SIEMply SIEM: Getting set up without buyer’s remorse

Speakers

Adam White, Sr. Director, Technical Marketing

David Girvin, Lead Technical Advocate

Zoe Hawkins, Director, Content Marketing

We’ve all been there: you buy the SIEM, check the box, and wonder six months later why nothing’s actually working. In this episode, Adam White, Zoe Hawkins, and David Girvin dig into what it really takes to get a SIEM running properly, from threat modeling your business objectives first to the iterative tuning work that never quite ends. We also get into the AI hype cycle in security, why probabilistic tools have real limits in regulated environments, and the vendor lock-in math that makes switching harder than it looks. Worth a listen for any security practitioner or team lead who’s staring at a half-configured deployment and wondering whether the problem is the tool or the implementation.

0:00:00 – Introduction

0:00:26 – The SIEM setup problem: why so many go unused

0:02:35 – Checkbox compliance and the auditor gap

0:04:35 – What “properly configured” actually means

0:05:33 – Threat modeling as the foundation for SIEM setup

0:09:40 – Using AI for gap analysis and tuning (not just threat hunting)

0:12:13 – How to tell if your SIEM is actually working

0:15:12 – Signal vs. noise: the stages of SOC maturity

0:19:42 – Vendor lock-in vs. best-of-breed in a consolidating market

0:24:14 – Startup acquisition risk and staying power

0:28:18 – The real lesson: configuration beats chasing the next tool

0:30:31 – Wrap-up