{"id":1594,"date":"2026-02-11T15:03:18","date_gmt":"2026-02-11T21:03:18","guid":{"rendered":"https:\/\/raffy.ch\/blog\/?p=1594"},"modified":"2026-02-23T10:53:27","modified_gmt":"2026-02-23T16:53:27","slug":"the-siem-maturity-framework-workbook-v1-0-a-practical-scoring-tool-for-security-analytics-platforms","status":"publish","type":"post","link":"https:\/\/raffy.ch\/blog\/2026\/02\/11\/the-siem-maturity-framework-workbook-v1-0-a-practical-scoring-tool-for-security-analytics-platforms\/","title":{"rendered":"The SIEM Maturity Framework: A Practical Scoring Tool for Security Analytics Platforms"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/raffy.ch\/blog\/wp-content\/uploads\/2026\/02\/ChatGPT-Image-Feb-11-2026-02_58_23-PM.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"683\" src=\"https:\/\/raffy.ch\/blog\/wp-content\/uploads\/2026\/02\/ChatGPT-Image-Feb-11-2026-02_58_23-PM-1024x683.png\" alt=\"\" class=\"wp-image-1600\" srcset=\"https:\/\/raffy.ch\/blog\/wp-content\/uploads\/2026\/02\/ChatGPT-Image-Feb-11-2026-02_58_23-PM-1024x683.png 1024w, https:\/\/raffy.ch\/blog\/wp-content\/uploads\/2026\/02\/ChatGPT-Image-Feb-11-2026-02_58_23-PM-300x200.png 300w, https:\/\/raffy.ch\/blog\/wp-content\/uploads\/2026\/02\/ChatGPT-Image-Feb-11-2026-02_58_23-PM-768x512.png 768w, https:\/\/raffy.ch\/blog\/wp-content\/uploads\/2026\/02\/ChatGPT-Image-Feb-11-2026-02_58_23-PM.png 1536w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">Update: Instead of an Excel spreadsheet, here is an <a href=\"https:\/\/raffy.ch\/SIEM\" title=\"\">online app<\/a> that you can use. 
I&#8217;d love for you to submit your own ratings so we can crowd-source some of these answers!<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">Over the last few weeks I published a post on the <a href=\"https:\/\/raffy.ch\/blog\/2026\/02\/03\/the-gaps-that-created-the-new-wave-of-siem-and-ai-soc-vendors\/\">architectural and operational gaps that created the new wave of SIEM and AI SOC<\/a> vendors. A bunch of people asked the same follow-up question:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cOk, but how do I evaluate vendors consistently without falling back into feature checklists and marketing claims?\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So I turned the framework into a practical scoring workbook (and now a small <a href=\"https:\/\/raffy.ch\/SIEM\" title=\"\">Web application<\/a>) you can use to rate a platform across the dimensions I described in the post. The workbook allows you to rate each category from 1 to 5 and I spent some time defining what a 1 versus a 5 means in each of the categories. I give you an example for the &#8220;<strong>Data Pipeline Optimization<\/strong>&#8221; category. 
Here are the 5 maturity steps:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>1 | Static ingestion pipelines that forward all data to a central store.<\/li>\n\n\n\n<li>2 | Basic filtering or routing based on source or log type.<\/li>\n\n\n\n<li>3 | Conditional enrichment and routing based on use case or predefined alerts\/rules.<\/li>\n\n\n\n<li>4 | Dynamic pipelines that adapt sampling, enrichment, and routing based on downstream value.<\/li>\n\n\n\n<li>5 | Continuously optimized pipelines driven by feedback loops from detections, cost, and analyst outcomes.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">I hope the breakdown into these 5 values helps you work through a more &#8216;objective&#8217; assessment of these platforms and also shows what excellent looks like in each of these categories.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What this is<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The <strong>Security Analytics Platforms \u2013 Maturity Framework<\/strong> is an architecture-first tool to evaluate security platforms across <strong>architectural, detection, and operational<\/strong> dimensions. It is designed to help you compare systems based on <strong>their advanced capabilities <\/strong>that are desperately needed to deliver a SIEM experience that is adequate for 2026.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What this is not<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">This is not a vendor ranking, a feature checklist, or a replacement for hands-on testing. It&#8217;s also NOT an RFP template. As I indicated in my previous blog where I outlined all the different categories, the table stakes are not mentioned or evaluated.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How to use it in 10 minutes<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Add one vendor per row in the rating sheet.<\/li>\n\n\n\n<li>Score each topic based on current behavior, not roadmap promises. 
<\/li>\n\n\n\n<li>Review category roll-ups and the heatmap to spot structural gaps.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">A key insight: <strong>large gaps between category scores often matter more than the overall score.<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Use the Web App<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Click on the image to launch the app&#8230;<\/p>\n\n\n<p><a href=\"https:\/\/raffy.ch\/SIEM\/\"><img decoding=\"async\" class=\"wp-image-1618\" src=\"https:\/\/raffy.ch\/blog\/wp-content\/uploads\/2026\/02\/image-2.png\" width=\"500\" alt=\"Application Launch\" srcset=\"https:\/\/raffy.ch\/blog\/wp-content\/uploads\/2026\/02\/image-2.png 696w, https:\/\/raffy.ch\/blog\/wp-content\/uploads\/2026\/02\/image-2-300x244.png 300w\" sizes=\"(max-width: 696px) 100vw, 696px\" \/><\/a><\/p>\n\n\n<h3 class=\"wp-block-heading\">Download<\/h3>\n\n\n\n<div class=\"wp-block-file\"><strong>Workbook (v1.0)<\/strong> &#8211; <a id=\"wp-block-file--media-f0b67057-0e04-4c0a-9970-693ee493a144\" href=\"https:\/\/raffy.ch\/blog\/wp-content\/uploads\/2026\/02\/SIEM_Ratings_Framework.xlsm\">SIEM_Ratings_Framework<\/a> &#8211; Last updated: 2026-02-11\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Why I\u2019m releasing this<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Security analytics is in the middle of a reset. Incumbent SIEMs are being re-architected, new SIEM startups are emerging, and AI SOC vendors are rewriting parts of the operating model. End users and investors need a way to evaluate these platforms objectively, beyond feature checklists and marketing claims. 
This workbook is my attempt to make that evaluation repeatable, comparable, and anchored in the areas that I see missing or deficient in the incumbent SIEM space.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">If you use it, I\u2019d love your feedback<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">If you score a platform with it, use the <a href=\"https:\/\/raffy.ch\/SIEM\" title=\"\">Web app<\/a> and submit your rating. You need to log in via GitHub or Google so I don&#8217;t get flooded with fake entries. I&#8217;d love to crowdsource an assessment of all the SIEM and AI SOC vendors out there. Can we do it?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Update: Instead of an Excel spreadsheet, here is an online app that you can use. I&#8217;d love for you to submit your own ratings so we can crowd-source some of these answers! Over the last few weeks I published a post on the architectural and operational gaps that created the new wave of SIEM and [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,8,35,30],"tags":[],"class_list":["post-1594","post","type-post","status-publish","format-standard","hentry","category-log-analysis","category-security-information-management","category-security-intelligence","category-security-market"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/posts\/1594","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/comments?post=1594"}],"version-history":[{"count":19,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/posts\/1594\/revisions"}],"prede
cessor-version":[{"id":1626,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/posts\/1594\/revisions\/1626"}],"wp:attachment":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/media?parent=1594"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/categories?post=1594"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/tags?post=1594"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}