Which SIEM is cheapest for high log volumes?

Wazuh is cheapest as it's open-source with no license fees, but requires self-managed infrastructure. For managed solutions, Elastic SIEM is typically 40-60% cheaper than Splunk for volumes above 100GB/day.

What hidden costs should I consider when choosing a SIEM?

Beyond license fees, account for compute infrastructure (self-hosted SIEMs), storage retention costs, engineering time for maintenance and tuning, and training. These hidden costs often double or triple the sticker price.

Calculator

SIEM Total Cost Calculator

Compare true monthly TCO across Splunk, Microsoft Sentinel, Elastic, and Wazuh — including hidden costs: compute, storage, and engineering time.

Your Environment

Log Volume10 GB/day

300 GB/month ingested

Monitored Agents / Hosts100

Servers, endpoints, network devices

Retention Period180 days

6 months — compliance often requires 12+ months

Engineering Cost Assumption

Engineer time valued at $150/hr — fully burdened. Wazuh requires more ops effort than managed SaaS.

🏆 Lowest TCO

Microsoft Sentinel

$3.8k/mo

Saves $3.7k/mo vs Splunk(49% less)

🟢

Splunk Enterprise

Industry standard — powerful but expensive at scale

$7.5k

/month TCO

$90.0k/year

License

$1.5k

Compute

Managed

Storage

Engineering

$6.0k

40h/mo

Most integrations (2,400+)SPL query languageMature ecosystemOn-prem or cloud

🔵

Microsoft Sentinel

Native Azure SIEM — great if already in Microsoft stack

$3.8k

/month TCO

$46.2k/year

License

$828

Compute

Managed

Storage

$21

Engineering

$3.0k

20h/mo

Native Microsoft integrationKQL query languageBuilt-in SOAR (Playbooks)UEBA included

🟡

Elastic SIEM

Flexible open-core — strong for log analytics

$14.9k

/month TCO

$179.4k/year

License

$9.5k

Compute

$800

Storage

$150

Engineering

$4.5k

30h/mo

Full-text search powerOpen-source coreEQL detection languageScalable architecture

🩵

Wazuh (Open Source)

Free and powerful — high engineering investment required

$9.4k

/month TCO

$113.0k/year

License

FREE

Compute

$400

Storage

$21

Engineering

$9.0k

60h/mo

Zero license costAgent-based detectionHIPAA/PCI rule packsActive open-source community

TCO at Scale

Scenario	Splunk	Microsoft	Elastic	Wazuh
Startup (1 GB/day, 20 agents)	$6.2k	$3.1k	$7.2k	$9.4k
SMB (10 GB/day, 100 agents)	$7.5k	$3.8k	$14.9k	$9.4k
Mid-market (50 GB/day, 500 agents)	$13.5k	$7.5k	$54.5k	$9.7k
Enterprise (200 GB/day, 2K agents)	$36.0k	$20.8k	$202.0k	$10.7k

Choose Wazuh if…

✓ < 50 GB/day ingestion
✓ You have ops engineering capacity
✓ Open-source is a hard requirement
✓ Compliance-driven (HIPAA, PCI rules included)

Choose Sentinel if…

✓ Microsoft/Azure shop
✓ M365 E5 already licensed
✓ Need native Azure integrations
✓ Want managed SOAR (Playbooks)

Choose Elastic if…

✓ Need powerful full-text search
✓ Mixed SIEM + observability use case
✓ Comfortable managing Elasticsearch
✓ Per-host pricing fits your environment

Choose Splunk if…

✓ Enterprise with compliance mandate
✓ Need 2,400+ integrations
✓ Budget is not the primary concern
✓ Complex SPL queries and dashboards

SIEM Total Cost Calculator

SIEM cost tactics in your inbox