XDR sizing worksheet: the inputs you need before any vendor call.

A vendor’s sizing calculator is built to size you toward their SKU. Ask three vendors to size the same environment and you get three different totals, each driven toward the vendor’s strongest axis. A neutral worksheet that captures the raw inputs changes the dynamic: you tell the vendor your numbers, and the conversation becomes about which part of your environment each vendor can cover well.

This worksheet takes around fifteen minutes to fill in if you have your configuration management database or asset inventory nearby. Inputs persist in browser storage so you can come back to the page later without losing your numbers. When you are finished the worksheet hands the inputs straight to the budget calculator.

How to estimate daily telemetry volume

Daily telemetry volume is the hardest input to guess because the answer depends on logging verbosity, cloud footprint, and packet-capture policy. Rule-of-thumb multipliers from published TCO studies:

• Endpoint telemetry: 0.5 to 2 GB per day per endpoint depending on logging verbosity. Server telemetry tends toward the upper bound; workstation telemetry toward the lower.
• Cloud workload telemetry: 1 to 5 GB per day per workload. Kubernetes and serverless push the upper bound because pod-level and function-level events are high cardinality.
• Email telemetry: 50 to 200 MB per day per mailbox typical. Email is a smaller telemetry stream than endpoint; it is the correlation value that matters, not the volume.
• Identity telemetry: 100 to 500 MB per day per directory. Federated identity logs, MFA events, and privileged access events make up most of the volume.
• Network telemetry: highly variable. Flow logs alone are typically 1 to 5 GB per day per gateway; full packet capture can be 100 GB per day for a single span port.

For a first-pass estimate, 1 GB per day per endpoint plus 2 GB per day per cloud workload is a defensible starting figure. Refine with real data from your SIEM or syslog server before signing a contract.

How to estimate retention requirements

Retention is compliance-driven in most regulated industries. The common frameworks set minimums that the XDR platform must either meet directly (at hot-tier cost) or meet via archive export to a SIEM or cold storage (at cold-tier cost). See the data ingestion cost page for the full retention-math worked example.

• PCI DSS: 12 months minimum for audit logs, with 90 days immediately available (queryable). See pcicompliancecost.com.
• HIPAA: 6 years for audit logs covering access to ePHI.
• SOC 2: typically 12 months minimum, driven by the organisation’s own control language. See soc2compliancecost.com.
• ISO 27001: retention is risk-assessment driven; 12 months is a common baseline. See iso27001auditcost.com.
• GDPR: no explicit log retention requirement, but records of processing and security-incident logs are commonly retained 12 to 24 months.
• Financial services: 3 to 7 years depending on jurisdiction and regulator.

The practical split for most organisations is 30 to 90 days of hot retention inside the XDR platform for active investigation, with the balance archived to cold storage or a SIEM for compliance. Sizing the hot tier larger than required is one of the most common cost leaks.