IBM QRadar Cost 2026: EPS Pricing, On-Prem vs Cloud

QRadar prices on events-per-second (EPS) rather than GB ingested, which changes how you model TCO against Splunk and Sentinel. Here is the full picture including Cloud Pak for Security bundling and the on-prem vs BYOC vs SaaS trade-off.

Quick Answer

QRadar starts around $10K-$25K/year for sub-2,500 EPS deployments, scaling to $500K-$2M+ at enterprise 50,000+ EPS scale.

$10K - $25K

Entry (under 2,500 EPS)

$80K - $250K

Mid-market (5K-15K EPS)

$500K - $2M+

Enterprise (50K+ EPS)

EPS-to-GB conversion math

QRadar's events-per-second pricing measures the rate of log records processed, not the data volume. To compare QRadar to GB-based SIEMs (Splunk, Sentinel, Elastic), use this approximation:

Short syslog / firewall logs (200-500 bytes): ~200-300 EPS per GB/day
Web proxy / DNS logs (500-1,000 bytes): ~120-200 EPS per GB/day
Windows Event Logs / Sysmon (1,000-2,000 bytes): ~80-150 EPS per GB/day
Cloud audit logs (2,000-4,000 bytes): ~40-80 EPS per GB/day

Worked example: a SOC ingesting 50 GB/day of Windows Event Logs at 100 EPS/GB equals 5,000 EPS sustained. At QRadar mid-market pricing this lands in the $80K-$150K/year range. The same 50 GB/day on Splunk ingest-based at $150/GB would be ~$2.7M annually at list, on Sentinel at $5.22/GB consumption ~$95K (or much less if a significant share is free M365 logs). EPS-vs-GB pricing creates very different rank ordering depending on log mix.

Deployment model comparison

Deployment	License premium	FTE burden	Best fit
On-premises	Baseline	High (full appliance / VM operations)	Regulated, data-residency-constrained
BYOC (AWS / Azure / IBM Cloud)	+5-10%	Medium (cloud infra + QRadar ops)	Cloud-native SOC keeping data in own account
QRadar on Cloud (SaaS)	+20-30%	Low (IBM manages infrastructure)	Mid-market wanting minimal infra burden
Cloud Pak for Security bundle	Bundle discount	Medium (bundled XDR / SOAR / EDR ops)	Multi-IBM-product SOC consolidating spend

When QRadar is the right call

QRadar wins when

Existing IBM enterprise relationship and EA discount
High-event-rate, low-byte log mix where EPS pricing beats per-GB
Regulated industry (finance, healthcare, government) wanting QRadar's compliance-feature depth
Multi-product Cloud Pak for Security consolidation (SIEM + SOAR + EDR bundle)
Existing QRadar-skill team where re-platforming cost is significant

Look elsewhere when

Microsoft-shop estate where Sentinel free M365 ingestion is structurally cheaper
Cloud-native AWS or GCP estate where Datadog Cloud SIEM integrates more naturally
High-byte verbose log mix where per-GB pricing models beat EPS
SMB scale where QRadar entry pricing carries IBM enterprise-vendor overhead
SOC team without QRadar skills facing 6-12 month onboarding curve

Related cost references

SIEM Cost Comparison

All vendors

Splunk Cost

$150+/GB ingest

Microsoft Sentinel Cost

$5.22/GB consumption

SOC Cost Calculator

Full TCO model

Frequently Asked Questions

How much does IBM QRadar cost?

QRadar is priced on events-per-second (EPS) rather than GB ingested, which makes direct apples-to-apples comparison with Splunk and Sentinel harder. Entry-level QRadar SIEM starts around $10K-$25K/year for low-EPS deployments (sub-2,500 EPS). Mid-market deployments at 5,000-15,000 EPS typically land at $80K-$250K/year. Large enterprise deployments at 50,000+ EPS reach $500K-$2M+ annually. EPS-to-GB conversion is roughly 100-300 EPS per GB/day depending on log type and verbosity.

What is QRadar EPS pricing and how does it compare to GB-based pricing?

EPS (events per second) pricing meters the rate of log records processed rather than the data volume ingested. A typical event is 200-500 bytes, so 1 EPS sustained equals ~17-43 MB/day. The conversion to GB/day depends on log verbosity: short syslog records 200-300 EPS/GB; verbose Windows Event Logs or proxy logs 80-150 EPS/GB. SOCs comparing QRadar to Splunk (per-GB) or Sentinel (per-GB) need to do this conversion before TCO modelling. EPS pricing benefits SOCs ingesting high-event-rate but low-byte-volume logs; GB pricing benefits SOCs ingesting low-rate but verbose logs.

What is IBM Cloud Pak for Security and does it change QRadar pricing?

Cloud Pak for Security bundles QRadar SIEM with IBM's wider security portfolio: QRadar XDR (formerly QRadar SOAR / Resilient), QRadar EDR (formerly ReaQta), data security (Guardium), and threat intelligence (X-Force). Pricing moves to a consumption metric called CP4S Capacity Units (CPUs) that abstracts across the bundle. Cloud Pak for Security typically delivers 20-30 percent better TCO than buying QRadar SIEM, SOAR, and EDR separately, but only if the SOC actually uses the bundled components. For SIEM-only deployments, standalone QRadar remains the cleaner buy.

Should I deploy QRadar on-premises or on cloud?

QRadar can be deployed on-premises (customer-managed appliances or VMs), in customer cloud accounts (BYOC on AWS, Azure, or IBM Cloud), or as IBM QRadar on Cloud (fully-managed SaaS). On-prem suits regulated industries with data-residency requirements that exclude SaaS. BYOC suits cloud-native SOCs wanting QRadar but on their own AWS / Azure account. QRadar on Cloud removes operational burden but typically prices 20-30 percent above the equivalent BYOC deployment. For new QRadar buyers in 2026, QRadar on Cloud or BYOC is the typical recommendation; on-prem is reserved for regulated or data-residency-constrained estates.

What is the total cost of ownership of QRadar including FTE time?

QRadar licensing is typically 55-70 percent of total QRadar TCO. The rest is QRadar-engineer FTE time: log source onboarding (QRadar DSM / Universal DSM development), rule and offense tuning to keep false-positive rate manageable, version upgrades (QRadar major versions are significant operational work), and capacity / EPS planning. Mid-market SOCs typically need 0.5-1.5 FTE of dedicated QRadar operations; large enterprise SOCs need 3-6 FTEs in a QRadar engineering team. At $130K-$160K blended cost per QRadar engineer, that adds $65K-$960K of FTE on top of license cost.

QRadar pricing references cite IBM public product pages and IBM Cloud Pak for Security documentation. Tier bands triangulated from customer write-ups on G2 / TrustRadius. No per-customer EA-discounted pricing cited. SecurityOperationsCost.com has no commercial relationship with IBM.