SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers
Expel launches managed SIEM service for Sentinel & Splunk

Wed, 25th Mar 2026

Expel has launched a managed SIEM service for customers using Microsoft Sentinel and Splunk Enterprise Security. The service is available as an add-on for Expel MDR customers.

The offering places Expel detection engineers inside a customer's existing SIEM environment in a co-managed model. It covers detection strategy, custom rule writing and tuning, data ingestion reviews, and routing SIEM alerts into Expel's managed detection and response workflows.

Expel is targeting security teams that already run a SIEM but struggle with the operational work needed to keep detections effective and costs under control. Rather than asking customers to move to a different platform, the service works with existing Microsoft Sentinel and Splunk deployments.

Two Offers

Expel has split the service into two parts. Detection Engineering is a subscription service focused on ongoing reviews of detection rules, coverage against threat scenarios, and reducing alert noise.

A second tier, called Performance Engineering, adds a more hands-on model. Under this arrangement, Expel works alongside customer teams to monitor SIEM health, develop automation, and review spending on data ingestion and retention.

The launch reflects a wider issue in the security market. Companies often invest heavily in security information and event management platforms, then face the labour-intensive task of maintaining rules, investigating false positives, and managing storage costs. Expel argues that many internal security teams end up spending more time on SIEM administration than threat detection.

It also contrasts its approach with service providers whose revenue rises with customer data volumes. Expel said its model does not depend on increasing ingestion and instead recommends ways to control data use while maintaining security coverage.

That point may resonate with buyers at a time when SIEM spending is under scrutiny. Data ingestion and retention costs can rise quickly as organisations expand cloud services, software-as-a-service usage, and hybrid infrastructure, while security teams remain under pressure to show value from the tools they already own.

Customer Control

Transparency is a central part of the pitch. Customers retain ownership of the detections Expel creates and can see every rule, filter, and tuning change in real time.

That matters because some managed security arrangements have been criticised for locking customers into proprietary content or requiring them to adopt additional tools. Expel said its service does not require customers to buy their SIEM through the company or migrate platforms.

The service also includes ongoing management of log source changes as customer environments evolve, along with quarterly reviews intended to show detection effectiveness. Expel said the model is designed to support internal teams rather than replace them, leaving security engineers free to focus on strategic work.

Justin Bajko, chief strategy officer at Expel, said the launch is intended to address the gap between what organisations expect from a SIEM and the day-to-day effort needed to run it.

"Organisations didn't spend millions on SIEMs to waste endless hours administering them; they bought them to detect threats and protect the business," Bajko said.

He added: "Too many teams are consumed by the day-to-day grind of keeping their SIEM running instead of using it to actually secure their organization. Our Managed SIEM service takes that tedious management out of the hands of our customers' SOCs, so they can focus their efforts on what actually matters."

Market Pressure

The release comes as managed detection and response providers broaden their services beyond alert triage and incident response into adjacent operational areas. SIEM management has become a logical extension, particularly for customers that want to keep existing technology investments while reducing staffing pressure.

It also highlights a shift in buyer expectations. Security teams increasingly want outside support that can work directly within current platforms while preserving visibility over rules and workflows. In practice, that means a managed service must show not only that it can improve detections, but also that it will not obscure decision-making or create another layer of lock-in.

Pricing for the Detection Engineering subscription is based on the number of attack surfaces and log sources, with custom detection engineering included. Performance Engineering is scoped separately on a project basis.

For now, Expel's managed SIEM service supports Microsoft Sentinel and Splunk Enterprise Security, two of the most widely used SIEM products among large organisations and security operations centres.