics Platform. The SIEM is delivered only as a cloud offering and includes native UEBA, TIP and NDR capabilities and a data lake for long-term storage as part of the standard package. Sumo Logic’s SIEM can be used for both security and IT operations, which helps organizations seeking to consolidate both monitoring objectives on a single platform.
Notable enhancements include:
  • Sumo Logic continues to enhance its integrations between observability and security workflows. This allows combined teams to have a shared view and security teams to gain greater insights into application signals relevant to security issues.
  • Sumo Logic has improved its alert mapping to the MITRE ATT&CK framework, which helps analysts understand how security signals relate to attack tactics and techniques.
  • Sumo Logic’s content library in its marketplace has been expanded to offer more detection profiles, automation playbooks and customization features such as dashboards and reports.
Sumo Logic scored high in integration due to its easy case management integrations and low-code workflow editor. It scored lower in compatibility due to limited support for AI and automation use cases. Sumo Logic has substantial support from managed detection and response providers and managed security service providers, giving clients a large pool of providers to help with SIEM management.

Context

For security operations teams, an SIEM is a central tool that supports different core outcomes. Most commonly, an SIEM is used to:
  • Perform TDIR operations.
  • Offer a system of record for investigation, reporting and forensics.
  • Be a single source of truth for bigger picture insights.
The evolution of the SIEM market reflects these varying buyer needs, as vendors specialize in meeting various customer objectives based on their organization types. Buyers should carefully assess their needs and select criteria that best support those outcomes most favorable to their organization. In other words, even a market-leading SIEM may not be right for every size and type of organization.
Use the common customer type scenarios below to select certain capabilities that most reflect your organizational needs and weight them accordingly.
Large Organization or Those With High Security Maturity
Typically, this customer type needs many different outcomes that may serve security, compliance and governance teams. It also needs to integrate many different data sources and support the workflow of larger SOC teams. Lastly, such customers are often concerned about the cost of large-scale data ingestion.
To support these needs, clients of this type often weigh these criteria higher:
  • Integrations to support various data sources and support the dependency management of their broader TDIR stack and other supporting technologies.
  • Customizations that allow for specialized reporting and role-based workflow.
  • Data management options that allow for more options to manage ingestion into the SIEM and control cost.
  • Federated and/or multitenant deployment models that support distributed monitoring, often needed by global organizations.
  • Workflow augmentation that drives team efficacy and performance.
Cloud-First Organizations
Security buyers in these organizations have usually been given a mandate by senior management to support the company’s direction to be cloud-first or support the organization’s chosen cloud provider. They need to perform the TDIR function best aligned to their chosen environment and also need to maximize their investment in their cloud platform.
To support those needs, buyers of this type often weigh these criteria higher:
  • Native support for TDIR functions within their chosen cloud environment.
  • Extended integrations into other security and cloud components that increase visibility and simplify operations within the cloud platform.
  • Support for other cloud integrations, such as SaaS applications, multicloud deployments or federated architectures.
Midsize or Small In-House SOC Organizations
This group represents the bulk of everyday enterprise buyers looking to use SIEM to support their TDIR objectives. Although this group desires many security outcomes, they often have smaller security teams and limited overall resources to operate an SIEM. They seek an overall reduction in complexity and simplified operations as a driving factor.
Organizations of this type often weigh these criteria higher:
  • Simplification of basic functions such as query, detection creation, investigation and built-in response.
  • Workflow augmentation through both AI and automation that can simplify operations, provide guidance and overall scale their team’s abilities.
  • Converged TDIR platforms that help reduce complexity through vendors that can better integrate supporting TDIR technologies into the SIEM, assist in managing dependencies and provide more detailed security insights.
  • Rich content libraries that offer detection content, automation playbooks and other such features that help streamline operations.
  • Native or readily available support for ongoing operations assistance.

Market Definition

Security information and event management (SIEM) is a configurable system of record that collects, aggregates and analyzes security event data from on-premises and cloud environments. SIEM processes security event data for the purposes of threat detection, investigation and response. It natively supports data normalization and offers user-configurable detection content and reporting to orchestrate threat mitigation and satisfy compliance requirements. These solutions are delivered as SaaS, or client-hosted on-premises or in a private cloud.
The security information and event management (SIEM) system must assist with:
  • Aggregating and normalizing data from various IT and operational technology (OT) environments.
  • Designing and executing near real-time monitoring and alerting content.
  • Enriching and investigating security events of interest.
  • Supporting manual and automated response actions.
  • Maintaining and reporting on current and historical event data.

Mandatory Features

  • Collection of infrastructure details and security-relevant data from a wide range of assets located on-premises and/or in cloud infrastructure.
  • Flexible data retention options for storing essential event data long term and/or making it available for long-term searching.
  • Ability for end users to self-develop, modify and maintain threat detection use cases utilizing correlation-, analytic- and signature-based methods.
  • Vendor-provided content for security detection and response (analytics, data normalization, collection, correlation, enrichment and reporting) for both native and non-native solutions.
  • Capability to create and customize detection and response content.
  • Report generation to support business, compliance and audit needs as required.
  • Client-created workflow augmentation capability to support incident response activities and reporting.
  • Ability to investigate, evidence and report on discovered security alerts generated by active detection content.

Common Features

  • Allow for mixed methods of data collection that include both streaming event data and static telemetry, such as file processing, API-retrieved data or system configuration data.
  • Multiple deployment options to include on-premises, cloud-hosted, cloud-native or SaaS.
  • Ingestion of normalization, enrichment and risk-score data from third-party systems, such as threat intelligence sources or configuration management databases (CMDBs).
  • Provision of case management process and support of incident response actions.
  • Workflow augmentation features, such as automation, orchestration of common tasks and use of AI.
  • The ability to use various data science techniques to generate detections on a wide range of behaviors (user, network, application or object) that indicate attack activity.
  • Threat intelligence platform (TIP) capabilities to manage intelligence feeds and supply contextual information about threats that may include native threat intelligence.
  • A marketplace that allows clients to subscribe to threat content and facilitate integration with third-party technologies.
  • Federated search into diverse vendor SIEM environments that allows analysis and operation from a central interface.
  • Decentralized search functionality to query events from outside the vendor data repository and pull in additional enriching information where appropriate.
  • Extended detection and response (XDR) interoperability that includes the use of endpoint (EDR), network (NDR) or other extended telemetry and response capabilities.
  • Third-party data lake platform integrations for storage and search.

Product/Service Class Definition

The SIEM market was formally defined in 2005 and grew incrementally in features and market presence. SIEM then experienced a long plateau in the delivery of new features and innovation. This is no longer the case: SIEM vendors are acquiring technology features and updating to a modern solution architecture that delivers a holistic threat detection, investigation and response capability. SIEM products are consumed using a variety of deployment models.
Gartner has observed the following shifts in the market:
  • SIEM tools delivered “as a service” (i.e., cloud-based or cloud-native SIEM) are a key buyer demand. Clients often acquire or have access to an SIEM as part of a package of other cloud-based infrastructure capabilities. Using existing investments effectively is a cost driver.
  • A focus on complexity reduction in overall SIEM operations. Vendors have mixed approaches for reducing operational burdens. Some vendors promise to reduce complexity by offering an extended TDIR stack that includes tighter integrations with their own ecosystem of other security solutions. Other vendors seek to reduce complexity by using AI to reduce some operational burdens and/or reduce the skills required to perform some tasks.
  • Organizational demand for more flexible ways to control SIEM cost bloat has increased the data management options that give SIEM buyers more control and flexibility over data ingestion. This helps organizations manage cost by using the right storage container for each outcome, such as analytics, querying and long-term storage.
  • Workflow augmentation powered by AI has become an area of great hype for SIEM vendors. The incorporation of AI to facilitate SIEM operations and reduce skill barriers is a heated area of differentiation among vendors.
  • The use of AI for SIEM workflow augmentation is still very experimental and exploratory by many vendors. Most vendors had limited use cases, with roadmaps showing more development in years to come.
  • Adding context of exposure management into an SIEM can drive fidelity and prioritization of alerts. Some SIEM vendors have shifted to adding more exposure management context as part of their extended offerings.

Critical Capabilities Definition

Architecture and Deployment

This capability addresses the SIEM architecture requirements for buyers, in addition to the effort required to deploy and integrate a solution and capabilities that support and ease that deployment experience.
SIEM solution architectures must support a variety of buyer environments, including on-premises, cloud-hosted and cloud-native, ranging from midsize enterprises and less complex environments that may want a simple solution to global enterprises and managed security service providers with complex environments that require distributed, n-tier architectures and deployments or data residency in specific regions. SIEM buyers need to assess how best to integrate with the solution and constituent components. Increasingly, SIEM buyers must account for requirements to monitor and collect data on demand from third-party cloud services via API with their SIEM solution.
Ease of deployment and time to value are also important to buyers as they look to quickly and efficiently implement and operationalize SIEM solutions.
Data Collection

This capability addresses an SIEM solution’s ability to properly and easily manage logs, API calls and other data of increasing volumes and velocity, from a variety of sources, using a variety of methods across on-premises and/or in cloud infrastructure.
Data collection and management must address different forms of data (structured or unstructured) and remote access or collection mechanisms (syslog, batch collection, API). In addition to collecting the data, the SIEM solution needs corresponding parsers in order to process data for a variety of functions (analysis, reporting and search). Once collected, the data can be stored in a raw form; a normalized, enriched or contextualized form; or a combination thereof. Management of the data to ensure the appropriate confidentiality, integrity and availability in transport, use and storage is also important (via encryption, masking or tokenization, for example). The adoption of big data solutions to handle the increasing volume, velocity and variety of data is becoming more common with SIEM solutions.
Decentralized/federated searching to query events outside the SIEM data repository is also becoming commonplace. The ability to manage how data is stored and retained is covered in this capability. Data storage for the various activities performed with the SIEM can range from local storage to SAN and NAS systems and cloud storage solutions.
Add-On Components

This capability addresses the solutions available from an SIEM solution vendor that are highly complementary and integrated with the SIEM solution and integration with complementary third-party solutions.
A segment of SIEM buyers, such as those with lower security operations maturity, those replacing legacy solutions or those building a new SOC, may prefer to purchase technologies and tools that are complementary and tightly integrated to the SIEM from a single vendor.
These could include, but are not limited to:
  • Network detection and response (NDR) and network packet capture
  • Endpoint detection and response (EDR)
  • Extended detection and response (XDR)
  • Cloud security solutions, including cloud-native application protection platforms (CNAPPs)
  • Security orchestration automation and response (SOAR)
  • Tools specifically oriented around the security of operational technology (OT)/industrial control systems (ICS) environments
  • User and entity behavior analytics (UEBA)
  • Threat intelligence platform (TIP)
  • Others like exposure and vulnerability assessment (VA)
How these solutions are integrated by the SIEM vendor with their solution as well as how they are packaged for consumption by buyers are also considerations.
Content

This capability addresses the mechanisms available through the SIEM to detect, prioritize and report on activities that represent a threat to the business or are otherwise of interest to various types of consumers.
Once data is collected, it needs to be analyzed, easily organized and made available to users for the purposes of identifying nefarious behavior, compliance and general reporting as well as the enrichment of, and response to, those issues identified. Real-time analytics have long been the core of SIEM solutions, but increasingly these are being augmented with batch analytics to identify and correlate weak signals in data that have not been detected in real time. The adoption of machine learning is most visible in the application of user and entity behavior analytics (UEBA) whether native to the SIEM solution or via a well-integrated add-on solution sold by the SIEM solution vendor.
The mapping of data, techniques and incidents to the MITRE ATT&CK framework is now commonplace. Emerging functions include: the creation and maintenance of investigation and response playbooks, senior executive level risk-based dashboards, support for threat hunting processes and capabilities to ensure customers are gathering from the right event sources based on their use cases.
Compatibility

This capability addresses the SIEM solution’s out-of-the-box detection content, connectors and the features that support the management of that content.
Content is required for the SIEM tool to provide value, and leveraging an extensive and well-organized set of content provided natively by the vendor is important for buyers, small and large. This content includes data collectors and parsers, rules and models for analytics, use cases, compliance packages, as well as response workflows, actions and plays. SIEM vendors tend to have technology alliances with complementary security and nonsecurity vendors to offer a rich and robust set of integrations, connectors, parsers and even additional content such as analytics and/or response capabilities.
In addition to out-of-the-box content, the SIEM tool should offer a management framework for accessing, updating and managing this content and enabling its functionality. Users should also have the ability to create their own content as well. Particularly important for first-time SIEM buyers (and those with limited resources), predefined functions and ease of deployment and support are valued over advanced functionality and extensive customization. The use of an app-store-type approach to provide a centralized location for locating and installing new, and updated, content, integrations and other features is beneficial for all organizations and use cases.
Integration

This capability addresses the platform’s ability to work bidirectionally with third-party toolsets, both security and nonsecurity-focused.
SIEM platforms are part of a much wider ecosystem of corporate IT functions such as IT service management (ITSM) platforms and big data repositories. The ability to integrate with such systems, both sending and retrieving information, as well as to track and manage the status of workflows in them, is important for buyers who wish to integrate their security operations more widely with their organizational resources. SIEM vendors are also more commonly effecting responses on third-party systems, such as firewalls and endpoint technologies, to mitigate a threat on a temporary basis.
For buyers with an existing set of technologies, tighter integrations between the SIEM solution and third-party technologies may be advantageous and desired.
Roadmap

This capability recognizes the importance of the development of the SIEM product and how a fast-moving set of corporate technology changes can affect security visibility and ability to respond.
SIEM vendors must be constantly evolving and adapting their product set to meet the needs of both the modern and the traditional corporate environment. The shift is in direct relation to the expanding attack surface, such as in the areas of social media, digital supply chain and SaaS applications, which may provide weaknesses for attackers to exploit. Reduction in visibility, increase in data volume and complexity, sophistication of attacks and an increased attack surface are all major factors and should be reflected in SIEM vendor roadmaps. Furthermore, changes in the way consumers purchase and pay for software have developed over recent years. SIEM vendors should be cognizant of this and should be aligning subscription models to other infrastructure cost models.
What the SIEM vendor states it will enhance and evolve in the product is important to customers, but so is the timely execution of said enhancements/evolutions.
User Interface

This capability addresses the user interface (UI) and experience of an SIEM solution.
It encompasses how unified the UX and UI across the SIEM platform is and how it accommodates various user personas. An integrated management UI and user experience (UX) that enables efficient administration of the SIEM solution is important. This includes maintaining and reporting on current and historical security events. Some SIEM tools provide a UX that assumes a high level of security monitoring maturity, with workflows and operational models that are efficient, but require deep expertise.
Other SIEM tools seek to support users with less experience and organizations with lower maturity in security operations. These tools offer more guidance to the user, usually at the cost of the detail and granularity that a more experienced operator may require. The capability also includes roles and access control; dashboard and reporting features; and the functionality and flexibility to add and customize these features as required by users and administrators.

Use Cases

Out-of-the-Box SIEM

This use case supports less-mature SIEM buyers and users who are focused on prepackaged content.
This use case is appropriate for first-time SIEM solution buyers and buyers focused on standard security monitoring, detection and response use cases. These buyers may be more likely to focus on compliance-based requirements or standards-driven detection needs. The focus is on solutions that come complete with packaged content that solves discrete use cases for:
  • Threat-monitoring (including ransomware and business email compromise)
  • Compliance (e.g., PCI DSS, HIPAA, SOX and GDPR)
  • Particular best practices or frameworks (including NIST Cybersecurity Framework and ISO 27001)
Customizable SIEM

This use case focuses on mature SIEM buyers with a dynamic set of threat detection, data manipulation and reporting requirements and more diverse and complex IT architecture.
This use case is appropriate for those who need to customize threat detection content and analytics and are driven by a solid understanding of cyber risk, their business requirements, as well as their enterprise environment (e.g., IT and OT).
Such users are often required to support environments with challenges such as distributed geographies and multiple/hybrid environments for data collection from custom-made sources, high volumes and API integration requirements. The focus is on configuring the platform to meet detailed requirements from a solid understanding of the business risks and exposure and to provide easily customizable analytics, reports and dashboards in order to identify and communicate issues with the wider business.
Threat Detection, Investigation and Response

This use case is applicable to mature security organizations that want to support the functions of threat detection, investigation and response on an SIEM platform.
Organizations require an SIEM platform that can act as a workbench to create a custom detection or workflow that supports their security operations needs. These capabilities can include the design and implementation of new detection capabilities (analytical or rule based) and provide investigational tools for managing threat hunting, red team versus blue team exercises and integrated response capabilities to enable immediate threat mitigation from the security operations team.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Critical Capabilities as markets change. As a result of these adjustments, the mix of vendors in any Critical Capability may change over time. A vendor’s appearance in a Critical Capability one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed inclusion criteria, or of a change of focus by that vendor.

Inclusion and Exclusion Criteria


To qualify for inclusion, a vendor needed to fulfill the following criteria:
  • A product that provides an SIM and SEM capability consumable by end-user customers as cloud-native1 software and/or SaaS, excluding those that are available only as part of a managed security services relationship. SIM and SEM must-have capabilities are:
    • Collect infrastructure details and security relevant data from a wide range of assets located on-premises and/or in cloud infrastructure.
    • Ability for end users to self-develop, modify and maintain threat detection use cases utilizing correlation, analytic and signature-based methods.
    • Correlate and apply both SIEM vendor- and client-created analytics to collect, normalize and contextualize event data from disparate sources, using multiple mechanisms (e.g., log stream, API, file processing), for the purposes of threat detection, use-case implementation and incident investigation.
    • Provide case management and support incident response activities.2
    • Generate reports to support business, compliance and audit needs.
    • Store essential security event data over the long term and make it available for investigation.
  • At least 50 vendor-provided collectors for data capture and streaming from heterogeneous third-party data sources via API in addition to data streaming or log collection. This must include formally recognized partnerships with at least 10 major technology vendors.
  • A product that supports behavioral analysis and/or correlation of data from sources other than directly from the vendor’s product ecosystem, which should include market-leading network technologies, endpoints/servers, cloud (IaaS or SaaS) and business applications.
  • Features, functionality and at least two of the below-named additional capabilities that were generally available, vendor-owned (wholly acquired or organically built) and included in the SIEM as of 31 December 2024:
    • Federated search into distributed environments and able to search across SIEM data repositories (e.g., geographic regions or cloud provider’s regions)
    • Search functionality to query events outside the SIEM data repository and to pull in additional enriching information where appropriate
    • Third-party data lake platform integration storage
    • Availability of long-term data storage and reporting (with “hot” recall capability of 365 days)
  • Add-on solutions, including at least two of the below-named additional capabilities that were generally available, vendor-owned (wholly acquired or organically built) and included in the SIEM product or sold as separate add-ons as of 31 December 2024:
    • Workflow augmentation, supporting features such as automation, orchestration of common tasks
    • Threat intelligence platform (TIP)
    • Advanced analytic capabilities using user entity behavior analytics (UEBA), data sciences (e.g., supervised and unsupervised machine learning, deep learning/recurrent neural networks)
  • Cloud-native/SaaS license and maintenance (excluding managed services) revenue exceeding $85 million for the 12 months prior to 31 December 2024 or have 500 distinct production3 customers with direct contracts on cloud-native or SaaS platforms as of the end of that same period.
  • In the 12 months prior to 31 December 2024, vendors need to have received 25% of SIEM cloud-native/SaaS revenue from buyers with headquarters outside the geographic region4 of the vendor’s headquarters location. Otherwise, the vendor needs to have at least 25% of production customers, each with headquarters outside the geographic region of the vendor’s headquarters location.
  • Evidence of online marketing campaigns, events or promotions from third-party media sources targeting countries in at least two geographic regions, distributed prior to 31 December 2024.
  • Cloud-native/SaaS SIEM platform hosted in more than three major geographic regions.
  • New customer acquisition or competitive replacement above 5%.
Excluded from consideration were:
  • Capabilities available only through a managed services relationship — that is, SIEM functionality available to customers only when they sign up for a vendor’s managed security; managed detection and response; managed SIEM; or other managed services offering.5

Weighting for Critical Capabilities in Use Cases

Critical Capabilities | Out-of-the-Box SIEM | Customizable SIEM | Threat Detection, Investigation and Response
Architecture and Deployment | 15% | 10% | 15%
Data Collection | 0% | 25% | 30%
Add-On Components | 0% | 10% | 10%
Content | 35% | 0% | 0%
Compatibility | 25% | 10% | 5%
Integration | 0% | 25% | 15%
Roadmap | 5% | 5% | 5%
User Interface | 20% | 15% | 20%
As of 31 December 2024
Source: Gartner (October 2025)
This methodology requires analysts to identify the critical capabilities for a class of products/services. Each capability is then weighted in terms of its relative importance for specific product/service use cases.

Critical Capabilities Rating

Each of the products/services that meet our inclusion criteria has been evaluated on the critical capabilities on a scale from 1.0 to 5.0.

Product/Service Rating on Critical Capabilities

Vendor | Architecture and Deployment | Data Collection | Add-On Components | Content | Compatibility | Integration | Roadmap | User Interface
CrowdStrike | 3.5 | 3.0 | 4.2 | 3.5 | 3.3 | 4.0 | 3.8 | 3.3
Datadog | 4.3 | 3.0 | 4.0 | 2.9 | 2.6 | 3.8 | 3.9 | 2.7
Elastic | 4.1 | 3.5 | 4.2 | 3.2 | 3.1 | 3.7 | 4.1 | 3.2
Exabeam | 3.9 | 3.5 | 3.7 | 3.3 | 3.4 | 3.8 | 4.0 | 3.3
Fortinet | 3.8 | 3.1 | 3.8 | 3.0 | 3.1 | 4.0 | 3.6 | 2.8
Google | 3.7 | 4.1 | 4.1 | 3.7 | 4.0 | 4.1 | 3.5 | 3.4
Graylog | 3.6 | 2.3 | 3.2 | 2.7 | 2.0 | 3.0 | 3.8 | 2.5
Gurucul | 4.1 | 3.5 | 4.0 | 3.6 | 3.8 | 4.3 | 3.9 | 3.3
Huawei | 3.4 | 2.6 | 3.4 | 3.2 | 3.2 | 4.3 | 3.9 | 2.9
ManageEngine | 3.6 | 2.1 | 2.9 | 2.1 | 2.0 | 2.5 | 3.0 | 2.1
Microsoft | 4.4 | 4.1 | 3.7 | 3.6 | 3.6 | 4.0 | 3.5 | 2.7
Palo Alto Networks | 3.3 | 2.7 | 3.7 | 3.5 | 2.9 | 3.8 | 3.2 | 2.9
QAX | 3.0 | 2.9 | 3.5 | 3.2 | 2.8 | 4.0 | 3.4 | 3.0
Rapid7 | 4.3 | 3.4 | 3.3 | 3.4 | 2.3 | 3.9 | 4.1 | 3.3
Securonix | 3.6 | 3.8 | 4.2 | 3.6 | 3.3 | 4.2 | 3.5 | 3.9
Splunk | 3.4 | 4.1 | 3.9 | 4.0 | 3.5 | 4.4 | 4.0 | 3.7
Sumo Logic | 3.6 | 3.8 | 4.2 | 3.6 | 3.3 | 4.2 | 3.5 | 3.9
As of 31 December 2024
Source: Gartner (October 2025)
Table 3 shows the product/service scores for each use case. The scores, which are generated by multiplying the use-case weightings by the product/service ratings, summarize how well the critical capabilities are met for each use case.

Product Score in Use Cases

Vendor | Out-of-the-Box SIEM | Customizable SIEM | Threat Detection, Investigation and Response
CrowdStrike | 3.44 | 3.55 | 3.48
Datadog | 3.05 | 3.39 | 3.38
Elastic | 3.36 | 3.61 | 3.63
Exabeam | 3.45 | 3.61 | 3.60
Fortinet | 3.13 | 3.44 | 3.37
Google | 3.68 | 3.92 | 3.87
Graylog | 2.65 | 2.75 | 2.77
Gurucul | 3.67 | 3.84 | 3.76
Huawei | 3.21 | 3.35 | 3.20
ManageEngine | 2.35 | 2.46 | 2.51
Microsoft | 3.53 | 3.78 | 3.77
Palo Alto Networks | 3.20 | 3.22 | 3.14
QAX | 3.04 | 3.28 | 3.19
Rapid7 | 3.26 | 3.50 | 3.55
Securonix | 3.61 | 3.89 | 3.87
Splunk | 3.72 | 3.97 | 3.91
Sumo Logic | 3.61 | 3.89 | 3.87
As of 31 December 2024
Source: Gartner (October 2025)
To determine an overall score for each product/service in the use cases, multiply the ratings in Table 2 by the weightings shown in Table 1.

Critical Capabilities Methodology


This methodology requires analysts to identify the critical capabilities for a class of products or services. Each capability is then weighted in terms of its relative importance for specific product or service use cases. Next, products/services are rated in terms of how well they achieve each of the critical capabilities. A score that summarizes how well they meet the critical capabilities for each use case is then calculated for each product/service.
"Critical capabilities" are attributes that differentiate products/services in a class in terms of their quality and performance. Gartner recommends that users consider the set of critical capabilities as some of the most important criteria for acquisition decisions.
In defining the product/service category for evaluation, the analyst first identifies the leading uses for the products/services in this market. What needs are end users looking to fulfill when considering products/services in this market? Use cases should match common client deployment scenarios. These distinct client scenarios define the use cases.
The analyst then identifies the critical capabilities. These capabilities are generalized groups of features commonly required by this class of products/services. Each capability is assigned a level of importance in fulfilling that particular need; some sets of features are more important than others, depending on the use case being evaluated.
Each vendor’s product or service is evaluated in terms of how well it delivers each capability, on a five-point scale. These ratings are displayed side by side for all vendors, allowing easy comparison between the different sets of features.
Ratings and summary scores range from 1.0 to 5.0:
1 = Poor or Absent: most or all defined requirements for a capability are not achieved
2 = Fair: some requirements are not achieved
3 = Good: meets requirements
4 = Excellent: meets or exceeds some requirements
5 = Outstanding: significantly exceeds requirements
To determine an overall score for each product in the use cases, the product ratings are multiplied by the weightings to come up with the product score in use cases.
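The weighting step described here and after Table 3 (rating multiplied by use-case weighting, summed across capabilities), as an added example that is not Gartner's own tooling. It uses the six Table 2 rows visible in this excerpt; the weighting is constructed for a hypothetical use case because Table 1 is not part of this excerpt, so the resulting scores will not reproduce Table 3.

```python
"""Re-weight SIEM critical-capability ratings for a use case (added example)."""
from typing import Dict, List, Tuple

VENDORS: List[str] = [
    "CrowdStrike", "Datadog", "Elastic", "Exabeam", "Fortinet", "Google",
    "Graylog", "Gurucul", "Huawei", "ManageEngine", "Microsoft",
    "Palo Alto Networks", "QAX", "Rapid7", "Securonix", "Splunk", "Sumo Logic",
]

# Capability ratings (1.0-5.0) for the Table 2 rows visible in this excerpt,
# in VENDORS order. The full table rates more capabilities than these six.
RATINGS: Dict[str, List[float]] = {
    "Add-On Components": [4.2, 4.0, 4.2, 3.7, 3.8, 4.1, 3.2, 4.0, 3.4, 2.9, 3.7, 3.7, 3.5, 3.3, 4.2, 3.9, 4.2],
    "Content":           [3.5, 2.9, 3.2, 3.3, 3.0, 3.7, 2.7, 3.6, 3.2, 2.1, 3.6, 3.5, 3.2, 3.4, 3.6, 4.0, 3.6],
    "Compatibility":     [3.3, 2.6, 3.1, 3.4, 3.1, 4.0, 2.0, 3.8, 3.2, 2.0, 3.6, 2.9, 2.8, 2.3, 3.3, 3.5, 3.3],
    "Integration":       [4.0, 3.8, 3.7, 3.8, 4.0, 4.1, 3.0, 4.3, 4.3, 2.5, 4.0, 3.8, 4.0, 3.9, 4.2, 4.4, 4.2],
    "Roadmap":           [3.8, 3.9, 4.1, 4.0, 3.6, 3.5, 3.8, 3.9, 3.9, 3.0, 3.5, 3.2, 3.4, 4.1, 3.5, 4.0, 3.5],
    "User Interface":    [3.3, 2.7, 3.2, 3.3, 2.8, 3.4, 2.5, 3.3, 2.9, 2.1, 2.7, 2.9, 3.0, 3.3, 3.9, 3.7, 3.9],
}

# Constructed weighting for a hypothetical use case (Table 1 is not in this
# excerpt). Gartner's use-case weightings are percentages that sum to 100%.
EXAMPLE_WEIGHTS: Dict[str, float] = {
    "Add-On Components": 0.10, "Content": 0.25, "Compatibility": 0.20,
    "Integration": 0.20, "Roadmap": 0.10, "User Interface": 0.15,
}


def score_use_case(ratings: Dict[str, List[float]],
                   weights: Dict[str, float]) -> Dict[str, float]:
    """Product score in a use case: sum over capabilities of rating x weight."""
    if set(weights) != set(ratings):
        raise ValueError("weights must name exactly the rated capabilities")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("use-case weightings must sum to 100%")
    return {
        vendor: sum(weights[cap] * ratings[cap][i] for cap in ratings)
        for i, vendor in enumerate(VENDORS)
    }


def rank(scores: Dict[str, float]) -> List[Tuple[str, float]]:
    """Vendors ordered from highest to lowest use-case score (name breaks ties)."""
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for vendor, score in rank(score_use_case(RATINGS, EXAMPLE_WEIGHTS)):
        print(f"{vendor:<20} {score:.2f}")
```

Swapping in your own capability weights (and the full set of Table 2 rows) gives a ranking aligned to your requirements rather than to the three generic use cases.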
The critical capabilities Gartner has selected do not represent all capabilities for any product; therefore, they may not represent those most important for a specific use situation or business objective. Clients should use a critical capabilities analysis as one of several sources of input about a product before making a product/service decision.
