
When a SIEM contract comes up for renewal, the logs that get cut are high-volume: DNS query telemetry, full NetFlow records, verbose endpoint process logs, and cloud API audit trails. Per-GB billing punishes volume, so anyone who has sat through a renewal conversation knows those sources are the first to go.
So the engineering team starts trimming. They sample the flow data, filter DNS at the shipper, and push the rest to a cold tier nobody can reach mid-incident.
The uncomfortable part is that those exact sources are the forensic record of how attacks unfold. Command-and-control beaconing hides in DNS traffic. Lateral movement leaves its trail in network flow data, and privilege escalation is reconstructed from endpoint process logs. Dropping those sources is treated as a storage decision, even though the actual issue is how much of the environment remains visible during an incident. The renewal conversation almost never names it that way. SIEM costs are a visibility problem more than a procurement one, because under per-GB pricing the cheapest way to cut the bill is to stop collecting the data that shows you what is happening.
SIEM costs live in four places.
Ingestion and retention are the obvious ones.
Per-GB-per-day pricing scales with log volume, which is why the high-volume sources get cut at renewal. Retention compounds it, since keeping data hot and queryable costs more than the raw ingest.
Compute and search are the parts nobody budgets for.
Correlation rules, scheduled searches, and ad hoc hunting all burn processing. Older licenses folded this into the ingest price, while newer models break it out, and inefficient queries can quietly outrun your ingest spend.
Operational costs never appear on the invoice, but they are usually the largest line item.
Engineer hours go to tuning parsers, maintaining detections, chasing false positives, and keeping the thing fed. Running a SIEM takes ongoing staff time, not just a purchase order.
The last cost only shows up during an incident,
The telemetry you sampled was either sent away or aged in cold storage. That cost doesn't disappear at renewal; it just gets deferred and surfaces as a gap in your timeline at 2 am.
Per-GB billing makes volume look like the problem, so teams optimize for less data. What's underneath is a security tradeoff wearing the costume of a budget decision.
License is a minority of year-one spend.
Total year-one SIEM TCO runs roughly 2.5 to 3.0x the headline license fee, and licensing accounts for only about 30 to 40% of that total (SIEMCostCalculator.com, May 2026). The remaining 60-70% is paid after the contract is signed. A representative 100 GB/day mid-market Splunk deployment reaches $1.16M in its first year when the full picture is accounted for.
Staffing is the largest single ongoing line.
A SIEM administrator, security analysts, and a SIEM engineer cost between $170K and $900K per year, depending on team size and seniority, more than any other line item in the breakdown below. The BLS puts the median information security analyst salary at $124,910 (May 2024), and a 24/7 SOC needs five to six FTE minimum before benefits enter the math.
Add it up, and the license is the smallest piece of what a SIEM costs to run.
The hiring market makes staffing harder to control.
CyberSeek data, via Blumira, reports 514,359 open U.S. cybersecurity positions, with only 74% filled (as of June 2025). Teams routinely budget for analysts they cannot hire at the pace the budget assumes, and first-year cost overruns of 40-60% over the initial estimate are common. Strike48's 2026 survey of 100 security leaders found that 80% cite the cost of keeping data live and searchable as painful or a major budget concern, which tells you this pressure is systemic rather than a few unlucky deployments.
The per-GB mechanic charges the same price per log line, regardless of its security value.
A DNS query that might reveal C2 beaconing costs the same to ingest as a routine health-check log that will never matter. At enterprise scale, where Splunk at 500 GB/day reaches roughly $788,000 per year in ingestion alone, no team can retain everything, so something gets cut. What gets cut is determined by volume and price, not by how much an attacker cares about it.
DNS query telemetry is usually the first to go.
It is one of the highest-volume sources in the stack, and because it reads as routine, a shipper can drop 60 to 80% of it before anyone notices a gap in the dashboard. DNS is also where command-and-control beaconing and DNS tunneling exfiltration show up, so an attacker moving data out over DNS never registers in a SIEM that has filtered full DNS telemetry to keep the bill down.
Full NetFlow data follows.
Network flow records the connections between internal hosts, including when and for how long, and that record is the raw material for reconstructing lateral movement. At scale, NetFlow is expensive to ingest, so teams sample it (1-in-10 records) or push it to cold storage where it becomes functionally inaccessible during a live incident. Cold-tier queries routinely take four or more hours, a latency that renders the data unusable while an investigation is underway.
Verbose endpoint process logs and cloud API audit trails are third.
These reveal privilege escalation, process injection, and API-layer persistence, and they are among the most voluminous sources in any modern environment. Every endpoint agent and every cloud workload generate orders of magnitude more telemetry than a traditional on-premises host did, making them prime targets for the budget axe.
These cuts break detection in measurable ways.
CardinalOps' 2025 State of SIEM Detection Risk report, which analyzed 13,000 detection rules and 2.5 million logs, found that 50% of detection rule failures in 2025 were traced directly to gaps in log collection. The rules were written correctly; the logs they depended on were not arriving. Strike48's 2026 Agentic Security Survey of 100 security leaders found that 84% say their current tools cannot access all their log data for investigations, and 65% have had at least one investigation stall because data was trapped in a system their tools could not reach. Per IDC research, the average enterprise monitors only about two-thirds of its environment, and cost-driven exclusion is the mechanism that produces that gap.
The math compounds.
Telemetry volume tends to grow 20 to 30% per year as cloud workloads expand and endpoint agents proliferate, so a coverage gap that was 30% of the environment in year one becomes 40% by year three with no architectural change at all.
Pre-ingestion filtering moves the coverage decision earlier, not closer to the right answer. When a team filters at the log shipper before data hits the SIEM, they are making a permanent determination that a source is not worth monitoring before any investigation has shown what will matter. A firewall rule generating 500,000 events a day that has never fired a detection looks like pure noise, right up until the day it contains the single event that exposes a misconfigured allow rule an attacker walked through. The filter happens before the answer is available.
Cold-tier archiving preserves the logs without preserving access to them. Data sitting in a cold tier technically exists and satisfies compliance retention requirements. But querying it during an active incident takes hours per cycle, which means investigators are making case decisions on the hot-tier logs they can reach: the filtered, reduced version of the environment.
Telemetry sampling drops resolution at exactly the events that matter most. Sampling 1-in-10 NetFlow records cuts costs by 90% and discards 9 connection events for every 1 it keeps. Attacks are not evenly distributed across sampled and unsampled records. The connections that reveal lateral movement are usually short-duration and low-frequency, which makes them statistically unlikely to survive a 10% sample in the first place.
The fix is to stop making the coverage decision at ingestion time.
Strike48 runs search-in-place log intelligence: raw logs stay where they already sit and get queried on demand, so keeping a source no longer means paying to re-ingest, parse, and store it under a per-GB meter. The DNS telemetry and full NetFlow that were unaffordable to ingest have become affordable to keep, because the cost of holding a log is separated from the cost of searching it. Nothing has to be dropped to control the bill.
Strike48's federated search queries existing S3, Splunk, and Elastic stores through native APIs without migration, so complete coverage does not require abandoning the infrastructure already paid for. Logs already sitting on one platform are not ingested and stored a second time to make them visible in an investigation. Our SIEM Modernization Playbook found that 60 to 80% of SIEM-ingested data in most organizations is retention and compliance data that does not need real-time query performance, which means the hot tier driving per-GB cost can often shrink to 20 to 40% of current volume without losing detection coverage.
The premise here is different from cost optimization. Coverage should be a risk decision, not a function of what fits inside a per-GB budget. Search-in-place and federated search are how that becomes operational, and they are also the reason a team can evaluate SIEM alternatives without committing to a multi-year migration first.
The question every SOC team should bring to its next SIEM renewal is not "how do we reduce per-GB costs," but "what percentage of our environment is currently monitored, and how was that percentage determined?" If the honest answer involves sources excluded for budget reasons, then the budget cut created the blind spot, and the renewal spreadsheet is where that call gets made without anyone naming it as a security decision. Strike48 helps security teams achieve complete log coverage without forced migration or duplicate storage, so coverage is driven by risk rather than storage budget. Strike48's autonomous investigation agents fire against that complete data, which is the only condition under which agent outputs can be trusted.
How much does a SIEM cost per year? Mid-market organizations of 100 to 500 employees spend $250,000 to $600,000 per year, all-in, once staffing, storage, integration, tuning, and training are accounted for, with the headline license making up only 30 to 40% of that. A 100 GB/day Splunk deployment, a heavier ingestion profile than most organizations that size run, reaches $1.16M in year one (SIEMCostCalculator.com, May 2026), and enterprise deployments at higher ingestion volumes scale proportionally.
Why do SIEM costs keep rising year over year? Telemetry volume grows 20 to 30% per year as organizations add cloud workloads, expand endpoint coverage, and adopt SaaS tools that each generate logs. Under per-GB pricing, cost growth tracks volume growth directly, and a firewall replacement or new EDR agent can spike daily ingestion overnight with no advance warning in the contract.
What is the difference between SIEM cost and SIEM TCO? License or subscription cost is what appears on the procurement invoice. TCO adds staffing ($170K to $900K/year), integration ($75K to $300K year one), tuning ($50K to $120K initial), storage, threat intelligence, and training, which together push first-year TCO to 2.5 to 3.0x the headline license fee.
How does search-in-place change SIEM economics? Search-in-place leaves raw logs in the stores you already have and queries them on demand, so the cost of keeping a source is separated from the cost of searching it. With Strike48's federated search, data is accessed through native APIs, which lets you retain DNS telemetry, full NetFlow, and verbose endpoint process logs without the per-GB penalty that makes them unaffordable in a traditional SIEM.