TL;DR
Microsoft Sentinel is one of the few major vendors that publishes real SIEM pricing numbers ($4.30–$5.59/GB in the US, depending on region, PAYG). Most others — including Splunk, Sumo Logic, CrowdStrike NG-SIEM, and Cortex XSIAM — want to get you on a sales call. But while figuring out SIEM pricing is a headache, bringing it down doesn't have to be. Since SIEM costs are primarily driven by ingest volume, and log volumes keep growing year-on-year, the answer is to filter the noise before it gets priced. Realm.Security customers typically reduce ingested volume into their SIEM by 50% to 70% and cut their SIEM costs by 40% or more, without losing critical visibility.
What does SIEM pricing look like in 2026? If you've spent any time looking into this question, you know the answer can be remarkably complex.
Many SIEM vendors don't even publish their actual pricing, preferring you to book a sales call instead, where they can price based on your specific situation.
In the vast majority of cases, what you pay for a SIEM depends on factors such as environment size, data volume, number of users, cloud vs. on-premises deployment, geography, and contract length. The influence of each factor varies significantly by vendor.
But to paraphrase one user who put it aptly: a good rule of thumb is that if you're getting a crazy number for a SIEM, you probably got the calculation right.
A big part of SIEM cost of ownership is driven by log volumes. The more logs you ingest, the higher the SIEM pricing, and modern environments generate a lot of logs.
As someone recently asked online: "Why are we still burning money on SIEM log volume?"
It's a fair question. Legacy SIEM pricing models were designed for a different era, before cloud-native infrastructure made log volumes essentially unlimited.
We built Realm.Security to solve exactly this problem.
Reduce SIEM Pricing With a Security Data Pipeline Platform
Regardless of which vendor you choose, one of the biggest cost drivers in most SIEM deployments is the amount of data you're ingesting. Realm.Security sits in front of your SIEM to reduce that volume before it gets priced.
By automatically filtering non-relevant telemetry using machine learning without sacrificing critical detection signals, Realm.Security customers typically see at least a 40% reduction in SIEM costs and a 50–70% reduction in data volume flowing into their SIEM or XDR platform.
More on how Realm.Security works below. But first, let's look at what the major SIEM vendors actually charge in 2026.
SIEM Pricing 2026: Leading SIEM Providers Compared
Here's an indicative breakdown of what the major SIEM vendors charge in 2026.
Note that all numbers are based on vendor websites where possible, followed by marketplace listings and public references. As a result, actual pricing may vary.
Bottom line: SIEM pricing is confusing. For the most part, it's also very opaque.
| | Microsoft Sentinel | Splunk Enterprise Security | Sumo Logic Cloud SIEM | CrowdStrike NG-SIEM | Cortex XSIAM |
|---|---|---|---|---|---|
| Pricing transparency | High — fully published | Low — contact sales | None — contact sales | Low — contact sales | None — contact sales |
| Pricing model | Per GB ingested | Per GB/day or compute units; also predictive | Credit-based, per GB scanned | Per GB ingested (third-party data) | GB/day + FTE count + add-ons (per community reports) |
| Rates (indicative / marketplace-based estimates) | $4.30–$5.59/GB in the US, depending on region (PAYG) | $8,100–$80,000/year (base platform only, from AWS Marketplace) | None published for SIEM specifically | $5.95/GB (AWS pay-as-you-go) | None published |
| Free tier / free sources | Yes — Azure, O365, Defender logs free | Unknown | Unknown | 10 GB/day free for Falcon Insight XDR customers | Unknown |
| Typical contract size | Varies | Contact sales | Contact sales | Contact sales | $1M+ ARR average |
Microsoft Sentinel pricing
Sentinel is the outlier of all the SIEMs in this article because it is one of the few major vendors with transparent pricing. It also splits pricing into two tiers depending on what you're trying to do with the data, which is worth understanding before you commit to anything.
The two tiers are:
- Analytics tier
- Data lake tier
The analytics tier is for active security monitoring (real-time alerts, detections, investigations). It's best for high-value data like identity logs and endpoint alerts, and it's priced per GB ingested.
Pay-as-you-go pricing depends on your region. In the US, it ranges from $4.30/GB (East US, the most affordable) to $5.59/GB (West US, the most expensive) at the time of writing.
Commitment tiers use a fixed daily rate, ranging from $161.25/day (East US) to $209.625/day (West US) at 50 GB, with promotional pricing up to $102,600/day (East US) – $121,068/day (West US) at 50,000 GB/day.
For a 100 GB/day example, you'd pay roughly $156,950/year (East US) – $204,035/year (West US) on PAYG versus $108,040/year – $127,574.80/year on commitment.
The data lake tier is aimed at the opposite use case: cheap, long-term storage for high-volume data like network, firewall, and proxy logs that you need to keep around but don't need to alert on in real time.
The cost structure reflects that, with $0.05/GB for ingestion, $0.10/GB for processing, $0.026/GB/month for storage, and $0.005/GB for querying (all for East US — pricing is not available for certain regions, including West US, which we used in our previous example).
Support plans for Sentinel follow Azure's general support tiers rather than being Sentinel-specific. "Basic" support (for those using Azure in non-production environments or for trial and evaluation) is included in pricing, but other tiers cost extra. For example, "Standard" support (for small- or mid-size organizations with limited business-critical reliance on Azure) is $100 extra, and "Professional Direct" (for mid-size to large companies with substantial business-critical Azure use) is $1,000 extra per month.
Microsoft has a pricing calculator where you can calculate Microsoft Sentinel pricing based on your exact situation.
Sentinel also offers free sources, including Azure Activity Logs, Office 365 Audit Logs, and Defender security alerts (XDR, Endpoint, Identity, Cloud Apps). In addition, there's a 31-day free trial that covers 10 GB/day on the analytics side, though data lake charges still apply during that window.
Splunk Enterprise Security pricing
The first thing to understand with Splunk is that Splunk Enterprise Security is an add-on, not a standalone product. It runs on top of one of two base platforms: either Splunk Enterprise (self-hosted, on-prem, or in your own cloud infrastructure) or Splunk Cloud (Splunk's managed SaaS).
On Splunk Cloud, a 100 GB/day deployment is listed at roughly $80,000/year in the US, and that's just for the base platform (as per its AWS Marketplace listing). You also need to add Splunk Enterprise Security on top of that.
According to third-party estimates, Splunk Enterprise Security is often priced at a premium to the base platform (sometimes cited in the ~1.5–2x range), though Splunk does not publish official pricing and actual costs vary significantly by contract.
So the total bill for a Splunk SIEM deployment is always at least two line items (though in practice, these may be bundled into a single enterprise agreement):
- The base platform license, plus
- The Enterprise Security add-on license
As per Splunk's security pricing FAQ page, Splunk offers ingest-based (GB/day), workload-based (compute units), and predictive pricing models, but it does not share actual dollar amounts. To get a quote, you'll have to talk to sales.
Sumo Logic Cloud SIEM pricing
Sumo Logic is cloud-native only (i.e., there is no on-premises deployment option), and is appropriately called Sumo Logic Cloud SIEM. The product is delivered as SaaS, though it can still collect log and event data from on-premises systems.
Sumo Logic Cloud SIEM is part of the Enterprise Suite tier. It requires separate activation and comes with minimum volume requirements that get confirmed at contract time.
The SIEM itself includes 900+ out-of-the-box detection rules, MITRE ATT&CK mapping, UEBA behavioral models, entity timelines, premium threat intelligence feeds from CrowdStrike and Intel471, and an automation/playbook service. Unlimited users are included across all tiers.
Sumo Logic does not publish pricing for its Cloud SIEM, which means you'll need to go on a call with someone from the company. Enterprise Suite pricing likewise requires a sales conversation.
CrowdStrike NG-SIEM pricing
Like Sumo Logic Cloud SIEM, CrowdStrike NG-SIEM is also cloud-native SaaS only (i.e., there's no on-premises deployment option). Data sources can be on-prem (via the Falcon Log Collector), but the SIEM platform itself always runs in CrowdStrike's cloud.
NG-SIEM isn't included by default in any of the published Falcon tiers (Go, Pro, or Enterprise), and we couldn't find a direct self-serve path to buy NG-SIEM on its own from CrowdStrike's website, where most product pages route you to a sales conversation.
That said, CrowdStrike's NG-SIEM can be purchased as a standalone product rather than as an add-on to an existing Falcon subscription. A few things back this up: it has its own dedicated pricing entry in CrowdStrike's UK government procurement listing and its own pay-as-you-go SKU on AWS Marketplace. Plus, CrowdStrike's March 2026 announcement that NG-SIEM can ingest Microsoft Defender for Endpoint telemetry was explicitly aimed at organizations that don't use CrowdStrike for endpoint protection at all.
Nonetheless, if you're already a CrowdStrike customer, the NG-SIEM integrates most tightly with Falcon Insight XDR, and Falcon Insight XDR customers get 10 GB/day of third-party data ingestion free. Falcon Fusion SOAR is also included at no additional cost within NG-SIEM.
Licensing costs are based on data ingestion volume and retention length (with up to 36 months retention period). Note that the AWS Marketplace pay-as-you-go listing includes 13-month retention, but it's worth confirming what retention window is included in any direct contract you're offered.
CrowdStrike doesn't publish NG-SIEM pricing on its website, but there are two public data points that give us a reference point.
The first is the AWS Marketplace pay-as-you-go listing, which comes in at $0.00595/MB, or $5.95/GB, for third-party data with 13-month retention included.
The second is CrowdStrike's own pricing response on the UK Government's G-Cloud 14 Framework, which lists Falcon Next Gen-SIEM at £2,000 (around $2,700) per GB/day per year for third-party data, with extended retention adding £615 (around $825) per GB/day per year on top. For context, that works out to roughly £200,000 (around $270,000) per year in ingestion alone for a 100 GB/day deployment at list price, before retention or support costs.
However, CrowdStrike explicitly notes that the published figures represent "lowest commit GB/day and highest retention," which means these are list rates at the smallest volume tier, and volume discounts are available on larger commits. The rates also assume a 2-year term and a 7-day default retention window unless you negotiate something else.
Support is priced separately on top, at 12% of annual subscription cost for Express and Essential tiers and 25% (minimum £120,000 or around $162,000) for Elite, which includes a dedicated Technical Account Manager.
Since the G-Cloud document is from April 2024, we have to treat it as directional for 2026 rather than current. But what's useful about having both the AWS Marketplace and G-Cloud data points is that they line up. £2,000 per GB/day per year is roughly $2,700/year per 1 GB/day at current exchange rates, and the AWS Marketplace rate of $5.95/GB annualizes to about $2,170 per 1 GB/day of sustained ingestion.
CrowdStrike also offers a broader subscription model called Falcon Flex, where you buy a credit pool and spend it across the Falcon platform, including NG-SIEM, though no public pricing exists for that either.
Cortex XSIAM by Palo Alto pricing
Palo Alto's website has no pricing page for Cortex XSIAM. There are no published per-GB rates and no AWS Marketplace listing with prices.
However, we know from Palo Alto Networks' own earnings disclosures that XSIAM had around 470 customers as of December 2025, and that on average, each customer spends more than $1 million in annual recurring revenue. Their largest deal to date was an $85 million contract with a large US telecom company.
Based on community reports, XSIAM appears to use a hybrid licensing model combining three elements: GB/day ingestion for third-party log sources, a per-employee (FTE) count for endpoint coverage, and add-on modules priced per employee. These details are unverified and may have changed, so treat them as directional only.
Reduce SIEM Pricing with Realm.Security
Whichever SIEM you choose, Realm.Security can meaningfully reduce what you pay for it.
Realm.Security is an AI-native security data pipeline that sits between your data sources and your SIEM.
It acts as an intelligent pre-processor, collecting, cleaning, normalizing, and routing your security telemetry so that only the data you actually need ever reaches your SIEM or XDR.
The rest is either filtered out entirely or streamed into Realm Data Haven, a dedicated retention layer that keeps full-fidelity, normalized logs accessible for compliance and forensic investigations at a fraction of SIEM storage cost, with default retention of one year and the ability to scale up to five.
A few things make this possible without breaking the detection content you already have in place.
Realm.Security automates log formatting. When a new data source is onboarded, Realm.Security's ingestion engine maps the raw events to whatever format your destination SIEM expects, so native parsers handle the data without manual intervention.
Importantly, Realm.Security filters events rather than changing them. When we identify noise, we strip the full event out of the stream.
Realm is also SIEM-aware.
Before applying any filtering strategy to your data, Realm.Security validates that strategy against a knowledge base of detection rules and logic from across the major SIEM products. If an event is required by a known downstream detection rule, it doesn't get filtered, full stop. That's how we prevent the false-negative problem that would otherwise come with aggressive volume reduction.
The result is a cleaner, higher-fidelity data stream and a meaningfully smaller SIEM invoice.
Most customers see real impact inside the first week of deployment, and over time, the typical outcomes are a 40% or greater reduction in SIEM cost, a 50% to 70% reduction in data volume ingested, and a lot of time back for the analysts.
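The rule-aware filtering described above can be sketched as follows. This is an added example, not Realm.Security's implementation: the detection rules, noise filters, field names and events are constructed, and the only figure taken from the article is the $4.30/GB East US PAYG rate.

```python
# Added example, not Realm.Security code. Rules, filters, field names and
# events are constructed for illustration.
PAYG_USD_PER_GB = 4.30  # Sentinel analytics tier, East US PAYG (from the article)

DETECTION_RULES = [  # hypothetical downstream SIEM detections
    {"name": "failed_admin_logon", "match": {"event_id": 4625, "user": "admin"}},
    {"name": "outbound_port_9001", "match": {"action": "allow", "dst_port": 9001}},
]
NOISE_FILTERS = [  # hypothetical drop candidates proposed for the pipeline
    {"event_id": 5156},   # Windows Filtering Platform "connection permitted"
    {"action": "allow"},  # routine permitted firewall traffic
    {"event_id": 4625},   # deliberately over-broad: every failed logon
]
SAMPLE_EVENTS = [  # constructed; "bytes" stands in for the event's wire size
    {"event_id": 5156, "bytes": 400},
    {"event_id": 5156, "bytes": 400},
    {"action": "allow", "dst_port": 443, "bytes": 300},
    {"action": "allow", "dst_port": 9001, "bytes": 300},
    {"event_id": 4625, "user": "admin", "bytes": 500},
    {"event_id": 4625, "user": "jsmith", "bytes": 500},
    {"event_id": 4624, "user": "jsmith", "bytes": 600},
]

def matches(event, pattern):
    """True when every field in the pattern equals the event's value."""
    return all(event.get(k) == v for k, v in pattern.items())

def required_by(event):
    """Names of the detection rules that need this event."""
    return [r["name"] for r in DETECTION_RULES if matches(event, r["match"])]

def route(events):
    """Split into (forwarded, dropped). Events are dropped whole, never edited."""
    forwarded, dropped = [], []
    for ev in events:
        noisy = any(matches(ev, f) for f in NOISE_FILTERS)
        # A detection-rule hit always overrides a noise filter.
        (dropped if noisy and not required_by(ev) else forwarded).append(ev)
    return forwarded, dropped

def reduction_pct(events):
    """Share of bytes that never reaches the per-GB meter."""
    _, dropped = route(events)
    total = sum(e["bytes"] for e in events)
    return round(100 * sum(e["bytes"] for e in dropped) / total, 1)

def annual_payg_usd(gb_per_day):
    """Yearly analytics-tier cost at the PAYG rate for a sustained daily volume."""
    return round(gb_per_day * 365 * PAYG_USD_PER_GB, 2)
```

The failed logon for `jsmith` is dropped because no listed rule needs it, which shows that this kind of check protects only the detections present in the rule set it is validated against.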
With Realm.Security, You're Not Locked Into Whatever SIEM You Choose Today
Not happy with your chosen SIEM's pricing? Looking at a SIEM migration? Realm.Security lets you quickly switch or consolidate technologies without disrupting your day-to-day operations.
Realm's pipeline routes data to multiple destinations simultaneously without requiring you to reconfigure the source integration, which means the same ingestion sources can feed multiple archives, SIEMs, and data lakes at the same time.
It's something we like to call "collect once, route anywhere," and it's designed to help you avoid downstream vendor lock-in and eliminate the headaches associated with evaluating different technologies that would otherwise require separate data ingestion.
When it comes to retention, Realm.Security can store your logs in a raw format with OCSF-based IOC fields added at ingestion, which means your entire historical record remains portable and accessible regardless of your primary security stack. You're no longer locked into a specific SIEM provider's proprietary data format for forensics.
See What You'd Actually Save on SIEM Pricing
Whether you're renewing a SIEM contract in 2026, evaluating a new SIEM vendor, or simply tired of watching your SIEM bill increase as your log volumes grow, Realm.Security can help make SIEM pricing work for you.
Book a demo of Realm.Security, and we'll walk you through how much you could cut from your next SIEM invoice without giving up visibility.