Is the UniFi and Wazuh stack worth it for SMBs?
This stack offers a cost-effective security baseline by pairing UniFi's $99/year gateway enforcement with Wazuh's open-source telemetry analysis.
UniFi handles gateway-level blocking and policy, while Wazuh captures endpoint evidence and correlates logs. This separation prevents alert fatigue by keeping firewall rules simple and moving complex analysis to the SIEM. It is a practical option for teams that need compliance coverage (NIST CSF or SOC 2) without the cost of a proprietary enterprise stack.
Quick Overview
- Audience: IT and security leaders building a combined network and endpoint monitoring stack
- Last fact-check: 2026-02-16
- Primary sources reviewed: Ubiquiti Help + Store pages, Wazuh Platform/Cloud/Docs
For broader planning context, pair this with the network security operating guide and NIST CSF 2.0 Guide before rollout.
What this stack is good at
The UniFi + Wazuh stack delegates network blocking to the gateway and telemetry analysis to the SIEM.
UniFi CyberSecure (network layer):
- gateway-level IDS/IPS and traffic policy enforcement
- threat-signature inspection and content filtering features
- centralized policy control across UniFi-managed sites
Wazuh (endpoint and analytics layer):
- agent-based endpoint monitoring and log analysis
- vulnerability detection and file integrity monitoring
- alert correlation, investigation context, and response actions
Stack architecture: signal flow and ownership model
The most reliable way to run this stack is to treat it as a pipeline: policy at the gateway, evidence collection at endpoints, correlation in Wazuh, then documented response ownership.
| Layer | Primary Source | Primary Owner | Common Failure Mode | Control That Reduces Risk |
|---|---|---|---|---|
| Perimeter policy | UniFi gateway + CyberSecure policy engine | Network engineering | Overly broad block/allow rules | Change control with rollback criteria and maintenance windows |
| Network telemetry | UniFi logs via Syslog forwarding | Platform operations | Log forwarding breaks silently after config drift | Heartbeat monitor for collector input and alert on ingestion gaps |
| Endpoint telemetry | Wazuh agents on critical systems | Security operations + endpoint admin | Agent coverage decays as assets are added | Monthly asset-to-agent reconciliation with remediation SLA |
| Correlation + triage | Wazuh rules, decoders, and alert queues | Security operations | High alert noise creates triage fatigue | Quarterly top-noise rule review and severity normalization |
| Incident response | Ticketing/SOC runbooks | Security manager + incident commander | Unclear handoff between teams | Owner-escalation matrix with timer-based escalation triggers |
Where does each tool stop?
UniFi does not replace endpoint telemetry, and Wazuh does not replace gateway policy enforcement. If a deployment expects either tool to cover the other's core function, alert quality and response speed usually degrade.
How much does UniFi CyberSecure cost?
UniFi CyberSecure costs $99 per year for standard gateways and $499 per year for Enterprise Fortress gateways.
This subscription activates real-time threat signatures from Proofpoint and expands traffic filtering categories. While entry-level gateways like the Cloud Gateway Ultra include basic stateful firewalls for free, the paid add-on is required for dynamic threat intelligence and botnet filtering.
- Standard License ($99/yr): Fits Cloud Gateway Ultra, Dream Machine Pro/SE.
- Enterprise License ($499/yr): Required for Enterprise Fortress Gateway to support 95,000+ signatures.
What does CyberSecure block?
CyberSecure applies Proofpoint threat intelligence to filter traffic at the gateway level. Confirmed blocking categories include:
- Known C2 (Command-and-Control) IPs: Outbound connections to attacker-controlled infrastructure
- Tor Exit Nodes: Traffic routing through anonymization networks commonly used in exfiltration
- Malware Domains: Domains associated with malware distribution and payload delivery
- Botnet Infrastructure: Communication channels used by compromised devices
- Phishing Domains: Sites flagged for credential harvesting activity
- High-Risk Content Categories: Configurable filtering across 50+ threat categories (model-dependent)
Ubiquiti documentation notes that available capabilities are hardware-model dependent, and that requirements vary by UniFi OS/Network version and region.
Gateway options (verified February 2026)
Cloud Gateway Ultra
Entry-level option for small environments
- Store-listed 1 Gbps IPS routing
- Listed support for 30+ UniFi devices / 300+ clients
- CyberSecure add-on signal: $99/year
- Useful for smaller single-site deployments
Dream Machine Pro
Common SMB baseline gateway
- Store-listed 3.5 Gbps IPS routing
- Listed support for 100+ UniFi devices / 1,000+ clients
- CyberSecure add-on signal: $99/year
- SSL/TLS inspection NOT available — requires EFG or UXG-Enterprise
Dream Machine Pro Max
Middle-ground option for higher throughput
- Store-listed 5 Gbps IPS routing
- Useful step-up before enterprise-class gateways
- CyberSecure add-on signal: $99/year
- SSL/TLS inspection NOT available — requires EFG or UXG-Enterprise
Enterprise Fortress Gateway
Higher-scale option for larger environments
- Store-listed 12.5 Gbps IPS routing
- Listed support for 500+ UniFi devices / 5,000+ clients
- CyberSecure Enterprise signal: $499/year
- Typically selected for larger multi-site estates
Compatibility and tuning reality
CyberSecure behavior is model-dependent. Ubiquiti explicitly notes that feature sets are determined by gateway hardware, and some advanced capabilities may vary by region. Validate compatibility and throughput against your exact gateway model before purchase.
Encrypted traffic visibility matters
If your policy requires SSL/TLS decryption for inspection, plan for NeXT AI SSL Traffic Inspection. Ubiquiti lists EFG and UXG-Enterprise as required hardware, so UDM Pro planning should assume non-decrypted HTTPS visibility unless your design includes those enterprise gateways.
CyberSecure capability snapshot
| Area | CyberSecure | CyberSecure Enterprise |
|---|---|---|
| Store pricing signal | $99/year (common store listing) | $499/year (EFG/enterprise listing) |
| Signature scale (per vendor help docs) | Typically up to 55,000+ on many supported models | Up to 95,000+ on enterprise-class models (e.g., EFG/UXG-Enterprise) |
| Threat category scope | 50+ categories (model-dependent) | 50+ categories (model-dependent) |
| Hardware dependency | Broad compatibility across many gateways | Enterprise-class gateway requirement |
Gateway selection by site profile
| Environment Profile | Typical Gateway Fit | Why this fit is practical | Escalation trigger |
|---|---|---|---|
| Single-site small office | Cloud Gateway Ultra | Lower entry cost with published IPS and client/device scale for smaller estates | Sustained throughput pressure or policy complexity beyond entry tier limits |
| Growing SMB core office | Dream Machine Pro | Strong baseline throughput and broad community/operator familiarity | Need for enterprise-only feature set or larger multi-site aggregation |
| Multi-site or high-throughput environment | Enterprise Fortress Gateway | Higher published IPS throughput and clear enterprise subscription path | Need for segmented architecture beyond a single-gateway model |
Ready to configure your UniFi gateway?
Browse UniFi gateway options and CyberSecure subscription details on the official store.
View UniFi GatewaysWazuh deployment model and requirements
Wazuh is presented by the vendor as a free and open-source platform that unifies XDR and SIEM use cases. Architecturally, deployment includes agent endpoints plus central components (server, indexer, dashboard), with support for agentless monitoring where agent installation is not possible.
Wazuh deployment paths
Self-Managed Wazuh
Software licensing + ~$100/mo infrastructure (est.)
- Open-source licensing model
- Full control over data residency and configuration
- Requires internal operations for upgrades, tuning, and retention planning
- Infrastructure cost: ~$50–$150/mo for a VM, or $600+ CapEx for dedicated hardware
Wazuh Cloud (Small)
Managed service starting tier
- Up to 100 active agents
- 1 month indexed retention
- 3 months archive retention
- Standard support
Wazuh Cloud (Medium/Large)
Managed service higher tiers
- Medium: up to 250 agents
- Large: up to 500 agents
- Longer retention windows
- Custom tier available for larger estates
Not sure which Wazuh model fits your team?
Run the Valydex assessment to map your current staffing capacity and get a deployment recommendation before committing.
Start Free AssessmentSelf-managed vs cloud: operational tradeoff matrix
| Decision Area | Self-Managed Wazuh | Wazuh Cloud | What to ask before deciding |
|---|---|---|---|
| Data control | Maximum control over retention, indexing, and location | Control is bounded by service plan and provider model | Do you have strict data residency or custom retention requirements? |
| Operational load | Internal team owns upgrades, scaling, and incident platform health | Provider handles core platform operations | Can your team sustain ongoing Linux/platform ownership? |
| Cost profile | Lower software licensing cost, higher internal labor variance | Predictable monthly subscription baseline from published tiers | Do you prioritize variable labor cost control or fixed recurring spend? |
| Customization depth | Highest flexibility for custom parsers/rules and architecture choices | Depends on managed-service boundaries and support model | How much custom detection engineering do you actually need? |
Baseline technical requirements (indexer node)
| Requirement Class | CPU | RAM | Storage | Notes |
|---|---|---|---|---|
| Minimum (per docs) | 2 cores | 4 GB | 50 GB+ | Suitable for smaller test or light environments |
| Recommended (per docs) | 8 cores | 16 GB | 500 GB+ | Better for production-scale indexing and search performance |
Sizing method that avoids underprovisioning
Use Wazuh's endpoint-type storage guidance for 90-day planning (servers, workstations, network devices) before finalizing hardware. As a rule of thumb, plan for 500 MB–1 GB per agent per day for full logging. Storage is the most common failure mode for self-hosted SIEMs—undersizing here causes index pressure, retention gaps, and platform instability before any other resource constraint appears.
How do I integrate UniFi logs with Wazuh?
Integration requires enabling remote Syslog on the UniFi gateway and configuring a matching UDP/TCP listener on the Wazuh manager.
Wazuh architecture documentation explicitly supports agentless monitoring for devices where installing an agent is not possible, including network devices, using Syslog/SSH ingestion. Plan for a mixed model:
- network telemetry via Syslog
- endpoint telemetry via Wazuh agents
Architecture: signal flow
Endpoints
└─► Wazuh Agent (port 1514/TCP)
└─► Wazuh Manager
├─► Wazuh Indexer (correlation + storage)
└─► Wazuh Dashboard (triage + response)
UniFi Gateway (CyberSecure)
└─► Remote Syslog (port 514/UDP or TCP)
└─► Wazuh Manager
└─► ubiquiti-unifi decoder → rules → alerts
Integration steps
- Configure Wazuh Listener: Modify
ossec.confto enable<remote>syslog reception on port 514 (UDP or TCP). - Enable UniFi Forwarding: In UniFi Network settings, navigate to System > Advanced > Remote Logging and enter your Wazuh manager IP.
- Map Decoders: Verify that Wazuh's default
ubiquiti-unifidecoder is parsing fields correctly; custom decoder tuning is often required for newer CyberSecure event types.
Filter at the source to control log volume
In UniFi Network's remote logging settings, enable only Security and System event categories for forwarding to Wazuh. Leave Debug logging disabled unless actively troubleshooting a specific issue. Sending all log levels significantly increases indexing load and storage consumption without adding detection value.
Reference port map
| Port | Protocol | Purpose |
|---|---|---|
| 1514 | TCP | Wazuh agent-to-server communication (default) |
| 55000 | TCP | Wazuh API |
| 514 | UDP/TCP | Syslog collector path (disabled by default; enable intentionally) |
Integration caveat
UniFi's raw syslog output is verbose and unstructured by default. Without custom decoder.xml work, the SIEM will ingest a high volume of low-value firewall noise that inflates storage costs and degrades alert quality. Plan for a dedicated decoder tuning pass before treating any detections as production-grade.
UniFi setting to verify
In UniFi Network, confirm the remote logging toggle is enabled (shown as Remote Logging or Enable logging to remote syslog, depending on UI version), then validate collector receipt before tuning rules.
How to stage integration safely
Start with observability mode
Enable log forwarding and Wazuh ingestion first, but avoid aggressive blocking changes until you understand baseline traffic and event patterns.
Prioritize critical assets
Deploy agents to domain controllers, identity systems, externally exposed servers, and business-critical endpoints before broad rollout.
Tune decoders and rules
Validate parse quality and alert relevance with sample logs. Treat the first tuning cycle as engineering work, not as dashboard cosmetics.
Operationalize response paths
Define who triages, who escalates, and what actions are automated versus manual. Keep this explicit before enabling broad response automation.
Decoder and rule engineering standard
Treat parser quality as a first-class control objective. If events are not normalized correctly, even accurate source telemetry will produce weak detection outcomes.
| Engineering Step | Execution Standard | Failure signal | Corrective action |
|---|---|---|---|
| Field mapping | Map source IP, destination, action, and policy fields consistently | High "unknown field" events in parser output | Revise decoder patterns and retest against sampled logs |
| Severity normalization | Align rule severity to response runbook impact tiers | Analysts ignore alerts due to inconsistent criticality labels | Re-baseline severities and retire low-signal rules |
| Correlation logic | Bind network events to endpoint context on shared identifiers | Events remain isolated with no investigation timeline | Add correlation conditions and test with replayed incident data |
| Regression checks | Revalidate parsers/rules after gateway or platform updates | Sudden drop in known-good detection categories | Run parser/rule test suite before production promotion |
Practical implementation pattern
For most teams, the strongest sequence is: first establish clean ingestion, then normalize fields, then tune severity, then add automated responses. Reversing that order usually increases incident-handling noise.
90-day rollout plan (practical)
Days 1-30: Foundation
- select gateway and CyberSecure tier based on actual throughput/scale requirements
- decide Wazuh model (self-managed vs cloud) based on staffing reality
- configure centralized log collection and baseline dashboards
- define alert ownership and escalation contacts
Days 31-60: Coverage expansion
- deploy Wazuh agents to high-priority systems
- complete first decoder/rule tuning pass
- run one controlled incident simulation to validate workflow
- document known blind spots and exception paths
Days 61-90: Hardening and governance
- expand coverage to secondary assets
- reduce noisy detections and tune severity thresholds
- produce leadership-facing operational report (coverage, unresolved risks, response SLAs)
- lock quarterly review cadence for stack maintenance
Common rollout pitfall
Teams that enable broad detection logic before establishing clear response ownership tend to accumulate unresolved alerts quickly. Keeping scope narrow in the first cycle makes the second cycle significantly easier.
Cost planning model (illustrative, source-backed inputs)
These scenario totals are derived estimates using published starting prices from vendor pages. They are planning references, not vendor quotes.
| Scenario | Published Inputs Used | Derived First-Year Baseline (before services/tax) |
|---|---|---|
| Small managed stack | UCG Ultra ($129) + CyberSecure ($99/yr) + Wazuh Cloud Small ($571/mo) | ~$7,080 |
| Mid managed stack | UDM Pro ($379) + CyberSecure ($99/yr) + Wazuh Cloud Medium ($923/mo) | ~$11,550 |
| Higher-scale managed stack | EFG ($1,999) + CyberSecure Enterprise ($499/yr) + Wazuh Cloud Large ($1467/mo) | ~$20,100 |
What these totals exclude
Implementation services, internal labor, storage growth beyond included retention windows, and any additional tooling (email security, EDR alternatives, MDM, or cloud-native controls).
Total-cost drivers that usually decide outcome
In practice, stack cost variance is driven less by list prices and more by operational choices. The items below are the most common budget swing factors during the first year.
| Cost Driver | How it affects spend | Control to keep it predictable |
|---|---|---|
| Detection engineering effort | Poor baseline tuning increases analyst hours and rework cycles | Allocate recurring tuning windows in the operating calendar |
| Retention and storage growth | Log volume expansion can pressure index/storage capacity quickly | Define retention policy by data class before full ingestion rollout |
| Coverage sprawl | Onboarding non-critical assets too early increases noise and platform load | Use staged asset tiers with explicit admission criteria |
| Change-management quality | Uncontrolled gateway/policy changes can trigger emergency rework | Require documented rollback and post-change validation checks |
Should I use self-hosted or Wazuh Cloud?
Self-hosted Wazuh is free but labor-intensive, while Wazuh Cloud starts at ~$571/month for fully managed maintenance.
- Choose Self-Hosted if: You have internal Linux engineers and strict data residency requirements that prevent cloud egress.
- Choose Wazuh Cloud if: You need immediate compliance retention (90+ days) and lack the staff to manage Elastic Stack updates and storage scaling.
Choose the model that matches your team's operating capacity, not just the lowest subscription number.
| Team Profile | Recommended Model | Why this model is usually safer | Revisit trigger |
|---|---|---|---|
| Lean IT team, limited Linux/SIEM depth | UniFi CyberSecure + Wazuh Cloud | Reduces platform-ops burden so team can focus on triage and response | Need for advanced custom parsing or strict data-location requirements |
| Mature internal operations, strong platform ownership | UniFi CyberSecure + self-managed Wazuh | Higher control over architecture, tuning, and retention behavior | Operational overhead starts impacting response quality |
| Multi-site growth with mixed maturity across locations | Hybrid path (cloud first, selective self-managed later) | Lets teams standardize runbooks before taking on full platform ownership | Stable operating cadence and clear in-house ownership coverage |
Coverage boundaries to plan for
This stack covers network policy and endpoint telemetry well. Several adjacent layers still need separate tooling.
Adjacent controls to plan for
- Email security: Business email is a common initial access path and sits outside gateway and endpoint scope
- Identity and VPN: An identity layer for remote access policy and MFA is a practical complement to network controls
- Endpoint protection (EDR): Wazuh provides telemetry and detection, but a dedicated EDR adds response automation and behavioral blocking
- Vulnerability management: Periodic scanning helps surface unpatched exposure before it becomes an incident
- MDM: Endpoint configuration policy enforcement keeps device posture consistent across the estate
- Cloud posture: AWS/Azure/GCP workloads need cloud-native controls that sit outside gateway and agent scope
Identity and VPN layer
For remote access, an identity layer adds meaningful coverage beyond what network and endpoint controls provide on their own. UniFi Identity Enterprise One-Click VPN integrates cleanly with existing UniFi infrastructure, and Adaptive VPN policy controls support policy-based MFA for higher-risk access conditions. The stack is more complete as network + endpoint + identity than as network + endpoint alone.
Endpoint protection and vulnerability management
Wazuh provides strong telemetry and rule-based detection, but it does not replace a dedicated endpoint protection platform. For teams that need behavioral blocking and automated response at the host level, Bitdefender GravityZone is a practical SMB-focused option that complements Wazuh's detection workflow without significant overlap.
For vulnerability exposure, periodic scanning with Tenable Nessus helps identify unpatched systems before they become an incident. Wazuh includes basic vulnerability detection, but a dedicated scanner provides broader coverage and more actionable remediation data.
For a broader view of how these controls fit together at the network layer, see the network security operating guide.
Is this stack a good fit for your team?
Best For
- You already operate (or are standardizing on) UniFi gateway infrastructure
- You need endpoint and network telemetry in one operational workflow
- Your team has capacity for tuning, detection engineering, and incident handling
- You want a staged path from self-managed to managed options
Consider Alternatives If
- Your team has limited capacity for rule tuning or log engineering
- You need fully managed enterprise SOC workflows from day one
- You need fixed turnkey outcomes with minimal internal configuration
- You cannot commit to a recurring quarterly review and tuning cadence
Quarterly operations checklist
Use a fixed quarterly review to keep detection quality stable as your environment changes.
| Review Area | What to verify | Owner |
|---|---|---|
| Gateway policy health | CyberSecure status, signature updates, and policy exceptions still match network intent | Network lead |
| Wazuh detection quality | Top noisy rules, decoder drift, and unresolved high-severity alerts | Security operations lead |
| Coverage reliability | Agent enrollment gaps, Syslog ingestion continuity, and retention headroom | Platform owner |
| Response execution | Incident ownership, escalation timeliness, and overdue remediation actions | Security manager |
Review verdict: strengths, constraints, and next step
For SMB and mid-market teams, this stack is strongest when three conditions are true: gateway policy ownership is clear, endpoint coverage is staged by criticality, and rule-tuning is treated as ongoing engineering work.
| Review Dimension | Assessment | Why this rating was assigned |
|---|---|---|
| Network + endpoint coverage alignment | Strong | Clear division of responsibility between gateway policy and host telemetry |
| Cost transparency | Strong | Core hardware and managed-tier pricing are publicly available and verifiable |
| Implementation complexity | Moderate | Parser and rule engineering effort is non-trivial for smaller teams |
| Long-term maintainability | Depends on operating discipline | Quarterly governance and ownership clarity determine sustained quality |
Bottom-line recommendation
For teams that can sustain a quarterly tuning and governance cadence, UniFi + Wazuh is a defensible, cost-effective stack. For teams that cannot yet commit to that cadence, starting with a managed operating model and expanding ownership later is a lower-risk path.
Want help mapping this stack to your environment?
Run the Valydex assessment to identify your current coverage gaps, team capacity, and the right deployment model before making hardware or subscription decisions.
Start Free AssessmentFAQ
Frequently Asked Questions
Related Articles
More from Security Architecture and Implementation
Network Security Guide
Framework-level network security planning for SMB and mid-market teams, including segmentation and monitoring priorities.
NIST CSF 2.0 Implementation Guide (2026)
Operational CSF 2.0 rollout model with profile scoping, governance cadence, and practical control ownership.
UniFi IT Solutions Review
Platform-level UniFi evaluation to help decide when a broader UniFi architecture is preferable to a mixed stack.
Primary references (verified 2026-02-16):
- UniFi CyberSecure Enhanced by Proofpoint and Cloudflare (Ubiquiti Help)
- Wazuh Cloud Plans
- Wazuh Architecture Documentation
Compare UniFi And Wazuh Stack Components
Use these links to verify current pricing and compare deployment options before rollout.
Ubiquiti UniFi
Firewall and network hardware from Ubiquiti
Starting at Hardware from $379 + CyberSecure from $99/year
Wazuh
Open-source SIEM platform
Starting at Free (self-hosted) or managed service pricing
Affiliate disclosure: We may earn a commission from purchases made through these links at no additional cost to you. Recommendations are based on fit, not commission size.
Need help prioritizing this stack for your environment?
Run the Valydex assessment to map your current controls, coverage gaps, and implementation priorities before final architecture decisions.
Start Free Assessment