Independent reference. Not affiliated with Splunk, Microsoft, IBM, Elastic, Sumo Logic, LogRhythm, or any SIEM vendor.

Elastic Security SIEM pricing in 2026: self-managed vs cloud, and the true cost

Independent Elastic Security pricing reference. Free Basic tier vs paid subscriptions, Elastic Cloud resource-based pricing, self-managed infrastructure and engineering costs, and where Elastic genuinely wins or loses against Splunk and Sentinel.

Pricing model: resource-based plus per-user, cloud or self-managed
Basic tier: free; the SIEM core (Elastic License, not OSI open source)
Platinum: $125/user/mo; adds ML and cross-cluster search
Engineer premium: $120K-$180K; Elastic experience is scarce

Subscription tier comparison

Basic: free (source-available under the Elastic License, not OSI open source)
  Includes: core SIEM rules, basic detections, the ELK stack
  Missing: machine learning, advanced analytics, premium support

Gold: $95/user/mo
  Includes: Basic + Kibana spaces, alerting, JDBC
  Missing: ML, advanced security, cross-cluster

Platinum: $125/user/mo
  Includes: Gold + ML jobs, advanced security, cross-cluster
  Missing: endpoint integrations, advanced UEBA

Enterprise: $175/user/mo
  Includes: Platinum + Endpoint Security, SOAR, advanced UEBA
  Missing: bespoke MSSP features only

The "free software, expensive people" reality

The Elastic Basic tier is genuinely free, but operating an Elasticsearch cluster at security-grade reliability is a specialised skill. Engineers who can tune shards, manage rollover policies, and debug cross-cluster replication command a 30-50 percent premium over generic SREs. Budget honestly.

Infrastructure: $15K-$50K per year for 50-200 GB/day clusters. Hot, warm and cold tiers are required for cost-effective retention.

Engineering FTE: $120K-$180K per year for an engineer who can run Elasticsearch competently; 20-30 percent of their time goes to cluster ops alone.

Detection content: open-source rule sets exist but lag commercial vendors. Plan for a detection engineering function, not just a SIEM operator.

Real-world Elastic cost scenarios

Scenario | Profile | Licence | Total TCO | Notes
Startup | 5 GB/day, Basic + self-hosted | $0 licence | $45K-$70K | Single engineer maintains, infra ~$8K-$15K
Mid-market cloud | 50 GB/day, Elastic Cloud Platinum, 25 users | $85K-$110K/yr | $240K-$320K | Resource-based + per-user mix
Mid-market self-managed | 50 GB/day, Platinum subscription, on-prem cluster | $70K-$95K/yr | $310K-$420K | Engineer salary premium dominates
Enterprise | 200 GB/day, Elastic Cloud with the Enterprise tier, 75 users | $280K-$400K/yr | $760K-$1.1M | Full Endpoint Security included
Free-tier heavy | 200 GB/day, Basic only, 2 dedicated engineers | $0 licence | $520K-$680K | Engineering, infra, opportunity cost

FAQ

Common questions

Is Elastic SIEM free?

Elastic Security ships in four subscription tiers. The Basic tier is free (under the Elastic License rather than an OSI open-source licence, though Elasticsearch itself has also been offered under AGPL since 2024) and includes core SIEM detection rules, the Elastic Common Schema, basic Kibana, and the underlying Elasticsearch and Logstash. Gold ($95/user/month) adds Kibana spaces and alerting. Platinum ($125/user/month) adds machine learning jobs and cross-cluster search. Enterprise ($175/user/month) adds Endpoint Security and SOAR. The free tier is genuinely usable for SIEM but lacks ML-driven detections and the integrated endpoint agent.

How does Elastic Cloud pricing actually work?

Elastic Cloud Hosted uses resource-based pricing: you pay hourly for the compute (CPU and memory) and storage you provision rather than for ingest. A typical mid-market security deployment provisions 4-8 hot data nodes plus warm and cold tiers. Pricing is consumption-based and varies by region; expect roughly $0.50 to $1.10 per GB ingested as an effective rate, including compute and storage, before the per-user subscription. Resource-based pricing penalises spiky workloads less than per-GB models but rewards careful capacity planning, because you pay for provisioned capacity whether or not it is full. Elastic Cloud Serverless Security projects are the exception: they are priced on GB ingested and GB retained rather than on provisioned nodes, so they behave more like the per-GB models.
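The capacity planning that resource-based pricing rewards, and the hot/warm/cold retention tiers the self-managed section above says you need, come down to one calculation: how much disk each tier must hold once replicas, index overhead and disk-watermark headroom are counted, and what ILM policy moves indices through those tiers. The following is an added example, not code from Elastic or from this page; the retention periods, replica counts, the per-GB-month prices, the 1.1x overhead factor and the 85% fill target are constructed assumptions for illustration, and the `Tier`, `plan` and `ilm_policy` names are this example's own.

```python
"""Size hot/warm/cold storage for an Elastic Security cluster and emit the
matching index lifecycle (ILM) policy.

Added example for this page; not code from Elastic or from the page's author.
Tier retention, replica counts, per-GB prices and overhead factors below are
constructed assumptions for illustration.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Tier:
    name: str                # ILM phase: "hot", "warm" or "cold"
    days: int                # days an index spends in this phase
    replicas: int            # replica shards kept while in this phase
    usd_per_gb_month: float  # ASSUMED provisioned-storage price for the tier


# ASSUMPTION: indexed ECS events take ~1.1x their raw JSON size on disk.
INDEX_OVERHEAD = 1.1
# Elasticsearch stops allocating shards to a node above its high disk
# watermark (90% by default); plan to fill disks to no more than 85%.
USABLE_DISK_FRACTION = 0.85
# ILM's default index priorities: hot indices recover first after a restart.
PRIORITY = {"hot": 100, "warm": 50, "cold": 0}


def tier_storage_gb(daily_gb, tier):
    """Provisioned GB for one tier: ingest x days x copies x overhead, plus headroom."""
    copies = 1 + tier.replicas
    on_disk = daily_gb * tier.days * copies * INDEX_OVERHEAD
    return on_disk / USABLE_DISK_FRACTION


def plan(daily_gb, tiers):
    """Per-tier provisioned storage and monthly cost, plus the effective price
    per ingested GB that a resource-priced cluster works out to (storage only)."""
    rows = []
    for t in tiers:
        gb = tier_storage_gb(daily_gb, t)
        rows.append({"tier": t.name, "days": t.days,
                     "provisioned_gb": round(gb, 1),
                     "usd_per_month": round(gb * t.usd_per_gb_month, 2)})
    total_gb = round(sum(r["provisioned_gb"] for r in rows), 1)
    total_usd = round(sum(r["usd_per_month"] for r in rows), 2)
    return {"tiers": rows, "total_gb": total_gb, "usd_per_month": total_usd,
            "usd_per_ingested_gb": round(total_usd / (daily_gb * 30), 3)}


def ilm_policy(tiers, max_primary_shard_size="50gb", max_age="1d"):
    """Build an ILM policy body for PUT _ilm/policy/<name>: roll over in hot,
    demote through the later phases, delete when the last phase ends.
    Phase min_age is measured from rollover, so it accumulates across tiers."""
    phases = {}
    elapsed = 0
    for t in tiers:
        actions = {"set_priority": {"priority": PRIORITY[t.name]}}
        if t.name == "hot":
            # Rollover caps primary shard size; hot replicas come from the index template.
            actions["rollover"] = {"max_primary_shard_size": max_primary_shard_size,
                                   "max_age": max_age}
        else:
            actions["allocate"] = {"number_of_replicas": t.replicas}
        phases[t.name] = {"min_age": f"{elapsed}d", "actions": actions}
        elapsed += t.days
    phases["delete"] = {"min_age": f"{elapsed}d", "actions": {"delete": {}}}
    return {"policy": {"phases": phases}}


# Constructed scenario: 50 GB/day, 90 days total retention, one replica until cold.
TIERS = (Tier("hot", 7, 1, 0.20), Tier("warm", 23, 1, 0.10), Tier("cold", 60, 0, 0.05))

if __name__ == "__main__":
    print(json.dumps(plan(50, TIERS), indent=2))
    print(json.dumps(ilm_policy(TIERS), indent=2))
```

At the assumed prices the 50 GB/day scenario needs roughly 7.8 TB of provisioned disk and works out to about $0.45 per ingested GB for storage alone, below the page's quoted $0.50-$1.10 effective rate because hot-node compute, which is usually sized for indexing and search throughput rather than disk, is not included. Dropping the warm replica or shortening the hot phase changes the totals immediately, which is the capacity-planning lever the paragraph above is pointing at.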

What is the true cost of self-managed Elastic Security?

Self-managed Elastic appears cheap on the licence line and expensive everywhere else. Expect $15,000 to $50,000 per year in infrastructure for a mid-market deployment, plus a dedicated Elastic engineer at $120,000 to $180,000 per year (Elastic experience commands a premium), 20-30 percent of whose time goes on cluster maintenance, version upgrades and capacity planning. The real total is typically $200,000 to $300,000 annually for a 50 GB-per-day deployment, comparable to Sentinel or Sumo Logic.

Elastic Cloud vs self-managed: which is cheaper?

For most organisations under 200 GB per day, Elastic Cloud wins on TCO because the infrastructure operations burden vanishes. Self-managed wins where you already have an Elasticsearch practice (data engineering, observability, search), where data residency requirements demand on-prem, or above 500 GB per day where amortised hardware beats consumption pricing. The break-even is rarely about the licence line; it is about whether you have or want to build operational capability around the cluster.

How does Elastic Security compare to Splunk on cost?

At 50 GB per day with equivalent capability (Elastic Platinum vs Splunk Cloud with Enterprise Security), Elastic typically lands 30-50 percent below Splunk on total cost. The trade-off is detection content and search ergonomics: Splunk's premium app ecosystem (ES, ITSI, premium content packs) is mature, while Elastic relies on its open-source prebuilt rule set (the detection-rules repository) plus community contributions, and on your team's ability to write KQL, Lucene, EQL (for sequence rules) or ES|QL queries. For organisations that value Splunk's analyst experience, the premium is justified; for cost-conscious teams with engineering capacity, Elastic wins.
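To make concrete what "your team's ability to write KQL" buys, here is an added example, not code from Elastic's detection-rules repository or from this page: a constructed rule shaped like the `[rule]` table of a detection-rules TOML file, run offline over constructed ECS process events by a small evaluator. The evaluator supports only the KQL subset the rule uses (`field : value`, `*` wildcards, `and`/`or`/`not`, parentheses) and matches values case-sensitively, as KQL does on keyword fields; Elastic's real parser also handles ranges, value lists and nested queries. The rule name, the events and the `RULE`, `EVENTS`, `KqlParser` and `run_rule` names are all this example's own.

```python
"""Run a prebuilt-style Elastic Security rule, written in KQL, over sample
ECS events offline. Added example for this page; not code from Elastic's
detection-rules repository or from the page's author. The rule, events and
supported KQL subset are constructed for illustration."""
import re

# Constructed rule, shaped like the [rule] table of a detection-rules TOML file.
RULE = {
    "name": "PowerShell Encoded Command (constructed example)",
    "type": "query",
    "language": "kuery",
    "index": ["logs-endpoint.events.process-*"],
    "severity": "medium",
    "query": '(process.name : "powershell.exe" or process.name : "pwsh.exe") '
             'and process.args : "*-EncodedCommand*" and not user.name : "svc_deploy"',
}

# Constructed ECS-shaped events; only the fields the rule touches are filled in.
EVENTS = [
    {"process": {"name": "powershell.exe", "args": ["powershell.exe", "-EncodedCommand", "SQBFAFgA"]}, "user": {"name": "alice"}},
    {"process": {"name": "pwsh.exe", "args": ["pwsh.exe", "-EncodedCommand", "SQBFAFgA"]}, "user": {"name": "bob"}},
    {"process": {"name": "powershell.exe", "args": ["powershell.exe", "-EncodedCommand", "SQBFAFgA"]}, "user": {"name": "svc_deploy"}},
    {"process": {"name": "powershell.exe", "args": ["powershell.exe", "-File", "build.ps1"]}, "user": {"name": "alice"}},
    {"process": {"name": "cmd.exe", "args": ["cmd.exe", "/c", "whoami"]}, "user": {"name": "alice"}},
    {"event": {"category": "network"}},  # no process or user fields at all
]

TOKEN_RE = re.compile(r'\(|\)|:|"[^"]*"|[^\s():"]+')


class KqlParser:
    """Recursive descent over the subset: or-expr > and-expr > not / parens / field:value."""

    def __init__(self, query):
        self.toks = TOKEN_RE.findall(query)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        if self.pos >= len(self.toks):
            raise ValueError("unexpected end of query")
        tok = self.toks[self.pos]
        self.pos += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def or_expr(self):
        node = self.and_expr()
        while (self.peek() or "").lower() == "or":
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.unary()
        while (self.peek() or "").lower() == "and":
            self.take()
            node = ("and", node, self.unary())
        return node

    def unary(self):
        tok = self.take()
        if tok.lower() == "not":
            return ("not", self.unary())
        if tok == "(":
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return node
        if self.take() != ":":
            raise ValueError(f"expected ':' after field {tok!r}")
        return ("match", tok, self.take().strip('"'))


def get_field(event, dotted):
    """Walk an ECS dotted field name through nested dicts; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def value_matches(actual, pattern):
    """'*' is the only wildcard; a multi-valued field matches if any value does."""
    regex = re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")
    values = actual if isinstance(actual, list) else [actual]
    return any(regex.match(str(v)) for v in values)


def evaluate(node, event):
    kind = node[0]
    if kind == "match":
        actual = get_field(event, node[1])
        return actual is not None and value_matches(actual, node[2])
    if kind == "not":
        return not evaluate(node[1], event)
    if kind == "and":
        return evaluate(node[1], event) and evaluate(node[2], event)
    return evaluate(node[1], event) or evaluate(node[2], event)


def run_rule(rule, events):
    """Return the events the rule's KQL query selects."""
    ast = KqlParser(rule["query"]).parse()
    return [e for e in events if evaluate(ast, e)]


if __name__ == "__main__":
    for hit in run_rule(RULE, EVENTS):
        print(RULE["name"], "->", hit["process"]["name"], hit["user"]["name"])
```

Two of the six constructed events fire (alice's powershell.exe and bob's pwsh.exe); the svc_deploy event is suppressed by the `not` clause, and the event with no process fields is rejected because a missing field never matches. The work a Splunk ES content pack would otherwise absorb is exactly the part this example leaves to you: choosing the fields, the wildcard patterns and the exclusions, and keeping them current.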

Updated 2 May 2026