The structural problem
MSPs bill clients on flat-rate models, typically $150 to $250 per user per month with security included. Meanwhile, SIEM and observability vendors price by usage: per GB, per EPS, or per host. When client data volumes spike, the MSP absorbs the cost difference.
Average MSP profit margins sit at 8-12 percent. They should be 30-35 percent. Eighteen percent of MSPs operated at a loss in Q4 2024, up from 14 percent the prior quarter. Tool licensing costs inflate at roughly 23 percent annually while MSP billing rates stay flat.
Why data volume keeps growing
Log volumes grow approximately 50 percent year over year. That is a 5x increase over the past three years. Cloud platforms generate verbose logs by default. Compliance mandates force more data collection. Endpoint detection tools produce telemetry at scale. Every new client adds volume, and every renewal carries the accumulated growth.
The math is simple: if your SIEM cost scales with data volume and your revenue does not, your margins compress with every client you add. This is the margin trap.
What a pipeline architecture changes
A Cribl-based routing layer sits between your data sources and your SIEM. It inspects every event in flight and routes based on value. High-priority security events go to your SIEM at full fidelity. Routine noise, like firewall allow logs that represent 60-70 percent of most volumes, routes to S3 at pennies per gigabyte.
The SIEM sees less volume. The renewal uplift applies to a smaller base. Your compliance archive stays complete in low-cost storage. And your margins stop eroding with every new client.
The numbers
A 100 GB per day SIEM deployment costs approximately $150,000 per year in platform licensing. Splunk compounds at 9 percent annually, turning a $100K contract into $140K in four years without adding a single data source. At 500 GB per day, Splunk TCO reaches $1.17M to $1.27M annually.
Organizations deploying Cribl-based routing typically see 20-40 percent ingest reduction, with some environments achieving 40-70 percent depending on data composition. That is the difference between margin erosion and margin recovery.
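The routing decision and its dependence on data composition can be modeled in a few lines. This is an added example in plain Python, not Cribl configuration or code from any vendor; the field names (`source`, `action`) and the sample events are constructed assumptions.

```python
import json

# Constructed sample events; field names are assumptions for illustration.
SAMPLE_EVENTS = [
    {"source": "firewall", "action": "allow", "src": "10.0.0.5", "dport": 443},
    {"source": "firewall", "action": "allow", "src": "10.0.0.7", "dport": 443},
    {"source": "firewall", "action": "allow", "src": "10.0.0.9", "dport": 53},
    {"source": "firewall", "action": "block", "src": "10.0.0.5", "dport": 445},
    {"source": "edr", "action": "process_start", "host": "ws-01", "image": "cmd.exe"},
    {"source": "idp", "action": "login_failed", "user": "alice"},
    {"source": "firewall"},  # malformed: no action field
]

def route(event):
    """Return 'archive' only for events explicitly classed as routine noise.

    Anything unmatched, including malformed or unknown events, defaults to
    'siem' so that a gap in the rules never silently removes detection data.
    """
    if event.get("source") == "firewall" and event.get("action") == "allow":
        return "archive"
    return "siem"

def split_volume(events):
    """Sum serialized bytes per destination (usage pricing is per byte)."""
    totals = {"siem": 0, "archive": 0}
    for ev in events:
        size = len(json.dumps(ev, separators=(",", ":")).encode("utf-8"))
        totals[route(ev)] += size
    return totals

def ingest_reduction(totals):
    """Fraction of total bytes that no longer reaches the SIEM."""
    total = totals["siem"] + totals["archive"]
    return totals["archive"] / total if total else 0.0

if __name__ == "__main__":
    totals = split_volume(SAMPLE_EVENTS)
    print(totals, f"reduction={ingest_reduction(totals):.0%}")
```

The reduction is measured in bytes rather than event counts, which is why the achievable percentage depends on how much of a given client's volume the noise rule actually matches.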