SIEM Platform Licensing: Three Different Meters
SIEM platform licensing is the single most volatile line in the cloud security budget because the leading platforms (Splunk, Microsoft Sentinel, and IBM QRadar) meter cost on fundamentally different units. Splunk historically priced on data ingested per day and now also on Splunk Virtual Compute (SVC) units; Microsoft Sentinel prices per gigabyte ingested into the analytics tier; QRadar prices on events per second (EPS), with a perpetual licence plus maintenance. Until you normalise all three to your own daily ingest volume, the quotes are not comparable, and that is exactly the confusion vendor account teams rely on.
The headline numbers tell the story. Splunk runs $150+ per GB per day, or roughly $2,000–$3,500 per GB per year for enterprise deployments, with Splunk Cloud about 33% above on-premises Enterprise. Microsoft Sentinel charges $4.30 per GB (East US) to $5.59 per GB (West US) on pay-as-you-go, with free ingestion of Microsoft 365 audit data. QRadar starts around $10,000 a year for small deployments but is dominated at enterprise scale by perpetual licence plus 18–22% annual maintenance. SIEM is typically the largest single tool in the cloud security contract stack, and total cost of ownership reliably runs 2–3x the headline licence once staffing and integration are added.
Splunk vs Sentinel vs QRadar: The Cost Spread
The table normalises all three to annual licence cost at representative ingest volumes. The 40–60% gap between Sentinel and Splunk at scale is the reason SIEM migration is one of the most common cloud security cost actions we run.
| Platform | Licensing Unit | ~50 GB/day Annual | ~200 GB/day Annual |
|---|---|---|---|
| Microsoft Sentinel (PAYG) | Per GB ingested | ~$95K | Drops with commitment tiers |
| Microsoft Sentinel (commitment) | Reserved GB/day tier | Up to 52% below PAYG | ~$242K |
| Splunk Cloud | Ingest / SVC units | ~$135K | $400K+ |
| Splunk Enterprise (on-prem) | Ingest per day | ~33% below Cloud | ~33% below Cloud |
| IBM QRadar | EPS + perpetual licence | Licence + 18–22% maintenance | Maintenance negotiable to 12–16% |

At 200 GB per day, Microsoft Sentinel on commitment tiers lands around $242,000 a year against Splunk Cloud at $400,000-plus — a $160,000 annual gap on licensing alone. Before that comparison means anything, normalise both quotes to the same daily ingest volume and the same retention period; vendors routinely quote different volumes to obscure the gap.
Microsoft Sentinel: Commitment Tiers and the Data Lake
Sentinel's commitment tiers reserve daily ingest capacity from 100 GB to 50,000 GB per day and cut up to 52% off pay-as-you-go rates. Microsoft also opened a 50 GB promotional commitment tier in October 2025, with sign-up open until 30 June 2026 and promotional pricing held until 31 March 2027 — a genuine, time-boxed lever worth capturing if your volume sits near that band. The 2025 Sentinel Data Lake tier stores long-retention logs at up to 85% below analytics-tier cost, which reshapes the economics of compliance retention.
The Sentinel trap is the assumption that "free Microsoft 365 ingestion" makes it cheap. Free ingestion applies to a defined set of Microsoft connectors; everything else — firewall, network, third-party SaaS, custom logs — bills at full per-GB rates and is usually 70–80% of total volume. We cover the platform-specific mechanics in our dedicated Microsoft Sentinel licensing guide, and the Sentinel commercial relationship sits inside the wider Microsoft vendor negotiation.
Splunk: Workload Pricing and the SVC Question
Splunk's workload pricing meters Splunk Virtual Compute units — purchased at roughly $55,000–$75,000 per SVC per year — rather than raw ingest, which lets you bring more data in and search selectively. For high-ingest, low-search estates this can be cheaper than ingest-based pricing; for search-heavy SOCs it can be more expensive. Splunk does not retire the old ingest model, so the negotiation question is which model fits your search profile — and Splunk will not volunteer the cheaper one. Model both against 12 months of your own search telemetry before committing.
Splunk also concentrates leverage at term boundaries. Multi-year Enterprise Adoption Agreements bundle ingest, premium apps such as Enterprise Security and SOAR, and support into a single commitment — attractive headline discounting, but the bundle locks you into volume you may not reach and apps you may not deploy. Price each premium app separately, hold Splunk to a documented adoption ramp, and refuse minimum-volume commitments above your measured 90th-percentile daily ingest. Over-committed Splunk EAAs are one of the most common sources of stranded spend we unwind, frequently 15–25% of the annual contract value.
IBM QRadar: The Maintenance Renewal Lever
QRadar's enterprise economics are dominated by the perpetual-licence maintenance renewal. List maintenance runs 18–22% of perpetual licence value annually, but benchmark data shows major accounts negotiate this to 12–16% — a 6-point swing worth six figures on a large estate. Because QRadar migrations are expensive and disruptive, IBM relies on renewal inertia; the lever is a credible, documented migration assessment to Sentinel or a cloud-native alternative, presented before the maintenance renewal window. This is the same audit-and-alternative discipline set out in our vendor audit defence handbook, and the QRadar relationship sits within the broader IBM licensing picture.
The Hidden Costs Behind the Per-GB Rate
The headline per-GB or per-SVC rate is rarely the real number. Three hidden costs reliably push SIEM total cost of ownership to 2–3x the licence line. The first is retention: compliance frameworks such as PCI DSS 4.0 and many financial-services regulators require 12 months of searchable logs, and analytics-tier retention is the most expensive storage a SIEM sells. Sentinel's Data Lake tier at up to 85% below analytics cost, and Splunk's frozen-bucket archiving, exist precisely because long retention at full rate is punitive — but you have to design the tiering deliberately, not accept the default.
The second hidden cost is data egress and integration. Pulling logs out of a cloud platform into an on-premises SIEM, or moving between clouds, incurs egress charges that can rival the licence; the contract should address who bears egress for the connectors you actually use. The third is professional services and content: detection-rule development, use-case engineering and managed-service overlays are often sold as mandatory attach and quietly add 30–50% to year-one cost. Itemise each and treat it as separately negotiable rather than a fixed component of the platform.
Negotiation Levers That Work
The first lever is ingest reduction before pricing. Because every major SIEM meters on volume, filtering and routing low-value logs (verbose firewall accept events, debug logs) to cheaper storage before ingest cuts the bill 20–40% with no detection loss. Do this first — never negotiate price on an un-optimised volume baseline. This pairs naturally with the data-tiering work in endpoint and identity telemetry, which are often the largest ingest sources.
The second lever is the commitment-tier true-up clause. Commitment tiers reward predictability but punish over-commitment; negotiate the reserved volume against measured baseline plus 20% headroom, with a quarterly right to step the tier down. The third lever is a competitive migration quote: Sentinel is one of the few platforms that publishes pricing, which makes it a powerful benchmark to put in front of Splunk or IBM. Negotiated SIEM deals routinely save 20–40% off list. To benchmark your SIEM contract against current market rates, request a confidential briefing or read our price benchmarking research.
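The first two levers, together with the 90th-percentile ceiling from the Splunk section, worked as a sizing calculation. This is an added example, not taken from the article or from any vendor tool; the source names, the ten-day volumes and the function names are constructed assumptions.

```python
# Added illustration: size a SIEM volume commitment from measured ingest.
# Constructed sample, GB/day per log source over ten days (not real telemetry).
DAILY_GB = {
    "firewall_accept": [30, 32, 28, 31, 29, 30, 33, 27, 30, 30],
    "debug":           [5, 5, 6, 4, 5, 5, 5, 5, 6, 4],
    "endpoint":        [40, 42, 38, 45, 41, 39, 60, 40, 43, 42],
    "identity":        [20, 21, 19, 22, 20, 20, 25, 20, 21, 22],
}
# Low-value sources to route to cheaper storage before ingest (assumed labels).
LOW_VALUE = frozenset({"firewall_accept", "debug"})


def daily_totals(sources, exclude=frozenset()):
    """Total GB per day across all sources not in `exclude`."""
    kept = [series for name, series in sources.items() if name not in exclude]
    return [sum(day) for day in zip(*kept)]


def percentile(values, pct):
    """Nearest-rank percentile, integer arithmetic to avoid float rounding."""
    ordered = sorted(values)
    rank = max(1, (pct * len(ordered) + 99) // 100)  # ceil(pct/100 * n)
    return ordered[rank - 1]


def sizing(sources, exclude=frozenset(), headroom=0.20):
    """Measured baseline, P90 day, and baseline-plus-headroom reserve (GB/day)."""
    totals = daily_totals(sources, exclude)
    baseline = sum(totals) / len(totals)
    return {
        "baseline_gb": round(baseline, 1),
        "p90_gb": percentile(totals, 90),  # ceiling for a minimum-volume commitment
        "reserve_gb": round(baseline * (1 + headroom), 1),  # commitment-tier target
    }


def reduction_pct(sources, exclude):
    """Share of total ingest removed by routing `exclude` away from the SIEM."""
    before = sum(daily_totals(sources))
    after = sum(daily_totals(sources, exclude))
    return round(100 * (before - after) / before, 1)


if __name__ == "__main__":
    print("unfiltered:", sizing(DAILY_GB))
    print("filtered:  ", sizing(DAILY_GB, LOW_VALUE))
    print("ingest reduction %:", reduction_pct(DAILY_GB, LOW_VALUE))
```

Run it on the filtered series before any pricing conversation: a single spike day moves the P90 ceiling far less than it moves the peak, which is why the ceiling is set on the percentile rather than the maximum.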