Independent reference. Not affiliated with Splunk, Microsoft, IBM, Elastic, Sumo Logic, LogRhythm, or any SIEM vendor.

SIEM cost per GB in 2026: every major vendor compared

Independent normalised cost-per-GB comparison across all twelve major SIEM vendors. Headline list rates, all-in math at 50 GB per day, and the honest cheapest-at-this-profile ranking. Updated May 2026.

Cheapest list: $0.55-$1.10 (CrowdStrike Falcon LogScale)
Median range: $1.90-$2.80 (Sumo Logic, Devo, Sentinel)
Premium tier: $2.40-$3.50 (Splunk, Datadog, Securonix)
Variable: Chronicle (per-employee meter)

Why a cost-per-GB comparison matters

Headline per-GB rates are the single most-cited number in SIEM evaluations and one of the most misleading. List rates from vendor pricing pages frequently bear little resemblance to actual paid prices, particularly at meaningful scale where multi-year EA discounts of 25-40 percent are routine. Per-GB rates also miss the structural cost dimensions that dominate real bills: separate licensing for SIEM analytics on top of base log retention (Splunk Enterprise Security, Datadog Cloud SIEM), bundled features that change effective per-GB economics (Microsoft 365 free ingest on Sentinel, included long retention on Devo), and meter-axis differences that require conversion (per-employee Chronicle, per-EPS QRadar, per-MPS LogRhythm).

The honest comparison treats per-GB rate as a starting point and adjusts for the structural factors that materially change effective cost. Microsoft 365 share matters for Sentinel; existing Datadog spend matters for Datadog Cloud SIEM; existing Falcon platform spend matters for LogScale; employee-to-log-volume ratio matters for Chronicle; retention requirement matters for Devo and Sumo Logic. The table below shows the headline per-GB list, the all-in math at 50 GB per day for a typical mid-market profile, and a brief note on what changes the effective rate for that vendor.

For comparison purposes, per-EPS-priced vendors (QRadar, Securonix EON, LogRhythm via MPS) are normalised to per-GB equivalents using a typical 70-80 EPS-per-GB conversion. Real conversions for specific environments can vary by 30-50 percent in either direction; see our EPS-to-GB conversion page for the full methodology. The per-GB equivalent for Google Chronicle is essentially meaningless because the meter is per-employee; the Chronicle row uses a 1,000-employee organisation at 50 GB per day for normalisation purposes only, and the rate flips dramatically at different employee-to-log-volume ratios.

All twelve vendors normalised to per-GB equivalents

| Vendor | Pricing model | List $/GB/yr | All-in @ 50 GB/day | Note |
| --- | --- | --- | --- | --- |
| Splunk Cloud | Per-GB ingested | $2,000-$3,500 | $135K + ES | Headline most expensive; multi-year EA discounts close gap |
| IBM QRadar | Per-EPS (~70 EPS/GB) | $2,200-$3,400 equiv | $165K-$240K | Equivalent at typical mix; cheaper for network-heavy |
| Microsoft Sentinel | Per-GB commit tier | $1,250-$1,900 | $74K | Free Microsoft 365 ingest tilts further |
| Sumo Logic Cloud SIEM | Tier-based credits | $1,900-$2,700 | $95K-$135K | Tier-mix discipline cuts further; Infrequent at $0.33/GB |
| Datadog Cloud SIEM | Per-GB layered | $2,400-$3,200 | $120K-$160K | Includes per-host base; consolidation-driven |
| CrowdStrike LogScale | Indexing-free per-GB | $550-$1,100 | $32K-$58K | Cheapest published rate; bundle math with Falcon |
| Devo | Daily ingest tier | $1,800-$2,800 | $185K-$280K | Includes 400-day hot retention bundled |
| Securonix EON | Capacity (EPS-equiv) | $2,400-$3,600 equiv | $120K-$180K + Snowflake | Snowflake bill adds 30-60% on top |
| Exabeam Nova | Modular per-user + source | $2,800-$4,400 equiv | $140K-$220K | Per-user UEBA included on Professional+ |
| LogRhythm Axon | Per-MPS (~70 MPS/GB) | $2,200-$3,400 equiv | $165K-$240K | Base licence + per-MPS structure |
| Google Chronicle | Per-employee | Variable (depends on emp/GB ratio) | $60K-$95K (1,000 emp) | Per-employee meter; volume-irrelevant within tier |
| Panther | Base + per-source | $2,200-$3,400 equiv | $110K-$170K | Detection-as-code premium; engineering-led |

List $/GB/yr ranges based on published vendor pricing pages, partner channel references, and customer write-ups during Q2 2026. All-in column at 50 GB per day represents typical mid-market deployment with 30-day indexed retention; longer retention adds materially. Negotiated multi-year EA discounts of 25-40 percent are routine at meaningful scale.

The honest cheapest-at-this-profile ranking

For a typical 50 GB per day, 30-day retention, mid-market deployment with moderate Microsoft footprint:

#1 CrowdStrike LogScale: Indexing-free architecture; structurally lowest per-GB

#2 Microsoft Sentinel (with MS365 share): Free MS365 ingest dominates effective per-GB

#3 Google Chronicle (high log volume per employee): Per-employee meter caps cost at log-heavy profiles

#4 Sumo Logic with tier-mix: Infrequent tier at 0.10 credits cuts long-retention

#5 Datadog Cloud SIEM (existing customer): Marginal Cloud SIEM line tiny if hosts already paid

What this ranking does not show

Cost-per-GB is one buying axis among several. The cheapest vendor at the per-GB rate is rarely the cheapest vendor on total spend, and is often not the right vendor for buying decisions where detection content depth, SOC familiarity, compliance content packs, or broader IT consolidation strategy matters more than raw licence cost. CrowdStrike LogScale at the cheapest published per-GB rate is the right shape for organisations already on Falcon EDR/XDR; for organisations not on Falcon, the broader agent rollout cost makes the comparison less favourable than the per-GB number suggests.

Microsoft Sentinel at the cheapest effective rate (factoring free MS365 ingest) is the right shape for Microsoft-heavy environments; for organisations whose log mix is dominated by non-Microsoft sources, the per-GB rate is closer to the headline list and the comparison flips. Google Chronicle at the cheapest effective rate (high log-volume-to-employee ratio) is the right shape for cloud-native engineering organisations; for headcount-heavy professional services firms, the per-employee meter overpays for the log infrastructure consumed.

Always combine cost-per-GB with detection content fit, compliance content pack value, SOC retraining capacity, and broader IT consolidation context before making vendor decisions. Per-GB normalisation is a useful starting point, not a substitute for the broader buyer-fit analysis.

FAQ

Common questions

Which SIEM is cheapest per GB in 2026?

On published headline per-GB list rates, CrowdStrike Falcon LogScale is the cheapest at $0.55-$1.10 per GB ingested. Microsoft Sentinel is structurally cheaper at any meaningful Microsoft 365 share because Microsoft 365 audit logs ingest free. Google Chronicle is cheapest at high log-volume-to-employee ratios where the per-employee meter caps cost. Sumo Logic with disciplined tier-mix optimisation lands competitive across most profiles. The honest answer depends on the specific environment shape rather than a single ranking; use the table above to compare your specific log volume, retention, and existing-platform context.

Why does Splunk look so expensive per GB?

Splunk's headline per-GB list rate is the most expensive in the SIEM market because the Splunk pricing model amortises platform development, content library investment, and best-in-class search performance into the per-GB rate. The honest comparison frequently shifts when negotiated multi-year EA discounts (25-40 percent off list at meaningful scale) are applied, when the breadth of Splunk's content library and search capability is valued separately from raw cost, and when migration cost from an existing Splunk deployment is factored in. Splunk wins on premium product capability rather than headline price; the buyer-fit math has to weigh both.

How accurate are these per-GB equivalents for non-per-GB vendors?

The per-GB equivalents for non-per-GB-priced vendors (QRadar, Securonix, Exabeam, LogRhythm, Chronicle) require a conversion step that varies materially by environment. The numbers in our table represent typical mixed-enterprise observations; specific environments can vary by 30-50 percent in either direction. For Chronicle specifically, the per-GB equivalent is largely meaningless because the meter is per-employee; the Chronicle row in our table assumes a 1,000-employee organisation at 50 GB per day for normalisation purposes only. See our EPS-to-GB conversion page for the full conversion methodology.

Why isn't open-source SIEM (Wazuh, ELK, Graylog) in the comparison?

Open-source SIEMs have zero per-GB licence cost but meaningful operational cost (infrastructure, engineering hours, staff training). Realistic year-one TCO for a 50 GB-per-day Wazuh deployment runs $180K-$280K once you add infrastructure and an engineer who genuinely understands Elasticsearch, comparable to Microsoft Sentinel at the same volume but with substantially more operational risk. Per-GB licence comparisons against commercial SIEMs are misleading; see our open-source SIEM page for the honest TCO breakdown.

Do these per-GB rates include staffing and storage?

No. The per-GB rates in our table cover SIEM platform licensing only (and bundled Cloud SIEM analytics where applicable). Staffing (typically one analyst FTE per 50-75 GB per day at $170K-$250K loaded cost), storage and retention extension (typically 18-30 percent of licence at 365-day retention), integration and custom connectors (typically $75K-$300K in year one), and tuning and detection-rule development (typically $50K-$120K initial spend) are separate cost lines. Total Year 1 SIEM TCO reliably runs 2-3x the per-GB licence figure once staffing is included.

Updated 2 May 2026