Security Expert at a tech services company with 501-1,000 employees
With multi-tier hierarchical deployment, we are able to integrate and standardize security incident detection and response.
What is most valuable?
- High flexibility: There are many custom sources of information that we wouldn't be able to integrate with another SIEM solution, thus compromising our security.
- High performance: The amount of data fed to the solution is huge (100s of millions of events per day).
- Capacity for multi-tier hierarchical deployment: We are able to integrate and standardize security incident detection and response over many locations.
How has it helped my organization?
- Losses from security incidents have significantly decreased.
- Security incident discovery and mitigation is a matter of hours, rather than days or even months, like it was before.
- Detailed reports allow for planning and informed decision making.
What needs improvement?
The overall complexity of the product can be overwhelming for some. It's not the type of solution where you just plug it in and it works. Reaping full benefit from it requires quite a lot of custom tuning, qualified IT security personnel, and proper and thorough planning.
Technical support from the vendor can sometimes be quite slow and not very helpful, but it is getting better.
The GUI is outdated. Improvements on this are on the way, according to the vendor.
For how long have I used the solution?
I’ve been using ArcSight for five years.
Buyer's Guide
ArcSight Enterprise Security Manager (ESM)
March 2025

Learn what your peers think about ArcSight Enterprise Security Manager (ESM). Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
842,672 professionals have used our research since 2012.
What do I think about the stability of the solution?
We had stability issues only in a virtual environment, which is not recommended by the vendor for a high-load setup. The main virtual server would crash every now and then. But once we had migrated the setup to a dedicated physical server, we had no major stability issues.
What do I think about the scalability of the solution?
Scalability was one of our main concerns while choosing a solution and, so far, it has satisfied our needs in this area without any issues.
How are customer service and support?
Right now, I would call technical support moderately good, since it has improved greatly over the past years. There are still some issues with timeliness every now and then, but the number of critical issues is quite low.
Which solution did I use previously and why did I switch?
We have evaluated several solutions and HPE ArcSight was the only one that satisfied our requirements in performance, scalability, and flexibility.
How was the initial setup?
Initial setup was quite complex and required a lot of planning. That is a downside of the solution being flexible and customizable.
What's my experience with pricing, setup cost, and licensing?
The pricing and licensing model has changed dramatically over the last years, so I can't really give much advice on its current state. You need to be ready for the solution to be quite expensive.
Which other solutions did I evaluate?
We evaluated McAfee ESM.
What other advice do I have?
The keys to success with this solution are:
- Careful deployment planning
- Readiness to invest time and resources into training your IT security personnel
- Fine tuning the solution to your specific needs
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information Security Advisor, CISO & CIO, Docutek Services at Docutek Services
Has helped us to gather, store, correlate and analyze security log data from many different information systems.
Valuable Features:
Intrusion Detection System (IDS)
Security Information and Event Management (SIEM)
Improvements to My Organization:
To organizations like mine, security information and event management products being introduced in the industry, as an outcome of several vulnerabilities, are able to provide real-time monitoring, reporting, and defense against these attacks. It has helped us to gather, store, correlate and analyze security log data from many different information systems.
Room for Improvement:
For this review, ArcSight sent me the Logger 4 7000-series appliance (2U) with six 1TB RADIUS drives, the maximum amount of internal storage available. I would like to see a threat analytics module. Also, the ability to produce reports.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partners
IT Security Assistant Manager at an insurance company with 5,001-10,000 employees
It allows us to traceback security threats, to generate usage trends and discover anomalies.
Valuable Features:
For us, there are several valuable features.
- The ability to correctly parse the largest number of products compared to its competitors;
- The ability to create very complex scenarios to detect security risks and anomalies;
- Very stable system components (connectors, logger and correlation engine) combined with satisfactory vendor support; and
- The ability to create parsers for all kinds of applications and systems is an important differentiator.
Improvements to My Organization:
It greatly changed our work habits in the organization allowing us to not only trace back security threats, but also to generate usage trends, discover anomalies and so many other usages. It quickly became an indispensable tool.
Room for Improvement:
They can definitely provide faster search response and offer larger on-the-box storage support. The predefined correlation ruleset can be improved to cover more security alerts and more products.
There is also still room for improvement in processing speed. Easily accessible documentation, such as reference architectures, does not exist; more guidance could be provided to customers for such a complex product.
Deployment Issues:
We've had no issues with deployment.
Stability Issues:
We've had no issues with stability.
Scalability Issues:
We've had no issues with scalability.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Analyst at a financial services firm with 10,001+ employees
Helps our clients with compliance and gives them real-time alerts and monitoring for their server data
Pros and Cons
- "We do consulting and I get feedback from our clients that the product really helped them with compliance, especially with GDPR."
- "I would like for them to integrate mobile devices. Integration or any kind of functionality which will act as a substitute for IBM so that we can really track our mobile devices as well as look at SIEM."
What is our primary use case?
We use this solution for clients that want database consulting. They have a lot of general users' data in that demise, so they want to have a robust SIEM solution that they trust. They have real-time alerts and monitoring for their data server.
How has it helped my organization?
We do consulting and I get feedback from our clients that the product really helped them with compliance, especially with GDPR.
What needs improvement?
They should make a user manual for the technical people.
I would like for them to integrate mobile devices. Integration or any kind of functionality which will act as a substitute for IBM so that we can really track our mobile devices as well as look at SIEM.
What do I think about the stability of the solution?
I would rate the stability as a four out of five.
How was the initial setup?
The initial setup was easy. It was a two-month project plus one month setting up the best practices cost organization. In total, it was around a three month project.
What's my experience with pricing, setup cost, and licensing?
Pricing is average.
What other advice do I have?
I would rate this solution a nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Product Specialist Security Solutions at a tech services company with 201-500 employees
The feature list allows us to input data dynamically to list it as a rule action.
How has it helped my organization?
Having a SIEM solution in general improves the way an organization functions, especially in the SOC part. With HPE ArcSight, we were able to deploy multiple dashboards, reports, and use case views that combine different views, data, and variables.
What is most valuable?
One of the most valuable features is the Active List/Session List capability.
Multiple use cases could only be created thanks to this list feature. The list feature allows us to input data dynamically into a list as a rule action.
For example: If you need to take a Source IP from an IPS event and put it in an ActiveList suspicious IP, you can create another rule for AntiVirus events where it only matches IPs within that list.
What needs improvement?
The main area is the GUI interface. Although a lot of improvements were made on the GUI in the last version (6.9.1), there are still a lot of configurations that need to be done using the console.
The console is not a bad tool to use. I personally like to use it. However, compared to competitive solutions (Splunk, QRadar), it appears to be a weakness.
What do I think about the stability of the solution?
In general, it is a very stable product. We did multiple implementations, and we never had any major issues.
As with any other solution that handles a large number of logs/data, regular fine-tuning is required. This fine-tuning makes sure that the system is doing what it is supposed to do, with the capacity load that it was designed/sized to handle.
What do I think about the scalability of the solution?
There were no scalability issues. A single Express/ESM Appliance is usually enough to support most of the enterprise’s needs. Only package upgrades need to be purchased. No hardware changes are necessary.
As for the loggers for long retention, you can add multiple loggers and cluster them as one virtual appliance. This provides for an easy scalability feature.
For the connectors part, you can implement as many connectors as you need so you can cover all your zones/branches. At a later time, a load-balanced connector for syslog can be introduced to make sure that logs for sensitive UDP packets are lost.
How are customer service and technical support?
We barely used the technical support assistance except for licensing. The times when we did use it, they were very good.
Which solution did I use previously and why did I switch?
We worked with RSA enVision/RSA SA as a partner:
- RSA enVision was very basic and was very hard to fine-tune.
- RSA SA (logs/packets) is more oriented towards packets/investigation and lacks multiple features when only using it for log management/SIEM.
How was the initial setup?
The initial setup was very easy. A fresh ESM/Express Installation with a connector can be up and running within a few hours.
With all of the best SIEM solutions, the biggest chunk of work comes later in creating customized rules, dashboards, use cases, and flex connectors for non-supported devices.
What's my experience with pricing, setup cost, and licensing?
In general, ArcSight solutions can cost a lot in big deployments. That comes as a result of having a big, scalable, stable, and feature-rich solution.
Which other solutions did I evaluate?
As a partner, we sell the product. We shifted from RSA to ArcSight based on our internal evaluations.
We tested McAfee Nitro, which was not mature enough at the time compared to ArcSight.
What other advice do I have?
Do a live PoC to test all needed features.
Think of use cases that you would like to deploy and make sure they are doable on the system, without additional licenses/appliances.
Choose a mature partner who is able to deliver the implementation even if it costs a bit more. The most common factor in failed SIEM experiences is bad implementations from non-experienced partners/engineers.
Disclosure: My company has a business relationship with this vendor other than being a customer: We are partners with HPE.
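The Active List chaining described in the review above (an IPS rule whose action writes the source IP into a suspicious-IP list, and an AntiVirus rule that only matches IPs already on that list), shown as an added example that is not from the review or from ArcSight itself. The event fields, the 600-second entry TTL and the sample events are assumptions constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Minimal stand-in for a normalized SIEM event (assumed field names)."""
    device_product: str  # e.g. "IPS" or "AntiVirus"
    src_ip: str
    ts: int              # seconds since some epoch; integers keep the sample simple


class ActiveList:
    """Keyed list with a per-entry time-to-live, mirroring how an Active List
    holds values a rule action put there until they expire (simplified model)."""

    def __init__(self, ttl_seconds: int):
        self.ttl = ttl_seconds
        self.entries: dict[str, int] = {}  # ip -> expiry timestamp

    def add(self, ip: str, now: int) -> None:
        # A fresh sighting refreshes the expiry, as a rule action would.
        self.entries[ip] = now + self.ttl

    def contains(self, ip: str, now: int) -> bool:
        expiry = self.entries.get(ip)
        if expiry is None:
            return False
        if expiry <= now:
            del self.entries[ip]  # lazy expiry: stale entries must not match
            return False
        return True


def rule_ips_populates_list(event: Event, suspicious: ActiveList) -> bool:
    """Rule 1 (review): every IPS event adds its Source IP to 'suspicious IPs'."""
    if event.device_product == "IPS":
        suspicious.add(event.src_ip, event.ts)
        return True
    return False


def rule_av_matches_list(event: Event, suspicious: ActiveList) -> bool:
    """Rule 2 (review): an AntiVirus event fires only if its IP is on the list."""
    return event.device_product == "AntiVirus" and suspicious.contains(event.src_ip, event.ts)


def correlate(events: list[Event], ttl_seconds: int = 600) -> list[tuple[str, int]]:
    """Replay events in time order and return (ip, ts) for each Rule 2 hit."""
    suspicious = ActiveList(ttl_seconds)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        rule_ips_populates_list(ev, suspicious)
        if rule_av_matches_list(ev, suspicious):
            alerts.append((ev.src_ip, ev.ts))
    return alerts


# Constructed sample stream: one host seen by the IPS then by AV (hit), one host
# seen only by AV (no hit), a stale entry after the TTL (no hit), and a new pair.
SAMPLE_EVENTS = [
    Event("IPS", "10.0.0.5", 0),
    Event("AntiVirus", "10.0.0.5", 30),
    Event("AntiVirus", "10.0.0.9", 40),
    Event("AntiVirus", "10.0.0.5", 700),
    Event("IPS", "10.0.0.9", 710),
    Event("AntiVirus", "10.0.0.9", 720),
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

The TTL is what keeps the second rule from firing forever on an IP the IPS flagged once; without it the list only grows and the AntiVirus rule degrades into a plain match on every IP ever seen.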
EVP & Global Head - Services at a tech company with 1,001-5,000 employees
The live threat feed keeps us abreast of the latest threats. The initial setup required a lot of customization.
Valuable Features
From the time that we purchased it, the multi-tenancy feature has been the most valuable for us. At the time, HP was the only vendor with this feature, but it seems that every vendor today does. Another feature we like is the live threat feed that's quite advanced. HP is the industry leader with this from an SIEM perspective.
Improvements to My Organization
From a daily perspective, ArcSight prevents attacks while it actively monitors our systems. It provides us analytics for these attacks and helps keep us abreast of the latest threats because of live threat feeds.
Room for Improvement
It's complicated to deploy. I need a logger at each site, which also gets quite expensive. There's no shared loggers.
Deployment Issues
We've had no issues with deployment, although it's complicated.
Stability Issues
It's a pretty stable solution. We've had no issues with instability.
Scalability Issues
It's very scalable.
Customer Service and Technical Support
They're pretty good and responsive.
Initial Setup
The initial setup was complex and required a lot of customization and tinkering. There are other products on the market that are very light, and this is not one of them. To get all the functionalities and to exploit them, it takes a long time to deploy. It takes 3-4 months.
Pricing, Setup Cost and Licensing
It's very expensive in its licensing model.
Other Advice
Definitely consider it as a top-3 choice, but know what you're trying to achieve with an SIEM tool.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Manager Fraud Services at a financial services firm with 1,001-5,000 employees
It's a reliable service and provides our team members with a lot of knowledge.
Valuable Features:
It's a reliable service and provides our team members with a lot of knowledge. In turn, it provides solutions for the needs of the IT department.
Room for Improvement:
There are improvements that could be made to help us ensure that we're in compliance with our monitoring requirements.
Use of Solution:
I've been in my group for over eight years and we've used it for the entire time. I'm not sure when the initial implementation was.
Deployment Issues:
We've had no issues with deployment.
Stability Issues:
It's consistently stable. I've not heard any complaints about instability.
Scalability Issues:
HP has delivered for our company and its size.
Initial Setup:
The initial setup was done more than eight years ago before I started with the company.
Implementation Team:
We bring in an HP consultant for development and implementation.
Other Advice:
It's a solid product supported by a solid company.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Managing partner at a tech services company with 11-50 employees
Good at consolidating logs, fairly stable, and can scale
Pros and Cons
- "The solution is pretty stable."
- "The way that scaling is set up isn't very cost-effective."
What is our primary use case?
We primarily use the solution for consolidating the logs from all the applications and databases and different centers.
What is most valuable?
The solution is very good at consolidating logs from a variety of sources.
The solution is pretty stable.
The solution can scale.
What needs improvement?
The way that scaling is set up isn't very cost-effective.
The automation needs to be improved. Everybody needs automation as there is a lack of analysts these days in all of our security diagnostic accounts. There's too much noise in the data they push to you. It's a lot of white noise, and it takes a lot of time to sort through all the false positives that ArcSight triggers for you.
It's very complicated to see if something is a real case and if it's a threat or not. It's very difficult to be able to check the information sent, as they are sending you thousands of messages per day regarding threats. It's very difficult for an analyst to be able to pinpoint the real root cause of the problem.
I would suggest that they offer full automation and filtering for white noise. By white noise I mean the bulk of messaging and alerts they have been sending to the security analysts. It's difficult for them to realize if it's a threat or not in the end, and you need to spend a lot of time among other systems that you also need to manage. Maybe only 10% of this information is useful for a security analyst.
The product should improve its ease of use.
They should work to have a more, let's say, intuitive dashboard, a real-time intuitive dashboard, and to focus it on the most important, critical assets in the company.
The solution requires a lot of expertise and manpower to deploy the solution.
For how long have I used the solution?
We've been using the solution for nine years. It's been just under a decade.
What do I think about the stability of the solution?
The solution is pretty stable. However, they've got some problems in terms of interacting with APIs. To try to make ArcSight speak with other solutions and try to correlate information from IPS/IDS solutions looks pretty complicated.
What do I think about the scalability of the solution?
The solution can scale if you need it to. It's just an expensive process.
Regarding the scalability, it was a problem that their license model was EPS. If you're familiar with the EPS licensing model, events per second, it is not a very good idea as a model, as you cannot foresee what's in 2021 or what will be in 2022. From our point of view, it causes a lack of proper budgeting due to the fact that it's very difficult to budget how many events per second you will generate in all your systems.
How are customer service and technical support?
We haven't really dealt with technical support. I wouldn't be able to speak to the quality of their services.
How was the initial setup?
The initial setup is very, very complex, and requires a lot of consultancy and professional services associated with it. It's not at all easy to install the solution as per my knowledge. It's very complicated.
What's my experience with pricing, setup cost, and licensing?
The licensing model is based on EPS - Events Per Second - and it makes it hard to budget how much the solution will cost.
The solution is pretty expensive.
Which other solutions did I evaluate?
At a marketing level, we've checked out Splunk. We have not tested it internally on our servers. We simply took a closer look at their marketing and their strategic messaging.
What other advice do I have?
We have used on-premises previously. We have never tested the cloud option if they have one.
I would rate the solution seven out of ten. I consider Splunk and LogRhythm to be the number one solutions in the market.
I would advise others to be very careful when they get a quote from ArcSight, as, in the end, what they offer to you initially is not what you will end up with in terms of budgeting, pricing, and the level of expectations.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Thanks I agree.