
Deploying Wazuh SIEM for Small Businesses: Lessons from Real Implementations

By AIQSO | March 30, 2026

The gap between what small businesses need for security monitoring and what they can afford has historically been the size of a $50,000 annual SIEM license. Wazuh closes that gap — not by being a lesser product, but by combining SIEM, intrusion detection, vulnerability assessment, and compliance reporting into a single open-source platform that runs on hardware most businesses already have. We have deployed Wazuh across our own infrastructure and for clients ranging from 15-endpoint professional services firms to 200-endpoint defense contractors, and the lessons from those deployments are more about operational discipline than technology.

Key Takeaways

  • Wazuh provides enterprise-grade SIEM, IDS, vulnerability detection, and compliance reporting at zero licensing cost
  • Agent-based architecture scales from a handful of endpoints to hundreds without architectural changes
  • The first 30 days of any deployment are primarily about tuning, not monitoring — expect 80% of initial alerts to be false positives
  • File integrity monitoring catches what signature-based detection misses, particularly insider threats and supply chain compromises
  • Alerts and configuration-assessment findings carry built-in compliance tags (PCI DSS, HIPAA, GDPR, NIST 800-53, TSC); CMMC and NIST 800-171 evidence comes from crosswalking the 800-53 tags, which still cuts audit preparation from weeks to days
  • The real cost is operational: someone must review alerts, tune rules, and respond to findings, whether internal staff or a managed security partner

Architecture Decisions That Matter

Our Wazuh deployment follows a distributed architecture with the manager running on a dedicated host within a segmented management VLAN. This separation is a security requirement, not an optimization choice. If an attacker compromises a monitored endpoint, the SIEM infrastructure should not be reachable from that endpoint's network segment beyond the single inbound path agents need. Agents initiate the connection, so the firewall rule is agent subnets to manager on 1514 (events) and 1515 (enrollment) only; the manager API (55000), the dashboard (443), and the indexer (9200) stay reachable from the admin network alone.

The Wazuh manager handles agent communication, rule processing, alert generation, and API services. Alerts are written to the Wazuh indexer (an OpenSearch-based store in 4.x; older 3.x deployments used Elasticsearch), and the dashboard provides visualization and search over those indices. For deployments under 100 agents, a single node running all three components handles the load comfortably on modest hardware: 4 CPU cores, 8GB RAM for a few dozen agents and 16GB toward the 100-agent mark, with SSD storage for the indexer.

Agent deployment is the operational reality of Wazuh. Every monitored endpoint runs a lightweight agent that collects logs, monitors file integrity, reports installed software versions, and executes security configuration assessments. The agent communicates with the manager over an encrypted channel on port 1514 (TCP by default) after enrolling once on port 1515. Enrollment is the step to harden: require the shared password in authd.pass (or client certificates) so that reaching port 1515 is not enough to register a rogue agent.

The deployment decision that saves the most time long-term is automating agent installation from day one. We use Ansible playbooks that install the agent, configure the manager connection, assign the appropriate group membership, and restart the service. For Windows endpoints, Group Policy deploys the MSI package with configuration parameters. The Linux packages read the manager address, agent group and enrollment password from environment variables at install time (WAZUH_MANAGER, WAZUH_AGENT_GROUP, WAZUH_REGISTRATION_PASSWORD), and the Windows MSI accepts the same values as property arguments, so both the playbooks and the Group Policy install command pass them rather than editing ossec.conf afterwards. Manual agent installation works for proof-of-concept but becomes unmanageable beyond 20 endpoints.
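As an added example (not configuration from the article, and not a file shipped by the Wazuh project), these are the enrollment and transport settings an install playbook templates into each side's ossec.conf. The manager hostname, agent name and group names are assumed placeholders.

```xml
<!-- Added example, not taken from the article or the Wazuh project.
     Hostnames, agent name and group names are assumed placeholders. -->

<!-- 1. Manager side: /var/ossec/etc/ossec.conf, <auth> section.
     Enrollment on 1515 requires the shared password stored in
     /var/ossec/etc/authd.pass, so reaching the port is not enough to
     register an agent. purge removes agents that were deleted from the
     manager so a reused name cannot silently re-enroll. -->
<ossec_config>
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>no</use_source_ip>
    <use_password>yes</use_password>
    <purge>yes</purge>
  </auth>
</ossec_config>

<!-- 2. Agent side: /var/ossec/etc/ossec.conf, <client> section.
     The agent initiates the TCP 1514 connection, so the firewall only
     needs agent-subnet -> manager:1514,1515. Groups set here at
     enrollment make the agent receive each group's shared agent.conf on
     its first check-in, which is what keeps per-host config at zero. -->
<ossec_config>
  <client>
    <server>
      <address>wazuh-mgr.mgmt.example.internal</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <enrollment>
      <enabled>yes</enabled>
      <manager_address>wazuh-mgr.mgmt.example.internal</manager_address>
      <port>1515</port>
      <agent_name>web01</agent_name>
      <groups>linux-servers,web-servers</groups>
      <!-- same secret as the manager's authd.pass; distributed by the
           playbook, never baked into the golden image -->
      <authorization_pass_path>etc/authd.pass</authorization_pass_path>
    </enrollment>
  </client>
</ossec_config>
```

The two fragments are separate files (one per host role), shown together only to make the pairing of ports and the shared secret visible. Leaving use_password at no is the single most common weakness in small deployments: any host that can reach 1515 can then enroll and submit events under a name of its choosing.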

Group-based configuration is how Wazuh scales without becoming a maintenance burden. Rather than configuring each agent individually, agents join groups based on their role: domain controllers, web servers, workstations, Linux servers, network devices. Each group has a shared configuration (the group's agent.conf on the manager) that defines which logs to collect, which integrity monitoring paths to watch, and which vulnerability detection policies to apply. Membership is set at enrollment or changed later on the manager with the agent_groups tool or the API, and the shared file is pushed to agents on their next check-in. When a new server deploys, it joins the appropriate group and inherits the correct configuration automatically.

The Tuning Phase

Every Wazuh deployment goes through a tuning phase that typically lasts 30-45 days. During this period, the platform generates alerts based on its default ruleset, and most of those alerts are noise for your specific environment.

This is not a product deficiency. Default rules are intentionally broad because Wazuh cannot know in advance which behaviors are normal in your environment. A service account that authenticates 500 times per hour might be a brute force attack in one environment and a monitoring system doing its job in another.

The first week generates the highest alert volume and the most frustration. Expect 5,000-15,000 alerts per day on a 50-endpoint deployment. Resist the urge to disable rules broadly. Instead, categorize the alerts:

  • True positives that need action — these justify the deployment immediately. Common findings include unpatched software, misconfigured services, and credential exposure.
  • True positives that are accepted risks — document these and create exceptions. A known legacy application that triggers vulnerability alerts should be tracked but not alerting daily.
  • False positives from environmental specifics — custom applications, internal tools, and legitimate administrative activity that match threat signatures. These need targeted rule exceptions.

By week three, daily alert volume typically drops by 70-80% through tuning. The remaining alerts are higher confidence and more actionable. This is when the platform starts delivering genuine security value rather than homework.

The common mistake is tuning too aggressively. Suppressing an alert category because it generates high volume risks hiding the one instance in that category that is a genuine threat. The better approach is to adjust thresholds and add contextual conditions rather than disabling rules entirely. For example, rather than suppressing all authentication failure alerts, tune the rule to alert only when failures exceed your environment's baseline by a defined margin and originate from external or unusual source IPs. Make those changes as child rules in /var/ossec/etc/rules/local_rules.xml rather than by editing the stock ruleset, which is replaced on upgrade.
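One way to express that tuning in Wazuh's own rule language, as an added example that is not part of the article: child rules of the stock sshd authentication-failure rule (id 5716) that downgrade a known monitoring subnet instead of suppressing it, and that escalate only when failures from a single source exceed an assumed baseline and the source is outside the internal netblocks held in a CDB list. The subnet 10.20.30.0/24, the 20-in-5-minutes baseline and the rule ids 100200 to 100202 are assumptions for illustration.

```xml
<!-- Added example, not from the article or the Wazuh ruleset.
     Prerequisite: a CDB list of internal netblocks, one key:value per line,
     in /var/ossec/etc/lists/internal-networks, e.g.
         10.0.0.0/8:rfc1918
         172.16.0.0/12:rfc1918
         192.168.0.0/16:rfc1918
     and, in the manager's ossec.conf <ruleset> section:
         <list>etc/lists/internal-networks</list>
     Lists are compiled to .cdb when the manager restarts. -->

<!-- /var/ossec/etc/rules/local_rules.xml (survives upgrades) -->
<group name="local,sshd,authentication_failures,">

  <!-- Known noise: a monitoring subnet (assumed 10.20.30.0/24) that
       probes SSH with a scan account. As a child of stock 5716 the child
       wins, so these fire at level 3 for the audit trail instead of 5,
       and because the event is now attributed to 100200 it no longer
       counts toward the frequency rules below. Nothing is suppressed. -->
  <rule id="100200" level="3">
    <if_sid>5716</if_sid>
    <srcip>10.20.30.0/24</srcip>
    <description>sshd: auth failure from monitoring subnet (accepted risk)</description>
    <group>accepted_risk,</group>
  </rule>

  <!-- Environment baseline (assumed): about 20 failures from one source in
       5 minutes is normal here. Past that, from a source NOT in the
       internal list, escalate to level 12. Wazuh's frequency counter
       fires a couple of events past the number given. -->
  <rule id="100201" level="12" frequency="20" timeframe="300">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <list field="srcip" lookup="not_address_match_key">etc/lists/internal-networks</list>
    <description>sshd: brute force above baseline from external $(srcip)</description>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>

  <!-- Same volume from an internal source is usually a broken service
       account: keep it visible as a medium, not a critical. -->
  <rule id="100202" level="7" frequency="20" timeframe="300">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <list field="srcip" lookup="address_match_key">etc/lists/internal-networks</list>
    <description>sshd: repeated auth failures above baseline from internal $(srcip)</description>
  </rule>
</group>
```

The stock sshd multiple-failures rule in ruleset/rules/0095-sshd_rules.xml still fires at its default threshold alongside these; once you have confirmed its id on your version, raise its frequency with overwrite="yes" in the same local file rather than editing the shipped file. Test with /var/ossec/bin/wazuh-logtest, feeding it a handful of sshd failure lines from both an internal and an external address, before restarting the manager.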

File Integrity Monitoring

File integrity monitoring (FIM) is Wazuh's most underappreciated capability and the one that catches threats other detection methods miss. FIM monitors designated file paths for any changes — creation, modification, deletion, permission changes, ownership changes — and generates alerts with full details of what changed.

For cybersecurity monitoring, FIM addresses threat categories that signature-based detection cannot cover. A novel malware variant has no signature, but if it persists on disk it still modifies files. A compromised insider changing configuration files leaves no malicious signature, but the file change is recorded. Supply chain attacks that modify legitimate software binaries are invisible to reputation-based detection but immediately visible to integrity monitoring. The caveat is coverage: FIM sees only the paths you told it to watch, and tradecraft that stays in memory never touches disk, so it complements the other detections rather than replacing them.

We configure FIM paths based on the endpoint's role. For servers, monitored paths include system binaries, configuration directories, web roots, and application deployment directories. For workstations, monitored paths focus on startup locations, browser extension directories, and system driver paths.

Real-time FIM versus scheduled scanning is a configuration choice with performance implications. Real-time monitoring using inotify (Linux) or ReadDirectoryChangesW (Windows) reports changes immediately but consumes more system resources; on Linux the practical limit is the inotify watch count (fs.inotify.max_user_watches), which a large tree exhausts silently. Scheduled scanning runs at configured intervals and reports differences since the last scan. Real-time tells you what changed; adding who-data (auditd on Linux, the object-access audit policy on Windows) also records which user and process made the change, which is the detail an investigation actually needs on a web root or a deployment directory. For most environments, real-time monitoring on critical paths (system binaries, web roots) combined with scheduled scanning on broader paths provides the right balance, with ignore patterns for caches, logs, and other paths that change by design.
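As an added example (not configuration from the article or shipped with Wazuh) serving both the group-based configuration above and this section's real-time versus scheduled split: the shared agent.conf for a linux-servers group and a Windows workstations group. Paths, group names and the 12-hour scan interval are assumptions for a typical environment; the per-user wildcard paths need a 4.x agent.

```xml
<!-- Added example, not from the article or the Wazuh project.
     /var/ossec/etc/shared/linux-servers/agent.conf on the manager,
     pushed to every agent in the group on its next check-in.
     Paths and the scan interval are assumptions for a typical server. -->
<agent_config os="Linux">
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <syscheck>
    <!-- Scheduled scan every 12 hours for anything not marked realtime. -->
    <frequency>43200</frequency>
    <alert_new_files>yes</alert_new_files>

    <!-- System binaries: realtime (inotify), all checksums and attributes. -->
    <directories realtime="yes" check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin,/usr/local/bin</directories>
    <!-- Configuration: realtime, plus the text diff inside the alert. -->
    <directories realtime="yes" check_all="yes" report_changes="yes">/etc</directories>
    <!-- Never store diffs of secrets, even though /etc is watched. -->
    <nodiff>/etc/shadow</nodiff>
    <nodiff>/etc/gshadow</nodiff>
    <!-- Web root: who-data (auditd) adds the user and process behind the change. -->
    <directories whodata="yes" check_all="yes">/var/www</directories>
    <!-- Application deploy dir: scheduled only, it changes on every release. -->
    <directories check_all="yes">/opt/app</directories>

    <!-- Paths that change by design; without these they dominate week one. -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/resolv.conf</ignore>
    <ignore type="sregex">^/var/www/.+/cache/</ignore>
  </syscheck>
</agent_config>

<!-- /var/ossec/etc/shared/workstations/agent.conf: Windows workstations.
     Startup locations, driver path and browser extension directories,
     as the section above lists for workstation roles. -->
<agent_config os="Windows">
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <syscheck>
    <frequency>43200</frequency>
    <directories realtime="yes" check_all="yes">%WINDIR%\System32\drivers</directories>
    <directories realtime="yes" check_all="yes">C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp</directories>
    <!-- Per-user startup folders and extension stores: * expands per profile (4.x agent). -->
    <directories realtime="yes">C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup</directories>
    <directories>C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions</directories>
    <!-- Registry persistence keys are monitored by the same scheduled scan. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
  </syscheck>
</agent_config>
```

Each file is its own group directory on the manager; an agent in several groups receives all of them. The whodata line assumes auditd is installed on the servers, since Wazuh inserts its own audit rules to get the actor data; on a host without auditd it falls back to plain realtime and says so in the agent log.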

Vulnerability Detection

Wazuh agents inventory installed software and the manager compares versions against vulnerability feeds (vendor advisories for the major Linux distributions and Microsoft, plus the NVD). This provides continuous vulnerability assessment without deploying a separate scanning tool, without scanning-induced network traffic, and without the authentication credential management that network-based vulnerability scanners require. It does only see what the package manager or the Windows installed-programs registry knows about; vendor appliances, container images, and statically built or hand-copied binaries still need a network scanner or a software bill of materials.

The practical value is a prioritized list of vulnerabilities per endpoint, scored by CVSS, with affected package details and available update versions. This feeds directly into patch management workflows and provides evidence for compliance audits.

For defense contractors pursuing CMMC certification, Wazuh's vulnerability detection provides evidence for the Level 2 practices on vulnerability scanning and flaw remediation (NIST 800-171 3.11.2, 3.11.3, and 3.14.1); the practice itself is satisfied only when the findings are tracked to remediation. The continuous nature of agent-based detection versus periodic network scans provides stronger evidence of ongoing compliance rather than point-in-time snapshots.

Compliance Mapping

Compliance reporting is where Wazuh saves the most time for businesses operating under regulatory frameworks. Built-in tagging for PCI DSS, HIPAA, GDPR, NIST 800-53, and TSC means that every alert and every security configuration assessment result is automatically tagged with the controls it relates to. NIST 800-171 is not a native tag set; its requirements are derived from 800-53 controls (NIST publishes the crosswalk in the 800-171 appendices), so the 800-53 tags are what you map to your 800-171 system security plan.

For CMMC assessments specifically, Wazuh's security configuration assessment module evaluates endpoints against CIS benchmark policies, and each check carries compliance tags (CIS, PCI DSS, HIPAA, NIST 800-53, TSC) that you crosswalk to the corresponding 800-171 requirements. This produces an auditable record of configuration compliance that assessors accept as evidence when it is paired with the written policy and the remediation tickets the failed checks generate.

The dashboard provides compliance-specific views that show control satisfaction status across the environment. Rather than manually compiling evidence for each control during audit preparation, the compliance dashboard provides real-time status. When an assessor asks for evidence that changes to system files are tracked and logged (NIST 800-171 3.4.3) and that systems are monitored for indicators of attack (3.14.6), the FIM dashboard provides timestamped, per-endpoint evidence without any manual compilation.

We have seen audit preparation time drop from 2-3 weeks of document gathering to 2-3 days of dashboard review and evidence export for clients using Wazuh as their primary monitoring platform.

Integration with Broader Security Operations

Wazuh does not operate in isolation. Alerts flow outward two ways: the manager pushes alerts above a chosen level to integration hooks as they fire, and the REST API (port 55000) answers on-demand queries for agent status, vulnerabilities, and configuration-assessment results. Together these enable integration with the broader security and operations stack.

We integrate Wazuh with our Network Sentinel platform for unified risk scoring that combines endpoint security posture (from Wazuh) with network traffic analysis and external threat intelligence. An endpoint that Wazuh reports as having unpatched critical vulnerabilities receives a higher risk score when Network Sentinel simultaneously detects unusual outbound connections from that endpoint. The correlation across data sources produces higher-confidence alerts than either system generates independently.

Alert escalation routes through n8n automation workflows. Critical alerts trigger immediate notifications. High alerts create tickets in the project management system. Medium and low alerts aggregate into daily digest reports for security review. This tiered approach ensures that critical findings receive immediate attention while routine findings are reviewed systematically without creating notification fatigue.
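The manager-side half of that tiering, as an added example rather than the article's own configuration: the integration blocks that push critical alerts and high-level FIM findings to n8n webhooks the moment they fire, leaving medium and low alerts to be pulled in bulk through the API for the daily digest. Hostnames and webhook paths are assumed.

```xml
<!-- Added example, not from the article or the Wazuh project.
     /var/ossec/etc/ossec.conf on the manager. Wazuh runs the executable
     /var/ossec/integrations/custom-n8n (custom names must start with
     "custom-"; copy the shipped slack or pagerduty script as a starting
     point) once per matching alert, handing it the JSON alert and the
     hook_url. Hostnames and paths are assumed placeholders. -->
<ossec_config>
  <!-- Tier 1: anything at level 12 or above, regardless of source,
       goes to the immediate-notification workflow. -->
  <integration>
    <name>custom-n8n</name>
    <hook_url>https://n8n.mgmt.example.internal/webhook/wazuh-critical</hook_url>
    <level>12</level>
    <alert_format>json</alert_format>
  </integration>

  <!-- Tier 2: FIM findings from level 10 up go to the ticket-creating
       workflow even though they sit below the critical threshold,
       because a changed system binary is worth a ticket on its own. -->
  <integration>
    <name>custom-n8n</name>
    <hook_url>https://n8n.mgmt.example.internal/webhook/wazuh-fim-ticket</hook_url>
    <group>syscheck</group>
    <level>10</level>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>
```

Everything below these thresholds stays in the indexer and is collected once a day by a scheduled n8n workflow through the API for the digest, so the webhook endpoints only ever see the small, high-confidence fraction. Restrict the n8n webhook hosts to the management VLAN in the same way as the manager API, since a reachable webhook that accepts unauthenticated alert JSON is an easy way to flood the on-call channel.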

The Real Cost

Wazuh is free and open-source. The licensing cost is genuinely zero, which is remarkable for a platform that competes directly with products costing $50,000-200,000 per year. But free software is not free to operate.

Infrastructure costs are modest. A Wazuh manager for a 50-100 agent deployment runs comfortably on a virtual machine with 4 cores, 16GB RAM, and 500GB SSD. On a self-hosted Proxmox environment, the allocated infrastructure cost is approximately $30-50 per month. On cloud infrastructure, an equivalent VM costs $100-200 per month.

Operational costs are where the real investment lies. Someone must review alerts, tune rules, investigate findings, and maintain the platform. For businesses with internal IT staff, this adds approximately 5-10 hours per week to their workload after the initial tuning phase. For businesses without security-focused staff, a managed security partner handles these responsibilities, typically at $500-2,000 per month depending on environment size and compliance requirements.

Compared to commercial alternatives, the total cost of Wazuh including managed operations typically lands at $6,000-24,000 per year versus $50,000-200,000 for commercial SIEM platforms with equivalent capability. The savings fund additional security improvements: endpoint protection, security awareness training, penetration testing, and incident response planning.

When This Applies

Wazuh is most valuable for businesses that need real security monitoring rather than checkbox compliance. If your current security posture consists of antivirus on endpoints and a firewall with default rules, Wazuh provides the visibility layer that transforms reactive incident response into proactive threat detection.

Defense contractors and government subcontractors pursuing CMMC Level 2 or higher will find that Wazuh satisfies a significant portion of the monitoring, detection, and audit requirements. The compliance framework alignment built into the platform reduces the gap between operational security and audit evidence.

Businesses handling sensitive data — financial records, healthcare information, legal documents, intellectual property — benefit from the file integrity monitoring and access tracking that Wazuh provides. Even without a specific compliance mandate, the ability to detect and investigate unauthorized access to sensitive files is a fundamental security capability.

The approach is less suitable for organizations with fewer than 10 endpoints where the operational overhead of maintaining Wazuh exceeds the security benefit, or for businesses that need a fully managed security platform with no operational involvement. In those cases, cloud-native security monitoring services may provide better value despite higher per-endpoint costs.

For businesses evaluating their security monitoring options, the starting point is understanding what you need to detect rather than what features a platform offers. Map your critical assets, identify your threat model, and assess your compliance requirements. Then evaluate whether Wazuh's capabilities align with those needs. In our experience across multiple deployments, the answer is yes more often than businesses expect, and the cost savings fund the operational investment needed to run it effectively.
