SIEM platform and SOC build: a structured decision guide
SIEM and SOC decisions are too often run as a tool purchase and too rarely as a strategic architecture decision. The right structure separates three questions: which logs must be captured (scope)? Which analytics platform aggregates and alerts (SIEM)? Who responds 24/7 (SOC)? Each question has its own dealbreakers and stakeholders. Bundling them buys too much licence and too little response capability.
TL;DR
SIEM, SOC operations and log scope are three decisions, not one.
Who owns this decision
CISO as decision owner, SOC lead, IT operations, network lead, Data Protection Officer and CFO as co-decision-makers.
Key criteria to weight
Log scope and ingest volume
Identity, endpoint, perimeter, cloud, application. The realistic daily volume (GB/day) drives 40%+ of TCO.
Detection-engineering depth
Custom use cases vs. out-of-the-box rules. Anyone who does not build detections in-house pays for MSSP capability or lives with gaps.
Operating model: in-house, MSSP, MDR, hybrid
Cost structure, control, response time and liability differ fundamentally. The decision is not reversible without migration pain.
Integration depth with EDR and IAM
SIEM without deep EDR and identity integration is log aggregation, not threat detection. Check interfaces before licence.
Compliance evidence (NIS2, DORA, ISO 27001)
Log retention, access logging, incident-reporting data. Regulatory expectations drive the minimum architecture.
3-year TCO including staff
Licence is a fraction. Ingest/storage costs, 6 to 8 FTE for an internal SOC, tuning and use-case engineering dominate.
Step-by-step decision flow
1. Define log scope: which sources are mandatory (NIS2 Art. 21, ISO 27001 A.8.15)? Which do we want (MDR/hunting)? Scope is a dealbreaker for platform choice.
2. Decide the operating model: internal SOC, MSSP, MDR bundle or hybrid. Decide this before the platform, because it determines architecture and licence type.
3. Plan the use-case library: MITRE ATT&CK based. Which tactics matter for your threat profile? Use cases are the value of the SOC, not the platform.
4. SIEM shortlist and PoC: test 3 to 4 platforms with real logs, measure ingest costs realistically, validate dashboards against real use cases.
5. Check integration and exit: EDR feed, IAM, ITSM, SOAR, cloud audit. Plus: data export, API breadth, migration to another platform. DORA Art. 28 expects an exit path.
6. Score, document, decide: weighted scoring, evidence per cell, residual risks from log gaps documented. The decision memo becomes the entry document for NIS2 evidence.
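As an added example (not code from the page or from DecisionOS), the scoring logic of step 6 in Python: the weights are the six criteria from the memo excerpt below, options are gated on dealbreaker criteria before their total counts, and a cell without evidence scores zero. The 1-to-5 scores, evidence strings and dealbreaker thresholds are constructed for illustration.

```python
from dataclasses import dataclass

# Criteria and weights from the memo excerpt on this page (they sum to 100).
WEIGHTS = {"eu_hosting": 20, "ingest_cost": 20, "mssp_dach_24x7": 15,
           "detection_depth": 15, "edr_integration": 15, "compliance_mapping": 15}
# Dealbreaker gates: the minimum score (1..5) a criterion must reach, otherwise
# the option is out whatever its total. These thresholds are assumptions.
DEALBREAKERS = {"eu_hosting": 3, "ingest_cost": 2}


@dataclass(frozen=True)
class Cell:
    score: int     # 1..5
    evidence: str  # PoC measurement, vendor document or contract clause


def score_option(cells: dict) -> dict:
    """Weighted total (0..100), failed gates and cells that lack evidence.
    An unevidenced cell counts as 0 so that an opinion cannot lift the total."""
    if sum(WEIGHTS.values()) != 100:
        raise ValueError("weights must sum to 100")
    if set(cells) != set(WEIGHTS):
        raise ValueError(f"criteria mismatch: {set(cells) ^ set(WEIGHTS)}")
    total, failed, no_evidence = 0.0, [], []
    for crit, weight in WEIGHTS.items():
        cell = cells[crit]
        if not 1 <= cell.score <= 5:
            raise ValueError(f"{crit}: score {cell.score} outside 1..5")
        if not cell.evidence.strip():
            no_evidence.append(crit)
        effective = 0 if crit in no_evidence else cell.score
        if effective < DEALBREAKERS.get(crit, 0):
            failed.append(crit)  # gate failed: option disqualified
        total += weight * effective / 5
    return {"total": round(total, 1), "failed": failed,
            "no_evidence": no_evidence, "eligible": not failed}


def cells(*pairs) -> dict:
    """Build one option's row from (score, evidence) pairs in WEIGHTS order."""
    return dict(zip(WEIGHTS, (Cell(s, e) for s, e in pairs)))


# Constructed scores for the memo's shortlist (illustration, not the real assessment).
SHORTLIST = {
    "Sentinel + DACH MSSP": cells((4, "EU regions per vendor doc"), (3, "PoC: 40 GB/day"),
        (5, "MSSP offer with 24/7 SLA"), (3, "PoC rule set"), (4, "Sophos connector tested"), (4, "mapping sheet")),
    "LogPoint SaaS + own L1": cells((5, "EU-only hosting"), (4, "node quote"),
        (2, "no 24/7 DACH MSSP found"), (3, "PoC rule set"), (3, "Sophos via syslog"), (4, "mapping sheet")),
    "Splunk Cloud + SOAR": cells((4, "EU region"), (1, "PoC ingest above cost threshold"),
        (5, "several MSSP offers"), (5, "PoC rule set"), (4, "Sophos app"), (4, "")),  # no evidence
}
```

Sorting the results by `(not eligible, -total)` gives the ranking for the memo; an option that failed a gate stays listed with its reason rather than silently disappearing.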
Vendor market structure
Structural comparison of the relevant SIEM platforms for DACH mid-market and enterprise.
| Vendor | Cloud-native | EU hosting | Ingest model | SOAR included | MSSP in DACH | Licence model |
|---|---|---|---|---|---|---|
| Splunk Enterprise Security | Splunk Cloud Platform plus on-prem | EU region available | Volume (GB/day) or workload | Splunk SOAR (separate) | Broad MSSP coverage | Subscription, workload-based |
| Microsoft Sentinel | Azure-native SIEM | EU region (Frankfurt, Netherlands) | Pay-per-GB plus reservation | Native playbooks (Logic Apps) | Broad MSSP coverage | Azure billing, no minimum commit |
| Elastic Security | Elastic Cloud, self-managed possible | EU region available | Resource-based (RAM/storage) | Built-in playbooks, limited | Growing MSSP coverage | Subscription, resource-based |
| IBM QRadar / QRadar Suite | QRadar SaaS plus on-prem | EU region available | EPS-based | QRadar SOAR (Resilient) | Mature MSSP coverage in DACH | Subscription, EPS tier |
| Sumo Logic Cloud SIEM | Cloud-native | EU region available | Daily-GB model with tiers | Cloud SOAR module | Limited DACH coverage | Subscription |
| Wazuh | Self-managed or Wazuh Cloud | Self-managed in the EU | Open source, no volume lock-in | No native SOAR | Growing DACH partner base | Open source, support optional |
| LogPoint | SaaS and on-prem | EU-only hosting | Node-based | Native SOAR module | Strong in DACH and Scandinavia | Subscription, node model |
As of April 2026. Based on publicly available vendor information. Own validation via a DecisionOS profile is recommended.
Anonymised memo excerpt
Hospital group, 1,500 employees, NIS2 in scope, multiple sites
Readiness score: 77
- Trigger
  - BSI audit under §75c SGB V plus NIS2 Art. 21 logging obligations. The existing Splunk licence is an expiring end-of-life variant.
- Top criteria (weights)
  - Cloud-native hosting in the EU (20%)
  - Ingest costs at realistic volume (20%)
  - MSSP coverage in DACH, 24/7 (15%)
  - Detection-engineering depth (15%)
  - EDR integration (existing Sophos stack) (15%)
  - Compliance mapping NIS2/§75c (15%)
- Shortlist
  - Microsoft Sentinel plus DACH MSSP
  - LogPoint SaaS plus own SOC L1
  - Splunk Cloud migration plus Splunk SOAR
- Decision
  - Microsoft Sentinel plus DACH MSSP contract, detection engineering built in-house, SOAR via native Logic Apps.
- Rationale
  - Splunk migration was not economically viable (ingest costs above threshold). LogPoint suffered from MSSP coverage in DACH and 24/7 response time. Sentinel fits the Entra/Intune stack; the MSSP delivers the operational depth.
- Residual risks
  - Vendor concentration on Microsoft increases substantially
  - In-house detection engineering must reach minimum maturity within 9 months
Compliance note
Under NIS2 Art. 21, logging is among the mandatory risk-management measures. The BSI recommends 12 months of retention for security-relevant logs. Under DORA Art. 11, financial entities face stricter requirements including incident reporting to the supervisor. ISO 27001:2022 controls A.8.15 (Logging), A.8.16 (Monitoring) and A.5.7 (Threat Intelligence) form the technical frame.
Common pitfalls
- Choosing the platform before the operating model — leads to licence mismatch.
- Underestimating ingest costs — cloud audit logs and EDR telemetry explode quickly.
- Engaging an MSSP without clear SLAs and escalation paths — liability stays with the operator (NIS2 Art. 21).
- Not building detection engineering in-house — creates dependency on MSSP quality.
- Building use cases only after go-live — the SOC runs 6 months without real value.
FAQ
Internal SOC, MSSP or MDR — which structure fits?
An internal SOC pays off above roughly 2,000 employees or for critical infrastructure with 24/7 regulatory pressure. MSSP for mid-market with stable runbooks. MDR when tooling and response should be bundled together. The decision is not a cost question — it is a control and liability question under NIS2 Art. 21.
Which SIEM architecture for NIS2-compliant logging?
NIS2 Art. 21 requires logging of security-relevant events with appropriate retention (BSI recommends 12 months). The SIEM must at minimum cover: identity logs (AD/Entra), endpoint telemetry (EDR feed), perimeter (FW/proxy) and cloud audit logs. Sovereign hosting and EU data residency are common dealbreakers.
What does a SOC really cost?
License is the smallest cost block. Realistic 3-year TCO: SIEM license 20%, ingest/storage 15%, 24/7 staff (6 to 8 FTE for a real internal SOC) 50%, tuning and use-case engineering 10%, integration 5%. The FTE question dominates, which is why many teams outsource to MSSP.
