SIEM Cost Calculator

Estimate and compare annual and 3-year SIEM costs across Microsoft Sentinel, Splunk, IBM QRadar, and Elastic. Set your daily log volume, retention, and add-ons to see how the platforms diverge — before you sit down with a vendor.

Elastic Security (lowest modeled)
Year 1 $16,425 · 3-year $52,805

Resource-based; cheapest ingest, less out-of-the-box content.

Microsoft Sentinel
Year 1 $29,382 · 3-year $94,462

Microsoft-source logs ingest free; SOAR + UEBA bundled.

IBM QRadar
Year 1 $56,575 · 3-year $181,883

EPS-based in reality — predictable for steady volumes, spikes on incidents.

Splunk Enterprise Security
Year 1 $117,050 · 3-year $376,304

Ingest $62,050 + add-ons $55,000/yr · Add-ons (ES, SOAR, UEBA) are separate licenses.

Estimates, not quotes. Rates are illustrative, modeled from public list pricing (2026). Negotiated deals typically land 20–40% below list. Use this to compare and model, then get a vendor quote.

How this calculator works

Modern SIEM licensing is dominated by one number: how much log data you ingest per day. This calculator takes your daily volume in GB, annualizes it, and multiplies by a modeled per-GB rate for each platform. It then projects three years with a compounding annual uplift, because renewal increases are where SIEM budgets quietly blow up.

Two platform-specific rules matter. Microsoft Sentinel ingests most Microsoft-source telemetry (Microsoft 365, Entra ID, Defender, Azure Activity) for free — so the calculator bills only the non-Microsoft share of your volume, and bundles SOAR and UEBA rather than charging for them separately. Splunk prices Enterprise Security, SOAR, and UEBA as separate licenses, so toggling those add-ons on is where the Sentinel-vs-Splunk gap widens.

The per-GB rates are illustrative estimates modeled from public 2026 list pricing and vendor pricing pages — not quotes. Negotiated enterprise deals commonly land 20–40% below list, and marketplace credits or multi-year commitments shift the numbers further. Treat the output as a planning model and a way to compare platforms on equal assumptions, then confirm with a written vendor quote.
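
The model described above, as an added Python example (not the calculator's own code): annualized billable ingest plus add-ons, projected with a compounding uplift. The 100 GB/day volume, both per-GB rates, the 50% free share and the 7% uplift are assumptions; the first set was picked so that, with the $55,000/yr add-ons from the Splunk row above, the result lines up with that row.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Platform:
    name: str
    rate_per_gb: float            # assumed $/GB ingested, not a vendor rate
    free_share: float = 0.0       # fraction of daily volume ingested at no charge
    addons_per_year: float = 0.0  # separately licensed modules, $/year


def yearly_costs(p: Platform, gb_per_day: float,
                 uplift: float = 0.07, years: int = 3) -> list[float]:
    """Cost of each year: billable ingest plus add-ons, uplift compounding annually."""
    if not 0.0 <= p.free_share <= 1.0:
        raise ValueError("free_share must be between 0 and 1")
    if gb_per_day < 0 or years < 1:
        raise ValueError("gb_per_day must be >= 0 and years >= 1")
    billable_gb = gb_per_day * (1.0 - p.free_share) * 365   # annualized volume
    year1 = billable_gb * p.rate_per_gb + p.addons_per_year
    return [year1 * (1.0 + uplift) ** y for y in range(years)]


# Constructed inputs (assumptions for illustration, not vendor pricing).
GB_PER_DAY = 100
SPLUNK_LIKE = Platform("modular licensing", rate_per_gb=1.70, addons_per_year=55_000)
SENTINEL_LIKE = Platform("free first-party ingest", rate_per_gb=2.00, free_share=0.5)

if __name__ == "__main__":
    for p in (SPLUNK_LIKE, SENTINEL_LIKE):
        costs = yearly_costs(p, GB_PER_DAY)
        print(f"{p.name:24s} year 1 ${costs[0]:>10,.0f}   3-year ${sum(costs):>10,.0f}")
```

The second platform carries the higher per-GB rate yet costs less, because half its volume is never billed and it has no add-on licenses.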

What actually drives SIEM cost

Daily log ingest (GB/day)

The single biggest lever. Verbose sources — firewall, DNS, proxy, cloud audit, and network flow logs — can dwarf endpoint and identity telemetry. Filtering and routing low-value logs to cheaper storage before ingest is the highest-leverage cost control most teams under-use.

Retention length and tier

Hot, searchable retention costs far more than cold archive. Compliance mandates (PCI DSS, HIPAA, regulator requirements) often force 12+ months, but you rarely need all of it hot. Platforms that decouple ingest from storage (Sentinel via ADX, Elastic frozen tier) let you keep long retention affordable.

Add-on modules

SOAR/automation, UEBA, threat intelligence, and premium detection content are frequently separate licenses on legacy platforms. On Splunk these can rival the ingest cost itself; on Sentinel much of it is bundled. This is where “cheap per GB” platforms can end up more expensive overall.

Detection content and analyst time

A SIEM with weak out-of-the-box content shifts cost into detection engineering and analyst hours. The lowest ingest price does not guarantee the lowest total cost of ownership once you account for the people needed to make it useful.

SIEM cost — frequently asked questions

How much does a SIEM cost per year?

Enterprise SIEM pricing runs from roughly $30,000/year for a small deployment to $5M+ at scale. The dominant variable is daily log ingest volume (GB/day), followed by retention length and paid add-on modules like SOAR, UEBA, and premium detection content. Cloud-native platforms that ingest first-party telemetry for free (e.g. Microsoft Sentinel with Microsoft 365 logs) can materially lower the effective per-GB rate.

How is SIEM pricing calculated?

Most modern SIEMs bill on data volume — dollars per GB ingested per day, annualized. Legacy platforms like IBM QRadar bill on events per second (EPS). On top of ingest, vendors charge separately for add-on modules (Splunk Enterprise Security, SOAR/automation, UEBA) and longer retention tiers. This calculator models the ingest component plus optional add-ons so you can compare platforms on the same volume assumptions.

Why is Microsoft Sentinel often cheaper than Splunk?

Two reasons. First, Sentinel ingests most Microsoft-source telemetry (Microsoft 365, Entra ID, Defender, Azure Activity) for free, which removes a large slice of billable volume for Microsoft-heavy shops. Second, SOAR (playbooks) and UEBA are bundled into the platform rather than sold as separate high-cost licenses. Splunk’s modular licensing — Enterprise Security, SOAR, and UEBA priced separately — is what drives the gap wider as you add capabilities.

Are these SIEM cost estimates accurate?

They are planning estimates, not quotes. The per-GB rates are modeled from public 2026 list pricing and vendor pricing pages. Real negotiated enterprise deals commonly land 20–40% below list, and volume commitments, multi-year terms, and Microsoft/Google marketplace credits can shift the numbers further. Use the calculator to compare platforms and pressure-test a budget, then get a written quote before committing.

What log volume should I use in the calculator?

If you already run a SIEM, use your current average daily ingest in GB/day and add ~25% headroom for the next telemetry source you have not onboarded yet (usually cloud workload or network logs). If you are scoping a new deployment, a common starting point is 0.5–1 GB/day per 100 employees for endpoint, identity, and email logs, rising sharply once you add verbose network, DNS, and cloud audit logs.

Does the cheapest SIEM give the lowest total cost of ownership?

Not always. Ingest price is only part of TCO. A cheaper platform with weak out-of-the-box detection content shifts cost into detection-engineering and analyst time. A platform that is expensive per GB but bundles SOAR and strong content can lower total cost by reducing headcount and mean-time-to-respond. Model the ingest here, then weigh content quality, automation, and staffing when you compare vendors.
