Security Data Works

Practical implementation

Security data platform migration: hidden costs and timeline reality.

The technology line item is the part of a security data platform migration I trust most, and it is rarely the part that breaks the budget. On the migrations I have scoped, the labor to move detection content, run two platforms in parallel, and retrain analysts has run 40 to 100 percent above the technology-only estimate, so the platform turns out to be the cheap part and the migration itself is where the project actually lives.

Reading time: 13 minutes. Figures below come from migration engagements I scoped for security teams in regulated environments and from practitioner interviews, anonymized but specific.

The story

The $300K project that became $1.2M.

The business case writes itself. A CFO approves $300K for a modern security data platform: licensing, infrastructure, the works. The team is trading a $2M/year SIEM for a lakehouse architecture that costs a fraction to run. The ROI looks obvious on the spreadsheet.

Six months later that same team is in an emergency meeting explaining why it needs another $500K to $900K.

I have watched this exact sequence more than once, and it follows from budgeting the technology while leaving the migration out, because the platform line is the honest part of the estimate but it is also the small part. Once the labor to convert detection content, run both systems in parallel, and retrain the SOC lands, first-year cost runs 40 to 100 percent over the technology-only number, and few teams reach cutover without outside help.

The iceberg

What you budgeted vs. what's really there.

What you budgeted (technology only)

Platform licensing:         $100K–300K/year
Infrastructure (cloud):     $50K–150K/year
Query engine licensing:     $50K–100K/year
─────────────────────────────────────────────
Total:                      $200K–550K/year

This looks reasonable, because it runs 75 to 90 percent cheaper than the legacy SIEM, the spreadsheet shows a 12-month payback, and the CFO signs. What the spreadsheet hides is that this number is only 30 to 40 percent of actual first-year cost, and the rest sits below the waterline.

What you forgot (migration costs)

Migration labor:
├─ External consulting:           $200K–500K (6–12 months)
├─ Internal team time:            $150K–300K (opportunity cost)
└─ Project management:            $50K–100K

Parallel operation:
├─ Duplicate licensing:           $100K–200K (6–12 month overlap)
└─ Duplicate infrastructure:      $50K–100K

Detection rule migration:
├─ Rule conversion:               $100K–200K (500–1000 rules)
├─ Testing and validation:        $50K–100K
└─ Runbook updates:               $30K–50K

Training:
├─ Formal training:               $20K–50K
└─ Productivity ramp:             $50K–100K (reduced output during learning)
─────────────────────────────────────────────────────────────────
Total Hidden Costs:               $750K–1.7M

Realistic Total Project Budget:
  First year:  $950K–2.25M (technology + migration)
  Ongoing:     $200K–550K/year (technology only)

The $300K estimate was off by 3 to 7 times, and not because anyone was careless, but because the only line a vendor quotes is the one above the waterline. The performance side of that ongoing-cost number rests on the benchmark evidence in the lab, and the engine choice that drives it is weighed per environment archetype on the worked scorecard.

Where the migration labor actually goes

It helps to ask not just how big the migration bill is but what most of it pays for, because the answer changes how you think about the whole project. When I sit with the line items above, the largest movable chunk is rarely infrastructure and rarely even the consultants as a category, but the work of re-mapping security content from one vendor's schema to another's: the detection rules written in Splunk CIM that have to be rewritten against a new set of field names, the dashboards built over years that have to be rebuilt query by query, and the integrations that assumed the old platform's output and now have to be repointed. That re-mapping work is also the part teams underprice the most, because it looks like translation and turns out to be reconstruction.

To put rough numbers on it, I keep an illustrative model in my head from a financial-services case I wrote up: a $12M Splunk renewal, a Microsoft offer at $7.2M a year, and a migration analysis that came back at $6.9M all-in over 18 months, of which about $2.7M, close to 40 percent, was the cost of re-mapping seven years of content from Splunk CIM to Microsoft's proprietary schema. I want to be clear that the 40 percent is an illustrative model assembled from published license pricing and labor rates, not a measured finding from one audited engagement, so treat it as the shape of the cost rather than a figure you can hold a vendor to. The shape is what I trust: when most of the lock-in lives in the schema your detection content is written against, a large fraction of the migration goes to rewriting that content, and that share is high enough that it often decides whether the move happens at all. In the case I am describing the team did the arithmetic and stayed on Splunk, judging that the all-in migration cost and its eighteen months of disruption, with re-mapping the single biggest line in the bill, were not worth the license savings the switch would have produced.

The practical reading is that an open content layer is worth paying for before you ever plan a migration, because if the detection rules and dashboards are written against OCSF rather than a single vendor's field names, the next move re-maps a pipeline and a query engine instead of re-mapping everything your analysts have built, which is the difference between a project a CFO will fund and one a security team quietly decides not to attempt.
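To make the schema point concrete, here is an added example (mine, not code from the article or from any vendor): one detection rule written only against a handful of OCSF Authentication-class fields, fed by two small normalizers, one from Splunk CIM field names and one from a made-up vendor schema. The OCSF fields used are a real subset of that class; the "vendor_x" format and every sample event are constructed.

```python
"""One OCSF-native rule, two source schemas, no rule rewrite.

Constructed example: only a handful of OCSF Authentication (class_uid 3002)
fields are modelled; the "vendor_x" format and the sample events are made up.
"""
from collections import Counter

FAILURE = 2  # OCSF status_id for a failed authentication

def from_splunk_cim(ev: dict) -> dict:
    """Normalize a record using Splunk CIM Authentication fields (user, src, action)."""
    return {
        "class_uid": 3002,
        "time": ev["_time"],
        "actor": {"user": {"name": ev["user"]}},
        "src_endpoint": {"ip": ev["src"]},
        "status_id": FAILURE if ev["action"] == "failure" else 1,
    }

def from_vendor_x(ev: dict) -> dict:
    """Normalize a hypothetical vendor schema (constructed) to the same OCSF fields."""
    return {
        "class_uid": 3002,
        "time": ev["ts"],
        "actor": {"user": {"name": ev["login"]["account"]}},
        "src_endpoint": {"ip": ev["client_addr"]},
        "status_id": FAILURE if ev["result_code"] != 0 else 1,
    }

def failed_login_burst(events, threshold=5):
    """Detection content: source IPs with >= threshold authentication failures.
    Written against OCSF only, so a new source needs a new mapper, not a new rule."""
    fails = Counter(
        e["src_endpoint"]["ip"]
        for e in events
        if e["class_uid"] == 3002 and e["status_id"] == FAILURE
    )
    return sorted(ip for ip, n in fails.items() if n >= threshold)

# Constructed telemetry: the same failed-login burst arriving in two formats.
CIM_EVENTS = [{"_time": 1700000000 + i, "user": "svc-backup",
               "src": "10.0.0.9", "action": "failure"} for i in range(6)]
VENDOR_EVENTS = [{"ts": 1700000100 + i, "login": {"account": "jdoe"},
                  "client_addr": "10.0.0.9" if i < 5 else "10.0.0.7",
                  "result_code": 401} for i in range(7)]

def alerts_for(source: str):
    """Run the unchanged rule over one source, selected only by its mapper."""
    mapper, raw = {"splunk_cim": (from_splunk_cim, CIM_EVENTS),
                   "vendor_x": (from_vendor_x, VENDOR_EVENTS)}[source]
    return failed_login_burst([mapper(e) for e in raw])
```

Swapping the SIEM behind this rule means writing a third mapper of the same shape; the rule, and everything built on it, stays as it is.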

Why this gets missed

Four root causes.

1. Technology-only budgeting

The estimate fixates on licensing and skips the labor entirely. A vendor quote shows platform pricing, the team drops infrastructure costs into a spreadsheet, and the whole thing feels finished even though it is not, because the spreadsheet has priced the things that arrive in a box while ignoring every hour of human effort it takes to make them useful.

The questions that rarely get costed are who builds the data pipelines, who converts 800 Splunk detection rules to SQL, who rebuilds five years of dashboards, and who runs the project, and those are not footnotes but the majority of the spend.

On a Splunk-to-lakehouse migration I would tell a team to plan for external consulting ($200K–500K over 6–12 months), internal team allocation (1 to 3 FTE fully dedicated, not "20 percent of their time," which in practice means zero), and project management (an experienced PM at $150K–200K fully loaded, or a $50K–100K consultant PM), because anyone who skips these is not budgeting cheaper so much as deferring the bill.

2. Vendor quote reliance

A vendor quotes platform cost rather than total migration cost, and that is not deception so much as the division of labor, because vendors sell software and the migration shows up later under "professional services," on a separate quote that often arrives after the platform contract is already signed.

Example quote:
  ClickHouse Enterprise:   $100K/year
  Polaris Catalog:         $50K/year
  Tenzir Professional:     $80K/year
  ─────────────────────────────────
  Total:                   $230K/year

$230K/year looks clean, but it excludes everyone who configures ClickHouse for security workloads, stands up Iceberg tables and compaction jobs, builds the Tenzir OCSF transformation pipelines, and ports 500 detection rules from SPL to SQL, none of which is in the number.

Ask, and the answer is consistent: "We offer professional services at $250–400/hour, typical engagement 500 to 1,000 hours." That is $125K to $400K on top from a single vendor, and a migration usually touches several of them.

3. Internal labor assumption

The third trap is the most flattering one: a sharp internal team plans to do the whole thing itself. "We'll figure it out." I believe they are sharp. I also know they know Splunk SPL, not Spark, Iceberg, and ClickHouse, and the gap between those is 3 to 6 months of reduced output before anyone is productive. Across 11 enterprise migrations I tracked from 2022 to 2024, the pattern held. The internal-only path averaged 21 months at 2.3 FTE and $575K total, with 40 percent of those efforts abandoned before cutover. Consulting-led finished in 8 months at 0.7 FTE and $675K, all of them reaching cutover. Hybrid landed in the middle: 12 months, 1.5 FTE, $625K, every one finished, and the skill transferred to the internal team on the way. The counterintuitive read is that the "expensive" consulting option frequently costs less in total, because the faster timeline burns far less internal opportunity cost and never produces an abandoned project that has to be restarted.

4. Optimistic timeline

Underestimating duration is how teams underestimate cost, because most of the cost is time multiplied by salaries. The optimistic version sounds like "how hard can it be, we'll move 100 GB/day, run some queries, and cut over." I have never seen it go that way.

A security data migration breaks into four phases, and skipping any of them only moves the work later.

Phase 1 (months 1–3): lakehouse foundation. Provision S3/ADLS/GCS. Deploy Iceberg catalog (Polaris, Glue, Unity Catalog). Ingest one log source (Windows events or CloudTrail). Validate compression (should see 10–20×). Query via SQL (Trino, Dremio, Spark). Outcome: 30 days of logs stored and queryable.

Phase 2 (months 4–6): real-time engine. Deploy query engine (StarRocks, ClickHouse, Trino). Migrate 5 SIEM dashboards to Grafana or Superset. Set up alerting (PagerDuty / Slack). Create materialized views for top queries. Run parallel with SIEM for validation. Outcome: dashboards live, analysts using new system read-only.

Phase 3 (months 7–9): detection migration. Deploy data pipeline (Cribl, Tenzir, or Kafka+Flink). Migrate 500–1,000 detection rules from SPL to SQL. Test each rule against historical data (6–12 months validation). Update runbooks. Outcome: detection rules ported, tested, validated.

Phase 4 (months 10–12): cutover. Analysts use new platform as primary. SIEM relegated to historical data only. Gradual decommission of legacy platform. Final optimization and tuning. Outcome: legacy SIEM off, new platform primary.

Total timeline: 12 to 15 months, which means the 3-to-6-month number in the original plan was never a schedule so much as a hope.
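The Phase 3 step "test each rule against historical data" is where conversion errors surface, so here is an added example (mine, not from the article) of the parity check I would run before cutover: the legacy rule and its conversion run over the same historical sample, and cutover is gated on no missed alerts. The rules are Python callables standing in for the SPL and SQL versions, the off-by-one in the converted rule is deliberate, and the event sample is constructed.

```python
"""Parity check for a converted detection rule (the Phase 3 validation step).

Constructed example: plain Python callables stand in for the SPL original
and its SQL conversion; the historical sample is made up.
"""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Parity:
    matched: int
    missed: frozenset   # alerts the legacy rule raised that the conversion did not
    extra: frozenset    # alerts only the conversion raised (triage, not a blocker)

    def passes(self, max_missed: int = 0) -> bool:
        """Cutover gate: no silently dropped detections."""
        return len(self.missed) <= max_missed

def hosts_per_user(events):
    """Shared aggregation: distinct destination hosts each account logged on to."""
    seen = defaultdict(set)
    for e in events:
        seen[e["user"]].add(e["dest"])
    return seen

def legacy_lateral_movement(events, threshold=3):
    """Legacy rule as written: alert when a user reaches >= threshold hosts."""
    return {u for u, h in hosts_per_user(events).items() if len(h) >= threshold}

def converted_lateral_movement(events, threshold=3):
    """The conversion, carrying a typical off-by-one (HAVING count > threshold)."""
    return {u for u, h in hosts_per_user(events).items() if len(h) > threshold}

def parity(events, legacy, converted) -> Parity:
    """Run both rules over the same history and diff the alert sets."""
    old, new = legacy(events), converted(events)
    return Parity(len(old & new), frozenset(old - new), frozenset(new - old))

# Constructed history: alice on exactly 3 hosts, bob on 4, carol on 1.
HISTORY = [
    {"user": "alice", "dest": "srv-01"}, {"user": "alice", "dest": "srv-02"},
    {"user": "alice", "dest": "srv-03"},
    {"user": "bob", "dest": "srv-01"}, {"user": "bob", "dest": "srv-02"},
    {"user": "bob", "dest": "srv-03"}, {"user": "bob", "dest": "srv-04"},
    {"user": "carol", "dest": "srv-09"},
]

def validate_conversion() -> Parity:
    """Returns missed={'alice'}: the boundary case the conversion drops."""
    return parity(HISTORY, legacy_lateral_movement, converted_lateral_movement)
```

The boundary case is exactly what an afternoon of eyeballing SQL misses and what months of replay against real history catches, which is why the validation line item is not optional.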

Worked example

10,000-employee enterprise, 500 GB/day, migrating off Splunk.

Year 1 technology costs

Storage (S3, 10× compression):       $420/month × 12   = $5,040
Polaris Catalog (managed):           $50/month × 12    = $600
Cribl Stream (2× m5.xlarge):         $280/month × 12   = $3,360
StarRocks (4× r5.2xlarge):           $1,520/month × 12 = $18,240
Trino (2× r5.4xlarge, 50% avg):      $760/month × 12   = $9,120
Spark (EMR, 40 hrs/month):           $80/month × 12    = $960
Grafana Cloud (Pro, 10 users):       $300/month × 12   = $3,600
Data transfer (optional):            $150/month × 12   = $1,800
──────────────────────────────────────────────────────────────────
Total Technology:                                       $42,720/year

Year 1 migration costs

External consulting (9 months):
├─ Platform architecture:        200 hrs × $300/hr  = $60,000
├─ Iceberg setup & tuning:       150 hrs × $300/hr  = $45,000
├─ Detection rule migration:     300 hrs × $300/hr  = $90,000
├─ Performance optimization:     100 hrs × $300/hr  = $30,000
└─ Total consulting:                                 $225,000

Internal team allocation (1.5 FTE × 12 months):
├─ Senior security engineer:     1 FTE × $150K     = $150,000
├─ Security analyst (testing):   0.5 FTE × $100K   = $50,000
└─ Total internal:                                   $200,000

Project management (9 months):
└─ PM consultant:                500 hrs × $200/hr = $100,000

Parallel operation (9 months):
└─ Splunk licensing:             $2M/yr ÷ 12 × 9   = $1,500,000

Detection rule migration:
├─ Rule conversion:              800 rules × 2 hrs = $48,000
├─ Testing & validation:         400 hrs × $200/hr = $80,000
├─ Runbook updates:              200 hrs × $150/hr = $30,000
└─ Total rule migration:                             $158,000

Training:
├─ Formal training:                                  $30,000
├─ Productivity ramp:                                $75,000
└─ Total training:                                   $105,000
──────────────────────────────────────────────────────────────────
Total Migration Costs:                               $2,288,000

Year 1 total: $2,330,720

That total is higher than Splunk's $2M/year, and that is the part people miss when they kill the project in month seven. Year 1 is always more expensive, by construction. The bill covers the legacy SIEM (nine months of parallel operation, $1.5M), the new platform (twelve months, $43K), and the migration labor ($788K) all at once. Parallel operation is the single largest line, and it is temporary.

Year 2 ongoing: $42,720/year (just technology, no migration costs).

Net savings year 2+: $2M − $43K = $1.96M/year.

Payback period: $788K migration labor ÷ $1.96M annual savings = 4.8 months into Year 2.

CFO framing

How to justify the budget.

Year 1 total cost:        $2.33M (technology + migration + parallel)
Year 2+ ongoing:          $43K/year (technology only)
Legacy SIEM annual cost:  $2M/year
Net savings year 2+:      $1.96M/year
Payback period:           4.8 months (Year 2)
5-year TCO:               $2.33M + ($43K × 4) = $2.5M
Compare to 5-year Splunk: $10M
Total 5-year savings:     $7.5M

CFO reaction: "Okay, Year 1 is a wash, but we save $2M/year after that. Approved."
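As an added example (not a tool from the article), the worked example and the CFO framing above carried through in code: the same inputs reproduce the Year 1 total, the payback and the 5-year TCO, and a sensitivity function shows how the Year 1 bill moves with the length of parallel operation, the line the text singles out as largest and temporary. The $788K migration-labor, $42,720 technology and $2M legacy figures are the article's; everything else is derived from them.

```python
"""Budget model for the worked example: Year 1 cliff, payback, 5-year TCO.

Added example; inputs are the article's worked numbers, outputs are derived.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Migration:
    new_platform_annual: float   # technology-only run cost of the new platform
    legacy_annual: float         # SIEM being replaced
    migration_labor: float       # consulting + internal + PM + content + training
    parallel_months: int         # months both platforms are licensed

    def parallel_cost(self) -> float:
        """Legacy licence kept running during the overlap (pro rata by month)."""
        return self.legacy_annual * self.parallel_months / 12

    def year1_total(self) -> float:
        """Everything lands in the same twelve months, by construction."""
        return self.new_platform_annual + self.migration_labor + self.parallel_cost()

    def annual_savings(self) -> float:
        return self.legacy_annual - self.new_platform_annual

    def payback_months(self) -> float:
        """Months into Year 2 until savings have repaid the migration labor."""
        return 12 * self.migration_labor / self.annual_savings()

    def tco(self, years: int) -> float:
        """Year 1 plus technology-only run cost for the remaining years."""
        return self.year1_total() + self.new_platform_annual * (years - 1)

    def five_year_savings(self) -> float:
        return self.legacy_annual * 5 - self.tco(5)

# The article's worked example: 500 GB/day enterprise leaving a $2M/year SIEM.
WORKED = Migration(new_platform_annual=42_720, legacy_annual=2_000_000,
                   migration_labor=788_000, parallel_months=9)

def sensitivity(parallel_months=(6, 9, 12)) -> dict:
    """Year 1 total for each parallel-operation length, other inputs fixed."""
    return {m: Migration(WORKED.new_platform_annual, WORKED.legacy_annual,
                         WORKED.migration_labor, m).year1_total()
            for m in parallel_months}
```

Every three months shaved off parallel operation takes $500K off Year 1 in this model, which is the cheapest lever in the whole budget.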

The template

A comprehensive budget worksheet.

TECHNOLOGY PLATFORM
├─ Platform licensing:                       $_______
├─ Infrastructure (cloud/on-prem):           $_______
├─ Query engine licensing:                   $_______
└─ Subtotal Technology:                      $_______

MIGRATION SERVICES
├─ External consulting (6–12 months):        $_______
├─ Internal team allocation (%FTE × salary): $_______
├─ Project management:                       $_______
└─ Subtotal Migration:                       $_______

PARALLEL OPERATION
├─ Legacy platform licensing (6–12 months):  $_______
├─ Duplicate infrastructure:                 $_______
└─ Subtotal Parallel:                        $_______

CONTENT MIGRATION
├─ Detection rule conversion:                $_______
├─ Dashboard rebuilding:                     $_______
├─ Runbook updates:                          $_______
└─ Subtotal Content:                         $_______

TRAINING & RAMP
├─ Formal training:                          $_______
├─ Productivity reduction (learning curve):  $_______
└─ Subtotal Training:                        $_______

CONTINGENCY (15–20%):                        $_______

TOTAL PROJECT BUDGET:                        $_______

Phased funding

Don't ask for $2.3M upfront.

The $2.3M figure is correct, and it is almost impossible to get approved as a single line, so I do not ask for it that way. I ask for phased funding instead: each phase delivers something the CFO can see before the next phase's money is released. The total stays the same; what changes is the risk profile.

Phase 1 (months 1–3): platform setup plus consulting. Technology setup $50K, consulting kickoff $100K, internal team $50K. Request $200K. Outcome: lakehouse operational, one log source ingested.

Phase 2 (months 4–6): parallel operation plus rule migration. Technology $50K, consulting (rule migration) $100K, internal team $50K, parallel Splunk licensing $500K. Request $700K. Outcome: dashboards live, 50% rules migrated.

Phase 3 (months 7–9): optimization plus cutover prep. Technology $50K, consulting (optimization) $75K, internal team $50K, parallel Splunk $500K. Request $675K. Outcome: all rules migrated, analysts using new platform.

Phase 4 (months 10–12): legacy decommission. Technology $50K, consulting (final tuning) $50K, internal team $50K, parallel Splunk $500K. Request $650K. Outcome: Splunk decommissioned, new platform primary.

Total: $2.225M. It is the same money, but the CFO now commits $200K rather than $2.3M, and Phase 1 has to earn Phase 2. Every phase boundary becomes a real exit ramp, which is why a finance team that would balk at signing a single $2.3M check will fund a sequence of milestones it can stop at any time.

Checklist

Before your next budget approval.

  • Budget includes external consulting (not just technology).
  • Parallel operation costs accounted for (6–12 months duplicate).
  • Detection rule migration labor estimated (100–200 hours per 100 rules).
  • Training costs included (formal plus productivity ramp).
  • Internal team opportunity cost calculated (not assumed "free").
  • 15–20% contingency reserve allocated.
  • Phased funding approach established (not single budget approval).

Takeaways

Seven things to remember.

  1. The one that sinks migrations: Year 1 always costs more than the SIEM it replaces, because migration, parallel operation, and the new platform all land in the same twelve months. Savings start in Year 2. Teams that quit do so before they reach it.
  2. Budget for outside help. Of the migrations I have tracked, the teams that went internal-only finished latest and abandoned most often; plan for $200K–500K of consulting over 6 to 12 months.
  3. Detection rule conversion is the labor sink. 800 rules at two hours each is 1,600 hours, roughly $240K–320K at consultant rates or nine months of internal effort, and it is the line most often estimated as an afternoon.
  4. Parallel operation doubles the bill while it lasts. Two platforms run for 6 to 12 months; the duplicate legacy licensing is usually the largest single line in the whole project.
  5. Training is a cost, not a footnote. Formal training ($20K–50K) plus a 3-to-6-month productivity ramp at roughly half efficiency adds up to $70K–150K of real output lost.
  6. Reserve 15 to 20 percent contingency. Migrations hit complexity nobody scoped, and the reserve is what keeps a surprise from becoming an emergency funding meeting.
  7. Phase the funding. Asking for $200K to $700K per quarter against visible milestones gets approved where a single $2M request stalls.