SaaS SIEM vs on-premise TCO: 200 servers and 10k events/sec, 3-year numbers
Datadog, Splunk Cloud, Sentinel — or an open-source on-prem stack. For a 200-server estate producing 10k events/sec, the financial comparison over 3 years with hidden costs included.
TL;DR
- For a 200-server estate with 10k events/sec sustained and 200 GB/day log volume, 3-year TCO differs significantly between the main options.
- SaaS (Datadog, Splunk Cloud, Microsoft Sentinel): 400,000-700,000 EUR over 3 years.
- On-premise stack (Graylog + Wazuh + Prometheus + Suricata + Zeek): 80,000-180,000 EUR over 3 years.
- The difference is not only list price — there are also SaaS hidden costs (egress, retention, premium features) plus Schrems II risk for EU customers.
- On-premise requires initial CapEx + 0.5-1 FTE ops; SaaS is pure OpEx but unpredictable at renewal.
- For regulated clients (NIS2, sensitive GDPR, legal), on-premise is often the only option compatible with compliance.
The SIEM decision is one of the largest IT acquisitions a mid-market organization makes. Getting it wrong costs 200-400K EUR over 3 years and — worse — saddles you with lock-in that is hard to break. This article quantifies the real TCO for the typical profile of an active mid-market: 200 servers, 10k events/sec, 12-month retention.
Comparison profile
Common setup for the numbers:
- 200 mixed Linux+Windows servers.
- 10,000 events/sec sustained, 25,000 peak.
- 200 GB/day aggregate log ingest (apps + system + security + network).
- Retention: 12 months online + 24 months archive.
- Regulation: GDPR + possibly NIS2.
- SecOps team: 1-2 people with other responsibilities.
We address four options:
- Datadog Cloud SIEM (US-headquartered SaaS).
- Splunk Cloud (US-headquartered SaaS, now Cisco).
- Microsoft Sentinel (SaaS on Azure, EU regions available).
- On-premise open-source stack — Graylog + Wazuh + Prometheus + Suricata + Zeek, as in AEGIS.
Datadog Cloud SIEM — 3-year TCO
Datadog uses two pricing schemes:
- Logs: per GB ingested, at the selected hot retention (15, 30 or 90 days).
- Cloud SIEM: billed separately, per event analyzed.
Typical 2026 numbers:
- Log ingest with 30-day retention: 0.10-0.25 USD/GB.
- Cloud SIEM: 0.40-0.60 USD/million events analyzed.
- Egress from your own cloud to Datadog: variable, 0.05-0.10 USD/GB.
3-year calculation:
- Log ingest: 200 GB/day × 365 × 3 × 0.20 USD = 43,800 USD (with 30-day hot retention).
- Cloud SIEM: 10,000 events/sec × 86,400 × 365 × 3 × 0.50 / 1,000,000 = 472,500 USD.
- Egress: ~10K USD/year × 3 = 30,000 USD.
- Datadog admin (part-time): 30K EUR/year × 3 = 90,000 EUR.
Datadog 3-year total: ~600,000 EUR (550,000 USD + 90K EUR personnel).
Additional hidden costs:
- Long-term archive (>90 days) requires separate storage with reactivation cost on search.
- Complex custom dashboards may add to billing on other Datadog products.
- 15-25% year-over-year price increases at renewal, as documented in industry forums.
Splunk Cloud — 3-year TCO
Splunk Cloud has per-GB ingestion or per-workload pricing. For 200 GB/day:
Typical 2026 numbers:
- 200 GB/day ingest: ~12,000-18,000 USD/month under workload pricing.
- 12-month online retention: additional ~30-50% over ingest pricing.
- Egress: similar, 0.05-0.10 USD/GB.
3-year calculation:
- Subscription: 15,000 USD/month × 36 = 540,000 USD.
- Retention surcharge: ~150,000 USD.
- Egress + premium apps: ~50,000 USD.
- Personnel: 50K EUR/year × 3 = 150K EUR.
Splunk Cloud 3-year total: ~800,000 EUR (740,000 USD + 150K EUR personnel).
Hidden costs:
- Volume-based pricing penalizes organic growth.
- Premium Splunkbase apps add costs.
- Migrating away from Splunk is a 6-12 month project, which is what makes switching hard.
Microsoft Sentinel — 3-year TCO
Sentinel is Microsoft’s SIEM on Azure, with native integration to Microsoft 365, Defender, Entra ID. Pricing per GB ingested into Log Analytics.
Typical 2026 numbers:
- Log Analytics ingest: ~2.30 USD/GB for 100-300 GB/day tier.
- Sentinel analytics: ~2.00 USD/GB on top of ingest.
- Retention >90 days: ~0.10 USD/GB/month.
3-year calculation:
- Log ingest: 200 GB/day × 365 × 3 × 4.30 USD = 941,700 USD.
- Long-term retention (90+ days): ~50K USD over 3 years.
- Sentinel admin: 40K EUR/year × 3 = 120K EUR.
Sentinel 3-year total: ~1,020,000 EUR (~990K USD + 120K EUR personnel).
Sentinel can be more efficient if you already use Microsoft 365 E5 (Defender included, Microsoft logs are “free” in Sentinel). For a greenfield client it is the most expensive option.
Hidden costs:
- Azure egress bandwidth between regions or to on-prem.
- Reservation pricing reduces cost ~30% but locks in for 1-3 years.
- Schrems II exposure remains: even with EU regions, US sub-processors are involved.
On-premise open-source stack — 3-year TCO
AEGIS stack — Graylog + OpenSearch + MongoDB + Wazuh + Prometheus + Grafana + Suricata + Zeek + local LLM.
Hardware (CapEx year 1):
- 5 VMs (40 vCPU + 64 GB RAM + 800 GB combined storage): ~25K EUR on existing virtualization infra; 50K EUR if buying new dedicated servers.
- 1 enterprise GPU (A100 or open equivalent) for AI triage: 15-25K EUR amortized over 3 years.
- Dedicated traffic-monitoring server (Suricata + Zeek): 8-12K EUR.
- Network tap or SPAN port for traffic capture: 2-5K EUR.
Software: 0 EUR. The whole stack is open-source (Apache 2.0, AGPL, BSD; SSPL for Graylog Open, which is source-available rather than OSI-approved, so check that its terms fit your use).
Operational (annual OpEx):
- DC energy + cooling: 3-5K EUR/year.
- 0.5-1 part-time FTE for ops, tuning, on-call: 30-60K EUR/year.
- Optional Graylog Operations support: 5-10K EUR/year.
3-year calculation:
- CapEx hardware: 50-90K EUR (amortized).
- OpEx: 35-75K EUR/year × 3 = 105-225K EUR.
- Initial setup (consulting, deployment, tuning): 20-40K EUR year 1.
On-premise 3-year total: ~150,000-300,000 EUR.
With a minimalist setup (mature internal team, no consulting, existing hardware), the total can drop to 80-150K EUR.
Direct comparison
| Option | 3-year TCO | Schrems II | Lock-in | Predictability | Internal effort |
|---|---|---|---|---|---|
| Datadog | ~600K EUR | Yes, US vendor | High | Medium (+20%/yr renewal) | Low |
| Splunk Cloud | ~800K EUR | Yes, US vendor | High | Medium | Low |
| Sentinel | ~1,020K EUR | Medium (US sub-proc) | High | Medium | Low |
| On-premise | ~80-300K EUR | No | Low | High | Medium |
Hidden costs that do not show up in the calculation
SaaS — renewal surprises. After 12-24 months, the vendor asks for a price increase (15-40%). Negotiation consumes time. Migration to another vendor consumes 6-12 months. You are practically captive.
SaaS — egress equals log volume. With 200 GB/day of logs sent to the vendor, you are at 73 TB/year uploaded. At cloud egress of 0.05-0.10 USD/GB, that is 4-7K USD/year just for bandwidth.
SaaS — Schrems II disclosure. For regulated EU clients (NIS2, financial, legal, public sector), using a US-headquartered SIEM requires a DPIA, additional safeguards, or accepting legal risk. See Why not Auth0 — Schrems II for details.
On-premise — internal capability. Requires 0.5-1 part-time FTE. For an SMB without existing SecOps, it can be a blocker. Partial outsourcing (managed AEGIS) is an option.
On-premise — migration window. Initial setup is 4-12 weeks. During that period the old system must run in parallel, so expect double running costs in months 2-3.
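The per-vendor arithmetic in the sections above, carried into a small parametric model, as an added example (not code from the article or from the AEGIS project). It reproduces the flat 3-year figures for Datadog, Splunk Cloud and Sentinel from the article's midpoint rates, then applies the two hidden costs the article only footnotes, renewal uplift and organic log-volume growth, so they can be priced per option instead of estimated by feel. The USD to EUR rate (0.92), the 15 % growth and 20 % uplift defaults, the conversion of Splunk's monthly workload price to an effective per-GB rate, and the on-premise midpoints are assumptions.

```python
"""Parametric SIEM TCO model (added example, not the article's or AEGIS's code).

Reproduces the article's flat 3-year arithmetic for the SaaS options
(per-GB ingest, per-event analysis, per-GB egress, flat surcharges, personnel)
and folds in two effects the article lists only as hidden costs: renewal
uplift and organic log-volume growth. Unit rates are the article's 2026
midpoints; USD->EUR, default growth/uplift and the Splunk per-GB conversion
are assumptions.
"""
from dataclasses import dataclass, replace

SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365
USD_TO_EUR = 0.92  # assumption; the article adds USD and EUR figures loosely


@dataclass(frozen=True)
class Profile:
    """Estate profile from the article's 'Comparison profile' section."""
    gb_per_day: float = 200.0
    events_per_sec: float = 10_000.0
    years: int = 3
    volume_growth_per_year: float = 0.0  # organic growth; 0.15 means +15 %/yr


@dataclass(frozen=True)
class SaasPricing:
    """Price components of one SaaS offer (zero for components it lacks)."""
    name: str
    usd_per_gb_ingest: float             # log ingest incl. hot retention
    usd_per_million_events: float = 0.0  # per-event SIEM analysis (Datadog style)
    usd_per_gb_egress: float = 0.0       # bandwidth out of your own cloud
    fixed_usd_per_year: float = 0.0      # retention surcharge, premium apps, ...
    personnel_eur_per_year: float = 0.0  # part-time admin
    renewal_uplift: float = 0.0          # unit-price increase from year 2 on


def usd_by_year(profile: Profile, p: SaasPricing) -> list[float]:
    """Vendor-side USD cost for each contract year.

    Volume compounds with organic growth, unit prices with the renewal
    uplift; with both at zero, every year equals the article's flat sum.
    """
    out = []
    for y in range(profile.years):
        volume = (1 + profile.volume_growth_per_year) ** y
        price = (1 + p.renewal_uplift) ** y
        gb = profile.gb_per_day * DAYS_PER_YEAR * volume
        mevents = profile.events_per_sec * SECONDS_PER_DAY * DAYS_PER_YEAR * volume / 1e6
        usd = (gb * p.usd_per_gb_ingest
               + mevents * p.usd_per_million_events
               + gb * p.usd_per_gb_egress
               + p.fixed_usd_per_year) * price
        out.append(usd)
    return out


def tco_eur(profile: Profile, p: SaasPricing) -> float:
    """Whole-term vendor cost converted to EUR, plus personnel."""
    return sum(usd_by_year(profile, p)) * USD_TO_EUR + p.personnel_eur_per_year * profile.years


@dataclass(frozen=True)
class OnPremCosts:
    """Midpoints of the article's on-premise ranges (assumed). Hardware is
    sized for the profile, so growth and renewal uplift do not apply."""
    capex_eur: float = 70_000
    setup_eur: float = 30_000
    opex_eur_per_year: float = 55_000


def on_prem_tco_eur(profile: Profile, c: OnPremCosts = OnPremCosts()) -> float:
    return c.capex_eur + c.setup_eur + c.opex_eur_per_year * profile.years


# The article's SaaS options at the midpoints it uses. Splunk's monthly
# workload price is turned into an effective per-GB rate (assumption) so
# that organic growth affects it too, as the article says it does.
DATADOG = SaasPricing("Datadog", usd_per_gb_ingest=0.20, usd_per_million_events=0.50,
                      usd_per_gb_egress=0.10, personnel_eur_per_year=30_000)
SPLUNK = SaasPricing("Splunk Cloud",
                     usd_per_gb_ingest=15_000 * 12 / (200 * DAYS_PER_YEAR),
                     fixed_usd_per_year=(150_000 + 50_000) / 3,
                     personnel_eur_per_year=50_000)
SENTINEL = SaasPricing("Sentinel", usd_per_gb_ingest=4.30,
                       fixed_usd_per_year=50_000 / 3, personnel_eur_per_year=40_000)


def scenario_table(growth: float = 0.15, uplift: float = 0.20) -> dict[str, tuple[int, int]]:
    """EUR TCO per option: flat contract vs the same contract under organic
    growth and renewal uplift (both defaults are assumptions)."""
    flat, growing = Profile(), Profile(volume_growth_per_year=growth)
    table = {}
    for vendor in (DATADOG, SPLUNK, SENTINEL):
        stressed = replace(vendor, renewal_uplift=uplift)
        table[vendor.name] = (round(tco_eur(flat, vendor)), round(tco_eur(growing, stressed)))
    table["On-premise"] = (round(on_prem_tco_eur(flat)), round(on_prem_tco_eur(growing)))
    return table


if __name__ == "__main__":
    for name, (flat, stressed) in scenario_table().items():
        print(f"{name:12s} flat {flat:>10,d} EUR   growth+uplift {stressed:>10,d} EUR")
```

With growth and uplift at zero the model returns the article's own USD sums (Datadog ~539K, Splunk 740K, Sentinel ~992K); with 15 % volume growth and 20 % renewal uplift the three-year multiplier on a volume-priced contract becomes 1 + 1.38 + 1.90 = 4.28 instead of 3, which is the quantity to put in front of the CFO next to the flat quote.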
Decision per profile
Tech startup, no strict compliance, small internal capability: SaaS justified. Datadog optimal for combined observability + SIEM. Accept the cost if zero-to-value time is critical.
Mid-market, 100-300 server estate, moderate compliance: Mixed decision. For the largest segment, on-premise produces clear ROI past 18 months. Sentinel justified only if you are already full Microsoft 365 E5.
Regulated mid-market, NIS2 critical, financial/legal: On-premise predominantly. US SaaS fails Schrems II. Sentinel with EU regions is marginally acceptable but high lock-in.
Mature enterprise, mature threat hunting, large internal capability: On-premise for sensitive data + SaaS for cross-org correlation. Hybrid is feasible.
Non-financial arguments
Cost is not the only factor. For regulated organizations, data sovereignty and internal control of the SecOps stack can matter more than the TCO difference.
Sovereignty. Logs remain physically in the client’s infrastructure. No dependency on geopolitics, on vendor term changes, on supplier outage.
Auditability. Open-source means the source code is available for inspection, so auditors can verify exactly what the stack does. SaaS is a black box taken on trust.
Adaptability. Custom rules, custom parsers, exotic integrations. On-premise allows it. SaaS allows less.
Internal capability. The team gains transferable expertise. With SaaS, expertise is product-bound.
Related articles
- Graylog vs Splunk for 50-500 server SMBs: 3-year TCO and scaling pain points
- On-premise SIEM with a local LLM: AI incident analysis without breaking confidentiality
- AI incident analysis with a local LLM: triage from 30 minutes to 30 seconds
- NIS2 implementation — operational checklist for essential and important entities
- Pillar AEGIS — on-premise SIEM with local AI
Next steps
For a 4-8 hour workshop with CFO + CTO to compute TCO specific to your organization, see AEGIS or write to contact. The detailed calculation requires concrete data on log volume, retention, existing hardware profile.
Related: Graylog vs Splunk for SMBs · On-premise SIEM with a local LLM · Why not Auth0 — Schrems II.