Forrester Finds Over 200% ROI in Azure Sentinel After Three Years

A Forrester Total Economic Impact™ (TEI) study published this month analyzed the financial effects for companies using Microsoft’s Azure Sentinel. Forrester interviewed customers who previously used on-premises SIEM solutions and have now switched to the cloud-based Azure Sentinel. The organizations participating in the study specialized in IT services, big data, financial services, and e-commerce on global scales. Based on these interviews, Forrester found that Azure Sentinel simplifies management, improves efficiency, and reduces costs.

What is Azure Sentinel?

Diagram shows tasks of Azure Sentinel: Collect, Detect, Investigate and Respond.


Azure Sentinel is a powerful SIEM + SOAR solution that collects data, investigates threats, and responds to them quickly. Using machine learning, it identifies threats and anomalies faster than earlier solutions could. It compares data with dozens of threat possibilities from multiple sources, using Python libraries to investigate queries. Then it provides streamlined, automated responses to incidents with actions and playbooks. Security administrators can view all of this in dashboards with helpful workbooks and graphs.

Forrester’s Finding on How Azure Sentinel Delivers

The point of a TEI study at Forrester is to assess all the ways that a particular investment impacts companies economically. These are the key findings that Forrester published in this study, based on aggregated data from the companies interviewed:

  • Investment paid back in less than six months
  • Return on investment (ROI) of 201% after three years
  • 67% decrease in deployment time, compared to legacy on-premises SIEMs
  • 79% reduction in false positive alerts
  • 80% reduction in the amount of labor needed to follow up with investigations
  • 48% reduction in costs

Improvements in Ease & Efficiency


Participants in the study reported that with their prior legacy SIEM solutions, single events would trigger multiple other ones, creating a cluster of false positive security alerts that were time-consuming for security administrators to resolve. Azure Sentinel provided more intelligent analytics that reduced these false positives. (Now, Sentinel can provide even better threat intelligence when paired with External Attack Surface Management.) It also allowed security teams to view logs, alerts, and incidents easily in one place. Every customer interviewed said that deployment was also easier and faster than with their traditional legacy solutions. With these improvements, Forrester assessed that overall management efforts were reduced by 56%.

Cost Savings


The return on investment comes from a number of different expenses reduced after companies switched to Azure Sentinel. Organizations no longer needed their legacy SIEM vendors, so they saw reduced licensing costs. They also eliminated expensive on-premises infrastructure by switching to the cloud-native option. Here’s what companies saved because of these reductions and improvements in efficiency:

  • $1.2 million savings from management efficiencies
  • $602K savings from time saved in deployment
  • An overall savings of $4.9 million after moving from legacy SIEM to Sentinel (a 48% decrease in costs)

Another nice difference was that customers were no longer restricted by storage and data ingestion limits, which meant they didn’t have to pay for exceeding those limits like they would with other vendors.

Azure Sentinel: a Wise Choice

With Forrester’s report, it’s clear that legacy SIEM solutions can’t compete economically with the more modern Azure Sentinel. And that’s to say nothing about the additional strength of the security itself. If you’re still using legacy solutions and are interested in giving Azure Sentinel a try, Microsoft offers a trial as well as a special offer through May 1, 2021 that gives customers credits for up to 100MB of data ingestion per user per month. Or, for a more comprehensive and guided exploration, we offer a free Azure Sentinel proof of concept that includes an Azure trial, a credentialed vulnerability scan, Microsoft Defender ATP, and email monitoring with DMARC policies. Contact us today to modernize your SOC and start saving money!
