
Microsoft Is Sole Cloud Giant 'Leader' in AI-Heavy Security Analytics Report

The cloud is seen as a natural fit for compute-intensive analytics of all kinds -- including security -- but a new analyst report on that space sees Microsoft as the sole cloud giant mentioned among the leaders.

The term "Leaders" is an official categorization of research firm Forrester's "Wave" series of reports, which places vendors on a chart with axes for the strength of their offerings and strategies.

In the new Forrester Wave: Security Analytics Platforms, Q2 2025 report, Microsoft leads the pack on the latter axis, strength of strategy.

Figure: Forrester Wave: Security Analytics Platforms, Q2 2025 (source: Forrester).

As far as the hyperscalers go, Google ranked only as a "Strong Performer," while AWS's Amazon Security Lake, generally available in 2023, was deemed not yet mature enough to be included in this year's report.

It was advanced AI, though, not the platform on which it's delivered, that marked this year's report, with Forrester calling out AI as a transformative force reshaping how security operations function. While nearly every vendor touted AI in their vision, the analyst firm found clear distinctions in execution -- highlighting that only some platforms moved beyond chatbots and incident summaries to deliver true innovation like AI agents, automated parsing, and advanced detection engineering. The report emphasized that choosing the right AI-driven platform now could fundamentally improve how security teams operate going forward.

Forrester framed this moment as a critical inflection point, noting that "AI will change the way security operations functions, and betting on the right horse now will enable your team to change with it." While many vendors included AI in their strategies, the report highlighted stark contrasts in implementation maturity. "Many vendors had some of the functionality we have come to expect: incident summaries, chatbots, and query language translation," the report explained. "However, those that differentiated delivered AI agents, automated parsing, and other leading features." Forrester's analysis makes clear that successful platforms are not merely layering AI onto legacy workflows but are instead transforming how teams detect, investigate, and respond -- marking a shift from incremental enhancement to fundamental operational change.

Other Key Considerations for Buyers:

The tradeoff between flexibility and specialization: Longtime SIEM vendors tend to offer deep capabilities around data -- ingestion, manipulation, and searchability -- making them well-suited for complex and customizable use cases. The tradeoff, however, is that these platforms may require more manual effort and technical expertise. On the other side of the spectrum, newer XDR-focused vendors simplify operations with limited collectors and more guided workflows, but may fall short in areas like compliance reporting or advanced query customization. "Both approaches are valuable," Forrester noted, "which is better depends on what you want to get out of the tool."

The value-add of platformization: Security analytics platforms, by nature, act as centralized hubs for ingesting data and executing response actions. Vendors that offer tight integration with their own product suites -- especially those that waive ingestion costs for native data -- can provide substantial operational and financial advantages. While interoperability with third-party tools remains an industry goal, Forrester cautioned that "nothing integrates or bundles quite like native tools."

Vendors Not Included
Forrester noted that its Wave evaluation focuses on the top vendors in the market and does not represent the full vendor landscape. The following providers were mentioned as notable but not included in this year's report:

  • Amazon Web Services: While frequently mentioned by clients, AWS's Amazon Security Lake "is not yet mature enough in analytics, threat management, automation, dashboards, and reporting to include in this evaluation."
  • Devo Technology: Previously included, but "no longer has the market share to meet the inclusion criteria."
  • Gurucul: Also previously included, but similarly dropped due to insufficient market share.
  • Logpoint: Excluded because its market share is primarily European, which does not meet Forrester's geographic inclusion requirements.
  • OpenText (Micro Focus): Removed due to diminished mindshare among Forrester's enterprise clients.
  • Trellix: Excluded for the same reason -- lack of mindshare -- despite its strategic focus on XDR after the FireEye and McAfee Enterprise merger.

Methodology and Evaluation Scope
The firm reviewed participating vendors using a combination of product demos, detailed questionnaires, and customer interviews. Placement in the Wave chart reflects how each vendor scored relative to others, and Forrester emphasized that the report is intended as a starting point -- encouraging buyers to adapt findings to their own use cases using its interactive comparison tool. The firm evaluated the vendors using materials they provided by March 20, 2025, and did not allow additional information after that point.

About the Author

David Ramel is an editor and writer at Converge 360.
