IBM QRadar SIEM Licensing: EPS, Flows, Cost Optimisation and the SaaS Transition

QRadar Licensing Models: The Full Landscape

IBM QRadar SIEM is available in three core deployment and licensing configurations: on-premises perpetual licences, on-premises subscription (Committed Term Licensing), and cloud-hosted QRadar on Cloud (QRoC). Each configuration has distinct pricing mechanics, flexibility levels, and commercial implications for enterprise security teams.

On-Premises Perpetual Licensing

The perpetual licensing model allows a one-time purchase of QRadar capacity for a defined EPS and FPM tier. Perpetual licences cover the software indefinitely but require an annual Software Subscription and Support (S&S) renewal — typically 20 to 25 percent of the original licence value per year — to receive software updates, new features, and technical support. Organisations that let S&S lapse effectively freeze their QRadar version and lose access to IBM support.

Perpetual QRadar licences are transferred to organisations on a named account basis through Passport Advantage. The perpetual model suits organisations with stable log volumes, established IBM relationships, and a preference for capitalising software costs. However, the EPS capacity purchased at inception can become a constraint as log volumes grow — and EPS expansions require additional perpetual licence purchases.

On-Premises Subscription (Committed Term Licensing)

IBM's Committed Term Licensing (CTL) model distributes QRadar cost across annual payments that include both the software licence and support. CTL terms have a minimum 12-month commitment and cannot be cancelled during the term. IBM's 2023 Passport Advantage Agreement changes made the non-cancellation provision for subscription licences explicit — organisations should not enter CTL agreements for EPS capacities above their actual projected need, as rightsizing after the fact requires waiting for term expiry.

The CTL model provides price protection for the committed term and offers flexibility to adjust capacity at renewal. For organisations with growing or variable log volumes, CTL may be preferable to perpetual licensing because capacity adjustments are easier at term renewal than managing perpetual licence stacking.

QRadar on Cloud (QRoC)

IBM's hosted QRadar service — QRadar on Cloud — offered a SaaS delivery model where IBM managed the infrastructure while customers retained control of their security operations. QRoC was sold on subscription terms measured by EPS capacity. However, in May 2024, IBM and Palo Alto Networks announced a strategic partnership that included Palo Alto Networks acquiring IBM's QRadar SaaS business assets. Existing QRoC customers need to understand how this transition affects their current agreements and what their migration path to Palo Alto's security operations platform entails.

EPS and FPM: Sizing QRadar Correctly

Events Per Second (EPS)

Events Per Second is the primary metric for QRadar licence sizing. EPS represents the number of log events the QRadar system can ingest and process each second. A QRadar licence at 5,000 EPS can process up to 5,000 log events per second from all data sources combined. Enterprise deployments typically range from 2,500 EPS for smaller environments to 50,000 EPS or more for large global organisations with extensive log source coverage.

Sizing EPS accurately requires baselining your actual log volumes across all intended data sources — firewalls, endpoints, servers, cloud services, security tools, and applications. Many organisations over-size EPS at initial deployment because they include aspirational log sources that are never actually connected. A realistic deployment sizing exercise that maps actual data sources to expected EPS per source type avoids paying for capacity that will never be used.

Flows Per Minute (FPM)

Flows Per Minute measures network flow records that QRadar ingests for network activity monitoring and threat detection. Flow data — derived from NetFlow, sFlow, IPFIX, and similar protocols — provides network visibility that complements log-based detection. FPM sizing depends on the scale of network infrastructure included in QRadar's monitoring scope. Not all QRadar deployments actively use flow analysis — organisations focused primarily on log-based SIEM use cases may not need to size FPM aggressively.

The Enterprise Model: Managed Virtual Servers

IBM also offers a QRadar Enterprise licensing model based on Managed Virtual Servers (MVS) rather than EPS and FPM. Under the Enterprise model, the licence cost is determined by the number of servers in the monitored environment, with unlimited event data permitted within that server footprint. For organisations with a large, well-defined server estate generating steady, high-volume event streams, the Enterprise model can be more economical than EPS-based licensing. The break-even point between EPS-based and MVS-based licensing depends on the average EPS per monitored server — organisations generating 30 to 50+ EPS per server typically find Enterprise model pricing more favourable.

The Palo Alto Networks / IBM QRadar Partnership: What It Means for Customers

In May 2024, IBM and Palo Alto Networks announced a broad strategic partnership that included Palo Alto Networks acquiring IBM's QRadar Software as a Service (SaaS) assets. This transaction represents a material change for QRoC customers and signals IBM's direction for the broader QRadar product portfolio.

For QRoC customers, the acquisition means their hosted SIEM environment is now under Palo Alto Networks' management roadmap. Palo Alto Networks has indicated that the intention is to migrate QRoC customers to its Cortex XSIAM security operations platform over time, rather than maintaining QRadar as a separate SaaS product indefinitely. Customers approaching QRoC contract renewals should seek clarity on the migration timeline, data portability options, and what contractual protections apply during the transition period.

For on-premises QRadar perpetual and CTL customers, the immediate impact is more limited — IBM continues to own and develop the on-premises QRadar software product. However, the strategic direction is clearly moving toward deeper integration between IBM's security consulting capabilities and Palo Alto Networks' product portfolio. Organisations locked into long-term QRadar perpetual licences should model the total cost of QRadar including annual S&S renewals against the cost of migrating to competitive platforms such as Microsoft Sentinel, Splunk, or Elastic SIEM when their support periods reach natural renewal points.

QRadar Cost Optimisation Strategies

Right-Size EPS at Contract Renewal

The single most impactful cost optimisation action for QRadar customers is ensuring that licensed EPS capacity reflects actual deployment rather than projected maximum capacity. IBM's EPS tiers are often quoted and purchased at multiples of actual log volume to provide "headroom" — but if that headroom represents 50 percent of the licensed capacity, the organisation is paying for shelfware. A log volume baseline exercise before each renewal, comparing actual 90th-percentile EPS against licensed capacity, identifies downsize opportunities that IBM will not volunteer.

Optimise Log Source Coverage

Many QRadar deployments include log sources that generate high event volumes but low-value security data. Log source optimisation — filtering or aggregating high-volume, low-signal sources such as authentication success events, routine DNS queries, and application health checks — can meaningfully reduce effective EPS without reducing security coverage. EPS saved through log source optimisation translates directly to reduced licence requirements at renewal.

Evaluate Model Fit at Each Renewal

Whether the EPS/FPM Usage model or the Managed Virtual Server Enterprise model is more economical depends on how the monitored environment has evolved since the last licence evaluation. If the organisation has added servers while keeping log volume controlled, the Enterprise model may now be cheaper. If server count has declined (through consolidation or cloud migration) while EPS has grown, the Usage model may be more appropriate. A model comparison analysis should be part of every QRadar renewal cycle.

IBM Fiscal Year Timing

IBM's fiscal year ends on 31 December. QRadar S&S renewals and CTL term renewals negotiated in the fourth quarter — October through December — typically receive better commercial terms than mid-year negotiations. IBM's security division has its own revenue targets aligned with IBM's December year-end, creating end-of-period pricing flexibility. Planning QRadar contract events to coincide with IBM's fourth quarter is a straightforward timing lever that consistently delivers improvement.

Alternatives to IBM QRadar: A Brief Market Context

The SIEM market has become significantly more competitive since QRadar's peak dominance. Microsoft Sentinel's consumption-based pricing model and native integration with Microsoft 365 environments make it an attractive option for Microsoft-centric enterprises — though Sentinel's consumption costs can be unpredictable without careful log volume management. Splunk Cloud remains a leading alternative for organisations requiring powerful search and analytics capabilities, with pricing based on data ingestion volume. Elastic SIEM provides an open-source based option with flexible pricing for organisations with strong engineering teams. Google Chronicle offers a cloud-native SIEM with flat-rate pricing that removes the EPS-based cost model entirely.

Evaluating QRadar renewal against alternatives requires modelling both the direct licence cost and the migration cost — including infrastructure, integration re-engineering, and SOC process change. For organisations deeply invested in QRadar use cases, custom rules, and analyst workflows, migration costs are substantial. But for organisations approaching large QRadar perpetual licence renewals with growing S&S obligations, the business case for platform migration can be compelling.