STRATEGY & MSSP · 9 MIN

Flat-Rate MDR vs Per-EPS SIEM: Why the Pricing Model Decides Your Security Outcome

Per-EPS pricing punishes visibility. Flat-rate MDR aligns vendor incentives with detection. Here's how to compare honestly — and why most CISOs are quietly switching.

QMasters SOC Team· Strategy & Operations· 2026-01-20
TL;DR

Is flat-rate MDR cheaper than per-EPS SIEM pricing?

Flat-rate MDR is usually cheaper at scale and structurally aligned with better security outcomes. Per-EPS pricing creates a perverse incentive — the customer pays more for every additional log source, so log sources get cut, visibility drops, and detections silently fail. Flat-rate MDR pricing is independent of log volume, which means the customer can log everything that matters without budget penalty, and the vendor's only cost lever is detection efficiency. For mid-market and enterprise customers with 5,000+ EPS, flat-rate MDR typically lands 20–40% below total cost of ownership for an equivalent per-EPS SIEM-plus-SOC stack — and produces materially better detection coverage.

Side-by-side comparison of per-EPS SIEM pricing vs flat-rate MDR cost model showing inverse incentives
Side-by-side comparison of per-EPS SIEM pricing vs flat-rate MDR cost model showing inverse incentives

Flat-Rate MDR vs Per-EPS SIEM: Why the Pricing Model Decides Your Security Outcome

Most security buyers compare detection capabilities. Almost nobody compares pricing models with the same rigor — even though the pricing model is what decides, year after year, what gets logged, what gets detected, and what slips through.

This is the conversation we have with most CISOs in the first call. Per-EPS pricing punishes the behavior security teams need most: complete visibility. Flat-rate MDR removes that penalty. Once you see the incentive math, you can't unsee it.

The structural problem with per-EPS pricing

Per-EPS pricing was designed for a different era — when log volumes were modest, log sources were few, and SIEM was sold as a compliance check rather than a detection engine.

In 2026, the environment looks like this:

  • Cloud audit logs (CloudTrail, Activity Log, Audit Logs) generating 1–5K EPS in any non-trivial environment
  • SaaS audit logs (Microsoft 365 Unified Audit, Google Workspace, Okta, GitHub) — another 500–3K EPS each
  • Modern EDR (CrowdStrike, SentinelOne, MS Defender) — telemetry-rich, easily 5–20K EPS
  • Identity logs (Entra ID sign-in and audit) — high-fidelity, high-volume
  • DNS query logs at full enterprise scale — thousands of EPS

A complete log-source posture for a mid-market enterprise easily reaches 30–80K sustained EPS. At per-EPS pricing, that's a budget item that scares CFOs.

So the conversation in the security team becomes:

  • "Do we really need DNS logs?" (Yes, but they got cut.)
  • "Can we sample CloudTrail?" (You shouldn't, but it gets done.)
  • "Do we need verbose Defender telemetry, or just the alerts?" (Verbose telemetry catches things alerts don't, but it gets dropped.)

Every one of these decisions is a detection sacrifice driven by pricing model, not by security strategy. The pricing model is making the security architecture decisions.

What flat-rate MDR changes

Flat-rate MDR pricing — typically per asset, per user, or per environment scope — removes the per-event penalty.

The customer can log everything that matters. The MDR provider absorbs the ingestion cost, which means:

  • Vendor cost lever shifts from "charge more for more data" to "detect efficiently"
  • Customer security architecture is no longer constrained by event volume
  • Detection coverage gets to be the actual conversation in QBRs, instead of "what can we afford to log"

It also realigns vendor incentives. Per-EPS vendors make more money when customers log more — but the customer cuts log sources to manage cost. Flat-rate vendors make money when detection works and customers stay. Renewals become outcome-driven.

How to compare honestly

The headline price never tells the story. The honest comparison requires line items.

Per-EPS SIEM-plus-SOC stack — fully loaded annual cost includes:

  • SIEM platform license (per-EPS or per-GB tier)
  • SIEM infrastructure (on-prem hardware, cloud compute, storage)
  • SIEM operations (admin, content engineering, tuning)
  • SOC analysts (24×7 coverage = ~6 FTE minimum for a real shift schedule)
  • SOAR or automation tooling
  • Threat intelligence subscriptions
  • Incident response retainer
  • Tooling churn (apps, add-ons, integrations)

Flat-rate MDR — fully loaded annual cost includes:

  • MDR subscription (asset/user/environment-based)
  • Whatever logs the customer keeps in-scope are included
  • 24×7 SOC operations included
  • Threat intelligence included (or itemized)
  • Incident response — verify whether included or separate retainer
  • Custom content development — verify scope
  • Reporting and QBR cadence — verify what's included

A serious comparison maps both stacks to the same three-year horizon, with the same scope of log sources, same response action expectations, and same SLA targets.

Across 240+ customers we've onboarded into QMasters StrongHold MCSS, the typical pattern is: flat-rate MDR lands 20–40% below the equivalent fully-loaded per-EPS stack at the same coverage level. The bigger driver isn't the headline subscription difference — it's the recovery of internal FTE cost and the elimination of "do we log this" sacrifices.

See StrongHold MCSS pricing model

What flat-rate is not

Flat-rate doesn't mean unlimited everything. The honest version of flat-rate MDR has explicit scope:

  • Asset count or user count — adding 5,000 endpoints changes the price
  • Service tier — alert-only, contain-on-confirmation, full-response-included
  • Hours coverage — 24×7 vs business-hours
  • Custom content scope — how many custom rules per quarter, what gets developed in-scope vs as a project

A flat-rate MDR vendor that won't write the scope down clearly is selling you the marketing line. Push for specifics.

The questions to ask any MDR provider

A short list that separates the operationally serious from the operationally vague:

  1. What's your detection coverage map? Show me the ATT&CK matrix, color-coded for what you detect and how.
  2. What's your time-to-acknowledge and time-to-investigate SLA? With penalties for breach.
  3. Can you contain — kill processes, isolate hosts, disable accounts — or only alert? Containment-included is non-negotiable for serious MDR.
  4. What threat intelligence do you produce vs consume? Resold vendor TI vs internally curated IOCs are different products.
  5. Who is the analyst that will work on my account, what's their tenure, and what's the analyst-to-customer ratio?
  6. Show me a real customer report (redacted). Not a marketing dashboard — a real monthly summary.
  7. What does my year-2 renewal price assume? Indexed how, with what overage triggers?

The vendors who answer these clearly are the ones worth shortlisting.

What QMasters runs

For context — our own approach:

  • Flat-rate StrongHold MCSS — predictable per-asset / per-user model
  • Logs in scope without per-event penalty — log everything that matters
  • 24×7 SOC — 16 analysts, not a marketing claim
  • Critical alert SLA — 15 minutes
  • Containment-included — we contain on confirmation, you don't escalate to your team to act
  • DailyIOC threat intelligence — internally curated, fed back into customer detection content
  • Outcome-aligned QBRs — coverage map, dwell time, MTTC/MTTR, not screenshots of a dashboard

The pricing model isn't a marketing positioning. It's the operating model. We can run flat-rate because the SOC is built to detect efficiently, not to charge for ingestion.

Beyond this piece, learn more about QMasters as a company, or explore our take on SIEM sizing calculator.

Frequently asked questions

Is flat-rate MDR always cheaper than per-EPS SIEM?

Not always — at very small scales (sub-2K EPS, single-digit asset counts) the math can favor per-EPS. At mid-market and enterprise scale, flat-rate MDR is typically 20–40% cheaper at equivalent coverage and produces better detection outcomes.

Are there hidden costs in flat-rate MDR?

There can be — incident response retainer scope, custom content limits, response action authority. The honest comparison reads the contract line by line.

What's the right pricing model for a small business?

For sub-2K EPS environments, an EDR-led MDR (built around CrowdStrike, SentinelOne, MS Defender) often beats both per-EPS SIEM and full flat-rate SIEM-MDR on cost and outcome. We architect for environment, not for product.

Does flat-rate mean QMasters loses money on heavy-logging customers?

The pricing assumes a reasonable distribution of log volumes per asset class. Outliers are addressed during scoping — and the SOC operating model means efficient detection, not cost padding.

---

Want a side-by-side TCO model for your environment?

We'll build a year-three cost comparison — your current stack vs StrongHold MCSS — using your actual log volumes, asset counts, and FTE costs. Request a TCO model →

FAQ

Frequently asked questions.

  • Per-EPS (events per second) pricing charges the customer based on the volume of log events ingested. It is the dominant pricing model for traditional SIEM platforms (QRadar, Splunk, ArcSight) and many MSSP services that resell those platforms. Higher visibility = higher cost.

ABOUT THE AUTHOR

QMasters SOC Team
Strategy & Operations

Practitioners from the QMasters Security Operations Center. We run 24/7 monitoring, detection engineering, and incident response for organisations across regulated industries — and write here from the offense and defense work in front of us.

BUILDING OR REBUILDING A SOC?

Skip the 18-month build. Get an MDR partner.

Talk to a SOC strategy lead about flat-rate MDR, SIEM operations, and what to keep in-house versus outsource.

Explore Managed Cyber Security Services

F-003 · CONSULTATION

Book 30 minutes. No slides.

A real working session with a SOC engineer — bring your alerts.