If your security team is evaluating SIEM options, you will hit the same fork in the road everyone hits: pay six figures for Splunk or Sentinel, or run Wazuh for the cost of the infrastructure.
The honest answer is that neither choice is wrong — but the question being asked is usually wrong too. This post breaks down what Wazuh actually does well, where commercial SIEMs genuinely earn their cost, and how to decide based on your real constraints rather than vendor positioning.
If you’re new to what a SOC does and why SIEM is part of it, start with What is a SOC?
What Is a SIEM?
A SIEM (Security Information and Event Management) platform collects log data from across your environment — servers, firewalls, endpoints, cloud services — correlates it in real time, and generates alerts when something looks like an attack.
Core SIEM functions:
| Function | What It Does |
|---|---|
| Log aggregation | Collects logs from all sources into one place |
| Normalization | Converts different log formats into a common schema |
| Correlation | Matches patterns across sources to detect attacks |
| Alerting | Triggers an analyst when a threat pattern is detected |
| Retention | Stores logs for compliance and forensic investigation |
| Reporting | Generates dashboards and compliance reports |
What Is Wazuh?
Wazuh is an open-source security platform that combines SIEM, HIDS (Host Intrusion Detection), FIM (File Integrity Monitoring), and vulnerability detection in a single agent-based stack.
It is built on a fork of OSSEC and is now maintained by the Wazuh company with an active open-source community. The core platform is free under the GPL v2 license. Wazuh Cloud and commercial support are paid.
Wazuh’s architecture:
```mermaid
flowchart TD
A["Endpoints (Linux / Windows / macOS)"] --> B["Wazuh Agent"]
C["Network Devices / Firewalls"] --> D["Syslog / API Ingestion"]
E["Cloud Services (AWS, Azure, GCP)"] --> F["Cloud Security Module"]
B --> G["Wazuh Manager"]
D --> G
F --> G
G --> H["OpenSearch / Wazuh Indexer"]
H --> I["Wazuh Dashboard"]
I --> J["Analyst Workstation"]
```
What Wazuh does out of the box:
- Agent-based log collection from Linux, Windows, macOS, Docker, Kubernetes
- 3,000+ built-in detection rules (MITRE ATT&CK mapped)
- File Integrity Monitoring (FIM) on critical paths
- Vulnerability detection via CVE database integration
- Active response (auto-block, quarantine, process kill)
- PCI DSS, HIPAA, GDPR, NIST compliance dashboards
- Integration with VirusTotal, YARA, ClamAV, TheHive, Shuffle
The Main Commercial SIEM Platforms
| Platform | Vendor | Pricing Model | Best For |
|---|---|---|---|
| Splunk Enterprise | Splunk (Cisco) | Daily data ingest volume (GB/day) | Large enterprise, mature SOC teams |
| Microsoft Sentinel | Microsoft | Per GB ingested + analytics rules | Microsoft 365 / Azure-heavy environments |
| IBM QRadar | IBM | Event Per Second (EPS) licensing | Government, regulated industries |
| Elastic SIEM | Elastic | Managed or self-hosted; tiered | Developer-friendly, hybrid cloud |
| LogRhythm | LogRhythm | User/host + module licensing | Mid-market, compliance-focused |
Cost Comparison: What Does Each Actually Cost?
This is where most comparisons go wrong by using list prices. Here are realistic figures for a 200-user, 50-server environment ingesting approximately 20 GB/day of logs:
| Platform | Annual Cost Estimate | Notes |
|---|---|---|
| Wazuh (self-hosted) | $0–$8,000 | Infrastructure + labor to maintain; no license fee |
| Wazuh Cloud | $15,000–$25,000 | Managed indexing + support SLA |
| Microsoft Sentinel | $35,000–$70,000 | Varies heavily with data ingestion and Microsoft 365 licensing |
| Splunk Cloud | $80,000–$150,000 | 20 GB/day; drops with commitment discount |
| IBM QRadar | $60,000–$120,000 | Includes base EPS + modules |
| LogRhythm | $40,000–$80,000 | Mid-market bundle |
Note: All figures are estimates based on public pricing tiers and market experience as of 2026. Actual costs depend on negotiated contracts, existing licenses, and deployment complexity.
The Wazuh "free" figure is misleading in isolation. Self-hosting requires:
- An engineer who understands OpenSearch tuning
- Ongoing rule maintenance and false-positive reduction
- Infrastructure (typically 3–5 VMs or equivalent cloud resources for this size)
- Incident response tooling (TheHive, Shuffle, or equivalent) to operationalize alerts
When you include realistic labor cost, self-hosted Wazuh for a 200-user organization typically costs $25,000–$45,000 per year in total when properly staffed. That’s still cheaper than Splunk — but not free.
Capability Comparison
```mermaid
flowchart TD
A["SIEM Capability Areas"] --> B["Log Coverage"]
A --> C["Detection Quality"]
A --> D["Investigation UX"]
A --> E["Compliance Reporting"]
A --> F["Integration Ecosystem"]
A --> G["Scalability"]
B --> B1["Wazuh: strong on endpoints, moderate on network/cloud"]
B --> B2["Sentinel: strongest on Microsoft 365 / Azure"]
B --> B3["Splunk: broadest connector library"]
C --> C1["Wazuh: MITRE-mapped rules, customizable, no ML out of box"]
C --> C2["Sentinel: ML-based anomaly detection built in"]
C --> C3["Splunk: UEBA + ML with ES premium module"]
D --> D1["Wazuh: functional but requires customization"]
D --> D2["Sentinel: best UX for hybrid investigation"]
E --> E1["Wazuh: PCI, HIPAA, GDPR, NIST dashboards included"]
E --> E2["Commercial: audit-ready reports with vendor certification"]
```
Where Wazuh Wins
1. Endpoint visibility depth. Wazuh’s agent collects syscall-level data, running process lists, open ports, and file changes. This is more granular than most commercial SIEMs without premium add-ons.
2. Rule customization. Wazuh’s XML-based rule system is open. You can write detection logic for your specific application stack — custom web app error patterns, internal API abuse, ERP-specific events — without waiting for vendor support or paying for custom content packs.
3. Cost at small-to-medium scale. Under 50 servers with a team that can maintain it, Wazuh is genuinely cost-effective.
4. PDPA / on-premise data sovereignty. For organizations in Thailand under PDPA, or Japanese manufacturers with data residency requirements, self-hosted Wazuh keeps all log data on-premise with no third-party cloud exposure.
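To make the "rule customization" point concrete, here is an added example (not from the original post or from the Wazuh project) of a custom decoder, a correlation rule and an optional active response for an internal web application. The application name `shopapp`, its log format, the rule IDs and the `T1110` mapping are assumptions for illustration; the three fragments belong in `local_decoder.xml`, `local_rules.xml` and `ossec.conf` on the manager.

```xml
<!-- local_decoder.xml: parse a constructed log line such as
     "Apr 10 12:00:01 web01 shopapp: level=warn user=alice action=login_failed src=10.0.0.5"
     The syslog pre-decoder already strips the timestamp/host and sets program_name. -->
<decoder name="shopapp">
  <program_name>^shopapp$</program_name>
</decoder>

<decoder name="shopapp-fields">
  <parent>shopapp</parent>
  <regex>level=(\w+) user=(\S+) action=(\S+) src=(\d+.\d+.\d+.\d+)</regex>
  <!-- srcuser and srcip are standard fields; level and action become dynamic fields -->
  <order>level, srcuser, action, srcip</order>
</decoder>

<!-- local_rules.xml: custom IDs must stay in the 100000-120000 range -->
<group name="shopapp,">
  <!-- Base rule: every shopapp event is indexed at a low level, no alert noise -->
  <rule id="100200" level="3">
    <decoded_as>shopapp</decoded_as>
    <description>shopapp: $(action) by $(srcuser) from $(srcip)</description>
  </rule>

  <!-- Single failed login: worth recording, not worth paging anyone -->
  <rule id="100201" level="5">
    <if_sid>100200</if_sid>
    <field name="action">^login_failed$</field>
    <description>shopapp: failed login for $(srcuser) from $(srcip)</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Correlation: repeated failures from one source IP inside the timeframe.
       frequency/timeframe are the knobs to tune during the false-positive phase. -->
  <rule id="100202" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100201</if_matched_sid>
    <same_source_ip/>
    <description>shopapp: repeated failed logins from $(srcip) (possible brute force)</description>
    <mitre><id>T1110</id></mitre>
    <group>authentication_failures,</group>
  </rule>
</group>

<!-- ossec.conf (manager): optional active response bound to the correlation rule only,
     so a single typo never triggers a block. Timeout is in seconds. -->
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>100202</rules_id>
  <timeout>600</timeout>
</active-response>
```

Feed the sample line through `/var/ossec/bin/wazuh-logtest` on the manager to confirm the decoder extracts all four fields before enabling the active response.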
Where Commercial SIEMs Win
1. Microsoft 365 and Azure coverage. Sentinel’s native connectors for Teams, Exchange, Azure AD, and Defender give it an edge that Wazuh’s API-based integrations can’t fully match for Microsoft-heavy organizations.
2. ML-based anomaly detection. Wazuh’s detection is rule-based. Sentinel and Splunk include user behavior analytics (UEBA) — detecting things like impossible travel, unusual data access patterns, and insider threat indicators without manual rule authoring.
3. Tier-1 vendor SLA. For regulated industries (banking, healthcare, critical infrastructure), a vendor-backed SLA with formal support escalation is a compliance requirement, not a preference.
4. Case management and automation. Enterprise SIEMs include built-in SOAR capabilities. Wazuh requires integrating separate tools (Shuffle, TheHive, n8n) to achieve comparable workflow automation.
5. Analyst UX at scale. At 500+ servers and complex multi-cloud environments, Splunk’s SPL query language and investigation interface remain more mature than Wazuh’s OpenSearch Dashboards.
Decision Framework
```mermaid
flowchart TD
A["Start: What is your environment?"] --> B{"Microsoft 365 / Azure as primary platform?"}
B --> |"Yes"| C["Consider Microsoft Sentinel first"]
B --> |"No"| D{"Do you have an in-house team to maintain SIEM?"}
D --> |"No team / small team"| E["Use managed SOC with Wazuh (MDR/SOC-as-a-service)"]
D --> |"1-2 security engineers"| F{"How many endpoints and servers?"}
F --> |"Under 100"| G["Self-hosted Wazuh is viable"]
F --> |"100–500"| H["Wazuh Cloud or LogRhythm mid-market"]
F --> |"500+"| I["Evaluate Splunk or QRadar for scale + support SLA"]
C --> J["Get Sentinel pricing with your M365 licensing rep"]
G --> K["Start with Wazuh, plan for managed SOC as you grow"]
H --> L["Compare TCO including staff time"]
I --> M["RFP process; get 3-year TCO comparison"]
```
What simpliSOC Uses and Why
simpliSOC runs a Wazuh-core stack for managed detection across client environments, extended with:
- Custom detection rules for OT/ICS environments, Thai-language application logs, and ERP systems common in Japanese-owned factories
- Automated alert triage via Shuffle SOAR
- Case management in TheHive with SLA-tracked response workflows
- PDPA-compliant log handling with on-premise data options for regulated clients
- 24/7 analyst coverage with Thai, Japanese, and English escalation paths
This approach gives clients enterprise-grade detection coverage at mid-market cost — with the data sovereignty control that a Sentinel or Splunk cloud deployment cannot offer for Thai PDPA or Japanese Act on Protection of Personal Information (APPI) requirements.
Want to see what simpliSOC would detect in your environment?
Book a free security assessment → hello@simplico.net
FAQ
Is Wazuh really free?
The software is open source and free to use. Running it effectively requires infrastructure, engineering time for tuning and maintenance, and integration with case management tools. Total cost of ownership for a 200-user environment typically runs $25,000–$45,000 per year when staffed correctly.
Can Wazuh replace Splunk?
For endpoint detection, file integrity monitoring, and rule-based threat detection, Wazuh covers much of what Splunk’s Security Premium does at far lower cost. For ML-based anomaly detection, mature UEBA, and complex multi-cloud correlation at scale, Splunk remains more capable.
What is the difference between Wazuh and a SIEM?
Wazuh is an open-source security platform that functions as a SIEM plus endpoint agent. Traditional commercial SIEMs are primarily log aggregation and correlation platforms that rely on separate endpoint agents (like Splunk UF or Sentinel’s MMA). Wazuh combines both in one stack.
Is Wazuh suitable for compliance (PCI DSS, ISO 27001, PDPA)?
Yes. Wazuh includes built-in compliance dashboards for PCI DSS, HIPAA, GDPR, NIST, and TSC. For Thai PDPA and ISO 27001, the file integrity monitoring, log retention, and access monitoring capabilities are directly applicable. Audit-ready report formatting may require customization compared to certified commercial products.
What is Microsoft Sentinel best for?
Microsoft Sentinel is the best choice for organizations where Microsoft 365, Azure AD, and Defender are the primary platforms. Its native connectors and Copilot for Security integration give it advantages in Microsoft-centric environments that Wazuh’s API-based integrations cannot fully replicate.
How long does Wazuh take to deploy?
A basic Wazuh deployment on 20–50 agents can be done in 1–2 days. A production deployment with tuned rules, integrations, and SOAR automation typically takes 2–4 weeks, followed by 4–6 weeks of rule tuning to reduce false positives to a manageable level.
Can Wazuh monitor cloud environments?
Yes. Wazuh supports AWS CloudTrail, AWS GuardDuty, Azure Activity Logs, and Google Cloud Audit Logs via API-based integration. Coverage depth is narrower than native cloud SIEMs (Sentinel for Azure, Security Hub for AWS), but sufficient for most mid-market environments.
Questions about SIEM selection or managed detection for your organization?
Talk to the simpliSOC team → hello@simplico.net