Comparison
Shamashai vs Splunk · QRadar · Logsign
Which SIEM is right for a 100–500 device Turkish firm? A side-by-side feature comparison covering deployment time, price range, KVKK packaging, localised UI, and the "can a single IT manager run it?" question.
Neutrality note: This page is published by AFN Teknoloji. Competing-product information is taken from public vendor documentation and Türkiye distributor pages. If you spot an error, please tell us and we'll fix it.
§ 1 — Quick summary
The difference at a glance
| Topic | Shamashai | Splunk Enterprise | IBM QRadar | Logsign |
|---|---|---|---|---|
| Target segment | SMB + mid-market (100–500 devices) | Enterprise (5000+) | Enterprise + Banking | SMB + mid |
| Deployment time | 30 minutes – 1 day | 2–6 months | 3–9 months | 1–2 weeks |
| Typical annual price | Per-device · TRY (SMB packaging) | 6–7 figure USD | 6–7 figure USD | 5–6 figure TRY |
| On-premise | Primary (default) | Yes | Yes | Yes |
| Cloud SaaS | No (data sovereignty) | Yes | Yes | Yes |
| Air-gap install | Supported | Possible | Possible | Supported |
| Localised UI (TR) | Full Turkish + English | No | No | Full Turkish |
| KVKK package | 6 articles · evidence-mapped | Configurable | Configurable | Türkiye-specific |
| ISO 27001:2022 package | 19 controls · day-1 | Configurable | Configurable | Configurable |
| 5651 legal archive | Wave 2 hash chain live · S3/MinIO offload Q3 2026 | Add-on | Add-on | Yes |
| Single IT manager runs it | Yes (1–3 people) | No (SOC team) | No (SOC + RAD) | Yes, with experience |
| Türkiye support | Local (AFN Teknoloji) | Reseller | Reseller | Local |
| Custom parser SDK | JSON drop-in (zero agent change) | Splunk SPL | DSM Editor | Yes |
§ 2 — Detailed feature matrix
Vendor-by-vendor capability comparison
Event management
| Feature | Shamashai | Splunk | QRadar | Logsign |
|---|---|---|---|---|
| Vendor-agnostic canonical schema (OCSF-style) | ||||
| Composite events (brute force, anomaly) | ||||
| Behavioral baseline (login fingerprint) | ||||
| Grouped incident engine | ||||
| MITRE ATT&CK chips (events + alert rules, clickable) |
AI & automation
| Feature | Shamashai | Splunk | QRadar | Logsign |
|---|---|---|---|---|
| AI event summary (TR default, EN option) | add-on | add-on | ||
| AI parser suggestion (unknown-vendor logs) | ||||
| AI advisor (device / scan / event) | ||||
| AI key stays with customer (own OpenAI account) |
Topology + inventory
| Feature | Shamashai | Splunk | QRadar | Logsign |
|---|---|---|---|---|
| Automatic topology (firewall + VLAN + internal) | ||||
| Asset Scan (AD + Entra + Network) | ||||
| Component-level health (port, disk, VM) | ||||
| Bulk CSV import/export |
Compliance + reporting
| Feature | Shamashai | Splunk | QRadar | Logsign |
|---|---|---|---|---|
| KVKK Article 12 ready pack | ||||
| ISO 27001:2022 Annex A mapping | ||||
| Weekly executive summary (email) | ||||
| Evidence pack (auditor bundle) | ||||
| PCI-DSS package | roadmap |
Active response (SOAR)
| Feature | Shamashai | Splunk | QRadar | Logsign |
|---|---|---|---|---|
| Fortigate IP block | add-on | add-on | ||
| Manual approve / time-bound block | ||||
| Sophos XG block (REST) | ||||
| Palo Alto / Cisco block | roadmap |
Notifications
| Feature | Shamashai | Splunk | QRadar | Logsign |
|---|---|---|---|---|
| Email (SMTP + M365 Graph) | ||||
| Web Push + PWA | ||||
| WhatsApp Business (Meta Cloud API, TR template) | ||||
| Independent WhatsApp risk threshold (critical-only) | ||||
| SMS (Türkiye gateway · Netgsm/İletimerkezi · Wave 2) | ||||
| Slack / Teams / Webhook |
Operations
| Feature | Shamashai | Splunk | QRadar | Logsign |
|---|---|---|---|---|
| Windows GUI installer (one-click) | ||||
| Cloud activation key (first run) | ||||
| Offline (air-gap) license | ||||
| Synthetic demo dataset (30-second POC net) | ||||
| Public API reference (~170 endpoints, in-panel) | ||||
| IT manager user guide (in-panel, TR) | ||||
| MFA (TOTP) | ||||
| OIDC SSO (Entra ID + generic) | ||||
| SAML SSO | ||||
| Multi-region HA | roadmap |
Modern UX (Wave 2 · Jun 2026)
| Feature | Shamashai | Splunk | QRadar | Logsign |
|---|---|---|---|---|
| Mobile-first responsive UI (PWA + add-to-home) | ||||
| Light / dark theme toggle (workspace preference) | ||||
| NOC video-wall mode (auto-rotating dashboards) | ||||
| Drag-drop custom dashboard builder + share | ||||
| Saved Views (per-role default screens) | ||||
| Geo-IP attack map (MaxMind + TR-CERT overlay) | add-on | add-on | ||
| Event-trend forecasting (per-category, 7/30 day) | ||||
| Executive PDF report (one-page, auto-mailed) | ||||
| Bulk actions (multi-incident close / assign) | ||||
| Audit hash chain (prev_hash + row_hash · 5651 evidence) | ||||
| Maintenance-pattern AI (auto-detect noisy assets) | ||||
| Cloud-less toggle (full local mode, no AI calls) | ||||
| MSSP console (multi-tenant, per-customer schema) | add-on | add-on |
Wave 4-5 roadmap (16 months)
| Feature | Shamashai | Splunk | QRadar | Logsign |
|---|---|---|---|---|
| Action Channel (Ed25519 + MQTT + 2-approval) | roadmap (W4-1) | |||
| File Integrity Monitoring (ETW + inotify) | roadmap (W4-2) | add-on | ||
| Network config backup + diff | roadmap (W4-3) | |||
| VMware/Hyper-V deep observability | roadmap (W4-4) | add-on | ||
| Patch Management (WUA + Chocolatey + apt/yum) | roadmap (W5) | |||
| Vulnerability scanning (OpenVAS + CVE) | roadmap (W5) | add-on | ||
| AD identity (self-service password reset) | roadmap (W5) | |||
| Endpoint Management (MSI deploy + registry) | roadmap (W5) |
Legend: Full support · Partial / add-on · None · roadmap = on the roadmap, not yet shipping
§ 3 — Which one fits us?
Practical decision guide
Shamashai is the right fit
- 100–500 device firm
- IT team of 1–3 · no dedicated SOC
- KVKK / ISO 27001 audit paperwork needed
- Localised UI required (Turkish, plus English)
- Splunk price out of reach
- Data must stay in Türkiye (on-prem / air-gap)
- Sector: manufacturing, pharma, legal, hospitality, retail, services
Splunk / QRadar fits better
- 5000+ devices
- Dedicated SOC team (5+ analysts)
- BDDK / FAUC / KEY mandates
- 6-figure TRY monthly budget
- Threat-hunting workspace required
- Multi-region HA mandatory
- PCI-DSS 4.0 + HIPAA + GDPR combined
§ 4 — FAQ
Frequently asked
Is it definitively cheaper than Splunk?
Yes, in its target segment (100–500 devices). Splunk Enterprise typically runs 6–7 figures USD per year. Shamashai is priced per device in TRY; the pilot programme gives 50%+ savings in year 1. We don't do everything Splunk does — we do the 80% the SMB/mid segment actually needs.
Can I migrate data from Splunk?
We don't carry old indexes (different schema). But Splunk forwarders can send syslog/CEF to Shamashai in parallel; after the transition Splunk licenses can lapse. We work together for data continuity.
How are you different from Logsign?
Logsign is a strong, Türkiye-experienced product. Shamashai differs on three axes: (1) AI native — a new vendor is learned in 10 minutes, (2) component-level health (port / disk / VM) — Logsign is log-focused, we cover operations too, (3) Cloud activation + GUI installer — Logsign requires more hands-on experience.
Versus QRadar?
QRadar is a heavy enterprise product tailored to banking. Shamashai is not for banking — we serve the mid-market. The recurring pain when QRadar is pitched at a mid-market firm: 6+ month deployment, 6–7 figure license, and an IT manager who cannot operate it solo. Our product is the opposite.
Can I run hybrid (Splunk + Shamashai)?
Yes. Some customers keep Splunk for the core SOC team and use Shamashai for the IT-operations team's daily work. Both products see the same logs (syslog forward). We can evaluate this model together during the pilot.
Is this comparison page neutral?
No, not fully — we're AFN Teknoloji, selling our own product. But we try to present features **objectively**. We don't inflate competitor weaknesses, nor do we minimise theirs. If you find errors, we fix them.
30-minute comparison call
Tell us your current SIEM or plan; based on your inventory we'll honestly say whether Shamashai is the right fit. If it's not, we'll tell you that too — we don't want to waste anyone's time.
