Field notes · Security

Wazuh as your SIEM in 2026: what free really costs, and when managed beats both.

Commercial SIEM pricing punishes the thing security needs most: collecting your logs. Wazuh removes the licence and the per-gigabyte meter, and replaces them with a different bill, paid in engineering and attention. Here is what the platform genuinely does, where the money in SIEM really goes, a calculator for your own volumes, and the honest decision between running it yourself, buying commercial, or having it run for you.

Wazuh is a free, open-source security platform that unifies SIEM and XDR: agents on your endpoints collect logs, watch file integrity, assess configurations and detect vulnerabilities, while a central server correlates everything against detection rules and a dashboard turns the result into alerts and compliance evidence. There is no licence fee, no per-gigabyte ingestion charge and no agent limit, which is exactly the cost structure that the commercial SIEM market has made painful. The catch is equally simple: the software being free does not make the capability free, because a SIEM is only as good as its tuning and the people watching it. This note covers what Wazuh does well and where it falls short, what commercial alternatives genuinely cost in 2026, how the platform connects to the NIS2 detection duty we wrote about separately, and a sober way to choose between self-run, commercial, and managed.

What Wazuh is, and where it came from.

Knowing the platform's lineage explains both its strengths and its rough edges, because Wazuh did not start life as a log search engine. It started on the host.

Wazuh began in 2015 as a fork of OSSEC, the venerable host-based intrusion detection system, with the aim of modernising it into a unified security monitoring platform. That heritage shows in the architecture: a lightweight agent installs on each monitored system (Windows, Linux, macOS, containers, cloud workloads) and does far more than forward logs. It watches files for unauthorised changes, inventories installed software and checks it against vulnerability feeds, assesses the host's configuration against hardening benchmarks, hunts for rootkits and anomalies, and can take active responses such as blocking an address when a rule fires. Systems that cannot run an agent (firewalls, switches, appliances) are covered agentlessly over syslog, SSH or APIs, and cloud platforms feed in through their own integrations, including tenant-level sources such as Microsoft 365.

Behind the agents sits the server, which decodes incoming events and runs them through a correlation rule set several thousand rules deep, raising alerts that an indexer stores and a web dashboard visualises. The stack is modular and scales from a single-node install on one Ubuntu box to clustered deployments handling large estates. Development is active and versioned in the open: the 4.14 line shipped in October 2025 and has taken regular point releases into 2026, and the project's repository, rules and roadmap are public. The result is a genuine SIEM with an endpoint-strong personality: where a search-first platform begins with logs and adds endpoint sense later, Wazuh began on the host and grew the log pipeline around it, which is why its file integrity monitoring, configuration assessment and vulnerability detection are the features that veterans of the platform praise first.

What "free" means here, and what it does not.

The licence price of Wazuh is zero. Treating that as the cost of the project is the single most common mistake made with it, in both directions.

What is genuinely free is significant: the full platform, every capability, unlimited agents and unlimited ingestion, under an open-source licence with no tiering that holds the useful parts hostage. There is no meter running on your log volume, which inverts the core economic problem of commercial SIEM, where the price of visibility scales with the amount of it you want. With Wazuh, collecting more telemetry costs you storage and compute, not licence money, and that difference compounds as estates and log volumes grow year over year.

What is not free divides into three bills. The first is infrastructure: servers, storage and bandwidth for the manager, indexer and dashboard, modest for small estates and a real line item at scale, with retention policy as the main driver because keeping months of indexed events is what consumes disk. The second is the build: deploying the stack is straightforward, but turning default rules into a quiet, trustworthy alert stream for your specific environment is weeks of skilled tuning, and skipping it produces the noisy dashboard that gets ignored within a month. The third, and the one that decides most projects, is sustained attention: rules maintained as the environment changes, the stack upgraded, and above all the alerts read by someone able to act on them, at whatever hour the incident actually arrives. The fair summary is that Wazuh converts licence spend into engineering spend. For an organisation that has the engineering, that conversion is heavily favourable. For one that does not, the zero on the licence line just relocates the cost to a place where it is paid in missed alerts instead of invoices.

Two middle options soften the picture without changing its logic. The vendor offers Wazuh Cloud, the same platform run as a hosted, scalable service with a free trial, which removes the infrastructure and upgrade bills while leaving the tuning and the watching with you, and it sells professional support for self-hosted deployments, which converts the community-only safety net into a contract. Both are legitimate ways to buy back specific pieces of the work. Neither buys back the piece that decides outcomes, the sustained attention of someone who knows your environment, which is why the three-way comparison later in this note is framed around operating models rather than products: the question that matters is never which logo is on the stack, but who is awake when it fires.

Where the money in commercial SIEM really goes.

To judge the open-source trade you need the commercial numbers, and in 2026 they are better documented than the vendors would prefer.

Most commercial SIEM pricing is built on ingestion: you pay for every gigabyte of telemetry you send, which means the bill grows with your visibility rather than your headcount or your risk. Microsoft Sentinel is one of the few vendors that publishes numbers, listing pay-as-you-go rates of roughly $2.46 to $5.22 per gigabyte depending on region, with commitment tiers that bring committed volumes down toward $1.10 to $1.23 per gigabyte at the largest sizes and an archive tier for cold data. Splunk does not publish list prices; analyst estimates put its ingestion economics in the $2 to $4 per gigabyte range with annual renewal escalations, and a mature enterprise SOC moving a terabyte a day is benchmarked at several hundred thousand to a few million dollars a year depending on platform and discipline. For the mid-market, the honest middle is $150,000 to $500,000 a year for an organisation ingesting 25 to 100 gigabytes a day, counting licensing, storage and a small analyst team, and the industry's own rule of thumb is that total cost of ownership lands at two to three times the headline licence once staffing and integration are counted.

Two consequences follow from that structure. The first is a perverse incentive the whole industry now openly discusses: when visibility is metered, teams economise on it, filtering and dropping telemetry not because it lacks security value but because it costs too much to look at, and an entire sub-market of pipeline tools exists to shrink SIEM bills by thinning the data before it is priced. The second is that the licence is never the whole bill, because someone still has to watch the platform; the analyst staffing that commercial TCO models price in applies identically to every option, which is the part of the comparison that the licence-versus-free framing hides. The right comparison is therefore not Wazuh-at-zero against Sentinel-at-list. It is three operating models, each with a different mix of licence, infrastructure and people, which is what the calculator below puts side by side.

siem economics 2026 · published and estimated figures
Published and analyst-estimated SIEM cost figures in 2026.

Platform / model          | Pricing basis                            | 2026 figure
Microsoft Sentinel        | Per-GB ingest, PAYG by region            | ~$2.46–$5.22 / GB
Sentinel commitment tiers | Committed daily volume                   | down to ~$1.10–$1.23 / GB
Splunk                    | Ingest / workload, unpublished           | est. ~$2–$4 / GB + escalation
Mid-market all-in         | 25–100 GB/day, licence + storage + team  | ~$150K–$500K / year
TCO rule of thumb         | Staffing + integration on top of licence | 2–3× headline price
Wazuh                     | Open source                              | $0 licence · infra + people

Model the three options for your own volumes.

Set your daily ingest and how you would staff the watching, and compare a commercial per-GB platform, self-run Wazuh, and a managed open-source service. List prices and public benchmarks; negotiated deals and your real salaries will move the bars.

annual cost model · licence + infra + people
Modelled annual cost of the three SIEM operating models.

A model, not a quote. Assumptions: commercial = ingest × rate + 25% platform overhead + your chosen staffing; self-run Wazuh = $0 licence + infrastructure scaled to ingest + one-off tuning amortised + the same staffing; managed = the monthly fee you set, with monitoring included. Analyst cost modelled at ~$140K/FTE fully loaded. Negotiated discounts of 20–40% on commercial list are routine; demand them.

What Wazuh does well.

The platform's strengths cluster around the host, the rules, and the audit trail, and they are the reasons it shows up in regulated environments and MSSP stacks across Europe.

On the endpoint, the agent is the product's spine. File integrity monitoring catches changes to the files and registries that matter, with enough context to tell a patch from a tamper. Security configuration assessment checks each host against hardening benchmarks and reports the drift, which quietly satisfies a slice of every compliance framework at once. Vulnerability detection cross-references the installed software inventory against CVE feeds continuously rather than waiting for a quarterly scan, and the malware and rootkit checks add a behavioural layer beneath the log stream. Active response closes the loop on the host itself: when a rule fires, the agent can block an address, kill a process or run a script, on-device remediation that does not wait for a human to open a ticket.

On the analysis side, the rule engine correlates events across sources in real time, and because the rules are readable text rather than a proprietary black box, you can see precisely why an alert fired and change the logic when it is wrong, which is the property that makes deep tuning possible at all. The compliance machinery is built on the same mechanism: rules carry group tags that map events to PCI DSS, GDPR, HIPAA, NIST 800-53 and SOC 2 trust criteria, and the dashboard ships dedicated modules per framework, so audit evidence accumulates as a side effect of monitoring rather than as a separate project. Around all of it sits the property that money cannot buy in a commercial platform: openness. The code is inspectable, the community is large and active, integrations such as SOAR tooling bolt on through documented interfaces, and nothing about your detection logic or your stored events is hostage to a vendor's pricing decisions. For a security tool, being able to verify what the tooling itself does is not a nicety; it is the same instinct that makes you log everything else.

Where it falls short, said plainly.

An honest recommendation requires the unflattering paragraphs, and Wazuh has earned a few. None is disqualifying; each is a cost the licence price of commercial tools partly pays to avoid.

The tuning burden is the headline. Out of the box, Wazuh is noisy: thousands of generic rules firing against your specific environment produce a wall of low-value alerts, and the work of suppressing the noise, raising the signal and writing the custom rules your estate needs is measured in weeks and never entirely finishes. A commercial platform's curated detections and managed content reduce that burden, which is part of what the subscription buys. Second, scale is engineering: the indexer that stores and searches your events needs genuine capacity planning as volumes climb, and a deployment that was comfortable at ten gigabytes a day needs architectural attention well before a hundred. Third, orchestration is thin: active response covers on-host actions, but the deeper playbook automation that the SOAR category provides means integrating an external tool, with Shuffle being the common open-source pairing, rather than finding it built in.

There are softer edges too. The investigation experience, pivoting through an incident, hunting across history, is serviceable rather than slick, and analysts arriving from the polished commercial consoles feel the difference. Support is the community unless you purchase it from the vendor, which is fine until the night it is not. And one specific gap matters for this site's readers: despite the platform's own writing on the subject, there is no dedicated NIS2 compliance module the way there is for PCI DSS or GDPR, a gap users have formally requested, so mapping Wazuh's evidence to the directive's measures is configuration work you or your provider must do deliberately. The pattern across all of these is consistent: the platform supplies the capability and leaves the operating discipline to you, which is exactly the deal the price tag advertises.

The NIS2 connection: paying off the detection problem.

We argued in our NIS2 note that the directive is a detection problem before it is a paperwork problem. This is where that argument lands on concrete tooling.

Recall the shape of the obligation. NIS2's Article 21 requires, among its ten measures, incident handling, logging, monitoring, business continuity and policies that verify your controls work; Article 23 starts a clock at the moment you become aware of a significant incident, with an early warning due to your authority within 24 hours and a fuller notification at 72. Every one of those duties silently assumes a capability: telemetry collected from the systems that matter, rules that turn raw events into a recognised incident, and a record complete enough to characterise severity under time pressure. That capability is precisely what a SIEM is, and for the tens of thousands of newly covered entities doing this maths for the first time, the question is not whether to have one but how to afford one, which is how a directive about critical infrastructure became, in practice, a SIEM procurement wave.

Wazuh fits that wave unusually well, and European practice shows it: managed providers across the region have built NIS2-oriented services on it, citing the data-sovereignty argument, customer telemetry staying on infrastructure the customer can point to, alongside the absence of per-gigabyte pricing that would otherwise punish the very logging the directive demands. The platform's file integrity monitoring, configuration assessment, log collection and alerting map naturally onto the technical measures, and its evidence trail feeds the reporting duties. Two honest caveats keep the claim accurate. The mapping to NIS2 is yours to build, because no dedicated module ships for it, and a tool cannot perform governance: registration with your authority, supply-chain management, board accountability and the response process around the alerts are organisational work no software provides. Wazuh can be the detection layer NIS2 assumes. It becomes that layer only when tuned, mapped and watched, which is the difference between owning a smoke detector and having one with a battery in it, mounted where the fire would start.

Self-run, commercial, or managed: an honest decision frame.

Strip away the vendor noise and the choice reduces to two scarce resources, engineering time and budget, and how much of each you genuinely have.

Self-run Wazuh is the right answer when you have security-minded engineers with real time to give it. The profile is recognisable: a technical organisation, often already running its own infrastructure, where someone can own the deployment, write the rules, and fold alert review into an on-call rotation that exists anyway. For that organisation, Wazuh is close to strictly dominant below enterprise scale: the capability of a commercial platform's core, none of the metered pricing, full control over data and logic. The failure mode is equally recognisable: the same organisation eighteen months later, after the engineer who built it left, with an untuned dashboard nobody reads, paying nothing and getting it.

The commercial route earns its price in specific circumstances: a large SOC with analysts who live in the console all day and extract value from the advanced analytics and investigation depth; an estate so Microsoft-centric that Sentinel's free ingestion of Microsoft 365 and Defender telemetry rewrites the economics; or a compliance environment that demands vendor SLAs and certified support. What the commercial route never removes is the staffing: the platform still needs watchers, and the TCO models that put true cost at a multiple of licence are counting exactly that. The managed open-source route is the answer for the organisation in between, which is most of them: real obligations, no spare engineers, and a budget that the commercial bill would strain. A provider runs a dedicated Wazuh stack per customer, tunes it to the environment, watches it around the clock, and escalates what matters; the customer gets the capability at a fraction of in-house 24/7 staffing, keeps the open platform and the data, and retains the exit that open source uniquely preserves, because a Wazuh stack can be taken in-house or handed to another operator without rebuilding the detection layer from nothing. That reversibility deserves more weight than it gets in procurement: every other path in this market deepens a dependency, and this one is the only model where the provider has to keep earning the contract.

choosing the operating model
Decision frame for self-run, commercial and managed SIEM.

Your situation                         | Honest fit             | Why
Engineers with time, technical culture | Self-run Wazuh         | Cheapest serious option
Large SOC, analytics-heavy, MS-centric | Commercial platform    | Depth and SLAs are worth it
Real obligations, no spare engineers   | Managed Wazuh          | Capability without the staffing
NIS2-covered, building from zero       | Managed, then reassess | Fastest route to watched detection

The sovereignty argument, which is not decoration.

Security telemetry is among the most sensitive data an organisation produces, and where it sits is a question European buyers have learned to ask first.

A SIEM ingests the confessions of your whole estate: who logged in from where, what failed, what changed, which systems are vulnerable and how your detection logic works. Hand that stream to a hyperscale platform and it lives on infrastructure governed by the provider's jurisdiction, reachable by whatever legal process applies there, an arrangement that sits uneasily with the sovereignty posture European regulation keeps pushing toward. The open-source route changes the geometry: a Wazuh stack runs wherever you decide, on your premises, in an EU data centre, on a provider's infrastructure you can name and visit, and the European MSSPs that built their services on it lead with exactly this point, keeping data sovereignty fully with the customer, often with a dedicated instance per client so that no two customers' telemetry shares a tenancy. For organisations inside NIS2's perimeter, or handling personal data at GDPR's standards, that geometry is not a preference; it is the same architecture-first reading of compliance that runs through our compliance and sovereignty work and our reading of the AI Act: the document means little if the infrastructure contradicts it.

Running it properly: what the work looks like.

For the organisation that chooses Wazuh, in either the self-run or managed form, here is the shape of doing it well, from the side of people who operate it.

The build starts with sizing and scope rather than installation. Decide which sources matter first (identity and authentication logs, endpoint agents on the systems an incident would touch, firewall and VPN, cloud control planes) and size the indexer for the retention you genuinely need, because storage is the cost that compounds and ingest beyond your tuning capacity is noise you pay to keep. Deploy the stack, enrol the agents, and then begin the work that decides everything: tuning. Suppress the rules that will never matter in your environment, raise the severity of the ones that would, and write the custom rules your specific risks demand: the login from a country you do not operate in, the change to the file that should never change, the service account behaving like a person. Tuning is iterative and never quite finishes, because the environment keeps changing under it; the steady state is a weekly cadence of reviewing what fired, what should have fired, and what fired for nothing.
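The three tuning moves above (silence a rule that will never matter, escalate the one that would, add the custom rule your risk demands) are, in Wazuh, entries in local_rules.xml, and the most common way to break a manager is a rule file it refuses to load. The block below is an added example, not Wazuh project code: it embeds a constructed local_rules.xml showing each move and a small checker to run before restarting the manager. Stock rule ids 5710 (sshd: non-existent user), 550 (integrity checksum changed) and 5715 (sshd: authentication success) are from the shipped ruleset; the hostname, the sudoers path and the svc- account prefix are assumptions made for the example.

```python
"""Lint a Wazuh local_rules.xml before the manager loads it (added example, not Wazuh code)."""
import xml.etree.ElementTree as ET

CUSTOM_MIN, CUSTOM_MAX = 100000, 120000   # id range Wazuh reserves for local rules
MAX_LEVEL = 16                            # rule levels run 0 (ignored) to 16

# Constructed local_rules.xml showing the three tuning moves: silence, escalate, add.
LOCAL_RULES = """\
<group name="local,">
  <!-- Silence: user-enumeration noise against the bastion. Level 0 means the event
       is never raised as an alert; stock rule 5710 keeps firing on every other host. -->
  <rule id="100001" level="0">
    <if_sid>5710</if_sid>
    <hostname>bastion-01</hostname>
    <description>Tuned out: sshd non-existent-user attempts on the bastion</description>
  </rule>

  <!-- Escalate: stock 550 is level 7 for any checksum change; for sudoers it is an incident. -->
  <rule id="100002" level="12">
    <if_sid>550</if_sid>
    <field name="file">^/etc/sudoers$</field>
    <description>sudoers modified on $(hostname)</description>
  </rule>

  <!-- Add: a service account logging in interactively is a person using its credentials. -->
  <rule id="100003" level="10">
    <if_sid>5715</if_sid>
    <user>^svc-</user>
    <description>Interactive SSH login by service account $(dstuser)</description>
  </rule>
</group>
"""

# Constructed file with the two mistakes that stop a manager from starting.
BAD_RULES = """\
<group name="local,">
  <!-- Reusing a stock id without overwrite="yes" is a duplicate id, not an override. -->
  <rule id="5710" level="0">
    <if_sid>5710</if_sid>
    <description>Broken attempt to silence sshd user enumeration</description>
  </rule>
  <rule id="100001" level="3">
    <if_sid>5715</if_sid>
    <description>first use of 100001</description>
  </rule>
  <rule id="100001" level="5">
    <if_sid>5715</if_sid>
    <description>second use of 100001</description>
  </rule>
</group>
"""


def lint_rules(xml_text: str) -> list[str]:
    """Return findings; an empty list means the file should load. A real local_rules.xml
    may hold several top-level <group> elements, so it is wrapped in a synthetic root."""
    root = ET.fromstring(f"<root>{xml_text}</root>")
    findings, seen = [], set()
    for rule in root.iter("rule"):
        raw = rule.get("id", "")
        if not raw.isdigit():
            findings.append(f"rule with non-numeric id {raw!r}")
            continue
        rid = int(raw)
        if rid in seen:
            findings.append(f"rule {rid}: duplicate id, the manager rejects the ruleset")
        seen.add(rid)
        if not CUSTOM_MIN <= rid <= CUSTOM_MAX and rule.get("overwrite", "no").lower() != "yes":
            findings.append(f"rule {rid}: id outside {CUSTOM_MIN}-{CUSTOM_MAX}; "
                            f'add overwrite="yes" to replace a stock rule')
        level = rule.get("level", "")
        if not level.isdigit() or not 0 <= int(level) <= MAX_LEVEL:
            findings.append(f"rule {rid}: level must be 0-{MAX_LEVEL}")
        if rule.find("description") is None:
            findings.append(f"rule {rid}: missing <description>")
        for ref in rule.findtext("if_sid", "").split(","):
            ref = ref.strip()
            if ref.isdigit() and CUSTOM_MIN <= int(ref) <= CUSTOM_MAX and int(ref) not in seen:
                findings.append(f"rule {rid}: if_sid {ref} refers to a local rule not defined above it")
    return findings


def silenced_stock_rules(xml_text: str) -> set[int]:
    """Stock rule ids that a level-0 local rule sits on: the 'what have we muted' list for the weekly review."""
    root = ET.fromstring(f"<root>{xml_text}</root>")
    muted = set()
    for rule in root.iter("rule"):
        if rule.get("level") == "0":
            for ref in rule.findtext("if_sid", "").split(","):
                if ref.strip().isdigit() and int(ref) < CUSTOM_MIN:
                    muted.add(int(ref))
    return muted


if __name__ == "__main__":
    for name, text in (("LOCAL_RULES", LOCAL_RULES), ("BAD_RULES", BAD_RULES)):
        findings = lint_rules(text)
        print(f"{name}: {'ok' if not findings else 'problems'}")
        for f in findings:
            print("  -", f)
    print("stock rules silenced:", sorted(silenced_stock_rules(LOCAL_RULES)))
```

Run it against the rules directory before every manager restart; the muted-rule list is worth reading aloud at the weekly review, because a silence that made sense for one host has a habit of being widened until it hides the thing it was never meant to hide.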

Then comes the part that no architecture diagram shows: the watching. Alerts that nobody reads are a liability dressed as a control, and the 24-hour clocks in modern regulation have turned that from a proverb into a compliance fact. Decide honestly who reads the stream and when, what severity wakes someone, and what the escalation path is from alert to action, and write it down so it survives the person who built it. Pair the platform with response muscle, whether that is an integrated SOAR for the mechanical steps or simply a rehearsed runbook for the human ones. And revisit the stack itself on a schedule: upgrades applied, rules updated against the current threat picture, storage and performance reviewed before they become incidents of their own. None of this is exotic, and all of it is the difference between owning Wazuh and being protected by it. It is also, candidly, the work most organisations underestimate, which is why the managed model exists and why we built ours the way we did: dedicated stack per customer on EU infrastructure, rules tuned to the environment, humans watching around the clock, and reporting mapped to the frameworks the customer answers to.

There is also a way to know whether any of this is working, and it is worth measuring from the first month. A healthy SIEM shows up in a handful of numbers. The share of alerts that turn out to be worth a human's time should climb steadily as tuning matures; a stream where nine in ten alerts are noise is a stream that trains people to stop reading. The time from an event occurring to an alert being raised, and from the alert to a person acknowledging it, are the two intervals that the 24-hour regulatory clocks silently depend on, and both are measurable from the platform's own records. Coverage deserves a number too: the proportion of your estate with an agent enrolled and reporting, and the list of log sources that have gone quiet, because a source that stopped sending is invisible in exactly the way an attacker would arrange. And once a quarter, test the whole chain deliberately, generate a benign event that should fire a rule, and time how long it takes for a human to react. If the answer is hours, you have learned something cheaply that an incident would have taught expensively. These metrics are unglamorous, and they are the difference between believing the SIEM works and knowing it does.
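The four numbers above can be pulled from the manager's own records with very little code. The block below is an added example, not Wazuh code: it computes noise share, detection and acknowledgement latency, and agent coverage from constructed alerts.json lines and a constructed triage export. Wazuh alerts.json really carries `timestamp`, `rule.id`, `rule.level` and `agent.name`; the `data.event_time` field is an assumption standing in for whatever your decoder extracts as the event's own time, the `id` values are simplified, and the acknowledgement log is the kind of export a ticketing system produces. Coverage here uses last alert time as a proxy for "reporting"; on a live manager take agent status from the agents API instead.

```python
"""SIEM health numbers from Wazuh alerts.json plus a triage export (added example, not Wazuh code)."""
import json
import statistics
from datetime import datetime, timedelta, timezone

TS = "%Y-%m-%dT%H:%M:%S.%f%z"   # alerts.json timestamp shape, e.g. 2026-02-03T10:15:00.000+0000

# Constructed alerts.json lines. data.event_time is an assumed decoder field (see lead-in).
ALERTS_JSONL = """\
{"id":"a1","timestamp":"2026-02-03T10:15:00.000+0000","rule":{"id":"5710","level":5,"description":"sshd: Attempt to login using a non-existent user"},"agent":{"name":"web-01"},"data":{"event_time":"2026-02-03T10:14:55.000+0000"}}
{"id":"a2","timestamp":"2026-02-03T10:16:00.000+0000","rule":{"id":"100002","level":12,"description":"sudoers modified"},"agent":{"name":"db-01"},"data":{"event_time":"2026-02-03T10:15:50.000+0000"}}
{"id":"a3","timestamp":"2026-02-03T10:30:00.000+0000","rule":{"id":"5712","level":10,"description":"sshd: brute force trying to get access to the system"},"agent":{"name":"web-01"},"data":{"event_time":"2026-02-03T10:29:30.000+0000"}}
{"id":"a4","timestamp":"2026-02-03T11:00:00.000+0000","rule":{"id":"5715","level":3,"description":"sshd: authentication success"},"agent":{"name":"web-01"},"data":{"event_time":"2026-02-03T10:59:58.000+0000"}}
{"id":"a5","timestamp":"2026-02-01T09:00:00.000+0000","rule":{"id":"5710","level":5,"description":"sshd: Attempt to login using a non-existent user"},"agent":{"name":"vpn-gw"},"data":{"event_time":"2026-02-01T08:59:55.000+0000"}}
{"id":"a6","timestamp":"2026-02-03T11:30:00.000+0000","rule":{"id":"550","level":7,"description":"Integrity checksum changed"},"agent":{"name":"db-01"},"data":{"event_time":"2026-02-03T11:29:40.000+0000"}}
"""

# Constructed triage export: alert id, when a human took it, what they decided. a4 was never looked at.
ACK_LOG = [
    ("a1", "2026-02-03T10:20:00.000+0000", "noise"),
    ("a2", "2026-02-03T10:25:00.000+0000", "actioned"),
    ("a3", "2026-02-03T10:45:00.000+0000", "actioned"),
    ("a5", "2026-02-01T09:30:00.000+0000", "noise"),
    ("a6", "2026-02-03T11:35:00.000+0000", "noise"),
]
EXPECTED_AGENTS = {"web-01", "db-01", "vpn-gw", "bastion-01"}   # constructed enrolment list
NOW = datetime(2026, 2, 3, 12, 0, tzinfo=timezone.utc)          # fixed "now" so the example is repeatable


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, TS)


def load_alerts(jsonl: str) -> list[dict]:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def triage_summary(alerts: list[dict], acks: list[tuple]) -> dict:
    """Share of reviewed alerts a human judged worth acting on, plus the unreviewed backlog."""
    decision = {aid: d for aid, _, d in acks}
    reviewed = [a for a in alerts if a["id"] in decision]
    actionable = sum(1 for a in reviewed if decision[a["id"]] == "actioned")
    return {
        "total": len(alerts),
        "reviewed": len(reviewed),
        "unreviewed": len(alerts) - len(reviewed),
        "actionable": actionable,
        "noise": len(reviewed) - actionable,
        "signal_ratio": round(actionable / len(reviewed), 2) if reviewed else 0.0,
    }


def latencies(alerts: list[dict], acks: list[tuple]) -> dict:
    """Median seconds from event to alert (detection) and from alert to a human (acknowledgement)."""
    acked_at = {aid: parse_ts(t) for aid, t, _ in acks}
    detect = [(parse_ts(a["timestamp"]) - parse_ts(a["data"]["event_time"])).total_seconds()
              for a in alerts]
    ack = [(acked_at[a["id"]] - parse_ts(a["timestamp"])).total_seconds()
           for a in alerts if a["id"] in acked_at]
    return {"detect_median_s": statistics.median(detect) if detect else None,
            "ack_median_s": statistics.median(ack) if ack else None}


def coverage(alerts: list[dict], expected: set[str], now: datetime,
             quiet_after: timedelta = timedelta(hours=6)) -> dict:
    """Agents reporting, agents gone quiet, and enrolled agents never seen at all."""
    last_seen: dict[str, datetime] = {}
    for a in alerts:
        name, t = a["agent"]["name"], parse_ts(a["timestamp"])
        if name not in last_seen or t > last_seen[name]:
            last_seen[name] = t
    return {
        "reporting": sorted(n for n, t in last_seen.items() if now - t <= quiet_after),
        "quiet": sorted(n for n, t in last_seen.items() if now - t > quiet_after),
        "never_seen": sorted(expected - set(last_seen)),
    }


if __name__ == "__main__":
    alerts = load_alerts(ALERTS_JSONL)
    print("triage:  ", triage_summary(alerts, ACK_LOG))
    print("latency: ", latencies(alerts, ACK_LOG))
    print("coverage:", coverage(alerts, EXPECTED_AGENTS, NOW))
```

The quiet list is the one to act on first: a source that has stopped sending looks identical to a source with nothing to report, and only the expected-agents list tells the two apart. The quarterly end-to-end test the text describes shows up here as one more constructed alert whose acknowledgement latency you already know the target for.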

That discipline of measurement is what turns an installed SIEM into the detection capability NIS2 quietly assumes every covered entity already has. Where it helps to have the stack built, tuned, watched and measured by people who do it for a living, that is the work our managed security practice exists to do.

Questions organisations are asking in 2026.

What is Wazuh, in one paragraph?
Wazuh is a free, open-source security platform that combines SIEM and XDR in a single agent-and-server architecture. Agents on your endpoints collect logs, watch file integrity, assess configurations and detect vulnerabilities; the server correlates everything against a rule set and raises alerts; an indexer and dashboard store and visualise them. It began as a fork of OSSEC in 2015 and has grown into one of the most widely deployed open-source security tools, with the 4.14 line current through early 2026.
Is Wazuh really free?
The software is, with no licence cost, no per-GB ingestion fee and no agent count limit. What is not free is everything around it: the servers and storage it runs on, the weeks of tuning that turn default rules into useful alerts, and above all the people who watch it. The realistic framing is that Wazuh moves your spending from licences to engineering, which is a good trade for some organisations and a poor one for others.
Is Wazuh a real SIEM or just an endpoint tool?
It is a real SIEM with an endpoint-strong heritage. It collects and correlates logs from agents and from agentless sources such as firewalls and cloud APIs, applies detection rules, and provides dashboards, alerting and compliance reporting. Its file integrity monitoring, configuration assessment and vulnerability detection come from its host-based roots and remain among its strongest features. Where it trails the commercial leaders is in analytics depth, built-in orchestration and the polish of the investigation experience.
How much does a commercial SIEM cost in 2026?
The honest middle for a mid-market organisation ingesting 25 to 100 GB a day is roughly $150,000 to $500,000 a year all-in, counting licensing, storage and a small analyst capability. Microsoft Sentinel publishes pay-as-you-go rates around $2.46 to $5.22 per GB depending on region, with commitment tiers bringing large volumes down toward $1.10 to $1.23 per GB. Splunk does not publish list prices; analyst estimates put ingestion in the $2 to $4 per GB range, with enterprise deployments commonly landing in the high six figures. Total cost of ownership reliably runs two to three times the headline licence once staffing and integration are counted.
What does running Wazuh yourself really cost?
Budget three things: infrastructure, tuning and people. Infrastructure for a small-to-mid deployment is modest, a few hundred euros a month of servers and storage. The initial deployment and tuning is weeks of skilled work, because default rules generate noise until they are shaped to your environment. The recurring cost is attention: someone has to read the alerts, maintain the rules, upgrade the stack and respond when something fires at 03:00. If you cannot staff that attention, the software being free does not make the project cheap; it makes it incomplete.
Does Wazuh help with NIS2 compliance?
It covers a meaningful part of the technical baseline. NIS2's Article 21 measures include incident handling, logging, monitoring and policies to verify your controls work, and its Article 23 clock requires detecting a significant incident fast enough to warn your authority within 24 hours. Wazuh provides the detection, log collection, file integrity and configuration assessment that those duties assume. What it does not do is make you compliant by existing: NIS2 also demands governance, registration, supply-chain management and board accountability that no tool provides, and Wazuh ships compliance dashboards for PCI DSS, GDPR, HIPAA, NIST 800-53 and SOC 2 criteria but no dedicated NIS2 module, so mapping to the directive is configuration work.
Can Wazuh replace Splunk or Microsoft Sentinel?
For many mid-sized environments, yes, functionally: log collection, correlation, alerting, compliance reporting and endpoint telemetry are all there without the ingestion bill. For a large SOC built around advanced analytics, machine-learning detections, deep investigation tooling and vendor-backed SLAs, the commercial platforms still offer things Wazuh does not, and the migration cost is real. The truthful comparison is not feature-by-feature but operating-model-by-operating-model: Wazuh trades licence spend for engineering effort, and whether that trade wins depends on whether you have, or hire, the engineering.
What are Wazuh's honest weaknesses?
Tuning burden is the big one: out of the box it is noisy, and turning it into a quiet, trustworthy alert stream takes sustained work. Scaling the indexer for high ingest volumes needs real capacity planning. There is no deep built-in SOAR, so automated response beyond its active-response scripts means integrating an external tool. The investigation workflow is serviceable rather than slick, and support is community unless you buy it. None of these is disqualifying; all of them are work that the licence price of commercial tools partly pays to avoid.
What is Wazuh Cloud, and does it change the calculus?
Wazuh Cloud is the vendor's hosted offering: the same platform run for you as a managed, scalable service, with a free trial. It removes the infrastructure and upgrade burden while keeping the platform's openness, and it is a reasonable middle path for teams that want Wazuh without owning servers. It does not remove the tuning and watching, and for European organisations the usual questions apply to any hosted service: where the data sits, who can reach it, and whether that placement fits your sovereignty requirements.
How many people does it take to watch a SIEM properly?
Around-the-clock coverage in-house is the number that surprises people: covering 24/7 with employed analysts takes several people once shifts, holidays and turnover are counted, which is why a serious in-house SOC starts at multiple six figures a year in salary before any software. This is the arithmetic that makes managed detection economically rational for most organisations below enterprise size: one provider's team watches many environments, and each customer buys a slice of a capability none of them could staff alone.
What is a managed Wazuh service?
A provider deploys and operates Wazuh for you: sizing and building the stack, writing and tuning the detection rules for your environment, watching the alerts around the clock, and escalating to you when something real happens, with the platform itself remaining open source and your data remaining yours. European MSSPs have built exactly this model on Wazuh, often with a dedicated instance per customer for data separation, because it pairs the economics of open source with the sovereignty argument: nothing about your security telemetry has to leave infrastructure you can point to.
Self-run, managed, or commercial — how do I choose?
Three questions settle most cases. Do you have engineers with time and skill to deploy, tune and maintain a security stack? If yes, self-run Wazuh is the cheapest serious option. If no, can your budget carry a commercial platform's ingestion pricing plus the people to watch it? If yes, the commercial route buys polish and support. If neither, a managed open-source service is usually the honest answer: lower cost than commercial licensing, none of the staffing problem, and no vendor lock-in on the platform itself.
Does Wazuh lock me in?
Less than almost anything else in the category. The platform is open source, the rules are readable text, the data is in an open indexer, and if you leave a managed provider you can take the whole stack and run it yourself or hand it to another operator. Compare that with leaving a commercial SIEM, where the detections, dashboards and stored data are all expressed in a proprietary system and the exit cost is a migration project. Reversibility is one of the quiet, underpriced arguments for the open-source route.
What data should I send to a SIEM first?
Start with the sources that answer the questions an incident asks: authentication logs from your identity provider and servers, endpoint telemetry from the Wazuh agents, firewall and VPN logs, and the audit trails of your cloud control planes. Resist the instinct to ship everything on day one; in per-GB-priced platforms that instinct is expensive, and in Wazuh it buries the signal in volume you have not tuned for. Grow the sources as the rules mature.
How does Wazuh handle compliance reporting?
Through rule tagging and dedicated dashboards. Detection rules carry group tags that map events to PCI DSS, GDPR, HIPAA, NIST 800-53 and SOC 2 trust criteria, and the dashboard ships modules that filter and report by each standard, which gives auditors evidence with little extra work. For frameworks without a built-in module, NIS2 among them, the same mechanism works but you do the mapping: tag the rules to the measures, build the views, and the evidence follows.
Is open source safe enough for security tooling?
The transparency argument runs in its favour: the code is inspectable, the detection logic is readable rather than a black box, and a global community finds and fixes issues in the open. Thousands of organisations, including regulated ones, run Wazuh in production, and several European providers build managed security businesses on it precisely because customers can verify what the tooling does. The risk to manage is not the openness; it is running any security platform, open or commercial, without the attention it needs.
Can Wazuh do the 24-hour NIS2 incident detection?
It can provide the detection layer the deadline assumes, with two conditions. The rules have to be tuned so a significant incident produces a clear alert rather than drowning in noise, and someone has to be watching when it fires, because the Article 23 clock starts when you become aware and an unwatched dashboard makes you aware of nothing. Tool plus tuning plus eyes is the unit of capability; the tool alone satisfies a procurement checklist, not the directive.
What does Argus Root's managed Wazuh look like?
A dedicated Wazuh stack per customer on EU infrastructure, sized and built for your volumes; detection rules written and tuned to your environment rather than left at defaults; around-the-clock monitoring with a defined escalation path; and reporting mapped to the frameworks you answer to, NIS2 included. The platform stays open source and the data stays yours, on infrastructure you can point to, which is the arrangement we would want if we were the customer.
Managed security

The platform is free. The protection is the watching.

We build and run dedicated Wazuh stacks on EU infrastructure: sized for your volumes, tuned to your environment, watched around the clock, and mapped to the frameworks you answer to, NIS2 included. You get commercial-grade detection without the per-gigabyte meter or the four-person night shift, on an open platform you could take in-house tomorrow, which is precisely why we have to keep earning it.

Open platform, no lock-in · Your data on EU infrastructure · Tuned, watched, escalated