How to Size a Google SecOps SIEM Deployment
Sizing a Security Information and Event Management (SIEM) deployment correctly is one of the most critical steps before committing to a Google SecOps contract. Underestimate your daily ingestion volume and you risk hitting tier limits mid-contract; overestimate and you overpay for capacity you never use. This calculator helps you arrive at a defensible GB/day figure before you engage Google Cloud or a certified partner.
Google SecOps (formerly Google Security Operations / SIEM) is priced on a flat-rate, contract basis rather than per-GB ingestion — but the tier you land on (Standard, Enterprise, or Enterprise+) is determined by your expected daily ingestion volume and the threat intelligence capabilities you require. Getting the tier right at contract time avoids costly mid-term upgrades.
EPS to GB/day: How the Conversion Works
Most SIEM vendors quote capacity in Events Per Second (EPS), but Google SecOps is sized in GB/day of raw log ingestion. The conversion is simple arithmetic: GB/day = EPS × average event size in bytes × 86,400 seconds ÷ 10^9 (the table uses decimal units, 1 KB = 1,000 B and 1 GB = 10^9 B). The result therefore depends heavily on your average event size, which varies by log source type. The table below shows typical conversion factors used in Google SecOps pre-sales sizing exercises:
| Log Source Type | Avg Event Size | 100 EPS → GB/day | Typical EPS range |
|---|---|---|---|
| Windows Event Log (endpoint) | 500 B | 4.3 GB | 5–50 EPS/host |
| Firewall / NGFW | 800 B | 6.9 GB | 50–500 EPS |
| Cloud Audit Logs (GCP) | 2 KB | 17.3 GB | 10–200 EPS/project |
| Web / API server access log | 400 B | 3.5 GB | 100–5000 EPS |
| Identity / IAM (Okta, AD) | 1 KB | 8.6 GB | 5–100 EPS |
| Kubernetes audit log | 1.5 KB | 13 GB | 20–500 EPS/cluster |
Event sizes are averages based on Google SecOps pre-sales data. Actual sizes vary with verbosity configuration and log format. Verbose / debug logging typically adds 40–60% to base volume.
Google SecOps Tier Comparison: Standard vs Enterprise vs Enterprise+
Google SecOps is available in three tiers. The key differentiator is not storage capacity — all tiers offer petabyte-scale storage — but rather the threat intelligence and curated detection capabilities included. Here is a direct comparison:
Standard: SIEM + SOAR platform. No curated detections included — bring your own YARA-L rules and threat intel feeds (STIX/TAXII, CSV). Best for organisations with a mature detection engineering team.
- SecOps SIEM (petabyte-scale storage)
- SecOps SOAR (playbook automation)
- Custom YARA-L detection rules
- Bring-your-own threat intel (STIX/TAXII, CSV)
- UDM normalisation for 700+ log sources
Enterprise: Everything in Standard plus Google-curated detection rules and Google Threat Intelligence (formerly VirusTotal). Ideal for organisations wanting out-of-the-box detection coverage.
- Everything in Standard
- Google-curated detection rules (MITRE ATT&CK aligned)
- Google Threat Intelligence (formerly VirusTotal)
- Applied Threat Intelligence matching
- Threat actor & IOC enrichment
Enterprise+: Everything in Enterprise plus Mandiant Threat Intelligence — the industry's most comprehensive adversary intelligence, including Mandiant Advantage and frontline IR insights.
- Everything in Enterprise
- Mandiant Threat Intelligence
- Mandiant Advantage adversary profiles
- Frontline IR intelligence from Mandiant
- Zero-day & vulnerability intelligence
SIEM Sizing Methodology: A Step-by-Step Approach
A reliable Google SecOps sizing exercise follows these steps. The calculator above automates steps 1–4; steps 5–6 require engagement with Google Cloud or a certified partner like CloudXero.
Step 1: Inventory your log sources
List every log source you intend to ingest: endpoints, servers, cloud projects, network devices, SaaS applications, and identity providers. Missing a high-volume source (such as VPC flow logs) is the most common cause of sizing underestimates.
Step 2: Estimate per-source volume
Apply per-source volume multipliers based on your infrastructure count. The calculator uses conservative defaults derived from Google SecOps pre-sales data. Adjust for your specific verbosity settings.
Step 3: Apply a verbose logging buffer
If you enable verbose or debug logging on any source, add a 40–60% buffer to that source's volume. Debug-level Windows Event Log or Kubernetes audit logs can easily double your expected ingestion.
Step 4: Calculate total GB/day and map to tier
Sum all source volumes to get your daily ingestion figure. Map this to the appropriate SecOps tier: Standard (up to ~100 GB/day), Enterprise (up to ~1 TB/day), Enterprise+ (above 1 TB/day or Mandiant intel required).
Step 5: Validate with a proof-of-concept
Before signing a contract, run a 2–4 week PoC with a representative subset of your log sources. Measure actual ingestion rates in the SecOps ingestion dashboard and compare against your estimate.
Step 6: Negotiate contract terms
Google SecOps contracts are typically annual with a committed ingestion volume. Work with your Google Cloud account team or a certified partner to negotiate burst allowances, overage terms, and multi-year discounts.
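The arithmetic behind the EPS-to-GB/day table and steps 1 to 4 of this methodology, carried through end to end, as an added Python example. It is not the page's calculator or any Google tool: the `LogSource` inventory, the host/project/cluster counts and the per-instance EPS figures are constructed for illustration; the event sizes are the table's averages, the 50% verbose buffer sits in the page's 40–60% range, and the tier cut-offs are the approximate 100 GB/day and 1 TB/day figures quoted in step 4. The final helper applies the ±30% accuracy figure from the FAQ to a PoC measurement (step 5).

```python
"""Worked Google SecOps sizing estimate: EPS -> GB/day, verbosity buffer,
tier mapping and a PoC sanity check. Added example; numbers are constructed."""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
BYTES_PER_GB = 1_000_000_000  # decimal GB, as used in the conversion table

# Average event sizes in bytes, taken from the conversion table on this page
AVG_EVENT_BYTES = {
    "windows_event_log": 500,
    "firewall": 800,
    "gcp_audit": 2_000,
    "web_access": 400,
    "identity": 1_000,
    "k8s_audit": 1_500,
}

# Approximate tier boundaries quoted in step 4 (GB/day)
STANDARD_MAX_GB = 100
ENTERPRISE_MAX_GB = 1_000


@dataclass
class LogSource:
    """One row of the source inventory (step 1)."""
    name: str
    kind: str              # key into AVG_EVENT_BYTES
    eps: float             # aggregate events per second across all instances
    verbose: bool = False  # debug/verbose logging enabled on this source


def eps_to_gb_per_day(eps, avg_event_bytes):
    """Raw ingestion per day: events/s * bytes/event * seconds/day, in GB."""
    return eps * avg_event_bytes * SECONDS_PER_DAY / BYTES_PER_GB


def gb_per_day_to_eps(gb_per_day, avg_event_bytes):
    """Inverse conversion, useful for translating a quoted EPS licence."""
    return gb_per_day * BYTES_PER_GB / (avg_event_bytes * SECONDS_PER_DAY)


def conversion_table(eps=100):
    """Reproduce the '100 EPS -> GB/day' column of the page's table."""
    return {kind: round(eps_to_gb_per_day(eps, size), 1)
            for kind, size in AVG_EVENT_BYTES.items()}


def source_gb_per_day(src, verbose_buffer=0.5):
    """Steps 2 and 3: per-source volume, with a buffer (50% default, inside
    the page's 40-60% range) when verbose logging is enabled."""
    base = eps_to_gb_per_day(src.eps, AVG_EVENT_BYTES[src.kind])
    return base * (1 + verbose_buffer) if src.verbose else base


def size_deployment(sources, verbose_buffer=0.5, need_mandiant=False):
    """Step 4: sum all sources and map the total to a tier.
    Returns (per-source breakdown, total GB/day, tier name)."""
    breakdown = {s.name: source_gb_per_day(s, verbose_buffer) for s in sources}
    total = sum(breakdown.values())
    if need_mandiant or total > ENTERPRISE_MAX_GB:
        tier = "Enterprise+"
    elif total > STANDARD_MAX_GB:
        tier = "Enterprise"
    else:
        tier = "Standard"
    return breakdown, total, tier


def poc_agrees(estimated_gb, measured_gb, tolerance=0.30):
    """Step 5 check: is the PoC-measured rate within the +/-30% accuracy
    the page quotes for the estimate?"""
    return abs(measured_gb - estimated_gb) <= tolerance * estimated_gb


# Constructed inventory for a hypothetical mid-sized environment;
# host/project/cluster counts and per-instance EPS are illustrative only.
SAMPLE_INVENTORY = [
    LogSource("workstations", "windows_event_log", eps=400 * 10),    # 400 hosts x 10 EPS
    LogSource("edge-ngfw", "firewall", eps=300),
    LogSource("gcp-projects", "gcp_audit", eps=20 * 20),            # 20 projects x 20 EPS
    LogSource("api-gateway", "web_access", eps=1_500),
    LogSource("okta", "identity", eps=50),
    LogSource("prod-gke", "k8s_audit", eps=3 * 200, verbose=True),  # 3 clusters, debug audit
]

if __name__ == "__main__":
    breakdown, total, tier = size_deployment(SAMPLE_INVENTORY)
    for name, gb in breakdown.items():
        print(f"{name:<14} {gb:8.1f} GB/day")
    print(f"{'total':<14} {total:8.1f} GB/day -> {tier}")
```

With the constructed inventory the total lands at roughly 435 GB/day, which maps to Enterprise; note that the single verbose Kubernetes audit source contributes more than a quarter of that total, which is the effect step 3 warns about. Swap in your own counts and per-instance EPS, and keep the conversion in decimal units so the figures line up with the table above.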
Frequently Asked Questions
Is Google SecOps priced per GB or per EPS?
Google SecOps uses a flat-rate, contract-based pricing model rather than per-GB or per-EPS metering. Your contract tier is determined by your expected daily ingestion volume and the threat intelligence capabilities you require. This differs from legacy SIEM vendors that charge per EPS or per GB ingested.
What counts as ingestion volume in Google SecOps?
Ingestion volume is measured as the raw uncompressed size of log data written to the SecOps platform. This includes all log sources: cloud audit logs, endpoint telemetry, network device logs, identity provider events, and any custom log sources you onboard via the Ingestion API or Pub/Sub.
Does Google SecOps compress logs before counting ingestion?
Google SecOps measures ingestion volume before compression. However, the platform stores logs in a compressed, columnar format internally, so your actual storage consumption is significantly lower than your raw ingestion volume. The sizing calculator uses raw uncompressed volume for tier selection.
How accurate is this SIEM sizing calculator?
The calculator uses volume multipliers derived from Google SecOps pre-sales sizing data and is accurate to within ±30% for typical enterprise environments. The most significant variables are logging verbosity configuration and the specific log types enabled per source. We recommend treating the output as a starting point and validating with a PoC before committing to a contract.
What is the difference between Google SecOps Standard and Enterprise?
The key difference is threat intelligence and curated detections. Standard includes the SIEM and SOAR platform with custom YARA-L rule support but no built-in curated detections or Google Threat Intelligence. Enterprise adds Google-curated detection rules (MITRE ATT&CK aligned) and Google Threat Intelligence (formerly VirusTotal). Enterprise+ further adds Mandiant Threat Intelligence.