Exabeam EU Alternative 2026 — CLOUD Act 16/25 SIEM Risk After LogRhythm Merger
Post #3 in the sota.io EU SIEM & SOC Series
Exabeam is a major SIEM (Security Information and Event Management) and UEBA (User and Entity Behaviour Analytics) platform used by enterprise security operations centres worldwide. In 2023 Exabeam Inc. completed a merger with LogRhythm, combining two of the largest independent SIEM vendors into a single entity — Exabeam Inc., headquartered in Menlo Park, California, USA.
That Menlo Park address has direct regulatory consequences. Under the CLOUD Act (18 U.S.C. § 2713), US-incorporated companies must produce stored data to US government agencies on request, regardless of where servers are physically located. A SIEM processes your organisation's most sensitive operational data — authentication logs, network flows, incident timelines, user behaviour baselines — making CLOUD Act exposure particularly acute.
This article scores Exabeam at 16/25 on the CLOUD Act GDPR Risk Matrix, explains the post-merger legal landscape, reviews EUCS Level High eligibility, and covers EU-native SIEM alternatives carrying 0/25 CLOUD Act risk.
What Is Exabeam?
Exabeam started in 2013 as a pure UEBA vendor, building machine-learning models to detect anomalous user and entity behaviour that signature-based SIEMs missed. By 2020 it had added full SIEM capabilities — log ingestion, correlation rules, case management — competing directly with Splunk, IBM QRadar, and Microsoft Sentinel.
LogRhythm was a comparable competitor: founded in 2003 in Boulder, Colorado, and known for its Security Intelligence Platform combining SIEM, UEBA, SOAR, and network detection. The 2023 merger created New-Scale SIEM, marketed as the industry's most complete analytics-driven SIEM.
The combined platform today provides:
- Log Management — centralised collection, parsing, and storage of machine-generated data across the enterprise
- UEBA Engine — 850+ ML models building behavioural baselines per user, peer group, and entity type
- Threat Detection — correlation rules, MITRE ATT&CK mapping, threat intelligence enrichment
- TDIR Automation — Threat Detection, Investigation, and Response workflows with automated playbooks
- Case Management — integrated incident tracking from alert to closure
- Cloud Connectors — native ingestion from AWS, Azure, GCP, Microsoft 365, Okta, and 100+ SaaS platforms
The breadth of this data footprint — every login, every privilege escalation, every lateral movement event — is what makes CLOUD Act jurisdiction so consequential.
CLOUD Act Risk Matrix: Exabeam 16/25
The CLOUD Act GDPR Risk Matrix scores vendors across five dimensions on a 0–5 scale. Higher scores indicate greater legal exposure for EU data subjects.
| Dimension | Score | Rationale |
|---|---|---|
| US Incorporation | 5/5 | Exabeam Inc. incorporated in Delaware, HQ Menlo Park CA. LogRhythm Inc. was Colorado-incorporated. Post-merger entity remains US-incorporated. |
| Investment & Ownership | 4/5 | Backed by Accel, Norwest Venture Partners, Lightspeed (all US VCs). Not publicly listed — no mandatory SEC disclosures. Investor board seats carry US legal obligations. |
| Cloud Infrastructure | 3/5 | Exabeam Cloud Platform runs on AWS and Azure. AWS LLC (Amazon.com Inc. Seattle WA) and Microsoft Corp. (Redmond WA) are both independently subject to CLOUD Act requests. Three layers of US jurisdiction. |
| Data Processing Scope | 3/5 | On-premises deployment option remains (inherited from LogRhythm). Cloud deployments (Exabeam Fusion SaaS) are fully US-jurisdiction. Hybrid setups have partial exposure depending on which tier processes data. |
| US Government Contracts | 1/5 | LogRhythm had US federal government customers (DHS, DoD agencies). Exabeam's federal footprint is smaller. No confirmed FedRAMP certification as of 2026. |
Total: 16/25 — Moderate-High CLOUD Act exposure, lower than QRadar (20/25) and Sentinel (19/25), primarily because of the on-premises deployment option and the lower concentration of US government contracts.
What Data Is Exposed?
A SIEM ingests the raw operational record of your organisation. Under CLOUD Act jurisdiction, the following categories of data processed by Exabeam Cloud Platform can be compelled by US authorities:
Authentication & Identity:
- All login events (successful and failed) for every user
- Multi-factor authentication sequences
- Privileged access management (PAM) logs
- Active Directory / LDAP query logs
Network & Endpoint:
- Firewall deny/allow logs
- DNS queries (reveals all external services accessed)
- VPN connection records (maps remote workers to IP locations)
- EDR telemetry if integrated
UEBA Baselines:
- Machine-learning models built per user (working hours, typical applications, data access patterns)
- Anomaly scores and risk ratings per individual
- Peer group behavioural profiles
Threat Intelligence:
- IOC (Indicator of Compromise) data correlated against your logs
- Custom threat feeds and internal threat actor profiles
- Incident response findings and forensic artefacts
Under GDPR Article 9, UEBA behavioural profiles may qualify as inferences of special-category (sensitive) personal data. Compelled disclosure to US authorities without a valid legal gateway (an adequacy decision, or standard contractual clauses with a derogation) constitutes an unlawful international transfer.
The 2023 Merger: Legal Entity Complexity
The Exabeam-LogRhythm merger completed in August 2023. From a CLOUD Act perspective:
Pre-merger: Two separate US entities, each independently subject to CLOUD Act obligations for their respective customer data.
Post-merger: One consolidated US entity — Exabeam Inc. — holding all customer contracts and data. CLOUD Act obligations are unified and potentially broader.
DPA implications: If your organisation signed a Data Processing Agreement with LogRhythm pre-2023, that DPA transferred to Exabeam Inc. as the successor entity. Review whether the successor entity's CLOUD Act posture was disclosed in the DPA amendment process. Many customers were not explicitly notified.
Sub-processor changes: The merger triggered sub-processor changes under GDPR Article 28(2). If your DPA included a list of approved sub-processors, Exabeam's merger-related changes required 30-day advance notice. Missing this notice constitutes a DPA breach.
This merger complexity adds a due diligence obligation for existing Exabeam and LogRhythm customers — check whether your current DPA reflects the post-merger entity structure.
EUCS Level High: Ineligible
The European Union Cybersecurity Certification Scheme (EUCS) at Level High requires that cloud service providers be structurally immune to non-EU legal access requests. For Level High certification, a vendor must demonstrate:
- EU legal entity as the contracting party
- EU data centre operations without non-EU parent company control
- No non-EU laws (including US CLOUD Act) compelling data disclosure
Exabeam Inc. is a US-incorporated entity with US-domiciled parent, US VC investors, and US-based key personnel. None of these requirements can be satisfied.
EUCS Level High: Not eligible — structural CLOUD Act exposure.
This matters for:
- NIS2 Art. 21 — organisations in essential/important sectors must use approved cryptographic practices and may be audited on cloud supplier risk
- DORA Art. 28 — financial entities must assess third-country law exposure for ICT service providers
- Public sector procurement — many EU member state procurement rules now require EUCS-eligible or sovereignty-compliant cloud services for critical systems
On-Premises: The Partial Mitigation
Unlike IBM QRadar (which has migrated primarily to SaaS) and Microsoft Sentinel (cloud-only), Exabeam retains a viable on-premises deployment path through its LogRhythm heritage. The LogRhythm SIEM Self-Hosted product continues to be supported and sold.
On-premises advantages for EU organisations:
- Data never leaves your network — CLOUD Act cannot compel production of data the vendor does not hold
- Air-gapped deployment possible for classified environments
- No cloud sub-processors in the data path
On-premises limitations:
- Exabeam's UEBA engine (the core ML capability) is increasingly cloud-dependent for model updates
- Threat intelligence feeds require cloud connectivity
- Case management and automation features may require Exabeam Cloud Platform connectivity
- Licence costs are typically higher than SaaS equivalents
- GDPR-compliant data residency requires your own EU infrastructure and internal DPA coverage
Key distinction: On-premises deployment limits CLOUD Act risk to law enforcement requests targeting Exabeam's corporate offices (subpoenas for documentation, source code demands), not requests for operational customer data. This is a meaningful risk reduction but not zero.
GDPR Compliance Gap Analysis
| Area | Risk | Recommended Action |
|---|---|---|
| Data Transfer Mechanism | Chapter V GDPR requires legal basis for non-EU transfers. Exabeam Cloud DPAs typically rely on Standard Contractual Clauses (SCCs). Post-Schrems II, SCCs require Transfer Impact Assessment (TIA). | Conduct TIA for all Exabeam Cloud data flows. Document CLOUD Act risk in TIA. |
| Data Subject Rights | UEBA profiles may contain inferences about individual behaviour that constitute personal data under GDPR Art. 4(1). Data subjects can request access/erasure. | Implement DSRM (Data Subject Rights Management) process covering Exabeam UEBA data. Verify erasure propagation. |
| Legitimate Interest Assessment | Security monitoring typically relies on legitimate interest (Art. 6(1)(f)) or legal obligation (Art. 6(1)(c)). Scope must be documented. | Maintain LIA documentation covering SIEM data scope. |
| Sub-Processor Chain | Exabeam uses AWS and Azure as cloud infrastructure. Both are US-incorporated. | Update Records of Processing Activities (RoPA) to list Exabeam Inc., AWS, Microsoft as sub-processors. |
| Data Breach Notification | SIEM compromise is a Category 3 breach (high-risk personal data). 72-hour notification to DPA applies. | Ensure incident response procedures cover Exabeam environment as Category 3 breach scope. |
EU-Native SIEM Alternatives with 0/25 CLOUD Act Exposure
For EU organisations needing EUCS-compatible or sovereignty-grade SIEM, four options deliver 0/25 CLOUD Act exposure:
Sekoia.io (Sekoia SAS — Paris, France)
CLOUD Act Score: 0/25 — French SAS (Société par Actions Simplifiée), EU-incorporated, EU-owned, EU-hosted on OVHcloud.
Sekoia.io (formerly SEKOIA XDR) is a French-built Extended Detection and Response platform built from the ground up for EU sovereignty requirements. Key capabilities:
- SIEM/XDR — log ingestion, correlation, threat detection
- CTI Integration — own threat intelligence feeds, integrated with European CERT/CSIRT networks
- SOAR Playbooks — automated response workflows
- MITRE ATT&CK Coverage — 70%+ coverage on detection rules
- EUCS Compatibility — no US ownership, no US infrastructure sub-processors
- Pricing — licence-based, typically €50k-200k/year for enterprise tier
Best for: French public sector, critical infrastructure under NIS2 Art. 21, organisations requiring ANSSI-approved tools.
Logpoint (Logpoint A/S — Copenhagen, Denmark)
CLOUD Act Score: 0/25 — Danish A/S (Aktieselskab), EU-incorporated, EU-owned.
Logpoint is a Denmark-based SIEM vendor operating since 2012. Purpose-built for European compliance requirements:
- SIEM — log collection, normalisation, correlation across 700+ log sources
- UEBA — user behaviour analytics without sending data to US cloud infrastructure
- SOAR — AgentX automation framework for response playbooks
- Case Management — integrated incident workflows
- Self-hosted or Nordic Cloud — EU data residency guaranteed
- NIS2 Compliance Pack — pre-built detection rules mapping to NIS2 Art. 21 security requirements
- Pricing — typically €30k-150k/year enterprise licence
Best for: Nordic/European organisations, NIS2-regulated entities, organisations with existing EU infrastructure.
Wazuh (Open Source — Self-Hosted)
CLOUD Act Score: 0/25 — Apache 2.0 open source, self-hosted on EU infrastructure.
Wazuh is the leading open-source SIEM/XDR platform, derived from OSSEC. Self-hosted on your EU infrastructure means zero CLOUD Act exposure:
- SIEM — log collection, aggregation, parsing, alerting
- HIDS — Host Intrusion Detection System across Linux, Windows, macOS, containers
- Vulnerability Detection — CVE scanning and patch status tracking
- FIM — File Integrity Monitoring
- Cloud Security — AWS/Azure/GCP posture management (from your own infrastructure)
- Active Response — automated blocking of detected threats
- Infrastructure cost — 500GB/day requires ~8-16 vCPUs, 64GB RAM
- Commercial support — Wazuh Inc. offers support contracts (Spanish company, EU-subsidiary structure)
Best for: Cost-sensitive organisations, technical teams, classified environments requiring air-gapped deployment.
OpenSearch Security Analytics (AWS-agnostic, Self-Hosted)
CLOUD Act Score: 0/25 when self-hosted on EU infrastructure — Apache 2.0 open source.
OpenSearch (the Elasticsearch fork maintained by AWS but open source) includes a Security Analytics plugin providing:
- Sigma Rule Engine — convert 3,000+ Sigma rules to OpenSearch detectors
- Log Ingestion — index any JSON-format log source
- Alerting — condition-based alerting with notification channels
- Dashboards — Kibana-compatible visualisations for SOC analysts
- Self-hosted — on EU VPS/bare metal, zero CLOUD Act exposure
Best for: Organisations already using Elasticsearch/OpenSearch, teams wanting Sigma rule portability, hybrid environments with existing EU log infrastructure.
Migration Path: Exabeam → EU-Native SIEM
Phase 1: Data Landscape Assessment (Weeks 1-4)
- Export Exabeam log source list — identify all connected systems
- Document UEBA models in use — which user populations, which anomaly types
- Map custom detection rules — identify Exabeam-specific rules vs Sigma-compatible rules
- Audit DPA with Exabeam Inc. — verify post-merger entity is correctly named
Phase 2: EU-Native Platform Selection (Weeks 5-8)
| Criterion | Sekoia.io | Logpoint | Wazuh | OpenSearch |
|---|---|---|---|---|
| Managed SaaS | ✅ | ✅ | ❌ | ❌ |
| UEBA built-in | ✅ | ✅ | Limited | ❌ |
| Sigma rules | ✅ | ✅ | ✅ | ✅ |
| EU sovereignty | ✅ | ✅ | ✅ | ✅ |
| EUCS compatible | ✅ | ✅ | ✅ | ✅ |
| Total cost (enterprise) | High | Medium | Low | Very Low |
Phase 3: Sigma Rule Migration (Weeks 9-16)
Exabeam uses its own rule language (Advanced Analytics correlation rules). Migration to Sigma format is a two-step process: the exported rules are first rewritten as Sigma YAML, and sigma-cli then compiles that YAML into the query format of the target platform:

```bash
# 1. Export Exabeam rules as JSON from the Exabeam console and rewrite them
#    as Sigma YAML (community tooling or a script of your own).
# 2. Compile the Sigma YAML for the target platform with sigma-cli. A backend
#    plugin for the target must be installed first; `sigma list targets` shows
#    the targets currently available.
pip install sigma-cli
sigma convert -t opensearch-eql my-rules.yml
```
Pre-built Sigma rule libraries (SigmaHQ, Elastic Detection Rules, SOC Prime) provide 3,000+ detection rules compatible with Logpoint, Wazuh, and OpenSearch Security Analytics.
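The step that sigma-cli does not cover is turning the vendor export into Sigma YAML in the first place. The script below is an added example, not code from the original post or from Exabeam; it assumes a constructed, hypothetical JSON export layout (name, severity, source, conditions, mitre) and emits Sigma rule YAML that `sigma convert` can then read, refusing operators Sigma cannot express rather than silently dropping them.

```python
"""Port a constructed Exabeam-style rule export (hypothetical layout, not Exabeam's real schema) to Sigma rules."""
import json
import uuid
# Constructed sample export: two rules in a made-up JSON layout, as the text of an exported file.
EXPORTED_RULES_JSON = json.dumps([
    {"name": "Brute-force logon attempts", "severity": "HIGH", "source": "windows/security",
     "mitre": ["T1110"], "conditions": [{"field": "EventID", "op": "eq", "value": 4625},
                                        {"field": "LogonType", "op": "in", "value": [3, 10]}]},
    {"name": "PowerShell download cradle", "severity": "MEDIUM", "source": "windows/process_creation",
     "mitre": ["T1059.001"], "conditions": [{"field": "Image", "op": "endswith", "value": r"\powershell.exe"},
                                            {"field": "CommandLine", "op": "contains", "value": "DownloadString"}]},
])
SEVERITY_TO_LEVEL = {"LOW": "low", "MEDIUM": "medium", "HIGH": "high", "CRITICAL": "critical"}
# Sigma expresses string matching as field modifiers; eq and in are plain values or value lists.
OP_TO_MODIFIER = {"eq": "", "in": "", "contains": "|contains", "startswith": "|startswith", "endswith": "|endswith"}

def convert_rule(rule):
    """Map one exported rule to a Sigma rule dict; refuse operators Sigma cannot express."""
    product, _, service = rule["source"].partition("/")
    selection = {}
    for cond in rule["conditions"]:
        if cond["op"] not in OP_TO_MODIFIER:
            raise ValueError(f"rule {rule['name']!r}: operator {cond['op']!r} must be ported by hand")
        selection[cond["field"] + OP_TO_MODIFIER[cond["op"]]] = cond["value"]
    return {
        "title": rule["name"],
        # Stable id derived from the name, so re-running the export does not create duplicate rules.
        "id": str(uuid.uuid5(uuid.NAMESPACE_URL, "legacy-rule/" + rule["name"])),
        "description": "Ported from a legacy correlation rule; review before enabling.",
        "logsource": {"product": product, **({"service": service} if service else {})},
        "detection": {"selection": selection, "condition": "selection"},
        "level": SEVERITY_TO_LEVEL.get(rule["severity"].upper(), "medium"),
        "tags": ["attack." + t.lower() for t in rule.get("mitre", [])],
    }

def convert_export(json_text):
    """Convert a whole JSON export (file contents) into a list of Sigma rule dicts."""
    return [convert_rule(r) for r in json.loads(json_text)]

def to_yaml(obj, indent=0):
    """Minimal YAML emitter for the dict/list/scalar shapes a Sigma rule uses (no PyYAML needed)."""
    pad, lines = "  " * indent, []
    if isinstance(obj, dict):
        for key, val in obj.items():
            if isinstance(val, (dict, list)):
                lines.append(f"{pad}{key}:")
                lines.extend(to_yaml(val, indent + 1))
            else:
                lines.append(f"{pad}{key}: {json.dumps(val)}")  # JSON scalars are valid YAML scalars
    else:
        lines.extend(f"{pad}- {json.dumps(item)}" for item in obj)
    return lines
def render(rule):
    """Serialise one Sigma rule dict to YAML text that `sigma convert` can read."""
    return "\n".join(to_yaml(rule)) + "\n"
```

Write each `render(rule)` result to its own `.yml` file in the directory you pass to `sigma convert`; one rule per file keeps the stable ids useful for diffing later exports.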
Phase 4: UEBA Re-Baseline (Weeks 17-24)
UEBA baselines take 30-90 days to build accurate models. Plan for parallel operation, running the EU-native platform alongside Exabeam during baselining:
- Deploy EU-native SIEM with full log source coverage
- Enable UEBA in learning mode (no alerting)
- After 30 days: enable alerting at low sensitivity, tune false positives
- After 60 days: raise sensitivity to production level
- Decommission Exabeam when EU platform reaches equivalent detection coverage
Phase 5: Data Deletion and DPA Termination
Under GDPR Art. 17 and Art. 28(3)(g), upon contract termination Exabeam must:
- Delete all customer data within 30 days
- Provide written certification of deletion
- Remove data from backup systems within 90 days
Request written deletion certification. Document receipt in your GDPR Records of Processing Activities.
Cost Comparison
| Platform | Deployment | Indicative Annual Cost (500GB/day) |
|---|---|---|
| Exabeam Cloud Platform | SaaS | €150k-400k |
| Exabeam LogRhythm Self-Hosted | On-premises | €80k-200k + infrastructure |
| Sekoia.io | SaaS (EU) | €80k-250k |
| Logpoint | Self-hosted or Cloud (EU) | €50k-150k |
| Wazuh + EU Infrastructure | Self-hosted | €15k-40k (infrastructure) + support |
| OpenSearch Security Analytics | Self-hosted | €10k-25k (infrastructure) |
The open-source options (Wazuh, OpenSearch) offer 80-90% cost reduction compared to commercial SaaS platforms. The trade-off is engineering investment in deployment, tuning, and maintenance.
Decision Framework
Choose Exabeam Cloud Platform if:
- US/global company without EU sovereignty requirements
- Already deeply integrated with Microsoft 365 / Azure ecosystem
- Require advanced UEBA with minimal engineering investment
Choose Exabeam LogRhythm Self-Hosted if:
- Need CLOUD Act risk reduction without full platform migration
- Have existing on-premises SOC infrastructure
- Cannot complete migration on short timeline
Choose Sekoia.io or Logpoint if:
- EU sovereignty is a hard requirement (NIS2 Art. 21, DORA Art. 28, public sector)
- Need managed SaaS without engineering overhead
- Require certified EU-native vendor with EUCS alignment
Choose Wazuh or OpenSearch if:
- Cost is a primary driver
- Have technical team for deployment and maintenance
- Need air-gapped or classified deployment
Key Takeaways
- Exabeam Inc. is a US entity — the 2023 merger with LogRhythm consolidated two US companies rather than reducing CLOUD Act exposure
- CLOUD Act score 16/25 — lower than QRadar (20) and Sentinel (19) primarily due to on-premises deployment path
- UEBA profiles are personal data — GDPR Art. 9 may apply to behavioural inferences; compelled disclosure to US authorities requires legal basis assessment
- DPA due diligence required — post-merger entity change may not have been properly reflected in existing DPA contracts
- EUCS Level High: Not eligible — structural US jurisdiction blocks certification
- Migration is feasible — Sigma rule portability and open-source alternatives (Wazuh, OpenSearch) make migration practical
EU organisations in NIS2-regulated sectors, financial services (DORA), and public sector procurement should treat Exabeam Cloud Platform as a transitional solution and plan migration to a 0/25 CLOUD Act-scored EU-native SIEM within their next procurement cycle.
This is Post #3 in the sota.io EU SIEM & SOC Series. Previous posts: IBM QRadar EU Alternative 2026 and Microsoft Sentinel EU Alternative 2026. Next: Sumo Logic EU Alternative 2026.
Scores are based on publicly available corporate registration, investment, infrastructure, and government contract information as of May 2026. They represent legal exposure analysis, not security product ratings.