BLOG

Beyond SIEM: Francis Odum Highlights the Shift to Data-Driven Security

Katie Campisi

Oct 7, 2025

The SIEM market is undergoing one of the most significant shifts in its history.

In his latest report, The Convergence of SIEMs and Data Pipelines, Francis Odum at Software Analyst Cyber Research lays out a detailed analysis of how security operations are evolving. SIEMs were never designed to handle today’s scale of telemetry, cloud-native architectures, and AI-driven threats. Costs balloon as data grows, detections lag, and analysts are overwhelmed by noise. That’s why Odum argues convergence isn’t optional; it’s inevitable. SIEMs must meet data where it lives, in scalable cloud platforms, and embed automation at the core to keep pace. 

This isn’t just a prediction. Customers are already making the shift. In the G2 Fall 2025 Grid Report, Panther moved into the Leaders category for SIEM. What makes this significant isn’t the label itself — it’s the data behind it. G2 aggregates verified customer reviews and ratings, and the themes are consistent: practitioners value Panther for scalable data handling, faster detections, and meaningful automation. These are the very capabilities Odum identifies as critical to the next generation of SIEM.

Analysts are calling out the shift. Customers are validating it. The SIEM revolution is underway.

The Forces Driving Convergence

Odum’s report identifies three primary forces driving this convergence:

  • Data gravity: Security data naturally resides in cloud data platforms. Forcing it into proprietary SIEM silos introduces cost, delay, and friction.

  • The need for modularity: Teams want pipelines and integrations they can customize — not rigid ingestion gates that lock them in.

  • Automation and AI as baseline: Manual investigation doesn’t scale. Teams need automation, correlation, and AI agents to keep pace.

These are daily realities for practitioners managing detection and response. A log spike from a new service, a sudden surge in identity events, a false positive storm triggered by a misconfigured rule — these are the problems practitioners wrestle with every week.

Legacy SIEMs make those problems worse. Converged platforms make them manageable.

What Convergence Looks Like in Practice

From the beginning, Panther was designed with these realities in mind. Our founder, Jack Naglieri, built Panther after years as a Detection Engineer, where he saw firsthand the failure modes of legacy SIEMs: brittle rule engines, spiraling ingestion costs, and workflows that didn’t reflect how analysts actually work.

That’s why Panther combines three core elements:

  • SIEM on your data lake → teams own their data and scale without limits.

  • Code-driven, real-time detections → no more brittle black boxes, but flexible, testable detection as code.

  • AI-powered operations → triage, investigation, and detection tasks accelerated by agents that eliminate analyst toil.

For Panther customers, the outcomes are tangible:

  • At Snyk, tuning and correlation reduced alert volume by 70%.

  • At Docker, Panther enabled 3× more ingestion while cutting false positives by 85%.

This is convergence in practice: lower noise, faster response, and scale without runaway costs.

The SIEM Revolution

We call this movement the SIEM Revolution.

It started because security teams were exhausted by the trade-offs legacy SIEMs forced on them:

  • Cutting coverage to control costs.

  • Accepting endless false positives to avoid brittle tuning.

  • Making architectural decisions based on vendor lock-in, not security outcomes.

The SIEM Revolution rejects those trade-offs. It’s about building security operations that are:

  • AI-ready → automation and triage aren’t bolted on, they’re core.

  • Cloud-native → scale comes from the data platform you already run on.

  • Practitioner-first → designed by analysts, for analysts.

What Analysts Are Saying About Panther

One of the strongest signals in Odum’s report is how Panther is positioned as a leader in this convergence trend. His write-up highlights Panther’s unique approach and customer outcomes:

Panther takes a modern, security data lake approach to SIEM by separating compute from storage. They’ve also challenged the traditional ingestion-based pricing model by offering one based on the number of data sources. Practitioners have often been vocal about their issues with ingestion-based models, such as compromising visibility for the sake of price and dealing with unpredictable costs, so this model presents an opportunity to make pricing more predictable. Their decoupled architecture also allows for flexible deployment: Panther can be deployed either as a SaaS solution or within a customer’s own AWS environment.

Another interesting deviation Panther makes from traditional SIEM platforms is its detection-as-code approach, which uses Python (in addition to other low-code options) for detection content creation. We were surprised to see the Python approach but we see the value of introducing a widely known scripting language and enabling teams to treat detection logic like code, making it easy to version control, export, and import, bringing SIEM management in line with modern software CI/CD practices. While this may raise concerns for practitioners who are more familiar with traditional approaches, we feel the Python model could serve as a strong foundation for AI-driven detection and response.

Panther addresses practitioners’ concerns with operational burden and alert fatigue through its AI-driven features. With capabilities such as AI-powered alert triage, query generation, and rule building, Panther enables teams to codify runbooks, guide AI agents, and accelerate detection and response.

Cost Effectiveness

The pricing structure combines a platform fee along with the number of data sources, which scales with organization size (“starter,” “growth,” and “enterprise” tiers), with licenses for data sources purchased in bulk for predictable budgeting.

Panther employs a decoupled architecture and single-tenant deployment model, in which compute and storage are separated and managed independently from licensing. Self-hosted customers can apply their existing AWS commitments to cover storage and compute expenses, while SaaS customers are billed at retail rates for the infrastructure consumed, with Panther managing the underlying services.

This model is a significant shift from per-GB pricing, but may require planning in environments with many small, diverse log sources.

Deployment

Panther can be deployed in two ways: customer-hosted in AWS or as a SaaS solution managed by Panther.

  • Customer-hosted in AWS, giving organizations control over data residency and security while leveraging existing cloud discounts

  • SaaS deployment managed by Panther, offering a turnkey option for teams seeking simplicity

The platform supports forwarding logs to S3/Blob Storage/GCS or via intermediaries such as Logstash or Vector, with native collectors under development.

Security controls make heavy use of AWS regional isolation, ensuring that data remains within governance boundaries. Access management is handled with role-based controls and SSO integration, providing fine-grained permission management.

Detection

Panther leans into detection as code. Customers can write rules in Python, low-code, or structured query languages, manage them through GitHub or GitLab, and integrate them into CI/CD workflows. This approach enables testing, version control, and rapid deployment. The system normalizes logs into a standard schema, supporting real-time streaming detection, IOC extraction, and correlations. Analysts can also configure “signals,” lightweight indicators of suspicious behavior that do not trigger alerts but enrich investigations.
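To make the detection-as-code idea concrete, here is an added example (not Panther's own code or part of its published rule set). The `rule()`, `title()`, `severity()` and `dedup()` function names follow Panther's documented Python rule convention, but the events are constructed CloudTrail-shaped dictionaries (not real log data), the account id is a placeholder, and the `run_tests()` harness is a stand-in for the CI step that rejects a broken detection before it is deployed, so the whole thing runs stand-alone.

```python
"""Detection-as-code sketch: a Python rule plus the unit tests that ship with it.

Added example, not Panther's own code. The rule()/title()/severity()/dedup()
function names follow Panther's documented rule convention; events here are
plain dicts shaped like AWS CloudTrail records (constructed, not real data),
and run_tests() stands in for the CI step that rejects a broken detection.
"""
from typing import Any, Dict, List, Tuple


def _identity(event: Dict[str, Any]) -> Dict[str, Any]:
    # CloudTrail nests the principal under userIdentity; tolerate its absence.
    return event.get("userIdentity") or {}


def rule(event: Dict[str, Any]) -> bool:
    """Fire on a successful AWS console login completed without MFA."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    # responseElements can be null in CloudTrail, so guard before calling .get()
    if (event.get("responseElements") or {}).get("ConsoleLogin") != "Success":
        return False
    mfa_used = (event.get("additionalEventData") or {}).get("MFAUsed")
    return mfa_used == "No"


def title(event: Dict[str, Any]) -> str:
    # Alert title shown to the analyst; names the principal that logged in.
    return f"AWS console login without MFA by {_identity(event).get('arn', '<unknown>')}"


def severity(event: Dict[str, Any]) -> str:
    # A root login without MFA is worse than an IAM-user login without MFA.
    return "CRITICAL" if _identity(event).get("type") == "Root" else "HIGH"


def dedup(event: Dict[str, Any]) -> str:
    # Group repeated logins by the same principal into one alert.
    return _identity(event).get("arn", "unknown")


def _login(identity_type: str, arn: str, outcome: str, mfa: str) -> Dict[str, Any]:
    # Helper that builds constructed CloudTrail-shaped ConsoleLogin events.
    return {
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": identity_type, "arn": arn},
        "responseElements": {"ConsoleLogin": outcome},
        "additionalEventData": {"MFAUsed": mfa},
    }


# Test cases that would be committed next to the rule; the account id is a placeholder.
ACCOUNT = "123456789012"
TEST_CASES: List[Dict[str, Any]] = [
    {"name": "iam user, no mfa", "expected": True,
     "log": _login("IAMUser", f"arn:aws:iam::{ACCOUNT}:user/alice", "Success", "No")},
    {"name": "root, no mfa", "expected": True,
     "log": _login("Root", f"arn:aws:iam::{ACCOUNT}:root", "Success", "No")},
    {"name": "iam user, mfa used", "expected": False,
     "log": _login("IAMUser", f"arn:aws:iam::{ACCOUNT}:user/bob", "Success", "Yes")},
    {"name": "failed login, no mfa", "expected": False,
     "log": _login("IAMUser", f"arn:aws:iam::{ACCOUNT}:user/carol", "Failure", "No")},
    {"name": "unrelated api call", "expected": False,
     "log": {"eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser"}}},
]


def run_tests(cases: List[Dict[str, Any]] = TEST_CASES) -> Tuple[int, List[str]]:
    """Return (passed_count, names_of_failed_cases) for the rule."""
    failed = [c["name"] for c in cases if rule(c["log"]) != c["expected"]]
    return len(cases) - len(failed), failed


if __name__ == "__main__":
    passed, failed = run_tests()
    print(f"{passed}/{len(TEST_CASES)} passed", failed)
    for case in TEST_CASES:
        if rule(case["log"]):
            print(severity(case["log"]), title(case["log"]), "dedup=" + dedup(case["log"]))
```

The point of keeping the rule, its expected-pass and expected-fail events, and the runner together in one repository is that a pull request which loosens the `MFAUsed` check or breaks the null guard on `responseElements` fails the test step rather than silently going quiet in production; the `dedup()` key is what keeps a burst of logins by one principal from becoming a false-positive storm.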

AI extends these capabilities by automatically generating detection rules, tests, and queries from natural language. Through the Model Context Protocol (MCP), Panther integrates AI agents into detection engineering workflows, dramatically reducing the time needed to build and validate detections from hours to minutes. Out-of-the-box detection content is also provided by Panther’s threat research team, with integrations available for threat intelligence sources.

Investigation

Panther supports investigations with entity pivoting, timeline correlation, and a case management module in development. Analysts can consolidate alerts, detections, and searches into a single artifact.

AI agents play a central role in investigations: they auto-triage alerts, summarize behaviors, highlight key indicators, and recommend next steps. They can also pivot to related behaviors not directly tied to the initial alert, automatically enriching investigations with real-time context. Customers can interact with AI via a Slack bot, making investigations more collaborative and accessible. Over time, Panther’s AI agents are expected to automatically run on every alert, generate risk scores, and support auto-closing or escalating incidents.

Reporting

Reporting features include customizable dashboards, PDF summaries, and scheduled SQL queries. Standard SOC metrics such as alert volumes, rule health, and detection coverage can be tracked.

MSSPs can use APIs for cross-tenant oversight, and dashboards support both standard and custom reporting. Operational monitoring highlights integration errors and failed detections, giving SOC teams visibility into pipeline health.

Market Validation from Customers

Analyst recognition is critical — but customer proof is the ultimate validation.

In the G2 Fall 2025 Grid, Panther entered the Leaders category for SIEM. That recognition came from Panther customers themselves.

As one G2 reviewer put it: “Panther lets us scale detections without worrying about ingestion costs or noise. It feels built for the way security teams actually work.”

When analysts and customers are aligned on the same trend, the shift is undeniable.

What This Means for Practitioners

For practitioners, the implications are immediate:

  • Stop pouring resources into legacy SIEMs → free budget and analyst cycles for more meaningful detection and response.

  • Build on platforms that give you control of your data → so you’re not locked into cost structures that punish growth.

  • Use automation and AI as force multipliers → reduce time wasted on repetitive triage and investigations.

The result: more coverage, faster mean time to detect, less time wasted on noise, and a security team that can focus on real threats.

The convergence of SIEM and data platforms is not a prediction; it is a reality. It’s happening today. Analysts like Francis Odum are calling it out. Customers on G2 are validating it. 

Panther is proud to play a part in this shift, and we’re just getting started. 

Read about the SIEM Revolution we’re leading, or book a demo to see Panther in action. 
