SIEM cost per EPS in 2026: every major vendor normalised
Independent normalised cost-per-EPS comparison across all twelve major SIEM vendors. Native per-EPS pricing for QRadar, Securonix, and LogRhythm; per-GB vendors converted to per-EPS equivalents. Updated May 2026.
Why a cost-per-EPS comparison matters
Cost-per-EPS comparisons matter for two buyer profiles. First, organisations evaluating natively per-EPS-priced vendors (IBM QRadar, Securonix EON, LogRhythm Axon via MPS) where the meter aligns directly with the buying axis. Second, organisations whose log profile is event-rate-driven rather than volume-driven (network-heavy environments with extensive firewall, NetFlow, and DNS logs) where the per-EPS view of vendor pricing more accurately reflects actual cost dynamics than per-GB view.
The table below shows the published native per-EPS rate for vendors that price per-EPS, and the converted per-EPS equivalent for vendors that price per-GB. Conversions use a typical 75 EPS-per-GB ratio for mixed enterprise log mix. For specific environments the conversion can vary by 30-50 percent in either direction depending on log source mix; see our EPS-to-GB conversion page for the full methodology and per-source ratio reference.
For comparison purposes, Google Chronicle's per-employee meter is included with a per-EPS equivalent assuming a 1,000-employee organisation at 5,000 EPS sustained. The per-EPS equivalent for Chronicle is essentially meaningless because the meter does not move with EPS; the entry is for reference and to remind buyers that the per-employee model exists outside the per-EPS comparison framework entirely.
All twelve vendors normalised to per-EPS equivalents
| Vendor | Model | $/EPS/mo | All-in @ 5K EPS | Note |
|---|---|---|---|---|
| IBM QRadar | Per EPS native | $2.40-$4.60 | $165K-$240K | Native model; cleanest EPS comparison |
| Securonix EON | Capacity (EPS) native | $2.20-$3.40 | $120K-$180K | Plus separate Snowflake bill (30-60% more) |
| LogRhythm Axon | Per MPS (≈EPS) | $2.80-$4.20 equiv | $165K-$240K | MPS is messages per second; effectively EPS |
| Splunk Cloud (per-GB equiv) | Per-GB converted | $2.50-$4.10 equiv | $155K-$245K | At ~70 EPS/GB, with ES included |
| Microsoft Sentinel (per-GB equiv) | Per-GB converted | $1.50-$2.40 equiv | $95K-$150K | Free MS365 ingest tilts comparison |
| Sumo Logic (per-GB equiv) | Per-GB credits converted | $2.30-$3.50 equiv | $140K-$220K | Tier-mix discipline cuts further |
| Datadog Cloud SIEM (per-GB equiv) | Per-GB converted | $3.00-$4.50 equiv | $175K-$240K | Includes per-host base assumption |
| CrowdStrike LogScale (per-GB equiv) | Indexing-free converted | $0.80-$1.40 equiv | $48K-$85K | Cheapest converted rate |
| Devo (per-GB equiv) | Per-GB converted | $2.20-$3.30 equiv | $140K-$210K | Includes 400-day retention bundled |
| Exabeam Nova (modular equiv) | Modular converted | $3.30-$5.00 equiv | $200K-$300K | Per-user UEBA premium included |
| Google Chronicle (per-emp equiv) | Per-employee | Variable | $60K-$95K (1,000 emp) | Per-employee meter; not really per-EPS |
| Panther (modular equiv) | Base + per-source converted | $2.50-$3.80 equiv | $150K-$230K | Detection-as-code premium |
List $/EPS/month ranges based on published vendor pricing pages, partner channel references, and customer write-ups during Q2 2026. All-in column at 5,000 EPS represents typical mid-market deployment. Negotiated multi-year EA discounts of 25-40 percent are routine at meaningful scale.
Pricing by EPS band
| EPS band | Profile | Typical annual range |
|---|---|---|
| 1,500 EPS | SMB / lower mid-market | $45K-$95K (most vendors) |
| 5,000 EPS | Mid-market | $120K-$240K (most vendors) |
| 15,000 EPS | Lower enterprise | $320K-$650K |
| 50,000 EPS | Enterprise | $650K-$1.5M |
| 200,000+ EPS | Global enterprise | $1.5M-$3.5M |
When per-EPS is the right comparison axis
Per-EPS comparison is the right axis for organisations whose log volume is event-rate-driven rather than gigabyte-driven. The classical fit is regulated mid-market with extensive network telemetry: financial services with deep firewall logging, retail with PCI-scope payment processing networks, healthcare with detailed access logs from clinical systems. These environments produce high event rates relative to byte volume and benefit from comparing vendors on the meter that genuinely tracks underlying cost.
Per-EPS comparison is the wrong axis for cloud-native environments whose log mix is dominated by verbose JSON audit logs (AWS CloudTrail, Azure Activity Log, Microsoft 365 audit). These environments produce low event rates relative to byte volume; per-EPS comparison overstates the relative cost of per-GB vendors and understates per-EPS vendors. Per-GB comparison is the cleaner axis for this profile.
Per-EPS comparison is also the wrong axis for organisations whose buying decision is dominated by per-employee Chronicle math (high log-volume-to-employee ratio environments). The per-employee meter does not align with either per-EPS or per-GB axes; the comparison is fundamentally different. Use the SIEM cost-by-org-size page for the per-employee analysis instead.
Always combine cost-per-EPS analysis with detection content fit, compliance content pack value, SOC retraining capacity, and broader IT consolidation context before making vendor decisions. Per-EPS normalisation is a useful starting point for event-rate-driven environments, not a substitute for the broader buyer-fit analysis.