Why ingest pricing matters
Every published TCO study that breaks out the data-ingestion line puts it between twenty and forty percent of total XDR spend for a typical mid-market deployment. The figure lands there because telemetry volume is hard to forecast, vendors bundle generously in year one, and environments almost always add telemetry sources in year two and three as the platform proves useful.
Finance teams are surprised by ingest cost because the initial quote rarely highlights it. The vendor quote shows a base license. The bundled ingest allowance looks generous. Six months in, the security team connects cloud audit logs, Kubernetes control plane logs, and a second identity provider. The allowance is exceeded. Overage billing kicks in at a per-GB rate that was mentioned once in the contract. The year-two invoice is materially larger than the year-one quote.
The three ingest pricing models
Per GB per day
The most common model. The vendor publishes a bundled daily allowance (often one to five GB per endpoint per day), and overage above that allowance is billed per GB per month at a tiered rate. Per-GB rewards environments with predictable, low-verbosity telemetry; it penalises environments with heavy cloud logging, packet capture, or verbose application audit trails. Overage rates commonly fall between $0.08 and $0.25 per GB per month on published reference lists.
Per source
The vendor charges a fixed fee per connected telemetry source, independent of the volume each source produces. Per-source suits environments with a stable, limited set of source types and unpredictable volumes inside each. It penalises environments with many low-volume sources; each connected system adds a predictable line item whether it generates one GB or one hundred GB per month. It is less common than per-GB but appears in open-XDR contracts where the vendor optimises for integration count.
Bundled into the licence
The simplest model on paper, and also the most opaque. The vendor folds a telemetry allowance into the base licence (for example, five GB per endpoint per day of ingest included). Bundled pricing is predictable for environments that fit the allowance; it becomes expensive when the allowance is exceeded because the overage rate on bundled models tends to be less generous than on dedicated per-GB contracts. Always ask for the overage rate explicitly when the cover quote is bundled.
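To make the three models concrete, the following script is an added example (not code from the original article) that bills one constructed telemetry profile under per-GB, per-source and bundled pricing. Every figure in it, including the sixty GB per day allowance, the tier boundaries, the $400 per-source fee and the $0.30 bundled overage rate, is a hypothetical assumption chosen so that the overage mechanics are visible.

```python
"""Added example, not code from the original article: bill one constructed
telemetry profile under the three ingest pricing models (per GB, per source,
bundled). Every rate, fee, allowance and volume here is a hypothetical
assumption chosen to make the overage mechanics visible."""

DAYS_PER_MONTH = 30  # simplification for the example

# Constructed profile: daily GB per connected telemetry source.
DAILY_GB_BY_SOURCE = {
    "edr_agents": 20.0,        # endpoint telemetry, low verbosity
    "cloud_audit": 14.0,       # cloud audit logs
    "k8s_control_plane": 9.0,  # Kubernetes control plane logs
    "idp_primary": 1.5,        # first identity provider
    "idp_secondary": 1.0,      # second identity provider
    "pcap": 40.0,              # packet capture: high volume, low signal
}

# Hypothetical overage tiers for a dedicated per-GB contract:
# (upper bound of the tier in GB per month, $ per GB inside that tier).
PER_GB_TIERS = [(1_000, 0.25), (10_000, 0.15), (float("inf"), 0.08)]


def monthly_gb(daily_by_source):
    """Total GB per month produced by the profile."""
    return sum(daily_by_source.values()) * DAYS_PER_MONTH


def tiered_overage_cost(overage_gb, tiers):
    """Price overage GB through ascending tiers, each tier covering its own band."""
    cost, lower = 0.0, 0.0
    for upper, rate in tiers:
        if overage_gb <= lower:
            break
        cost += (min(overage_gb, upper) - lower) * rate
        lower = upper
    return cost


def per_gb_bill(daily_by_source, allowance_gb_per_day, tiers=PER_GB_TIERS):
    """Per-GB model: volume above the daily allowance is billed through the tiers."""
    allowance = allowance_gb_per_day * DAYS_PER_MONTH
    overage = max(0.0, monthly_gb(daily_by_source) - allowance)
    return tiered_overage_cost(overage, tiers)


def per_source_bill(daily_by_source, fee_per_source):
    """Per-source model: a flat fee per connected source, volume ignored."""
    return len(daily_by_source) * fee_per_source


def bundled_bill(daily_by_source, allowance_gb_per_day, overage_rate):
    """Bundled model: allowance folded into the licence, flat and less generous overage rate."""
    allowance = allowance_gb_per_day * DAYS_PER_MONTH
    overage = max(0.0, monthly_gb(daily_by_source) - allowance)
    return overage * overage_rate


def compare_models(daily_by_source, allowance_gb_per_day=60.0,
                   fee_per_source=400.0, bundled_overage_rate=0.30):
    """Monthly ingest charge (base licence excluded) under each model."""
    return {
        "per_gb": per_gb_bill(daily_by_source, allowance_gb_per_day),
        "per_source": per_source_bill(daily_by_source, fee_per_source),
        "bundled": bundled_bill(daily_by_source, allowance_gb_per_day,
                                bundled_overage_rate),
    }


if __name__ == "__main__":
    for model, charge in compare_models(DAILY_GB_BY_SOURCE).items():
        print(f"{model:<10} ${charge:>9,.2f} per month")
```

On this profile the per-GB and bundled models both see 765 GB of overage from the same 2,565 GB month, and the only difference between their bills is the rate applied to it; the per-source bill is driven entirely by the six connected systems and would not move if the packet-capture feed doubled. Swapping the allowance, tiers or fee for the values in a real quote is the whole point of the exercise.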
Hot vs cold retention mathematics
The curves illustrate the cost divergence over twenty-four months for a fifty GB per day environment at hypothetical per-GB-per-month storage rates of $0.12 hot and $0.03 cold. By month twenty-four, cumulative hot-tier storage reaches roughly $4,300 against roughly $1,100 for cold. The four-times differential is typical of XDR vendor pricing; some vendors run five-times.
Worked retention example
A five-hundred-endpoint environment generating fifty GB per day of telemetry, retained twelve months hot plus twenty-four months cold, works out approximately as follows at mid-range hypothetical rates.
| Line | Calculation | Amount |
|---|---|---|
| Annual telemetry volume | 50 × 365 = 18,250 GB | — |
| Avg hot storage | half of 18,250 GB = 9,125 GB | — |
| Hot annual cost | 9,125 × $0.12 × 12 | $13,140 |
| Avg cold storage | half of 36,500 GB = 18,250 GB | — |
| Cold annual cost | 18,250 × $0.03 × 12 | $6,570 |
| Retention annual total | $13,140 + $6,570 | $19,710 |
The calculation uses average stored volume because storage grows linearly over the retention window before reaching steady state. At steady state the hot tier holds approximately 18,250 GB (twelve months of daily ingest) and the cold tier holds 36,500 GB (twenty-four months). The averages matter for year-one budgeting; once steady state is reached, the annual cost stabilises at the full-stored-volume rate.
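The following script is an added example, not code from the original article. It reproduces the worked table above from its inputs (fifty GB per day, twelve months hot, twenty-four months cold, the article's hypothetical $0.12 and $0.03 rates) and extends it with a month-by-month cumulative cost for one tier, so the year-one versus steady-state distinction can be checked rather than read off. The fill-rate and steady-state logic is an assumption that follows the article's description.

```python
"""Added example, not code from the original article: reproduce the worked
retention table and extend it with a month-by-month cumulative curve.
The $0.12 hot and $0.03 cold per-GB-per-month rates are the article's
hypothetical figures; the fill-rate and steady-state logic is an assumption
that follows the article's description."""

HOT_RATE = 0.12   # $/GB/month, hot tier (article's hypothetical rate)
COLD_RATE = 0.03  # $/GB/month, cold tier (article's hypothetical rate)
DAYS_PER_YEAR = 365


def retained_gb(daily_gb, months):
    """Volume held by a tier once its retention window is full."""
    return daily_gb * DAYS_PER_YEAR * months / 12


def retention_costs(daily_gb, hot_months, cold_months,
                    hot_rate=HOT_RATE, cold_rate=COLD_RATE):
    """Per-tier annual cost, year one and at steady state.

    Year one follows the table's convention: the tier fills linearly from
    empty, so it is charged on half of the full retained volume. Steady state
    charges the full retained volume every month.
    """
    hot_full = retained_gb(daily_gb, hot_months)
    cold_full = retained_gb(daily_gb, cold_months)
    year_one_hot = hot_full / 2 * hot_rate * 12
    year_one_cold = cold_full / 2 * cold_rate * 12
    return {
        "hot_full_gb": hot_full,
        "cold_full_gb": cold_full,
        "year_one_hot": year_one_hot,
        "year_one_cold": year_one_cold,
        "year_one_total": year_one_hot + year_one_cold,
        "steady_hot": hot_full * hot_rate * 12,
        "steady_cold": cold_full * cold_rate * 12,
    }


def cumulative_tier_cost(daily_gb, rate, months, retention_months=None):
    """Cumulative spend on one tier after `months`, charging the month-end
    stored volume each month. The tier grows by one month of ingest until its
    retention window (if given) is full, then stays flat."""
    gb_per_month = daily_gb * DAYS_PER_YEAR / 12
    cap = None if retention_months is None else gb_per_month * retention_months
    total = 0.0
    for m in range(1, months + 1):
        stored = gb_per_month * m
        if cap is not None:
            stored = min(stored, cap)
        total += stored * rate
    return total


if __name__ == "__main__":
    costs = retention_costs(daily_gb=50, hot_months=12, cold_months=24)
    for name, value in costs.items():
        print(f"{name:<16} {value:>12,.2f}")
    # Hot-tier spend in year two of a twelve-month window equals the
    # steady-state figure, because the tier stopped growing at month twelve.
    year_one = cumulative_tier_cost(50, HOT_RATE, 12, retention_months=12)
    year_two = cumulative_tier_cost(50, HOT_RATE, 24, retention_months=12) - year_one
    print(f"hot year one (month-end sum) {year_one:,.2f}, year two {year_two:,.2f}")
```

`retention_costs` returns the table's $13,140, $6,570 and $19,710 exactly. The month-end sum from `cumulative_tier_cost` for the first twelve months comes out a little higher than the table's average-based figure, because charging on month-end volume averages 6.5 months of ingest over the year rather than 6; either convention is fine for budgeting as long as the quote and the model use the same one. The ratio between the hot and cold cumulative curves is simply the ratio of the two rates, which is the four-times differential the text describes.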
Compliance retention requirements
Compliance frameworks set minimum retention windows that the XDR platform must meet, either directly or via archival export to a SIEM or cold storage. The table below summarises the common frameworks; the linked portfolio sites work through the compliance cost in full.
| Framework | Minimum retention | Immediately available | Notes |
|---|---|---|---|
| PCI DSS 4.0 | 12 months | 90 days | See pcicompliancecost.com |
| HIPAA | 6 years | risk-driven | Audit logs for ePHI access |
| SOC 2 | 12+ months | typical | See soc2compliancecost.com |
| ISO 27001 | risk-driven | varies | See iso27001auditcost.com |
| GDPR | no explicit minimum | — | Breach-notification evidentiary retention implied |
| SOX | 7 years | — | Financial systems audit logs |
| FFIEC (banking) | 3–7 years | varies | Regulator-specific |
The practical pattern is hot retention for active investigation (commonly ninety days, driven by PCI) and cold or SIEM retention for the balance. XDR platforms that own both hot and cold tiers are a single-vendor answer; platforms that only cover hot retention require an external SIEM or object-storage archive for anything beyond their native window.
How to push back on overage clauses
Overage pricing is one of the most negotiable line items in an XDR contract. Five tactics carry real leverage, and each is worth asking for explicitly before the contract is signed.
- Annual true-up rather than monthly billing. Spikes that resolve within the year do not trigger overage charges under annual true-up; under monthly billing they do. Annual true-up is rarely offered but usually granted when requested.
- Committed ingest bands. Commit to a higher ingest volume than you currently use in exchange for a lower per-GB rate. Useful if you expect telemetry growth; risky if you do not.
- Prepaid data credits. Purchase a block of GB up front at a discount rather than pay-as-you-go. Commonly offered for committed-ingest customers.
- Year-over-year overage cap. A contractual cap on how much overage can grow between years. Protects against the second-year surprise when telemetry expands.
- Source-level exclusions. Negotiate to exclude particular high-volume, low-signal sources from the billable ingest count. Packet capture feeds are a common candidate.
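To show what three of these clauses are worth in money, the script below is an added example (not code from the original article) that runs a constructed twelve-month ingest series through monthly billing, annual true-up, a year-over-year overage cap and a source-level exclusion. The 1,800 GB monthly allowance, the flat $0.15 overage rate, the fifty percent cap and the monthly volumes are all hypothetical assumptions.

```python
"""Added example, not code from the original article: quantify three of the
negotiation clauses (annual true-up, year-over-year overage cap, source-level
exclusion) on a constructed twelve-month ingest series. Allowance, rate,
cap percentage and volumes are hypothetical assumptions."""

ALLOWANCE_GB_PER_MONTH = 1800.0  # contracted monthly allowance (assumption)
OVERAGE_RATE = 0.15              # flat $/GB overage rate (assumption)

# Constructed monthly ingest (GB) per source. Core telemetry is steady; the
# packet-capture feed is switched on for two investigations and then off again.
MONTHLY_GB_BY_SOURCE = {
    "core": [1600, 1650, 1700, 1650, 1650, 1600, 1700, 1650, 1650, 1600, 1700, 1650],
    "pcap": [0, 0, 0, 1250, 0, 0, 0, 1450, 0, 0, 0, 0],
}


def billable_series(by_source, excluded=()):
    """Monthly billable GB, summing every source not contractually excluded."""
    months = len(next(iter(by_source.values())))
    return [sum(vols[m] for name, vols in by_source.items() if name not in excluded)
            for m in range(months)]


def monthly_billing(volumes, allowance=ALLOWANCE_GB_PER_MONTH, rate=OVERAGE_RATE):
    """Monthly billing: every month above the allowance is charged on its own."""
    return sum(max(0.0, v - allowance) for v in volumes) * rate


def annual_true_up(volumes, allowance=ALLOWANCE_GB_PER_MONTH, rate=OVERAGE_RATE):
    """Annual true-up: only volume above the yearly allowance is charged, so a
    spike that quieter months offset never becomes overage."""
    return max(0.0, sum(volumes) - allowance * len(volumes)) * rate


def capped_overage(prior_year_overage, this_year_overage, cap_pct):
    """Year-over-year cap: this year's overage charge may exceed last year's by
    at most cap_pct percent."""
    return min(this_year_overage, prior_year_overage * (1 + cap_pct / 100))


if __name__ == "__main__":
    series = billable_series(MONTHLY_GB_BY_SOURCE)
    core_only = billable_series(MONTHLY_GB_BY_SOURCE, excluded=("pcap",))
    print("monthly billing      ", monthly_billing(series))
    print("annual true-up       ", annual_true_up(series))
    print("pcap excluded, monthly", monthly_billing(core_only))
    print("capped at +50%/yr    ", capped_overage(360.0, 900.0, 50))
```

On this series the two packet-capture spikes cost $360 under monthly billing but $135 under annual true-up, because nine quiet months absorb most of the excess; with the packet-capture feed excluded from the billable count both cadences bill nothing. The cap function is the second-year protection: if year one ended at $360 of overage and year two would otherwise bill $900, a fifty percent cap holds it at $540.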