What is Wazuh and what is it used for?

Wazuh is an open source security platform that combines SIEM (Security Information and Event Management) and XDR (Extended Detection and Response). It collects logs and events from servers, endpoints and applications, analyses them in real time, detects threats, monitors file integrity, scans for CVE vulnerabilities and enables automated response. It is the most mature free alternative to commercial SIEM products such as Splunk or QRadar.

What is the difference between Wazuh and Splunk?

Wazuh is open source with zero licence cost, whereas Splunk Enterprise charges per GB ingested per day and can easily run into six figures per year at mid-sized organisations. Wazuh ships XDR, FIM and CVE scanning out of the box, while in Splunk these are paid add-on modules. Splunk has a broader app ecosystem and a very powerful SPL search language, but for most security use cases Wazuh covers 100% of the requirements without recurring fees.

How much does a Wazuh deployment with SIXE cost?

The Wazuh software itself is free. Project cost depends on scale (number of endpoints), architecture (single-node, high availability, multi-tenant), the scope of rule tuning and the required integrations. After the initial technical session we provide a concrete proposal. Typical SME projects run from a few weeks to several months depending on complexity.

Can Wazuh help us comply with PCI DSS, NIS2, SOC 2 or ISO 27001?

Yes. Wazuh ships with dashboards and rules mapped to the main regulatory frameworks: PCI DSS v4.0, NIS2, ISO 27001, SOC 2, GDPR, HIPAA and NIST 800-53. We generate automated reports ready for the auditor. SIXE configures the specific controls according to the regulations that apply to your organisation.

Can you migrate our existing Splunk or QRadar deployment to Wazuh?

Yes. SIXE migrates existing SIEM clusters (Splunk Enterprise, IBM QRadar, pure ELK) to Wazuh without interrupting SOC operations. We port rules, dashboards, integrations and historical data, running both platforms in parallel during the cutover until the new one is validated. The usual objective is to eliminate recurring billing by GB ingested or EPS.

Wazuh SIEM · XDR · Open Source

SOC running 24/7

Deployment · Integration · Support

Wazuh, in production. No surprises.

The most powerful open source SIEM on the market, deployed and tuned by people who have spent years on mission-critical security projects. You get real visibility, alerts that actually matter and regulatory compliance — without the annual Splunk or QRadar invoice. From the first wazuh-agent installed to the executive dashboard in production.

Talk to SIXE ./see-architecture.sh

Wazuh SIEM XDR dashboard — real-time alerts and events

Wazuh dashboard

Events / s 12.4K

Active rules 3.2K

Avg. MTTR 4min

Native open source stack

Wazuh 4.x OpenSearch Filebeat Suricata YARA MITRE ATT&CK VirusTotal

What Wazuh detects

End-to-end visibility.
From agent to SIEM.

Wazuh is not just a log collector. It is active detection on every endpoint, file integrity monitoring, configuration assessment, vulnerability scanning and automated response. This is what it watches for you, on every server we protect.

XDR · Endpoint

Endpoint threat detection Real-time log analysis, event correlation, anomaly detection and matching against the MITRE ATT&CK framework. Every agent is a sensor reporting to the central manager.

Brute force, port scan, lateral movement Rootkits and hidden processes Suspicious data exfiltration Signature detection with YARA + VirusTotal

FIM

File integrity monitoring Any change in /etc, the Windows registry or sensitive files triggers an alert. Before the attacker touches your binaries, you know about it.

Vulnerability scan

CVE vulnerability scanning Wazuh cross-checks your installed package inventory against up-to-date CVE databases. You know which machines need patching and what the priority is — without paying for Tenable.

SCA

Hardening & CIS Continuous auditing against CIS Benchmarks and your internal policies. Reports ready for the auditor.

Compliance

PCI DSS · NIS2 · SOC 2 Dashboards mapped to regulatory controls. Painless audit season.

Active response

Automated response IP blocking, process kill, host isolation. Hands off the keyboard.

Architecture

How we plug
your infrastructure into Wazuh.

A scalable design that grows with you. From 10 agents to 50,000 endpoints. Multi-tenant, high availability, separation of concerns. Every component can run on-premise, hybrid or air-gapped.

Agents linux · win · mac · docker

Manager analysis · rules · response

Indexer opensearch cluster

Dashboard visualisation · reporting

Alerting slack · pagerduty · email

SOAR shuffle · n8n · scripts

What you will see in production A dashboard your CISO understands at first glance. Pre-configured views for SOC analysts and for the board. MITRE ATT&CK mappings, event correlation, drill-down to the original log. And monthly reports that generate themselves.

Wazuh SIEM dashboard — security events visualisation in production

How we work

From zero to SIEM
in production in weeks.

We do not sell PowerPoint decks. We show up, assess, deploy and hand over. This is what happens when you start a Wazuh project with SIXE.

Initial audit & sizing Technical session with your team: how many endpoints, which OS, what workloads, which regulations apply, what integrations you need. We walk out with a concrete design and a capacity estimate.

discovery sizing architecture

Wazuh cluster deployment Manager installation (with HA where needed), OpenSearch indexer cluster, dashboard, certificates, Active Directory integration and backup. Everything automated with Ansible — reproducible, versioned, auditable.

ansible opensearch tls ldap/ad

Agent onboarding & rules Mass agent deployment on Linux, Windows, macOS, containers. Ruleset tuning (Wazuh ships with 3,000+ rules and almost nobody tunes them), custom decoders for your internal apps, CTI feed integration.

decoders custom rules misp virustotal

Compliance & executive dashboards Mapping to PCI DSS, NIS2, ISO 27001, SOC 2, HIPAA and GDPR depending on what applies. Dashboards for SOC analysts and for the board. Monthly report templates ready to send to your CISO or external auditor.

pci dss nis2 soc 2 iso 27001

Continuous support & evolution When something breaks at 3 AM, you call the people who designed your platform. No tickets, no escalation queues. And every quarter we review together which new rules to apply, which threats to watch and what to optimise.

24/7 sre threat hunting

Wazuh vs. the alternatives

Wazuh vs.
Splunk, QRadar & pure ELK.

Why more and more enterprises — and public administrations — are migrating from commercial SIEM to Wazuh. And it is not just about the invoice.

	Wazuh	Splunk Enterprise	IBM QRadar	ELK puro
License cost	✓ Free (open source)	$$$$ per GB ingested	$$$$ per EPS	Free
Native endpoint agent	✓ Multi-OS, lightweight	Universal Forwarder	WinCollect / DSM	Filebeat / Logstash only
Built-in XDR detection	✓ Out of the box	Add-on (extra cost)	✓	You build it yourself
FIM (file integrity monitoring)	✓ Native	Paid add-on	Limited	Not included
CVE vulnerability scanning	✓ Native	External (Tenable, Qualys)	Vulnerability Manager	No
Automated active response	✓ Built-in	Splunk SOAR (extra)	QRadar SOAR (extra)	Custom scripts
MITRE ATT&CK mapping	✓ Out of the box	✓ Separate app	✓	Manual
Air-gapped / fully on-premise	✓ No restrictions	✓ (with licence)	✓ (appliance)	✓
Community & release cadence	✓ Active, monthly	Commercial	Commercial, slow	✓ Very active

# Comparison based on standard enterprise editions as of 2026

Technical session

Let's talk
about your SIEM.

30-minute technical session, no commitment. You tell us about your infrastructure, which regulations apply and what keeps you up at night. We walk out of the call with an architecture sketch, an effort estimate and the next steps. No generic quotes, no sales pitch.

Book a technical session ./whatsapp

Europe +34 91 198 02 43

Hours Mon–Fri 8:30–16:30 GMT+1

Languages EN · ES · FR

What we cover in the session What we will go through together:

✓ Current inventory: how many endpoints, which OS, what logs you already have
✓ Compliance: PCI DSS, NIS2, SOC 2, ISO 27001 — what your auditor demands
✓ Proposed architecture: HA, multi-tenant or single-node, real sizing
✓ Integrations: Slack, PagerDuty, Jira, MISP, VirusTotal, your SOAR
✓ Migration from Splunk / QRadar / ELK if applicable
✓ Deployment roadmap, milestones and effort estimate

Wazuh, in production. No surprises.

End-to-end visibility.
From agent to SIEM.

How we plug
your infrastructure into Wazuh.

From zero to SIEM
in production in weeks.

Wazuh vs.
Splunk, QRadar & pure ELK.

Let's talk
about your SIEM.

Blog!

Contact us!

Partners

Our mission

Wazuh, in production. No surprises.

End-to-end visibility.From agent to SIEM.

How we plugyour infrastructure into Wazuh.

From zero to SIEMin production in weeks.

Wazuh vs.Splunk, QRadar & pure ELK.

Let's talkabout your SIEM.

Blog!

Contact us!

Partners

Our mission

End-to-end visibility.
From agent to SIEM.

How we plug
your infrastructure into Wazuh.

From zero to SIEM
in production in weeks.

Wazuh vs.
Splunk, QRadar & pure ELK.

Let's talk
about your SIEM.