We are using QRadar as a managed service.
Head of IT Security, Governance and Compliance at a consumer goods company with 10,001+ employees
Easy to use, provides environment visibility, and assists with incident discovery in advance of problems to the business
Pros and Cons
- "This is a good tool to have because it gives you the ability to track what is currently happening in your environment."
- "The modularity could be improved."
What is our primary use case?
How has it helped my organization?
This product helps us to find security incidents before they become a problem to the business. We are able to attend to them quicker and we can put protection in place so that should they occur again, we are able to deal with them more easily.
What is most valuable?
The most valuable feature is the ease of use.
What needs improvement?
The modularity could be improved.
Buyer's Guide
IBM Security QRadar
March 2025

Learn what your peers think about IBM Security QRadar. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
842,767 professionals have used our research since 2012.
For how long have I used the solution?
We have been using IBM QRadar for three years.
What do I think about the stability of the solution?
This is a very stable product.
What do I think about the scalability of the solution?
We have had no issues with scalability and we have approximately 1,500 users. We are not using its full capabilities at the moment because we are still growing. In the next year or two, we will see.
How are customer service and support?
I don't deal with IBM directly. Rather, I deal with our service provider and they deal with IBM.
How was the initial setup?
The initial setup was very easy for us because we just bought what we were looking for, and not the entire infrastructure.
What about the implementation team?
The company that we subscribe to for this service takes care of the installation, maintenance, and management of it. They give us updates that concern the features we use, so the maintenance doesn't affect us much.
What's my experience with pricing, setup cost, and licensing?
We use QRadar as a managed service and we pay licensing fees to the partner.
What other advice do I have?
This is a good tool to have because it gives you the ability to track what is currently happening in your environment. Otherwise, if you did not have that, you'd only react to an event or an incident that has already caused problems. The proactiveness goes a long way because it saves your environment and your business from being negatively affected.
In summary, this is a good product but there is always room for improvement.
I would rate this solution a nine out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.

IT Security Analyst at a manufacturing company with 10,001+ employees
Helps us monitor and generate statistics that help to illustrate what is going on in the company
Pros and Cons
- "I have found its network traffic log, network bit log, and QBI most valuable."
- "We need more features in order to create rules to detect or to meet some requirements for other areas, for example, catching the event from other authentication tools."
What is our primary use case?
We have a lot of use cases with IBM QRadar, but our primary use is for monitoring traffic and detecting tricks.
How has it helped my organization?
In terms of how IBM QRadar has improved our company, on peak days it helps us monitor and generate statistics that help to illustrate what is going on in the company. For example, SMB detects ransomware and invalid log-on. If a user is located in the United States, or we expect a login in Russia, or Ukraine, or Kenya, it is very important for us because we can detect what application they are using there, or if a hacker is trying to log in by mobile or another device.
What is most valuable?
I have found its network traffic log, network bit log, and QBI most valuable.
We have a lot of domain controllers in QRadar tracking all the security. It is also useful for identity management.
What needs improvement?
In terms of where it could be improved, this includes its forensics, incident response, and security operation center features. Additionally, some also struggle with the rules. We need more features in order to create rules to detect or to meet some requirements for other areas, such as catching the event from other authentication tools, like in Okta, for example.
In some cases, I have issues because some tools are not integrated in QRadar, such as other tools similar to DLP (Data Loss Prevention). We need to create all the integrations manually because they are not integrated in QRadar. We have a problem, for example, because they have Symantec DLP integrated in QRadar, however, it is not working because it's not detected automatically. It is not converting all the columns, but we do have the option to create manually. This is not difficult because it's very clear in the procedures.
For how long have I used the solution?
I have been using IBM QRadar for seven years.
What do I think about the stability of the solution?
QRadar's stability is great because it is always live and is always catching and monitoring all the information that we need. When we need information, it is here in QRadar.
In terms of maintenance of QRadar, my internet is secured by IBM.
What do I think about the scalability of the solution?
For me, the scalability is good.
At the moment, we have no more than 15 people working on QRadar. This includes analysts, forensics, internet response, and active directory.
How are customer service and technical support?
Tech support is good. Additionally, I can find all the information at IBM.
How was the initial setup?
In some cases, the system or the hardware does not meet the requirements to install one flow collector, or the menu is not displayed. The menu has 10 options. If the CPU and memory are not enough, the menu shows only five or six options, but this information is not mentioned in the installation process. It is not complex, though, because the installation is very clear as long as we are meeting all the requirements for the CPU, memory, and disk space.
The solution takes maybe four months because we have a lot of integrations.
What other advice do I have?
I would absolutely recommend QRadar because it has a lot of options to improve or detect some information.
On a scale of one to ten, I would give QRadar a 10.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Works at a healthcare company with 5,001-10,000 employees
Good visibility of network and endpoints, correlate events to specific point-in-time
Pros and Cons
- "The ability to transition from microscopic to macroscopic view, instantly, is very good."
- "I would like to see a better GUI."
What is our primary use case?
Our primary use case is intrusion prevention and detection. We also use this solution for compliance and assisting in network troubleshooting for IT.
How has it helped my organization?
This has been indispensable in detecting intrusion attempts and many forms of malicious activity.
What is most valuable?
This solution provides amazing visibility into the network and endpoints. The ability to correlate point in time and things happening over time is priceless in today's threat environment.
The rules can look for things both from log sources and from data traversing your network which is unique in the SIEM world and makes QRadar a consistent magic quadrant leader.
The QNI file hash in-flight search is helpful.
The ability to transition from microscopic to macroscopic view, instantly, is very good.
What needs improvement?
I would still like to see a better GUI. Improvements have been made, but there is still a way to go.
There are petty annoyances, like clicking out of a rule setup and, instead of going back to your search results in the rules with the rule you selected still highlighted, you get the whole list without your search. Start again. In the new log source management app, if you have a large number of log sources, typing a name to filter them by is Java Hell: the high overhead of JIT-compiled code means that even two-fingered, carpal-tunnel-afflicted users can outpace the type-ahead buffer, leaving random intermediate characters on the floor. Needless to say, that makes managing log sources sometimes annoying. You can always cut and paste to get around this, but hey, for 5 or 6 figures in hardware and software, it ought to keep up with my typing.
But to be fair, these kinds of things are dwarfed by its awesome ability to ingest and correlate tortured use cases of mind-boggling complexity, which is what you REALLY need your SIEM to do. That, QRadar does better than anyone else.
For how long have I used the solution?
I have been using IBM QRadar for about five years.
What do I think about the scalability of the solution?
Scalability is very good.
What's my experience with pricing, setup cost, and licensing?
This is not a trivial undertaking. You will need at least one experienced user and considerable infrastructure to support this if you use the on-prem version which we did. The cloud version has less overhead but there are some limitations so choose carefully.
Which other solutions did I evaluate?
Other solutions were investigated, but none came close to QRadar's capability.
What other advice do I have?
If you absolutely, positively have to catch the bad guys, and you have a heterogeneous environment, QRadar is a great choice.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Solution Architect with 1,001-5,000 employees
No matter what technology you choose, the technology area is 15% of the effort. Your processes are 85%
What is most valuable?
IBM Qradar is:
- Easy to install. It's effectively Red Hat 6.5 with an app on top.
- Automatic log source identification
- Inbuilt rules and reports are comprehensive, so out of the box the system does things
- Recognises every log source we have added.
- IBM supply a virtual image, which makes the standing up of a system a small piece of work.
How has it helped my organization?
IBM Qradar has great data reduction. We have several hundred million log records arrive on various of the platforms daily and have been able to tune them to alert on important things well. Very few false positives.
Like any SIEM product, at a very base level the system is a pattern matcher, looking for patterns in single log messages or for patterns in multiple log messages combined with flow data. It has a primary focus of Security Event Management, but you can look for anything in the information flowing through the system and can alert on it. So it can be used - and we do - as a general IT event management/monitoring system.
What needs improvement?
Room for improvement - IBM Qradar:
- Graphing on the system is a tad coarse. Analytics now requires really high quality graphing to assist in pinpointing anomalies.
- Need for multiple Java versions for deployment setup is a pain.
- There are areas you need to have Java 7 to be able to use. (Primary need for this is to access the Deployment area.)
- We need to be able to handle multiple overlapping IP address areas. That is coming, we know. But slowly.
- When you are building this in a virtualised environment, you do have a bit of difficulty accessing the GUI.
For how long have I used the solution?
3.5 years
I have used several versions of the Qradar system. Both the IBM version and the Juniper STRM OEM version.
IBM I rate as 7.5/10
STRM at 7/10
What was my experience with deployment of the solution?
No real issues with deploy. What it is doing is exactly what we expected. It does have a few wrinkles but that is more about where we are collecting logs from.
What do I think about the stability of the solution?
No stability issues yet.
What do I think about the scalability of the solution?
No scalability issues yet. We have sized the latest system to cope with up to 10,000 EPS and are only at about 4,000 at the moment. Scaling is simply adding extra license as required at the moment. Easy.
How are customer service and technical support?
Customer Service:
Generally excellent.
Technical Support:
Generally excellent.
Which solution did I use previously and why did I switch?
- We were using Splunk. Licensing does not allow you to expose Splunk screens to customers (we are an ISP and IT service provider).
- McAfee Nitro was too expensive.
- ArcSight takes too long to install and tune.
How was the initial setup?
Simple:
- Boot VM off ISO image.
- Install license
- Point logs at it
- Done
Occasionally the documentation did not reflect what was happening, so we did need to access tech support a few times.
What about the implementation team?
We implemented it ourselves. Initial seat-of-the-pants approach. Worked. I got my Red Hat builder to spin up the two VM servers off the supplied image, licensed them, gave them the appropriate IP addresses, created the deployment (the Java 7 bit), and the system started receiving logs from the 1,200 Cisco routers.
What was our ROI?
We are fulfilling a government contract. Install and move to BAU has been done and it came in under the estimated budget... so all good.
Which other solutions did I evaluate?
- McAfee Nitro
- Juniper STRM
- AlienVault. Note: we would probably have used AlienVault, but there was no representation in Asia Pacific at the time.
- Trustwave
What other advice do I have?
- First, gather your requirements.
- From that, build a business case.
- Understand that no matter what technology you choose, the technology area is 15% of the effort. Your processes are 85%. No process... then 5h1t in, 5h1t out.
- Make sure you know your business reasons for the implementation.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
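As an added example, not code from any reviewer or from IBM: the "pattern matcher" view above (patterns in single log messages versus patterns across several messages) and the unexpected-country logins an earlier reviewer mentions, written as a small correlation pass over constructed log lines in Python. The log line format, the rule names and the per-user expected-country table are assumptions made for this example.

```python
"""Tiny SIEM-style correlation over constructed auth log lines.

Two rule kinds, mirroring what a SIEM does at its base level:
  1. single-event rule: a successful login from a country that is not in
     the user's expected set (the "login from an unexpected country" case)
  2. multi-event rule: several failures for one account inside a time window,
     followed by a success (stateful correlation across log messages)
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed log format for this example (not a real QRadar or vendor format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\w+) src=(?P<ip>[\d.]+) "
    r"country=(?P<country>[A-Z]{2}) result=(?P<result>success|failure)$"
)

# Assumed reference set: which countries each user normally logs in from.
EXPECTED_COUNTRY = {"alice": {"US"}, "bob": {"US", "CA"}}


@dataclass
class Event:
    ts: datetime
    user: str
    ip: str
    country: str
    result: str


def parse_line(line):
    """Normalise one raw line into an Event; unparseable lines yield None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # skip noise instead of crashing the whole pipeline
    return Event(datetime.fromisoformat(m["ts"]), m["user"], m["ip"],
                 m["country"], m["result"])


def rule_unexpected_geo(ev):
    """Single-event rule: success from a country outside the user's set."""
    if ev.result == "success" and ev.country not in EXPECTED_COUNTRY.get(ev.user, set()):
        return f"unexpected_geo user={ev.user} country={ev.country}"
    return None


class BruteForceThenSuccess:
    """Multi-event rule: >= threshold failures within window, then a success."""

    def __init__(self, threshold=3, window=timedelta(minutes=5)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures

    def feed(self, ev):
        q = self.failures[ev.user]
        while q and ev.ts - q[0] > self.window:  # expire failures outside the window
            q.popleft()
        if ev.result == "failure":
            q.append(ev.ts)
            return None
        if len(q) >= self.threshold:
            count = len(q)
            q.clear()  # fire once per burst, not on every later success
            return f"bruteforce_success user={ev.user} failures={count} src={ev.ip}"
        return None


def correlate(lines):
    """Run every rule over the lines in order; return the offenses raised."""
    offenses = []
    stateful = BruteForceThenSuccess()
    for ev in filter(None, map(parse_line, lines)):
        for hit in (rule_unexpected_geo(ev), stateful.feed(ev)):
            if hit:
                offenses.append(hit)
    return offenses


# Constructed sample log (documentation IP ranges, fictional users).
SAMPLE_LOG = """
2025-03-01T10:00:00 auth user=alice src=203.0.113.5 country=US result=success
2025-03-01T10:01:00 auth user=bob src=198.51.100.7 country=RU result=failure
2025-03-01T10:01:30 auth user=bob src=198.51.100.7 country=RU result=failure
2025-03-01T10:02:00 auth user=bob src=198.51.100.7 country=RU result=failure
2025-03-01T10:02:30 auth user=bob src=198.51.100.7 country=RU result=success
2025-03-01T10:20:00 auth user=alice src=203.0.113.5 country=US result=failure
2025-03-01T10:21:00 auth user=alice src=203.0.113.5 country=US result=success
this line is deliberately malformed
"""

if __name__ == "__main__":
    for offense in correlate(SAMPLE_LOG.splitlines()):
        print(offense)
```

Only bob's final success raises offenses: one from each rule kind, while alice's single failure stays below the threshold and her login country is expected.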
Architect at a financial services firm with 1,001-5,000 employees
Easy to set up and expand but has too many false positives
Pros and Cons
- "The scalability is very good. It's not a problem."
- "I'm not sure about the stability just yet. We've observed a few issues and we raised a supporting ticket for it."
What is most valuable?
To be very frank, it's not that much help as of now. We are not getting that many insights from UBA, which we wanted, actually. As of now, we are exploring UBA, and we have installed it. It's still quite new.
The initial setup is straightforward.
What needs improvement?
The solution is still new to us. Currently, it's a work in progress. I'm not in any particular condition to tell what exact improvements are required. I will let a few more months go by before analyzing the overall UBA solution in QRadar to get to know it and have a final understanding of this particular application.
There are a lot of things that require modification. That's my initial observation, however, I need more time and a few more months to get to know it and get a final understanding of the solution as a whole.
I want a reduction of false positives. I want crisp true positive incidents out of it. I want to see proper user behavior. Whatever algorithm is working in the background, that algorithm should produce accurate, true positive incidents and not false positives.
For how long have I used the solution?
We have been using QRadar as an appliance for the last four years; however, we recently, for the last six months, started using UBA.
What do I think about the stability of the solution?
I'm not sure about the stability just yet. We've observed a few issues and we raised a supporting ticket for it.
What do I think about the scalability of the solution?
The scalability is very good. It's not a problem.
How are customer service and support?
Technical support has been very supportive. We're largely satisfied with them.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup is straightforward and simple. It's not very complex.
We are using multiple features in QRadar. UBA is just one feature. We have 14 data nodes overall and almost 2,500 GB of data integrated with it, and we are using multiple applications in QRadar. We have a nine-member team that manages the overall QRadar architecture, not only UBA.
What about the implementation team?
We did a direct integration.
What's my experience with pricing, setup cost, and licensing?
I'm an architect. Normally costs and licensing are handled by senior management.
For UBA, they haven't asked for any extra charges or anything. It's included in the licensing.
What other advice do I have?
We're an IBM partner. We have platinum support with IBM.
We have segregated our data between on-prem and the cloud. All the on-prem data we have integrated with the QRadar. QRadar itself is an on-prem solution. We have QRadar hardware with us.
At this point, I would not recommend the solution to others.
I'd rate the solution a six out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Relationship Manager at a financial services firm with 5,001-10,000 employees
Reasonably priced with good technical support and offers great performance
Pros and Cons
- "We've found the technical support to be very good."
- "The product needs to improve its GUI."
What is most valuable?
The price is very good. It's quite reasonable.
The solution's performance is excellent. The stability is excellent.
We've found the technical support to be very good.
The pricing is very good.
What needs improvement?
The product needs to improve its GUI. The dashboard which they facilitate needs to be modernized. They could make it a lot better and a lot easier to navigate.
For how long have I used the solution?
I've been using the solution for approximately two years or so.
What do I think about the stability of the solution?
The stability of the product has been great. It's 80% to 90% stable. There are very few bugs or glitches. It doesn't crash or freeze. If you do run into issues, technical support is quite helpful.
What do I think about the scalability of the solution?
The product works well for small or medium-sized enterprises.
How are customer service and technical support?
The technical support has been great so far. If you run into any kind of issue, their support is available. They are very helpful and extremely responsive. We're quite satisfied with their level of service. I'd give them a rating of 90% to 95%.
What's my experience with pricing, setup cost, and licensing?
The pricing of the solution is quite reasonable.
What other advice do I have?
We're a customer and an end-user. We don't have a direct business relationship with IBM.
Overall, I would rate the solution at a nine out of ten. We've been extremely satisfied with the product so far.
I'd recommend the solution; however, it depends upon a company's budget and requirements. For small and medium enterprises, QRadar is the best solution, due to its price and performance.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
SOC Team Lead at a financial services firm with 1,001-5,000 employees
Flexible, easy to learn, and priced fairly
Pros and Cons
- "I have found the most important features to be the flexibility, tech framework, and disk manager."
- "There could be better integration with the solution."
What is our primary use case?
Depending on the organization's needs, the solution can monitor different types of security through logs.
What is most valuable?
I have found the most important features to be the flexibility, tech framework, and disk manager. Additionally, the solution is easy to learn how to use.
What needs improvement?
There could be better integration with the solution.
For how long have I used the solution?
I have been using the solution for approximately three years.
What do I think about the stability of the solution?
Every solution has some bugs and other issues but for the most part, this solution is stable.
What do I think about the scalability of the solution?
The solution is scalable. The number of users is dependent on what your needs are. You can have many users having access to the solution. For example, out of a 5,000-person network, you could have five with access to it for security.
How are customer service and technical support?
The solution has great support. Whenever we had an issue they were able to give us support within 15 minutes.
How was the initial setup?
The installation was easy, but this can depend on what appliances you want to install it on. If it is VMware, then the installation is easy; it took me 30 minutes.
What about the implementation team?
We did use a consultant to do the deployment and we only needed one technician.
What's my experience with pricing, setup cost, and licensing?
The solution is priced fairly, there is a license for the solution, and we pay annually.
What other advice do I have?
I would recommend the solution to others and we plan to continue using it in the future.
I rate IBM QRadar a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Solutions Architect at a manufacturing company with 51-200 employees
A stable SIEM solution with centralized control and built-in AI/ML
Pros and Cons
- "QRadar, Splunk, and ArcSight are SIEM solutions with built-in AI/ML features. They can do the complete investigation and alert the admin about what is happening. They can also do the root cause analysis. There are many other features that come with QRadar. It has a more granular log, so you can integrate with various non-IT as well as IT-based components. You can get unstructured data to the SIEM data, and you can identify more what is happening in the network or what is happening in the central head office. You can also identify what is happening between your remote offices. You can also use it to identify what the users in the field are doing on their devices and how things are moving. From the integration point of view, it is very centric. It gives complete control centrally. If a user is not connected to the system, whenever he comes online, we can see the policy updates over the Internet, and we can ensure that the data that is supposed to be protected is protected."
- "When it comes to what could be better, it is always what others are trying to do and what is the roadmap. It can have more integration. It should have more flexible RESTful APIs for integration with applications. These are the things that are always in demand for any of the SIEM solutions, not only for QRadar. Integration is ever-evolving. Nowadays, different versions of mobile handsets are there and data is getting scattered. Users are using their personal handsets to keep the data of the organization. So, it should have a more flexible integration, irrespective of the flavor of the firmware and iOS or Android version. It should have an API that can seamlessly get integrated. It should also provide more flexible control and a more advanced or analytical view to see what exactly is happening across the globe or network. From wherever a user is connecting and accessing the enterprise data, it should give real-time visibility and predictive visibility about what exactly is happening. These things are already there, but there should be more advanced control in terms of managing the security."
What is our primary use case?
We provide cloud services to the users, and we have our own cloud setup over here. The major use case is when clients require the SOC to be set up.
Setting up the SOC itself is a huge investment. A customer has to invest a lot to build up the whole SOC environment, so, rather than the customer investing in the SOC environment and building up the SOC, we provide it as a service. Customers don't need to do any up-front investment. They use our service. We manage their security tools and security environment as per the compliance guidelines that come from the Indian government. We follow all those practices, and we help them procure more for their network and infrastructure.
What is most valuable?
QRadar, Splunk, and ArcSight are SIEM solutions with built-in AI/ML features. They can do the complete investigation and alert the admin about what is happening. They can also do the root cause analysis.
There are many other features that come with QRadar. It has a more granular log, so you can integrate with various non-IT as well as IT-based components. You can get unstructured data to the SIEM data, and you can identify more what is happening in the network or what is happening in the central head office. You can also identify what is happening between your remote offices. You can also use it to identify what the users in the field are doing on their devices and how things are moving.
From the integration point of view, it is very centric. It gives complete control centrally. If a user is not connected to the system, whenever he comes online, we can see the policy updates over the Internet, and we can ensure that the data that is supposed to be protected is protected.
What needs improvement?
When it comes to what could be better, it is always what others are trying to do and what is the roadmap. It can have more integration. It should have more flexible RESTful APIs for integration with applications. These are the things that are always in demand for any of the SIEM solutions, not only for QRadar.
Integration is ever-evolving. Nowadays, different versions of mobile handsets are there and data is getting scattered. Users are using their personal handsets to keep the data of the organization. So, it should have a more flexible integration, irrespective of the flavor of the firmware and iOS or Android version. It should have an API that can seamlessly get integrated. It should also provide more flexible control and a more advanced or analytical view to see what exactly is happening across the globe or network. From wherever a user is connecting and accessing the enterprise data, it should give real-time visibility and predictive visibility about what exactly is happening. These things are already there, but there should be more advanced control in terms of managing the security.
For how long have I used the solution?
I have been using this solution for five years.
What do I think about the stability of the solution?
It is absolutely stable. It depends upon how the implementation has been done. We definitely have the skills to do this kind of implementation. We ensure that a customer's environment is absolutely protected.
What do I think about the scalability of the solution?
It is very scalable, but it also depends upon how the implementation was done. We are providing services to one of the major brands in India. They have somewhere around 30,000 devices. We are currently managing more than 1 lakh QRadar users.
How are customer service and technical support?
QRadar has a good technical team. They provide timely support whenever a ticket is raised.
How was the initial setup?
Deployment of such solutions always takes time because these solutions are not simple. You should have the expertise and you should understand what is really needed for the business. We understand the real business need, and accordingly, we implement the policies.
What about the implementation team?
We have been managing some of the security tools for the past 11 years. We have expert engineers who can help our customers with installation, configuration, planning, designing, and other things.
If you have an environment of 5,000 or 10,000 devices, three to five people should be enough to manage it.
What's my experience with pricing, setup cost, and licensing?
Customers have to purchase a license based on the number of users, devices, and applications they want to protect. It allows you to take a license on a subscription basis for three years or five years.
What other advice do I have?
I would recommend this solution. If you are looking for a SIEM solution, IBM QRadar is one that you should ideally look for.
I would rate IBM QRadar a nine out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner

Buyer's Guide
Download our free IBM Security QRadar Report and get advice and tips from experienced pros
sharing their opinions.
Updated: March 2025