Open-source SIEM in 2026: free software, real costs
Independent true-cost analysis. Wazuh, ELK Stack, OpenSearch, Security Onion, and OSSIM compared on infrastructure, engineering tax, detection content, and the honest break-even against commercial SIEM at every common volume.
The "free" reality
Open-source SIEM software is genuinely free. Operating it is not. Infrastructure runs $15K-$50K per year for a credible mid-market cluster. Engineering staff who can run Elasticsearch, Wazuh, or Hadoop competently command salaries comparable to senior site reliability engineers, with a 20-30 percent premium for security-context expertise.
Open-source SIEM also lacks the vendor-curated detection content that commercial SIEMs ship out of the box. Splunk Enterprise Security, Sentinel Analytics rules, and QRadar content packs represent thousands of hours of detection engineering. Replicating that internally takes 6-18 months of dedicated detection engineering capacity.
What you gain is control: full access to the underlying data model, complete customisation, no per-GB or per-EPS pressure, and zero vendor lock-in. For engineering-strong organisations with sustained log volume, the trade-off often makes sense. For everyone else, the implicit cost outweighs the explicit savings.
Open-source SIEM options
| Project | Strength | Weakness | Infra cost | Licence |
|---|---|---|---|---|
| Wazuh | Endpoint + log SIEM, agent-based | Detection content lighter than commercial | $15K-$40K/yr at mid-market | Free (GPLv2) |
| ELK Stack (Elastic) | Best-in-class search, Elastic SIEM detection rules | Operations skill premium, licensing change to ELv2 in 2021 | $20K-$60K/yr at mid-market | Free Basic / paid tiers |
| OpenSearch | Apache 2 fork of Elasticsearch, AWS-backed | Detection content gap vs Elastic, smaller community | $15K-$50K/yr | Free (Apache 2.0) |
| Security Onion | Curated bundle of open tools, network + endpoint | Hard to scale, opinionated stack | $10K-$30K/yr | Free (Elastic Licence) |
| OSSIM (AlienVault) | Mature, packaged, asset discovery built-in | Slow innovation, owned by AT&T | $8K-$25K/yr | Free open-source |
| Apache Metron / Hadoop | Massive scale, big-data architecture | Project less active in 2026, complex ops | $30K-$100K/yr | Free (Apache 2.0) |
True annual cost: 50 GB/day open-source SIEM
Real fully loaded cost for a credible Wazuh or ELK deployment supporting a mid-market security operation.
| Cost component | Range | Detail |
|---|---|---|
| Infrastructure (50 GB/day cluster) | $25K-$45K/yr | Hot, warm, cold tiers; 365-day retention |
| Senior Elastic / Wazuh engineer | $120K-$180K + 28% | Includes 28% benefits load |
| Engineer ops time (25-30%) | $38K-$57K | Cluster maintenance, upgrades, capacity planning |
| Detection content development | $50K-$120K Y1 | No vendor pack equivalent |
| Lack of commercial support (incident impact) | $15K-$50K | Industry estimate of one extended incident per year |
| Training and certification | $8K-$15K | Self-study + community resources cheaper than vendor |
| Year 1 total fully loaded | $256K-$467K | Sum of the rows above before the 28% benefits load is applied; compare against Sentinel at the same volume |
Open-source vs commercial: break-even by volume
| Volume | Open-source TCO | Sentinel TCO | Winner |
|---|---|---|---|
| 10 GB/day | $140K-$190K | $45K-$70K | Sentinel |
| 50 GB/day | $190K-$280K | $95K-$140K | Sentinel |
| 100 GB/day | $240K-$340K | $180K-$250K | Sentinel marginal |
| 200 GB/day | $310K-$430K | $320K-$420K | Tied |
| 500 GB/day | $450K-$620K | $650K-$900K | Open-source |
| 1 TB/day | $680K-$900K | $1.2M-$1.6M | Open-source |
Open-source TCO includes infrastructure plus one engineer FTE; it is narrower in scope than the Year 1 fully loaded total above, which also counts detection content development, incident impact, and training. Sentinel TCO includes the commercial licence plus one analyst FTE. Both assume 365-day retention and a standard log mix. Break-even sits in the 200-500 GB per day range for most deployments.