Poor Data + Lack of Automation = SOC Burnout

Our Reflections on Splunk's State of Security 2025

The 2025 Splunk State of Security report is a wake-up call: modern security operations centers (SOCs) are drowning—not in threats, but in the inefficiencies that cripple their ability to respond effectively. The root cause? Messy data leading to overwhelming alert noise, being understaffed and underskilled, and manual processes that leave teams overstretched.

“Our data uncovers that SOCs are burning too much effort on the wrong things — babysitting tools, chasing the same false alarms over and over, and wrestling with messy data.” — David Dalling, GVP, Global Cyber Strategist, Splunk

In this post, we’ll break down some of the report’s most urgent findings around data quality and automation, and explore how Axoflow’s approach to security data pipeline management offers a way out.

The Cost of Messy Data: A Broken Foundation

A staggering 62% of security teams admit to having poor data quality, and it’s doing real damage:

  • 57% have lost valuable investigation time due to data management gaps.
  • Faulty data leads to faulty detections, weakening cyber defenses.
  • 28% say they spend too much time normalizing data.

Detections are only as strong as the data they rely on.

“Security teams aren’t just dealing with raw syslogs anymore, but massive blobs of data in a multitude of formats that need to be parsed, ingested, and analyzed properly.” — Marcus LaFerrera, Director of SURGe, Splunk

These problems are compounded when teams lack control over how data is collected and transformed. As we discuss in our How High-Quality Data Saves You $$$$ blog post, messy or unstructured data doesn’t just increase mean time to detect—it actively prevents threat visibility.

Axoflow helps fix this by managing ingestion, parsing, normalization, and enrichment upstream—so by the time logs reach your SIEM, they're clean, consistent, and enriched with contextual information that supports detection (46% report that deciphering alerts that lack context is a major issue slowing down their SOC).

Manual Maintenance is Killing Efficiency

Nearly half of SOC teams (46%) spend more time maintaining tools than defending against threats. That number rises to 59% when asked whether they spend too much time maintaining tools and workflows. This clearly shows that the burden of upkeep is pulling teams away from actual defense work. It’s also draining morale.

“Busywork stifles progress and passion... No one gets jazzed about tool maintenance.”

At Axoflow, we advocate for automation at every possible stage of the data pipeline. Let Go of the Loop: Why Real Telemetry Automation Leaves Manual Oversight Behind lays out why SOCs must move away from the “babysitting” model—particularly when it comes to managing telemetry and security data pipelines. Collecting, parsing, and normalizing data should just work, and it shouldn’t be your teams’ job to keep those pipelines up-to-date.

Alert Overload: Too Many, Too Noisy, Not Enough Context

SOC teams face relentless alert storms:

  • 47% identify alerting issues as the top inefficiency
  • 59% face too many alerts
  • 55% deal with too many false positives
  • 46% struggle with alerts that lack context

Without high-quality, structured data, even the most advanced detection systems generate noise. And that’s assuming the alerts make sense, or even fire in the first place (many never do, on account of missing or incomplete data). For the team members who are trying to triage and evaluate alerts, reliable and meaningful context is a must.

In our breakdown of SIEM data classification automation, we explain how automating data classification upstream in the pipeline can significantly reduce false positives and improve alert context, improving SOC signal-to-noise ratios dramatically.
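To make the upstream parsing, normalization, enrichment and classification points concrete, here is an added Python sketch (not Axoflow code and not from the Splunk report). It parses two constructed log formats into one schema, converts timestamps to UTC, attaches constructed asset context, and runs a simple failed-login detection; the same rule misses the burst when the pipeline ignores timezones. The log formats, host names, the assumption that `vpn01` logs in UTC, and the asset table are all invented for this example.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample: two sources see one failed-login burst from the same host.
# fw01 logs RFC 3339 with a -05:00 offset; vpn01 logs legacy syslog with no year
# and no zone (assumption for this example: the appliance clock is set to UTC).
RAW_EVENTS = [
    "2025-06-03T14:00:05-05:00 fw01 auth: login failed user=svc_backup src=10.0.4.7",
    "Jun  3 19:00:11 vpn01 sshd[812]: Failed password for svc_backup from 10.0.4.7",
    "2025-06-03T14:00:20-05:00 fw01 auth: login failed user=svc_backup src=10.0.4.7",
]
LEGACY_TZ = timezone.utc  # assumed per-source zone; a pipeline must know this for each sender
ASSETS = {"10.0.4.7": {"owner": "backup-team", "zone": "datacenter"}}  # constructed context

RFC3339 = re.compile(r"^(\S+) (\S+) auth: login failed user=(\S+) src=(\S+)")
LEGACY = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: Failed password for (\S+) from (\S+)")

def normalize(line, honor_timezones=True, year=2025):
    """Parse either format into one schema with a UTC timestamp; None if unparsed."""
    if m := RFC3339.match(line):
        ts = datetime.fromisoformat(m.group(1))
        if not honor_timezones:  # a sloppy pipeline: drop the offset, keep the wall clock
            ts = ts.replace(tzinfo=timezone.utc)
    elif m := LEGACY.match(line):
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=LEGACY_TZ)
    else:
        return None  # count unparsed lines instead of silently dropping them
    host, user, src = m.group(2), m.group(3), m.group(4)
    return {"ts": ts.astimezone(timezone.utc), "host": host, "user": user, "src": src,
            "class": "auth_failure", **ASSETS.get(src, {})}  # classify + enrich upstream

def detect_bruteforce(events, threshold=3, window=timedelta(seconds=60)):
    """Alert on (user, src) pairs with >= threshold failures inside one window."""
    by_key = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_key.setdefault((ev["user"], ev["src"]), []).append(ev)
    alerts = []
    for evs in by_key.values():
        for i in range(len(evs) - threshold + 1):
            if evs[i + threshold - 1]["ts"] - evs[i]["ts"] <= window:
                alerts.append({**{k: evs[i].get(k) for k in ("user", "src", "owner", "zone")},
                               "count": threshold, "sources": sorted({e["host"] for e in evs})})
                break
    return alerts

def run(honor_timezones=True):
    """Run the pipeline end to end; returns the alerts the SIEM would receive."""
    events = [e for e in (normalize(l, honor_timezones) for l in RAW_EVENTS) if e]
    return detect_bruteforce(events)
```

`run(True)` yields one alert carrying the owner and zone an analyst needs; `run(False)` yields nothing, because the same three events appear five hours apart once the offsets are discarded.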

Why It Starts with the Pipeline

SOC inefficiencies are symptoms of a deeper infrastructure problem: poor security data pipeline hygiene.

The Splunk report shows that 59% of teams say maintaining tools is their #1 inefficiency. If you’re fighting with a fragmented, inconsistent data pipeline every day, how can you possibly get ahead?

That’s where Axoflow comes in. We believe every SOC should treat their data pipeline as critical infrastructure. In Security Data Pipeline Management, we cover how centralized management of log collection, enrichment, and transport ensures data is trustworthy and usable before it hits Splunk (or any SIEM).

For example, here’s how Axoflow helps get firewall logs into Splunk efficiently—avoiding the slowdowns and inconsistencies that plague many SOCs.

Automation and Detection-as-Code Are the Future

The Splunk report urges SOCs to adopt detection-as-code, AI, and automation as survival strategies.

“The SOC of the future will run much more efficiently... They also lean on automation and AI to resolve lower-level alerts.”

Yet, many teams are behind:

  • Only 35% currently use detection-as-code, but 63% want to
  • However, 41% lack detection engineering skills
  • 33% plan to address skills gaps through automation and AI

To make those leaps, organizations must invest in the foundation first—high-quality, structured, real-time data flowing into SIEM and detection tools.

Automation without trustworthy data is automation of bad decisions. Pipelines like Axoflow ensure that when AI or detection-as-code is applied, it’s using data it can rely on. Because, as we’ve quoted before: “Faulty data leads to faulty detections, weakening cyber defenses.”

Final Thoughts: You Can’t Automate Chaos

The Splunk State of Security 2025 report makes one thing clear: the SOCs of the future are leaner, smarter, and faster—but only if they stop doing grunt work and fix their data pipelines.

“Nearly half of them admit they spend more time maintaining their tech stack than actually defending their organization.” — David Dalling, GVP, Global Cyber Strategist, Splunk, Splunk State of Security 2025

Automation is the answer—but it needs a solid data foundation.

Want to stop wasting time normalizing logs, managing broken pipelines, or deciphering alerts that lack context? It starts with structured, enriched, and orchestrated data—and that’s what Axoflow delivers.

If you’re attending Splunk .conf2025, don’t miss our hands-on interactive workshop Timezones, Tags, and Terrors: How Data Ingestion Problems Kill Threat Detection with Axoflow co-founders Balázs Scheidler, Sándor Guba, and SC4S co-creator Mark Bonsack. Add the workshop to your .conf25 schedule!
