Elastic's Licensing History: Why It's Complicated
Elasticsearch began as open-source software under the Apache 2.0 licence. In 2021, Elastic changed the licence for Elasticsearch and Kibana from Apache 2.0 to the Elastic Licence 2.0 (ELv2) and Server Side Public Licence (SSPL) — a move that prevented cloud providers from offering Elasticsearch as a managed service without commercial agreements. AWS responded by forking Elasticsearch as OpenSearch, which remains Apache 2.0 licensed.
In 2024, Elastic partially reversed course and added the GNU AGPL v3 licence as an option alongside ELv2 — a significant development that gave enterprises more flexibility but further complicated the licensing landscape. For procurement purposes, the key question is not which open-source licence applies, but what the commercial subscription covers and what's available only through Elastic's paid tiers.
This licensing complexity makes Elastic contract negotiations particularly opaque. Many enterprises don't know precisely what their subscription covers versus what's available in the free or open-source tier — and Elastic's sales team does not volunteer that information. Independent analysis of your actual usage versus your licensed entitlements is essential before any renewal.
Elastic Subscription Tiers: What Each Includes
Elastic's commercial subscriptions are structured in three tiers — Standard, Gold, and Platinum — with a fourth Enterprise tier for the largest deployments. These tiers apply to both self-managed Elasticsearch deployments and Elastic Cloud (the managed SaaS offering):
| Tier | Core Features | Indicative Pricing (per node/year, self-managed) |
|---|---|---|
| Standard | Full Elasticsearch/Kibana, alerting, basic reporting, TLS, free trial of ML | ~$10K–$16K per node |
| Gold | + Cross-cluster replication, frozen tier, LDAP/SSO, alerting actions | ~$20K–$28K per node |
| Platinum | + ML features, anomaly detection, SIEM, security analytics, Graph | ~$40K–$55K per node |
| Enterprise | + Searchable snapshots, advanced ML, enterprise support SLA | Custom pricing; typically 10-20% above Platinum |
These are indicative self-managed deployment costs. Elastic Cloud pricing is capacity-based (GB of RAM-hours per month) rather than node-based, which makes direct comparison difficult but often results in 2-3x higher effective costs for equivalent capacity when compared to self-managed on your own cloud infrastructure.
For SIEM use cases specifically, Elastic Security requires at least Platinum tier — the native SIEM capabilities, detection rules, and ML anomaly detection are all Platinum-gated. Many enterprises purchasing Elastic for observability (log aggregation, APM) find themselves pulled toward Platinum when security teams want to consolidate SIEM workloads onto the existing Elastic deployment.
⚠️ The Observability Expansion Trap
Enterprises frequently start with Elastic for enterprise search or log management at Standard or Gold tier, then expand to observability and security use cases without renegotiating the commercial terms. By the time SIEM and ML features are in active use, the organisation is running Platinum-tier features on Gold-tier licenses. Elastic's compliance enforcement is relatively light-touch, but the gap surfaces at renewal — and Elastic's first position is always to back-bill for the feature usage.
Elastic Cloud vs Self-Managed: The Commercial Trade-off
Elastic Cloud (formerly Elastic Cloud Enterprise, or ECE) is Elastic's managed service, running on AWS, Azure, or GCP. The commercial model is consumption-based: you pay for the Elasticsearch cluster capacity you consume, measured in GB of RAM-hours, plus an Elasticsearch Service surcharge on top of the underlying cloud provider compute cost.
The operational advantage of Elastic Cloud is significant — no infrastructure management, automatic upgrades, and tight SLA support. The commercial disadvantage is that the effective per-GB storage cost and per-RAM-hour compute cost are substantially higher than running equivalent infrastructure on your own AWS or Azure account. For large-scale SIEM deployments ingesting hundreds of GB per day, this cost difference is meaningful.
| Deployment Model | Operational Complexity | Flexibility | Indicative Cost vs Self-Managed |
|---|---|---|---|
| Elastic Cloud (Managed SaaS) | Low | Moderate | 2-3x higher at scale |
| Self-Managed on Cloud (AWS/Azure) | Medium | High | Lower base cost |
| Elastic Cloud Enterprise (ECE) On-Prem | High | Highest | Hardware cost + subscription |
| OpenSearch (AWS fork) | Medium | High | Lower — no Elastic subscription needed |
Elastic Observability Pricing: APM, Logs, and Metrics
Elastic Observability bundles application performance monitoring (APM), log management, infrastructure metrics, uptime monitoring, and synthetic monitoring into a unified solution. The commercial model for Observability on Elastic Cloud is capacity-based with a specific Observability SKU that includes additional ingestion and retention capabilities:
- Log Ingestion: Priced per GB ingested per day. Enterprise log volumes of 100-500 GB/day create significant ongoing cost. Data tiers (hot, warm, cold, frozen) are important for cost management — not all data needs to be on hot SSD storage.
- APM Transactions: Priced per million transactions. High-throughput microservices architectures generate APM volume that surprises teams who sized the Elastic subscription based on initial estimates.
- Synthetic Monitoring: Per-check pricing for uptime monitoring. Often underestimated in the initial contract.
- ML-based anomaly detection: Requires Platinum tier; at Elastic Cloud, ML nodes are additional compute cost.
The critical optimisation lever for Observability is data lifecycle management. Organisations that push data from hot to warm to cold tier based on access frequency — instead of keeping everything on hot storage — routinely reduce Observability storage costs by 40-60%. Elastic's ILM (Index Lifecycle Management) handles this automatically once configured, but the default configuration often keeps more data on expensive tiers than necessary.
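One way to check how long existing ILM policies keep data on each tier, as an added example that is not part of the original page. The input is a constructed sample shaped like a `GET _ilm/policy` response; the policy names and the 7-day hot-tier threshold are assumptions.

```python
import re

PHASE_ORDER = ["hot", "warm", "cold", "frozen", "delete"]
UNIT_DAYS = {"ms": 1 / 86_400_000, "s": 1 / 86_400, "m": 1 / 1_440, "h": 1 / 24, "d": 1.0}

def to_days(value):
    """Convert an Elasticsearch time value such as '30d' or '12h' to days."""
    match = re.fullmatch(r"(\d+)(ms|s|m|h|d)", value)
    if not match:
        raise ValueError(f"unsupported time value: {value!r}")
    return int(match.group(1)) * UNIT_DAYS[match.group(2)]

def tier_residency(policy):
    """Days an index spends in each data tier; None means it never leaves."""
    phases = policy["policy"]["phases"]
    # min_age counts from rollover (or index creation when there is no rollover).
    starts = [(p, to_days(phases[p].get("min_age", "0ms")))
              for p in PHASE_ORDER if p in phases]
    residency = {}
    for i, (name, start) in enumerate(starts):
        if name == "delete":
            continue
        nxt = starts[i + 1][1] if i + 1 < len(starts) else None
        residency[name] = None if nxt is None else nxt - start
    return residency

def audit(policies, max_hot_days=7):  # threshold is an assumed example value
    """Flag policies that hold data on the hot tier too long or never delete it."""
    findings = []
    for name in sorted(policies):
        phases = policies[name]["policy"]["phases"]
        hot = tier_residency(policies[name]).get("hot", 0)
        if hot is None or hot > max_hot_days:
            findings.append((name, "hot_too_long"))
        if "delete" not in phases:
            findings.append((name, "no_delete_phase"))
    return findings

# Constructed sample, shaped like a GET _ilm/policy response (names are made up).
SAMPLE = {
    "logs-hot-only": {"policy": {"phases": {
        "hot": {"actions": {"rollover": {"max_age": "30d"}}}}}},
    "logs-tiered": {"policy": {"phases": {
        "hot": {"min_age": "0ms", "actions": {"rollover": {"max_age": "1d"}}},
        "warm": {"min_age": "3d", "actions": {}},
        "cold": {"min_age": "30d", "actions": {}},
        "delete": {"min_age": "365d", "actions": {"delete": {}}}}}},
}
```

A missing delete phase can be deliberate where a retention mandate applies, so treat `no_delete_phase` as a prompt to confirm the retention requirement rather than as an error.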
Elastic SIEM Pricing: Security Analytics at Scale
Elastic Security (formerly the Elastic SIEM) is a compelling proposition: a SIEM that runs on the same Elasticsearch infrastructure as the rest of your Elastic deployment, avoiding additional licensing for a standalone SIEM platform. The catch is that SIEM-grade capabilities — detection rules, ML-powered threat hunting, Endpoint Detection and Response (EDR) — require Platinum tier and generate significant data volumes.
A common enterprise architecture question is whether consolidating SIEM onto an existing Elastic Observability deployment saves money relative to running a standalone SIEM (Microsoft Sentinel, Splunk, IBM QRadar). The answer depends on the existing Elastic deployment size and tier:
- If you're already at Platinum for Observability, adding SIEM workloads to the same cluster is incremental capacity cost only — a significant advantage over a standalone SIEM licence.
- If you're at Gold for Observability, moving to Platinum to enable SIEM may cost more than an equivalent Microsoft Sentinel deployment at comparable log volumes.
- Elastic Security's Endpoint agent (formerly Endgame) requires separate per-endpoint licensing beyond the base Elastic subscription.
💡 The OpenSearch Alternative
For enterprises primarily using Elasticsearch for log aggregation and search — without ML, advanced security analytics, or Elastic Cloud managed services — OpenSearch is a credible alternative. AWS-managed OpenSearch (formerly Elasticsearch) is price-competitive with Elastic Cloud and carries no per-node subscription cost. The feature gap for basic search and observability use cases is narrow; for advanced ML and SIEM, Elastic's native capabilities remain superior. Running a functional comparison before any major Elastic renewal is worth the time.
Key Negotiation Levers for Elastic Contracts
1. Benchmark Your Tier Against Actual Feature Usage
Before any renewal, map which Platinum-tier features are actively configured and generating value versus which were enabled during initial setup and never used in production. If ML anomaly detection is running but no one is consuming the alerts, it's a Platinum-tier feature generating no business value. Right-sizing to Gold where ML is unused saves 30-40% per node.
2. Negotiate on Capacity Commitment, Not List Price
Elastic Cloud's most significant discounts come through committed use contracts — committing to a minimum monthly spend in exchange for a percentage discount off on-demand pricing. If your Elastic Cloud usage is predictable, a 12-month or 24-month commit can deliver 20-35% savings relative to on-demand. Elastic's sales team will present commit discounts as standard — ensure you're negotiating the discount percentage, not just accepting the first offer.
3. Negotiate Data Retention Terms
Elastic's default retention settings and the searchable snapshot (frozen tier) configuration directly impact storage costs. Negotiate retention terms explicitly in your contract: how long data must be retained in searchable format, versus cold archive, versus deletion. Regulatory compliance often requires only that data be retained, not that it be immediately searchable. Tiering data aggressively through ILM is commercially significant at scale.
4. Use OpenSearch as a Competitive Lever
Elastic's account teams know that OpenSearch is technically capable for basic use cases. The threat of migration — even if you don't intend to execute it — is a credible negotiating position for log management and search workloads. Present a migration analysis showing OpenSearch TCO; Elastic will typically respond with meaningful pricing flexibility to protect the account.
Elastic vs Splunk vs OpenSearch vs Microsoft Sentinel
For enterprises choosing between observability and SIEM platforms, the competitive landscape has consolidated around four main options. Each has a different commercial model and different strengths:
| Platform | Primary Use Case | Pricing Model | Relative Cost (large scale) |
|---|---|---|---|
| Elastic | Search, observability, SIEM | Subscription (node or capacity-based) | Medium-High |
| Splunk | SIEM, observability, IT Ops | Ingest volume-based | High (often highest) |
| OpenSearch (AWS) | Log search, basic analytics | Compute/storage only, no licence | Lowest |
| Microsoft Sentinel | Cloud-native SIEM | Per-GB ingestion, free for M365 logs | Low-Medium (M365-heavy orgs) |
| Datadog | Observability, APM | Per-host + per-GB | High at large scale |
For Microsoft-heavy enterprises already paying for Microsoft Defender and E5, Microsoft Sentinel's free ingestion for Microsoft-sourced logs significantly reduces effective SIEM cost — making it a genuine alternative to Elastic Security for organisations where the majority of log volume is Microsoft-origin. This competitive dynamic is one of the strongest negotiating levers available against both Elastic and Splunk.
Frequently Asked Questions: Elastic Licensing
Can we use Elastic with an open-source licence and avoid the subscription?
Basic Elasticsearch and Kibana functionality is available under the Elastic Licence 2.0 (free tier) or AGPL v3 without a commercial subscription. Free features include the core search engine, basic Kibana dashboards, alerting, and API access. Commercial subscriptions add security features (TLS, RBAC, SSO), ML capabilities, cross-cluster replication, advanced reporting, and Elastic's support SLA. For enterprises running Elastic for anything beyond basic search or log aggregation, the free tier is typically insufficient — you'll need at least a Standard subscription for production security controls.
How does Elastic's pricing change if we migrate from self-managed to Elastic Cloud?
Migration from self-managed to Elastic Cloud almost universally increases cost in the short term. On Elastic Cloud, you pay for: underlying compute and storage (at a premium to raw cloud provider rates), the Elastic Service surcharge (typically 20-40% above provider list), and the subscription tier (though this may be included in Cloud pricing). The operational savings — reduced infrastructure management overhead, automatic upgrades, built-in backup — need to be quantified in labour cost to determine whether the TCO is justified. For most enterprises with dedicated Ops teams, self-managed on their own cloud infrastructure remains cheaper at scale.
What's the right Elastic subscription tier for an enterprise observability deployment without SIEM?
For pure observability use cases — APM, log management, metrics, uptime — Gold tier is typically the right commercial tier. Gold adds cross-cluster replication (essential for disaster recovery), LDAP/Active Directory integration (required in most enterprise environments), and advanced reporting. If ML anomaly detection for IT Ops is not a primary use case, Platinum adds relatively little value for pure observability versus the significant price premium. The exception is if you anticipate adding security analytics within the contract term — in that case, starting at Platinum avoids a mid-term tier upgrade.