SIEM Pricing Models Explained: Per-GB vs Per-EPS vs Per-User vs Flat Rate
The biggest obstacle to comparing SIEM vendors is that they use different pricing models. Splunk charges per-GB, QRadar charges per-EPS, Elastic charges per-user, and some vendors offer flat-rate tiers. This guide explains each model, its economics, and which environments favour each approach.
The Four SIEM Pricing Models
Per-GB Ingested
$3 - $25/GB depending on vendor and volume commitments
Used by: Splunk, Microsoft Sentinel, Datadog, Sumo Logic
Charges based on the volume of log data ingested per day, measured in gigabytes.
Best for: Environments with consistent, predictable log volumes and large event sizes
Worst for: Environments with volatile data volumes or many verbose, small-event log sources
Cost predictability: Medium -- costs change when log sources or volumes change
Per-EPS (Events Per Second)
$10K - $380K/year depending on EPS tier
Used by: IBM QRadar, LogRhythm, ArcSight
Charges based on the sustained average rate of events processed, measured in events per second.
Best for: Environments with many small events (DNS, NetFlow) where GB volume is disproportionate to event count
Worst for: Environments with few but very large events (detailed audit logs, packet captures)
Cost predictability: High -- event rates change only when sources are added or removed
Per-User / Per-Endpoint
$5 - $175/user/month or $2 - $15/endpoint/month
Used by: Elastic Security (paid tiers), CrowdStrike Falcon LogScale, Securonix
Charges based on the number of users, endpoints, or assets being monitored.
Best for: Organisations with many endpoints but low log volume per endpoint
Worst for: Environments with few assets generating high data volumes (data centres, CDNs)
Cost predictability: High -- costs tied to headcount or asset inventory, which changes slowly
Flat-Rate Tiers
$2,000 - $15,000/month depending on tier and vendor
Used by: Blumira, Panther, Arctic Wolf (bundled with MDR)
Fixed monthly pricing within defined usage bands (e.g., 'up to 50 GB/day').
Best for: SMBs wanting budget certainty and simplified procurement
Worst for: Organisations between tier boundaries who overpay for unused capacity
Cost predictability: Very high -- monthly cost is fixed unless you change tiers
Per-GB Pricing Deep-Dive
Per-GB pricing is the most common SIEM pricing model in 2026, used by the two market leaders (Splunk and Microsoft Sentinel) and increasingly adopted by newer entrants like Datadog Security. The model charges based on the volume of raw log data ingested into the SIEM platform, typically measured as a daily average in gigabytes.
The economics of per-GB pricing favour organisations with large but infrequent events. Database audit logs averaging 2-4 KB per event, detailed endpoint telemetry, and packet capture summaries generate significant GB volume from relatively few events. Under per-EPS pricing, these same organisations would pay less because their event rate is low despite high data volume. Conversely, organisations with many small events (DNS queries at 100-200 bytes each, syslog messages, NetFlow records) get penalised by per-GB pricing because their GB volume is disproportionately high relative to event count.
The critical per-GB optimization is filtering before ingestion. Both Splunk (Ingest Actions) and Sentinel (Data Collection Rules) allow you to transform, filter, and route data before it counts against your licensed volume. Effective pre-ingestion filtering typically reduces billed volume by 20-40% without meaningful security coverage loss. This is the single highest-ROI cost optimization available to per-GB customers. See our Splunk and Sentinel pricing guides for vendor-specific techniques.
Per-EPS Pricing Deep-Dive
Events-per-second pricing, used primarily by IBM QRadar and LogRhythm, measures cost by the rate at which security events are processed rather than their raw data volume. This model originated in the era when SIEM platforms were primarily correlation engines that cared about event patterns, not data warehouses that cared about storage volume.
EPS pricing has a significant advantage in cost predictability. Your event rate changes only when you add or remove log sources, not when individual sources become more verbose. A firewall firmware update that triples the verbosity of connection logs would cause a major cost increase under per-GB pricing but have zero impact under per-EPS pricing (assuming the same number of connections per second).
The conversion between GB/day and EPS is not straightforward because average event size varies dramatically by source type. A general approximation is 1 GB/day equates to 8-12 EPS sustained average, but this can range from 3 EPS per GB (for large database audit events) to 50+ EPS per GB (for compact syslog messages). When comparing QRadar quotes against Splunk or Sentinel, always calculate the equivalent in both metrics for your specific log source inventory. Our QRadar pricing guide includes detailed EPS estimation guidance.
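The per-source conversion described above, worked for a small inventory. This is an added example, not part of the original guide; the source names, volumes and event sizes are constructed, and 1 GB is assumed to be 10^9 bytes. It also shows the verbosity case from the previous paragraph: tripling event size triples that source's GB/day while its EPS stays the same.

```python
from dataclasses import dataclass, replace

SECONDS_PER_DAY = 86_400
BYTES_PER_GB = 10**9  # assumption: decimal GB; confirm the unit in your contract


@dataclass(frozen=True)
class LogSource:
    name: str
    gb_per_day: float      # daily ingest volume for this source
    avg_event_bytes: int   # average event size, measured from a sample


def sustained_eps(src: LogSource) -> float:
    """Average events per second implied by daily volume and event size."""
    return src.gb_per_day * BYTES_PER_GB / src.avg_event_bytes / SECONDS_PER_DAY


def summarize(inventory: list[LogSource]) -> dict[str, float]:
    """Totals in both licensing metrics plus the blended EPS per GB/day."""
    gb = sum(s.gb_per_day for s in inventory)
    eps = sum(sustained_eps(s) for s in inventory)
    return {"gb_per_day": gb, "eps": eps, "eps_per_gb": eps / gb}


def more_verbose(src: LogSource, factor: int) -> LogSource:
    """Same event count, each event `factor` times larger."""
    return replace(src, gb_per_day=src.gb_per_day * factor,
                   avg_event_bytes=src.avg_event_bytes * factor)


# Constructed inventory for illustration; substitute your own measurements.
INVENTORY = [
    LogSource("dns", 2, 150),
    LogSource("firewall", 8, 500),
    LogSource("windows-security", 25, 2000),
    LogSource("db-audit", 15, 3000),
]

if __name__ == "__main__":
    for src in INVENTORY:
        print(f"{src.name:18} {src.gb_per_day:5} GB/day  {sustained_eps(src):7.1f} EPS")
    print("baseline        ", summarize(INVENTORY))
    verbose = [more_verbose(s, 3) if s.name == "firewall" else s for s in INVENTORY]
    print("firewall x3 size", summarize(verbose))
```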
Per-User / Per-Endpoint Pricing Deep-Dive
Per-user and per-endpoint pricing models decouple SIEM costs from data volume entirely. Instead, you pay based on the number of entities (users, endpoints, or assets) being monitored. Elastic Security's paid tiers use per-user pricing for the analysts accessing the platform, while some cloud-native SIEMs charge per-endpoint for the devices generating log data.
This model is most advantageous for organisations with many endpoints generating moderate log volumes per device. A 5,000-endpoint environment generating an average of 10 MB/day per endpoint (50 GB/day total) would pay based on 5,000 endpoints regardless of whether the per-endpoint volume increases to 20 MB/day. Under per-GB pricing, that doubling would double the bill.
The disadvantage surfaces in environments with few but very active assets. A data centre with 50 servers generating 200 GB/day total would pay a low per-endpoint price but might pay more under a per-GB or per-EPS model optimised for high-volume, low-asset-count environments. Per-user pricing for analyst access (as Elastic uses) adds a layer of cost on top of infrastructure, making it harder to calculate total spend. See our Elastic Security pricing guide for specific tier costs.
Flat-Rate Tier Pricing Deep-Dive
Flat-rate tier pricing offers the highest cost predictability: you pay a fixed monthly fee within a defined usage band. Blumira, for example, offers tiers at approximately $2,500/month (up to 10 GB/day), $5,000/month (up to 50 GB/day), and $10,000/month (up to 100 GB/day). Arctic Wolf bundles SIEM with managed detection and response at flat monthly rates typically ranging from $3,000-$15,000/month depending on organisation size.
The appeal is simplicity: procurement teams know exactly what the SIEM will cost each month, with no surprise bills from log volume spikes or new source integrations. The risk is inefficiency at tier boundaries. An organisation consistently ingesting 55 GB/day pays the same as one ingesting 99 GB/day on a 100 GB tier, effectively subsidising the higher-volume user. And exceeding the tier limit either triggers overage charges (often at punitive per-GB rates) or forces an upgrade to the next tier with significant unused capacity.
Flat-rate tiers are most cost-effective for SMBs with stable, well-understood environments where log volume is unlikely to change significantly. For growing organisations or those with seasonal traffic patterns, the risk of tier boundary issues makes consumption-based models (per-GB or per-EPS) more cost-efficient despite their lower predictability.
Same Environment, Four Pricing Models
A mid-market organisation with 500 employees, 50 GB/day log volume, ~500 EPS, and 2 security analysts. Annual licensing cost under each model:
Per-GB, Sentinel (committed): 100 GB/day tier at $2.96/GB effective rate
Per-EPS, QRadar: 500 EPS tier plus 22% maintenance
Per-User, Elastic Gold: 2 analysts x $95/user/mo + cloud infra $36K-$72K
Flat Rate, Blumira: 50 GB/day tier at ~$5,000/month
This comparison demonstrates why vendor selection cannot be based on pricing model alone. The same environment costs $22,800 to $70,560 in licensing depending on vendor and model -- a 3x range. When you add infrastructure, staffing, and hidden costs, the total TCO gap narrows but remains significant. Use our multi-vendor calculator to model your specific environment.
SIEM Pricing Models FAQ
What are the main SIEM pricing models?
The four main SIEM pricing models are: Per-GB ingested (used by Splunk and Microsoft Sentinel, charging based on daily data volume), Per-EPS or events per second (used by IBM QRadar, charging based on event processing rate), Per-User or per-endpoint (used by Elastic Security and some cloud SIEMs, charging based on the number of monitored entities), and Flat-Rate tiers (used by Blumira, Sumo Logic, and Panther, offering fixed monthly pricing within defined usage bands). Each model favours different environments and usage patterns, making direct vendor comparison difficult without modelling costs for your specific situation.
Which SIEM pricing model is the cheapest?
There is no universally cheapest model -- it depends on your data characteristics. Per-GB pricing is cheapest when your events are large but few (like database audit logs averaging 2-4 KB per event). Per-EPS pricing is cheapest when your events are small but numerous (like DNS query logs at 100-200 bytes each). Per-User pricing is cheapest for organisations with many endpoints but low log volume per endpoint. Flat-rate tiers are cheapest for organisations whose usage falls well within a pricing band. The only way to determine which model is cheapest for your environment is to calculate your costs under each model.
How do I convert between GB/day and EPS for SIEM pricing?
The conversion ratio varies by log source type, but a general rule of thumb is that 1 GB of log data contains approximately 8,000 to 12,000 events, assuming an average event size of 80-120 bytes after indexing. This means 100 GB/day equates to roughly 800-1,400 EPS sustained average. However, DNS query logs average 100-200 bytes per event while Windows Security Event logs average 1-4 KB per event, so the conversion can range from 3,000 EPS per GB to 250 EPS per GB depending on your log source mix. The most accurate approach is to sample your actual data or use your existing log management tool to measure both metrics.
What are the pros and cons of per-GB SIEM pricing?
Per-GB pricing advantages include simplicity (easy to estimate costs from existing log volumes), alignment with data value (you pay for the data you ingest), and availability from the two largest SIEM vendors (Splunk and Sentinel). The disadvantages are cost unpredictability when new log sources are added, potential budget overruns from verbose logging changes, and the incentive to reduce data ingestion which can create security blind spots. Per-GB pricing also penalises organisations that generate verbose but low-value logs, such as debug-level application logging or detailed DNS query logs.
Are flat-rate SIEM tiers actually flat?
Flat-rate SIEM tiers provide fixed monthly pricing within defined usage limits, but they are not truly unlimited. Blumira's plans include specific daily ingestion limits (typically 10-100 GB/day depending on tier), and exceeding them incurs overage charges or requires upgrading to the next tier. Sumo Logic's tiers include defined daily ingest limits and retention periods. The advantage is budget predictability within the tier; the risk is being caught between tiers where you consistently exceed your current tier but would underutilise the next one, effectively overpaying for unused capacity.