
SIEM Without Ingestion Fees: How to Stop Paying to Store Your Own Logs


Ask any security leader what they dislike most about their SIEM and the answer is rarely the detections. It is the bill. Specifically, it is the ingestion fee that climbs every time the business grows, every time a new log source comes online, and every time an auditor asks for longer retention. This article explains why ingestion-based pricing punishes the teams that use it well, what a SIEM without ingestion fees actually looks like, and how to evaluate the model for your own environment.

Why traditional SIEM pricing works against you

Most legacy SIEM platforms charge by data volume. You pay for the gigabytes you send in per day, or for the rate of events per second your sources generate. On the surface this sounds fair. In practice it creates a perverse incentive that quietly weakens your security posture.

Here is the problem. The whole purpose of a SIEM is visibility. You want to collect logs from as many relevant sources as possible so that nothing slips through unseen. But under ingestion-based pricing, every additional source raises your cost. Verbose cloud logs, chatty firewalls, and high-volume endpoint telemetry are some of the most useful data for detection, and they are also the most expensive to ingest.

So teams start making cuts. They sample logs instead of collecting all of them. They drop sources that feel less critical. They shorten retention to the bare minimum. Each of these decisions saves money and creates a blind spot at the same time. The pricing model has turned a security tool into a budgeting exercise, and security loses.

What "SIEM without ingestion fees" really means

A SIEM without ingestion fees removes the per-gigabyte toll on getting your data into the system. Instead of charging you to ingest and store data inside a proprietary backend, this model separates the cost of storage from the cost of the SIEM itself.

There are two pieces to understand.

The first is storage. In a no ingestion fee model, your security data is stored in a database that you own and operate, priced at normal cloud database rates rather than security software rates. You still pay to store data, because storage is never truly free, but you pay database economics instead of a markup measured in security vendor units.

The second is the SIEM. The detection, correlation, and investigation layer is priced on the value it delivers, not on the raw volume of bytes flowing through it. You are paying for intelligence and outcomes, not for the privilege of feeding the machine.

This is often described as a Bring Your Own Database, or BYODb, approach. The SIEM runs on top of your database rather than locking your data inside its own.

How the model works in practice

A SIEM without ingestion fees follows a straightforward flow.

Your logs are collected from across the environment and normalized into a common schema. Vigilense uses the Open Cybersecurity Schema Framework (OCSF) so that data from different tools is consistent and searchable.

The normalized data is written into a managed database that lives in your own cloud account. In many Vigilense deployments this is ClickHouse Cloud, chosen for its speed on large analytical workloads. Because the database is yours, you set retention and you control access.

Detection runs against that data in place. There is no duplicate copy sitting in a vendor silo racking up ingestion charges. Rules, correlation, and threat intelligence matching all execute against the data where it already lives.

When something fires, an AI SOC analyst investigates it. The system pulls context, traces the activity across sources, and hands your team a reasoned conclusion rather than a raw, unexplained alert.

The experience for the analyst is a full SIEM. The experience for the budget owner is a bill that does not balloon every time the company adds a data source.
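The normalize-then-detect flow described above, as an added example (not Vigilense's code): two constructed log formats are mapped to OCSF Authentication events (class_uid 3002), and one SQL rule runs over the shared table. The in-memory SQLite database stands in for the customer-owned store; the flattened column names and the identity-provider JSON format are assumptions made for illustration.

```python
import json
import re
import sqlite3
from datetime import datetime

# Constructed sample input: logon activity reported by two tools in two formats.
SSHD_LINES = [
    "2024-05-01T10:00:01+00:00 sshd[811]: Failed password for alice from 203.0.113.7 port 50122 ssh2",
    "2024-05-01T10:00:03+00:00 sshd[811]: Failed password for alice from 203.0.113.7 port 50124 ssh2",
    "2024-05-01T10:00:05+00:00 sshd[811]: Failed password for alice from 203.0.113.7 port 50126 ssh2",
    "2024-05-01T10:02:00+00:00 sshd[902]: Accepted password for bob from 198.51.100.4 port 40000 ssh2",
]
IDP_JSON = ['{"ts": 1714557615, "actor": "alice", "ip": "203.0.113.7", "result": "SUCCESS"}']
SSHD_RE = re.compile(
    r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port")
COLS = ("class_uid", "activity_id", "time", "status_id", "user_name", "src_ip", "product")

def ocsf_auth(time_ms, user, src_ip, success, product):
    """Flattened OCSF Authentication event: class 3002, activity 1 (Logon)."""
    return {"class_uid": 3002, "activity_id": 1, "time": time_ms,
            "status_id": 1 if success else 2,  # OCSF: 1 = Success, 2 = Failure
            "user_name": user, "src_ip": src_ip, "product": product}

def from_sshd(line):
    m = SSHD_RE.match(line)
    if not m:
        return None  # not a password authentication line
    ts, verdict, user, ip = m.groups()
    ms = int(datetime.fromisoformat(ts).timestamp() * 1000)  # OCSF time is epoch ms
    return ocsf_auth(ms, user, ip, verdict == "Accepted", "sshd")

def from_idp(raw):
    r = json.loads(raw)
    return ocsf_auth(r["ts"] * 1000, r["actor"], r["ip"], r["result"] == "SUCCESS", "idp")

def normalize_all():
    events = [from_sshd(l) for l in SSHD_LINES] + [from_idp(r) for r in IDP_JSON]
    return [e for e in events if e]

def detect(events, threshold=3):
    """Repeated failures followed by a success, correlated across sources."""
    db = sqlite3.connect(":memory:")  # stand-in for the database you own
    db.execute(f"CREATE TABLE auth ({', '.join(COLS)})")
    db.executemany(f"INSERT INTO auth VALUES ({', '.join(':' + c for c in COLS)})", events)
    return db.execute("""
        SELECT src_ip, user_name, SUM(status_id = 2), COUNT(DISTINCT product)
        FROM auth WHERE class_uid = 3002 GROUP BY src_ip, user_name
        HAVING SUM(status_id = 2) >= ?
           AND MAX(CASE WHEN status_id = 1 THEN time END)
             > MAX(CASE WHEN status_id = 2 THEN time END)""", (threshold,)).fetchall()
```

The rule only fires for alice because the failures come from one source and the success from another; without a shared schema those events would sit in separate tables with different field names.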

What you actually save

The savings show up in a few distinct places.

  • You stop paying ingestion markups. The single largest line item in many SIEM contracts simply goes away, replaced by cloud storage pricing that is typically a fraction of the cost.
  • You stop dropping data to save money. When full coverage no longer triggers a budget penalty, you can keep all of your relevant sources online. Better coverage means better detection, which is the entire reason you bought a SIEM.
  • You stop fearing retention requirements. Holding twelve or twenty-four months of logs for compliance becomes a storage decision rather than a contract renegotiation. Long retention at database prices is affordable in a way that long retention at SIEM ingestion prices rarely is.
  • You stop budgeting around your own growth. As the business scales and generates more data, your costs grow along a gentle storage curve instead of a steep ingestion curve.

What to watch for when evaluating a no ingestion fee SIEM

Not every claim of low cost holds up, so evaluate carefully.

Check where the data actually lives. A true no ingestion fee model stores data in a database you own. If the data still ends up in the vendor's proprietary store, the ingestion cost has usually just been renamed.

Check the detection quality. Cost savings mean nothing if detection suffers. Look for a mature detection engine, broad log source support, and an investigation layer that reduces analyst workload rather than adding to it.

Check the query experience. Your team should be able to work in query languages they already know. Vigilense supports SQL, SPL, KQL, PPL, and more, which shortens the learning curve considerably.

Check total cost of ownership, not just the headline. Add up storage, the SIEM license, and the operational effort. A good no ingestion fee SIEM wins on the full picture, not just on one line.

Common questions

If there are no ingestion fees, is storage free?

No. Storage is never free, but in this model you pay normal cloud database rates for it rather than a security vendor markup. The difference for high-volume data can be substantial.

Does removing ingestion fees reduce detection quality?

No. Detection quality comes from the rules and the investigation logic, not from where the data is billed. A well-built no ingestion fee SIEM delivers the same detection while changing how storage is priced.

Will this work for high data volumes?

Yes, and high volume is exactly where it helps most. The more data you generate, the more an ingestion-based model costs you, and the more a storage-based model saves you.

Is this just a discount, or a different architecture?

It is a different architecture. By decoupling storage from analytics and letting you own the database, the model changes the cost structure at its root rather than offering a temporary price break.

The bottom line

Ingestion fees have quietly shaped how security teams behave, pushing them to collect less, retain less, and see less, all in the name of controlling cost. A SIEM without ingestion fees flips that logic. By storing data in a database you own and pricing the SIEM on the intelligence it provides, the model lets you keep full visibility without the runaway bill.

If your current SIEM makes you choose between coverage and budget, that is a sign the pricing model, not your team, is the problem.

Vigilense AI is a SIEM with no ingestion fees and a built-in AI SOC analyst, built for mid-market security teams and MSSP partners who want complete visibility without volume-based pricing. See it run on your own data.

Bal Singh

Co-founder & CTO
15+ years designing and operating enterprise SOC infrastructure, leading SIEM architecture and automated detection pipelines.