Independent reference. Not affiliated with any vendor mentioned on this site.

Elastic Security SIEM pricing in 2026: self-managed vs cloud, and the true cost

Independent Elastic Security pricing reference. Open-source Basic tier vs paid subscriptions, Elastic Cloud resource-based pricing (not per-user), self-managed infrastructure and engineering costs, and where Elastic genuinely wins or loses against Splunk and Sentinel. Rates re-verified against the Elastic Cloud Hosted price list, June 2026.

Pricing model: Resource-based (compute + storage, not per-user)
Basic tier: Free (open-source SIEM core)
Platinum: From ~$131/mo (ML, cross-cluster search)
Engineer premium: $120K-$180K (Elastic experience scarce)

How much does Elastic Security SIEM cost in 2026?

Elastic Security has no single price because it does not license per user or per GB. The free, open-source Basic tier runs the core SIEM at $0 licence, self-managed, so you pay only for your own infrastructure and engineers. On Elastic Cloud Hosted the bill is resource-based (compute plus storage) with a subscription tier layered on top: Standard from ~$99/mo, Gold ~$114/mo, Platinum ~$131/mo (adds machine learning and cross-cluster search), and Enterprise ~$184/mo (adds Endpoint Security and SOAR). Those are starting rates for a small production cluster (roughly 120 GB storage across two zones) and scale with provisioned resources, not headcount. A 50 GB/day mid-market deployment lands near $240K-$320K all-in once infrastructure and the scarce Elastic engineering premium are counted; the licence line is the small part.

Tier rates verified against the Elastic Cloud Hosted price list, June 2026.

Subscription tier comparison

Basic: Free (self-managed)
Includes: Core SIEM rules, basic detections, ELK stack
Missing: Machine learning, advanced analytics, premium support

Standard: From ~$99/mo
Includes: Cloud entry tier: core Elastic Security on managed cloud, resource-based
Missing: Reporting, Watcher, third-party alerting actions (Gold+)

Gold: From ~$114/mo
Includes: Standard + reporting, Watcher, third-party alerting, multi-stack monitoring
Missing: ML, advanced security, cross-cluster

Platinum: From ~$131/mo
Includes: Gold + ML jobs, advanced security, cross-cluster
Missing: Endpoint integrations, advanced UEBA

Enterprise: From ~$184/mo
Includes: Platinum + Endpoint Security, SOAR, advanced UEBA
Missing: Bespoke MSSP features only

Elastic does not license by seat. The subscription tier is a feature gate applied on top of resource-based consumption (compute, memory, and storage), not a per-user charge. The figures above are Elastic Cloud Hosted starting rates for a small production configuration (roughly 120 GB storage across two zones); the bill scales with provisioned resources, not headcount. Gold is no longer sold to new self-managed customers. Source: elastic.co/pricing/cloud-hosted, June 2026.

The "free software, expensive people" reality

The Elastic Basic tier is genuinely free, but operating an Elasticsearch cluster at security-grade reliability is a specialised skill. Engineers who can tune shards, manage rollover policies, and debug cross-cluster replication command a 30-50 percent premium over generic SREs. Budget honestly.

Infrastructure

$15K-$50K per year for 50-200 GB/day clusters. Hot, warm, and cold tiers are required for cost-effective retention.

Engineering FTE

$120K-$180K per year for an engineer who can run Elasticsearch competently. 20-30 percent of their time goes to cluster ops alone.

Detection content

Open-source rule sets exist but lag commercial vendors. Plan for a detection engineering function, not just a SIEM operator.

Real-world Elastic cost scenarios

| Scenario | Profile | Licence | Total TCO | Notes |
|---|---|---|---|---|
| Startup | 5 GB/day, Basic + self-hosted | $0 licence | $45K-$70K | Single engineer maintains, infra ~$8K-$15K |
| Mid-market cloud | 50 GB/day, Elastic Cloud Platinum, hot-warm cluster | $85K-$110K/yr | $240K-$320K | Resource-based; provisioned compute and storage drive cost |
| Mid-market self-managed | 50 GB/day, Platinum subscription, on-prem cluster | $70K-$95K/yr | $310K-$420K | Engineer salary premium dominates |
| Enterprise | 200 GB/day, Elastic Cloud Enterprise, multi-tier | $280K-$400K/yr | $760K-$1.1M | Full Endpoint Security included |
| Open-source heavy | 200 GB/day, Basic only, 2 dedicated engineers | $0 licence | $520K-$680K | Engineering, infra, opportunity cost |

FAQ

Common questions

Is Elastic SIEM free?

Elastic Security ships in tiers. The Basic (open-source) tier is free and includes core SIEM detection rules, the Elastic Common Schema, basic Kibana, and the underlying Elasticsearch and Logstash. Gold, Platinum, and Enterprise are paid subscription tiers that unlock progressively more capability: Gold adds Kibana spaces and alerting, Platinum adds machine learning jobs and cross-cluster search, and Enterprise adds Endpoint Security and SOAR. These tiers are not licensed per user. On Elastic Cloud Hosted they are a feature gate applied on top of resource-based consumption (compute, memory, storage), with starting rates of roughly $114, $131, and $184 per month for a small production configuration that scales with provisioned resources. The free tier is genuinely usable for SIEM but lacks ML-driven detections and the integrated endpoint agent.

How does Elastic Cloud pricing actually work?

Elastic Cloud uses resource-based pricing: you pay for compute (CPU and memory) and storage rather than ingest. A typical mid-market security deployment provisions 4-8 hot data nodes plus warm and cold tiers. Pricing is consumption-based and varies by region; expect roughly $0.50 to $1.10 per GB ingested as an effective rate once compute and storage are amortised, with the subscription tier (Gold, Platinum, or Enterprise) applied as a feature-access uplift rather than a per-user charge. Resource-based pricing penalises spiky workloads less than per-GB models but rewards careful capacity planning.

What is the true cost of self-managed Elastic Security?

Self-managed Elastic appears cheap on the licence line and expensive everywhere else. Expect $15,000 to $50,000 per year in infrastructure for a mid-market deployment, plus a dedicated Elastic engineer at $120,000 to $180,000 per year (Elastic experience commands a premium). Add 20-30 percent of that engineer's time on cluster maintenance, version upgrades, and capacity planning. The real total is typically $200,000 to $300,000 annually for a 50 GB-per-day deployment, comparable to Sentinel or Sumo Logic.

Elastic Cloud vs self-managed: which is cheaper?

For most organisations under 200 GB per day, Elastic Cloud wins on TCO because the infrastructure operations burden vanishes. Self-managed wins where you already have an Elasticsearch practice (data engineering, observability, search), where data residency requirements demand on-prem, or above 500 GB per day where amortised hardware beats consumption pricing. The break-even is rarely about the licence line; it is about whether you have or want to build operational capability around the cluster.

How does Elastic Security compare to Splunk on cost?

At 50 GB per day with equivalent capability (Elastic Platinum vs Splunk Cloud with Enterprise Security), Elastic typically lands 30-50 percent below Splunk on total cost. The trade-off is detection content and search ergonomics: Splunk's premium app ecosystem (ES, ITSI, premium content packs) is mature, while Elastic relies more heavily on community detection rules and your team's ability to write KQL or Lucene queries. For organisations that value Splunk's analyst experience, the premium is justified; for cost-conscious teams with engineering capacity, Elastic wins.

Updated 2 May 2026