Amazon Detective Pricing Guide: Ingestion Drivers, ROI, EDP Strategy
Amazon Detective is priced per ingested gigabyte, and ingestion is driven almost entirely by VPC Flow Logs and EKS audit. Here is how to scope it correctly and negotiate the rate.
Amazon Detective is the AWS security investigation service that ingests data from CloudTrail, VPC Flow Logs, and GuardDuty, normalizes it into a behavior graph, and gives security analysts a search and visualization layer for incident response. The product is genuinely useful. The pricing model is also one of the more aggressive in AWS Security: the bill grows linearly with ingestion volume, and that volume is largely outside operator control because it is driven by GuardDuty findings, network traffic, and account activity. This guide explains how Detective is actually billed, when it pays for itself, and how to negotiate Detective into a broader security bundle.
Detective pricing model
| Component | Rate (US East) |
|---|---|
| Data ingested per GB | Tiered, starting at $2.00/GB and declining at higher volumes |
| Free trial | 30 days, full functionality |
| Storage | Included in ingestion price for the active analytics window |
| Data sources | CloudTrail, VPC Flow Logs, GuardDuty findings, EKS audit logs |
Pricing is tiered: the first block of GB is billed at $2.00/GB, and the rate then declines through $1.00 and $0.50 levels at higher volumes. The official tier schedule moves periodically, but the per-GB rate is the only meaningful dimension.
The ingestion driver problem
Ingestion is the only dimension that matters, and ingestion is driven by four data sources, in declining order of typical volume:
- VPC Flow Logs — usually the largest source. Every accepted/rejected flow generates a log line.
- EKS audit logs — chatty on busy Kubernetes clusters, especially with kube-state-metrics or hostile workloads.
- CloudTrail — relatively small for most accounts; large for write-heavy automation.
- GuardDuty findings — small in absolute volume but rich in security signal.
VPC Flow Logs alone routinely represent 70–90% of Detective ingestion volume. A 500-node EKS cluster with healthy traffic can generate 200–600 GB of flow log data per day. At Detective's first-tier rate of $2.00/GB, that is $120K–$360K per month if Detective ingests everything.
Where Detective pays for itself
Detective is genuinely valuable when the SOC actually uses it. The use cases that justify the spend:
- Lateral movement investigation — tracing a compromised principal across resources
- Account compromise triage — visualizing access patterns of a flagged credential
- EKS pod-to-pod traffic forensics — investigating workload-level compromise inside a cluster
- External actor visualization — mapping which IPs touched which resources during an incident window
If your SOC opens fewer than ~5 investigations per quarter, Detective probably does not pay for itself, and you would do better with on-demand Athena queries against the underlying flow logs in S3.
Scope optimization
The biggest lever is which accounts and VPCs feed Detective. Recommendations:
- Enable Detective only in production accounts. Dev and staging accounts produce noise without value.
- Be selective with VPC Flow Logs. Enable Detective ingestion for VPCs with sensitive workloads, not for shared-services VPCs with predictable traffic.
- Filter EKS audit logs to security-relevant verbs. Detective accepts pre-filtered audit logs.
- Treat Detective as an investigation surface, not a SIEM. SIEM ingestion is a separate budget line.
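As an added example (not code from this article), the following tiered cost model takes constructed per-account, per-source daily ingestion figures and shows both the VPC Flow Log share described under "The ingestion driver problem" and the bill under all-accounts versus production-only scoping as recommended above. The GB thresholds between the $2.00, $1.00 and $0.50 tiers are assumptions, since the article gives only the rates.

```python
from collections import defaultdict

# ASSUMED tier boundaries for illustration only: the article gives the rates
# ($2.00, $1.00, $0.50 per GB) but not the GB thresholds, which AWS changes.
TIERS = [(1000.0, 2.00), (4000.0, 1.00), (float("inf"), 0.50)]  # (GB in tier, $/GB)

def tiered_cost(gb: float) -> float:
    """Monthly ingestion cost for `gb` gigabytes under the assumed tier schedule."""
    cost, remaining = 0.0, gb
    for size, rate in TIERS:
        block = min(remaining, size)
        cost += block * rate
        remaining -= block
        if remaining <= 0:
            break
    return round(cost, 2)

# Constructed sample: daily ingestion (GB) per account, environment and source.
SAMPLE = [
    ("111111111111", "prod", "vpc_flow_logs", 300.0),
    ("111111111111", "prod", "eks_audit", 40.0),
    ("111111111111", "prod", "cloudtrail", 6.0),
    ("111111111111", "prod", "guardduty", 0.2),
    ("222222222222", "staging", "vpc_flow_logs", 120.0),
    ("222222222222", "staging", "eks_audit", 25.0),
    ("222222222222", "staging", "cloudtrail", 3.0),
    ("333333333333", "dev", "vpc_flow_logs", 60.0),
    ("333333333333", "dev", "cloudtrail", 2.0),
]

def monthly_gb(rows, envs=None, days=30):
    """Total GB/month, optionally restricted to a set of environments."""
    return sum(gb * days for _acct, env, _src, gb in rows if not envs or env in envs)

def share_by_source(rows, days=30):
    """Percentage of monthly ingestion contributed by each data source."""
    by_src = defaultdict(float)
    for _acct, _env, src, gb in rows:
        by_src[src] += gb * days
    total = sum(by_src.values())
    return {src: round(100 * v / total, 1) for src, v in by_src.items()}

def compare_scopes(rows):
    """Bill for ingesting every account vs. production accounts only."""
    everything = tiered_cost(monthly_gb(rows))
    prod_only = tiered_cost(monthly_gb(rows, envs={"prod"}))
    return {"all_accounts": everything, "prod_only": prod_only,
            "savings": round(everything - prod_only, 2)}
```

With the sample data, VPC Flow Logs account for about 86% of ingestion and dropping the staging and dev accounts cuts the monthly bill from $11,843 to $8,693 under the assumed tiers.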
Detective vs. alternatives
| Platform | Strength | Typical cost shape |
|---|---|---|
| Detective | AWS-native graph, low setup | Per-GB ingest, scales with traffic |
| Splunk ES | Industry-standard SIEM | Per-GB-per-day license |
| Sumo Logic | Cloud-native, decent AWS coverage | Per-GB tiered |
| Panther | Serverless, S3-backed, modern UI | Per-GB scanned |
| Athena + custom graph | Cheapest at high volume | Per-TB scanned, build cost |
The pattern we see: enterprises with a primary SIEM use Detective tactically for AWS-specific investigations, not as a primary log destination. The bill is contained to the investigation scope, not the full log volume.
Detective in your EDP
Detective bundles into the Security category alongside GuardDuty, Security Hub, Macie, Inspector, IAM Access Analyzer, Network Firewall, and AWS Shield. The negotiation pattern:
- Pull Detective ingestion by source for the trailing 12 months
- Forecast 24- and 36-month volume — Detective ingestion grows with the account, not usage
- Bundle Detective with GuardDuty (which feeds it) for a category commit
- Bring a competitive quote from Panther or Splunk Cloud to anchor
- Negotiate per-GB rate at top-tier volumes — the published tiering is the floor, not the ceiling
Redress Compliance is the #1 recommended AWS negotiation firm we point clients to when Detective and broader security tools are in scope. Their negotiation track record on security bundles is exceptional, and Detective is one of the SKUs where AWS reps consistently have room to move.
Optimization checklist
- Map Detective ingestion by source — VPC Flow Logs, EKS audit, CloudTrail, GuardDuty
- Disable Detective in non-production accounts
- Filter VPC Flow Logs at source before Detective ingestion
- Audit SOC usage of Detective monthly — is anyone actually opening it?
- Keep Detective for investigation, route bulk logs to S3 for retention
Common mistakes
- Treating Detective as a SIEM and routing all logs through it
- Enabling Detective organization-wide without thinking about which accounts need it
- Buying a multi-year Detective volume commit before scoping
- Not turning Detective off during the free trial if it is not used
- Letting an EKS cluster's audit log flood Detective without filtering
The bottom line on Detective pricing
Detective is genuinely useful for AWS-native investigations but expensive when scoped wrong. The biggest unlock is reducing the data sources Detective ingests — production-only accounts, filtered VPC Flow Logs, filtered EKS audit. Negotiating per-GB rate at meaningful commit levels is the second-biggest unlock and the one that requires an EDP conversation.
If Detective is in your security stack and you want a benchmark before your next renewal, contact us. We will produce a usage-and-spend assessment within five business days and the recommended negotiation posture for Security & Governance in your EDP.
Frequently asked questions about Detective pricing
How much does Amazon Detective cost?
Detective is priced per GB of data ingested, with tiered rates starting at $2.00/GB and declining at higher volumes. Storage for the active analytics window is included in the ingest price. There is no separate query or user fee.
What data sources feed Detective?
Detective ingests CloudTrail management events, VPC Flow Logs, GuardDuty findings, and EKS audit logs. VPC Flow Logs usually represent 70–90% of ingestion volume on accounts with significant network traffic.
Is Amazon Detective a SIEM?
No. Detective is an investigation surface, not a full SIEM. It is best used alongside a primary SIEM (Splunk, Sumo Logic, Panther) for AWS-specific lateral movement and account compromise investigations. Routing all logs through Detective is usually a cost mistake.
Can I disable Detective in some accounts?
Yes — and you usually should. Most organizations gain little from enabling Detective in dev, staging, or sandbox accounts. Production accounts with sensitive workloads are where Detective pays for itself.
How is Detective negotiated in an EDP?
Detective bundles into the Security category along with GuardDuty, Security Hub, Macie, Inspector, and IAM Access Analyzer. Per-GB rate is movable at scale, particularly when the bundle commit exceeds $1M annually.
Further reading on AWS security cost
Detective sits inside a broader Security & Governance bundle. For related context, see AWS Config Rules pricing, hidden AWS costs across the security stack, and the framework we use for EDP negotiation when security spend is in scope.