For Italian SMEs, the Wazuh vs commercial SIEM decision is not mainly about license price. It is about operating capacity, evidence quality, response accountability, and total cost of ownership. Open source can be the right answer, but only when the organization can operate it.
Sources: Wazuh installation guide, Wazuh architecture, ACN baseline obligations determination, ENISA NIS2 guidance.
Key takeaways
- Wazuh reduces license dependency but does not remove operational workload.
- Commercial SIEMs may offer stronger support, integrations, and managed content, but cost and complexity vary.
- The non-negotiable NIS 2 criteria are coverage, retention, alert handling, evidence, and incident escalation.
- A managed model can be safer when the internal team cannot run daily detection operations.
Why SMEs explore open-source SIEM
Many SMEs subject to NIS 2 need better monitoring but cannot absorb enterprise SIEM pricing or a large SOC organization. Wazuh offers a practical entry point. It gives visibility, log collection, and detection without the classic commercial SIEM license model.
Costs: license vs deployment vs people
| Cost area | Wazuh | Commercial SIEM |
|---|---|---|
| License | Lower software license cost for the open-source stack. | Subscription or ingestion model. |
| Infrastructure | Storage, compute, backup, and high availability owned by the organization. | May be SaaS or managed infrastructure. |
| People | Internal engineering and security operations are essential. | Can be reduced through vendor, MSSP, or managed service. |
| Compliance evidence | Must be designed and maintained. | Often easier to export, but still must be governed. |
Feature comparison
Wazuh covers many SIEM and XDR use cases, including agent telemetry, log collection, rules, vulnerability visibility, and dashboards. Commercial SIEMs may add broader native integrations, advanced analytics, managed detection content, long-term archival options, and vendor support. The right comparison must be based on actual use cases, not brand names.
Implementation and learning curve
Wazuh rewards teams that understand Linux, indexes, certificates, networking, rules, and security operations. Commercial SIEMs can reduce some setup burden, but they still need source onboarding, alert governance, and response workflow design.
Support and SLA
Open source does not mean unsupported, but the support model differs. For a regulated SME, the real question is: who responds when ingestion breaks, storage fills, detection fails, or an alert requires escalation outside working hours?
NIS 2 non-negotiable criteria
- Are critical systems covered?
- Are identity, network, endpoint, and cloud logs collected?
- Is retention defined and protected?
- Are alerts reviewed and escalated?
- Can management receive usable reporting?
- Can evidence survive an audit or incident review?
When a managed service is the better choice
If the internal team cannot provide daily triage, rule tuning, escalation, and evidence packaging, a managed service is usually safer than a tool-only deployment. Aegister’s vCISO service and Cyber Console connect controls, telemetry, governance, and board reporting.
Decision tree: six questions
| Question | If yes | If no |
|---|---|---|
| Do we have SIEM engineering capacity? | Wazuh is realistic. | Consider managed SIEM. |
| Can we monitor alerts daily? | Proceed with internal model. | Use managed triage. |
| Do we need vendor SLA? | Commercial or managed model. | Open-source model may fit. |
| Are evidence packs required soon? | Prioritize governance and reporting. | Start with controlled pilot. |
Decision matrix by maturity level
| Maturity | Recommended model | Reason |
|---|---|---|
| Low cyber operations capacity | Managed SIEM or managed Wazuh | The main gap is people and process, not tooling. |
| Good IT operations, limited SOC | Wazuh with managed triage | Internal team can run infrastructure, external support handles detection workload. |
| Internal SOC or strong security engineering | Wazuh or commercial SIEM | Decision can be based on integrations, scale, support, and cost. |
| Complex enterprise environment | Commercial SIEM or hybrid | Scale, data lake, support, and integrations may dominate. |
Procurement questions for any SIEM
- Which log sources are included in the initial scope?
- What retention is included and what costs increase with data volume?
- Who tunes rules after deployment?
- Who reviews alerts daily and outside business hours?
- What evidence can be exported for audit and management reporting?
- What happens if the SIEM is unavailable during an incident?
- How are supplier responsibilities documented contractually?
Migration path for SMEs
A pragmatic path is to start with a pilot on identity systems, VPN, firewalls, and critical servers. After the pilot, decide whether to expand Wazuh internally, add managed triage, or move to a commercial SIEM. The pilot should produce evidence, not only dashboards.
Red flags during selection
- The proposal focuses only on licensing and ignores who will operate the system.
- No one can explain the incident-escalation workflow.
- Retention is described vaguely or only as a storage number.
- Detection content is treated as complete without local tuning.
- Board reporting is an afterthought.
Weighted scoring model
SMEs can make the decision more objective by scoring each option. A simple model weights operating capacity at 30%, compliance evidence at 25%, total cost at 20%, integration coverage at 15%, and support/SLA at 10%. The exact weights can change, but the exercise forces the team to discuss tradeoffs openly.
| Criterion | Weight | Question |
|---|---|---|
| Operating capacity | 30% | Can we operate this every day? |
| Evidence quality | 25% | Can we prove controls and response? |
| Total cost | 20% | What is the 24-month cost, including people? |
| Integration coverage | 15% | Can it ingest our critical sources? |
| Support/SLA | 10% | Who helps when it fails? |
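The scoring model above, as an added example that is not the article's or Aegister's own code: it applies the article's five weights to candidate options scored 1 to 5, validates that the weights sum to 100%, and shows how an alternative weighting can change the winner. The sample option scores, the cost-heavy alternative weights and the operating-capacity viability gate are constructed assumptions.

```python
# Added example, not code from the article or from Aegister: the article's
# weighted scoring model (operating capacity 30%, evidence quality 25%,
# total cost 20%, integration coverage 15%, support/SLA 10%) applied to
# candidate options scored 1-5. Sample scores and the gate are assumptions.

CRITERIA = ("operating_capacity", "evidence_quality", "total_cost",
            "integration_coverage", "support_sla")
WEIGHTS = dict(zip(CRITERIA, (0.30, 0.25, 0.20, 0.15, 0.10)))
# Assumed gate: an option the team cannot run day to day is not viable,
# whatever its total (the article's "only when it can operate it" point).
MIN_OPERATING_CAPACITY = 3

# Constructed sample scores (1 = weak, 5 = strong), same order as CRITERIA.
SAMPLE_OPTIONS = {
    "wazuh_self_managed": dict(zip(CRITERIA, (2, 3, 5, 3, 2))),
    "wazuh_managed_triage": dict(zip(CRITERIA, (4, 4, 3, 3, 4))),
    "commercial_siem": dict(zip(CRITERIA, (4, 4, 2, 5, 5))),
}
# Constructed alternative weighting a cost-driven team might propose.
COST_HEAVY_WEIGHTS = dict(zip(CRITERIA, (0.20, 0.15, 0.45, 0.10, 0.10)))

def validate_weights(weights):
    """Weights must cover every criterion exactly once and sum to 100%."""
    if set(weights) != set(CRITERIA):
        raise ValueError("weights must cover exactly the five criteria")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1.0")
    return True

def weighted_score(scores, weights=WEIGHTS):
    """Weighted total for one option, rounded to hide float noise."""
    validate_weights(weights)
    if set(scores) != set(CRITERIA):
        raise ValueError("every criterion needs a score")
    if any(not 1 <= s <= 5 for s in scores.values()):
        raise ValueError("scores must be on a 1-5 scale")
    return round(sum(scores[c] * w for c, w in weights.items()), 3)

def rank_options(options, weights=WEIGHTS):
    """(name, score, viable) tuples, best score first; viable applies the gate."""
    rows = [(name, weighted_score(s, weights),
             s["operating_capacity"] >= MIN_OPERATING_CAPACITY)
            for name, s in options.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def winner_changes(options, weights_a, weights_b):
    """True when the top-ranked option differs between two weightings."""
    return rank_options(options, weights_a)[0][0] != rank_options(options, weights_b)[0][0]
```

With the sample scores, the cheapest option ranks last under the article's weights and is flagged as not viable, yet it wins once cost is weighted at 45%, which is exactly the tradeoff the workshop should surface.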
Selection workshop agenda
- Confirm NIS 2 scope and critical services.
- List mandatory log sources and retention needs.
- Compare Wazuh, commercial SIEM, and managed options against the scoring model.
- Identify staffing and out-of-hours gaps.
- Define evidence outputs expected by management.
- Choose pilot scope and decision date.
Contract clauses to check
For commercial or managed options, check incident notification timing, data location, access to raw logs, export rights, retention, subcontractors, service availability, support hours, and responsibility for rule tuning. For open-source self-managed deployment, convert the same topics into internal policies and runbooks.
Exit strategy
SIEM choices should not lock the organization into evidence it cannot export. Require a clear exit path for configurations, indexes, dashboards, detection logic, and audit exports. This matters for both open-source and commercial models because compliance evidence must survive platform changes.
FAQ
Is Wazuh cheaper than commercial SIEM?
Software entry cost is lower, but total cost includes deployment, storage, tuning, monitoring, backup, and evidence work.
Can an SME run Wazuh alone?
Yes, if it has the right technical and operational ownership. Otherwise, a managed model is safer.
Which option is best for NIS 2?
The best option is the one that produces reliable coverage, response, and evidence. Tool choice is secondary to operating maturity.
