Comparison

Shamashai vs Splunk · QRadar · Logsign

Which SIEM is right for a 100–500 device Turkish firm? A side-by-side feature comparison covering deployment time, price range, KVKK packaging, localised UI, and whether a single IT manager can run it.

Neutrality note: This page is published by AFN Teknoloji. Competing-product information is taken from public vendor documentation and Türkiye distributor pages. If you spot an error, please tell us and we'll fix it.

§ 1 — Quick summary

The difference at a glance

| Topic | Shamashai | Splunk Enterprise | IBM QRadar | Logsign |
|---|---|---|---|---|
| Target segment | SMB + mid-market (100–500 devices) | Enterprise (5000+) | Enterprise + Banking | SMB + mid |
| Deployment time | 30 minutes – 1 day | 2–6 months | 3–9 months | 1–2 weeks |
| Typical annual price | Per-device · TRY (SMB packaging) | 6–7 figure USD | 6–7 figure USD | 5–6 figure TRY |
| On-premise | Primary (default) | Yes | Yes | Yes |
| Cloud SaaS | No (data sovereignty) | Yes | Yes | Yes |
| Air-gap install | Supported | Possible | Possible | Supported |
| Localised UI (TR) | Full Turkish + English | No | No | Full Turkish |
| KVKK package | 6 articles · evidence-mapped | Configurable | Configurable | Türkiye-specific |
| ISO 27001:2022 package | 19 controls · day-1 | Configurable | Configurable | Configurable |
| 5651 legal archive | Wave 2 hash chain live · S3/MinIO offload Q3 2026 | Add-on | Add-on | Yes |
| Single IT manager runs it | Yes (1–3 people) | No (SOC team) | No (SOC + RAD) | Yes, with experience |
| Türkiye support | Local (AFN Teknoloji) | Reseller | Reseller | Local |
| Custom parser SDK | JSON drop-in (zero agent change) | Splunk SPL | DSM Editor | Yes |

§ 2 — Detailed feature matrix

Vendor-by-vendor capability comparison

Event management

Feature · Shamashai · Splunk · QRadar · Logsign
Vendor-agnostic canonical schema (OCSF-style)
Composite events (brute force, anomaly)
Behavioral baseline (login fingerprint)
Grouped incident engine
MITRE ATT&CK chips (events + alert rules, clickable)

AI & automation

Feature · Shamashai · Splunk · QRadar · Logsign
AI event summary (TR default, EN option) · add-on · add-on
AI parser suggestion (unknown-vendor logs)
AI advisor (device / scan / event)
AI key stays with customer (own OpenAI account)

Topology + inventory

Feature · Shamashai · Splunk · QRadar · Logsign
Automatic topology (firewall + VLAN + internal)
Asset Scan (AD + Entra + Network)
Component-level health (port, disk, VM)
Bulk CSV import/export

Compliance + reporting

Feature · Shamashai · Splunk · QRadar · Logsign
KVKK Article 12 ready pack
ISO 27001:2022 Annex A mapping
Weekly executive summary (email)
Evidence pack (auditor bundle)
PCI-DSS package · roadmap

Active response (SOAR)

Feature · Shamashai · Splunk · QRadar · Logsign
Fortigate IP block · add-on · add-on
Manual approve / time-bound block
Sophos XG block (REST)
Palo Alto / Cisco block · roadmap

Notifications

Feature · Shamashai · Splunk · QRadar · Logsign
Email (SMTP + M365 Graph)
Web Push + PWA
WhatsApp Business (Meta Cloud API, TR template)
Independent WhatsApp risk threshold (critical-only)
SMS (Türkiye gateway · Netgsm/İletimerkezi · Wave 2)
Slack / Teams / Webhook

Operations

Feature · Shamashai · Splunk · QRadar · Logsign
Windows GUI installer (one-click)
Cloud activation key (first run)
Offline (air-gap) license
Synthetic demo dataset (30-second POC net)
Public API reference (~170 endpoints, in-panel)
IT manager user guide (in-panel, TR)
MFA (TOTP)
OIDC SSO (Entra ID + generic)
SAML SSO
Multi-region HA · roadmap

Modern UX (Wave 2 · Jun 2026)

Feature · Shamashai · Splunk · QRadar · Logsign
Mobile-first responsive UI (PWA + add-to-home)
Light / dark theme toggle (workspace preference)
NOC video-wall mode (auto-rotating dashboards)
Drag-drop custom dashboard builder + share
Saved Views (per-role default screens)
Geo-IP attack map (MaxMind + TR-CERT overlay) · add-on · add-on
Event-trend forecasting (per-category, 7/30 day)
Executive PDF report (one-page, auto-mailed)
Bulk actions (multi-incident close / assign)
Audit hash chain (prev_hash + row_hash · 5651 evidence)
Maintenance-pattern AI (auto-detect noisy assets)
Cloud-less toggle (full local mode, no AI calls)
MSSP console (multi-tenant, per-customer schema) · add-on · add-on

Wave 4-5 roadmap (16 months)

Feature · Shamashai · Splunk · QRadar · Logsign
Action Channel (Ed25519 + MQTT + 2-approval) · roadmap (W4-1)
File Integrity Monitoring (ETW + inotify) · roadmap (W4-2) · add-on
Network config backup + diff · roadmap (W4-3)
VMware/Hyper-V deep observability · roadmap (W4-4) · add-on
Patch Management (WUA + Chocolatey + apt/yum) · roadmap (W5)
Vulnerability scanning (OpenVAS + CVE) · roadmap (W5) · add-on
AD identity (self-service password reset) · roadmap (W5)
Endpoint Management (MSI deploy + registry) · roadmap (W5)

Legend: Full support · Partial / add-on · None · roadmap = on the roadmap, not yet shipping

§ 3 — Which one fits us?

Practical decision guide

Shamashai is the right fit

  • 100–500 device firm
  • IT team of 1–3 · no dedicated SOC
  • KVKK / ISO 27001 audit-paperwork needed
  • Localised UI required (Turkish, plus English)
  • Splunk price out of reach
  • Data must stay in Türkiye (on-prem / air-gap)
  • Sector: manufacturing, pharma, legal, hospitality, retail, services

Splunk / QRadar fits better

  • 5000+ devices
  • Dedicated SOC team (5+ analysts)
  • BDDK / FAUC / KEY mandates
  • 6-figure TRY monthly budget
  • Threat-hunting workspace required
  • Multi-region HA mandatory
  • PCI-DSS 4.0 + HIPAA + GDPR combined

§ 4 — FAQ

Frequently asked

Is it definitively cheaper than Splunk?
Yes, in its target segment (100–500 devices). Splunk Enterprise typically runs 6–7 figures USD per year. Shamashai is priced per device in TRY; the pilot programme gives 50%+ savings in year 1. We don't do everything Splunk does — we do the 80% the SMB/mid segment actually needs.

Can I migrate data from Splunk?
We don't carry old indexes (different schema). But Splunk forwarders can send syslog/CEF to Shamashai in parallel; after the transition Splunk licenses can lapse. We work together for data continuity.

How are you different from Logsign?
Logsign is a strong, Türkiye-experienced product. Shamashai differs on three axes: (1) AI native — a new vendor is learned in 10 minutes, (2) component-level health (port / disk / VM) — Logsign is log-focused, we cover operations too, (3) Cloud activation + GUI installer — Logsign requires more hands-on experience.

Versus QRadar?
QRadar is a heavy enterprise product tailored to banking. Shamashai is not banking — we serve the mid-market. The recurring pain when QRadar is pitched at a mid-market firm: 6+ month deployment, 6–7 figure license, the IT manager cannot operate it solo. Our product is the opposite.

Can I run hybrid (Splunk + Shamashai)?
Yes. Some customers keep Splunk for the core SOC team and use Shamashai for the IT-operations team's daily work. Both products see the same logs (syslog forward). We can evaluate this model together during the pilot.

Is this comparison page neutral?
No, not fully — we're AFN Teknoloji, selling our own product. But we try to present features **objectively**. We don't inflate competitor weaknesses, nor do we minimise theirs. If you find errors, we fix them.

30-minute comparison call

Tell us your current SIEM or plan; based on your inventory we'll honestly say whether Shamashai is the right fit. If it's not, we'll tell you that too — we don't want to waste anyone's time.