ChannelLife Canada - Industry insider news for technology resellers
Elastic drops endpoint fees as it adds workflow automation

Mon, 23rd Mar 2026

Elastic has removed per-endpoint pricing for its XDR product and added native workflow automation to its security platform, aiming to widen coverage and reduce the need for separate automation tools.

The shift replaces a long-running pricing model that has often forced security teams to limit how many devices they protect. It also introduces a built-in workflow tool that could replace standalone SOAR software in some deployments. Elastic said the combined effect could cut total cost of ownership by up to 70% compared with other platforms.

The announcement comes as Australian businesses face rising cyber costs. Elastic cited the latest ASD Cyber Threat Report, which found average cybercrime costs for large Australian firms have risen 219% to more than AUD $200,000 per incident.

Mike Nichols, Elastic's general manager of security, said speed is changing the economics of security operations. In commentary accompanying the announcement, he said attackers can move from compromise to impact in as little as 11 minutes, leaving little time for teams that rely on manual triage and fragmented tools.

Pricing shift

Under the new model, all security customers using Elastic's serverless offering can cover unlimited endpoints without separate per-device fees. Elastic said per-endpoint charging has often led organisations to protect only part of their network, creating gaps in data and visibility.

That matters because broader visibility is increasingly central to newer security operations models, where software agents and automation investigate and respond to threats in the background. Across the sector, vendors have framed this as a shift from conventional security operations centres built around dashboards and manual workflows to more automated models that require less analyst intervention.

Elastic tied the pricing change directly to that shift, arguing that partial data limits what automated systems can do. AI-based security tools need access to activity across the environment to detect patterns and support response before an attack escalates, the company said.

Jan Brilke, CEO of AV-Comparatives, said coverage and simplicity affect how widely protections are deployed. “Organisations continue to face growing attack complexity, fragmented toolsets, and increasing operational overhead,” he said. “At the same time, completeness and efficacy of cybersecurity offerings and their ease-of-use can influence how broadly protections are deployed, potentially creating visibility gaps. A high score in our Business Security Test and Endpoint Prevention and Response Reports indicates that it is possible to achieve high levels of efficacy while simplifying coverage and reducing these trade-offs.”

Elastic also said its XDR product received a 100% protection rating in AV-Comparatives' 2025 Business Security evaluation.

Workflow tool

The second product change brings Elastic Workflows into the security platform as a native feature. According to Elastic, the tool gives users direct access to alerts, cases and investigation data without requiring a separate SOAR product.

Standalone SOAR tools have long helped security teams automate repetitive response tasks, but they can also introduce another supplier relationship, extra integrations and added maintenance. Elastic is betting customers will prefer automation embedded in the same environment as their SIEM and XDR tools.

One customer example highlighted time savings in routine operations. “Using Workflows enabled our SOC to spend so much more time on the things that matter. On a daily basis, we ran through 500 alerts, spending 3 hours creating cases and enriching them manually. Using Workflows, this is all done automatically, saving up to 2.5 hours a day,” said a SOC leader at a European government agency.

Nichols expressed Elastic's position on separate automation platforms more directly. “Organisations shouldn't have to decide which systems are worth protecting, and with AI drastically evolving the threat landscape, they can't afford to,” he said. “Per-endpoint pricing turns coverage into a budget decision. We don't believe in that at Elastic. We've built the highest-rated XDR in the industry and are making it available without that tax, so security teams don't have to choose between full coverage of world-class protection and manageable costs.”

On workflows, he added: “If you're not using AI to fight AI, you're already behind, and if you're still relying on separate SOAR tools, you're even further. Elastic Workflows brings AI-driven automation directly to where data lives with no extra tools or integration overhead.”

The new workflow feature is being offered in tech preview. Elastic said it works with its Agent Builder feature in Elasticsearch, which is designed to let customers build custom AI agents that combine scripted playbooks with reasoning during investigations.

The broader message is that security buyers are moving away from questions of licence counts and toward decisions about visibility, automation and operational speed. For Australian organisations facing higher incident costs and growing pressure on security teams, the commercial model behind security tools may now matter as much as the detection technology itself.

Thought Machine security operations lead Jack Simpson also described the product positively. “How do I sleep at night? We ran an incident simulation to test the proactive capabilities of Elastic Defend, a critical component in securing our organization. We created reverse shells in various formats to see how Elastic would perform when our analysts weren't watching. It was fantastic at triggering, defending, and categorizing the attacks. I sleep well knowing Elastic Defend is protecting our organization.”