The list price of a SIEM tells you almost nothing about what it will actually cost. Cloud and on-premise SIEMs have fundamentally different cost structures, and the model that looks cheaper at the pilot stage is often far more expensive in production. This guide breaks down the real total cost of ownership of each.
Cloud SIEM is an operating expense priced primarily on data volume — you pay per GB ingested and stored, monthly, forever. On-premise SIEM is a flat or capacity-based licence plus your own hardware and operational effort. The crucial difference: cloud cost scales with your data volume, while on-premise cost scales with infrastructure you control and own.
The defining cost of a cloud SIEM is per-GB ingestion pricing, and its effect is worse than the headline rate suggests. As your environment grows, your bill grows with it. Worse, this model actively discourages good security: teams reduce what they log to control costs, deliberately creating the visibility gaps attackers exploit.
The crossover point
At low data volumes, cloud is genuinely cheaper — no hardware, no ops. But there is a crossover point, often reached surprisingly early in production, beyond which the cumulative ingestion-and-storage bill exceeds the all-in cost of self-hosting. The higher your log volume and the longer your retention, the more decisively on-premise wins.
On-premise is not free, just structured differently: hardware (a one-time CapEx for servers with fast SSD storage — a depreciating asset you own); a flat or capacity-based licence that is predictable year over year; and operational effort for deployment and tuning. That last concern is far smaller than it used to be — nPro deploys in five minutes and runs on ClickHouse, which needs far less tuning than a traditional ELK stack. See our Ubuntu deployment guide.
Consider an organisation ingesting 50 GB of logs per day with 12-month retention. On a cloud SIEM priced per GB, ingestion alone runs into hundreds of thousands of dollars annually, storage adds more, and both rise every year as data grows. On a self-hosted deployment, the same workload needs a server with fast SSD storage (a one-time cost in the low tens of thousands) plus a flat annual licence, with no penalty for data growth. Over three years, the cumulative difference is typically very large in favour of on-premise. Cloud is cheaper to start; on-premise is cheaper to scale.
Choose cloud if your data volume is low and stable, you have no residency constraints, and you have no in-house ops capacity. Choose on-premise if your volume is significant or growing, you have compliance or sovereignty requirements, you need long retention, or you want predictable costs that do not punish you for logging more. For most growing SEA organisations, data-residency pressure plus rising log volumes make on-premise the stronger long-term choice.
nPro is self-hosted with flat licensing — log everything without watching the meter.