We're a customer, partner, or reseller. We use QRadar on our own internal SOC. We are also a reseller of QRadar for some of the projects. So, we sell QRadar to customers, and we're also a partner because we have different models. We roll the product out to a customer as part of our service where we own it, but the customer is paying. We also do a full deployment that a customer owns. So, we are actually fulfilling all three roles.
IBM QRadar Overview
IBM QRadar Buyer's Guide
Download the IBM QRadar Buyer's Guide including reviews and more. Updated: March 2023
What is IBM QRadar?
IBM Security QRadar is a security and analytics platform designed to defend against threats and scale security operations. This is done through integrated visibility, investigation, detection, and response. QRadar empowers security groups with actionable insights into high-priority threats by providing visibility into enterprise security data. Through centralized visibility, security teams and analysts can determine their security stance, which areas pose a potential threat, and which areas are critical. This will help streamline workflows by eliminating the need to pivot between tools.
IBM Security QRadar is built to address a wide range of security issues and can be scaled with minimal customization effort. As data is ingested, QRadar applies automated, real-time security intelligence to discover and prioritize threats quickly and precisely. The platform issues alerts with rich, actionable context on developing threats, so security teams and analysts can respond rapidly and limit the attacker's impact. The solution provides a complete view of activity in both cloud-based and on-premise environments as large volumes of data are ingested across the enterprise. Additionally, QRadar’s anomaly detection intelligence enables security teams to identify changes in user behavior that could be indicators of potential threats.
IBM QRadar Log Manager
To better help organizations protect themselves against potential security threats, attacks, and breaches, IBM QRadar Log Manager gathers, analyzes, preserves, and reports on security log events using QRadar Sense Analytics. Log events from all operating systems, applications, servers, and devices are converted into searchable, actionable intelligence. QRadar Log Manager then helps organizations meet compliance reporting and monitoring requirements, and it can be upgraded to QRadar SIEM for a higher level of threat protection.
Some of QRadar Log Manager’s key features include:
- Data processing and capture on any security event
- Disaster recovery options and high availability
- Scalability for large enterprises
- SoftLayer cloud installation capability
- Advanced threat protection
Reviews from Real Users
IBM Security QRadar is a solution of choice among users because it provides a complete solution for security teams by integrating network analysis, log management, user behavior analytics, threat intelligence, and AI-powered investigations into a single solution. Users particularly like having a single window into their network and its ability to be used for larger enterprises.
Simon T., a cyber security services operations manager at an aerospace/defense firm, notes, "The most valuable thing about QRadar is that you have a single window into your network, SIEM, network flows, and risk management of your assets. If you use Splunk, for instance, then you still need a full packet capture solution, whereas the full packet capture solution is integrated within QRadar. Its application ecosystem makes it very powerful in terms of doing analysis."
A management executive at a security firm says, "What we like about QRadar and the models that IBM has, is it can go from a small-to-medium enterprise to a larger organization, and it gives you the same value."
IBM QRadar was previously known as QRadar SIEM, QRadar UBA, QRadar on Cloud, QRadar.
IBM QRadar Customers
Clients across multiple industries, such as energy, financial, retail, healthcare, government, communications, and education use QRadar.
IBM QRadar Reviews
Cyber Security Services Operations Manager at an aerospace/defense firm with 501-1,000 employees
Provides a single window into your network, SIEM, network flows, and risk management of your assets
Pros and Cons
- "The most valuable thing about QRadar is that you have a single window into your network, SIEM, network flows, and risk management of your assets. If you use Splunk, for instance, then you still need a full packet capture solution, whereas the full packet capture solution is integrated within QRadar. Its application ecosystem makes it very powerful in terms of doing analysis."
- "I'd like them to improve the offense. When QRadar detects something, it creates what it calls offenses. So, it has a rudimentary ticketing system inside of it. This is the same interface that was there when I started using it 12 years ago. It just has not been improved. They do allow integration with IBM Resilient, but IBM Resilient is grotesquely expensive. The most effective integration that IBM offers today is with IBM Resilient, which is an instant response platform. It is a very good platform, but it is very expensive. They really should do something with the offense handling because it is very difficult to scale, and it has limitations. The maximum number of offenses that it can carry is 16K. After 16K, you have to flush your offenses out. So, it is all or nothing. You lose all your offenses up until that point in time, and you don't have any history within the offense list of older events. If you're dealing with multiple customers, this becomes problematic. That's why you need to use another product to do the actual ticketing. If you wanted the ticket existence, you would normally interface with ServiceNow, SolarWinds, or some other product like that."
What is our primary use case?
What is most valuable?
The most valuable thing about QRadar is that you have a single window into your network, SIEM, network flows, and risk management of your assets. If you use Splunk, for instance, then you still need a full packet capture solution, whereas the full packet capture solution is integrated within QRadar. Its application ecosystem makes it very powerful in terms of doing analysis.
What needs improvement?
In terms of the GUI, they need to improve the consistency. It has been written by different teams at different times. So, when you go around the interface, you'll find a lot of inconsistencies in terms of the way it works.
I'd like them to improve the offense. When QRadar detects something, it creates what it calls offenses. So, it has a rudimentary ticketing system inside of it. This is the same interface that was there when I started using it 12 years ago. It just has not been improved. They do allow integration with IBM Resilient, but IBM Resilient is grotesquely expensive. The most effective integration that IBM offers today is with IBM Resilient, which is an instant response platform. It is a very good platform, but it is very expensive. They really should do something with the offense handling because it is very difficult to scale, and it has limitations. The maximum number of offenses that it can carry is 16K. After 16K, you have to flush your offenses out. So, it is all or nothing. You lose all your offenses up until that point in time, and you don't have any history within the offense list of older events. If you're dealing with multiple customers, this becomes problematic. That's why you need to use another product to do the actual ticketing. If you wanted the ticket existence, you would normally interface with ServiceNow, SolarWinds, or some other product like that.
Their support should also be improved. Their support is very slow, and it is very difficult to find knowledgeable people within IBM.
Its price and licensing should be improved. It is overly expensive and overly complex in terms of licensing.
For how long have I used the solution?
I have been using this solution for 12 years.
How are customer service and support?
Their support is very slow. It is very difficult to find knowledgeable people within IBM. I'm an expert in the use of QRadar, and I know the technical insights of QRadar very well, but it is sometimes very painful to deal with IBM's support and actually get them to do something. Their support is very difficult to work with for some customers.
Which solution did I use previously and why did I switch?
I work with Prelude, which is by a French company. It is a basic beginner's SIEM. If you never had a SIEM before and you wanted to experiment, this is where you would start, but it is probable that you would leave it very quickly. I've also worked with ArcSight and Splunk.
My recommendation would depend upon your technical appetite or your technical capability. QRadar is essentially a Linux-based Red Hat appliance. Unfortunately, you still need some Linux knowledge to work with this effectively. Not everything is through the GUI.
Comparing it with Splunk, in terms of licensing, IBM's model is simpler than Splunk's model. Splunk has two models. One is volume metrics, so you pay for the number of bytes that are transmitted daily. The other one is based upon the number of events per second, which they introduced relatively recently. Splunk can be more expensive than QRadar when you start to get into adding what they call indexes. So, basically, you create specific indexes to hold, for instance, logs related to Cisco. This is implicit within QRadar, and it is designed that way, but within Splunk, if you want to get that performance and you have large volumes of logs, you need to create indexes. This is where the cost of Splunk can escalate.
How was the initial setup?
Installing QRadar is very simple. You insert a DVD, boot the system, and it runs the installation after asking you a few questions. It runs pretty much automatically, and then you're up and going. From an installation point of view, it is very easy.
The only thing that you have to get right before you do the installation is your architecture because it has event collectors, event processes, flow collectors, flow processes, and a number of other components. You need to understand where they should be placed. If you want more storage, then you need to place data nodes on the ends of the processes. All this is something that you need to have in mind when you design and deploy.
What's my experience with pricing, setup cost, and licensing?
It is overly expensive and overly complex in terms of licensing. They have many different appliances, which makes it extremely difficult to choose the technology. It is very difficult to choose the technology or QRadar components that you should be deploying.
They have improved some of it in the last few years. They have made it slightly easy with the fact that you can now buy virtual versions of all the appliances, which is good, but it is still very fragmented. For instance, on some of the smaller appliances, there is no upgrade path. So, if you exceed the capacity of the appliance, you have to buy a bigger appliance, which is not helpful because it is quite a major cost. If you want to add more disks to the system, they'll say that you can't. If they ship a disk with 2 terabytes that the older appliances have, and you say to them that you can commercially get 10 terabyte disks, they will say this is not possible, even though there is no technical reason why it cannot be done. So, they're not very flexible from that point of view. For IBM, it is good because you basically have to buy new appliances, but from a customer's point of view, it is a very expensive investment.
What other advice do I have?
Make sure that you have the buy-in from different teams in the company because you will need help from the network teams. You will potentially need help from IT.
You need to have a strategy of how you onboard logs into SIEM. Do you take a risk-based approach or do you onboard everything? You should take the time to understand the architecture and the implications of design choices. For instance, QRadar components communicate with each other using SSH tunnels. The normal practice in security is that if I put a device in a DMZ, then communication between the device on the normal network, which is a higher security zone, and the DMZ, which is a lower security zone, will be initiated from the high-security zone. You would not expect the device in the DMZ to initiate communication back into the normal network. In the case of QRadar, if you put your processors in the DMZ, then they have to communicate with the console, which means that you have to allow the processor to communicate. This has consequences. If you have remote sites or you plan to use cloud-based processors, collectors, etc., and have an internal console, the same communication channels have to exist. So, it requires some careful planning. That's the main thing.
I would rate QRadar an eight out of 10 as compared to other products.
Disclosure: I am a real user, and this review is based on my own experience and opinions.

Management Executive at a security firm with 11-50 employees
User-friendly, easy to deploy with proper training and offers good coverage
Pros and Cons
- "What we like about QRadar and the models that IBM has, is it can go from a small-to-medium enterprise to a larger organization, and it gives you the same value."
- "The only challenge with products like IBM is the EPS. You just have to be really on the events per second, as that's where the cost factor becomes a huge issue."
What is our primary use case?
We primarily use the solution for breach management. We use it for identifying rogue IPs and picking up anomalies in terms of the network traffic coming in. We've seen a year of use cases in terms of breach management and incident management. We find IBM QRadar quite relevant in terms of protecting against potential malicious traffic coming into your organization.
Obviously, it is evolved, and where we're utilizing IBM QRadar is to do other analytical capabilities, which include identity and access management. We've got a unique way where we use the platform to generate a view of all your identities and access that is granted within your environment and so forth. We are able to map that using IBM QRadar, which is not a use case that is normally thought about, however, we found from an analytical point of view, this is what we can do because we get all the information we need here.
What is most valuable?
IBM QRadar is phenomenal as a SIEM SOC solution. In terms of its capability, in terms of its usability, in terms of the SOC solutions or SIEM solutions out there, we find QRadar the most user-friendly.
It gives you the right coverage as the analytical platform that's coupled with Watson is phenomenal.
From a deployment perspective, we found it very, very good.
What we like about QRadar and the models that IBM has, is it can go from a small-to-medium enterprise to a larger organization, and it gives you the same value.
It's easy to use if you go through the proper training. We find that the current IBM team in South Africa is not as good as the teams abroad, however, if you get the right support and the right training, which we have got, we find it very, very, very customizable and user-friendly.
What we have done is we do not use a lot of level-one analysts. We use a lot of developers, so we constantly evolve the rule-set. Most of the organizations that have employed QRadar stack it up with level-one and level-two analysts, as opposed to having more security developers who enhance the rule-set, even though all of the same technologies work on rule-sets. If you can dynamically change the rule-set on the fly, you're good. We have got a different model in terms of the way we operate a SOC: with more developers amending the rules, you lessen the number of false positives that you encounter. The biggest problem with most of the SIEM technologies out there is that you get too many false positives, and again, it impacts your operational SOC. We don't have that issue here.
What needs improvement?
The only challenge with products like IBM is the EPS. You just have to be really on the events per second, as that's where the cost factor becomes a huge issue.
You do need proper training. Better training leads to better implementation. South Africa does not have the most knowledgeable technical support team. One challenge that you have in South Africa is the quality of the IBM resources. They're not up to the level companies need. I have to criticize IBM on that point - the skill level in South Africa and the South African franchise of IBM doesn't necessarily meet the quality of the product.
They can improve on the architecture. It's the way you deploy it. It's your enterprise architecture team that needs to understand it well. Again, due to our unique skillset on it, we deploy it in a very different way where we reduce the consumption of events per second, which reduces the overall cost of it. However, with the architecture, you need to get better guidance from IBM in terms of the way which the architecture is done.
What I will say about IBM is that if you deploy it stock standard, it can be a very expensive tool, especially with your events per second, and where the way you deploy it architecturally will determine how much it costs you to manage it, as your events per second can be reduced through proper architecture. It's critical to an IBM install that a user understands the architecture and the deployment strategy.
For how long have I used the solution?
I've been dealing with the solution for a very long time. It's likely been about six years or so at this point. I've used it for a while.
What do I think about the scalability of the solution?
We've got three customers on the solution currently.
How are customer service and technical support?
Technical support is lacking in South Africa and it doesn't meet the quality of the product. We're not quite satisfied with the level of service of knowledgeability on offer here.
They need to be faster and more knowledgeable. If you log a ticket to South Africa, they can be quicker and more knowledgeable about issues. It's a problem within South Africa where the skill level of the IBM local team is not to the level it should be. Whether it's training or support, there's a problem. It's not the greatest.
How was the initial setup?
The initial setup can be difficult if you don't have a good understanding of the product; for us, it's not too difficult.
To do a small deployment takes us about two weeks.
When we did the deployment for one of our clients recently it took us four engineers from our side and four engineers from the outside to deploy it within two weeks.
What about the implementation team?
We handle deployments for our clients. Occasionally we need outside assistance.
What was our ROI?
From a return on investment perspective, the client sees massive value from the deployment of QRadar.
What's my experience with pricing, setup cost, and licensing?
On-premises is pretty expensive as opposed to the cloud.
You do need to pay for a yearly subscription. You are charged at events per second as well.
What other advice do I have?
On QRadar, we look at the cloud-based uses as opposed to on-premise due to the cost factor.
In terms of SIEM technologies, in terms of what you can get, I would rate it an eight out of ten. The QRadar platform is phenomenal in terms of what it does.
If you want to get the best out of IBM, spend more time on the rules generation and the modification of the rules.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Senior IT Technical Support at a training & coaching company with 1,001-5,000 employees
User-friendly, offers easy integrations, and has a straightforward setup
Pros and Cons
- "Customer service is very good and very helpful."
- "The custom rules could be simplified more or it should be possible to use a different language, other than the ones that the solution is already using. They should add other languages into the mix."
What is our primary use case?
The solution is primarily used for threat detection and response. QRadar can be integrated with other services from IBM such as Watson, among others. The main need is for threat detection, incident response, and dealing with threats or hunting threats.
What else? I mean, it's always you're looking for threats. Usually, whoever buys this SIEM solution or buys QRadar, for example, is looking for hidden threats and they get the logs to see what's happening within their system. They want a solution that looks very deep inside in order to correlate those logs and see if there's any information that they can get out of those logs or even live packets that are spanning through their networks. Therefore, it's usually threat hunting. That's the main thing. Others might use it to understand the system, and how it's performing overall. However, that's the lesser use case.
What is most valuable?
Inside IBM QRadar there are a lot of engines that actually work to help us to do the correlation and normalization as well for the logs that we're receiving from multiple devices. IBM is very powerful in that regard.
QRadar, as a solution, can integrate with a lot of other applications. You can write your own custom rules if you want to. We can ask it to detect whatever we want it to, even with the devices that are not supported to send logs. IBM QRadar can understand these types of commands and we can still integrate and write our own rules to help us to detect those logs that are coming from, for example, IoT devices or from other devices that usually we don't understand.
It can handle really a huge number of logs with fewer false positives. We can use the artificial intelligence and the rules that IBM is providing to make it really smart. The solution can help you predict even the false positives when we are alerting the admin or the security admin about some offenses that we have seen from the logs.
Their product is very user-friendly.
Customer service is very good and very helpful.
The initial setup is quite straightforward.
The solution can scale.
The solution is very stable.
What needs improvement?
As per Gartner, maybe the price makes it so that the customers are not going for IBM QRadar. It's a little bit pricey compared to other solutions in the market. More or less that's the area that needs to be improved. That's usually the main concern that we receive from the customers - that it's a little bit pricey. That's the only thing I can say.
The custom rules could be simplified more or it should be possible to use a different language, other than the ones that the solution is already using. They should add other languages into the mix. You need some advanced customers in order to use the custom rules or to use their rules in order to configure the IBM QRadar in a proper way. Usually, they find it very difficult, especially if they don't have the experience.
Sometimes it works and catches whatever we want, however, sometimes it doesn't work. That's in rare cases, however, that's one thing that they need to maybe enhance.
For how long have I used the solution?
I've been working with the solution for three years or so.
What do I think about the stability of the solution?
For stability, I'm not a customer who's using it on a daily basis, however, from feedback that I'm getting from the customers who are attending to the solution, I've heard that this solution is stable. That's why it's in the leader area in Gartner. If you compare it to others in Gartner, it shows how their product is actually efficient. Whether I get QRadar, whether it's Splunk, whether it's LogRhythm, all of those products as a SIEM are very good at that point. They're all quite reliable.
What do I think about the scalability of the solution?
The scalability is very good. The product is scalable. A company shouldn't have trouble expanding it if they need to.
We typically work with banks and bigger organizations.
How are customer service and technical support?
Technical support has been very good. They are helpful and responsive.
I've also learned a lot from the documentation, especially the online documentation. Due to the fact that I'm an official instructor for IBM, I have my other resources too, on the Learning Center from IBM. Documentation is not a problem. It's very helpful.
How was the initial setup?
The initial setup is very straightforward. It's not overly complex. It's quite easy.
The deployment takes time, definitely. You've got to prepare for your solution so that it's going to work in spanning all the other devices too. That doesn't mean it's a complex process, it just means it takes a bit.
What's my experience with pricing, setup cost, and licensing?
IBM QRadar is pricey, and therefore, usually small enterprises are not able to afford it. Usually, most of the customers are large enterprises.
What other advice do I have?
I'm actually teaching IBM and some services such as IBM QRadar, as part of my work. I'm familiar with Splunk, however, I'm not working with it on a daily basis. I'm teaching that technology to others. I'm not a customer. I'm using it for teaching purposes. I'm working in a training center. I'm not dealing with it on a daily basis, however, I understand how the product works. We do sometimes help integrate it and work as consultants occasionally as well.
While 7.4 is out, we're currently working with version 7.3.
Overall, I would rate the product at an eight out of ten. There's more to be done on it, however, we are mostly pleased with its capabilities.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Integrator, consultant
Analyst at a tech services company with 501-1,000 employees
Easily monitors your environment with good user interface and plug-in integrations
Pros and Cons
- "One very useful feature is the plug-in offering that allows you to integrate it with other solutions, such as integrating it with plug-ins like ForeScout, Carbon Black, and the rest."
- "I would like the rule creation interface to be much more user-friendly in the next release."
What is our primary use case?
We use IBM QRadar to monitor security logs across the network.
What is most valuable?
One very useful feature is the plug-in offering that allows you to integrate it with other solutions, such as integrating it with plug-ins like ForeScout, Carbon Black, and the rest. Additionally, the ability of the agents to filter using XPath query to filter out the specific events you want to pick from, especially Windows log sources, is also very useful. That goes a long way in managing the EPS of the solution.
What needs improvement?
There are two ways you can pull logs: one way is where you can receive logs or send logs using the agents and previous transformation and the other way is where QRadar logs onto the servers using the admin account and then pulls the logs itself. The functionality that I would love to see with that remote pulling is to have the ability to also select which logs it is pulling because when you use MSRPC now to receive logs from your log source, it basically pulls all the events from that server. So even the noisy events that would overshoot your EPS would also be pulled. So for particularly active or high-volume servers that generate a whole lot of security events, let's say like your SFTP server that has a lot of devices on your network connecting to it, if you try to pull the logs remotely it would overshoot your EPS really quickly.
So if they could improve the functionality of the remote pull to also be able to select the logs that it is pulling from the log sources, that would be very, very effective. The reason for the pull is because the agents are not tamper-proof and any administrator can help shut down the service and uninstall the application and a whole lot of other things. Basically, your listening agent is at the mercy of the administrators, and for a security device or security software, that is a big vulnerability, because anybody can then go into the server, stop the agent, and then run any command or make any change they want to do, which would make your monitoring null and void. It would be good if the agent itself could be tamper-proof. And back to the first point, the reason why I prefer the remote pull is if there's no agent on the server and it's the console logging onto the server, your monitoring is much more secure. Regardless of what changes are being made on the server or what's going on the server, if the server is shut down and then a newer version is brought up with the same hostname and IP address, you would not need to go back in and re-install the agent. The console would just automatically connect back to that server once the IP address and the host are back up.
Additionally, I would like the rule creation interface to be much more user-friendly in the next release.
For how long have I used the solution?
I have been using IBM QRadar every day for the last 12 months.
What do I think about the stability of the solution?
In terms of stability, it is very stable. In the almost two years in the environment, there has been only one issue. It was a disk failure and that was replaced within a week by the OEM.
What do I think about the scalability of the solution?
Scalability might be an issue, but maybe it's because in our environment we do not use the application host. Since we use on-premise appliances we did notice that performance degraded a little when we added some plugins. So the recommendation was that we should have a separate application server that would host the application and then interface with the plugins and interface with the management console. But we do not have that within our environment so I can't speak to whether that would improve performance.
How are customer service and technical support?
IBM tech support has been responsive.
How was the initial setup?
I believe the initial setup was straightforward but I was not here for the setup, although I did not get any complaints.
What's my experience with pricing, setup cost, and licensing?
The license is a yearly one.
What other advice do I have?
I would recommend IBM QRadar. The user interface is really great and it simplifies the task of monitoring your environment.
On a scale of one to ten, I would give IBM QRadar an eight.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
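The XPath filtering the reviewer describes for Windows log sources works by giving the collection agent a standard Windows Event Log XPath query, so that only the events an analyst actually needs are forwarded and the rest never count against the EPS licence. The fragment below is an added example written for this page, not configuration from the reviewer or from IBM: the channel, the selected event IDs (logon success and failure, process creation, audit log cleared) and the suppressed service-logon case are assumptions chosen to illustrate the allow-list-plus-suppress pattern, not a recommended baseline.

```xml
<!-- Added example: a Windows Event Log XPath query of the kind a collection
     agent can be given to forward only selected Security-channel events.
     Event IDs and the LogonType filter are illustrative assumptions. -->
<QueryList>
  <Query Id="0" Path="Security">
    <!-- Allow-list: successful logon (4624), failed logon (4625),
         process creation (4688) and "audit log was cleared" (1102). -->
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625 or EventID=4688 or EventID=1102)]]
    </Select>
    <!-- Suppress wins over Select for events matching both: drop the
         very frequent service logons (LogonType 5) that 4624 would otherwise
         forward, while keeping interactive and network logons. -->
    <Suppress Path="Security">
      *[System[EventID=4624]] and *[EventData[Data[@Name='LogonType']='5']]
    </Suppress>
  </Query>
</QueryList>
```

Before deploying such a query, paste it into the XML tab of a custom view in Windows Event Viewer on a representative server and confirm both that it parses and that the retained events are the ones your correlation rules depend on; a filter that cuts EPS by dropping 4688 or 4625, for example, also silently removes the evidence those rules need.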
Tech Lead at a tech services company with 1,001-5,000 employees
Scalable and versatile with a lot of good features and good integration with AWS
Pros and Cons
- "There are a lot of features in QRadar. App Exchange is the most valuable feature. User behavior analytics (UBA) is also a very good feature. Watson is also there, but we are not currently using Watson. It is versatile and quite easy. It also has an all-in-one-box feature and good integration with AWS."
- "SOAR is what is expected the most from QRadar. They have something called SOAR Resilient, and it would be great if that gets induced in SIEM. IBM QRadar (as well as McAfee ESM) should have analytics platform integration. Currently, SIEMs don't have full-fledged integration with analytics where we are able to dump our data in SIEM, and the same data can be called from different analytics applications. We should be able to bring this data to a platform like Hadoop for big data and run the analytics there. Currently, people are seeing the past data and taking some actions in the present, but when it comes to analytics, there should be futuristic data where you can predict something out of your present and past data. Apart from that, I would like to see a full-fledged ITSM tool in QRadar. It sometimes has some technical issues that need to be checked. It requires a dedicated QRadar engineer to completely manage it. It has different module sets, such as event collector and event processor, and some technical glitches come in between. It takes the log but doesn't exactly process it in the way we want."
What is our primary use case?
We are a product-based organization. We use this solution for a shared SOC service and security audits and compliance.
What is most valuable?
There are a lot of features in QRadar. App Exchange is the most valuable feature. User behavior analytics (UBA) is also a very good feature. Watson is also there, but we are not currently using Watson.
It is versatile and quite easy. It also has an all-in-one-box feature and good integration with AWS.
What needs improvement?
SOAR is what is expected the most from QRadar. They have something called SOAR Resilient, and it would be great if that gets induced in SIEM. IBM QRadar (as well as McAfee ESM) should have analytics platform integration. Currently, SIEMs don't have full-fledged integration with analytics where we are able to dump our data in SIEM, and the same data can be called from different analytics applications. We should be able to bring this data to a platform like Hadoop for big data and run the analytics there. Currently, people are seeing the past data and taking some actions in the present, but when it comes to analytics, there should be futuristic data where you can predict something out of your present and past data. Apart from that, I would like to see a full-fledged ITSM tool in QRadar.
It sometimes has some technical issues that need to be checked. It requires a dedicated QRadar engineer to completely manage it. It has different module sets, such as event collector and event processor, and some technical glitches come in between. It takes the log but doesn't exactly process it in the way we want.
If its pricing can be reduced, it would help a lot of customers in bringing in a new SIEM environment.
What do I think about the stability of the solution?
It is stable. There are no incidents when SIEM completely stopped.
What do I think about the scalability of the solution?
I have expanded it. It is very good in terms of scalability. Because it is on the cloud, it can be scaled anytime. If I want to increase my CPU's RAM, I can do it. At any point in time, if I want to get additional licenses, I can just call support, and they will provide that.
I have around six customers who are using QRadar in a shared model. We do have plans to increase its usage. We are looking after different customers, and when they're ready, we can integrate it.
How are customer service and technical support?
They are good and responsive. However, because of COVID, of late everyone is working from home, and sometimes, their response has been a little bit slow for incidents. They did apologize for that.
How was the initial setup?
It is straightforward. AWS has a feature called Marketplace in its environment. When we click it, we can load it directly. It doesn't take more than two to three days to completely deploy the infrastructure.
What's my experience with pricing, setup cost, and licensing?
They can give us some scalability and flexibility on pricing. If its pricing can be reduced, it would help a lot of customers in bringing in a new SIEM environment and grow business in the market. If I start a license today and take around 10,000 EPS, and after a month, there is an increase in the number of clients on my platform, I can increase the number of licenses. I can add 5,000 EPS on a yearly basis.
Which other solutions did I evaluate?
We chose QRadar over McAfee ESM.
What other advice do I have?
It has good integration with AWS. AWS has come up with a Marketplace click-in option that provides direct integration between your AWS and data centers or cloud solutions through a small VPN. It allows you to bring up small environments with 5,000 EPS or 6,000 EPS or even 3,500 EPS or 2,500 EPS very quickly. It is very flexible and not at all tough for a startup engineer to click and bring solutions inside. It is quite easy.
I would rate IBM QRadar an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
User
Stable, functional out of the box, and offers good integration capabilities
Pros and Cons
- "Technical support is good overall."
- "The reporting system could use some upgrading."
What is our primary use case?
We make some special demos that we sell to our customers. We work as a technical support L1/L2 for our customers in these cases as well.
The solution allows organizations to check people who work from home or in the office. It can help a company understand who is connected from home.
Sometimes people give a login and password to colleagues. The security can see the situation when someone logs in locally, and they can see a remote connection. They can see this is from the login and password. They'd be able to tell if something was shared and could dig deep to figure out if it is a breach or if it is something that has been properly shared.
What is most valuable?
The SOAR features are very good.
The product is able to handle special requests.
It can effectively search local files.
We are able to deploy in two or more different locations.
The solution is functional right out of the box and it's a pretty simple system with different kinds of solutions that address different types of problems.
The initial setup is pretty straightforward.
The solution is stable.
The product can scale.
Technical support is good overall.
QRadar has a lot of integration capabilities with different security products.
If we talk about functionality in general for SIEM systems, it's good.
What needs improvement?
In terms of the government sector, sometimes they do not have enough money to buy a full SIEM. That's why they ask about some parts of the SIEM system or core. It can be expensive.
It would be ideal if they offered a barebone setup alongside an appliance. It's very interesting for different kinds of customers. Most of them prefer the core appliance, yet some of them prefer barebone.
It would be ideal if the solution offered new connectors to other systems.
The reporting system could use some upgrading.
For how long have I used the solution?
We've been using the solution for at least the last 12 months or so.
What do I think about the stability of the solution?
The stability is good. There are no bugs or glitches. It doesn't crash or freeze.
What do I think about the scalability of the solution?
The scalability of the product is very good. Sometimes we get requests for specific functionality and usually, we can accommodate that.
How are customer service and technical support?
Generally, we are happy with technical support. They are helpful and responsive.
How was the initial setup?
The initial setup is very simple for our customers due to the fact that the first step is a demo for a customer. We need about 5 to 15 working days to make this demo. We talk about making a core system. It's not difficult to make over the QRadar SIEM. After that, if the customer needs some special function for, for example, different parts of the organization, we can propose some separate parts of SIEM. That's about two or eight weeks away.
In general, for a SIEM project, you are looking at a deployment time of about two to eight months.
What about the implementation team?
As integrators, we can help advise clients and assist in the deployment process.
What's my experience with pricing, setup cost, and licensing?
IBM QRadar has an interesting scheme for payments. They have annual payments for customers who use subscriptions for some services. I can't see any problem with the current financial scheme for this product generally. It's okay.
What other advice do I have?
We are implementors. Our customers are the ones that use IBM QRadar.
We are an IBM partner.
We strongly recommend that our customers use the latest version of QRadar. It's important for security. We tend to use the latest in general.
Our customer is a government organization, including some ministries. Therefore, they use on-premise deployments only. However, they have some plans for hybrid clouds or private clouds in the next three or four years. That said, it's very hard to say exactly as the work at the ministry is about security. On-premise is deemed to be more secure.
I'd rate the solution at a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Founder at Halainfosec
Priced well and has good support, but it is resource intensive
Pros and Cons
- "The flexibility is good in terms of pulling log files."
- "It's resource-intensive."
What is our primary use case?
We are service providers, and we are always exploring tools to accompany existing tools. I am always searching for the best products to meet my clients' requirements. I always look to understand the technology first, learn what benefits we can get from the product, and how competitive it is with other tools such as DarkTrace and Palo Alto.
We are working with this solution, but it is being managed by another vendor.
We are service providers. We are providing SOC service and MSSP services for our clients.
We are working on various products, not one specific product. We can provide services for any product, in fact, any security solution.
What is most valuable?
There have been many advancements made in the most recent year. There are many add-ons included in the licenses that I have yet to explore.
There have been many improvements. When I worked with this solution at the core technical level, it was a SIEM solution. Many attributes have been added, such as threat intelligence, SO solutions, automation, and OT security. Many other platforms have been included as part of IBM QRadar.
The flexibility is good in terms of pulling log files.
What needs improvement?
Automation is an area that people are looking for. IBM does have the SO solutions platform, but it would be more useful if they could have predefined use cases rather than using more generic ones. It would be much better if they could customize their use cases.
It's resource-intensive.
The IBM QRadar team has to be proactive and they have to be informative about the product.
They don't want to spend too much money on the SIEM because it is obviously resource-intensive. But the SIEM is a very useful product when you have good resources and good software.
For large organizations that want to integrate all of the log sources, the pricing will be too expensive. This is the main reason that clients are not interested in SIEM solutions.
For how long have I used the solution?
I have been working with IBM QRadar for approximately four years.
I moved into consulting, at the architectural level. I'm not working at the core level but I know the basics of QRadar and how exactly it functions.
How are customer service and technical support?
Technical support is good.
My personal experience was fantastic. They are always good and we have never had any problems.
There are a lot of online resources available.
What's my experience with pricing, setup cost, and licensing?
When compared with other SIEM solutions, QRadar is considerably less expensive. I would like to compare it with Elasticsearch because they have different pricing strategies.
QRadar is events per second, EPS-based, whereas Elasticsearch is resource-based. You have to estimate based on how many resources will be used in the infrastructure, irrespective of log resources and log volumes.
They are charging based on the resources.
Which other solutions did I evaluate?
I'm exploring the Elastic Stack Elasticsearch currently. Splunk is out of scope for us right now, we're not interested in that. Sentinel is one that we are interested in.
What other advice do I have?
There are many competitive tools that are emerging regarding XDR solutions or SO solutions, which are capabilities that QRadar offers.
The competition is very different from the geographical locations.
For the Indian market, locally, they are still working on the old SIEM structure. It is a very generic SIEM model. Western countries, especially North American clients, are advanced in terms of moving the infrastructure to the cloud. Some have OT security and they're also doing some Office 365 advancements and several advanced search engines for endpoint detection.
They are expecting that nothing is left behind without using any licenses. Microsoft provides part of the security services if you go with the EFI license.
As vendors, we need to counter with the important visibility areas, and the critical access, which needs to be monitored as part of security.
I would rate IBM QRadar a seven out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: reseller
CS engineer at AYACOM
Comes with a lot of predefined connectors and good correlation rules, but needs better reporting and doesn't have a SOAR system by default
Pros and Cons
- "It has a lot of good correlation rules. From a customer's point of view, it is one of the best solutions because you don't need to create correlation rules from scratch. You just review them and customize them as you want."
- "It doesn't have a SOAR system by default. You need to purchase it additionally, which is the main problem with QRadar."
What is our primary use case?
We are using mixed solutions. We are currently working with IBM solutions and Azure system services. We are using two SIEM solutions: Azure Sentinel and QRadar. Azure Sentinel is covering our cloud-based solutions, and QRadar is covering our on-premise solutions.
What is most valuable?
QRadar has a lot of connectors out of the box. It has a lot of predefined and pre-deployed connectors that you can use.
It has a lot of good correlation rules. From a customer's point of view, it is one of the best solutions because you don't need to create correlation rules from scratch. You just review them and customize them as you want.
It supports using SQL queries. Sentinel uses KQL, but you need to learn it from scratch.
What needs improvement?
It doesn't have a SOAR system by default. You need to purchase it additionally, which is the main problem with QRadar.
Its reporting can be improved.
For how long have I used the solution?
I have been using this solution for approximately three years.
What do I think about the stability of the solution?
It is stable.
What do I think about the scalability of the solution?
It is scalable. It works for small, medium, and large enterprises. You can have a huge SOC, and you can implement it in a big company.
Our company has more than 5,000 assets, and we are covering them all with the QRadar system.
Which solution did I use previously and why did I switch?
We are using Azure Sentinel for our cloud-based solutions. The best functionality that you can get from Azure Sentinel is the SOAR capability. So, you can estimate any type of activity, such as when an alert was triggered or an incident was found.
Azure Sentinel doesn't have many connectors for third-party SIEM solutions. Many customers are struggling with the integration of Azure Sentinel with their on-premise SIEM.
If we start to collect all logs from our on-premise SIEM solutions, Azure Sentinel will cost much more than QRadar. If we calculate its cost over the next five or ten years, it will cost more than QRadar.
What's my experience with pricing, setup cost, and licensing?
You have a one-time payment, and you also can purchase it for one year as a subscription. We have it on-premise, and we have a permanent license for it. We have to pay for the support on a yearly basis.
If you compare its cost with Sentinel for one year, QRadar would seem more expensive, but if you compare its cost over five or ten years, Azure Sentinel will be more expensive than QRadar.
What other advice do I have?
I would recommend purchasing a cloud-based license subscription because it doesn't have any limits on the license. You can easily install it in a cloud environment. This cloud pack can be integrated with different types of SIEM solutions. So, you can use one management console to query all of the SIEM systems that you are managing. It is like having one window to manage your SOC. For example, a SOC can operate, manage, or provide services for different types of companies, and all these companies can have different types of SIEM solutions. With the cloud subscription of QRadar, you can cover all companies, which is good in my opinion.
I would recommend both QRadar and Azure Sentinel. It depends on the use case of a customer and the environment that they are using.
I would rate QRadar a seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: partner