Obsidian Ridge

Managed SIEM

Audit-ready logs. Plain-English summary. No console for your team to learn.

A SIEM that nobody reads is a compliance bill, not a security control. We run a right-sized Security Information & Event Management platform for your environment, tune the alerts so they mean something, retain 90 days of searchable logs, and export audit-ready evidence when HIPAA, SOC 2, PCI DSS, or CMMC asks. Managed SIEM lives in our Complete tier, from $55 per user per month.

Definition

What is managed SIEM?

SIEM stands for Security Information & Event Management — software that collects security logs from every tool in your environment, retains them, and surfaces patterns a human should investigate. Managed SIEM means the platform is operated for you: a practitioner connects the log sources, tunes the detections, reviews the alerts, retains the data, and produces evidence on demand. You see a monthly summary, not a console.

Source: NIST SP 800-92, Guide to Computer Security Log Management. csrc.nist.gov/pubs/sp/800/92/final

TL;DR

What you get, what it costs, and when it pays for itself

We connect your firewall, endpoint agents, identity provider, Microsoft 365 audit logs, cloud accounts, DNS filtering, MFA platform, and mail security to a SIEM we operate. Detections are tuned to your environment. Logs are searchable for 90 days.

When an auditor, insurer, or client asks for evidence, we export the package in a format they accept — mapped to HIPAA 164.312(b), SOC 2 CC7, PCI DSS Requirement 10, or your CMMC AU controls.

Pricing starts at $55 per user per month with log sources scoped on top. We do not promise unlimited ingestion, because nobody who has run a SIEM honestly does.

What's included

Everything that goes into managed SIEM

Log source onboarding

We connect your firewall, endpoint agents, identity provider (Entra ID or Google Workspace), Microsoft 365 audit logs, cloud accounts (AWS, Azure), DNS filtering, MFA platform, and mail security to the SIEM. Onboarding is scoped — we tell you which sources matter for your compliance posture and which are noise.

Alert tuning, not alert dumping

A SIEM that forwards every event to your inbox is worse than no SIEM. We tune detection rules to your environment, suppress known-good noise, and only surface alerts a human should act on. Tuning continues for the life of the engagement.

90-day searchable retention

Security logs are stored for 90 days in a searchable index. Older records can be archived for longer compliance windows when your framework requires it — HIPAA, for example, expects six years of documentation retention for related policies and procedures.

Audit-evidence export

When an auditor asks for proof, we export the evidence package in a format they accept: access logs, authentication events, firewall rule changes, privileged-account activity, and exception reports. Mapped to the control your auditor is testing.

Monthly executive summary

One page, plain English: what we watched, what we investigated, what was tuned, what needs a decision from you. Built for a leadership team that has fifteen minutes, not for a security analyst who has all day.

Platform-agnostic delivery

We don't sell you one SIEM vendor. We choose what fits your environment — Microsoft Sentinel for M365-heavy clients, Wazuh where cost matters most, Blumira for plug-and-play, or another platform if your stack demands it. You own the configuration; we operate it.

Log sources & what they prove

A log is only useful if it answers an auditor's question

Below is the short version of what we typically ingest, what each source proves, and which control most auditors will map it to. The full integration list lives on the integrations page.

Log source | What it proves | Common control mapping
--- | --- | ---
Firewall / edge | Traffic blocks, rule changes, VPN access | PCI DSS 4.0 Req 10.2 / 10.5
Endpoint (EDR) | Process execution, isolation events, malware containment | HIPAA 164.312(b) audit controls
Identity (Entra ID / Workspace) | Sign-ins, MFA prompts, conditional access, role changes | SOC 2 CC6.1 / CC7.2
Cloud (M365, AWS, Azure) | Admin actions, data access, configuration changes | SOC 2 CC7.2 / CC7.3
DNS filtering | Blocked domains, policy bypass attempts | NIST 800-53 SC-7 / AC-4 (inferred)
Mail security | Quarantined messages, impersonation attempts | HIPAA 164.308(a)(1)(ii)(D)

Mappings are practitioner-level shorthand and are not a substitute for your auditor's interpretation. Sources cited: PCI DSS v4.0 Requirement 10, HIPAA Security Rule 164.312(b), and AICPA Trust Services Criteria (CC6, CC7).

Compare honestly

DIY syslog server vs. cloud SIEM tier vs. managed SIEM service

Three legitimate ways to handle security logs at SMB scale. Which one is right depends on how many hours per week your IT lead has, and how soon someone will ask for evidence.

Question | DIY syslog / open-source | Cloud SIEM, self-served | Managed SIEM service
--- | --- | --- | ---
Up-front cost | Free server, your time | Per-GB ingestion, often surprising | Per-user base + scoped log sources
Who tunes alerts | You, weekends | You, in the vendor console | We tune; you read the summary
Audit-evidence export | Build it yourself | Possible — if you wrote the queries | Built and mapped to the control
Retention policy | Whatever the disk holds | Tiered, easy to misconfigure | 90 days searchable, archive on request
Honest fit | One IT lead, no compliance | In-house security analyst | SMB or lean team with audits incoming

Most lean teams land on managed SIEM because DIY assumes hours nobody has, and a self-served cloud SIEM assumes an analyst who can write the queries. Managed SIEM is the middle path: real coverage, plain language, a practitioner who picks up the phone.

Compliance posture

Frameworks this service maps to

  • HIPAA — audit controls under 45 CFR 164.312(b), security management process under 164.308(a)(1)(ii)(D), and documentation retention under 164.316(b)(2).
  • SOC 2 Type II — AICPA Trust Services Criteria CC7.2 (system monitoring) and CC7.3 (security event evaluation). Evidence packages are formatted for the auditor.
  • PCI DSS 4.0 — Requirement 10 (log and monitor all access), including 10.2 (audit log events), 10.5 (protect audit logs), and 10.7 (log retention).
  • CMMC 2.0 — AU family practices (audit and accountability) for organizations handling CUI under DoD contracts.
  • NIST SP 800-92 aligned — log generation, transmission, storage, analysis, and disposal follow federal log-management guidance.

Sources: HHS HIPAA Security Rule, AICPA SOC 2 Trust Services Criteria, PCI Security Standards Council, DoD CIO CMMC, NIST SP 800-92.

What the log view looks like

An auditor's question, answered from one screen

A simplified view of the kind of correlated record we keep on hand — an identity event tied to the device it ran on, the network destination, and the response action.

security-events · last 5 minutes · 4 correlated

TIME    SOURCE      EVENT            USER / HOST    ACTION
02:14   entra-id    risky_signin     j.doe@acme     FLAGGED
02:14   edr         process_exec     LAPTOP-07      OBSERVED
02:15   firewall    outbound_block   LAPTOP-07      BLOCKED
02:16   edr         host_isolated    LAPTOP-07      CONTAINED

CORRELATION: identity risk → endpoint exec → network block → isolation
Exported to evidence package · mapped to SOC 2 CC7.3 / HIPAA 164.312(b)

Real consoles look more crowded than this. The point of managed SIEM is that you do not have to look at one — we do, and we export the picture above when an auditor or insurer asks for it.
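The chain in the view above is a sequence correlation: events from different sources are normalised to shared fields, grouped by host, and only reported when every stage arrives in order inside a short window. The following is an added illustration written for this page, not the platform's or the provider's own code; the event records, the five-minute window, and the field names are constructed to match the sample view.

```python
from collections import defaultdict

# Constructed sample events modelled on the view above; not real telemetry.
# A SIEM normalises every source to a few shared fields: time, source, event, user, host.
EVENTS = [
    {"time": "02:14", "source": "entra-id", "event": "risky_signin", "user": "j.doe@acme", "host": "LAPTOP-07"},
    {"time": "02:14", "source": "edr", "event": "process_exec", "user": None, "host": "LAPTOP-07"},
    {"time": "02:15", "source": "firewall", "event": "outbound_block", "user": None, "host": "LAPTOP-07"},
    {"time": "02:16", "source": "edr", "event": "host_isolated", "user": None, "host": "LAPTOP-07"},
    {"time": "02:40", "source": "edr", "event": "process_exec", "user": None, "host": "DESKTOP-03"},
    {"time": "03:30", "source": "firewall", "event": "outbound_block", "user": None, "host": "DESKTOP-03"},
]

# Stage order of the chain the view shows: identity risk -> endpoint exec -> network block -> isolation.
CHAIN = ["risky_signin", "process_exec", "outbound_block", "host_isolated"]

# Practitioner shorthand for the controls the exported record is mapped to, as labelled on the page.
CONTROLS = ["SOC 2 CC7.3", "HIPAA 164.312(b)"]


def _minutes(hhmm):
    """'HH:MM' -> minutes since midnight, so the window check is plain arithmetic."""
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def correlate(events, window_minutes=5):
    """Return one evidence record per host that completes CHAIN in order within
    window_minutes of its first stage. Partial or out-of-window chains yield nothing."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: _minutes(e["time"])):
        by_host[ev["host"]].append(ev)
    records = []
    for host, evs in by_host.items():
        stage, first, user, seen = 0, None, None, []
        for ev in evs:
            if ev["event"] != CHAIN[stage]:
                continue  # unrelated event on this host; keep waiting for the next stage
            if first is None:
                first = ev
            elif _minutes(ev["time"]) - _minutes(first["time"]) > window_minutes:
                break  # chain stalled outside the window: no record, rather than a partial picture
            user = user or ev["user"]  # the identity stage is the only source that names a user
            seen.append(ev["source"] + ":" + ev["event"])
            stage += 1
            if stage == len(CHAIN):
                records.append({"host": host, "user": user, "chain": seen,
                                "window": (first["time"], ev["time"]), "controls": CONTROLS})
                break
    return records
```

DESKTOP-03 never produces a record because its events do not start with the identity stage, which is the kind of partial picture tuning is meant to keep out of the monthly summary.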

Pricing

Managed SIEM lives in the Complete tier

Foundation and Protected are real tiers worth comparing — but managed SIEM is only included at Complete. Log sources are priced separately because ingestion volume varies. We do not promise unlimited ingestion.

Prices in USD · per agent or per user

Tier 01 · Foundation

Foundation

$15/ agent / mo

Month-to-month · no minimum

EDR-only coverage. Endpoint activity is watched 24/7, but logs from your firewall, identity, cloud, and other tools are not collected or retained here.

What's included

  • Endpoint detection and response only. MDR / EDR: this tier covers the endpoint agent and SOC triage. It does not include managed SIEM, log aggregation, or audit-evidence export.
  • Not the right tier if you need audit logs. Out of scope: if HIPAA, SOC 2, PCI DSS, or CMMC retention requirements apply to you, start at Complete instead.

Replaces or complements

  • Antivirus subscriptions with no human review behind them
  • Endpoint-only protection that ignores identity and cloud activity
Cyber insurance baseline · SOC 2 readiness · HIPAA Security Rule

Tier 02 · Protected

Protected

$32/ user / mo

Annual term · billed monthly

Adds identity threat detection and security awareness training. Strong baseline for most teams — but managed SIEM is not included yet. Upgrade to Complete for centralized logging.

What's included

  • Identity threat detection on top of EDR. ITDR: Microsoft 365, Entra ID, and Google Workspace accounts are watched for break-in attempts and identity-based attacks.
  • Security awareness training. SAT: short lessons and realistic phishing simulations help staff recognize common attacks before they become incidents.
  • Managed SIEM is not in this tier. Upgrade needed: Protected does not include centralized log retention or audit-evidence export. Add managed SIEM by moving to Complete.

Replaces or complements

  • Standalone phishing-training tools nobody reviews
  • Endpoint-only coverage with no identity monitoring
Cyber insurance baseline · SOC 2 readiness · HIPAA · add-on

Replaces or complements

What managed SIEM displaces

  • Standalone log-aggregation tools (Splunk Free tier, Datadog logs, a self-run Graylog) that nobody on your team has time to query.
  • Compliance audits where evidence gets assembled in a panic the week before the QSA or 3PAO arrives.
  • Asking the IT generalist to know what every firewall log line, Entra sign-in code, and M365 audit event actually means.
  • The recurring expectation that someone will “just look at the logs” when something feels off — and the recurring discovery that nobody did.

What it does not replace: enterprise SIEM deployments like Splunk Enterprise or Elastic running with a dedicated detection-engineering team. If that is where you are, you do not need us — and we will tell you on the triage call.

Honest fit check

Who this is not for

Managed SIEM is the right fit for small and lean teams who feel real compliance weight or who have already been burned by an incident with no logs to investigate. It is not the right fit if:

  • You have no compliance obligation, no audit on the horizon, and no insurer asking about retention. Start at Foundation or Protected.
  • You already run a tuned Splunk Enterprise or Elastic stack with a security team. You do not need a managed service; you need staffing.
  • You want unlimited log ingestion at a flat fee. Anyone who promises that has not paid the bill yet.
  • You want a dashboard your team will log in to every morning. We deliver a written summary on purpose — consoles get ignored.

If any of those describe you, we tell you on the triage call. We tell you when you don't need us.

What happens after you reach out

From first call to first evidence export

01

Free 20-minute triage

A direct call with the practitioner. We confirm your compliance posture, the log sources that actually matter, and whether managed SIEM is the right next step. If Foundation or Protected covers you, we say that.

02

30-minute briefing & written proposal

Within one business day after the briefing you get a fixed-fee proposal: per-user Complete pricing, per-source line items, retention scope, and timeline. No metered surprises in the contract.

03

Onboarding (2–4 weeks)

Log source connectors, detection tuning to your environment, alert routing, and the first audit-evidence template. We sequence sources by compliance priority so the most important records are flowing first.

04

Monthly summary & on-demand evidence

A one-page executive summary at the end of each month. Audit-evidence exports whenever you (or your auditor) ask. Quarterly tabletop in the Complete tier so the first time you use the runbook is not during a real incident.

FAQ

Questions that come up before signing

Do I need a SIEM if I'm not regulated?

Probably not — and we will tell you that on the triage call. A SIEM earns its keep when you have to prove what happened to an outsider: an auditor, an insurer, a client doing diligence, or your own board after an incident. If none of those apply, Foundation or Protected covers most small businesses well. The most common SMB triggers for adding managed SIEM are an upcoming SOC 2 Type II, a HIPAA covered-entity relationship, PCI DSS scope, a CMMC contract, or a cyber-insurance renewal asking for centralized log retention.

How is managed SIEM different from MDR?

MDR watches your endpoints (and, with our Protected tier, identity) and responds when something is wrong. Managed SIEM collects logs from every other security tool you run — firewall, cloud, DNS, mail security — into one searchable place, retains them, and produces evidence on demand. MDR is about response. SIEM is about visibility and proof. Most teams need both, which is why managed SIEM is bundled into our Complete tier rather than sold as a standalone.

How long do I have to keep security logs for HIPAA?

HIPAA's Security Rule does not name a specific retention period for audit logs themselves — it requires covered entities to implement audit controls under 164.312(b) and retain documentation of related policies, procedures, and actions for six years under 164.316(b)(2). In practice, most HIPAA-aligned programs retain searchable security logs for at least one year and archive longer for incident-related evidence. We default to 90 days searchable and extend archive retention when your specific compliance posture asks for it. Source: HHS Security Rule, 45 CFR 164.312(b) and 164.316(b)(2). https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/

Will this replace my existing log forwarder or syslog server?

Usually yes for the security-relevant sources. If you already run a general-purpose log aggregator (Graylog, ELK, a syslog box), we can either ingest from it as an upstream source or replace it for the security use case — your choice. We do not try to be your application performance monitoring tool. The scope is security logs that support investigation, detection, and audit evidence. Your dev team's app logs can stay where they are.

What does the monthly executive summary look like?

One page. Top of the page: what we watched (sources online, ingestion volume, retention status). Middle: what we investigated, including any alerts that became incidents, and what we tuned to reduce future noise. Bottom: items that need a decision from leadership — a policy gap, a vendor question, an account that should be deprovisioned. It is meant to be read in five minutes by a non-technical owner or director. Auditors get a different export, formatted for control evidence.

How much does this cost?

Managed SIEM lives inside our Complete tier, which starts at $55 per user per month. On top of that, log sources are scoped separately because ingestion volume varies wildly between a 20-person law firm and a 200-person clinic — we do not promise unlimited ingestion. After the briefing, you get a fixed proposal with the base per-user fee plus a per-source line for what you actually connect. No metered surprises mid-month.

Which SIEM platform do you use?

We are platform-agnostic and choose what fits your environment. Microsoft Sentinel for organizations already centered on Microsoft 365 and Entra ID, because the native connectors and KQL tooling cut onboarding time. Wazuh where cost matters most and you want an open-source-based stack. Blumira when plug-and-play onboarding and out-of-the-box detections outweigh deep customization. We will tell you which platform we recommend on the briefing call and why, and you own the configuration so you are never locked in.

Does this cover PCI DSS Requirement 10?

It covers the parts most SMB merchants struggle with: centralized log collection across the in-scope components, daily review (we do the review), and retention. PCI DSS 4.0 Requirement 10 asks for logs that record user activity, administrator activity, access to cardholder data, and changes to identification and authentication mechanisms — all of which are in scope for the log sources we ingest. We do not perform your formal PCI audit; we produce evidence the QSA will accept. Source: PCI DSS v4.0 Requirement 10. https://www.pcisecuritystandards.org/document_library/

Next step

Stop building audit evidence from screenshots.

Briefings are free and we tell you when you don't need us. 30 minutes, real answers, no follow-up sales sequence.
