Why your SIEM costs more than your cloud bill

Most SIEM vendors price by ingest volume. The more logs you send, the higher the bill. This creates a perverse incentive: the worse your security posture, the more you pay to observe it. Teams start filtering logs before they reach the SIEM — which means detections run on incomplete data.

The ingest model made sense when storage was the bottleneck. Today, object storage is cheap. Compute for detection is cheap. The expensive part is the engineering time spent tuning noisy rules, chasing false positives, and explaining to finance why the SIEM line item doubled after onboarding a new log source.

A better model charges for detection capacity, not data volume. You should be able to ship every log you have without worrying about cost. The SIEM's job is to find signal — and you should pay for how well it does that, not for how many bytes it ingested.

At Sandworm, Sandworm SIEM is priced by tier, not by GB. Starter gives you 10 GB/day with Sigma-compatible rules and basic search. Professional scales to 100 GB/day with UEBA, MITRE heatmaps, and threat hunting. Enterprise removes limits entirely. The price goes up because the capability goes up — not because your infrastructure grew.

If your SIEM bill surprises you every quarter, the pricing model is the problem. Your security budget should scale with your team's capability, not your infrastructure's log volume.