The real-time correlation (CORR) engine and ability to build complex correlations from simple 'building blocks', provided the base 'building blocks' are well thought out in the first place, are the most valuable features for us.
Cyber Security HP Arcsight Dev Ops Lead Developer with 10,001+ employees
The CORR engine and ability to build complex correlations from simple 'building blocks' are the most valuable features for us.
What is most valuable?
How has it helped my organization?
The ways in which it's improved our organization are too numerous to mention. But you have to have good, steady resources and well worked-out use cases. ArcSight can report on many things and save on repetitious daily monitoring.
What needs improvement?
There are a lot of improvements that need to be made, too many to mention all of them, but some improvements with the Con App would be a good start.
For how long have I used the solution?
We've used it for over eight years.
Buyer's Guide
ArcSight Enterprise Security Manager (ESM)
April 2025

Learn what your peers think about ArcSight Enterprise Security Manager (ESM). Get advice and tips from experienced pros sharing their opinions. Updated: April 2025.
848,716 professionals have used our research since 2012.
What was my experience with deployment of the solution?
We did have issues at the start, but this comes down to having good HP ArcSight architects to start with, which we didn't when the project started.
What do I think about the stability of the solution?
We did have issues at the start, but this comes down to having good HP ArcSight architects to start with, which we didn't when the project started.
What do I think about the scalability of the solution?
We did have issues at the start, but this comes down to having good HP ArcSight architects to start with, which we didn't when the project started.
How are customer service and support?
With HP themselves, they need a lot of pushing to get them to get seriously involved with issues, given that they are paid a lot of money to provide support and deliver top SLAs.
Which solution did I use previously and why did I switch?
We mainly use HP ArcSight, but also Splunk. I didn't have a say in making the choices.
How was the initial setup?
The initial setup was fairly straightforward, but the overall architecture planning needs seasoned professionals who understand what ArcSight is and how it needs to be deployed.
What about the implementation team?
The installation had already been implemented by an HP subsidiary who were fairly good when performing the installation. Despite that, they did a poor job of implementing the hardware.
What's my experience with pricing, setup cost, and licensing?
The HP products are expensive.
What other advice do I have?
It's a fantastic product and highly configurable, but it needs nothing less than a seasoned cyber security professional with serious engineering expertise and a real desire to provide meaningful use cases. Anyone that says ArcSight is 'fire and forget' should not be allowed to work in cyber security!
If you want ArcSight implemented correctly, start by sizing your organization, and looking at data flows and the available data streams. Be mindful of regulatory and compliance reporting, Risk and Legal as well, as you may need to factor in any and all of these when working with enterprise solutions.
Disclosure: My company has a business relationship with this vendor other than being a customer: We have a business relationship in place with HP.

Easy to use, reliable, simple implementation
Pros and Cons
- "The most valuable feature of ArcSight ESM is its ease of use."
- "ArcSight ESM could improve by adding more features and documentation. There needs to be more documentation."
What is our primary use case?
We are using ArcSight ESM in our company for security information and event management.
What is most valuable?
The most valuable feature of ArcSight ESM is its ease of use.
What needs improvement?
ArcSight ESM could improve by adding more features and documentation. There needs to be more documentation.
For how long have I used the solution?
I have been using ArcSight Enterprise Security Manager (ESM) for approximately 10 years.
What do I think about the stability of the solution?
ArcSight ESM is stable.
What do I think about the scalability of the solution?
The scalability of ArcSight ESM is good.
We have approximately 10 people using this solution. There are 1,000 devices using the solution. We are using the solution to its full capacity.
How are customer service and support?
The support is not very good.
I rate the support from ArcSight ESM a four out of five.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup of ArcSight ESM is easy. The deployment process took approximately one week.
What about the implementation team?
I did the implementation of ArcSight ESM myself. We have two people for maintenance.
What other advice do I have?
I rate ArcSight Enterprise Security Manager an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information and Cyber Security Analyst at a financial services firm with 10,001+ employees
The best on-prem SIEM solution that lets you do what you want and has good filtering, scalability, and support
Pros and Cons
- "The filters and the ability to do what you want are the most valuable features. There is nothing that you cannot do in this solution. It has all the features, which makes it very dynamic."
- "I am having issues with report generation with older versions. I don't know if this is because of compatibility issues, but report generation has been a little bit difficult in older versions. It is not similar to the newer and current versions. We are looking at moving to the cloud. It would be good if ArcSight ESM can move to the cloud. They already seem to be working on this. It would also be very helpful and great if we can integrate external threat intelligence, machine learning, and AI into this solution. It has good dashboards, but they can always be better. Its stability can also be improved."
What is our primary use case?
We have many use cases. Our Windows devices, antivirus, and firewall are integrated with ArcSight. I have used ArcSight ESM versions 6.1.1, 6.9, 7.0, and 7.2.
What is most valuable?
The filters and the ability to do what you want are the most valuable features. There is nothing that you cannot do in this solution. It has all the features, which makes it very dynamic.
What needs improvement?
I am having issues with report generation with older versions. I don't know if this is because of compatibility issues, but report generation has been a little bit difficult in older versions. It is not similar to the newer and current versions.
We are looking at moving to the cloud. It would be good if ArcSight ESM can move to the cloud. They already seem to be working on this.
It would also be very helpful and great if we can integrate external threat intelligence, machine learning, and AI into this solution. It has good dashboards, but they can always be better. Its stability can also be improved.
For how long have I used the solution?
I've been using ArcSight for three years. I started using it in February 2019.
What do I think about the stability of the solution?
It is stable, but its stability can be better. I would rate it a four out of five in terms of stability.
What do I think about the scalability of the solution?
It has been good when it comes to scalability. As an MSSP, we provide services to other customers, and we have customers with different capacity requirements. It is good in terms of moving from one particular size to another.
How are customer service and technical support?
They have been great. They are friendly and good.
How was the initial setup?
Its initial setup is straightforward. The deployment duration depends on the environment. It doesn't take time for our own environment, but I've heard some people complaining about the time period for which they have to wait for the deployment to take place.
What's my experience with pricing, setup cost, and licensing?
ArcSight can be a little bit expensive because of the area that we work in and the cost. Licensing is mostly on a yearly basis, not monthly.
What other advice do I have?
I would recommend this solution to anyone looking for an on-prem SIEM solution. It has been the best SIEM solution that I've worked with.
I would rate ArcSight ESM a nine out of ten. It is a great solution.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Lead Splunk Architect at a financial services firm with 10,001+ employees
CEF log formatting helps with combining events from different sources. It can be quite complicated for the "non-IT" user.
What is most valuable?
Correlation and data normalization via CEF: The speed of ArcSight's correlation engine, together with data enrichment, makes it a great tool for exploring vast amounts of data. Other SIEM tools have a hard time giving the same results at the same speed. Also, thanks to CEF log formatting, combining events from different sources takes minimal effort. Whereas, setting up that normalisation on other SIEM competitors could take countless hours.
What needs improvement?
Ease of use, access and simplicity: HPE ArcSight makes it hard to capitalize on reports without the use of the console. Other SIEM tools have made it clear that event correlation results can be used not only to send out alerts, but also to provide easily accessible results to management.
ArcSight can be quite complicated to use for a "non-IT" user. In terms of "ease of use", access and simplicity, HPE could do a better job, since customers acquiring the product should be spending more time on implementing use cases than on understanding the product and the console organization.
Also, in terms of installation, we are no longer in an era where installing a product should be a laborious process. Instead, it should be simple and fast.
Also, when it comes to data onboarding, managing ArcSight connectors in a multi-technology environment, there is no simple way to guarantee that data parsing is happening properly.
Finally, having simple-to-set-up, multi-site high availability, in contrast to single-site HA, would be very welcome.
For how long have I used the solution?
I’ve been using ArcSight for three years.
What do I think about the stability of the solution?
We have had some issues on the SmartConnector layer, since not all parsers provide perfect results (especially in the case of proxy data). Also, there have been some issues on the HA modules, since HA works sort of like a local r-sync (no remote HA).
What do I think about the scalability of the solution?
No scalability issues have been encountered so far. ArcSight's architecture is very scalable, especially when set up in a layered architecture.
How are customer service and technical support?
Support is slow and doesn't always have the required skill set to solve the issues.
Which solution did I use previously and why did I switch?
We did not have a previous solution.
How was the initial setup?
Initial setup was very complex. Any modification to the OS prior to ESM installation may cause errors in installation. Most errors aren't explicit and require a lot of time, effort and sometimes PS help to solve.
What's my experience with pricing, setup cost, and licensing?
Price is fair compared to other SIEMs (Splunk, QRadar, etc.). It's not the go-to product if you are looking for something cheap. Go for ArcSight, if it provides specific features that your IS requires.
Which other solutions did I evaluate?
Before ArcSight, we looked at QRadar and Splunk.
What other advice do I have?
My first advice is "be patient". It takes a lot of time to deploy an ArcSight infrastructure, but the result is worth it. Technically, it’s a very powerful tool. It would be worth it to take the time to learn some of the hidden features.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Cybersecurity Infrastructure at VaporVM
Provides more granular data compared to solutions like Azure or Splunk
Pros and Cons
- "We utilize ArcSight ESM for real-time threat detection in our organization. We have custom rules that we've developed on top of the WAN services, along with scheduled licensing activities."
- "We have pricing issues. ArcSight ESM may not be the most user-friendly option, and its interface is quite traditional. However, despite these aspects, we find it a good cybersecurity solution. It needs to improve the dashboards, documentation, and support as well."
What is our primary use case?
We use the product for everything. It serves as our company's management platform, handling our tech needs, block systems, alerts, custom rules, triggered events, analytics, investigations, incident closures, case creations, whitelists, and various other tasks.
What is most valuable?
We utilize ArcSight ESM for real-time threat detection in our organization. We have custom rules that we've developed on top of the WAN services, along with scheduled licensing activities.
It provides more granular data compared to solutions like Azure or Splunk. While ArcSight ESM may be considered less user-friendly, it offers a high level of customization, allowing for configuration and adaptation to specific use cases, especially regarding alerting and incident response.
Its integrations are working well. Though I haven't used the solution for an extended period, it seems highly customizable. This level of customization is not commonly found in many solutions. While solutions like Kubernetes offer a variety of apps through app extensions, it allows users to build their features to a considerable extent.
What needs improvement?
We have pricing issues. ArcSight ESM may not be the most user-friendly option, and its interface is quite traditional. However, despite these aspects, we find it a good cybersecurity solution. It needs to improve the dashboards, documentation, and support as well.
The documentation and community support for ArcSight ESM is not as strong as other solutions. Finding resources and analysts who have experience with ArcSight can be challenging. The solution is less user-friendly than alternatives like Splunk, QRadar, or Sentinel. The technical nature of ArcSight may make analysts hesitant to dive into it, contributing to a steeper learning curve.
For how long have I used the solution?
I have been using the product for two months.
What do I think about the stability of the solution?
During the pandemic, there were challenges related to stability, particularly with the discrepancy in events being pulled in. The issue was attributed to connectors, and there were problems with certificates that needed updating. As a result, events were regularly stopped by these connectors. I rate the tool's stability a seven out of ten.
What do I think about the scalability of the solution?
The solution is scalable. My company has 20 users.
How are customer service and support?
I haven't contacted the tool's technical support yet.
What other advice do I have?
I would recommend ArcSight ESM to others depending on the organization's size and specific requirements. For larger organizations, I might not recommend it, but for SMEs, it could be a suitable choice. If it meets your organization's specific use cases and requirements, and if you can ensure that you have resources trained to work with it, then it could be a suitable choice.
I rate the overall product a seven out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Mdr of Presales & Customer Success Head at a financial services firm with 1-10 employees
A robust and scalable solution that is good for correlation
Pros and Cons
- "The tool is good for correlation and aggregation. We use it as a collection platform."
- "The tool should improve its UI. It also should make data more searchable."
What is our primary use case?
The tool is good for correlation and aggregation. We use it as a collection platform.
What needs improvement?
The tool should improve its UI. It also should make data more searchable.
For how long have I used the solution?
I have been working with the tool for three to four years.
What do I think about the stability of the solution?
The tool is stable.
What do I think about the scalability of the solution?
The tool is scalable.
Which solution did I use previously and why did I switch?
I have worked with QRadar and McAfee.
How was the initial setup?
The deployment process is similar to the hosting of other applications. The tool's deployment depends on the environment architecture, and your requirements.
What other advice do I have?
I would rate the solution a seven out of ten. The product is very robust.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Scalable, reliable, and good support
Pros and Cons
- "The stability of ArcSight Enterprise Security Manager is good."
- "The user interface of ArcSight Enterprise Security Manager could improve. It is not very good. Additionally, they could integrate the web interface better."
What is our primary use case?
I use ArcSight Enterprise Security Manager to make some letters, queries, administration of the smart collectors, and logger for deporting.
What needs improvement?
The user interface of ArcSight Enterprise Security Manager could improve. It is not very good. Additionally, they could integrate the web interface better.
For how long have I used the solution?
I have been using ArcSight Enterprise Security Manager (ESM) for approximately five years.
What do I think about the stability of the solution?
The stability of ArcSight Enterprise Security Manager is good.
What do I think about the scalability of the solution?
ArcSight Enterprise Security Manager has good scalability.
We have three administrators and seven analysts using this solution in my organization.
How are customer service and support?
The support from ArcSight Enterprise Security Manager is very good. However, we have some questions that have not been resolved.
I rate the technical support from ArcSight Enterprise Security Manager a four out of five.
How was the initial setup?
The initial setup is difficult because you need to have some extra knowledge to complete it.
What's my experience with pricing, setup cost, and licensing?
We have a license to use this solution. The price of ArcSight Enterprise Security Manager is expensive.
What other advice do I have?
My advice to others is for them to have some training before they use the solution.
I rate ArcSight Enterprise Security Manager a nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Principal Enterprise Architect (Technology, Cloud & Security) at a retailer with 10,001+ employees
It supports cloud deployment and is very stable
Pros and Cons
- "The feature that I have found the most useful is that it can be deployed to the cloud."
- "The centralized dashboard for the hybrid cloud environment needs to be more focused. It needs to be redefined because it's missing most of the information. It should be a little bit easy to use. Currently, integration with various applications and connectors is not that easy. Deployment is easy, but integration is not that easy. ArcSight also has a very high bandwidth consumption to pull the local servers. It should have some kind of better process or ability to transfer files from on-premises to the cloud, from the cloud to on-premises, and from a cloud to another cloud."
What is most valuable?
The feature that I have found the most useful is that it can be deployed to the cloud.
What needs improvement?
The centralized dashboard for the hybrid cloud environment needs to be more focused. It needs to be redefined because it's missing most of the information.
ArcSight should also be a little bit easy to use. Currently, integration with various applications and connectors is not that easy. Deployment is easy, but integration is not that easy.
ArcSight also has a very high bandwidth consumption to pull the local servers. It should have some kind of better process or ability to transfer files from on-premises to the cloud, from the cloud to on-premises, and from a cloud to another cloud.
For how long have I used the solution?
I have been using ArcSight for six years.
What do I think about the stability of the solution?
It is very stable.
What do I think about the scalability of the solution?
It is not always scalable.
How are customer service and technical support?
I didn't take any kind of support.
Which solution did I use previously and why did I switch?
I have worked with IBM QRadar. IBM QRadar is very expensive, and it is not easy to deploy like ArcSight. It can't be deployed without an SME. ArcSight is better than IBM QRadar.
How was the initial setup?
The initial setup was very straightforward. It hardly took four weeks.
What other advice do I have?
If you have data centers, an SME or in-house resource to train people, and no budget constraint, then go with IBM. If you have a limited budget, hybrid environment, and untrained manpower, then go for Darktrace, AlienVault, or some other solution.
I would rate ArcSight an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
