SA1.10 Cost Management

5 hours · Module 1 · Free
[Figure SA1.10, text recovered from the image]
AUTOMATION COST MODEL: LOGIC APPS + EXTERNAL APIs
Logic App execution cost
  Per action: ~£0.000025 ($0.000025)
  15-action playbook × 500 runs/day × 30 days = 225,000 actions = £5.63/month
  10 playbooks, full stack: ~£56/month
External API cost
  VirusTotal Premium: ~£700/month
  AbuseIPDB Premium: ~£15/month
  Shodan: ~£50/month
  Free tiers: VT 4 req/min, AbuseIPDB 1K/day
Cost comparison: automation vs headcount
  Full automation stack (10 playbooks + APIs): £56 + £765 = ~£821/month = ~£9,852/year
  One additional SOC analyst: £50,000-£70,000/year (salary + benefits + equipment + training)
  Automation is 5-7x cheaper and scales without limit; the analyst costs the same at 500 or 5,000 alerts/day.
  Note: automation does not replace analysts; it shifts their time from mechanical repetition to judgment-based work.

Figure SA1.10 — Automation cost model. Logic App execution is negligible. External APIs are the significant variable. Both combined are 5-7x cheaper than headcount.

Operational Objective
Cost is the objection that kills automation proposals that survive every other challenge. The CISO approves the concept, the SOC lead approves the design, the analysts are eager to build, and then finance asks "what does this cost?" If the answer is vague, the project stalls. This sub-module provides the specific cost model: Logic App execution pricing, external API costs, optimization techniques, and the comparison against headcount that makes the ROI argument.
Deliverable: A quantified cost model for your automation stack, optimization techniques to reduce costs, and the business case comparison against headcount that you present to finance.
⏱ Estimated completion: 20 minutes

Logic App execution costs

Logic Apps on the Consumption plan charge per action execution. Every step in your Logic App — the trigger evaluation, each HTTP call, each condition check, each compose action, each For Each iteration — is one action execution.

The rate is approximately £0.000025 per action (£0.025 per 1,000 actions). That is the rate for built-in actions such as HTTP, Compose, Condition and For Each; actions that go through a managed connector (Microsoft Sentinel, Teams, Office 365, Azure AD) are billed at the higher standard connector rate, about five times the built-in rate, so a playbook dominated by connector calls costs a few times the figures below. It is still pennies, and so low that most SOC managers do not believe it until they see the Azure bill.

Real-world cost calculation for NE’s automation stack:

Enrichment playbook: 15 actions per run (trigger + 5 enrichment queries + 5 compose steps + comment + Teams + tag + one error-handling scope). Runs on every incident: 500/day = 15,000 runs/month. Total actions: 225,000/month. Cost: £5.63/month.

Collection playbook: 12 actions per run. Runs on High/Critical incidents only: ~50/day = 1,500/month. Total actions: 18,000/month. Cost: £0.45/month.

Notification playbook: 8 actions per run. Runs on High/Critical: ~50/day = 1,500/month. Total: 12,000. Cost: £0.30/month.

Containment playbook: 20 actions per run (enrichment + conditions + VIP check + blast radius + containment + verification + notification). Runs on confirmed threats: ~5/day = 150/month. Total: 3,000. Cost: £0.08/month.

Total Logic App cost for 4 production playbooks: £6.46/month. Even with 10 playbooks at higher action counts and volume, the total stays under £60/month.

The Logic App Standard plan (fixed monthly cost, better performance) becomes cost-effective above roughly 10 million actions/month, far beyond any SOC's automation volume. Standard also gives you VNet integration and private endpoints; if a playbook must reach resources on a private network, that, not cost, is the reason to choose it. Otherwise stay on the Consumption plan.

External API costs

The significant cost variable is not Logic Apps — it is the third-party APIs your playbooks call.

VirusTotal. The free tier allows 4 requests per minute and 500 per day. At 500 alerts/day you exhaust the daily limit if every alert triggers an IP lookup. Options: (1) Stay on the free tier and cache: store lookup results in a Sentinel watchlist for 24 hours, check the watchlist before calling the API, and call VirusTotal only for IPs not in the cache. This cuts API calls by 80% or more because the same attacker IP appears in many alerts. (2) Upgrade to VirusTotal Premium (~£700/month) for a far larger quota (it is still quota-based, not unlimited). Premium is justified only for SOCs processing thousands of unique IOCs per day.

AbuseIPDB. The free tier provides 1,000 checks per day — sufficient for most SOCs. Premium (~£15/month) increases the limit to 5,000/day. The free tier is usually adequate if combined with caching.

Shodan. The free API has severe rate limits (1 request/second, limited endpoints). The membership (~£50/month) provides 100 queries/minute. Shodan enrichment is valuable but optional — VirusTotal and AbuseIPDB cover the most common enrichment needs.

Cost optimization through caching. A Sentinel watchlist can store the results of external API lookups. Before calling VirusTotal, the playbook queries the watchlist: “Has this IP been looked up in the last 24 hours?” If yes, use the cached result. If no, call the API and store the result in the watchlist.

Implementation: add a "Run query and list results" action before the VirusTotal HTTP action. Watchlist columns are ingested as strings, so convert LastLookup before comparing it against a timestamp:

    // TI-Cache lookup: a hit is a row for this IP refreshed within the last 24 hours
    _GetWatchlist('TI-Cache')
    | where IPAddress == "@{variables('CurrentIP')}"
    | where todatetime(LastLookup) > ago(24h)
    | top 1 by todatetime(LastLookup) desc

If the query returns a row, skip the VirusTotal call and use the cached data. If it returns nothing, call VirusTotal and write the result to the watchlist with an "Add rows to watchlist" action. Two caveats. First, CurrentIP is interpolated into the query text and it comes from an alert entity, which an attacker influences; validate that it is a well-formed IP address before building the query, otherwise a crafted entity value becomes KQL injection executed with the playbook's identity. Second, "Add rows to watchlist" appends rather than upserts, and new rows can take several minutes to become queryable, so the same IP accumulates rows over time (the top 1 keeps the freshest) and two runs that start within that window will both miss the cache. Expect a small number of duplicate lookups rather than zero.

This pattern reduces external API calls by 70-90% depending on how many repeated IOCs appear in your alerts. At NE, the same attacker IP (203.0.113.45) appeared in 35 alerts over one month — caching turns 35 VirusTotal calls into 1.
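To make the caching pattern concrete, here is an added worked example (mine, not code from the course or from Microsoft Sentinel) that simulates the watchlist cache over a constructed alert stream and produces the API-calls-per-day and hit-rate figures the decision point later in this sub-module asks you to measure. It also builds the KQL above safely: the IP is parsed as an address before it is interpolated into the query. The alert mix, the 24h TTL, the helper names (`TICache`, `build_cache_query`, `constructed_alerts`, `simulate`, `free_tier_sufficient`) and the addresses are assumptions for the example.

```python
"""Added example, not code from the course: the watchlist TTL cache that sits in
front of VirusTotal, simulated over a constructed alert stream, plus a safe
builder for the KQL lookup the playbook runs. Assumed (not from the page): the
24h TTL, the alert mix and the helper names."""
import ipaddress
from datetime import datetime, timedelta

CACHE_TTL = timedelta(hours=24)   # the 24h window used in the text
VT_FREE_DAILY = 500               # VirusTotal free-tier daily quota, from the text


def build_cache_query(ip: str, watchlist: str = "TI-Cache") -> str:
    """KQL for the 'Run query and list results' action that precedes the VirusTotal call.

    The IP arrives from an alert entity, i.e. attacker-influenced text, and is
    interpolated into the query string, so it is parsed as an IP literal first;
    a value such as '1.2.3.4" or 1==1 //' would otherwise be KQL injection.
    Watchlist columns are strings, hence todatetime() on LastLookup.
    """
    ip = str(ipaddress.ip_address(ip.strip()))  # ValueError on anything that is not an IP
    return (
        f"_GetWatchlist('{watchlist}')\n"
        f'| where IPAddress == "{ip}"\n'
        "| where todatetime(LastLookup) > ago(24h)\n"
        "| top 1 by todatetime(LastLookup) desc"   # newest row wins; 'Add rows' appends, it does not upsert
    )


class TICache:
    """In-memory stand-in for the TI-Cache watchlist: IP -> time of last API lookup."""

    def __init__(self, ttl: timedelta = CACHE_TTL) -> None:
        self.ttl = ttl
        self.rows: dict[str, datetime] = {}
        self.api_calls = 0
        self.hits = 0

    def lookup(self, ip: str, now: datetime) -> str:
        """Return 'cache' on a fresh hit, else 'api' after recording the simulated VirusTotal call."""
        last = self.rows.get(ip)
        if last is not None and now - last < self.ttl:
            self.hits += 1
            return "cache"
        self.api_calls += 1       # the HTTP action the cache is meant to avoid
        self.rows[ip] = now       # the 'Add rows to watchlist' step
        return "api"


def constructed_alerts(days: int, per_day: int):
    """Constructed alert stream (not real data): 3 of every 5 alerts name one of ten
    repeat-offender IPs, 2 of every 5 name a never-seen IP. Yields (timestamp, ip)."""
    start = datetime(2024, 1, 1)
    hot = [f"203.0.113.{i}" for i in range(1, 11)]        # TEST-NET-3 documentation range
    fresh = 0
    for d in range(days):
        for n in range(per_day):
            ts = start + timedelta(days=d, seconds=n * 86400 // per_day)
            if n % 5 < 3:                                  # repeat offender, cycling through the pool
                ip = hot[(n // 5) % len(hot)]
            else:                                          # a new IP every time
                ip = f"100.64.{fresh // 256}.{fresh % 256}"  # 100.64.0.0/10, not publicly routable
                fresh += 1
            yield ts, ip


def simulate(days: int = 2, per_day: int = 500):
    """Run the cache over the stream; return the cache and VirusTotal calls per day."""
    cache = TICache()
    calls_per_day: dict[int, int] = {}
    start = None
    for ts, ip in constructed_alerts(days, per_day):
        start = start or ts
        day = (ts - start).days
        if cache.lookup(ip, ts) == "api":
            calls_per_day[day] = calls_per_day.get(day, 0) + 1
    return cache, calls_per_day


def free_tier_sufficient(calls_per_day: dict[int, int], quota: int = VT_FREE_DAILY) -> bool:
    """The decision the text asks for: does the busiest day stay within the free quota?"""
    return max(calls_per_day.values()) <= quota


if __name__ == "__main__":
    cache, per_day = simulate()
    total = cache.api_calls + cache.hits
    print(f"VirusTotal calls per day: {per_day}")
    print(f"cache hit rate: {cache.hits / total:.0%}, free tier sufficient: {free_tier_sufficient(per_day)}")
    print(build_cache_query("203.0.113.45"))
```

Run it as a script to print calls per day, the hit rate and the generated query. With this mix the 500 alerts/day become 210 VirusTotal calls/day (10 repeat offenders re-queried once the TTL expires plus 200 fresh IPs), a 58% hit rate, comfortably inside the free tier. The hit rate is driven entirely by how often the same IOC recurs, which is why the text says to measure for 30 days rather than estimate: change the 3-in-5 repeat-offender mix in constructed_alerts and the answer to the free-tier question changes with it. Cache hits do not refresh LastLookup, matching the watchlist pattern, so a repeat offender costs one call per day.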

When automation rules replace expensive playbooks

Some automation actions do not need a Logic App at all. Automation rules are free — they execute within Sentinel’s platform at no additional cost. Before building a playbook, check whether an automation rule can accomplish the same goal:

Severity changes: automation rule (free) vs playbook that reads the incident and calls the Sentinel API to change severity (£0.00005 per execution). Trivial cost difference but the automation rule is simpler, faster, and does not require a Logic App resource.

Assignment routing: automation rule (free). No playbook needed.

FP auto-close with simple conditions: automation rule (free). If the FP pattern can be expressed as title/severity/rule name conditions, no playbook needed.

FP auto-close with data lookup: playbook required. If the FP pattern requires checking a watchlist (is this IP known-safe?), the lookup needs a KQL action in a Logic App. This is the minimum-cost playbook: trigger + query watchlist + close incident = 3 actions × 500 runs/month = 1,500 actions = £0.04/month.

The rule: use automation rules for simple actions. Use playbooks for actions requiring data lookup, API calls, or conditional logic. Every unnecessary Logic App action is a (tiny) cost and a (small) maintenance burden.

The business case — automation vs headcount

The cost comparison that convinces finance:

Option A: Hire a fourth analyst. Salary: £55,000. Employer NI: £6,000. Benefits: £5,000. Equipment: £2,000. Training: £3,000. Total year 1: £71,000. Total year 2+: £66,000/year. Capacity added: 8 hours/day = 48 additional alerts triaged at 10 minutes each. At 500 alerts/day, the queue deficit drops from 356 to 308. The deficit is still 62%.

Option B: Build automation. Logic Apps: £60/month = £720/year. External APIs (VirusTotal free + AbuseIPDB free + caching): £0/year. Analyst time to build (120 hours over 90 days, 25% of one analyst): no incremental cash cost, since it comes out of existing salary, but be ready to show it as an opportunity cost at a loaded hourly rate, because that is the first question a finance reviewer asks. Total year 1: £720 cash. Total year 2+: £720/year plus about 4 hours/month of maintenance.

Capacity recovered: 64 analyst-hours/day (SA0.1 calculation). The queue deficit drops from 356 to 0. Zero untriaged alerts. The three existing analysts shift surplus time to investigation, hunting, and detection engineering.

Option B costs 1% of Option A and delivers 100% queue clearance instead of 14% improvement. This is not a close comparison. Present the numbers in a one-page document with the heading “Automation Investment Proposal” and the subheading “£720/year to eliminate 356 untriaged alerts per day.”

⚠ Compliance Myth: "Logic App costs are unpredictable and could spike unexpectedly"

The myth: Consumption-based pricing means costs are unpredictable. A misconfigured playbook with an infinite loop could generate millions of actions and a massive bill.

The reality: Logic Apps bound individual runs. A For Each loop has a hard iteration ceiling, an Until loop stops at its configured iteration limit (default 60) or its timeout, and trigger concurrency can be capped so a flood of incidents queues rather than fanning out. Azure Cost Management budget alerts add a financial tripwire: set one at £100/month on the Logic Apps resource group and you will hear about a problem long before any meaningful cost accumulates. Two caveats. A budget alert notifies, it does not stop spend, and cost data lags by hours, so pair it with an Azure Monitor alert on the Logic App's run-count metrics. And the loop that actually bites in Sentinel is not inside one run but across runs: a playbook triggered on "incident updated" that itself updates the incident (tag, comment, severity) retriggers the automation rule. Guard against it with a rule condition on who updated the incident (the rule editor's "Updated by" condition) so the rule ignores its own playbook's changes. In practice, even a badly misconfigured playbook generating 100,000 unintended actions a day costs £2.50/day: noticeable in monitoring, not financially damaging. The infinite-loop fear is technically valid but practically negligible once these guards are in place.

Decision point: Your SOC handles 500 alerts/day. VirusTotal’s free tier allows 500 lookups/day. Should you upgrade to Premium? Not necessarily. Implement the caching pattern first — check the watchlist before calling the API. After 30 days, check how many API calls the cache prevented. If cached lookups reduce calls to under 300/day, the free tier is sufficient. If unique IOCs still exceed 500/day after caching, upgrade. Make the decision based on measured data, not estimated volume.

Try it: Calculate your automation costs
  1. List every playbook you plan to build in this course (enrichment, collection, notification, containment)
  2. Estimate the action count per playbook (count the steps in the Logic App designer)
  3. Estimate the daily execution count (how many incidents trigger each playbook)
  4. Calculate: actions × executions × 30 × £0.000025 = monthly Logic App cost
  5. List external APIs you plan to use. Check each API’s free tier limits.
  6. Calculate whether caching keeps you within free tier limits
  7. Sum: Logic App cost + API subscription cost = total monthly automation cost
  8. Compare against the cost of one additional analyst

Present the numbers to your SOC lead. If the total is under £100/month (it almost certainly is), the approval conversation is 30 seconds.

Check your understanding. Your SOC processes 300 alerts/day. Your enrichment playbook has 12 actions and calls VirusTotal (free tier: 500/day) for every alert. After deploying the caching pattern, 65% of lookups are served from cache. How many VirusTotal API calls per day, and does the free tier suffice?
  A. 105 API calls/day. Correct: 300 alerts × 35% cache-miss rate = 105 unique lookups. The free tier (500/day) handles this with 395 calls to spare. No upgrade needed. Logic App cost: 12 × 300 × 30 × £0.000025 = £2.70/month.
  B. 300 API calls/day, the cache does not reduce calls. Incorrect: the cache reduces calls by 65%, not 0%. 300 × 0.35 = 105 calls/day.
  C. 195 API calls/day. Incorrect: 300 × 65% = 195 is the number of cached lookups, not API calls. API calls are 300 - 195 = 105.
  D. 0 API calls, all lookups should use cache. Incorrect: the cache only holds results for IPs looked up within the last 24 hours. New IPs (35% of lookups in this scenario) require fresh API calls; a 100% hit rate is not achievable.

Where this goes deeper. SA2 implements the caching pattern for TI enrichment using Sentinel watchlists. SA10 covers Azure Functions pricing for complex logic scenarios. SA12 builds the full cost-benefit analysis for the automation program including ROI calculation, TCO comparison, and the monthly cost tracking that demonstrates ongoing value.
