Model Assumptions
Every number in this calculator is grounded in publicly available industry data and MSSP-scale pricing research. All defaults are starting points โ you can override any figure directly in the calculator.
Customer Size Tiers (EPS)
We measure customer size by Events Per Second (EPS) โ the volume of log data a customer's environment generates. This is the standard unit SIEM vendors use to price their licenses, so it directly drives cost.
| Tier | EPS Range | Typical Customer Profile |
|---|---|---|
| Small | Up to 2,500 EPS | Small business, branch office, or light-log environment |
| Medium | 2,500 โ 10,000 EPS | Mid-market or regional enterprise โ most MSSP customers |
| Large | 10,000+ EPS | Large enterprise, high-volume, complex environment |
All cost defaults are editable. Click the pencil icon on any line in the SIEM Platforms section to enter your prospect's actual figures.
SIEM Licensing, Support & Infrastructure
Default costs reflect MSSP-scale volume discounts โ not list price. Large MSSPs with multiple customer deployments negotiate 35โ55% off vendor list depending on platform and commitment level. Each customer's annual SIEM cost has three components:
| Platform | Discount vs. List | Small (Total/yr) | Medium (Total/yr) | Large (Total/yr) |
|---|---|---|---|---|
| IBM QRadar | ~50% MSSP | $45,625 | $91,250 | $181,500 |
| Splunk | ~45% MSSP | $62,275 | $123,550 | $247,100 |
| FortiSIEM | ~35% MSSP | $36,163 | $72,325 | $144,650 |
| Microsoft Sentinel | ~25% CSP | $40,500 | $81,000 | $162,000 |
| Other / Custom | ~30% MSSP | $42,200 | $84,400 | $168,800 |
Totals = License + Support + Infrastructure per customer per year at default discount rates.
Migration Timing โ The 45-Day Rule
Customers don't abandon their SIEM license mid-term โ they migrate at or near license expiration. The model assumes migration happens within 45 days of the license renewal date, which means in the year a customer migrates, they pay approximately 12.5% of their annual SIEM cost as a stub period (45 รท 365 days). After the migration year, their legacy SIEM cost drops to zero.
SOC Headcount โ Legacy Staffing
Legacy headcount is calculated from industry MSSP staffing benchmarks. Tier 1 and Tier 2 analysts require a 3.5ร shift multiplier for 24/7 coverage (4 shifts ร 0.875 to account for PTO and training). Engineering and management roles work standard business hours.
| Role | FTEs per Small Customer | FTEs per Medium | FTEs per Large | 24/7 Multiplier |
|---|---|---|---|---|
| SOC Analyst (Tier 1) | 0.30 | 0.60 | 1.20 | 3.5ร |
| SOC Analyst (Tier 2) | 0.10 | 0.20 | 0.40 | 3.5ร |
| Senior Analyst (Tier 3) | 0.04 | 0.08 | 0.15 | 1.0ร |
| Detection Engineer | 0.02 | 0.04 | 0.08 | 1.0ร |
| Threat Hunter | 0.02 | 0.04 | 0.08 | 1.0ร |
| Incident Responder | 0.02 | 0.04 | 0.06 | 1.0ร |
| SIEM Admin | 0.04 | 0.06 | 0.10 | 1.0ร |
| SOC Manager | 0.02 | 0.03 | 0.05 | 1.0ร |
All headcount values are editable. Use the "Calculate Legacy Staffing" button as a starting point, then adjust to match your prospect's actual team.
SOC Headcount โ Post-Cyrebro Staffing
Cyrebro's AI handles 88โ92% of all SOC work autonomously. The human team shrinks dramatically:
Salary Benchmarks
Default salaries are national MSSP medians drawn from cybersecjobs.com, Glassdoor, ZipRecruiter, and Vectra AI's 2026 compensation guides. A 30% benefits burden is applied to all roles (health insurance, 401k match, payroll taxes, and PTO accrual). Use the geography preset dropdown to apply regional salary adjustments.
| Role | Default Salary | Range | Benefits (30%) | Total Cost/FTE |
|---|---|---|---|---|
| SOC Analyst (Tier 1) | $72,000 | $55Kโ$78K | $21,600 | $93,600 |
| SOC Analyst (Tier 2) | $95,000 | $80Kโ$110K | $28,500 | $123,500 |
| Senior Analyst (Tier 3) | $125,000 | $75Kโ$145K | $37,500 | $162,500 |
| Detection Engineer | $138,000 | $130Kโ$155K | $41,400 | $179,400 |
| Threat Hunter | $142,000 | $130Kโ$160K | $42,600 | $184,600 |
| Incident Responder | $128,000 | $95Kโ$130K | $38,400 | $166,400 |
| SIEM Admin | $118,000 | $110Kโ$130K | $35,400 | $153,400 |
| SOC Manager | $148,000 | $120Kโ$155K | $44,400 | $192,400 |
| Director / VP | $200,000 | $175Kโ$230K | $60,000 | $260,000 |
Overhead & Tooling
Four overhead categories are included. Each has a default annual cost and a post-Cyrebro reduction percentage that applies proportionally as customers migrate.
| Category | Default Annual Cost | Post-Cyrebro Reduction | Basis |
|---|---|---|---|
| Training & Certifications | $200,000 | 70% | $4K/analyst/yr ร ~50 analysts; QRadar/Splunk certs eliminated |
| Recruiting & Turnover | $280,000 | 60% | 28% SOC turnover ร 14 hires/yr ร $20K cost-per-hire |
| SOAR / Threat Intel / Ticketing | $500,000 | 75% | XSOAR $150โ300K + threat intel $100โ200K + ticketing $50โ100K |
| Facilities & Shift Overhead | $300,000 | 50% | 30 analysts on rotating shifts ร 20% shift premium; remote-first adjustment |
Personnel Cost โ Linear Reduction
Personnel costs blend linearly from legacy staffing levels to post-Cyrebro staffing levels as migration progresses. If 40% of customers have migrated by the end of Year 2, the model assumes 40% of the personnel savings have been realized. This is a conservative assumption โ in practice, headcount reductions often happen in discrete steps (e.g., not replacing departing Tier 1 analysts once Cyrebro is live). The linear model avoids overstating early-year savings.
Model version 3.0 ยท Built by GoTeneo for Cyrebro sales engineering.