IBM QRadar Review
November 14, 2019

IBM QRadar Review

Douglas Concepcion | TrustRadius Reviewer
Score 7 out of 10
Vetted Review

Overall Satisfaction with IBM QRadar

QRadar is primarily being used by companies to increase the visibility of their operational environment. It is used as the central correlation engine for relevant event sources. It is almost always the central piece of their SOC, assisting the analysts in quickly determining risks to the organization. The deployment footprint varies from client to client driven by required coverage area and cost.
  • It is easier to deploy than most SIEM's.
  • Its correlation engine in my opinion is the best of any SIEM.
  • The GUI when compared to most other SIEM's is easier to work with.
  • It is a mature SIEM with a better than average level of support.
  • As with all SIEM's that I'm aware of, it relies on supervised machine learning. This is a major weakness in today's threat landscape.
  • As with all SIEM's the more event sources it needs to correlate the slower it becomes. This becomes an issue as the deployment footprint increases, a solution needs to be developed to address this limitation.
  • The ability to customize the GUI and reporting per user needs some improvement.
  • ROI is a very tough calculation to achieve when it comes to cyber events. The reason is that how do you rate damage to the brand e.g. Target. Loss of confidence in a brand can easily lead to a company going bankrupt - how, do you measure that?
  • QRadar is in line with most other SIEM's in its category in TCO.
  • QRadar will lower the TCO and ROI of a security team's cost, due to the ability to perform most of the investigation and remediation recommendation.
Splunk Enterprise Security I've found is the easiest of all major SIEM's to deploy due to its event normalization capabilities. It lags behind QRadar in event correlation but is better in user GUI customization. One issue where QRadar beats it is in cost. Splunk starts off cheap, but as you expand (due to it's licensing model), it quickly becomes very expensive. It is the monster that keeps on feeding.
QRadar being a mature product has many different information resources to tap in too, and the quality of the IBM engineers is usually higher than most other vendors.

Do you think IBM Security QRadar SIEM delivers good value for the price?

Not sure

Are you happy with IBM Security QRadar SIEM's feature set?


Did IBM Security QRadar SIEM live up to sales and marketing promises?


Did implementation of IBM Security QRadar SIEM go as expected?


Would you buy IBM Security QRadar SIEM again?


HCL BigFix (formerly from IBM), HCL AppScan (formerly from IBM), Darktrace
QRadar is well suited for any SOC and it would always be my first recommendation for this kind of deployment.
The biggest issue it has is cost, for small to midsize companies looking to deploy it. It very quickly becomes cost-prohibitive. Another issue it and every SIEM that I'm aware of needs to address is east to west traffic visibility. Flows by default only give you at most sixty data points, which is not enough in today's world.

IBM Security QRadar SIEM Feature Ratings

Centralized event and log data collection
Event and log normalization/management
Deployment flexibility
Integration with Identity and Access Management Tools
Custom dashboards and workspaces
Host and network-based intrusion detection