Managed hosting from

£75/month +VAT

Large resource profile: 4 vCPU, 8 GB RAM, log storage sized to your retention. Typically suits estates of up to 100 monitored endpoints; larger fleets are sized individually. Deployment, upgrades, daily backups, monitoring, SSL and UK hosting included, with no per-user fees. How our pricing works

the icon of the card in the content

Security visibility without the ingestion bill

Commercial SIEMs charge by the gigabyte, so the more of your estate you watch, the more you pay, and teams start choosing what not to log. Wazuh is the open source alternative: SIEM and XDR across your whole estate at a flat cost, with your security data on UK infrastructure. Node deploys, tunes and runs it in production, and our own platform reports to the same stack.

What Wazuh is

Wazuh is an open source security platform that combines SIEM and XDR. Lightweight agents on your servers and endpoints collect logs and events, detect threats and rootkits, monitor file integrity, assess configurations against hardening benchmarks and flag known vulnerabilities in installed packages. Agentless collection brings in network devices, firewalls and appliances over syslog.

Everything lands in a central indexer where events are correlated, enriched with threat intelligence and scored, with dashboards for investigation and alerting when something needs a human. It grew from the OSSEC project and is now one of the most widely deployed security platforms in the world.

Why self-hosted Wazuh instead of Splunk or a cloud SIEM

No per-gigabyte pricing: ingestion-metered SIEMs penalise visibility. With Wazuh you log everything that matters and pay a flat managed fee, with storage sized to your retention.

Your security data stays in the UK: authentication records, alerts and investigation trails are among the most sensitive data you hold. They stay on UK infrastructure under UK jurisdiction, with an Article 28 data processing agreement.

Retention you control: keep hot data for investigation and archive for as long as your compliance requires, without a vendor's pricing tiers deciding your evidence window.

Open and auditable: the platform inspecting your estate is itself open to inspection, with no black-box scoring.

No lock-in: events are stored in open formats on infrastructure you control, so your security history is portable.

We run our estate on it

This page describes our own security stack. Every core Node system reports to our Wazuh SIEM: logins, user sessions on the platform, centralised syslog and file integrity across the estate, exactly as set out in our security and compliance practice. When we deploy Wazuh for you, we are handing over patterns we depend on daily, not a reference architecture from a datasheet.

Compliance reporting out of the box

Wazuh ships compliance modules that map its detections and configuration checks to PCI DSS, GDPR, HIPAA and NIST 800-53, turning day-to-day monitoring into the dashboards and evidence your auditors and insurers ask for. For organisations working towards ISO/IEC 27001 or NIST CSF alignment, the SIEM becomes the detect-and-respond backbone of the programme.

Keycloak and single sign-on

The Wazuh dashboard supports SAML single sign-on, so analyst and admin access joins your tenant's own Keycloak realm like every other app on the Node platform. Access to the security stack itself is governed, audited and revoked centrally, which is exactly how a SIEM should be run.

How Node runs Wazuh for you

Deployment: manager, indexer and dashboard in a production configuration, sized for your estate and retention, with TLS throughout.

Agent rollout: we deploy and enrol agents across your servers and endpoints, and bring network devices in over syslog.

Tuning: default rulesets are noisy. We tune detections to your environment so alerts mean something, and keep tuning as the estate changes.

Upgrades and retention: we track Wazuh releases, apply upgrades and patches, and manage index lifecycle so storage stays predictable.

Monitoring and support: we monitor the monitoring, and our UK-based engineers are on hand when an alert needs investigating.


The economics of watching everything: per-gigabyte SIEM pricing creates a perverse incentive to log less, and the gap in your logs is always where the incident happened. A managed Wazuh deployment from Node is a flat, predictable cost however much you monitor, hosted in the UK, tuned by engineers who run the same stack for their own platform. Watch everything, pay the same.

Adoption and community

16,000+ GitHub stars Wazuh describes itself as the world's most widely used open source security platform, reporting more than 15 million protected endpoints, over 100,000 enterprise users and 30 million downloads a year.

Frequently asked questions

What do SIEM and XDR actually mean for my business?

A SIEM collects and correlates logs from across your systems so security events can be spotted, investigated and evidenced in one place. XDR extends that with agents on your servers and endpoints that detect threats, monitor file integrity and check configurations. Together they answer two questions every business eventually gets asked: how would you know if something was wrong, and can you prove what happened?

Where is our security data held?

On UK infrastructure inside your own private tenant, under UK jurisdiction with an Article 28 data processing agreement. Security telemetry is among the most sensitive data a business produces, which is exactly why it should not be metered through a US vendor's cloud.

What does Wazuh monitor?

Agents on your servers and workstations collect logs, detect threats and rootkits, monitor file integrity, assess configurations against hardening benchmarks and detect known vulnerabilities in installed software. Agentless collection covers network devices and appliances via syslog, so the whole estate reports into one place.

Does Node use Wazuh itself?

Yes. Our own estate reports to our own Wazuh SIEM: every core system, every login, centralised syslog and full audit, as described on our security and compliance page. The deployment patterns we sell are the ones that protect our platform.

How does it compare to Splunk or a cloud SIEM?

Commercial SIEMs meter ingestion, so the more visibility you add, the more you pay, and teams end up choosing what not to log. Wazuh is open source with no licence or per-gigabyte fees: you pay a flat managed fee and size storage to the retention you actually need.

Can it help with compliance requirements?

Yes. Wazuh ships modules that map detections and configuration checks to PCI DSS, GDPR, HIPAA and NIST 800-53, giving you dashboards and reports aligned to the frameworks your auditors ask about. It pairs naturally with the ISO/IEC 27001 and NIST CSF practices we run ourselves.

What does the managed service include?

Deployment of the Wazuh manager, indexer and dashboard in a production configuration, agent rollout across your estate, rule tuning to cut noise, retention management, upgrades and patching, monitoring of the platform itself and UK-based support.

Talk to us about Wazuh.

Tell us about your estate and what your auditors or insurers are asking for, and we will size a SIEM deployment with agent rollout and sensible retention.

Our heritage

These projects were delivered by Tokyo Digital, acquired by Node in May 2023 and now a wholly owned subsidiary of Node DT Group. The same team builds and runs the Node platform today.