Austin Mitchell | Jul 2, 2026 1:31:25 PM | 8 min read

Guardsix vs Microsoft Sentinel: Log management in a regulated hybrid estate

If you run security for a regulated organisation, your logs do not all live in one place. Some sit in the cloud. Some sit on-prem. Some sit in an OT segment that operates with its own infrastructure. Your team has to make sense of every one of them — under regulations like NIS2, DORA and GDPR, with a finance director who needs next year's number to be reliable and consistent.

When teams in this position evaluate log management, Microsoft Sentinel is almost always on the shortlist. For an organisation already deep in Azure and Microsoft 365, Sentinel onboards native sources quickly, ingests a lot of Microsoft telemetry at little or no extra cost, and takes the work of patching and scaling infrastructure off your plate.

But a shortlist decision for a regulated hybrid estate is not a feature comparison. It is an architectural one. And on architecture, the honest framing is the simplest one: Microsoft Sentinel is cloud-first by design. Guardsix is sovereign by design.

That difference carries important implications for organisations that operate in regulated industries, especially outside the United States.

Your logs live in a hybrid estate, but Sentinel lives in one cloud

Microsoft Sentinel runs as a SaaS service inside Microsoft Azure. There is no self-hosted Sentinel, no on-prem Sentinel, and no air-gapped Sentinel. This is a point Microsoft documents itself and that analysts have repeatedly noted. To use it, your security data has to come to Azure.

For a hybrid estate, that is the whole problem in one sentence. Either you route everything — on-prem systems, OT segments, and data that is not permitted to leave the building — into a public cloud, or you accept a split: one platform for the cloud, something else for everything else. Split coverage is split visibility. Split visibility is exactly what a lean team cannot operate and an auditor will not accept.

Guardsix deploys where your logs already are. On-prem, hybrid, or air-gapped — your environment, your governance. One platform collects across hybrid, on-prem, OT and cloud without re-architecting your estate to suit the tool. The deployment model bends to your environment, not the other way around.

Residency is not sovereignty

Microsoft has made real, substantial investments in European data residency: EU regions, an EU Data Boundary, a binding resilience pledge, and an EU-resident approval layer for access requests. It would be dishonest to pretend these investments don't count, but they only reduce exposure to cloud dependency risk. They do not remove it.

The reason is structural, not contractual. Microsoft is a US corporation, and US laws like the CLOUD Act or FISA Section 702 can reach data a US provider controls regardless of where that data physically sits. Microsoft's own director of legal affairs for France conceded this under oath to the French Senate in June 2025: asked whether he could guarantee that French citizens' data would never be passed to US authorities, he said he could not.

So a regulated organisation can hold its logs in an EU region and still be unable to answer important questions about whose law governs the data. Residency tells you where the data sits. Sovereignty tells you whose rules it answers to. They are not the same thing, and Microsoft's own counsel has confirmed it.

Guardsix is headquartered in Europe and governed under EU law. Self-hosted, in your environment, with no foreign vendor in the data path. When the regulator asks whose laws govern your security data, you answer with one word. That answer holds up to scrutiny because it is a fact of structure, not a line in a contract.

The macro picture is moving the same way. The European Commission's preliminary view, issued in June 2026, is that the largest cloud providers should be treated as gatekeepers under the Digital Markets Act. This is recognition of the concentration risk that regulated buyers have felt for years.

Quote by Henna Virkkunen, Executive Vice-President for Tech Sovereignty

The cost question, told honestly

Sentinel's pricing is metered largely on the volume of data you ingest. For a Microsoft-heavy estate with subsidised native telemetry, that can be genuinely cost-effective.

The issue is not that Sentinel is expensive. It is that ingestion-metered pricing puts coverage and cost in direct tension. Every new log source, every traffic spike, every retention extension a regulator demands shows up as a bigger bill. This puts security leaders in a position where logging less means spending less.

Cost unpredictability shows up in places that are easy to miss until the invoice lands.

  • Free queries become billable ones. In the full analytics tier, searches are unlimited and free. In the cheaper lake and log tiers, you pay for every gigabyte a query scans. Because analytics data is mirrored into the lake, an analyst can run the same search down the billed path by mistake and pay for an answer they could have had for nothing.
  • Old evidence is slow and costly to reach. Data sent to low-cost long-term storage has to be restored or searched before you can use it. That is billed by volume, and can take hours to actually retrieve. The logs you most need in an audit are often the ones that cost the most to analyse.
  • You pay to process data even when you discard it. The pipeline charges for data entering the lake whether you keep it or filter it out. Sending in 100 GB and dropping 90 per cent still incurs processing on the full 100 GB. Filtering controls what you store, not what you are billed to process.
  • Commitments are paid up front, and hard to unwind. Capacity tiers are billed in advance regardless of what you actually ingest, and can only be stepped down on a rigid schedule. Misjudge the volume or the tier, and you carry the cost until the window reopens.
  • Tuning the bill is a job in itself. The real budget question becomes which logs land in which tier. This is a continuous exercise in transformations, tier decisions, and query-language skill that lean teams don't have the hours to staff. The platform's cost depends on engineering effort you may not have.

Guardsix SIEM prices on the infrastructure you run, not the data you generate. Spend scales with your nodes, not your log volume, so a finance director can model the security budget across the full procurement cycle, with assurance that a traffic spike does not turn into a billing event.

Evidence the auditor accepts, under your control

NIS2, DORA and GDPR share one demand: you have to demonstrate, not describe. That means complete historical evidence, available on-demand and under your control.

In a metered cloud model, long-retention data tends to go cold — slower to bring back, billed by the query, and in some tiers encrypted with keys the provider holds rather than you. That is workable for a large SOC with dedicated engineers. It is friction for a lean team that needs the access trail ready the day the auditor walks in.

Guardsix SIEM keeps audit-ready evidence continuous and complete, with pre-built mappings to NIS2, GDPR and sector rules, and the evidence chain stays under your control because the platform runs in your environment. The proof of access is yours, not borrowed.

This issue will become even more important as the Cloud and AI Development Act (CADA) transitions from proposal to EU-wide regulation. CADA separates workflows into assurance levels based on strictly defined sovereignty requirements. There is no evidence to suggest that Microsoft Sentinel can meet the highest levels of assurance, even with region selection and local data centre investments. Guardsix can provide completely sovereign on-prem deployments that meet the highest criteria for data sovereignty.

The choice

Microsoft Sentinel has earned its place on SIEM buyers' shortlists, but it's rarely the best choice for regulated organisations outside the United States:

Deployment
  • Microsoft Sentinel: Azure-only SaaS. No self-hosted, on-prem or air-gapped option — hybrid and OT data has to come to the cloud, or split across tools.
  • Guardsix: Deploys where your logs already are: on-prem, hybrid, air-gapped. One platform across hybrid, on-prem, OT and cloud.

Jurisdiction
  • Microsoft Sentinel: EU residency is available, but a US provider stays reachable under the CLOUD Act and FISA 702. Residency, not sovereignty.
  • Guardsix: EU-headquartered, EU-governed, self-hosted. Your security data answers to EU law alone.

Pricing
  • Microsoft Sentinel: Metered on data ingested. Can be cost-effective for Microsoft-heavy estates; coverage and budget pull against each other as volume grows.
  • Guardsix: Node-based. Spend scales with the infrastructure you run, not the data you generate. A traffic spike isn't a billing event.

Audit evidence
  • Microsoft Sentinel: Long retention is available, but cold data is slower to reach, billed per query, and in some tiers uses provider-held keys.
  • Guardsix: Continuous, complete evidence under your control and your keys, mapped to NIS2, GDPR and sector rules.

For a Microsoft-native organisation that lives entirely in Azure and is comfortable with US jurisdiction over its security data, Sentinel is a reasonable choice to consider. But for a regulated organisation with logs on-prem, in OT, and in the cloud, and a regulator who can ask whose law governs the data, it does not offer a model that keeps you in control.

What to do now

European organisations are taking back control of where their security data lives, who operates it, and what it costs next year. Download our playbook on The Cloud and AI Development Act and find out what the proposal means for your sovereignty posture.

Austin Mitchell
Principal Product Marketer at Guardsix. Austin's primary focus is helping lean SecOps teams achieve faster detection and response without the complexity, cost, or trade-offs imposed by traditional security platforms.