
Microsoft Leads Cloud Hyperscalers in AI-Heavy Security Analytics Field

As security analytics becomes increasingly AI-driven, Microsoft is the only cloud hyperscaler to rank as a leader in the field, owing to its advanced AI capabilities and long-term roadmap, according to the findings of a recent Forrester report.

According to the firm's Forrester Wave: Security Analytics Platforms, Q2 2025 report, Microsoft was the only cloud hyperscaler rated a "Leader" in the space, outperforming rivals Google (which landed in the "Strong Performer" tier) and Amazon Web Services (which did not meet the maturity criteria for inclusion at all).

Figure: Forrester Wave: Security Analytics Platforms, Q2 2025 (source: Forrester).

The standout factor in this year's evaluation was the depth and functionality of AI, not just its presence. While nearly every vendor made AI a talking point, Forrester highlighted Microsoft's success in going beyond superficial features to deliver innovations like AI-driven threat detection and automated parsing. Forrester's analysis makes clear that successful platforms are not merely layering AI onto legacy workflows; they're also transforming how teams detect, investigate and respond, marking a shift from incremental enhancement to fundamental operational change.

"AI will change the way security operations functions, and betting on the right horse now will enable your team to change with it," the research firm said.

Other Key Considerations for Buyers:
The tradeoff between flexibility and specialization: Longtime SIEM vendors tend to offer deep capabilities around data -- ingestion, manipulation and searchability -- making them well-suited to complex, highly customized use cases. The tradeoff is that these platforms may require more manual effort and technical expertise. At the other end of the spectrum, newer XDR-focused vendors simplify operations with a smaller set of collectors and more guided workflows, but may fall short in areas such as compliance reporting or advanced query customization. "Both approaches are valuable," Forrester noted, "which is better depends on what you want to get out of the tool."

The value-add of platformization: Security analytics platforms, by nature, act as centralized hubs for ingesting data and executing response actions. Vendors that offer tight integration with their own product suites -- especially those that waive ingestion costs for native data -- can provide substantial operational and financial advantages. While interoperability with third-party tools remains an industry goal, Forrester cautioned that "nothing integrates or bundles quite like native tools."

Vendors Not Included
Forrester noted that its Wave evaluation focuses on the top vendors in the market and does not represent the full vendor landscape. The following providers were mentioned as notable but not included in this year's report:

  • Amazon Web Services: While frequently mentioned by clients, AWS's Amazon Security Lake "is not yet mature enough in analytics, threat management, automation, dashboards, and reporting to include in this evaluation."
  • Devo Technology: Previously included, but "no longer has the market share to meet the inclusion criteria."
  • Gurucul: Also previously included, but similarly dropped due to insufficient market share.
  • Logpoint: Excluded because its market share is primarily European, which does not meet Forrester's geographic inclusion requirements.
  • OpenText (Micro Focus): Removed due to diminished mindshare among Forrester's enterprise clients.
  • Trellix: Excluded for the same reason -- lack of mindshare -- despite its strategic focus on XDR after the FireEye and McAfee Enterprise merger.

About the Author

David Ramel is an editor and writer at Converge 360.
