Buying SIEM
Buyer's guide.
Evaluation criteria
SIEM buying is mostly cost and detection content fighting each other. Pick on one axis alone and the other becomes the surprise. The right evaluation looks at ingestion capacity, pricing model, and out-of-box detection content together.
- Ingestion volume capacity. Peak-throughput headroom sized to the combined log sources at their busiest hour, not their daily average; under-sizing drops events at exactly the moment an incident makes them matter.
- Pricing model. Per-GB ingest, per-host, or per-event basis; the same workload prices very differently depending on which axis applies.
- Detection content. Rule library, ML detection, threat intelligence integration; vendors with thin rule libraries push detection authoring back to your team.
- 30-90 day proof-of-value. Real logs against real detections; catches detection gaps and ingestion surprises before contract signature.
Major options
The enterprise market has narrowed to four credible picks. Each fits a different shape of organisation; pick on cloud gravity, existing observability, and budget more than on benchmark wins.
- Splunk. Mature, expensive, deeply customisable; industry standard at large enterprises with the budget to operate it.
- Datadog Security. Observability-integrated; best for Datadog-heavy shops where consolidation matters more than peak SIEM features.
- Microsoft Sentinel. Cloud-native, Azure-integrated, competitive pricing; the right answer for Microsoft 365 / Azure-heavy estates.
- Elastic SIEM. Open-core, lower-cost, mature; fits teams already on the Elastic stack who want SIEM without leaving it.
Integration requirements
Integration breadth drives whether the SIEM is actually useful. EDR, cloud audit, and IdP are the minimum; missing any one cripples the correlation that justifies the licence.
- EDR integration. Endpoint-detection feed; SIEM correlation depends on EDR signal for most modern threat patterns.
- Cloud audit logs. CloudTrail, Azure Monitor, GCP Cloud Audit; critical for cloud-heavy environments where the perimeter is the cloud control plane.
- Identity provider logs. Failed-auth, privilege-change, lifecycle events; identity threat detection lives or dies on this feed.
- Application audit feeds. Per-application audit log streams; investigations need application context, not just infrastructure.
Operating costs
Licence is the headline; operations is the multiplier. Plan for both, since the SIEM nobody operates is a SIEM nobody trusts during incidents.
- Licence cost per year. Headline number; budget 20-50 percent on top for tuning, content authoring, and alert triage that the licence does not cover.
- SOC team cost per year. Analyst headcount to actually watch the SIEM; without analysts, the SIEM is half-deployed and the alerts go unread.
- Quarterly tuning. False-positive reduction and new content authoring on a fixed cadence; tuning is operational, not optional.
- Cost attribution per source. Per-source ingestion-cost line items catch noisy log sources before they dominate the bill.
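The two cost points above, that one workload prices very differently per-GB, per-host and per-event, and that per-source attribution surfaces noisy sources early, can be checked with a small model. This is an added example, not part of the guide; the workload and the list prices are constructed placeholders, and the source names and helper functions are hypothetical.

```python
from dataclasses import dataclass

GB = 1024 ** 3


@dataclass(frozen=True)
class LogSource:
    """One log feed as a SIEM would meter it (constructed, not a real estate)."""
    name: str
    hosts: int            # devices reporting through this feed
    events_per_day: int   # average event count per day
    avg_event_bytes: int  # average size of one event on the wire

    @property
    def gb_per_day(self) -> float:
        return self.events_per_day * self.avg_event_bytes / GB


# Constructed mid-size workload: many EDR hosts, few but chatty network devices.
WORKLOAD = [
    LogSource("edr", hosts=5000, events_per_day=60_000_000, avg_event_bytes=900),
    LogSource("cloud_audit", hosts=40, events_per_day=25_000_000, avg_event_bytes=1500),
    LogSource("idp", hosts=3, events_per_day=2_000_000, avg_event_bytes=700),
    LogSource("firewall", hosts=12, events_per_day=400_000_000, avg_event_bytes=250),
]

# Hypothetical daily list prices, one per pricing axis.
PRICES = {"per_gb": 2.50, "per_host": 0.04, "per_event": 0.0000002}


def annual_cost(src: LogSource, model: str) -> float:
    """Annualised cost of one source under the chosen pricing axis."""
    if model == "per_gb":
        daily = src.gb_per_day * PRICES[model]
    elif model == "per_host":
        daily = src.hosts * PRICES[model]
    elif model == "per_event":
        daily = src.events_per_day * PRICES[model]
    else:
        raise ValueError(f"unknown pricing model: {model}")
    return daily * 365


def attribution(workload, model: str) -> dict[str, tuple[float, float]]:
    """Per-source (annual cost, share of the bill) line items."""
    costs = {s.name: annual_cost(s, model) for s in workload}
    total = sum(costs.values())
    return {n: (c, c / total) for n, c in costs.items()}


def noisy_sources(workload, model: str, share: float = 0.5) -> list[str]:
    """Sources that alone account for at least `share` of the bill."""
    return [n for n, (_, sh) in attribution(workload, model).items() if sh >= share]


def cheapest_model(workload) -> str:
    """Pricing axis with the lowest total for this workload."""
    totals = {m: sum(annual_cost(s, m) for s in workload) for m in PRICES}
    return min(totals, key=totals.get)
```

Running `attribution(WORKLOAD, m)` for each model shows the firewall dominating the per-GB and per-event bills while EDR dominates per-host, which is the negotiation leverage the guide is pointing at.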