Independent reference. Not affiliated with any vendor mentioned on this site.
Vendor / Tenzir

Tenzir pricing in 2026: Community, Professional, Enterprise and Sovereign

The independent Tenzir pricing reference. The free Community tier and its limits, what each paid tier actually unlocks, where Tenzir sits in the security data lifecycle, and an honest account of what is and is not publicly listed. Built from Tenzir's published pricing and product material. Updated June 2026.

Pricing model
Per licensed volume
Free Community tier, paid tiers quoted
Community tier
Free
1 TB/day, unlimited nodes
Where it sits
Upstream of SIEM
Pipeline, not a SIEM
Paid tiers
3 levels
Professional, Enterprise, Sovereign

What Tenzir is, and why it matters for SIEM cost

Tenzir is a security data pipeline. It sits between your log sources (servers, firewalls, applications, endpoints) and your SIEM (Splunk, Sentinel, QRadar, Elastic). Telemetry flows into Tenzir, gets shaped and reduced, then routes to one or many destinations. The expensive SIEM only receives the data that matters for detection. The verbose noise goes to cheap storage or gets dropped before it is ever metered at SIEM rates.

This matters because SIEM pricing is overwhelmingly ingest-metered. Splunk Cloud lists at $1,800 to $3,500 per GB per year. Microsoft Sentinel runs $2.96 to $4.30 per GB. At those rates, every gigabyte of debug chatter, DNS noise or verbose Windows event you do not actually use for detection is taxed at SIEM list prices.

Tenzir's lineage is part of why buyers take it seriously. It grew out of VAST (Visibility Across Space and Time), a research engine for security telemetry with roots in the Zeek lineage, and its pipeline language TQL handles parsing, reshaping and routing of events. Tenzir's own material frames the goal as slashing SIEM, cloud and data costs; in practice most environments find 30 to 50 percent of their ingest is detection-irrelevant, which is the headroom a pipeline reclaims before the SIEM ever meters it.

How Tenzir fits, in three parts

Where Tenzir sits

Tenzir is a security data pipeline. It sits upstream of the SIEM, between your log sources and Splunk, Sentinel, QRadar or Elastic. Telemetry flows into Tenzir, gets shaped, reduced and routed, and only the data that matters for detection reaches the expensive SIEM.

This is the same structural position as the rest of the pipeline category: upstream plumbing, destination-agnostic. Tenzir is not a SIEM and is not sold as one.
What it is built on

Tenzir grew out of VAST (Visibility Across Space and Time), an open research engine for security telemetry with roots in the Zeek/Bro lineage. The pipeline language is TQL (Tenzir Query Language), which handles parsing, reshaping and routing of events.

The engineering heritage is the differentiator buyers cite: a data layer designed by people who have worked on security visibility at the engine level since the mid-2000s.
Why it affects SIEM cost

SIEM pricing is overwhelmingly ingest-metered. Splunk Cloud lists at $1,800 to $3,500 per GB per year; Microsoft Sentinel runs $2.96 to $4.30 per GB. Every gigabyte of low-value telemetry is taxed at those rates once it lands in the SIEM.

A pipeline that filters and routes upstream means you stop paying SIEM ingest on data you never query for detection. Most environments find 30 to 50 percent of ingest is detection-irrelevant and safe to drop or divert to cheap storage.

The four Tenzir tiers

Community
Free, no credit card
  • · Unlimited nodes
  • · 1 TB/day ingress + 1 TB edge storage
  • · Cloud
  • · Community support
$0
Professional
Contact sales
  • · Licensed volume
  • · Multi-tenancy + Platform API
  • · Cloud
  • · 5x8 support
Custom quote
Enterprise
Contact sales
  • · Licensed volume
  • · External secrets, RBAC, audit logs
  • · Cloud
  • · 24x7 support and SLAs
Custom quote
Sovereign
Contact sales
  • · Multiple platform instances
  • · Custom identity provider
  • · On-premise deployment
  • · Dedicated support
Custom quote

Source: tenzir.com/pricing. Community tier limits are published. The paid tiers publish their feature sets and support levels; pricing is quoted per licensed volume and is not listed publicly. This page does not invent dollar figures for the unlisted tiers.

The SIEM savings math, worked

Before a pipeline
Splunk ingest: 500 GB/day
Splunk list rate: $1,800/GB/yr
Annual Splunk cost: $900,000
After filtering upstream
Pipeline filters 40% noise, Splunk ingest: 300 GB/day
New Splunk cost: $540,000/yr
Gross Splunk saving: $360,000/yr (40%)
Pipeline licence: Tenzir volume quote

Illustrative. The filter ratio (40 percent) sits inside the typical 30 to 50 percent of ingest that most environments find detection-irrelevant (verbose Windows events, DNS chatter, debug streams). Net saving depends on Tenzir's volume-based quote, which is not publicly listed, so the licence line is left as a quote rather than a fabricated number.

When a pipeline like Tenzir is the right call, and when it is not

Right call when
  • + SIEM bill above $300K/yr and ingest-metered
  • + 30%+ of ingest is detection-irrelevant noise
  • + Multiple destinations needed (SIEM + data lake + analytics)
  • + Migrating SIEMs and need to reshape data in flight
  • + On-premise deployment requirements (Sovereign tier)
Overkill when
  • - SIEM bill is under $100K/yr (the math does not work)
  • - Single destination, simple log flow
  • - Already on Sentinel with free Microsoft 365 source data
  • - No engineering capacity to design pipelines properly
  • - Below 200 GB/day total ingest (Community tier may be enough)
FAQ

Common questions

Is Tenzir a SIEM?

No. Tenzir is a security data pipeline. It sits upstream of the SIEM, shaping, reducing and routing telemetry before it reaches Splunk, Sentinel, QRadar or Elastic. The goal is to stop paying SIEM ingest rates on data that has no detection value. Tenzir is destination-agnostic and does not replace the SIEM as the place where analysts run detections and investigations.

Is there a free tier?

Yes. The Community edition is free with no credit card required. It covers unlimited nodes, up to 1 TB per day of ingress and 1 TB of edge storage, runs in the cloud, and comes with community support. For home labs, researchers and small environments it is a genuinely usable tier rather than a time-limited trial.

How much do the paid tiers cost?

Tenzir does not publish list prices for Professional, Enterprise or Sovereign. All three are quoted per licensed volume through a sales conversation. Professional adds multi-tenancy, the Platform API and 5x8 support on top of Community. Enterprise adds external secrets, RBAC, audit logs and 24x7 support with SLAs. Sovereign adds on-premise deployment with multiple platform instances, a custom identity provider and dedicated support. Because pricing is volume-based and unlisted, this page does not quote dollar figures it cannot verify.

What is the difference between the four tiers?

Community is the free cloud tier (1 TB/day, unlimited nodes, community support). Professional is the first paid step: licensed volume, multi-tenancy, Platform API and 5x8 support, aimed at consultants and smaller commercial deployments. Enterprise layers on the security and governance controls larger organisations need: external secrets, RBAC, audit logging and 24x7 support with SLAs. Sovereign is for deployments that cannot run in shared cloud at all: on-premise, with multiple platform instances, a custom identity provider and dedicated support, typically for service providers and regulated environments.

How much can Tenzir save on a SIEM bill?

It depends on how much of your ingest is detection-irrelevant. Most environments find 30 to 50 percent is safe to drop or divert to cheap storage rather than meter at SIEM rates. As a worked illustration, a 500 GB per day Splunk environment at $1,800 per GB per year costs about $900,000 annually; filtering 40 percent of low-value data upstream drops Splunk ingest to 300 GB per day and the Splunk bill to about $540,000, before the pipeline licence. The exact net saving depends on Tenzir's volume-based quote, which is not publicly listed. Tenzir's own material frames the goal qualitatively as slashing SIEM, cloud and data costs rather than quoting a fixed percentage.

Is Tenzir's pricing publicly listed?

Only partially. The Community tier and its limits (1 TB per day, unlimited nodes, 1 TB edge storage, free) are published. The Professional, Enterprise and Sovereign tiers list their feature sets and support levels but not their prices: all three are quoted per licensed volume through sales. This page reflects Tenzir's published tier structure and feature splits and deliberately does not invent dollar figures for the unlisted tiers.
Continue reading

Related cost references

Cribl pricing
The other major telemetry pipeline
Splunk pricing
The ingest bill a pipeline reduces
Microsoft Sentinel pricing
Where free MSFT ingest changes the math
Pricing models explained
Why ingest pricing is the lever
SIEM cost optimisation
Run the calculator

Updated 2 May 2026