Portal feature cost

Portal Audit Log Cost in 2026: Retention, Storage, Compliance

Audit logs are the compliance line item most consistently underestimated in developer portal budgeting. SOC 2 requires a year of retention, HIPAA six years, FedRAMP three years online. Here is a vendor-neutral breakdown of what audit logs cost on each portal, what SIEM egress adds, and the self-hosted Backstage implementation as a comparison.

SOC 2 retention: 12-18 mo (at least 1 year, audit window often 13-18 months)

SIEM egress cost: $50-$300/mo (for typical 100-dev volume + mid-tier SIEM)

Self-hosted build: $20K-$60K (platform-team one-time implementation)

Why Audit Logs Are the Compliance Sleeper Cost

Audit log requirements are the line item most consistently underestimated in developer portal budgeting. The pattern: an organisation selects a portal, runs through the standard buying conversation (catalogue, scorecards, scaffolding, plugin breadth, per-seat pricing), and discovers six months later, during a SOC 2 readiness review, that the standard-tier audit log retention is 30 days and the auditor wants 12. The organisation either upgrades to enterprise tier mid-contract (rarely favourable) or implements a SIEM egress pipeline (works but adds infrastructure complexity).

The underlying confusion: audit log presence and audit log retention are different things. Every portal has some form of audit log; the standard-tier retention windows are short enough (30 to 90 days) that they do not satisfy any of the major compliance frameworks. Verifying retention period during procurement (not just whether audit logs exist) is the practical mitigation.

Compliance framework retention requirements vary. SOC 2 Type II requires at least 12 months of audit log coverage at the time of audit, which in practice means most organisations retain 13 to 18 months to cover audit windows. HIPAA requires 6 years of audit log retention for PHI access events. FedRAMP requires at least 3 years online plus offline retention through the system lifecycle. PCI DSS requires 1 year online with 3 months immediately accessible. Each is approximate as of 2026-05-15 and the exact requirement varies by control framework version; confirm with the relevant auditor.

Vendor Default Retention Windows

| Vendor | Standard tier retention | Enterprise tier retention | Extended (custom) |
|---|---|---|---|
| Cortex | 30-90 days | 1 year | 3-7 years (priced add-on) |
| Port | 30-90 days | 1-3 years | 7 years (priced add-on) |
| OpsLevel | 30-90 days | 1 year | 3-6 years (priced add-on) |
| Roadie | 30-90 days | 1 year | SIEM-export pattern recommended |
| Self-hosted Backstage | your decision | your decision | your decision (and your storage bill) |

The pattern is consistent: standard-tier windows are below compliance minimums, enterprise-tier windows cover SOC 2 and most ISO 27001 needs, and HIPAA, FedRAMP, or PCI requirements typically need either extended-retention add-ons or SIEM egress. The exact numbers shift as vendors update pricing; verify directly with the vendor during procurement before signing.

SIEM Egress Pattern

The most common pattern for organisations with long-retention requirements is to keep the portal's native audit log for short-term operational use (the 30 to 90-day standard-tier window) and export audit events to a SIEM for long-term retention. This decouples the portal's pricing tier from the retention requirement.

Typical portal audit log volume is 0.5 to 5 GB per month at a 100-developer organisation, depending on activity level (busy organisations with high scaffolder usage and frequent catalogue mutations sit at the high end). SIEM ingest pricing varies enormously by SIEM choice. Elastic self-hosted runs roughly $5 to $20 per GB depending on infrastructure. Sumo Logic and Sentinel sit in the middle (typically $50 to $100 per GB). Splunk Cloud and Datadog Logs sit at the high end ($100 to $200 per GB for premium tiers). Monthly SIEM cost for portal audit log egress at a typical mid-sized organisation lands in the $50 to $300 per month band; the absolute volume is small enough that even high-cost SIEMs do not produce alarming totals.

The implementation pattern: configure the portal to emit audit events through its webhook or syslog-style export, route the events through a small ingestion pipeline (Lambda, Cloud Function, or equivalent) that normalises the format to your SIEM's expected schema, and ingest into the SIEM with an appropriate retention policy. This pattern works on every commercial portal that offers audit log export and on self-hosted Backstage; the engineering work is roughly 1 to 3 platform-engineer weeks for a clean implementation.
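The normalisation step of that pipeline, as an added example that is not taken from any portal or SIEM vendor. The raw field names (`ts`, `user`, `event`, `resource`, `ip`), the output schema and the `retainUntil` tag are assumptions; malformed events are returned with reasons so they can be dead-lettered instead of silently dropped.

```typescript
// Added example: normalise a portal audit webhook payload before SIEM ingest.
// Raw field names and the output schema are constructed, not a vendor's format.
interface SiemAuditRecord {
  timestamp: string;       // UTC ISO-8601
  actor: string;
  action: string;
  target: string;
  sourceIp: string | null;
  retainUntil: string;     // event time + retention window (assumed lifecycle tag)
}

type NormaliseResult =
  | { ok: true; record: SiemAuditRecord }
  | { ok: false; errors: string[] };

function normaliseAuditEvent(raw: Record<string, unknown>, retentionDays: number): NormaliseResult {
  const errors: string[] = [];
  const requiredString = (key: string): string => {
    const v = raw[key];
    if (typeof v !== "string" || v.trim() === "") {
      errors.push("missing " + key);
      return "";
    }
    return v.trim();
  };
  const actor = requiredString("user");
  const action = requiredString("event");
  const target = requiredString("resource");
  // Accept epoch seconds or an ISO-8601 string; anything else is rejected, not guessed.
  const tsRaw = raw["ts"];
  const ms = typeof tsRaw === "number" ? tsRaw * 1000
    : typeof tsRaw === "string" ? Date.parse(tsRaw) : NaN;
  if (!isFinite(ms)) errors.push("bad ts");
  // An event that cannot be attributed or dated goes to a dead-letter queue.
  if (errors.length > 0) return { ok: false, errors };
  const ip = raw["ip"];
  return {
    ok: true,
    record: {
      timestamp: new Date(ms).toISOString(),
      actor, action, target,
      sourceIp: typeof ip === "string" ? ip : null,
      retainUntil: new Date(ms + retentionDays * 86400000).toISOString(),
    },
  };
}
```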

Self-Hosted Backstage Audit Log Build

Implementing audit logging on self-hosted Backstage is roughly $20,000 to $60,000 of platform-engineer time. The work breaks into five pieces. Defining the audit event taxonomy: which user actions get logged, what fields each event includes (timestamp, actor, action, target entity, request context). Instrumenting the Backstage event surfaces: UI actions, API calls, scheduler events, scaffolder runs, catalogue mutations. Routing events to durable storage: structured logging to stdout for log-aggregator pickup, or direct emission to a SIEM, depending on your downstream pattern. Implementing the audit log access UI: a page in Backstage where compliance reviewers can search and export audit events for a given time window. Writing the tests that confirm coverage: a test that performs each significant action and verifies the corresponding audit event was logged.

The work is not technically complex but it is broad. A missing event surface becomes a compliance gap that auditors flag later. The temptation to log only the obvious events (logins, catalogue edits) and skip the less-obvious ones (scaffolder runs, configuration changes, plugin enables) is real and consistently produces audit findings during SOC 2 readiness reviews. A meaningful build covers every event surface from day one, not selectively. Ongoing maintenance after the initial build is roughly $5,000 to $20,000 per year, mostly tracking new Backstage event surfaces as the framework adds them.
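A coverage check of the kind the last build step describes, as an added example that is not Backstage code. The event fields follow the taxonomy listed above; the surface labels, action names and the sample run are constructed for illustration.

```typescript
// Added example: find event surfaces that produced no usable audit event in a test run.
interface AuditEvent {
  timestamp: string;
  actor: string;
  action: string;
  target: string;
  requestContext: { [key: string]: string };
}

// One expected action per event surface the page names, including the
// less obvious ones (scaffolder runs, configuration changes, plugin enables).
const EXPECTED_AUDIT_ACTIONS: Array<{ surface: string; action: string }> = [
  { surface: "ui", action: "user.login" },
  { surface: "api", action: "api.request" },
  { surface: "scheduler", action: "scheduler.task.run" },
  { surface: "scaffolder", action: "scaffolder.template.run" },
  { surface: "catalogue", action: "catalogue.entity.update" },
  { surface: "configuration", action: "config.change" },
  { surface: "plugin", action: "plugin.enable" },
];

function auditCoverage(events: AuditEvent[]): { missing: string[]; incomplete: string[] } {
  const seen: string[] = [];
  const incomplete: string[] = [];
  events.forEach((e) => {
    // An event without actor, target or a parseable timestamp is not usable evidence.
    if (!e.actor || !e.target || isNaN(Date.parse(e.timestamp))) {
      incomplete.push(e.action);
    } else {
      seen.push(e.action);
    }
  });
  const missing = EXPECTED_AUDIT_ACTIONS
    .filter((x) => seen.indexOf(x.action) === -1)
    .map((x) => x.surface + ":" + x.action);
  return { missing, incomplete };
}

// Constructed run: only the "obvious" events are logged, plus one scaffolder event with no actor.
const SAMPLE_RUN: AuditEvent[] = [
  { timestamp: "2026-05-01T09:00:00Z", actor: "user:alice", action: "user.login", target: "portal", requestContext: { ip: "203.0.113.7" } },
  { timestamp: "2026-05-01T09:05:00Z", actor: "user:alice", action: "catalogue.entity.update", target: "component:payments", requestContext: {} },
  { timestamp: "2026-05-01T09:06:00Z", actor: "", action: "scaffolder.template.run", target: "template:service", requestContext: {} },
];
```

Run `auditCoverage` at the end of an integration suite that exercises every action, and fail the build when either list is non-empty.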

Frequently Asked Questions

What audit log retention does each compliance framework require?
SOC 2 Type II requires audit logs covering at least one year of activity at the time of audit (most organisations retain 13 to 18 months to cover audit windows). ISO 27001 does not mandate a specific retention period but auditors typically expect at least 12 months. HIPAA requires 6 years of audit log retention for PHI access events. FedRAMP requires at least 3 years online plus offline retention through the system's lifecycle. PCI DSS requires 1 year online with 3 months immediately accessible. The exact requirement varies by control framework version; treat these as approximate as of 2026-05-15 and confirm with your auditor.
What is the default retention on each commercial portal?
Standard-tier audit log retention is typically 30 to 90 days across the commercial portal market. Cortex, Port, and OpsLevel all default to similar windows on standard tiers. Enterprise tiers extend retention to 1 year or longer (Cortex enterprise typically 1 year, Port enterprise 1 to 3 years, OpsLevel enterprise 1 year). Longer retention than the enterprise default is typically a custom-priced add-on; organisations with HIPAA 6-year or FedRAMP 3-year requirements should expect to either pay for extended retention or export to a SIEM for long-term storage.
What does SIEM egress for portal audit logs cost?
The cost of exporting audit logs to a SIEM (Splunk, Sentinel, Datadog Logs, Elastic, Sumo Logic) is a function of log volume and SIEM ingest pricing. Typical portal audit log volume is roughly 0.5 to 5 GB per month at a 100-developer organisation, depending on activity level. SIEM ingest pricing at the low end (Elastic self-hosted) is roughly $5 to $20 per GB; at the high end (Splunk Cloud, Datadog Logs) it can run $100 to $200 per GB. Monthly SIEM cost for portal audit log egress lands in the $5 to $1,000 per month band depending on volume and SIEM choice; most mid-sized organisations are in the $50 to $300 per month band.
What does self-hosted Backstage audit log implementation cost?
A real audit-log implementation on self-hosted Backstage is $20,000 to $60,000 of platform-engineer time. The work covers: defining the audit event taxonomy (what events get logged, what fields each event has), instrumenting the Backstage event surfaces (UI actions, API calls, scheduler events, scaffolder actions, catalogue mutations), routing events to durable storage (typically structured logging to stdout for log-aggregator pickup, or direct emission to a SIEM), implementing the audit-log access UI for compliance reviewers, and writing the tests that confirm coverage. The work is not technically complex but it is broad; a missing surface becomes a compliance gap that auditors flag later.
What is the realistic year-three audit log total cost?
For a 100-developer organisation on an enterprise-tier commercial portal: the enterprise-tier add-on, at $50,000 to $150,000 per year, covers audit log retention of one year or more, plus $1,000 to $5,000 per year of SIEM ingest for long-term archival. Year-three cumulative: roughly $150,000 to $450,000. For a self-hosted Backstage with custom audit-log implementation: $20,000 to $60,000 one-time build plus $5,000 to $20,000 per year of maintenance plus $1,000 to $5,000 per year of SIEM ingest. Year-three cumulative: roughly $40,000 to $120,000. The build path is cheaper but the build risk and the ongoing security-review burden are both real.
How does audit log retention affect storage cost?
At the volumes typical for portal audit logs (0.5 to 5 GB per month per 100 developers), storage cost is small even at long retention. Six years of 5 GB per month equals 360 GB; at S3 Glacier storage pricing of $0.004 per GB per month, that lands at about $1.50 per month of storage cost. At Standard pricing of $0.023 per GB per month, it is $8 per month. The storage cost is essentially never the binding constraint; the SIEM ingest cost (paid once at ingest time) and the licence cost of extended retention on the portal (paid per year) dominate.

Updated 2026-05-11