Estimating Data Ingestion
This guide helps you estimate how much data your organization might ingest into LimaCharlie, so you can plan costs before deploying.
How LimaCharlie Bills for Data
LimaCharlie has two billing models depending on the data source:
EDR endpoints (Windows, macOS, Linux, Chrome) are billed per endpoint per month at a flat rate. This includes all telemetry generated by the endpoint agent and 1 year of full telemetry retention. You do not need to estimate data volume for EDR endpoints — it is already included in the per-endpoint price regardless of how much telemetry they generate.
External telemetry (data ingested via Adapters) is billed per GB ingested. This covers third-party log sources like cloud providers, identity platforms, SaaS applications, network devices, and other security tools. These sources also include 1 year of telemetry retention.
For current pricing details, see limacharlie.io/pricing.
Company Size Definitions
The estimates in this guide use the following size brackets, defined by the number of employees and the typical infrastructure that comes with each:
| Size | Employees | Typical Endpoints | Typical Servers |
|---|---|---|---|
| Small | 50–200 | 50–200 | 5–20 |
| Medium | 200–1,000 | 200–1,000 | 20–100 |
| Large | 1,000–5,000 | 1,000–5,000 | 100–500 |
> [!NOTE]
> These are rough guidelines. Your actual numbers depend on your industry, infrastructure maturity, and which data sources you choose to ingest. Use these estimates as a starting point and refine based on your environment.
External Telemetry Sources
The tables below estimate daily ingestion volumes for common categories of external data sources. All values are in GB/day.
Cloud Infrastructure Logs
Logs from cloud providers (AWS CloudTrail, Azure Monitor, GCP Audit Logs) covering API calls, resource changes, and access events.
| Source | Small | Medium | Large | Notes |
|---|---|---|---|---|
| AWS CloudTrail | 0.5–2 GB | 2–10 GB | 10–50 GB | Scales with number of AWS accounts and API call volume |
| AWS GuardDuty | 0.1–0.5 GB | 0.5–2 GB | 2–8 GB | Finding volume depends on threat activity |
| Azure Monitor / Activity Logs | 0.5–2 GB | 2–8 GB | 8–40 GB | Includes sign-in, audit, and resource logs |
| GCP Audit Logs | 0.5–1 GB | 1–5 GB | 5–25 GB | Admin activity + data access logs |
Typical total — Cloud: 1–5 GB/day (small), 5–25 GB/day (medium), 25–120 GB/day (large)
Identity & Access Management
Logs from identity providers tracking authentications, MFA events, directory changes, and access policies.
| Source | Small | Medium | Large | Notes |
|---|---|---|---|---|
| Okta System Log | 0.1–0.5 GB | 0.5–2 GB | 2–8 GB | ~50–200 events per user per day |
| Microsoft Entra ID | 0.1–0.5 GB | 0.5–3 GB | 3–10 GB | Sign-in + audit + provisioning logs |
| Duo | 0.05–0.2 GB | 0.2–1 GB | 1–3 GB | MFA authentication events |
| 1Password | < 0.1 GB | 0.1–0.3 GB | 0.3–1 GB | Vault access and item usage events |
Typical total — Identity: 0.2–1 GB/day (small), 1–5 GB/day (medium), 5–20 GB/day (large)
Email & Collaboration
Audit logs from email and collaboration platforms covering user activity, admin actions, and compliance events.
| Source | Small | Medium | Large | Notes |
|---|---|---|---|---|
| Microsoft 365 Audit | 0.2–1 GB | 1–5 GB | 5–20 GB | 50–200 audit records per active user per day; SharePoint and Teams users generate more |
| Google Workspace | 0.1–0.5 GB | 0.5–3 GB | 3–12 GB | Admin, Drive, Login, and Token activity |
| Slack Audit Log | < 0.1 GB | 0.1–0.5 GB | 0.5–2 GB | Enterprise Grid only; tracks workspace access and admin events |
Typical total — Collaboration: 0.3–1.5 GB/day (small), 1.5–8 GB/day (medium), 8–35 GB/day (large)
Network Security
Logs from firewalls, IDS/IPS, VPN concentrators, and network proxies. These are often the highest-volume log sources.
| Source | Small | Medium | Large | Notes |
|---|---|---|---|---|
| Firewalls (Palo Alto, Fortinet, etc.) | 1–5 GB | 5–30 GB | 30–150 GB | Connection/traffic logs are very high volume; threat-only logs are 10–50x smaller |
| IDS/IPS | 0.5–2 GB | 2–10 GB | 10–50 GB | Alert volume depends on rule tuning |
| VPN / ZTNA | 0.1–0.5 GB | 0.5–2 GB | 2–10 GB | Session and authentication events |
| Web Proxy / DNS | 0.5–3 GB | 3–15 GB | 15–80 GB | Per-request logging is very high volume |
> [!WARNING]
> Network security devices are typically the largest source of log data. Firewall traffic logs alone can dwarf all other sources combined. Consider ingesting only threat events and denied connections rather than full connection logs to manage volume.
Typical total — Network: 2–10 GB/day (small), 10–55 GB/day (medium), 55–290 GB/day (large)
Third-Party Security Tools
Logs from other EDR, endpoint protection, or security detection platforms forwarded into LimaCharlie for centralized analysis.
| Source | Small | Medium | Large | Notes |
|---|---|---|---|---|
| CrowdStrike | 0.5–2 GB | 2–8 GB | 8–40 GB | Event volume scales with endpoint count and detection verbosity |
| Microsoft Defender | 0.5–2 GB | 2–8 GB | 8–30 GB | Alerts, incidents, and raw detection events |
| SentinelOne | 0.5–2 GB | 2–8 GB | 8–30 GB | Deep Visibility data is high volume |
| Sophos | 0.2–1 GB | 1–4 GB | 4–15 GB | Endpoint and network protection events |
Typical total — Security Tools: 1–5 GB/day (small), 5–25 GB/day (medium), 25–100 GB/day (large)
SaaS & Other Applications
Audit and activity logs from business applications.
| Source | Small | Medium | Large | Notes |
|---|---|---|---|---|
| GitHub Audit | < 0.1 GB | 0.1–0.5 GB | 0.5–2 GB | Scales with number of repos and developers |
| Kubernetes (pods/audit) | 0.5–2 GB | 2–10 GB | 10–50 GB | Highly variable; depends on cluster size and logging level |
| Custom Syslog sources | 0.1–1 GB | 1–5 GB | 5–20 GB | Varies widely by application |
Putting It All Together
The table below shows estimated total daily external ingestion based on a typical set of data sources for each company size. Most organizations will not ingest every source listed above.
| Scenario | Small | Medium | Large |
|---|---|---|---|
| Minimal — Identity + Cloud only | 1–5 GB/day | 5–25 GB/day | 25–120 GB/day |
| Moderate — Above + Email/Collab + one security tool | 3–12 GB/day | 12–60 GB/day | 60–270 GB/day |
| Comprehensive — Above + Network + multiple security tools | 5–25 GB/day | 25–140 GB/day | 140–500+ GB/day |
> [!NOTE]
> These estimates assume typical logging verbosity. Enabling verbose or debug logging on any source can increase volumes by 2–10x. Conversely, filtering to only security-relevant events can reduce volumes significantly.
Tips for Managing Ingestion Costs
- Start with high-value, low-volume sources. Identity logs and cloud audit trails provide excellent security visibility at relatively low data volumes.
- Filter at the source. Many adapters support filtering to reduce noise. For firewalls, ingesting only threat events and denied connections rather than all traffic logs can reduce volume by 90% or more.
- Use the LimaCharlie Usage Alerts extension to set thresholds and get notified before unexpected spikes impact your bill.
- Monitor your actual usage in the Billing & Usage section of your organization's settings to compare against these estimates and adjust your ingestion strategy.
- Remember that EDR endpoints are flat-rate. If you're choosing between ingesting a third-party EDR's telemetry versus deploying LimaCharlie's own endpoint agent, the agent's flat per-endpoint pricing is often more cost-effective and provides richer telemetry.
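
To refine the table estimates against your own environment, the sketch below extrapolates a timed log sample to GB/day and measures what the "threat events and denied connections only" filter would save. It is an added example, not LimaCharlie code. The key=value log layout, the field names `type` and `action`, decimal gigabytes, and raw line size standing in for ingested size are all assumptions.

```python
from datetime import datetime

# Constructed sample: generic key=value firewall lines (assumed layout, not a vendor format).
SAMPLE = [
    "2024-05-01T10:00:00 type=traffic action=allow src=10.0.0.5 dst=198.51.100.7 dport=443",
    "2024-05-01T10:00:06 type=traffic action=allow src=10.0.0.8 dst=198.51.100.9 dport=443",
    "2024-05-01T10:00:12 type=traffic action=deny src=203.0.113.4 dst=10.0.0.5 dport=3389",
    "2024-05-01T10:00:18 type=traffic action=allow src=10.0.0.5 dst=198.51.100.7 dport=53",
    "2024-05-01T10:00:24 type=threat action=alert src=10.0.0.9 dst=198.51.100.66 dport=80",
    "2024-05-01T10:00:30 type=traffic action=allow src=10.0.0.7 dst=198.51.100.7 dport=443",
    "2024-05-01T10:00:36 type=traffic action=allow src=10.0.0.5 dst=198.51.100.8 dport=443",
    "2024-05-01T10:00:42 type=traffic action=allow src=10.0.0.6 dst=198.51.100.7 dport=123",
    "2024-05-01T10:00:48 type=traffic action=allow src=10.0.0.5 dst=198.51.100.9 dport=443",
    "2024-05-01T10:00:54 type=traffic action=allow src=10.0.0.8 dst=198.51.100.7 dport=443",
]

def parse(line):
    """Split 'TIMESTAMP key=value ...' into (datetime, dict of fields)."""
    ts, _, rest = line.partition(" ")
    return datetime.fromisoformat(ts), dict(kv.split("=", 1) for kv in rest.split())

def is_security_relevant(fields):
    """The filter from the tip: keep threat events and denied connections only."""
    return fields.get("type") == "threat" or fields.get("action") in ("deny", "drop")

def estimate(lines):
    """Extrapolate a timed sample to GB/day, unfiltered and filtered."""
    rows = [(*parse(line), len(line.encode()) + 1) for line in lines]  # +1 for newline
    times = [ts for ts, _, _ in rows]
    window = (max(times) - min(times)).total_seconds()
    if window <= 0:
        raise ValueError("sample must span more than one timestamp")
    per_day = 86400 / window / 1e9  # sample bytes -> GB/day (decimal GB assumed)
    full = sum(size for _, _, size in rows)
    kept = [size for _, fields, size in rows if is_security_relevant(fields)]
    return {
        "events": len(rows),
        "kept_events": len(kept),
        "full_gb_day": full * per_day,
        "filtered_gb_day": sum(kept) * per_day,
        "reduction": 1 - sum(kept) / full,
    }

if __name__ == "__main__":
    for name, value in estimate(SAMPLE).items():
        print(f"{name}: {value}")
```

Feed it a capture that spans a representative busy period; a short or quiet sample will understate the daily figure.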