State of the TDIR Survey 2024

Gorka Sadowski
4 min readFeb 1, 2024

Organizations overconfident in their TDIR ability despite huge blind spots

The why and the how of this report

More reports? Do we need yet another vendor-sponsored “State of” survey? Yes, we do. But we already have many excellent reports, such as:

- Verizon DBIR —

- IBM Cost of data breach —

- Crowdstrike Global threat report —

- Google cloud cybersecurity forecast —

What’s different with Exabeam’s report? These other reports are “generalist” reports and sometimes lack the focus required to grasp a topic completely. Exabeam’s survey, made in collaboration with IDC, shines a light specifically on threat detection, investigation and response (TDIR) across a wide array of worldwide customers.

A word on the report’s methodology. From my Gartner days, I know how important a sound methodology — including solid sample size and wide representability — are to the credibility of the insights obtained. This survey included 1,155 senior and mid-level security and IT professionals across different industries, organization sizes, cybersec maturity levels and revenue numbers, in eight countries. Distribution looks statistically sound and results reliable.

As I read through the report, I found many interesting and relevant insights. A couple jumped at me and I wanted to discuss these. They are both concerning for different reasons, but can somehow be fixed or mitigated with some efforts.

  1. Organizations’ overconfidence in their ability to do TDIR efficiently
  2. Organizations’ acknowledgement of limited TDIR scope

Insight 1. Organizations’ overconfidence in their TDIR ability

A concerning stat. A staggering 90% of organizations believe they have good or excellent ability to detect cyberthreats. An equally surprising 78% of organizations believe they have a very effective process to investigate and mitigate threats.

These results are strange considering how few organizations have really effective detection tooling that include UEBA or anomaly-based alerting mechanisms, and how difficult it is to thoroughly investigate and perform forensics after true positive alerts get generated. And these results are totally at odds with the shocking stat that it takes an average 200–300 days (fluctuates year-over-year and across surveys) for organizations to realize that they have been hacked.

Organizations’ optimistic perception is either due to a state of wishful thinking, or more probably to a misunderstanding of the complexity of doing TDIR in today’s threat landscape. Maybe their optimism is fueled by year-to-year improvement on some of the SOC metrics that they track — 70% of respondents reported improvements in their mean time to detect, investigate, respond and remediate KPIs from 2022 to 2023.

Discrepancy in the answers. It is further interesting to observe that CISOs are more optimistic than Directors of Security. Specifically, 67% of CISOs surveyed had high confidence in their threat detection capabilities versus only 58% of Directors of Security. This misalignment is also a bit concerning and likely points to a lack of honest communication. Come on, we have to tell the CISO the real truth about the organization’s TDIR posture. No sugar coating please.

Insight 2. Organizations’ acknowledgement of limited TDIR scope

Another area of concern. Organizations acknowledge that they can only “see” or monitor 66% of their IT environments. This means that about a third of the attack surface is outside the scope of TDIR. That’s a huge blind spot, and further complicates the above point of overconfidence in TDIR abilities.

From what I’ve seen in my career, there are two main reasons for this situation.

Assets genuinely out of purview of the IT and the security team. This is the proverbial “Shadow IT”, and includes for example SaaS applications acquired by business units, cloud assets procured by development teams, or other BYOD devices brought online by some employees — all outside the knowledge of the IT and security teams.

To mitigate this, organizations need strong methodologies to not only figure out the current attack surface, but also to help manage this attack surface that constantly evolves based on changes in the organization. To help this process, there are new breeds of attack surface management (ASM) tools being introduced to the market. These include external attack surface management (EASM), or cyber asset attack surface management (CAASM).

Assets purposely not brought in scope of TDIR. Worse is the case where organizations do know about their assets but somehow decide to not bring them in scope for their TDIR. This usually happens because organizations don’t have a methodology to understand what data points are important. And then key assets such as identity tools can be left out of the TDIR scope.

This situation is really sad. Best practices have existed for many years now. First, organizations should start by defining the prioritized list of use cases that are important to them. These use cases can include ransomware, insider threat, or data exfiltration. Then, once that list is defined, it is trivial to understand what data sources need to be monitored, what analytics need to be switched on, and how to respond to typical alerts.

Next-gen tools such as modern SIEMs can help organizations understand what data points are relevant for what use cases. And organizations should consider tools that provide these advanced capabilities while offering cost-effective scalability and cost structure — usually cloud-native tools — so as to bring all required assets in scope within a reasonable budget.

What else does the report uncover?

There are other nuggets in this report, and I encourage the reader to spend a few minutes perusing the different insights. For example, good data on the maturity and the level of TDIR automation across geographies, the list of challenges that security teams face in TDIR, or organizations’ considerations when considering their TDIR platforms.

Good stuff, Exabeam. Thanks for driving this research in collaboration with IDC to shed some light on the state of TDIR in the industry.



Gorka Sadowski

Cybersecurity expert and Chief Strategy Officer at Exabeam. Former Gartner analyst driving SIEM and SOC research and builder of the Splunk security ecosystem.