Almost every SIEM migration I’ve watched started the same way: someone opened the renewal quote, saw a number that had doubled, and typed “Splunk alternatives” into Google. The trigger is never a feature gap. It’s the bill.
That’s the thing most SIEM comparisons get wrong. They line up detection features, threat-intel integrations, and UEBA checkboxes as if any of that is what breaks the deal. It isn’t. In 2026 the SIEM decision is a pricing-model decision, and the five leading platforms don’t just charge different amounts — they charge in completely different units. One bills you per gigabyte ingested. One bills you per employee. One bills you for compute nodes. Comparing them on a single spreadsheet column is how people end up locked into a contract that scales against them.
So this is a pricing-model breakdown, not a feature checklist. If you’re choosing a SIEM in 2026 — or trying to figure out whether to switch — start here.
Why the pricing model matters more than the price
Here’s the trap. Two SIEMs can both quote you “$40,000 for year one” and be wildly different deals, because one of them charges against a number that grows every quarter and the other doesn’t.
Log volume only goes up. New workloads, more endpoints, a cloud migration that triples your CloudTrail output — your ingest grows whether you planned for it or not. If your SIEM bills per GB ingested, your cost curve is bolted to that growth. If it bills per employee or per compute node, log growth is basically free until you hit an infrastructure wall. Same starting price, opposite trajectory over three years.
So the real question isn’t “what does it cost.” It’s “what does it cost when my data doubles.” Keep that in your head for the rest of this.
The pricing models, decoded
There are essentially five ways SIEM vendors meter you in 2026:
- Per-GB ingest — you pay for every gigabyte that lands in the platform. Predictable per unit, dangerous at scale. (Splunk’s legacy model, Sentinel’s classic model.)
- Workload / compute — you pay for the searches, dashboards, and alerts consuming resources, not raw ingest. (Splunk’s SVC model, Elastic’s node model.)
- Node / resource-based — you pay for the CPU, memory, and storage you provision. Ingest is “free”; capacity isn’t. (Elastic.)
- Flat-rate / subscription with a data cap — you buy a bucket of capacity up front, overage billed after. (Google SecOps / Chronicle.)
- Per-employee — you pay by headcount, and data volume is decoupled from price entirely. (Google SecOps’ seat model.)
Every platform below is some flavor of these. The mismatch between your data profile and the metering unit is where budgets die.
Splunk: the most powerful, and the reason you’re reading this
Splunk is still the platform everyone benchmarks against. The search language (SPL) is genuinely excellent, Splunkbase has an add-on for basically everything, and if your SOC already lives in Splunk, the muscle memory is worth real money. Since Cisco closed its $28 billion acquisition in March 2024, the roadmap has leaned hard into the Cisco security ecosystem, which is either reassuring or concerning depending on how you feel about Cisco.
The pricing is where it hurts. Legacy ingest pricing runs roughly $150 to $200 per GB per day on the current rate card — up from around $90/GB/day back in 2018. Nobody actually pays list; enterprise discounts of 40 to 70 percent are routine. But even discounted, a 100 GB/day shop is looking at a six-figure annual number, and every new log source pushes it up.
Splunk’s answer to the ingest-cost complaints is workload pricing, billed in SVCs (Splunk Virtual Compute units) instead of GB. A single SVC runs somewhere around $55,000–$75,000 a year depending on tier. The pitch: decouple cost from ingest, pay for what your searches actually consume. For predictable, search-heavy workloads it can save 15–25% over per-GB. For ingest-heavy compliance logging — where you’re dumping huge volumes you rarely query — it can actually run higher than the legacy model. Read your own usage before you assume workload pricing is the escape hatch.
Splunk is the right call when you have the budget, the in-house expertise, and workloads complex enough to justify SPL. For most teams reading a scary renewal, it’s the incumbent they’re trying to leave.
Microsoft Sentinel: cheap if you’re already in Azure, a maze if you’re not
Sentinel’s whole pitch is that it’s cloud-native and it plugs straight into the Microsoft security stack — Defender, Entra, and Security Copilot. If your org is already a Microsoft shop, the integration story is hard to beat, and there’s a real discount: certain Microsoft 365 E5 data sources ingest into Sentinel free, which can knock a serious chunk off the bill.
The pricing has gotten more complex — and more interesting — in 2026. Pay-as-you-go per-GB is still there, but the commitment tiers are where the savings live. Committing to 100 GB/day drops the effective rate to about $2.96/GB (roughly a 31% saving over PAYG); 500 GB/day gets you to $2.53/GB (~41%); the largest tiers push past 50% off. There’s also a promotional 50 GB/day tier in preview at about $3.23/GB if you sign up before the end of 2026.
The genuinely new piece is the data lake tier. Ingest into the lake is just $0.05/GB, storage is $0.026/GB/month (billed on 6:1 compression, so 600 GB of raw logs bills as 100 GB), and KQL queries against the lake cost $0.005/GB scanned. That’s a real shift: you can route high-volume, low-query “keep it for compliance” data into cheap lake storage and reserve the expensive analytics tier for logs you actively hunt in. Done right, it changes the cost math substantially.
Done wrong, it’s a footgun. Sentinel’s flexibility is also its complexity — the number of ways to misconfigure retention, tiering, and commitment levels is high, and I’ve seen teams overspend precisely because they treated the data lake like a magic discount instead of designing what goes where. Budget for someone who understands the tiering, not just the per-GB number.
Elastic Security: the volume play
Elastic breaks the per-GB model entirely. Cloud billing is resource-based — you pay for compute (CPU and memory) and storage, not for ingest. That’s a structural advantage if your problem is volume: once you’ve provisioned your nodes, pushing more logs through them doesn’t directly add cost until you need more capacity.
Cloud subscription tiers run from about $99/month (Standard) up through Gold ($114), Platinum ($131, adds machine learning and cross-cluster search), and Enterprise (~$184, adds endpoint security and SOAR). A typical mid-market security deployment provisions 4–8 hot data nodes plus warm and cold tiers. Self-managed changes the math again: the Basic license is free, but the tier that unlocks production SIEM features runs roughly $7,200–$12,800 per node per year.
The honest caveat: Elastic’s advertised base price is not the bill. Resource consumption, data transfer, snapshot storage, and support surcharges can add 25–40% on top. One analysis pegged a 70-system, 100 GB/day deployment with 37-day retention at around $6,400/month on Enterprise tier. That’s still competitive at volume — but “resource-based” doesn’t mean cheap, it means the cost lives in nodes and ops instead of a per-GB meter.
Elastic wins when you have high data volume and the engineering depth to run a cluster well. It loses when a small team picks it expecting “free” and discovers Elasticsearch operations is a full-time job.
Google SecOps (Chronicle): flat-rate for the log-heavy
Chronicle — now folded into Google Security Operations — was built around a genuinely different idea: don’t bill per GB at all. You buy a subscription with an included data cap, and ingestion draws down a credit balance rather than metering each gigabyte. Blow past the cap and Google invoices the overage in arrears at your negotiated rate. For organizations drowning in logs relative to their headcount, this is the model that finally decouples cost from volume.
The pricing structure is per-employee, per-year, tiered: Standard runs roughly $30–$50 per employee/year, Enterprise $60–$95, and Enterprise Plus $100–$140. Multiply by headcount and you get a number that barely moves when your log volume spikes — which is exactly the point. A 500-person company generating enormous log volume can come out dramatically cheaper here than on any per-GB platform.
New for 2026: starting February 1, Google’s Data Benefit Program lets it designate certain data sources that don’t count against your cap at all — but only for Enterprise and Enterprise Plus subscriptions above a minimum annual contract value. If you’re at that scale, it’s another lever.
The catch with Chronicle is the inverse of its strength. If you have a low log-to-employee ratio — a big headcount but modest data — per-employee pricing works against you, and you’re subsidizing a model built for the opposite profile. It’s also the most “you’re in the Google ecosystem now” of the bunch. Great fit for high-volume shops; awkward for small teams with lots of seats.
Open source: Wazuh, OpenSearch, and the “free” that isn’t
Every SIEM evaluation eventually asks: why pay at all? Wazuh, the OpenSearch/ELK stack, and Security Onion are legitimately capable and the license is $0. For the right team they’re the correct answer.
But the license was never the cost. Running Wazuh at production scale means infrastructure in the $15,000–$40,000/year range for a mid-market deployment, plus — and this is the part people skip — an engineer who genuinely understands Elasticsearch operations, at $130,000–$160,000 loaded. Add it up and a realistic year-one cost for a 50 GB/day Wazuh deployment lands around $180K–$280K. That’s roughly what Sentinel costs at the same volume, with substantially more operational risk on your shoulders.
Self-hosting a SIEM isn’t cheaper. It trades a vendor bill for a payroll line and an on-call rotation. If you have the talent and want total control over your data, it’s a fine trade. If you’re choosing open source to save money on a small team, you’ve probably miscounted.
A worked example: 100 GB/day, mid-size team
Numbers make it concrete. Take a 300-person company ingesting 100 GB/day, roughly 37-day retention, mid-market complexity. Rough order-of-magnitude annual cost, list-ish rates before heavy negotiation:
| Platform | Model | Ballpark annual (100 GB/day) |
|---|---|---|
| Splunk (ingest) | Per-GB/day | ~$150K–$250K before discount; 40–70% off with negotiation |
| Splunk (workload) | SVC/compute | 1–2+ SVCs, ~$55–75K each; better only if search-light |
| Microsoft Sentinel | Commitment tier | ~$108K/yr at ~$2.96/GB, less if E5 sources offset ingest |
| Elastic (Cloud, Enterprise) | Resource/node | |
| Google SecOps | Per-employee | ~$18K–$42K/yr for 300 employees (volume-independent) |
| Wazuh (self-host) | Free license | ~$180K–$280K yr-one (infra + one engineer) |
Read that table carefully, because the ranking flips depending on your profile. At 300 employees and 100 GB/day, Google SecOps looks like the runaway winner — its per-employee pricing barely notices your log volume. But bump the company to 5,000 employees with the same 100 GB/day, and suddenly per-employee pricing is charging you for headcount that generates no logs, while Elastic’s node-based cost sits still. The “best” SIEM is entirely a function of your data-to-headcount ratio.
These are rough figures for framing, not quotes — every one of these is negotiable, and list price is fiction in enterprise security sales. Use them to understand the shape of each cost curve, then get real quotes.
So which one
Short version, by profile:
If you’re a Microsoft shop, Sentinel’s E5 offsets and Azure integration usually make it the pragmatic default — just design your data tiering before you sign. If you have high log volume and strong engineering, Elastic’s resource-based model scales better than any per-GB platform. If you’re log-heavy relative to headcount, Google SecOps’ flat-rate capacity model is built for exactly your problem. If you have deep budget, complex use cases, and existing SPL expertise, Splunk is still the most capable platform money can buy. And if you have the talent and want control, open source is real — just don’t pretend it’s free.
Whatever you’re leaning toward, do one thing first: pull your actual ingest volume, project it out three years at your real growth rate, and price each option at year three, not year one. The SIEM that’s cheapest today and the SIEM that’s cheapest when your data has doubled are frequently not the same product — and that gap, not the intro quote, is the number that should decide it.
Sources: Microsoft Sentinel billing docs, Sentinel pricing 2026 breakdown, Splunk pricing guide 2026, Splunk workload pricing, Elastic Security pricing 2026, Google SecOps billing, Google SecOps pricing 2026, Open-source SIEM true cost