LogRhythm Axon pricing in 2026: per-MPS, per-user, and the full TCO
The independent LogRhythm Axon pricing reference. MPS-based licensing explained, user counts, Essentials vs Enterprise tier, real cost scenarios from 500 MPS to 50,000-plus, and where LogRhythm beats per-GB SIEMs on TCO. Updated May 2026.
Estimates triangulated from logrhythm.com/products/axon, public RFP responses, and customer write-ups during 2026.
How LogRhythm pricing actually works
LogRhythm bills on Messages Per Second (MPS), which measures the sustained event rate the platform processes rather than the gigabyte volume it stores. The MPS unit is the largest structural difference from Splunk and Sentinel, and it changes which buyer profiles win on cost. Quiet, predictable log sources where each event represents real detection value (Windows security events from a hardened estate, application audit logs, authentication systems) translate efficiently to MPS. Verbose, low-fidelity sources where each event is mostly noise (debug logs, NetFlow, deep packet inspection metadata) translate poorly: high MPS, low value-per-event. The pricing model rewards source discipline at the agent level.
On top of per-MPS, every Axon contract carries a base licence fee that covers the platform itself. Essentials sits around $40K base and includes core SIEM analytics, dashboards, and 1 year retention. Enterprise sits around $95K base and adds UEBA, advanced analytics, threat intelligence, and integration with the SOAR add-on if licensed. The base fee is non-negotiable below volume floors but compresses as contract value grows; multi-year Enterprise commits at $500K-plus list reduce the implied base licence ratio meaningfully.
User counts (analyst seats) are bundled into Axon at meaningful scale (typically 10 named users on Essentials, 25 on Enterprise). Beyond bundle, additional analyst seats list at roughly $850 per user per year, though this is rarely the binding constraint: most LogRhythm customers operate well below seat limits. The user count line matters more on the legacy LogRhythm SIEM product where seat-based pricing was historically more granular.
The largest source of LogRhythm bill surprise is the gap between contracted MPS and observed MPS at peak. Customers contract on a 60-day moving average; spikes that breach the contracted ceiling for sustained periods trigger overage MPS at list rate, which is roughly 1.4x to 1.6x the in-contract rate. Sampling the true 95th percentile MPS for 60 days before signing avoids this. LogRhythm provides the visibility natively, but customers under-size and pay the spread.
Negotiated discounts of 15-25 percent at term renewal are standard for contracts above $200K list. Multi-year commits push the band to 25-30 percent. Mid-term upsells almost never trigger structural discounts; saving the negotiation for renewal time is the right discipline. LogRhythm has been aggressive on price competitiveness against Splunk and Sentinel since the 2024 Exabeam merger discussion, and the 2026 quarter-end environment is genuinely productive for buyers.
LogRhythm pricing by MPS band
| MPS band | GB equivalent | Profile | Annual licence |
|---|---|---|---|
| 500 MPS | ~5-7 GB/day | Small business, single data centre | $45K-$65K/yr |
| 2,500 MPS | ~20-30 GB/day | Mid-market, multi-site | $110K-$170K/yr |
| 10,000 MPS | ~100-130 GB/day | Lower enterprise | $320K-$480K/yr |
| 25,000 MPS | ~250-320 GB/day | Large enterprise, multi-region | $650K-$950K/yr |
| 50,000+ MPS | ~500+ GB/day | Global enterprise, regulated industry | $1.2M-$2.0M/yr |
Estimates triangulated from public RFP submissions, customer LinkedIn write-ups, and partner referrals. Multi-year EA discounts of 20-30 percent routine above $300K list value.
LogRhythm SKU reference
| SKU | Pricing | What it actually buys |
|---|---|---|
| Axon Cloud SIEM (Essentials) | From ~$40K base + per-MPS | Cloud-native, includes 1 year retention |
| Axon Cloud SIEM (Enterprise) | From ~$95K base + per-MPS | Adds advanced analytics, UEBA, threat intel |
| LogRhythm SIEM (self-managed) | Per-MPS perpetual + maintenance | On-prem appliance or virtual; long product lineage |
| Add-on: NDR (NetMon) | Per-monitored-bandwidth | Network detection module |
| Add-on: SOAR (RespondX) | Per-playbook + per-action | Response automation |
Five LogRhythm cost optimisations that genuinely work
Right-size MPS at peak, not average
10-15% on overage exposureLogRhythm bills against sustained MPS, but peak excursions count. Sample your true 95th percentile MPS over 60 days before sizing. Customers routinely contract on average and absorb the peak surcharge for the rest of the term.
Filter low-fidelity sources at the agent
20-30% on MPSLogRhythm's System Monitor agent supports source-side filtering. Dropping non-actionable Windows event noise (Service Control Manager spam, routine logon successes) cuts the MPS line meaningfully without losing detection coverage.
Use SmartResponse instead of full SOAR
30-50% on SOAR add-onSmartResponse is the included automation feature on Axon. For organisations whose response playbooks are simple (notify, isolate, ticket), SmartResponse covers the use case without paying for the full RespondX SOAR add-on, which is metered per execution.
Negotiate at term renewal, not mid-cycle
15-25% listLogRhythm's renewal cycle is the credible negotiation pressure point. Mid-term upsells lock in list pricing; term renewals open structural discounts in the 15-25 percent band, deeper at multi-year commit.
Move archive to S3 or Azure Blob
60-70% on retention beyond 1 yearAxon includes 1 year retention; beyond that, the per-MPS retention extension is expensive. Configuring archive export to commodity object storage and querying back via Axon's archive search dramatically reduces long-tail retention spend.
When LogRhythm is the right SIEM
LogRhythm wins for organisations with stable, quiet log sources where MPS-based pricing rewards source discipline. The classical fit is regulated mid-market: financial services firms below 1,000 employees, regional healthcare networks, manufacturing with strong PCI scope. These organisations generate predictable event rates, value the included UEBA and content packs on Enterprise tier, and want SaaS without the per-GB price volatility that defines Splunk and Datadog at their scale. LogRhythm's depth on compliance reporting (PCI, HIPAA, SOX content packs ship in product) saves real implementation effort versus building equivalent reporting on Sentinel or Sumo Logic.
LogRhythm is the wrong pick for cloud-native, high-cardinality environments where event rates are inherently spiky and where logs originate from APIs and SaaS apps rather than systems and network appliances. The MPS model punishes this profile structurally; Datadog or Sentinel typically win cleanly. LogRhythm is also wrong for organisations whose detection content investment is built around custom analytics: Splunk's flexibility and content library are unmatched at that profile.
The 2026 buyer environment is unusually favourable. The post-Exabeam-merger talk competitive dynamic has LogRhythm pricing aggressively on new logos and renewals, and quarter-end deal pressure is producing 25-30 percent discounts on previously-list business. Buyers in the 2,500-15,000 MPS band who run a competitive process against Sumo Logic or Sentinel are landing materially better terms than the same buyers landed in 2024.