Independent reference. Not affiliated with Splunk, Microsoft, IBM, Elastic, Sumo Logic, LogRhythm, or any SIEM vendor.

SIEM pricing models: per-GB vs per-EPS vs per-user vs flat-rate

The four billing structures every SIEM uses, the trade-offs of each, the vendors behind each, and a side-by-side comparison of the same environment priced under all four. Worked examples, no hand-waving.

Most common: Per GB (Splunk, Sentinel, Datadog)
Most predictable: Flat tier (Sumo Logic, Panther)
Best for SMB: Per user (stable headcount)
Best for compliance: Per EPS (QRadar, ArcSight)

Model comparison matrix

| Model | Vendors | Best for | Worst for | Predictability |
|---|---|---|---|---|
| Per GB ingested | Splunk, Sentinel, Datadog | High-value, low-volume telemetry | Verbose firewall and NetFlow | Low (volatile with noise) |
| Per EPS | QRadar, ArcSight | Quiet, predictable sources | Spiky bursts that breach peak | Medium (peak governs) |
| Per user | Elastic Security tiers, LogRhythm | Stable analyst headcount | Growing teams, MSSPs | High (linear with users) |
| Flat-rate tiers | Sumo Logic, Panther, Blumira | Predictable budgets, SMB | Volume crossing tier ceilings | High within tier; cliffs between |

Per-GB ingested

The dominant SIEM pricing model in 2026. The vendor meters every log byte that crosses the ingest boundary. Compression at rest does not reduce the bill. Splunk, Sentinel, Datadog, and most newer cloud SIEMs use this model.

Wins when security data is high-value (authentication logs, EDR alerts, threat detections) and low volume. Per-GB lines up cost with detection value.

Loses when verbose, low-value sources dominate. Firewall syslog, NetFlow, and DNS query logs can quickly consume 80 percent of GB billing while contributing 10 percent of detection value.

Worked example. 50 GB per day at $5.22/GB Sentinel PAYG = $95,265 per year. Filter 30 percent of low-value logs at the agent and the same environment costs $66,686. Filtering pays back faster than negotiation.

Per-EPS (events per second)

QRadar and ArcSight bill on event rate, not data volume. The metric is sustained events per second across all log sources, with a separate peak ceiling. EPS billing flatters quiet sources and penalises spiky ones.

Wins when log sources are predictable and balanced. Compliance environments with steady audit logging benefit.

Loses when bursty sources push the peak EPS ceiling. Web traffic spikes, batch jobs, or attack waves can force a tier upgrade based on bursts that don't reflect sustained value.

Worked example. 50 GB per day with mixed sources averages roughly 3,500 EPS sustained. QRadar on Cloud at this tier runs $95K-$110K per year on licence. Equivalent per-GB billing would run $95K-$135K depending on vendor.

Per user

Elastic Security tiers and LogRhythm bill primarily on named user count, often with a base platform fee and a separate component for ingested or stored data. Per-user pricing decouples cost from log volume.

Wins when analyst headcount is small and stable. A two-analyst team can ingest substantial volume without the bill scaling.

Loses when the team grows, when MSSPs need many low-touch viewer accounts, or when audit requires every department head to access reports.

Worked example. Elastic Platinum at 25 users = $37,500 per year on user fees. Add resource-based ingest at 50 GB per day (~$45K) for $82,500 total before storage or staff. Comparable to per-GB Sentinel but without ingest pressure.

Flat-rate tiers

Sumo Logic, Panther, and Blumira sell tiered subscriptions: a fixed monthly fee covers a defined ingest ceiling, log retention period, and feature set. Cross the ceiling and you either upgrade tier or pay overage rates.

Wins when volume is predictable and growth is slow. The bill is genuinely flat for budgeting.

Loses when volume crosses the ceiling. Overage rates are typically 1.5-2x the in-tier per-GB equivalent. Tier upgrades create cliffs.

Worked example. Sumo Logic Enterprise at 50 GB per day runs ~$80K-$95K per year. The same volume on Splunk Cloud would run $135K. Flat tiers genuinely save money inside the tier; the discipline is monitoring ingest against the ceiling.

Same environment, four pricing models

Annual licensing only (no staffing or storage). Same log volume; different billing structure.

| Model and vendor | Small (10 GB/day) | Mid (50 GB/day) | Enterprise (200 GB/day) |
|---|---|---|---|
| Per GB (Splunk Cloud) | $30K | $135K | $580K |
| Per GB (Sentinel) | $15K | $74K | $240K |
| Per EPS (QRadar Cloud) | $28K | $110K | $340K |
| Per User (Elastic Platinum) | $25K | $95K | $320K |
| Flat-rate (Sumo Logic) | $22K | $80K | $280K |

Comparison assumes mixed log source profile, 365-day retention, no negotiated discount, and no premium add-ons. Real-world deals routinely vary 20-40 percent either direction.

FAQ

Common questions

Which SIEM pricing model is most cost-effective?

It depends on your log mix. Per-GB pricing rewards organisations that filter aggressively and ingest mostly high-value security data. Per-EPS pricing rewards predictable, quiet sources but punishes bursts. Per-user pricing rewards stable analyst teams and small operations. Flat-rate tiers reward predictable volume that fits within a tier ceiling. Modelling your real log profile against each structure before signing matters more than picking a 'best' model in the abstract.

Why does Splunk charge per GB and QRadar per EPS?

Splunk's history is log analytics: their search engine scales by data volume, so per-GB billing aligned costs with the resource genuinely consumed. QRadar's history is correlation engine performance: their detection engine scales by event rate, so per-EPS billing aligned costs with the constraint that mattered. Both models survived because they roughly track the underlying cost driver, even though customers find one or the other easier to reason about depending on their environment.

How do I convert EPS to GB for vendor comparisons?

Rough conversions vary by source type. Windows event logs average 60-80 EPS per GB per day. Firewall and NetFlow data run 200-400 EPS per GB. SaaS audit logs run 30-50 EPS per GB. As a starting point, 1 GB per day of mixed enterprise log volume equates to roughly 70 EPS sustained. Sample your real environment for 30 days before locking in a per-EPS commitment; first estimates routinely understate by 30-50 percent.
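The conversion above, applied per source type instead of as a single blended figure. This is an added example, not code from any vendor or from this page: the source-type names, the sample mix and the way the 30-50 percent understatement is applied (added on top of the estimate) are assumptions; the rates are the ones quoted in the answer.

```python
# Added example: sustained-EPS estimate from a per-source GB/day mix.

# (low, high) sustained EPS per 1 GB/day, as quoted in the FAQ answer.
EPS_PER_GB_DAY = {
    "windows_events": (60, 80),
    "firewall_netflow": (200, 400),
    "saas_audit": (30, 50),
}
MIXED_EPS_PER_GB_DAY = 70          # page's starting point for mixed volume
UNDERSTATE_RANGE = (0.30, 0.50)    # first estimates understate by 30-50 percent


def estimate_eps(mix_gb_per_day):
    """Return (low, high) sustained EPS for a {source_type: GB/day} mix.

    Source types without a quoted range fall back to the mixed-volume
    figure for both bounds, so they are counted rather than dropped.
    """
    low = high = 0.0
    for source, gb in mix_gb_per_day.items():
        if gb < 0:
            raise ValueError(f"negative volume for {source!r}")
        lo_rate, hi_rate = EPS_PER_GB_DAY.get(
            source, (MIXED_EPS_PER_GB_DAY, MIXED_EPS_PER_GB_DAY))
        low += gb * lo_rate
        high += gb * hi_rate
    return round(low), round(high)


def rule_of_thumb_eps(mix_gb_per_day):
    """Flat 70 EPS per GB/day applied to the total volume."""
    return round(sum(mix_gb_per_day.values()) * MIXED_EPS_PER_GB_DAY)


def with_headroom(low, high):
    """Pad the estimate by the understatement range (assumption: the
    30-50 percent is added on top of the estimate)."""
    return (round(low * (1 + UNDERSTATE_RANGE[0])),
            round(high * (1 + UNDERSTATE_RANGE[1])))


# Constructed sample: a firewall-heavy 50 GB/day environment.
SAMPLE_MIX = {"windows_events": 20, "firewall_netflow": 25, "saas_audit": 5}

if __name__ == "__main__":
    low, high = estimate_eps(SAMPLE_MIX)
    print("rule of thumb:", rule_of_thumb_eps(SAMPLE_MIX))
    print("per-source estimate:", low, "-", high)
    print("with headroom:", with_headroom(low, high))
```

For the constructed mix, the per-source estimate is well above the 70 EPS per GB rule of thumb because firewall and NetFlow volume dominates, which is the case where a blended figure misleads a per-EPS quote.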

Are flat-rate SIEM tiers cheaper than per-GB?

Within tier, yes. Sumo Logic and Panther flat tiers are typically 20-30 percent cheaper than equivalent per-GB pricing while volume sits comfortably inside the tier ceiling. The risk is the cliff: cross the ceiling and you pay overage rates that can spike sharply. Flat-rate tiers work best for organisations with predictable, slow-growing volume and an alerting discipline that catches tier breaches before they become bills.

Updated 2 May 2026