A belated Happy New Year, and welcome to some crystal ball gazing for 2026. No… just joking. That’s a fool’s errand. However, there are a few observations we’d like to share based on customer behaviour, vendor activity, and broader market commentary.
Firstly, it’s worth defining what we’re actually talking about. Apto sits in the data analytics space, with two main lenses powering that domain: cybersecurity, typically termed Security Information and Event Management (SIEM), and observability, or its close relation, IT operations. Most of the data sources powering these platforms come from networks, endpoints such as servers and PCs, and cloud environments. We are also seeing increasing evolution into Operational Technology (more on that later; think mechanical systems, pumps, valves, etc.).
This would be far too long a blog if we went into deep detail on every domain, and we may do so in separate posts later.
What we’ve seen in 2025
This is always a good place to start. While the past doesn’t predict the future, it does offer useful signals. The first, and most obvious, is data.
Customers, both new and existing, are struggling with the sheer volume, velocity, and variability of data. At the same time, SIEM and observability platforms typically charge by ingest. This creates three immediate problems:
- Do I actually need this data?
- Why is this costing so much?
- And how do I manage the platform itself?
Data pipelines
Data pipelines have become commonplace over the last 18 months. Observability generally wins on volume, and trimming data volume has been, and still is to some degree, a major focus, often achieving up to 50% like-for-like reduction.
The problem, however, is that data volumes continue to grow at around a 20% CAGR. As a result, customers are increasingly asking “why?”. Exploring who is using the platform, which stakeholders are involved, and what data they actually need has become the first port of call.
A common discovery is that the original sponsor of the platform (often security) is unknowingly subsidising a much larger user base, such as observability or another stakeholder group. This explains many “it’s costing too much” conversations, where the bill doesn’t reflect the sponsor’s actual usage. Only well-scoped data and user discovery can surface this, along with realistic options to move forward.
Beyond quick-win data reduction, the data pipeline itself is far more powerful, but only if the discovery work is done first. Choosing the right product in an increasingly crowded market is also interesting, particularly when you look at recent acquisitions by CrowdStrike, SentinelOne, and Palo Alto Networks. Control the data, control the customer.
Other data engineering considerations
If we take cybersecurity as an example of the downstream impact of the above, many customer conversations quickly move beyond ingest cost to the storage tax charged by analytics platforms.
As a result, we consistently see trends across customer discussions, vendor behaviour, and analyst commentary in the following areas:
- The role of the SIEM
An oversimplification, but most organisations have Endpoint Detection and Response (EDR) tooling, so the traditional model of ingest-to-decision always happening in the SIEM is shifting (for this example I’m ignoring all the other SPM tools, etc.). Given that shift, why not normalise, enrich, and filter data upstream so the SIEM is better suited for hunting, root cause analysis, and advanced investigations? This also helps explain why SIEM vendors are acquiring data pipeline technologies.
- Data gravity
Not all data is making a beeline to the SIEM anymore. We’re already working with customers on the overlap between security and IT telemetry. Gartner has referenced up to 80% commonality in data between observability and security use cases. Clients want a more holistic view, and we increasingly see the same data being ingested into multiple platforms. Convergence is happening, driven by analytics capability rather than labels.
- Data persistence
With more focus on pre-processing, compliance, and full-fidelity data, storing everything inside analytics platforms has become expensive and inflexible. Data lakes are gaining renewed focus, particularly around how analytics platforms interact with them and how customers can better leverage existing cloud commit spend.
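To make the “normalise, enrich, and filter upstream” idea concrete, and to show where the like-for-like volume reduction discussed under Data pipelines actually comes from, here is an added example of a minimal pipeline stage. It is illustrative code written for this post, not Apto’s code or any vendor’s product. The raw log lines, the asset inventory, the hostnames and IP ranges, and the drop rules are all constructed; a real deployment would source the inventory from a CMDB and tune the rules against its own data.

```python
"""Added example (not Apto's code or any vendor's product): a minimal upstream
pipeline stage that normalises, enriches and filters events before they reach
the SIEM, and reports the like-for-like volume reduction. Every log line, the
asset inventory and the drop rules are constructed for illustration."""
import json
import re

# Constructed raw input: syslog lines from a Linux host and JSON lines from a
# load balancer, i.e. two formats that would otherwise hit the SIEM unmodified.
RAW_EVENTS = [
    "<86>Jan 12 09:15:01 web01 sshd[2231]: Accepted publickey for deploy from 10.0.4.7 port 51422 ssh2",
    "<86>Jan 12 09:15:03 web01 sshd[2231]: Failed password for root from 203.0.113.9 port 40212 ssh2",
    '{"ts":"2026-01-12T09:15:04Z","host":"lb02","app":"haproxy","level":"DEBUG","msg":"health probe ok","src_ip":"10.0.0.5"}',
    '{"ts":"2026-01-12T09:15:05Z","host":"lb02","app":"haproxy","level":"INFO","msg":"upstream connect","src_ip":"198.51.100.23"}',
    "<86>Jan 12 09:15:06 web01 cron[410]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Constructed asset inventory (hypothetical hosts) used for enrichment.
ASSETS = {
    "web01": {"owner": "platform", "tier": "internet-facing"},
    "lb02": {"owner": "network", "tier": "internet-facing"},
}

SYSLOG_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def normalise(line):
    """Map one raw line onto a common schema; return None if it cannot be parsed."""
    if line.startswith("{"):
        try:
            d = json.loads(line)
            return {"time": d["ts"], "host": d["host"], "app": d.get("app", "unknown"),
                    "severity": d.get("level", "info").lower(), "message": d["msg"],
                    "src_ip": d.get("src_ip")}
        except (ValueError, KeyError):
            return None
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ip = IPV4_RE.search(m["msg"])
    # Syslog carries no severity in the message body here; derive a coarse one.
    severity = "warning" if m["msg"].startswith("Failed") else "info"
    return {"time": m["ts"], "host": m["host"], "app": m["app"].strip(),
            "severity": severity, "message": m["msg"],
            "src_ip": ip.group(0) if ip else None}


def enrich(event):
    """Attach asset context so downstream rules need no per-host lookups."""
    asset = ASSETS.get(event["host"], {"owner": "unknown", "tier": "unknown"})
    event["asset_owner"] = asset["owner"]
    event["asset_tier"] = asset["tier"]
    # Constructed convention: 10.0.0.0/8 is the internal range in this example.
    event["src_is_internal"] = bool(event["src_ip"] and event["src_ip"].startswith("10."))
    return event


# Drop rules: high-volume, low-value noise the SIEM does not need for detection.
DROP_RULES = [
    lambda e: e["severity"] == "debug",
    lambda e: e["app"] == "cron" and " CMD " in e["message"],
]


def run_pipeline(lines):
    """Normalise -> enrich -> filter. Unparsable lines are forwarded and tagged, never dropped."""
    kept = []
    stats = {"in": 0, "kept": 0, "dropped": 0, "unparsed": 0, "in_bytes": 0, "out_bytes": 0}
    for line in lines:
        stats["in"] += 1
        stats["in_bytes"] += len(line.encode())
        event = normalise(line)
        if event is None:
            # A parser failure must not become a blind spot: forward raw and flag it.
            stats["unparsed"] += 1
            event = {"message": line, "parse_error": True}
        else:
            event = enrich(event)
            if any(rule(event) for rule in DROP_RULES):
                stats["dropped"] += 1
                continue
        kept.append(event)
        stats["kept"] += 1
        stats["out_bytes"] += len(line.encode())
    # Like-for-like reduction: raw bytes still forwarded versus raw bytes received.
    ratio = stats["out_bytes"] / stats["in_bytes"] if stats["in_bytes"] else 1.0
    stats["byte_reduction_pct"] = round(100 * (1 - ratio), 1)
    return {"events": kept, "stats": stats}


if __name__ == "__main__":
    result = run_pipeline(RAW_EVENTS)
    for e in result["events"]:
        print(json.dumps(e))
    print(result["stats"])
```

The design choice worth noting is the handling of lines the parser does not understand: they are forwarded raw with a parse_error flag rather than discarded, so a new or changed log format shows up as a visible count in the stats instead of a silent gap in the SIEM.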
Platform ownership and management
We’ve written about this previously in the Articles section of our website, including what Apto Operate is and why it isn’t tied to a single analytics or data pipeline platform. It’s still worth revisiting why this type of service exists and how to explain it in non-technical terms.
Modern SIEM and observability platforms, including data pipelines (Splunk, Datadog, Elastic, etc.), are not simple tools. They are complex, distributed data platforms.
Their biggest weakness is that they fail silently. A broken pipeline, a misconfigured parser, or a new unmonitored service can leave you flying blind without realising it. You continue paying for a platform that isn’t receiving the right data, rendering it useless when an incident actually occurs. This often stems from organic platform adoption across multiple stakeholder groups (SREs, SOC analysts, cloud engineers, network teams) without central operational ownership.
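“Monitoring the monitors” is the practical answer to silent failure. As an added example, not Apto’s code or any platform’s built-in feature, the following check runs over a per-source hourly ingest volume report, the kind of figure every SIEM or observability platform can produce, and flags the three failure modes described above: a known source that has gone quiet, a source whose volume has collapsed against its own recent baseline (a broken pipeline or parser), and a source nobody registered (a new unmonitored service). The source names, counts and the 50% collapse threshold are constructed.

```python
"""Added example (not Apto's code): a small 'monitor the monitors' check that
flags log sources which have gone silent, whose volume has collapsed relative
to their own recent baseline, or which appeared without being registered.
Source names, hourly counts and thresholds are constructed for illustration."""
from collections import defaultdict
from statistics import median

# Constructed hourly ingest counts: (window start, source, events ingested).
# In the 09:00 window the firewall feed collapses, CloudTrail stops entirely,
# and an unregistered Kubernetes source starts sending.
VOLUME_REPORT = [
    ("2026-01-12T06:00Z", "fw-edge", 51200),
    ("2026-01-12T06:00Z", "edr-agents", 8900),
    ("2026-01-12T06:00Z", "cloudtrail", 1400),
    ("2026-01-12T07:00Z", "fw-edge", 49800),
    ("2026-01-12T07:00Z", "edr-agents", 9100),
    ("2026-01-12T07:00Z", "cloudtrail", 1350),
    ("2026-01-12T08:00Z", "fw-edge", 52300),
    ("2026-01-12T08:00Z", "edr-agents", 8700),
    ("2026-01-12T08:00Z", "cloudtrail", 1420),
    ("2026-01-12T09:00Z", "fw-edge", 3100),
    ("2026-01-12T09:00Z", "edr-agents", 9000),
    ("2026-01-12T09:00Z", "k8s-prod", 22000),
]

# Constructed register of sources the platform owner expects to receive.
KNOWN_SOURCES = {"fw-edge", "edr-agents", "cloudtrail"}


def check_sources(report, known_sources, collapse_ratio=0.5):
    """Return (source, finding, detail) tuples for the most recent window.

    collapse_ratio is the fraction of the median historical volume below which
    a source is treated as broken rather than merely quiet (constructed value).
    """
    by_window = defaultdict(dict)
    for window, source, count in report:
        by_window[window][source] = count
    windows = sorted(by_window)
    if not windows:
        return []
    latest, history = windows[-1], windows[:-1]
    findings = []

    for source in sorted(known_sources):
        if source not in by_window[latest]:
            findings.append((source, "silent", f"no events in window {latest}"))
            continue
        baseline = [by_window[w][source] for w in history if source in by_window[w]]
        if not baseline:
            continue  # first time seen; nothing to compare against yet
        base = median(baseline)
        now = by_window[latest][source]
        if now < base * collapse_ratio:
            findings.append((source, "volume_collapse",
                             f"{now} events vs baseline median {base:.0f}"))

    # Anything present in the latest window that nobody registered.
    for source in sorted(set(by_window[latest]) - set(known_sources)):
        findings.append((source, "unexpected_source",
                         f"{by_window[latest][source]} events from unregistered source"))
    return findings


if __name__ == "__main__":
    for source, finding, detail in check_sources(VOLUME_REPORT, KNOWN_SOURCES):
        print(f"{finding:18} {source:12} {detail}")
```

Run on a schedule and fed into the same alerting path the SOC already watches, a check like this turns “we stopped receiving firewall logs three weeks ago” into a same-day ticket, which is the difference between a platform operator role existing and not.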
In any successful platform deployment, there are three distinct roles. The gap is that the third is almost always missing:
- Data consumers (the users)
Who they are: Security analysts, DevOps teams, developers
Their job: Use the data to detect threats, fix issues, and monitor service-level objectives. They are the drivers of the car.
- Platform engineers (the builders)
Who they are: Platform teams, SREs, cybersecurity engineers
Their job: Build content on the platform: detection rules, dashboards, and application instrumentation. They are the engineers improving the car.
- Platform operators (the mechanics)
Who they are: This is the gap
Their job: Keep the platform healthy. They monitor the monitors, manage ingestion pipelines, optimise license and cloud costs, and ensure data availability. They are the pit crew. Without them, the platform eventually breaks down, regardless of how good the drivers or builders are.
It may not be the perfect analogy, but it reflects the gap we see repeatedly. This is a difficult skill set to train, retain, and scale, and one that benefits from broad, multi-platform experience.
2026 outlook
Beyond the continuation of the themes above, we see the following trends emerging with our customers, both new and existing:
- Data engineering as a must-have
Incremental progression in data engineering is no longer optional. Customers will no longer accept blindly ingesting everything into analytics platforms.
- Critical National Infrastructure (CNI) focus
CNI clients remain heavily compliance-driven, particularly around NCSC CAF requirements and operational technology estates. Ensuring secure, one-way data movement from OT into analytics platforms with no blind spots is a priority.
- Data security and AI risk
Customers are increasingly concerned about AI, particularly agentic workflows and LLMs, and how prompt injection could be exploited. Data loss prevention is also rising on the agenda, though definitions vary. We haven’t yet seen widespread appetite for fully automated AI-led threat investigations, but semi-automation is gaining interest.
- Tool and point-solution consolidation
CISOs are beginning to move away from large stacks of point solutions. Vendors such as CrowdStrike, alongside the ever-present Microsoft, are pushing integrated platforms across telemetry and security. Datadog is following a similar path. That said, point solutions in emerging categories, such as AI detection, remain relevant.
- Data and “lens” convergence
Observability and cybersecurity are rapidly collapsing into a single platform conversation. Underneath the labels, both rely on the same raw material: high-volume telemetry enriched with context and queried in near real time. As organisations push for fewer tools and less duplication, the two-pipeline model is giving way to a shared data layer that supports both reliability and threat detection, often with different lenses, but the same underlying records. This naturally aligns with lake-based architectures.
This is where open standards begin to matter. OpenTelemetry (OTel) is becoming the default for generating and moving telemetry consistently, while security-focused schema efforts aim to normalise event meaning across vendors. The end goal is vendor independence: collect once, model the data so it remains portable, and retain the flexibility to change storage or analytics platforms without re-instrumenting or losing historical context.
- Platform management
As outlined earlier, this is the fastest-growing part of our business. Our clients already have highly skilled engineers and analysts and want them focused on what they do best. Managing licensing, ingestion mechanics, and platform health is increasingly something they choose to outsource.