Manager at a financial services firm with 1,001-5,000 employees
It provides event correlation across multiple device categories. The web console should have all the features of the standard console.
What is most valuable?
- Event correlation across multiple device categories: It allows us to have a full picture of what is happening in the environment.
- Flexible event collection: Besides hundreds of standard devices, you can send custom CEF Syslog prepared with your own scripts.
- Customization of alerts: Velocity macros allow you to send very clear and user-friendly alerts.
How has it helped my organization?
This product gave us a clear picture of the network traffic, including the useless parts. It also allowed us to detect a large range of threats, starting from malware-infected workstations to misconfigured devices.
What needs improvement?
The web console should have all the features of the standard console.
In addition, the upgrade process should be simpler.
For how long have I used the solution?
I have used this solution for 10 years and 8 months.
Buyer's Guide
ArcSight Enterprise Security Manager (ESM)
March 2025

Learn what your peers think about ArcSight Enterprise Security Manager (ESM). Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
842,767 professionals have used our research since 2012.
What was my experience with deployment of the solution?
I did have some small issues at the beginning. It was mostly due to not reading the documentation or sending too many events to the HPE ESM solution.
What do I think about the scalability of the solution?
Scalability was not an issue. The environment was relatively stable and we filtered out non-security events using custom scripts.
How are customer service and support?
I have had mixed experiences over the years. Customer service was good, while the technical support was mostly great.
There were a few glitches, like assigning our trouble ticket to a support specialist in an impossible time zone.
Which solution did I use previously and why did I switch?
I have not used any other solution. In 2005, we started directly with the HPE ArcSight solution because our company security consultant recommended it.
How was the initial setup?
In 2006, when we first installed HPE ArcSight into production, we disabled most of the default rules and other object categories. Today, this may not apply. After that, we designed and implemented our own rules, filters, field sets, active lists, session lists, reports, alerts, etc.
The first year was hard. In the following years, we mainly did the fine tuning, added new event categories and also did a lot of updates/upgrades.
What about the implementation team?
We carried out a pilot implementation based on the initial SOW, including several basic use cases. This allowed us to understand what is really happening in the environment and we learned that most of the default rules are not appropriate for us. After the pilot was successful, we bought the solution.
What was our ROI?
Calculating ROI is tricky and was never a concern for us. The simple fact that HPE ArcSight helped us several times to survive malware attacks (Conficker was one such attack), and also helped a lot with different compliance audits, was enough for us.
What's my experience with pricing, setup cost, and licensing?
In order to avoid huge licensing costs, you should use pre-filtering of events outside the ArcSight solution. We did this for Cisco ASA firewalls, Microsoft TMG proxies, etc. Of course, this approach may not work if you have regulatory constraints and have to collect everything.
What other advice do I have?
You must understand your environment and its dynamics.
Talk with IT people, write down the most important use cases, shortlist at least three SIEM solutions, do several pilots and then choose well.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
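The review above mentions two techniques without showing them: sending custom CEF over syslog from your own scripts, and pre-filtering firewall events outside ArcSight to hold down EPS licensing. The following is an added example, not code from the reviewer or from ArcSight, that does both for Cisco ASA syslog: it drops connection built/teardown messages (the message IDs and the decision to drop them are assumptions about your monitoring requirements), converts what remains to CEF with correct header and extension escaping, and frames it for a UDP syslog connector (the destination host and port are placeholders). The sample ASA lines are constructed.

```python
"""
Pre-filter Cisco ASA syslog outside of ArcSight and forward only security-relevant
lines as CEF over UDP syslog. Added example, not ArcSight or reviewer code; the
ASA message IDs treated as noise are a policy choice and the sample lines are
constructed.
"""
import re
import socket
from datetime import datetime, timezone

# "%ASA-<severity>-<message id>: <text>" as it appears after the syslog header.
ASA_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)")

# Connection built/teardown bookkeeping (302013-302016). Useful for troubleshooting,
# rarely for detection, and usually the bulk of ASA volume. Assumption: your
# monitoring requirements (and regulators) allow dropping them.
NOISE_MSGIDS = {"302013", "302014", "302015", "302016"}

# Address/port pairs inside a 106023 "Deny" message.
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src \S+:(?P<src>[\d.]+)/(?P<spt>\d+) "
    r"dst \S+:(?P<dst>[\d.]+)/(?P<dpt>\d+)"
)


def cef_escape_header(value: str) -> str:
    """Header fields: escape backslash and the pipe delimiter."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_ext(value: str) -> str:
    """Extension values: escape backslash and '=', encode line breaks."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(vendor, product, version, event_id, name, severity, ext: dict) -> str:
    """CEF:0|Vendor|Product|Version|EventClassID|Name|Severity|key=value ..."""
    header = "|".join(cef_escape_header(str(f))
                      for f in (vendor, product, version, event_id, name, severity))
    extension = " ".join(f"{k}={cef_escape_ext(str(v))}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"


def asa_to_cef(line: str):
    """CEF string for a security-relevant ASA line; None means 'drop before ESM'."""
    m = ASA_RE.search(line)
    if not m:
        return None                      # not an ASA message
    msgid, text = m["msgid"], m["text"]
    if msgid in NOISE_MSGIDS:
        return None                      # filtered here, so it never counts against EPS
    ext = {}
    d = DENY_RE.search(text)
    if d:                                # structured fields first, free text last
        ext.update(proto=d["proto"], src=d["src"], spt=d["spt"],
                   dst=d["dst"], dpt=d["dpt"], act="deny")
    ext["msg"] = text
    # ASA severity 0 (emergency)..7 (debug) mapped onto CEF 10 (most severe)..0.
    cef_sev = (7 - int(m["sev"])) * 10 // 7
    return build_cef("Cisco", "ASA", "9.x", msgid, "ASA-" + msgid, cef_sev, ext)


def filter_batch(lines):
    """Keep only the events that should reach ArcSight, already converted to CEF."""
    return [c for c in (asa_to_cef(line) for line in lines) if c]


def syslog_frame(cef: str, hostname="asa-prefilter", facility=4, severity=5, ts=None) -> str:
    """RFC 3164 style frame: <PRI>TIMESTAMP HOSTNAME MSG. Facility 4 = auth."""
    ts = ts or datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    return f"<{facility * 8 + severity}>{ts} {hostname} {cef}"


def send_syslog(cef: str, host="127.0.0.1", port=514) -> bytes:
    """Send one framed event over UDP (host/port assumed to be a CEF syslog connector)."""
    frame = syslog_frame(cef).encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(frame, (host, port))
    return frame


# Constructed sample ASA lines: two connection-bookkeeping events, one ACL deny,
# one admin command audit event.
SAMPLE_LINES = [
    "%ASA-6-302013: Built inbound TCP connection 88 for outside:203.0.113.5/51234 "
    "(203.0.113.5/51234) to inside:10.0.0.7/445 (10.0.0.7/445)",
    '%ASA-4-106023: Deny tcp src outside:203.0.113.5/51234 dst inside:10.0.0.7/445 '
    'by access-group "outside_in" [0x0, 0x0]',
    "%ASA-6-302014: Teardown TCP connection 88 for outside:203.0.113.5/51234 to "
    "inside:10.0.0.7/445 duration 0:00:01 bytes 0 TCP Reset-O",
    "%ASA-5-111008: User 'admin' executed the 'configure terminal' command.",
]

if __name__ == "__main__":
    for cef in filter_batch(SAMPLE_LINES):
        print(syslog_frame(cef))         # swap for send_syslog(cef) against a real connector
```

Two things usually go wrong with hand-rolled CEF feeds: an unescaped `|` in a header field (a product name, a rule name) shifts every later field, and an unescaped `=` in a value is parsed as a new key. Both escape functions above exist for exactly that. The filter list is where the reviewer's caveat applies: if a regulator or audit requirement says "collect everything", route the dropped IDs to a cheap archive instead of discarding them.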

Security Solutions Architect at a comms service provider with 10,001+ employees
Scalable though it is not "plug-and-play".
Valuable Features:
- Scalable though it is not "plug-and-play".
- Various deployment configurations, based on requirements, budget and the EPS/GB per day
- Stable, performance predictable based on used capacity
- Integration with alerting/ticketing systems such as Tivoli
Improvements to My Organization:
- We use this product for managed SIEM services and its stability and maturity helps with standard deployments (hardly any surprises)
Room for Improvement:
- A bit on the slow side for reports requiring query of old data
- High availability achievable through complicated configurations (i.e. load balancers)
- The user interface is a bit dated
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Manager - Cyber Security at a comms service provider with 1,001-5,000 employees
The two most valuable features for us are the deployment strategy and its operational ease.
What is most valuable?
The two most valuable features for us are the deployment strategy and its operational ease.
How has it helped my organization?
As it's a SIEM solution, it won't prove anything overnight. We're still in the implementation stage and filtering out all the noise. It's operationalized, but we're fine tuning it.
What needs improvement?
I'd like to see some threat intelligence out of the box rather than adding it in subscriptions. It also needs more straightforward and simplified correlation rules so that a SOC analyst can dive right in rather than undergo a separate induction program. Right now, the attrition rate is high.
For how long have I used the solution?
We've had it for about eight months now.
What was my experience with deployment of the solution?
We haven't had any issues with deployment.
What do I think about the stability of the solution?
It is a stable product. We've had no issues with instability.
What do I think about the scalability of the solution?
We haven't had a need to scale yet, and maybe not for another two or three years.
How are customer service and technical support?
System integrated support is there, but we haven't had any need to contact HP support. We will soon, though, because we don't really know how to fine tune the product.
Which solution did I use previously and why did I switch?
The threat landscape was the trigger for needing a SIEM product to correlate everything that is going on within the environment.
How was the initial setup?
We're still in the implementation stage because it's complex. So the basic things are done, but not the full-scale deployment. It's a process.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Sales Engineer
Useful real-time alerts for web traffic monitoring
Pros and Cons
- "Stable solution with good customer service support."
- "Could benefit from a more modern interface."
What is our primary use case?
We use it to monitor several web traffic sources and to look for compromised indicators within that traffic. The traffic comes from several applications that we've exposed on the internet.
What is most valuable?
The most valuable feature is the real-time alerts. We're also currently looking to incorporate some of the SOAR capabilities that are new to the platform.
What needs improvement?
The interface: the console looks pretty old right now, so it could benefit from a more modern design. It's functional, but not as visually appealing as it could be.
For additional features, I'd say capabilities regarding the behavioral analytics integrated in the solution. Right now, there's something in place, but it's not integrated on our side of the platform.
For how long have I used the solution?
I've been using ArcSight since 2015, so about six years.
What do I think about the stability of the solution?
My impressions are that it is stable.
What do I think about the scalability of the solution?
On our end it's pretty good. We haven't had any problems adding more sources.
How are customer service and support?
I've used their customer service and support a couple of times. It was a good service.
How was the initial setup?
Setup was relatively easy. The initial deployment was around five hours. For full deployment with all the sources, it took longer.
What other advice do I have?
I would rate this solution an eight out of ten. It's been useful and would recommend it to others. I'd also advise to take just the initial architect for implementation because that was critical for us in making the appropriate selections prior to deployment.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Network Security Administrator at a government with 1,001-5,000 employees
With the console, I can move between analyzing events and creating content. SmartConnectors are not resilient and sometimes crash.
What is most valuable?
The ESM's interface is really comprehensive. While the ArcSight console is really heavy, and I tend to dislike Java-based Windows GUIs, it's feature-rich and provides a seamless way to move between analyzing events and creating content.
How has it helped my organization?
The ability to correlate such a diverse range of information into a single location is invaluable.
What needs improvement?
SmartConnectors should be resilient, since they ingest directly from sources (often sources that I have no control over). But they're not resilient. The slightest change in the format of an event can cause SmartConnectors to stop working completely, even for other properly formatted events.
For how long have I used the solution?
I have been using ArcSight for two years.
What do I think about the stability of the solution?
I've had stability issues, particularly with SmartConnectors. They sometimes crash. Worse still, they often report that they're working fine but completely stop listening for events.
What do I think about the scalability of the solution?
The ArcSight Logger is extremely limited when it comes to scalability. For a large deployment that could be handled by a single ESM, a dozen Loggers might be required. The cost of such an undertaking is prohibitive, and there are much more scalable solutions available (ES for instance).
How are customer service and technical support?
I would rate this zero, if I could. I have had many incidents opened with HPE Support for ArcSight products, and there has not been a single issue where their support was more valuable than the time it took to deal with them. In most of my experiences with them, I provided a thorough description of the problem including logs, config files, and sometimes .pcap files.
I then heard back from them roughly once or twice a day for a week, during which time they would ask questions that I had already answered, and suggest actions that couldn't possibly relate to my issue. Of course, I tried their suggestions, but they did not work. By then, I had always devised a workaround to reduce impact to production and didn't receive another suggested resolution for weeks or months.
Which solution did I use previously and why did I switch?
I have used many products that cover some of the territory claimed by ArcSight, including: Sourcefire 3D, ELSA, Sguil/Squert, RSA Security Analytics and Splunk. None of these were as comprehensive as ArcSight.
How was the initial setup?
Most of the initial setup is very straightforward, but some event sources require significant effort to integrate.
What's my experience with pricing, setup cost, and licensing?
ArcSight is exclusively an enterprise product and it is priced accordingly.
Which other solutions did I evaluate?
We evaluated QRadar and Splunk.
What other advice do I have?
Evaluate your needs. If you're only looking to integrate logs or do simple correlations, there might be a better choice out there. If you're looking for a single product that will let you aggregate, correlate and analyze many different sources in a single place, then there are few competitors that can come close to ArcSight's features.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
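The review above describes SmartConnectors stopping on a single malformed event, and on other occasions reporting healthy while no longer processing anything. The following is an added example, not SmartConnector or reviewer code, of the behaviour a collector should have instead: each CEF event is parsed strictly on its own, anything off-spec (a truncated header, an unescaped `=` inside a value) is quarantined with its error, and the rest of the batch still flows. Header `\|` and extension `\=` escapes are handled so that legitimate edge cases are not mistaken for corruption. The sample events are constructed.

```python
"""
Defensive CEF parsing: every event is parsed on its own, and a malformed one is
quarantined with its error while the rest of the batch still flows. Added example
of the behaviour the reviewer above found missing in SmartConnectors; it is not
SmartConnector code. The sample events are constructed.
"""
import re

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "event_class_id", "name", "severity")
SEVERITY_WORDS = {"Low", "Medium", "High", "Very-High"}

# key=value pairs; a value runs until the next " key=" or end of string, and
# backslash escapes ('\=', '\\', '\n', '\r') are consumed as units.
EXT_RE = re.compile(r"(?P<key>\w+)=(?P<val>(?:\\.|[^\\=])*?)(?=\s+\w+=|\s*$)")
_UNESC = {"n": "\n", "r": "\r"}


def unescape(val: str) -> str:
    """Undo CEF extension escaping: '\\=' -> '=', '\\\\' -> '\\', '\\n', '\\r'."""
    return re.sub(r"\\(.)", lambda m: _UNESC.get(m.group(1), m.group(1)), val)


def split_header(raw: str):
    """Return (7 header fields, extension text), honouring '\\|' and '\\\\'."""
    fields, cur, i = [], [], 0
    while i < len(raw) and len(fields) < 7:
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw):      # escaped character: keep literally
            cur.append(raw[i + 1])
            i += 2
        elif ch == "|":                           # unescaped pipe ends a field
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("header has fewer than 7 pipe-delimited fields")
    return fields, raw[i:]


def parse_extension(ext: str) -> dict:
    """Parse the extension; any text not consumed as key=value is an error."""
    out, pos = {}, 0
    for m in EXT_RE.finditer(ext):
        if ext[pos:m.start()].strip():
            raise ValueError(f"unparseable extension text {ext[pos:m.start()]!r}")
        out[m["key"]] = unescape(m["val"])
        pos = m.end()
    if ext[pos:].strip():
        raise ValueError(f"trailing text in extension {ext[pos:]!r}")
    return out


def parse_cef(raw: str) -> dict:
    """Strict parse of one CEF event; raises ValueError for anything off-spec."""
    fields, ext = split_header(raw)
    if not fields[0].startswith("CEF:"):
        raise ValueError("missing 'CEF:' prefix")
    event = dict(zip(HEADER_FIELDS, fields))
    event["version"] = int(fields[0][4:])          # ValueError if not numeric
    sev = fields[6]
    if not ((sev.isdigit() and 0 <= int(sev) <= 10) or sev in SEVERITY_WORDS):
        raise ValueError(f"bad severity {sev!r}")
    event["extension"] = parse_extension(ext)
    return event


def process_batch(lines):
    """Parse lines independently: (parsed events, [(line no, raw, error), ...])."""
    parsed, quarantined = [], []
    for n, line in enumerate(lines, 1):
        try:
            parsed.append(parse_cef(line))
        except ValueError as exc:
            quarantined.append((n, line, str(exc)))   # logged and counted, never fatal
    return parsed, quarantined


# Constructed sample batch: two valid events (the second uses header and extension
# escapes), one truncated header, one value with an unescaped '='.
SAMPLE_EVENTS = [
    'CEF:0|Cisco|ASA|9.x|106023|ASA-106023|4|src=203.0.113.5 dst=10.0.0.7 dpt=445 '
    'act=deny msg=Deny tcp by access-group "outside_in"',
    "CEF:0|Vendor\\|Inc|Prod|1.0|100|Login failed|7|suser=bob msg=bad password for user\\=bob",
    "CEF:0|Broken|Prod|1.0|100|truncated",
    "CEF:0|Acme|Gateway|2.1|200|Odd|3|msg=level=debug",
]

if __name__ == "__main__":
    ok, bad = process_batch(SAMPLE_EVENTS)
    print(f"{len(ok)} parsed, {len(bad)} quarantined")
    for n, _, err in bad:
        print(f"  line {n}: {err}")
```

The quarantine list is also the answer to the "reports healthy but stopped listening" complaint: a collector that emits its parsed and quarantined counts per interval gives you something to alert on (zero parsed for N minutes on a source that is normally busy, or a sudden jump in quarantined events after a device firmware change) instead of trusting the process's own status.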
Information Security Architect at a tech services company with 51-200 employees
Its flexibility is achieved by being easy to use, and at the same time having very sophisticated FlexConnectors.
What is most valuable?
The best feature of ArcSight is its flexibility. Almost no other vendor provides such a good framework to collect, parse, and analyze data. Its flexibility is achieved by being easy to use, and at the same time having very sophisticated FlexConnectors. Also, I've found ArcSight's correlation engine to be the most advanced on the market.
How has it helped my organization?
My customers who use ArcSight report that it becomes very useful in incident detection and forensics. It's really sped up disclosure of inappropriate activity in information systems and on the network. Flexible event collection allows getting crucial events from almost every possible source. And correlation abilities are incredible if you know how to cook it.
What needs improvement?
Many competitors are going down the road of combining their products with other security products, such as vulnerability scanning, configuration control, etc. HP's position doesn't change in that area as they offer to use their standalone solutions and integrate them in ArcSight. There are no embedded scanners or network forensics. Maybe it's time for HP to rethink that position.
For how long have I used the solution?
I've been working with HP ArcSight since 2008. All that time, the product has been growing and evolving, trying to give us more profit and a better experience to old and new customers.
What was my experience with deployment of the solution?
We have had no issues with the deployment.
What do I think about the stability of the solution?
If you encounter serious performance problems, you didn't size correctly prior to deployment.
What do I think about the scalability of the solution?
The scalability options are pretty good although costly.
How are customer service and technical support?
Customer Service:
Every product has its stability bugs, and ArcSight is not an exception, though I haven't found anything critical.
Technical Support:
I must say that tech support is getting worse and worse every year. Hard cases may "hang" for months. In simple cases, support often demonstrates a lack of deep knowledge. When ArcSight was not HP, its product support was much, much better. Even first-line support could help with anything.
Which solution did I use previously and why did I switch?
As a systems integrator, we constantly evaluate different solutions and deploy not one but many of them. My personal opinion is that a crucial feature for a SIEM system is flexibility. The more you can tune, adjust, and develop the system, the more profit you will get from it. If we're talking about SIEM solutions, then no one can offer such flexibility as ArcSight. Splunk maybe, but Splunk is not a SIEM, and to get SIEM-like features from it you spend more time and money.
What about the implementation team?
As a system integrator, I always say that implementation must be done by an experienced team. SIEM solutions are not easy, so if time is important, do not rely on doing it haphazardly.
What's my experience with pricing, setup cost, and licensing?
We would like it to be cheaper, but the licensing model is pretty simple.
What other advice do I have?
You need to read the documentation - you can then get it fast and working. If you do not read the documentation, you get pain and tears. Look for an experienced team to deploy the solution, or get experience yourself as HP has some good learning courses.
Deep knowledge of the product will come later, but for the correct implementation you need to be prepared. ArcSight has a wonderful community, and you can always ask a question or find an interesting use case there. It's a very useful resource indeed; do not hesitate to visit it.
Disclosure: My company has a business relationship with this vendor other than being a customer: We integrate ArcSight for our customers.
Chief Executive Officer at a tech services company with 11-50 employees
An AI-powered solution that is good enough to cover all cybersecurity activities
Pros and Cons
- "The solution has gone beyond signature-based monitoring and analysis and is AI-powered. It is good enough to cover the full range of cybersecurity services."
- "ArcSight ESM is not easy to use and it should be integrated with other tools that have infrastructure capabilities."
What needs improvement?
ArcSight ESM is not easy to use and it should be integrated with other tools that have infrastructure capabilities.
For how long have I used the solution?
I have been working with the solution for a few months.
What do I think about the stability of the solution?
ArcSight ESM is stable.
What do I think about the scalability of the solution?
The tool is scalable and my company has 20,000 users.
How was the initial setup?
ArcSight ESM is not difficult to deploy. It requires an extensive number of skilled cybersecurity experts.
What other advice do I have?
I would rate the tool a seven out of ten. The solution has gone beyond signature-based monitoring and analysis and is AI-powered. It is good enough to cover the full range of cybersecurity services.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Manager at PT Permata Anugerah Abadi
Great real-time reporting, offers simplicity for implementation and operations
Pros and Cons
- "Very good real-time reporting with a good dashboard."
- "Currently lacks SOAR feature."
What is our primary use case?
We deal mainly with enterprise companies - I'm the senior manager and we are partners with ArcSight.
What is most valuable?
The solution has a good dashboard, very good real-time reporting and it's easy to use, offering simplicity for implementation and operations.
What needs improvement?
I'd like to see an improvement in their training and documentation. SOAR (Security Orchestration, Automation, and Response) would be a good feature to include in the future.
For how long have I used the solution?
I've been using this solution for six years.
What do I think about the scalability of the solution?
This solution is stable and scalable.
How are customer service and support?
They offer 24/7 standby support wherever you are. It's very good.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup is straightforward.
What's my experience with pricing, setup cost, and licensing?
The cost is reasonable for a good solution.
What other advice do I have?
It's important to set up the organization before implementation, checking internal desktops or IT security internals before buying the solution.
I rate this product an eight out of 10.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: partner
