How IBM QRadar SIEM Licensing Works: EPS, FPM, and Deployment Models

IBM QRadar SIEM licensing is built around two primary consumption metrics: Events Per Second (EPS) and Flows Per Minute (FPM). EPS measures how many log events the system ingests each second — syslog entries, Windows Event IDs, application alerts — while FPM captures network communications flowing through your environment. Both metrics are licensed in capacity tiers, and exceeding either triggers throttling or, depending on your contract, overage charges. For most large enterprises, EPS is the dominant cost driver; network-heavy environments with significant east-west traffic will find FPM equally important to size correctly.

The entry-level on-premises QRadar deployment starts at approximately $10,700 per year for a 100 EPS tier, including 12 months of support. Production environments at financial services firms, healthcare organisations, and global manufacturers typically run at 2,000–10,000 EPS, with licensing costs scaling proportionately. IBM licenses flow capacity in blocks of 25,000–50,000 FPM for NDR components, which applies if you have deployed QRadar Network Insights or bundled network detection.

There are three primary deployment models. The on-premises appliance model gives you full data residency control and supports both perpetual and subscription licensing. Perpetual licensing locks in your entitlement indefinitely but commits you to annual support costs at roughly 20% of licence value. The software deployment model runs QRadar on your own hardware (often IBM Power or x86) with a cost structure similar to the appliance's. The QRadar on Cloud (SaaS) model, which started at $800 per month on annual commitment terms, has required a separate conversation since May 2024: IBM sold its QRadar SaaS assets to Palo Alto Networks. Organisations evaluating cloud SIEM deployments must now clarify with IBM what support roadmap applies and whether Palo Alto's XSIAM platform becomes the long-term destination for cloud workloads.

It is worth running a baselining exercise before any renewal negotiation, using IBM assessment tools that can help quantify your SIEM risk exposure and current EPS consumption patterns. The data you generate will be your strongest leverage in the conversation.

QRadar SIEM vs QRadar Suite (XDR): What the 2024 Rename Means for Your Licensing

In January 2024, IBM consolidated its security portfolio under a new naming structure. IBM Security QRadar XDR became IBM Security QRadar Suite Software, bundling SIEM, NDR, SOAR, and XDR Connect into a single entitlement framework. Standalone SIEM retained the QRadar SIEM name but is now positioned as one component within the broader suite. This matters commercially because IBM's sales motion is increasingly to push customers towards the full Suite rather than renewing standalone SIEM licences.

The Suite Software uses two licensing metrics depending on which component you are deploying. SIEM is measured by EPS, while the NDR component is measured by FPM. When you purchase entitlements in the Suite model, these entitlements can theoretically be redeployed across products using defined conversion ratios — but the terms governing this redeployment are contractually complex. Enterprises that purchase QRadar Suite without carefully auditing which metric applies to each workload regularly find they have over-licensed one component and under-licensed another, creating both cost waste and compliance gaps simultaneously.

IBM's Enterprise Model for SIEM uses a different metric altogether: Managed Virtual Servers (MVS). This creates a third metric to track for organisations running SIEM in managed or co-managed configurations. Our IBM licensing advisory team routinely encounters clients with three different licence metrics active across their QRadar estate, none of which has been reconciled against actual deployment in the past 12 months. The result is either significant overspend or undisclosed audit exposure — sometimes both.

Need an IBM QRadar Licensing Review?

Redress Compliance has helped enterprises across financial services, healthcare, and critical infrastructure reconcile QRadar EPS capacity against actual deployment — typically identifying 15–30% overspend or unrecognised audit risk within the first engagement week.


The Cost Overrun Scenarios IBM Does Not Warn You About

IBM QRadar SIEM licensing is deceptively stable under normal conditions — until it is not. Three scenarios generate the majority of unbudgeted cost overruns in enterprise environments. The first is EPS spikes during security incidents. When a major incident occurs — a ransomware detection, a DDoS event, a large-scale phishing campaign — your log sources generate events at multiples of their normal rate. If your licensed EPS tier cannot absorb the spike, QRadar either throttles event ingestion (meaning you lose forensic data precisely when you need it most) or you face an immediate capacity upgrade requirement. The better contracts include burst allowances; most standard agreements do not.

The second overrun scenario is improper log source scoping. Many organisations add new infrastructure, cloud workloads, or SaaS applications to QRadar without re-evaluating their EPS tier. Each new log source — whether it is a set of Azure AD logs, a cloud WAF, or a new EDR platform — adds to the aggregate event rate. We have seen enterprises running at 40% over their licensed EPS tier for six months before the renewal conversation surfaced the issue. IBM's commercial response at that point is rarely sympathetic.

The third scenario is the SaaS acquisition transition risk. Organisations that deployed QRadar on Cloud prior to May 2024 now sit in a state of strategic ambiguity. IBM continues to support these deployments, but the long-term roadmap involves migration towards Palo Alto XSIAM or alternative cloud SIEM platforms. Enterprises with QRadar on Cloud should, at minimum, demand a written support timeline from IBM covering the next 36 months. For an in-depth view of how IBM audit exposure interacts with licensing metrics, our IBM audit defence landing page covers the response frameworks used across 500+ IBM engagement clients.

Assess Your IBM SIEM Licensing Risk

Use our IBM assessment tools to identify EPS capacity gaps, metric mismatches, and sub-capacity compliance issues before IBM's commercial team does.


IBM QRadar Renewal Negotiation: What Actually Moves the Number

IBM QRadar is not a commodity purchase and IBM does not negotiate it like one. However, there are four levers that consistently produce 10–25% reductions in renewal cost when applied correctly. The first is competitive benchmarking against Microsoft Sentinel. Microsoft Sentinel prices on a consumption basis at approximately $5.22 per GB on pay-as-you-go, dropping to $3.43 per GB at the 100 GB/day commitment tier. When you can demonstrate that your QRadar EPS tier maps to a specific Sentinel cost and that Sentinel is materially cheaper for your ingestion profile, IBM's account team gains internal justification to discount. This is not a bluff — it is a documented commercial analysis, and it works.

The second lever is multi-year commitment with price lock. IBM will accept 3-year QRadar commitments in exchange for discounted annual rates and price lock protection. For organisations with stable SIEM requirements and no planned cloud migration, a 3-year term at a 15–20% discount against list is achievable. The third lever is ELA bundling. If your organisation holds or is renewing other IBM products — ILMT, Maximo, IBM i, or IBM watsonx — bundling QRadar into a broader IBM Enterprise Licence Agreement creates cross-product discount dynamics that standalone SIEM renewal does not. As we have outlined in our IBM ELA renewal negotiation guide, getting the ELA structure right before committing to any individual product renewal is essential.

The fourth lever is timing. IBM's fiscal year runs January to December. Q4 (October–December) and Q2 close (late June) represent peak quota pressure periods. Renewals timed to these windows consistently outperform those handled in Q1 or Q3, all else being equal.

The related challenge facing many IBM customers is that QRadar sits alongside IBM ILMT sub-capacity compliance requirements and PVU-based licensing for other IBM software. Managing QRadar in isolation, without visibility into the broader IBM estate, consistently produces missed optimisation opportunities. See also our guides on IBM sub-capacity PVU licensing and IBM Maximo Application Suite licensing for context on how IBM manages its total commercial relationship with enterprise accounts.