Elastic Is a Good Search Engine. It's a Complicated SIEM.
Compare RunReveal’s purpose-built SIEM, storage-based pricing, and native SQL detections against Elastic’s complexity, Logstash pipelines, and usage-based costs.
If you're evaluating SIEMs and Elastic is on your shortlist, you already know the pitch: open-source roots, a unified stack for logs, observability, and security, and the familiarity of a tool your engineering team has probably already used somewhere. It sounds compelling.
Elastic is a genuinely powerful technology. But there's a meaningful difference between a powerful general-purpose search platform and a purpose-built security platform. This post breaks down what that difference looks like in practice, especially when it comes to data pipelines, pricing predictability, AI capabilities, and total cost of ownership.
RunReveal vs. Elastic: At a glance
Pricing & total cost of ownership
Elastic doesn't publish simple, predictable list pricing, and there's a reason for that: the real cost of Elastic depends on too many variables to summarize in a single number. Ingestion rates, storage volume, retention periods, the number of compute nodes, data transfer and egress fees, snapshot storage, and your support tier all contribute to the final bill. At scale, the surcharges for data transfer, snapshot storage, and support alone can move the baseline cost significantly.
There's also a feature-tiering issue: Platinum is the minimum viable tier for SOC teams, since it unlocks ML anomaly detection and SSO integration, while AI capabilities require Enterprise. Self-managed Enterprise subscriptions commonly start at $150,000 annually and can exceed $500,000 for large-scale deployments. The features you actually need for a functioning security program aren't available in lower tiers.
RunReveal prices on the data you store, not what you ingest. No compute billing. No egress fees. No node costs. No separate bill for AI. One number that doesn't scale with the number of infrastructure decisions you make along the way.
The Logstash problem: Pipelines as an afterthought
Security environments generate enormous amounts of noisy, low-value log data. VPC flow logs, GCP audit logs, verbose endpoint telemetry: these sources can produce billions of events a day, most of which have no security relevance whatsoever. The ability to filter, enrich, and route that data before it's stored isn't just a nice feature; it's the difference between a manageable security program and one where you're spending a disproportionate chunk of your budget storing noise.
In the Elastic stack, data preprocessing runs through Logstash or Elastic's ingest pipelines. Logstash is a separate component that requires its own configuration, infrastructure management, and operational expertise. Ingest pipelines, Elastic's more lightweight alternative, run inside the Elasticsearch cluster and support enrichment, field manipulation, and conditional logic, but they're configured in JSON and require hands-on familiarity with Elastic's internals to use effectively. Either path adds engineering overhead before you've written your first detection rule.
RunReveal ships with Pipelines as a native, first-class platform capability. You can define rules to enrich incoming events with threat intel and asset context, normalize data across sources, filter low-value events before they're stored, and drop irrelevant data entirely, all without leaving the platform, and without paying extra. No separate component to operate and no pipeline configuration language to learn. And because RunReveal's pricing is storage-based, the team is actively incentivized to help you store less, not more.
Detection engineering: Multiple languages vs. SQL
Elastic's detection ecosystem is quite expansive. There's EQL (Event Query Language) for sequence-based detections, ES|QL for newer pipeline-style queries, YARA for file and malware analysis, and the original Query DSL for everything else. Each serves a different purpose and each has a different syntax. And the relationship between them reflects Elastic's evolution from search engine to SIEM, each layer added to solve a real problem, with the complexity accumulating over time.
For experienced security engineers who live in the Elastic stack, that breadth can be useful. For teams who need to onboard new analysts quickly, write detections under pressure, or give non-specialist engineers the ability to contribute, the learning curve is real.
RunReveal uses SQL for detections, which the vast majority of security analysts and engineers already know. You can write custom detections without learning a new query language, standing up a new environment, or working through documentation written for a different use case.
RunReveal also ships with native support for Sigma streaming detections, meaning community-maintained Sigma rules work out of the box without translation. Elastic requires Sigma detections to be converted to EQL or ES|QL, creating an extra step that adds friction when you're trying to respond quickly to a newly published detection.
What you're building vs. what you're buying
One of the under-acknowledged costs of Elastic as a SIEM isn't on the invoice or contract; it's the engineering time required to turn a general-purpose search platform into a functioning security program. The ELK stack in its raw form is not a SIEM. Alerting, correlation rules, case management, and detection workflows all require configuration, customization, and ongoing maintenance. Teams that go the self-managed route are, in effect, building a SIEM.
That's a legitimate choice for organizations with the engineering capacity and the desire for maximum control. But it's not the same as deploying a purpose-built security platform.
Even on Elastic Cloud, you're managing a general-purpose platform extended for security use cases. Shard tuning, cluster sizing, upgrade planning, pipeline configuration: these are recurring engineering concerns that don't go away just because you're on the managed offering.
RunReveal is purpose-built: there's no cluster to administer, no shard tuning, no upgrade planning.
Infrastructure & deployment
RunReveal's deployment model adapts to your environment, not the other way around. There are three primary paths:
RunReveal Cloud is the fastest way to get started. Fully managed SaaS with both multi-tenant and single-tenant options, so you get data isolation without operational overhead. No infrastructure to provision, no ClickHouse cluster to manage.
BYO-Cloud is for teams that want single-tenant isolation in their own cloud environment without running the infrastructure themselves. RunReveal handles the operational layer; you get data residency control. The middle path between fully managed and fully self-hosted.
RunReveal Kubernetes is the fully on-premises option, built for AWS-native or Kubernetes-native environments where data never leaves your infrastructure. The right fit for highly regulated industries, FedRAMP workloads, or organizations with compliance requirements that rule out cloud-hosted data. It requires a technically strong team to operate, but for the right organization it provides complete control with all of RunReveal's detection and pipeline capabilities intact.
Who should choose RunReveal
RunReveal is purpose-built for security teams at fast-growing companies that need a modern, AI-native SIEM without the operational overhead, query language complexity, or usage-based cost unpredictability of a general-purpose platform.
It's particularly well-suited for teams that:
- Want data pipelines without Logstash configuration, separate infrastructure, or extra cost
- Need SQL-native querying accessible to the whole team, not just Elastic-certified engineers
- Are scaling rapidly and can't afford a pricing model where costs scale with infrastructure decisions
- Want AI that does the investigation, included in the base plan, not locked behind an Enterprise tier
- Want BYO-LLM rather than being locked to a vendor's AI pricing model
- Are running lean without a full SOC, and need platform capabilities to carry more of the investigation load
- Value a vendor who is incentivized to help them store less and spend less, not more
Frequently asked questions
Is RunReveal a direct Elastic replacement? Yes. RunReveal covers the full SIEM use case: log ingestion, normalization, detection, pipelines, alerting, and AI investigation. It can replace Elastic Security for any team currently evaluating or using it. RunReveal also offers hands-on migration support, including help translating detection logic from EQL or ES|QL.
How does pricing compare? Elastic's pricing is usage-based and varies with ingestion rates, storage, compute, data transfer, and retention. Real-world mid-market deployments on the Enterprise tier commonly run $6,000 to $50,000 per month, before professional services or pipeline tooling costs. Self-managed Enterprise starts at $150,000 annually. RunReveal's storage-based pricing starts at $24,000 per year at 1TB/month for a multi-tenant SaaS deployment, AI and pipelines included, with no separate infrastructure bill.
Do I need Logstash or ingest pipelines with RunReveal? No. RunReveal ships with native pipelines that let you filter, enrich, normalize, and drop data before it's stored. There's no Logstash configuration, no separate pipeline component to operate, and no extra cost.
What query language does RunReveal use? Standard SQL. If your team knows SQL, they can run investigations in RunReveal from day one. No EQL, no ES|QL, no Query DSL.
Is RunReveal's AI included, or is it a tier upgrade? Included. The Autonomous SOC Agent is part of every RunReveal plan. There's no Enterprise gate required to access AI investigation capabilities.
Can I bring my own LLM or AI keys with RunReveal? Yes. RunReveal supports BYO-LLM, so you can connect your own model provider and API keys. This gives you control over your AI costs and lets you use any existing enterprise agreements with model providers. Elastic also supports BYO model, but only at the Enterprise tier.
How long does it take to get up and running? Most teams are live with RunReveal in days, not weeks. There's no cluster configuration, no shard tuning, no deeply technical pipeline setup. Connect your sources and RunReveal handles the rest.
Getting started
The best way to understand whether RunReveal is the right fit is to see it with your actual data.
Book a demo with the RunReveal team and they'll walk you through the platform tailored to your environment and use cases, and can answer specific questions about migration from Elastic or any other platform.
If you're actively evaluating Elastic alongside RunReveal, bring your real data questions. The differences in pipeline architecture, pricing, and AI capabilities are most apparent when you're working through your actual detection and investigation workflows.