Independent reference. Not affiliated with Splunk, Microsoft, IBM, Elastic, Sumo Logic, LogRhythm, or any SIEM vendor.

SIEM vs XDR vs SOAR: cost comparison and when you need each

Three security platforms, three pricing models, three roles in the modern stack. When XDR replaces SIEM, when both are needed, what SOAR adds, and the combined cost model with cross-references to xdrcost.com and edrcost.com.

Platform (mid-market) | Typical cost | Pricing basis
--- | --- | ---
SIEM | $150K-$500K/yr | Per-GB or per-EPS
XDR | $50K-$200K/yr | Per-endpoint
SOAR | $25K-$100K/yr | Per-action or flat
Full stack | $225K-$800K/yr | Combined licensing

Capability and cost comparison

Dimension | SIEM | XDR | SOAR
--- | --- | --- | ---
Primary purpose | Log aggregation, correlation, compliance | Cross-surface threat detection and response | Automated incident response orchestration
Pricing model | Per-GB / per-EPS / per-user | Per-endpoint / per-asset | Per-action / flat tier
Typical cost (mid-market) | $150K-$500K/yr | $50K-$200K/yr | $25K-$100K/yr
Data scope | All log sources | Endpoint + network + cloud + email | Cross-platform actions
Compliance fit | Strong (audit trails, retention) | Partial (detection logs only) | Operational record only
Deployment time | 3-6 months | 2-6 weeks | 1-3 months
Operations burden | High (rule tuning ongoing) | Medium (vendor-managed detections) | Medium (playbook maintenance)

Architecture by organisation profile

100-employee SaaS startup
Recommended: XDR alone (e.g. CrowdStrike Falcon, SentinelOne Singularity)
Compliance light, cloud-native infrastructure, small security team. XDR provides 80 percent of detection at 30 percent of SIEM cost.
Combined cost: $30K-$60K/yr

1,000-employee mid-market
Recommended: XDR + lightweight SIEM (e.g. Sentinel for compliance)
PCI or SOC 2 compliance demands log retention, but XDR delivers most detection. Use Sentinel as the compliance layer.
Combined cost: $120K-$250K/yr

5,000-employee regulated enterprise
Recommended: SIEM + XDR + SOAR full stack
Compliance demands SIEM. Threat surface demands XDR. Alert volume demands SOAR for automation. Each plays a distinct role.
Combined cost: $600K-$1.5M/yr

Government / defence
Recommended: SIEM-led with selective XDR integration
Compliance-first, on-prem requirements often rule out cloud-native XDR. SIEM handles detection at scale.
Combined cost: $1M-$5M+/yr

MSSP
Recommended: Multi-tenant SIEM + XDR fleet
Service delivery requires SIEM for client data segregation. XDR aggregated across clients drives margin.
Combined cost: Per-client model

SOAR ROI: the alert reduction case

Industry benchmark for a mid-market SOC handling roughly 1,200 tier-1 alerts per week, deploying SOAR with automated triage and enrichment.

Metric | Before SOAR | After SOAR | Change
--- | --- | --- | ---
Tier-1 alert volume | 1,200/week | 200/week | -83%
Mean time to triage | 45 min | 8 min | -82%
Tier-1 analyst FTE required | 4 FTE | 1.5 FTE | -62%
Annual tier-1 staffing cost | $435K | $163K | $272K saved

FAQ

Common questions

What is the difference between SIEM, XDR, and SOAR?

SIEM aggregates logs from across the environment, correlates them, and surfaces detections (Splunk, Sentinel, QRadar). XDR (Extended Detection and Response) detects threats across endpoint, network, cloud, and email surfaces with a focus on response actions (CrowdStrike, SentinelOne, Palo Alto Cortex). SOAR (Security Orchestration, Automation, Response) automates the response to detections by orchestrating actions across the security stack (Splunk SOAR, Palo Alto XSOAR, Swimlane). The three play distinct roles: SIEM is the audit-grade record, XDR is the detection-action engine, SOAR is the automation layer.

Can XDR replace SIEM?

For organisations without compliance requirements demanding centralised log retention (PCI, HIPAA, SOX, FedRAMP), XDR can functionally replace SIEM in 2026. XDR vendors have added log retention, custom detection authoring, and limited correlation capabilities that cover most use cases. For organisations with audit requirements, XDR can substantially reduce SIEM scope but rarely fully replace it: auditors expect a system of record for security events, and XDR's surface-bounded data model does not satisfy that on its own. Hybrid stacks (XDR for detection, SIEM for compliance retention) are increasingly common.

Does SOAR pay for itself?

For organisations with sustained tier-1 alert volume above 500 alerts per week, SOAR routinely pays for itself within 6-12 months. A typical mid-market deployment processes 1,000-1,500 tier-1 alerts per week. Automated triage and enrichment via SOAR cuts that volume by 70-85 percent and reduces tier-1 staffing requirements by 50-65 percent. At a $50K-$100K SOAR licence and $250K-$300K in saved tier-1 staffing, the ROI is straightforward. Below 500 alerts per week, SOAR rarely justifies the licence cost.

What does a full SIEM + XDR + SOAR stack cost?

For a 5,000-employee enterprise: SIEM (Sentinel commitment tier or Splunk Cloud) $400K-$800K per year, XDR (CrowdStrike Falcon Insight or SentinelOne Singularity) $150K-$350K per year, SOAR (Splunk SOAR or Palo Alto XSOAR) $75K-$200K per year. Combined annual licence runs $625K-$1.35 million. Add SOC staffing (5-7 FTE for 24x7 coverage) and the full operating cost reaches $1.4-$2.5 million per year. Compare against the breach cost the stack prevents using the SIEM ROI page.

How do I migrate from SIEM-only to a SIEM + XDR architecture?

Standard migration: keep the SIEM as compliance system of record, deploy XDR alongside for primary detection, gradually migrate detection rules from SIEM to XDR where the data lives, and reduce SIEM data volume to compliance-relevant logs only. Most organisations cut SIEM ingest volume 30-50 percent during this transition, partially offsetting the new XDR licence. Timeline: 6-12 months. Risk: detection coverage gaps during transition. Run both detection planes in parallel for at least 90 days before cutting SIEM detection rules.
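A parallel-run coverage check for the migration described above, added here as an illustration (not code from this page or from any SIEM or XDR vendor): it pairs SIEM and XDR alerts on host and ATT&CK technique within a short time window, reports SIEM-only detections as the coverage gaps to close, and refuses to clear the SIEM rule cut-over until the parallel run has lasted at least 90 days. The sample alerts, host names and five-minute window are assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Alert = namedtuple("Alert", "plane ts host technique")

# Constructed sample alerts from a parallel run (not real telemetry).
SIEM_ALERTS = [
    ("2026-03-02T10:14:00", "ws-042", "T1059.001"),  # scripting, via forwarded endpoint logs
    ("2026-03-02T11:02:00", "srv-db1", "T1110"),     # password spraying seen in auth logs
    ("2026-03-03T09:40:00", "ws-017", "T1566"),      # phishing, from mail gateway logs
]
XDR_ALERTS = [
    ("2026-03-02T10:15:30", "ws-042", "T1059.001"),  # same incident, seen 90 s later by XDR
    ("2026-03-03T14:05:00", "ws-090", "T1055"),      # process injection, endpoint telemetry only
]
MATCH_WINDOW = timedelta(minutes=5)  # assumed pairing window
MIN_PARALLEL_DAYS = 90               # the page's minimum parallel-run period


def load(raw, plane):
    return [Alert(plane, datetime.fromisoformat(ts), host, tech) for ts, host, tech in raw]


def classify(siem, xdr, window=MATCH_WINDOW):
    """Pair SIEM and XDR alerts on (host, technique) within `window`.

    Returns lists 'both', 'siem_only', 'xdr_only'. 'siem_only' is the coverage
    gap: detections the SIEM still catches that the XDR plane does not."""
    unmatched_xdr = list(xdr)
    both, siem_only = [], []
    for s in siem:
        hit = next((x for x in unmatched_xdr if x.host == s.host
                    and x.technique == s.technique and abs(x.ts - s.ts) <= window), None)
        if hit is not None:
            unmatched_xdr.remove(hit)
            both.append((s.host, s.technique))
        else:
            siem_only.append((s.host, s.technique))
    xdr_only = [(x.host, x.technique) for x in unmatched_xdr]
    return {"both": both, "siem_only": siem_only, "xdr_only": xdr_only}


def ready_to_cut_siem_rules(result, start_iso, end_iso, min_days=MIN_PARALLEL_DAYS):
    """True only if the parallel run lasted min_days and no SIEM-only gaps remain."""
    days = (datetime.fromisoformat(end_iso) - datetime.fromisoformat(start_iso)).days
    return days >= min_days and not result["siem_only"]


if __name__ == "__main__":
    result = classify(load(SIEM_ALERTS, "siem"), load(XDR_ALERTS, "xdr"))
    for bucket, keys in result.items():
        print(f"{bucket:10s} {len(keys):3d}  {keys}")
    print("safe to retire SIEM rules:", ready_to_cut_siem_rules(result, "2026-01-05", "2026-04-10"))
```

In practice the two alert lists would be exported from the SIEM and XDR consoles for the same period; the two SIEM-only rows here are the ones that have to be rewritten against XDR data before the SIEM detection rules are retired.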

Updated 2 May 2026