🩺 Vitals
- 📦 Version: v4.14.5 (Released 2026-04-23)
- 🚀 Velocity: Active (Last commit 2026-05-04)
- 🌟 Community: 15.5k Stars · 2.3k Forks
- 🐞 Backlog: 2837 Open Issues
🏗️ Profile
- Official: wazuh.com
- Source: github.com/wazuh/wazuh
- License: GPL-2.0
- Deployment: Docker | Kubernetes
- Data Model: Index-based (OpenSearch)
- Jurisdiction: USA 🇺🇸 (Wazuh, Inc. — Campbell, California)
- Compliance (SaaS): SOC 2 Type II | PCI DSS | GDPR Ready
- Compliance (Self-Hosted): User managed (no vendor certifications are inherited; the operator attests their own deployment)
- Complexity: High (4/5) - Distributed OpenSearch/Wazuh cluster; requires security engineering and DevOps maturity
- Maintenance: High (4/5) - Regular ruleset updates, index management, and agent lifecycle required
- Enterprise Ready: High (4/5) - Full RBAC, threat hunting, AI-assisted detection, and compliance mapping modules in GPL binary; infrastructure overhead is the primary cost driver
1. The Executive Summary
What is it? Wazuh is a unified, open-source XDR (Extended Detection and Response) and SIEM (Security Information and Event Management) platform developed by Wazuh, Inc. (Campbell, California). Lightweight agents deployed to endpoints — servers, cloud instances, workstations — stream security telemetry to a centralised Wazuh cluster composed of three components: the Wazuh Indexer (OpenSearch), the Wazuh Server (Manager), and the Wazuh Dashboard. All functional capabilities — RBAC, AI-assisted threat hunting, File Integrity Monitoring, intrusion detection, and pre-built compliance mapping modules for PCI DSS, HIPAA, NIST 800-53, and TSC (the SOC 2 Trust Services Criteria) — are included in the GPL-2.0 binary at no cost. The only commercial offering is Wazuh Cloud: managed hosting billed per agent with no feature uplift.
The Strategic Verdict:
- 🔴 For Small Teams Without Security Engineering Capacity: Caution. Operating a distributed OpenSearch/Wazuh cluster at scale requires significant DevOps and security engineering investment. Teams without this capability should evaluate managed SIEM-as-a-Service options before committing to self-hosted Wazuh.
- 🟢 For Regulated Enterprises Requiring Full Telemetry Ownership: Strong Buy. Wazuh eliminates Splunk's data ingestion tax ($0.10–$0.30/GB) and CrowdStrike's per-endpoint recurring fees entirely. Security telemetry — the most sensitive operational data an enterprise produces — stays within your own infrastructure. Pre-built compliance modules mean audit evidence generation is a platform capability, not a custom integration project.
2. The "Hidden" Costs (TCO Analysis)
| Cost Component | Splunk (SaaS) | Wazuh (Self-Hosted) |
|---|---|---|
| Data Ingestion | $0.10–$0.30/GB | $0 (owned OpenSearch storage) |
| Agent Fees | Recurring per-endpoint | $0 (unlimited agents) |
| Retention | Expensive indexing tier | Cost of disk / object storage |
| Compliance Modules | Custom content packs | PCI DSS, HIPAA, NIST 800-53 (built-in) |
| RBAC | Enterprise tier | Included (GPL binary) |
3. The "Day 2" Reality Check
🚀 Deployment & Operations
- Architecture: Three-component distributed system — Wazuh Indexer (OpenSearch-based), Wazuh Server (alert correlation and rule engine), and Wazuh Dashboard (built on OpenSearch Dashboards, the Kibana fork). Designed for horizontal scalability; large deployments require cluster planning across all three layers (indexer shards and replicas, a master/worker manager cluster, and dashboard capacity). Lightweight agents consume minimal endpoint CPU and RAM and stream telemetry to the server over an encrypted agent channel (TCP 1514 by default, with agent enrollment on 1515).
- Integrations: Native cloud platform integrations for AWS, Azure, and GCP log ingestion. Syslog ingestion supports firewalls, switches, and network appliances. Threat intelligence feeds (including MISP) can be ingested for IoC correlation across monitored endpoints.
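The IoC correlation described in the integrations item above, as an added example rather than Wazuh's or MISP's own code: a Python script that reads Wazuh alerts.json lines and matches file hashes from FIM (syscheck) events and source IPs from authentication events against a MISP-style attribute list. The alert lines and the indicators are constructed for the demo (a made-up hash, an RFC 5737 address, a reserved example domain, illustrative rule ids); the field names assumed are those of alerts.json (rule.id, agent.name, syscheck.*_after, data.srcip) and the indicator types are MISP's (sha256, ip-src, domain).

```python
"""Correlate MISP-style indicators against Wazuh alerts.json lines.

Added example, not Wazuh's or MISP's own code. The alert lines and the
indicator list are constructed; field names follow the alerts.json layout
(rule.id, agent.name, syscheck.*_after, data.srcip) and MISP attribute types.
"""
import json

# Constructed MISP attributes (the type/value pairs found under "Attribute"
# in a MISP event). All values are fake: a made-up hash, an RFC 5737
# documentation address and a reserved example domain.
MISP_ATTRIBUTES = [
    {"type": "sha256", "value": "0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C4B5A69788796A5B4C3D2E1F0"},
    {"type": "ip-src", "value": "203.0.113.77"},
    {"type": "domain", "value": "bad.example"},
]

# Constructed Wazuh alerts.json content: one JSON object per line, shaped like
# a FIM "file added" alert, an sshd failure, and an unrelated FIM change
# (rule ids and descriptions are illustrative).
SAMPLE_ALERTS = "\n".join(json.dumps(a) for a in [
    {"timestamp": "2026-05-04T10:00:01.000+0000",
     "rule": {"id": "554", "level": 5, "description": "File added to the system."},
     "agent": {"id": "003", "name": "web-01"},
     "syscheck": {"path": "/tmp/.x/agent", "event": "added",
                  "md5_after": "00112233445566778899aabbccddeeff",
                  "sha256_after": "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"}},
    {"timestamp": "2026-05-04T10:00:05.000+0000",
     "rule": {"id": "5716", "level": 5, "description": "sshd: authentication failed."},
     "agent": {"id": "001", "name": "bastion"},
     "data": {"srcip": "203.0.113.77", "srcuser": "root"}},
    {"timestamp": "2026-05-04T10:00:09.000+0000",
     "rule": {"id": "550", "level": 7, "description": "Integrity checksum changed."},
     "agent": {"id": "003", "name": "web-01"},
     "syscheck": {"path": "/etc/hosts", "event": "modified",
                  "sha256_after": "ff" * 32}},
])

HASH_TYPES = {"md5", "sha1", "sha256"}
IP_TYPES = {"ip-src", "ip-dst"}
DOMAIN_TYPES = {"domain", "hostname"}


def build_index(attributes):
    """Bucket indicators by the kind of observable they match: hash, ip, domain."""
    index = {"hash": set(), "ip": set(), "domain": set()}
    for attr in attributes:
        kind, value = attr["type"], attr["value"].strip()
        if kind in HASH_TYPES:
            index["hash"].add(value.lower())   # hash case differs between tools
        elif kind in IP_TYPES:
            index["ip"].add(value)
        elif kind in DOMAIN_TYPES:
            index["domain"].add(value.lower())
    return index


def extract_observables(alert):
    """Yield (kind, value, context) from the alert fields worth matching."""
    syscheck = alert.get("syscheck", {})
    for field in ("md5_after", "sha1_after", "sha256_after"):
        if field in syscheck:
            yield "hash", syscheck[field].lower(), syscheck.get("path", "")
    data = alert.get("data", {})
    for field in ("srcip", "dstip"):
        if field in data:
            yield "ip", data[field], field


def correlate(alert_lines, attributes):
    """Return one hit per (alert, indicator) match; unparseable lines are skipped."""
    index = build_index(attributes)
    hits = []
    for line in alert_lines.splitlines():
        if not line.strip():
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # alerts.json is appended live; the last line may be partial
        for kind, value, context in extract_observables(alert):
            if value in index[kind]:
                hits.append({"agent": alert.get("agent", {}).get("name"),
                             "rule_id": alert.get("rule", {}).get("id"),
                             "ioc_type": kind, "value": value, "context": context})
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_ALERTS, MISP_ATTRIBUTES):
        print(hit)
```

In a real pipeline the hits would be raised back into Wazuh as alerts rather than printed; what the script shows is the normalisation both sides need before any match is trustworthy: hashes lowercased on both sides, and IP indicators of either direction (ip-src/ip-dst) matched against whichever of srcip/dstip the alert carries, with a partially written last line skipped instead of aborting the run.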
🛡️ Security & Governance (Risk Assessment)
- Jurisdiction & CLOUD Act (USA 🇺🇸): Wazuh, Inc. is incorporated in the United States (Campbell, California) — full CLOUD Act exposure for the managed Wazuh Cloud offering. For self-hosted deployments, the GPL-2.0 binary can be operated in fully air-gapped environments with no mandatory vendor telemetry or network connectivity; CLOUD Act exposure is limited to the corporate entity and the Cloud product. Self-hosted in an isolated network eliminates vendor data access entirely — a critical consideration given that Wazuh indexes sensitive security telemetry from every monitored endpoint across the infrastructure.
- The Compliance Shift: SOC 2 Type II, PCI DSS Level 1, and GDPR Ready are verified for Wazuh Cloud. Self-hosted deployments inherit none of these certifications, but Wazuh's architecture inverts the typical compliance burden: the platform provides the File Integrity Monitoring, intrusion detection rulesets, audit log collection, and pre-built compliance mapping modules for PCI DSS, HIPAA, NIST 800-53, and TSC that operators use to satisfy their own audit requirements. Compliance effort shifts to hardening the underlying infrastructure — OpenSearch cluster security, TLS configuration, index backup integrity, and access controls — rather than the security monitoring layer itself.
- License Risk (GPL-2.0 — Strong Copyleft; No Feature Gating): GPL-2.0 is a strong copyleft licence: an organisation that modifies Wazuh and distributes the result must make the corresponding source available to recipients under the same terms. GPL-2.0 has no network-use clause (unlike AGPL), so running a modified Wazuh internally, even as a service consumed by other teams, is not distribution and triggers no obligation; the risk applies only to shipping modified binaries or source outside the organisation. Wazuh has no open-core model: RBAC, threat hunting, AI-assisted detection, compliance mapping modules, and all operational capabilities are in the GPL-2.0 binary at no cost. The commercial tier sells managed cloud hosting and support SLAs, not unlocked software features. Infrastructure management of the distributed OpenSearch/Wazuh stack is the primary total cost driver for self-hosted deployments.
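One way to turn the "hardening the underlying infrastructure" item of the compliance note above into a repeatable check, as an added example that is not Wazuh's own tooling: a Python audit of the indexer's opensearch.yml against the OpenSearch security plugin settings that govern TLS and authentication. The two yml fragments are constructed, a weak node beside the same node hardened; the certificate paths follow the Wazuh indexer's /etc/wazuh-indexer/certs layout and are an assumption. Only flat key: value lines are parsed, so no YAML library is needed.

```python
"""Audit a Wazuh indexer (OpenSearch) opensearch.yml for TLS/auth weaknesses.

Added example, not Wazuh's own tooling. The two fragments below are
constructed; the keys checked are the OpenSearch security plugin's settings.
Only flat `key: value` lines are parsed, so no YAML library is needed.
"""

# Constructed: a weak indexer config (plaintext REST API, demo certs,
# no hostname verification, legacy TLS versions still offered).
WEAK_YML = """\
network.host: 0.0.0.0
plugins.security.disabled: false
plugins.security.ssl.http.enabled: false
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.allow_unsafe_democertificates: true
plugins.security.ssl.http.enabled_protocols: ["TLSv1", "TLSv1.1", "TLSv1.2"]
"""

# Constructed: the same node hardened. Certificate paths follow the Wazuh
# indexer's /etc/wazuh-indexer/certs layout (assumed for the example).
HARDENED_YML = """\
network.host: 10.0.20.11
plugins.security.disabled: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: true
plugins.security.allow_unsafe_democertificates: false
plugins.security.ssl.http.enabled_protocols: ["TLSv1.2", "TLSv1.3"]
"""

LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def parse_flat_yaml(text):
    """Parse `key: value` lines into a dict; comments and blank lines are dropped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip()
    return settings


def _is_true(value):
    return value.strip().lower() == "true"


def _protocol_list(value):
    """Turn a flow-style YAML list such as ["TLSv1.2", "TLSv1.3"] into a Python list."""
    return [p.strip().strip("\"'") for p in value.strip("[]").split(",") if p.strip()]


def audit_indexer_config(text):
    """Return (severity, key, message) findings; an empty list means every check passed.

    Defaults used when a key is absent are the security plugin's own defaults:
    plugin enabled, HTTP TLS off, hostname verification on, demo certs refused.
    """
    s = parse_flat_yaml(text)
    findings = []
    if _is_true(s.get("plugins.security.disabled", "false")):
        findings.append(("critical", "plugins.security.disabled",
                         "security plugin off: no authentication and no TLS on the indexer"))
    if not _is_true(s.get("plugins.security.ssl.http.enabled", "false")):
        findings.append(("critical", "plugins.security.ssl.http.enabled",
                         "REST API served in plaintext; credentials and alert data cross the wire unencrypted"))
    if _is_true(s.get("plugins.security.allow_unsafe_democertificates", "false")):
        findings.append(("high", "plugins.security.allow_unsafe_democertificates",
                         "publicly known demo certificates accepted for node and admin identity"))
    if not _is_true(s.get("plugins.security.ssl.transport.enforce_hostname_verification", "true")):
        findings.append(("high", "plugins.security.ssl.transport.enforce_hostname_verification",
                         "any certificate from the CA can join the cluster; node impersonation possible"))
    protocols = _protocol_list(s.get("plugins.security.ssl.http.enabled_protocols", '["TLSv1.2", "TLSv1.3"]'))
    legacy = [p for p in protocols if p in LEGACY_PROTOCOLS]
    if legacy:
        findings.append(("medium", "plugins.security.ssl.http.enabled_protocols",
                         "legacy protocols offered: " + ", ".join(legacy)))
    return findings


if __name__ == "__main__":
    for label, yml in (("weak", WEAK_YML), ("hardened", HARDENED_YML)):
        findings = audit_indexer_config(yml)
        print(f"{label}: {len(findings)} finding(s)")
        for severity, key, message in findings:
            print(f"  [{severity}] {key}: {message}")
```

The check is deliberately strict about absent keys: it falls back to the plugin's defaults, so an opensearch.yml that never mentions plugins.security.ssl.http.enabled is reported as plaintext rather than assumed safe. Run it against every indexer node's config, since cluster members are hardened individually and one lax node is enough to expose the alert index.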
4. Market Landscape
🏢 Proprietary Incumbents
- Splunk: The SIEM incumbent for large enterprises — mature query language (SPL), extensive integration ecosystem, and strong threat intelligence tooling. Data ingestion pricing at $0.10–$0.30/GB creates a compounding operational tax that scales adversely with security telemetry volume; Wazuh eliminates this cost entirely for organisations willing to invest in cluster management.
- CrowdStrike: The dominant cloud-native EDR and XDR platform — AI-driven threat detection with minimal endpoint footprint and no infrastructure management overhead. Per-endpoint recurring licensing at enterprise scale is the primary driver for evaluating Wazuh; the trade-off is absorbing the infrastructure complexity that CrowdStrike's managed model eliminates.
🤝 Open Source Ecosystem
- TheHive: A Security Incident Response Platform (SIRP) — case management, investigation collaboration, and analyst workflow tooling. The standard complementary layer above Wazuh, converting Wazuh-generated alerts into structured incident investigations with audit trails and team assignment.
- MISP: The open-source Threat Intelligence Platform — shared IoC feeds, malware signatures, and threat actor attribution. Wazuh correlates MISP indicators against endpoint telemetry through its integration-script mechanism (a custom integration executed by the manager, not a built-in connector), flagging known indicators of compromise across the monitored infrastructure.