@hackernoon while I don't object to your conclusions, I feel like there's a big question here that hasn't been answered: why are you stipulating "real-time"?

Real-time detection is only advantageous if the situation warrants real-time response AND the organisation is capable of delivering it (namely via automation - even a 24/7 SOC is unlikely to get a response rolling in under 30 minutes if it's human-driven); otherwise you're wasting time and money. In my experience, that combination is very rare.