Independent reference. Not affiliated with Splunk, Microsoft, IBM, Elastic, Sumo Logic, LogRhythm, or any SIEM vendor.
SIEM cost by organisation size: from startup to enterprise

Annual SIEM cost ranges, vendor recommendations, and staffing requirements for every organisation size band. From startup ($12K) to large enterprise ($5M+), with the trade-offs that drive each band's vendor decision.

  • Small business: $12K-$60K per year
  • Mid-market: $60K-$300K per year
  • Enterprise: $300K-$1.5M per year
  • Large enterprise: $1M-$5M+ per year
Small business

Under 100 employees, <10 GB/day

$12K-$60K/yr

At this size, the SIEM decision is usually managed-vs-DIY rather than vendor-vs-vendor. Sentinel wins for Microsoft 365 environments because audit logs are free. Blumira targets this band with predictable monthly pricing and bundled detection content. Wazuh works if you have an in-house Linux engineer who enjoys it. Skip Splunk, QRadar, and Elastic Cloud at this size: they are overkill and overpriced.

Recommended vendors
  • Microsoft Sentinel (free M365 ingest)
  • Blumira flat-rate
  • Wazuh self-managed
Typical staffing

1 part-time analyst or MSSP coverage

Mid-market

100-1,000 employees, 10-100 GB/day

$60K-$300K/yr

The middle band is the most contested. Sentinel almost always wins for Microsoft shops. Sumo Logic delivers predictable flat-rate pricing for SaaS-first organisations. Elastic Cloud suits engineering-strong teams. Splunk Cloud is viable but rarely the cheapest. QRadar appears only when compliance audit history demands it. Most organisations land here on a co-managed model: in-house tier 1 plus MSSP overnight coverage.

Recommended vendors
  • Microsoft Sentinel commitment tier
  • Sumo Logic Enterprise
  • Elastic Cloud Platinum
Typical staffing

2-4 FTE analysts or co-managed MSSP

Enterprise

1,000-10,000 employees, 100-500 GB/day

$300K-$1.5M/yr

At enterprise scale, all three legacy SIEM vendors are credible. Splunk wins on analytics depth and the premium app ecosystem. Sentinel wins on Microsoft integration and TCO when commitment tiers apply. QRadar wins on compliance audit history. Multi-year Enterprise Agreements with 25-40 percent list discounts are routine. In-house 24x7 SOC capability becomes economically viable above 5,000 employees.

Recommended vendors
  • Splunk Cloud / Enterprise
  • Microsoft Sentinel commitment
  • IBM QRadar
Typical staffing

5-10 FTE 24x7 SOC + engineering

Large enterprise

10,000+ employees, 500+ GB/day

$1M-$5M+/yr

Above 500 GB per day, the conversation shifts from licence cost to operations cost. Splunk on-prem starts to win on unit economics. QRadar's distributed architecture handles the volume. Sentinel scales technically but the bill scales linearly. Most large enterprises run multi-vendor stacks: SIEM for compliance and high-fidelity detection, XDR for endpoint, dedicated threat intel platform, and a custom detection engineering function.

Recommended vendors
  • Splunk Enterprise on-prem
  • Splunk Cloud + Enterprise hybrid
  • QRadar distributed
Typical staffing

10-30 FTE SOC + threat intel + detection engineering

What does each budget tier actually buy?

Annual budget | What it buys
$50K | Cloud SIEM with 30-50 GB/day, 90-day retention, business-hours coverage, basic detection rules from vendor pack
$100K | Cloud SIEM with 75-100 GB/day, 365-day retention, 1-2 analysts, vendor content packs plus light tuning
$250K | Cloud or hybrid SIEM with 150-200 GB/day, 365-day retention, 3 analysts, custom detection content, weekly threat hunts
$500K | Splunk or QRadar at 200-300 GB/day, full 24x7 SOC (5-6 FTE), threat intel feeds, monthly red team exercises
$1M+ | Multi-vendor stack at 500+ GB/day, dedicated detection engineering function, threat intel platform, custom integrations

Five common cost traps as you grow

Per-GB pricing growing faster than budget

When log volume grows 30+ percent year over year, per-GB SIEM costs outpace budget. Switch to commitment tiers earlier than the break-even calculator suggests.

Tier ceiling cliffs in flat-rate models

Sumo Logic and Panther flat tiers have ceilings; crossing them triggers overage rates 1.5-2x in-tier pricing. Monitor ingest weekly and upgrade before crossing.

Splunk Cloud committed retention

Splunk Cloud commitments lock retention at the contract level. Reducing retention mid-term does not reduce cost. Right-size retention before signing.

Sentinel commitment tier mismatch

Sentinel commitment tiers are flexible but require monitoring. If volume stays below your tier you pay for capacity you never use; if it exceeds the tier you pay overage on the excess.

QRadar EPS peak bursts

QRadar measures peak EPS and reconciles. Bursts from non-security sources (web traffic spikes, batch jobs) trigger tier upgrades that don't reflect security value.

FAQ

Common questions

How much does SIEM cost for a small business?

Small businesses (under 100 employees, under 10 GB per day of logs) typically spend $12,000-$60,000 per year on SIEM. The cheapest option is Microsoft Sentinel for organisations on Microsoft 365 E5 licensing, where most primary log sources ingest free; total cost often lands $15,000-$30,000 per year. Blumira offers flat-rate pricing from $5,000-$10,000 per year for SMB scope. Wazuh self-managed is technically free as software but requires roughly $30,000-$50,000 per year in operations costs. Most small businesses skip in-house operations entirely and use a managed SIEM at $3,000-$5,000 per month.

How much does SIEM cost for an enterprise?

Enterprise organisations (1,000-10,000 employees, 100-500 GB per day) typically spend $300,000-$1.5 million per year on SIEM all-in. Licensing is 30-40 percent of that; the remainder splits across staffing, storage, integration, and threat intelligence. Splunk Cloud or Enterprise lands $400,000-$900,000 on licensing alone for this band. Sentinel commitment tiers lower licence cost to $250,000-$600,000. QRadar's EPS-based model lands roughly between. Multi-year Enterprise Agreements with 25-40 percent list discounts are standard.

What is the cheapest SIEM for a startup?

For Microsoft-first startups, Sentinel pay-as-you-go with free Microsoft 365 ingest is almost always cheapest, often under $15,000 per year for a small startup. For non-Microsoft startups, Blumira's flat-rate SMB pricing or Sumo Logic Free / Essentials tier are competitive. Wazuh open-source is free as software but only viable if you have an engineer with Linux and Wazuh experience already on the team. Most startups should start with managed SIEM rather than building in-house: $3,000-$5,000 per month with no operational burden.

How many security analysts do I need by org size?

Small business (<100 employees): 0.5 FTE or MSSP coverage. Mid-market (100-1,000): 2-4 FTE for business-hours coverage with overnight MSSP, or 5-6 FTE for full 24x7. Enterprise (1,000-10,000): 5-10 FTE for 24x7 SOC plus a SIEM engineer and detection engineer. Large enterprise (10,000+): 10-30 FTE across tiered SOC, threat intelligence, detection engineering, and red team coordination. Add 28-30 percent benefits load to all salary numbers. The hiring market in 2026 favours candidates; expect to budget at the high end of these ranges.

When should I switch SIEM vendors as my org grows?

Three reliable triggers: log volume crossing a tier ceiling that carries a significant cost penalty (Sentinel commitment tier mismatches or Sumo Logic flat-tier overages), licence cost growing faster than budget can absorb (typically when per-GB SIEMs scale linearly past 200 GB per day), or a capability gap, when the current SIEM cannot deliver the detection content the team needs. Avoid switching for marginal cost differences: migration costs $150K-$400K and re-tunes detection coverage from scratch. The right time to switch is when current spend exceeds new-vendor cost plus migration cost, with the migration paid back in 18-24 months.
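The cost traps above (per-GB growth, flat-tier ceilings, commitment tier mismatch) and the switching rule in this answer share one arithmetic, so here is a single added example, not from this page or any vendor's pricing sheet, that models them together. Every rate, tier size and dollar figure in it is a constructed placeholder; substitute the quotes you actually receive.

```python
"""Constructed SIEM cost-model helpers (added example; rates are placeholders)."""

DAYS = 365


def per_gb_annual(gb_per_day: float, rate_per_gb: float) -> float:
    """Pure consumption pricing: cost scales linearly with ingest."""
    return gb_per_day * rate_per_gb * DAYS


def commitment_annual(gb_per_day: float, tier_gb: float, tier_price: float,
                      overage_per_gb: float) -> float:
    """Commitment tier: the tier price is owed whether or not you fill it;
    ingest above the tier is billed at the (higher) overage rate."""
    excess = max(0.0, gb_per_day - tier_gb)
    return tier_price + excess * overage_per_gb * DAYS


def commitment_waste(gb_per_day: float, tier_gb: float, tier_price: float) -> float:
    """Dollars paid for committed capacity you did not use (the under-tier mismatch)."""
    if gb_per_day >= tier_gb:
        return 0.0
    return tier_price * (1 - gb_per_day / tier_gb)


def flat_tier_annual(gb_per_day: float, ceiling_gb: float, tier_price: float,
                     overage_multiplier: float = 1.5) -> float:
    """Flat tier with a ceiling: volume past the ceiling is billed at a multiple
    of the effective in-tier per-GB price (the page cites 1.5-2x)."""
    in_tier_rate = tier_price / (ceiling_gb * DAYS)
    excess = max(0.0, gb_per_day - ceiling_gb)
    return tier_price + excess * in_tier_rate * overage_multiplier * DAYS


def project_ingest(gb_per_day: float, yoy_growth: float, years: int) -> float:
    """Compound ingest growth, e.g. 0.30 for the 30 percent YoY the page warns about."""
    return gb_per_day * (1 + yoy_growth) ** years


def payback_months(current_annual: float, new_annual: float, migration_cost: float):
    """Months of licence savings needed to repay migration; None if there are no savings."""
    monthly_saving = (current_annual - new_annual) / 12
    if monthly_saving <= 0:
        return None
    return migration_cost / monthly_saving


def should_switch(current_annual: float, new_annual: float, migration_cost: float,
                  max_months: int = 24) -> bool:
    """Page's rule of thumb: switch only when the migration pays back within 18-24 months."""
    months = payback_months(current_annual, new_annual, migration_cost)
    return months is not None and months <= max_months
```

Run `project_ingest` two or three years out before choosing a tier, since a tier sized to today's volume is the one that hits the overage cliff first.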

Updated 2 May 2026