SIEM Pricing Models Explained
The pricing model you choose has a bigger impact on long-term SIEM cost than the vendor selection itself. Understanding each model helps you negotiate better and optimize before you sign.
Per GB Ingested
Used by: Splunk, Microsoft Sentinel, Datadog
You pay for every gigabyte of log data ingested into the SIEM, regardless of whether events are queried or correlated. Some vendors also charge separately for storage beyond a short hot-storage window.
Advantages
- Simple to understand and forecast if log volume is stable
- Rewards reduction in log noise (filtering before ingest)
- No per-user seat cost as analyst team grows
Disadvantages
- Costs grow linearly with log volume, so cloud sprawl hurts
- Storage and retention fees are typically charged separately
- Perverse incentive to exclude valuable but high-volume sources
Cost Optimization Tip
Use log filtering, aggregation, and sampling on noisy but low-value sources (e.g. NetFlow, verbose application logs). Reduce volume 30-50% before ingest.
Per EPS (Events Per Second)
Used by: IBM QRadar, ArcSight
You license based on the peak or average number of events per second your sources generate. One EPS is typically one log line per second sustained. License tiers are often 1,000, 2,500, 5,000, 10,000 EPS and above.
Advantages
- Rewards filtering and aggregation before the SIEM
- Predictable if your event rate is stable
- Storage is usually included in most EPS tiers
Disadvantages
- EPS bursts during incidents can require costly tier upgrades
- Harder to predict for organizations with variable workloads
- The definition of EPS varies by vendor, so normalize carefully when comparing quotes
Cost Optimization Tip
Aggregate repeated identical events at the collector layer. Syslog aggregators and SIEM forwarders can reduce EPS 40-60% through event deduplication.
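An added example (not from the original page or any vendor) of the collector-layer deduplication this tip describes: identical events from one host inside an assumed 5-second window are forwarded as a single record that keeps the count and the first and last timestamps, so frequency-based detections still have the numbers they need. The log lines, the window length and the function names are constructed for illustration.

```python
from collections import Counter

WINDOW = 5  # seconds; assumed aggregation window, tune per source

# Constructed sample in "<epoch-second> <host> <message>" form, not real logs.
SAMPLE = (
    ["100 fw01 DENY tcp dst=203.0.113.9:445"] * 4
    + ["101 fw01 DENY tcp dst=203.0.113.9:445"] * 3
    + ["102 fw01 DENY tcp dst=203.0.113.9:445",
       "102 web01 login failed user=alice"]
    + ["103 web01 login failed user=alice"] * 2
    + ["106 fw01 DENY tcp dst=203.0.113.9:445"] * 2
    + ["107 dc01 account locked user=alice"]
)

def parse(line):
    ts, host, msg = line.split(" ", 2)
    return int(ts), host, msg

def aggregate(events, window=WINDOW):
    """Collapse identical (host, msg) events per window into one record.

    The record keeps count plus first/last timestamps so that a rule such
    as "N failed logins in M seconds" can still be evaluated downstream.
    """
    out = {}
    for ts, host, msg in events:
        key = (ts // window, host, msg)
        rec = out.get(key)
        if rec is None:
            out[key] = {"ts": ts, "last": ts, "host": host,
                        "msg": msg, "count": 1}
        else:
            rec["count"] += 1
            rec["last"] = ts
    return sorted(out.values(), key=lambda r: r["ts"])

def peak_eps(timestamps):
    """Highest number of events seen in any single second."""
    return max(Counter(timestamps).values(), default=0)

def report(lines, window=WINDOW):
    events = [parse(line) for line in lines]
    agg = aggregate(events, window)
    return {
        "raw_events": len(events),
        "forwarded": len(agg),
        "raw_peak_eps": peak_eps(e[0] for e in events),
        # Simplification: a summary is counted at its first-seen second.
        "fwd_peak_eps": peak_eps(r["ts"] for r in agg),
        "counts_preserved": sum(r["count"] for r in agg) == len(events),
    }

if __name__ == "__main__":
    print(report(SAMPLE))
```

Check `counts_preserved` before relying on aggregated data: a deduplicator that drops the repeat count hides exactly the burst patterns that brute-force and scanning detections depend on.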
Per User
Used by: LogRhythm, some SOAR-bundled SIEMs
You pay per named user or security analyst seat accessing the SIEM platform. Often combined with a base platform fee. Some vendors distinguish between analyst seats and read-only viewer seats.
Advantages
- Costs scale with team size, not data volume
- Predictable for small, stable analyst teams
- Often includes generous data volume allowances
Disadvantages
- Base platform fee can be significant regardless of team size
- Expensive if you need broad access for IT and development teams
- Volume overages still apply if ingest limits are exceeded
Cost Optimization Tip
Limit SIEM access to analysts who actively triage. Use separate dashboards or BI tools for executive reporting to avoid paying for viewer seats.
Flat Rate (Tiered Subscription)
Used by: Sumo Logic, Panther, some cloud-native SIEMs
You select a subscription tier that includes a daily GB ingest allowance and a set of features. You pay a fixed monthly fee up to your tier limit, then pay overage rates if you exceed it. Tiers typically step at 1 GB, 5 GB, 20 GB, 50 GB, 200 GB/day.
Advantages
- Fully predictable cost when usage stays within tier
- Simple procurement and budgeting
- Often includes all features, with no feature upsell surprises
Disadvantages
- Overages can be expensive and hard to predict during incidents
- Jumping tiers causes significant price steps
- Underutilization means paying for unused capacity
Cost Optimization Tip
Monitor daily ingest continuously. Set up ingest alerts at 80% of your tier limit. Pre-negotiate overage rates or a burst allowance before you need it.
Choosing the Right Model for Your Environment
| Scenario | Recommended Model | Reason |
|---|---|---|
| High volume, small analyst team | Per User | Team size controls cost, not data |
| Low volume, compliance-driven retention | Flat Rate | Predictable cost, storage included |
| Microsoft-heavy environment | Per GB (Sentinel) | Native connectors reduce integration cost |
| Noisy network infrastructure | Per EPS | Aggregate and filter to control EPS |
| Cloud-native organization | Per GB (cloud SIEM) | Native cloud log ingestion keeps costs low |