SIEM pricing models: per-GB vs per-EPS vs per-employee vs flat-rate
The four billing structures that cover almost every SIEM on the market, the trade-offs of each, the vendors behind each, and a side-by-side comparison of the same environment priced under all of them. Worked examples, no hand-waving.
Model comparison matrix
| Model | Vendors | Best for | Worst for | Predictability |
|---|---|---|---|---|
| Per GB ingested | Splunk, Sentinel, Datadog | High-value, low-volume telemetry | Verbose firewall and NetFlow | Low (volatile with noise) |
| Per EPS | QRadar, ArcSight | Quiet, predictable sources | Spiky bursts that breach peak | Medium (peak governs) |
| Per employee | Google SecOps (Chronicle) | High log volume per employee | Large headcount, modest log volume | High (linear with headcount) |
| Flat-rate tiers | Sumo Logic, Panther, Blumira | Predictable budgets, SMB | Volume crossing tier ceilings | High within tier; cliffs between |
Per-GB ingested
The dominant SIEM pricing model in 2026. The vendor meters every log byte that crosses the ingest boundary, measured before any compression the platform applies; compression at rest does not reduce the bill. Splunk, Sentinel, Datadog, and most newer cloud SIEMs use this model.
Wins when security data is high-value (authentication logs, EDR alerts, threat detections) and low volume. Per-GB lines up cost with detection value.
Loses when verbose, low-value sources dominate. Firewall syslog, NetFlow, and DNS query logs can consume 80 percent of the metered volume while contributing perhaps 10 percent of detection value.
Worked example. 50 GB per day at $4.30/GB Sentinel PAYG = $78,475 per year. Filter 30 percent of low-value logs at the agent and the same environment costs $54,933. Filtering pays back faster than negotiation. Filter, do not simply discard: the firewall and DNS logs removed from the SIEM meter are often exactly what an incident responder needs later, so route them to cheap object storage or a data lake the SIEM can query on demand rather than dropping them on the floor.
Per-EPS (events per second)
QRadar and ArcSight bill on event rate, not data volume. The metric is sustained events per second across all log sources, with a separate peak ceiling; QRadar additionally licenses network flows separately, as flows per minute. EPS billing flatters quiet sources and penalises spiky ones, and because the meter counts events rather than bytes, a source that emits many small events costs more than its GB volume suggests.
Wins when log sources are predictable and balanced. Compliance environments with steady audit logging benefit.
Loses when bursty sources push the peak EPS ceiling. Web traffic spikes, batch jobs, or attack waves can force a tier upgrade based on bursts that don't reflect sustained value.
Worked example. 50 GB per day with mixed sources averages roughly 3,500 EPS sustained (about 165 bytes per event). QRadar on Cloud at this tier runs $95K-$110K per year on licence. Equivalent per-GB billing at the same volume runs from roughly $59K-$78K (Sentinel) to $135K (Splunk Cloud), the figures used in the comparison table further down.
Per employee
Google SecOps (formerly Chronicle) is the defining per-employee SIEM: it sizes the subscription per employee per year rather than billing purely on log volume, with a data allowance (stated in the order form, scaled to headcount) and 12 months of hot retention bundled into the headcount rate. Within that allowance, cost is largely decoupled from how much you log; ingestion above it is billed as overage.
Wins when the log-volume-to-employee ratio is high: lean headcount generating verbose telemetry (firewall, NetFlow, EDR, cloud) ingests without the bill moving, as long as it stays inside the data allowance.
Loses when the ratio inverts (large headcount producing modest log volume), because the per-employee meter becomes structural overpayment for the log infrastructure actually consumed.
Worked example. A 1,000-employee organisation on Google SecOps Enterprise (~$60-$95 per employee per year) lands at roughly $60K-$95K per year before negotiated discount, data allowance included. The same firm ingesting 200 GB per day pays about $80K on SecOps, against roughly $580K on Splunk Cloud at that volume per the comparison table below, before the Enterprise Security add-on. Invert it (30,000 employees, 25 GB per day) and SecOps runs $1.8M-$2.85M where Sentinel costs under $40K (about $39K at the $4.30/GB PAYG rate, less on a commitment tier).
Flat-rate tiers
Sumo Logic, Panther, and Blumira sell tiered subscriptions: a fixed monthly fee covers a defined ingest ceiling, log retention period, and feature set. Cross the ceiling and you either upgrade tier or pay overage rates.
Wins when volume is predictable and growth is slow. The bill is genuinely flat for budgeting.
Loses when volume crosses the ceiling. Overage rates are typically 1.5-2x the in-tier per-GB equivalent. Tier upgrades create cliffs.
Worked example. Sumo Logic Enterprise at 50 GB per day runs ~$80K-$95K per year. The same volume on Splunk Cloud would run $135K. Flat tiers genuinely save money inside the tier; the discipline is monitoring ingest against the ceiling and alerting well before it, because sustained overage at 1.5-2x the in-tier rate erases the saving within a quarter.
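The four billing rules above are simple enough to encode, and doing so makes the cliffs visible before the invoice does. The following is an added example, not code from this page or from any vendor: a toy billing simulator that prices one environment under per-GB, per-EPS, per-employee and flat-tier rules. The $4.30/GB PAYG rate and the $22K/$80K/$280K flat tiers come from this page's own figures; the EPS tiers, the $80 per-employee rate, the 250 GB/day data allowance, the overage multiplier and the average event size are assumptions, to be replaced with the numbers on your order form.

```python
"""Toy SIEM billing simulator for the four pricing models discussed here.

Added example, not any vendor's price list. Rates are taken from the page's
worked examples where it gives them ($4.30/GB Sentinel PAYG; the Sumo Logic
tiers from the comparison table); every other figure is an assumption.
"""

DAYS = 365


def per_gb_cost(gb_per_day, rate_per_gb, filtered_fraction=0.0):
    """Per-GB: every byte crossing ingest is metered, so dropping a fraction
    of low-value logs at the agent comes straight off the bill."""
    return gb_per_day * (1.0 - filtered_fraction) * rate_per_gb * DAYS


def gb_per_day_to_eps(gb_per_day, avg_event_bytes):
    """Translate daily byte volume into sustained events per second; the
    average event size (assumed, e.g. 165 bytes) drives the whole conversion."""
    return gb_per_day * 1e9 / avg_event_bytes / 86400


def eps_profile(hourly_event_counts):
    """Sustained EPS is the daily mean; peak EPS here is the busiest hour.
    Assumption: real meters use shorter windows, which only makes peaks worse."""
    sustained = sum(hourly_event_counts) / (len(hourly_event_counts) * 3600)
    peak = max(hourly_event_counts) / 3600
    return sustained, peak


def per_eps_cost(sustained_eps, peak_eps, tiers):
    """Per-EPS tiers are (sustained_ceiling, peak_ceiling, annual_price).
    A tier only fits if BOTH ceilings hold, so a single burst forces an upgrade."""
    for sustained_ceiling, peak_ceiling, price in sorted(tiers):
        if sustained_eps <= sustained_ceiling and peak_eps <= peak_ceiling:
            return price
    raise ValueError("sustained or peak EPS exceeds the largest tier")


def per_employee_cost(employees, rate_per_employee, gb_per_day,
                      included_gb_per_day, overage_rate_per_gb):
    """Per-employee: headcount sets the base; volume only matters above the allowance."""
    overage_gb = max(0.0, gb_per_day - included_gb_per_day) * DAYS
    return employees * rate_per_employee + overage_gb * overage_rate_per_gb


def flat_tier_cost(gb_per_day, tiers, overage_multiplier=1.5):
    """Flat tiers are (ingest_ceiling_gb_per_day, annual_price). Above a ceiling
    you either stay and pay overage at overage_multiplier times the tier's
    effective per-GB rate, or jump to the next tier; take whichever is cheaper."""
    options = []
    for ceiling, price in sorted(tiers):
        if gb_per_day <= ceiling:
            options.append(price)  # fits inside this tier: flat price, no cliff
            break
        effective_rate = price / (ceiling * DAYS)
        overage_gb = (gb_per_day - ceiling) * DAYS
        options.append(price + overage_gb * effective_rate * overage_multiplier)
    return min(options)


# Constructed 24-hour event profile (not measured data): a steady ~3,300 EPS
# with one batch-job hour at 10,000 EPS; the daily total is in the same
# ballpark as the page's 50 GB/day mixed-source environment.
HOURLY_EVENTS = [12_000_000] * 23 + [36_000_000]

# Assumed per-EPS price list: (sustained ceiling, peak ceiling, annual price).
EPS_TIERS = [(2_500, 5_000, 70_000), (5_000, 7_500, 102_500), (10_000, 15_000, 160_000)]
# Sumo Logic tiers from the comparison table on this page: (GB/day ceiling, price).
FLAT_TIERS = [(10, 22_000), (50, 80_000), (200, 280_000)]


def compare_environment(gb_per_day, employees, hourly_events=HOURLY_EVENTS):
    """Price one environment under all four models using the figures above."""
    sustained, peak = eps_profile(hourly_events)
    return {
        "per_gb_payg": per_gb_cost(gb_per_day, 4.30),
        "per_gb_filtered_30pct": per_gb_cost(gb_per_day, 4.30, 0.30),
        "per_eps": per_eps_cost(sustained, peak, EPS_TIERS),
        "per_eps_if_burst_trimmed": per_eps_cost(sustained, sustained, EPS_TIERS),
        "per_employee": per_employee_cost(employees, 80.0, gb_per_day, 250.0, 4.30),
        "flat_tier": flat_tier_cost(gb_per_day, FLAT_TIERS),
    }


if __name__ == "__main__":
    for name, cost in compare_environment(50, 1000).items():
        print(f"{name:26s} ${cost:>12,.0f}")
```

Two things worth noticing when you run it on your own figures: the per-EPS line moves a full tier because of one hour of batch-job events even though sustained EPS sits comfortably inside the cheaper tier (smoothing or rate-limiting that source is worth more than any discount), and the flat-tier line only shows a cliff once the overage bill exceeds the next tier's price, which is the point at which staying put stops being the cheaper option.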
Same environment, every pricing model
Annual licensing only (no staffing or storage). Same log volume; different billing structure. Elastic's resource-based pricing (compute and storage consumed rather than data ingested) fits none of the four models above and is included as a fifth reference point.
| Model and vendor | Small (10 GB/day) | Mid (50 GB/day) | Enterprise (200 GB/day) |
|---|---|---|---|
| Per GB (Splunk Cloud) | $30K | $135K | $580K |
| Per GB (Sentinel) | $16K | $59K-$78K | $200K |
| Per EPS (QRadar Cloud) | $28K | $110K | $340K |
| Resource-based (Elastic Platinum) | $25K | $95K | $320K |
| Flat-rate (Sumo Logic) | $22K | $80K | $280K |
Comparison assumes mixed log source profile, 365-day retention, no negotiated discount, and no premium add-ons. Real-world deals routinely vary 20-40 percent either direction.