
Overview
Threats are increasing in volume and sophistication at a staggering pace. Real-time monitoring and visibility are required to detect threats like ransomware, insider threats, and cloud attacks before they cause disruption.
IBM Security® QRadar® Suite is a modernized threat detection and response solution designed to unify the security analyst experience and accelerate their speed across the full incident lifecycle. The portfolio is embedded with enterprise-grade AI and automation to dramatically increase analyst productivity, helping resource-strained security teams work more effectively across core technologies.
IBM Security QRadar SIEM (Classic): Market-leading Security Information and Event Management (SIEM) solution enables you to run your business in the cloud and on premises with visibility and security analytics built to rapidly investigate and prioritize critical threats.
IBM Security QRadar SOAR: Recent winner of a Red Dot Design Award for interface and user experience, QRadar SOAR helps organizations automate and orchestrate incident response workflows and ensure their specific processes are followed in a consistent, optimized and measurable way.
For more information, visit https://www.ibm.com/qradarÂ
For customized QRadar SIEM (Classic) / QRadar SOAR pricing or if you are interested in additional product capabilities such as Threat Intelligence, Data Explorer, or EDR - contact your IBM Sales Representative or email us at SecurityOrdersAWS@wwpdl.vnet.ibm.com .
Highlights
- Find the right size for your solution and estimate your IBM QRadar SIEM (Classic Software) price: https://www.ibm.com/qradar/security-qradar-siem/pricing?mpid=aws
- Gain centralized visibility across AWS and hybrid cloud environments via a single pane of glass. Leverage deep integrations with AWS security services including AWS Security Hub, CloudTrail, GuardDuty, Network Firewall, WAF, Amazon Detective, CloudWatch, VPC Flow Logs and more.
- Correlate data across users, networks, and AWS native services to gain deep insights into key threats including cloud misconfigurations, policy changes and suspicious user activity. Connect related events to ensure teams only receive a single alert for an incident.
Details
Unlock automation with AI agent solutions

Features and programs
Buyer guide

Financing for AWS Marketplace purchases
Pricing
Dimension | Description | Cost/12 months |
---|---|---|
QRadar SIEM | 500 Events Per Second, 10000 Flows Per Minute | $12,074.40 |
QRadar SOAR | 2 Authorized Users | $22,704.00 |
Vendor refund policy
All orders are non-cancellable and all fees and other amounts that you pay are non-refundable. If you have purchased a multi-year subscription, you agree to pay the annual fees due for each year of the multi-year subscription term.
How can we make this page better?
Legal
Vendor terms and conditions
Content disclaimer
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Support
Vendor support
For Sales Inquiries Contact: SecurityOrdersAWS@wwpdl.vnet.ibm.com To contact IBM Security QRadar Suite Software support:
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

Standard contract
Customer reviews
Has supported threat monitoring and data collection but needs to improve usability and feature growth
What is our primary use case?
We use IBM Security QRadar to monitor, and it's our main source of information. It's our main SIEM platform for our SOC, and we've collected everything on that platform.
We don't use IBM Security QRadar 's Risk Manager; mainly, it was our main tool to collect information and conduct some analytics on logs and events. That's the primary use case we've been utilizing.
What is most valuable?
The best features of IBM Security QRadar are that it's pervasive. You can have IBM Security QRadar in the dust quite easily, and almost everybody knows the platform. Almost nobody's going to say you bought the wrong SIEMÂ if you buy IBM Security QRadar.
The integration of third-party technologies with IBM Security QRadar is one of the high points they have. They integrate with almost anybody, anywhere. There's an integrator tool for almost anything. Everybody talks with IBM Security QRadar because they were the SIEM name of the game, at least in this country. So the integration part is one of their key advantages.
Long ago, IBM Security QRadar enabled us to have some analytics pre-thought for us. When we started with our SOC, we used some log collectors and other tools, and IBM Security QRadar gave us the advantage of having some analytics pre-considered for us. However, that was long ago. It has become just a log and events collector and our main repository of security events.
What needs improvement?
As far as reliability, security, and how it operates, I think it's because they hit first on the market, and then they built upon that, our name alongside the IBM name. Those are the reasons. It's quite awkward to use the platform; it's not intuitive, the learning curve is quite deep, and I really don't understand why it was so pervasive. However, if you have to sell managed security services to some people that use a SIEM, more than half the time you end up with an IBM Security QRadar platform on the other side. The other half you end up with WSO2, at least in Latin America.
I haven't tried IBM Security QRadar's AI and machine learning capabilities for threat detection and response fully enough to evaluate them yet.
We've been building our SOARÂ capabilities with other tools, and we haven't used IBM Security QRadar's Analytics Engine for automating SOC tasks.
We are not using it as we used to, and I think that advantage is fading out, particularly after the selling of the product to Palo Alto. We are considering some roadmaps to get out of IBM Security QRadar right now; that's the truth.
For how long have I used the solution?
We have been using IBM Security QRadar since pre-pandemic; I think maybe 10 to 12 years right now.
How are customer service and support?
I find IBM support to be nice. However, as a former IBMer, I may have had some advantages in getting support because I had some contacts. The support information is correct; you get to the information and access the technical documents you need because the information is there, and they used to care about their product. I don't know how it's going to be once the program is fully under Palo Alto's management.
For the support team, I would rate IBM support an eight, a solid eight. With the support we used to have within IBM, it was good.
How would you rate customer service and support?
Positive
How was the initial setup?
Setting up IBM Security QRadar is difficult; it has a deep learning curve for the analysts, and there are several hurdles to handle to get IBM Security QRadar running on your infrastructures. On the other hand, once you connect the dots, they keep sending the information, and you can continue getting those events.
What's my experience with pricing, setup cost, and licensing?
The pricing, setup cost, or licensing with IBM Security QRadar was costly. It was costly mainly for the things we used to use it for. The customers used to pay the price, but it was one of the problems to onboard some people with IBM Security QRadar. It was costly mainly because of the value you can get right now compared to other solutions.
What other advice do I have?
We are thinking about moving outside of IBM Security QRadar ecosystem due to cost and the belief that some functionalities of new SIEM platforms are surpassing IBM Security QRadar. We think they are not keeping pace with SIEM, which makes it harder for them to differentiate their product or compete against others that are cheaper and easier to deploy.
If you had asked me this question five or seven years ago, I would have given it a solid 10, maybe a nine, but today I believe they are losing track of that. The overall rating for IBM Security QRadar is seven out of ten.
We were partners when they were under IBM. We've been in an IBM program of MSSPÂ for Latin America, so we were partners of IBM Security QRadar when it was within IBM. However, with the selling to Palo Alto this year, we lost that partnership and are now just customers of a reseller.
We operate the platform for our customers. We don't have IBM Security QRadar for our own use.
User-friendly interface facilitates quick adaptation and effective threat response
What is our primary use case?
For incident investigating, IBM Security QRadar is used for logs and management. We get all the traffic from there, which gets logged in our system, and then we investigate it.
What is most valuable?
There are many things I appreciate about IBM Security QRadar . I haven't used any other SIEM before IBM Security QRadar, so for me, it is perfect. Sometimes it takes time to load queries, but other than that, it performs excellently.
I would assess IBM Security QRadar's AI and machine learning capabilities as very helpful for threat detection and response. You have to fine-tune it sometimes with your own investigation, as sometimes they give false alerts about our system.
You have to put your own exceptions inside it, and then they won't give you another ticket about those false incidents.
What needs improvement?
Sometimes it takes time to load queries, but other than that, it performs excellently.
For how long have I used the solution?
Personally, I have been using IBM Security QRadar for four months, but my company has been using it for three years.
How are customer service and support?
I would rate their support an 8.5 with IBM. The support is really good; for instance, if a critical ticket is submitted, you will get paged right away as it gets logged, and their analyst will look into it, letting you know as soon as possible so you can work on it. If there is something bad going on or something faulty with IBM Security QRadar, when you reach out to them, they reply in 10 to 20 minutes.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I haven't used any other SIEMÂ before IBM Security QRadar.
What other advice do I have?
I deal with products such as IBM or Elastic solutions. I have experience with IBM Security QRadar, but not with Elastic; however, we are trying to get into Elastic.
We use many different cloud providers as our main cloud provider. AWS is one of those. We did not purchase the IBM Security QRadar product through AWS Marketplace ; that's handled by our IT team.
I work in a dealership industry, specifically in home hardware. It is easy to use; I wasn't familiar with it, but after getting one-on-one training with my senior, I was able to use it very efficiently and learned it quickly.
We use IBM Security QRadar's Risk Manager, but I don't use it directly as it's related to my senior. I investigate it, but those procedures are based on my senior's decisions. I have not used IBM Security QRadar's analytics engine for automating SOC tasks.
The integration of third-party technologies with IBM Security QRadar's open architecture is good; it integrates with other solutions efficiently. I have used it with many different platforms such as SentinelOne and ExtraHop, and it integrates effectively.
My company are customers with IBM. The overall rating for IBM Security QRadar is 9 out of 10.
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Reliable installation and diverse use cases provide strong value
What is our primary use case?
Most of the use cases are based on MITRE ATT&CK, such as phishing email, DDoS attack, privilege escalation, all MITRE ATT&CKs with scanning the environments, using suspicious activity internal to our network. We have thousands of use cases covering different domains at network levels.
We have use cases covering security controls and firewalls. We also have use cases that cover Active Directory, server events, and Citrix. Because we are working in a telecom company, we are covering 5G and 4G logs.
What is most valuable?
The aggregations are valuable when creating use cases with aggregations, which is beneficial for us.
For automation, we are using multi-platform solutions. We have FortiSOAR and IBM Resilient for IBM Security QRadar orchestration. We integrate with both IBM Security QRadar and ArcSight, as we are working with customers who use both systems.
What needs improvement?
IBM Security QRadar has some areas for improvement. We have missed some DSM components. We need to customize logs where there is no DSM or connector for certain products.
We can integrate but we have missed the DSM, which is the connector to pass logs coming from different applications. For example, with a university customer, we tried onboarding Canvas service. IBM Security QRadar does not support Canvas, so we had to create custom scripts and workarounds to pull logs from Canvas.
For how long have I used the solution?
We have been using the solution for around five years.
What was my experience with deployment of the solution?
The deployment is straightforward and easy for both installation types: standalone console, all-in-one, or in distribution modes.
What do I think about the stability of the solution?
Currently, it is very stable.
What do I think about the scalability of the solution?
For EPS license, if you increase or exceed the EPS license, you cannot receive events and IBM Security QRadar comes with this server. This issue existed previously when exceeding the limit for EPS license.
How are customer service and support?
The customer service experience is mixed. For critical issues, they provide L1 support rather than expert support initially. The L1 support follows standard steps before escalating to the development team or expertise team. In critical situations, this process can be problematic. Support needs to understand the issue first, then escalate it to the engineering team. The engineering team then sends an appointment meeting about the issue. This process can result in outages lasting three to four hours.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I have been in the cybersecurity field since 2012. I have experience with many cybersecurity products including IBM Security QRadar, Splunk, SOAR , IBM Resilient SOAR , Phantom , and various security controls and products.
What was our ROI?
ROI calculation is more applicable when using SOAR rather than SIM. In SIM, you don't have functions or enrichment to check if an IP is malicious or different reputations or websites. With SOAR, you can calculate ROI. For example, when an analyst receives alerts on IBM Security QRadar Offense, they would typically take 10 to 15 minutes to check an IP in VirusTotal , AbuseIPDB, TotalVirus, and other sources. With SOAR, the workflow takes one minute or less to complete the analysis.
What's my experience with pricing, setup cost, and licensing?
When comparing with Splunk, IBM Security QRadar's cost is reasonable. Splunk is more expensive than IBM Security QRadar.
Which other solutions did I evaluate?
We have machine learning for User Behavior Analytics (UBA ), but IBM Security QRadar does not have AI connectors or integration with ChatGPT . Some SOARs are working with AI, such as FortiSOAR , which has chatbot and AI integration with ChatGPT to create playbooks, assist analysts in exporting reports, and provide recommendations for alert responses.
What other advice do I have?
This implementation process receives a rating of six. In UAE, we have strict restrictions regarding compliance, particularly NIST compliance. Most companies should have local LLM, not public. Most SIM solutions or SOAR don't have the capability to build or need custom connectors for using AI with internal LLM, rather than cloud-based solutions ChatGPT or Gemini. Overall, I would rate IBM Security QRadar an eight out of ten.
Uses robust rulesets to enhance compliance audits and prevention
What is our primary use case?
What is most valuable?
What needs improvement?
For how long have I used the solution?
What was my experience with deployment of the solution?
How are customer service and support?
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
How was the initial setup?
What's my experience with pricing, setup cost, and licensing?
What other advice do I have?
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Real-time incident detection and user-friendly dashboard benefit daily operations
What is our primary use case?
I use it daily because it's shared as a log alert, and we have a security operations center. Every now and then, and almost every day, there are some alerts. I utilize it every day, twenty-four by seven, as you can see.
What is most valuable?
Actually, the dashboard is very good. The dashboard is easy to use and easy to understand what's going on and what the alerts mean. It's very user-friendly, I would say. So far, it's very good. Recently, I faced an incident, a cyber incident, and it was detected in real time. It correlates well with other solutions. I have EDR, vulnerability, and IPS, and it shows useful findings for root cause analysis.
What needs improvement?
There are many types of AI, and this AI is very limited in SQL and features. There may be potential for improvement. So far, it seems very limited. It shows some good features in the correlation part, but I think there is room for improvement. For instance, when creating rules, it can suggest more rules, reducing the effort needed. If AI-related support can suggest rules and integrate with existing security devices like MD, IPS, this SIM can create more relevant rules. Sometimes logs I receive don't mean anything, and I need technical stakeholders to share or forward logs, but these are sometimes inadequate. Keywords can help identify insufficient logs. I often lack time to verify logs. Sharing false positive results could be reduced to help my team.
For how long have I used the solution?
I have been working with the product for the last four months.
What do I think about the stability of the solution?
The product has been stable so far. I didn’t face any issues after deployment. I haven't encountered any software deployment issues, although I have only used it for four or five months. I might face issues after a year, two years, or with a major release or software update.
What do I think about the scalability of the solution?
I am satisfied with the scalability. It depends on my budget. How much I spend on licensing size is up to me.
How are customer service and support?
I received very good support, possibly due to a good relationship with IBM. I don't know about other companies, but I am happy with the support.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Previously, I had another SIM before IBM brought it up, but I couldn't correlate with different solutions. Now it saves me at least one hour, sometimes up to three hours. I used Micro Focus, which I think was acquired by another company, possibly OpenText. The ownership changed. I am very satisfied with Qradar compared to OpenText. It's superior. I am not sure which one is best, but so far it is. My people had good training and needed to invest time to get good results.
How was the initial setup?
The initial setup was very difficult. I needed help from the local partner and expert users. Without expert users, it's challenging to deploy.
What about the implementation team?
Assistance from the support system is always needed.
What was our ROI?
It's still very early, but I have saved significant damage. Investing this amount was very much worth it for my organization.
What's my experience with pricing, setup cost, and licensing?
The cost depends. The price I negotiated varies by region and relationship with the OEM. Cost is not shared due to another procurement team handling negotiations, but it was reasonable as far as I know.
What other advice do I have?
My advice is to understand your infrastructure first. Assess the size before sending any protocol requests or RFPs to adjust licensing costs. You may procure licenses less or more than needed, impacting finances. Analyzing your infrastructure is crucial, considering the logs and security issues you will set. Trained personnel are necessary. Without them, usage is challenging. Overall, the product rating is eight out of ten.