Security Log Retention: Balancing Compliance Requirements With Detection Needs

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Log retention is where compliance obligations and operational security needs intersect in ways that are rarely aligned by default. Compliance frameworks specify minimum retention periods for audit purposes. Incident responders need different logs, at different granularities, for different time windows depending on what they are investigating. Paying SIEM prices for all retention tiers is unnecessary and expensive. This guide covers the retention requirements by major framework and the tiered storage architecture that satisfies both compliance and detection without overpaying.
Retention Requirements by Compliance Framework
The four most common frameworks that specify log retention requirements are PCI-DSS, HIPAA, SOC 2, and ISO 27001. Their requirements are not identical, and organizations subject to multiple frameworks must satisfy the most stringent requirement for shared log sources.
PCI-DSS v4.0 (Requirement 10.7) requires at least 12 months of audit log retention with three months immediately available for analysis. Immediately available means queryable within your primary log analysis tool, not in archival storage requiring a restoration process. This is the most specific and prescriptive requirement among common frameworks.
HIPAA Security Rule requires covered entities and business associates to retain documentation of security policies and procedures for six years from creation or last effective date. For audit logs specifically, HIPAA does not specify a minimum retention period but states logs must be maintained for breach investigation and audit purposes. Most healthcare organizations apply a six-year retention period to security logs based on the broader HIPAA documentation retention requirement, which is the conservative and defensible position.
SOC 2 (Type II) does not specify a minimum log retention period. The auditors assess whether your actual retention practice is consistent with your stated policy and whether it supports the trust services criteria you are being audited against. For availability and security criteria, 12 months of retention is the typical expectation auditors apply in practice.
ISO 27001 Annex A 8.15 (Logging) requires that logs be protected from modification and unauthorized access and retained in line with the organization's documented retention requirements. It does not specify a minimum period. Your documented policy creates the compliance obligation, so be deliberate about what you document.
General regulatory guidance from NIST SP 800-92 recommends a minimum of one year for security event logs and longer retention for logs relevant to investigations of significant security incidents. For organizations subject to no specific framework, this provides a defensible baseline.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Hot, Warm, and Cold Storage Tiers
Paying SIEM ingestion and storage prices for 12-plus months of logs is one of the most common places organizations overspend on security operations. SIEM platforms charge premium prices for interactive query capability; that premium is justified for recent, actively-investigated data and unjustified for archival data that needs to be accessible but not frequently queried.
A three-tier architecture aligns cost with access frequency:
Hot storage (0 to 90 days): The primary SIEM or detection platform. Full interactive query capability, real-time alert correlation, high I/O performance. This is where active detection happens and where analysts investigate current incidents. Retain all ingested log sources here. Cost: premium (typically $0.25 to $1.50 per GB per month for managed SIEM).
Warm storage (90 days to 12 months): A queryable log archive at significantly lower cost than hot storage. Cloud-native options include AWS OpenSearch with Ultrawarm or Glacier Instant Retrieval, Azure Data Explorer, or dedicated security data lake solutions. Query performance is slower than hot storage but acceptable for investigation use cases. Cost: significantly reduced (typically $0.03 to $0.10 per GB per month).
Cold storage (12 months and beyond): Object storage (AWS S3 Glacier, Azure Blob Archive) for compliance archival. Not interactively queryable without restoration, but meets the retention obligation for audit purposes. Retrieval for forensic investigation requires a restoration job that may take hours. Cost: minimal (typically $0.001 to $0.004 per GB per month).
The transition from hot to warm at 90 days aligns with PCI-DSS's three-month immediate availability requirement while dramatically reducing storage cost for months 4 through 12. The transition to cold at 12 months satisfies PCI-DSS total retention while maintaining archival access for HIPAA six-year obligations at near-zero cost.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Which Log Types Require Which Retention Tiers
Not all log sources require the same retention period or the same access tier. Applying a uniform retention policy to all logs regardless of type is both a cost problem and a compliance risk: you may be paying to retain low-value logs for years while deleting high-value investigation logs that a future breach inquiry will require.
Authentication and authorization logs are the highest-priority retention category. Attacker dwell times measured in weeks or months mean that the initial access event for a breach you discover today may have occurred 60 to 90 days ago. Authentication logs should remain in hot storage for 90 days and warm storage for 12 months. For HIPAA-covered environments, retain for six years in cold storage.
Endpoint process execution logs (EDR telemetry, Sysmon) have a shorter investigation relevance window for most use cases. 30 to 90 days in hot storage is sufficient for detection; 12 months in warm storage covers extended investigation needs. Volume tends to be high, so the cost impact of warm storage for this category is significant.
Cloud control plane logs (CloudTrail, Activity Log) should follow the same retention schedule as authentication logs given that they record the administrative actions taken by compromised cloud credentials. These are compact in volume and easy to retain in cold storage for multi-year compliance.
Firewall and network flow logs are high-volume and lower-priority for long-term retention. 30 to 90 days in hot storage for detection correlation; 6 to 12 months in warm storage for investigation. Cold storage beyond 12 months is rarely required unless a specific compliance obligation or active investigation mandates it.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Log Integrity and Chain of Custody
Retention is not only about access duration. Compliance frameworks and incident response require that logs have not been modified since they were created. A security log that a threat actor could have tampered with has reduced evidentiary value in a breach investigation or regulatory audit.
The minimum standard for log integrity is immutability at rest. Cloud object storage services (S3 with Object Lock, Azure Immutable Blob Storage) provide write-once, read-many storage that prevents modification or deletion for a defined retention period. Enable immutability with a retention lock that matches your compliance obligation before writing logs to the archive.
Cryptographic integrity verification provides a stronger guarantee than immutability alone. Some SIEM platforms and log management tools sign each log batch with a hash or digital signature at ingestion time. The integrity of the archive can be verified by recomputing the hash and comparing against the stored value. This creates a chain of custody that demonstrates to auditors that logs have not been altered.
Access controls are the third layer. Restrict write access to log archives to only the systems that forward logs and the administrative accounts needed for retention management. No analyst or investigator should have write access to the archive. Access to read logs for investigation should be logged and attributed, and those access logs should themselves be retained.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Incident Response Implications of Retention Architecture
The investigation that forces you to confront a retention gap will always involve logs that were just outside your retention window. This is not bad luck: attackers with dwell times of 30 to 90 days before detection are the norm, and a 30-day retention policy is practically a guarantee of incomplete forensic reconstruction.
When an incident requires accessing data from warm or cold storage, your incident response process needs to account for restoration time. Cold storage retrieval can take four to 12 hours. Warm storage queries may be slower than hot storage by an order of magnitude. Building test scenarios where your IR team practices pulling warm and cold storage data reduces the friction during an actual investigation.
Legal hold procedures are a separate consideration from regular retention policy. When a security incident triggers a legal or regulatory proceeding, legal hold requirements may extend retention beyond your normal schedule. Have a documented process for legal counsel to place a hold on specific log sources that suspends the normal deletion schedule. This process must be executable quickly: the window between incident discovery and evidence preservation is short.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
Satisfy compliance requirements by mapping your obligations to the most stringent framework you are subject to. Implement hot, warm, and cold storage tiers at the 90-day and 12-month thresholds to reduce cost without sacrificing investigation capability. Enable immutable storage for all archive tiers, restrict write access, and test warm and cold retrieval procedures annually before an incident makes them urgent.
Frequently asked questions
What is the minimum log retention period required by PCI-DSS?
PCI-DSS v4.0 Requirement 10.7 requires a minimum of 12 months of audit log retention, with the most recent three months immediately available for analysis and review. Immediately available means the logs must be queryable without a restoration process. The remaining nine months may be stored in a lower-cost archive but must be restorable within a reasonable timeframe for audit and investigation purposes. Organizations subject to PCI-DSS should review Requirement 10.7 against their current SIEM retention configuration to confirm the three-month immediate availability requirement is met.
Do HIPAA regulations specify a required log retention period?
HIPAA does not specify a minimum retention period for security event logs in the Security Rule text. The Security Rule requires covered entities to maintain documentation of security policies and procedures for six years from the date of creation or the date it was last in effect, whichever is later. Most healthcare organizations apply the six-year standard to security audit logs as the defensible conservative position, since logs produced as part of implementing and operating the Security Rule are documentation under that requirement. Consult your healthcare compliance attorney for guidance specific to your organization.
How much does it cost to retain security logs for 12 months in cloud storage?
The cost depends heavily on the storage tier and the log volume. Storing one terabyte per month of logs for 12 months in SIEM hot storage at $0.50 per GB costs approximately $6,144 per year. Moving that same volume to AWS S3 Standard after 90 days and S3 Glacier after 12 months reduces the total cost to approximately $700 per year for the same data volume. The tiered architecture reduces 12-month retention cost by approximately 85 to 90 percent compared to keeping all data in premium SIEM storage. For organizations generating 10 or more terabytes per month, this cost difference becomes a significant budget item.
What is the best way to ensure log integrity for compliance audits?
The minimum standard is immutable storage with a retention lock period that prevents deletion or modification. Enable AWS S3 Object Lock, Azure Immutable Blob Storage, or equivalent controls on all archival storage. For forensic and legal proceedings, a stronger posture is cryptographic integrity verification: compute a SHA-256 hash of each daily log batch at ingestion time, store the hashes in a separate location, and include a hash verification step in your audit evidence package. This allows you to demonstrate to auditors or investigators that logs have not been altered since they were created.
What happens to our log retention obligations if we have a security breach?
A security breach typically extends your log retention obligations through two mechanisms. First, your legal counsel may place a litigation hold on affected log sources, suspending the normal deletion schedule until the legal matter is resolved. This hold can last years. Second, regulatory breach notification requirements often trigger an investigation period during which regulators may request specific log evidence, extending the effective retention requirement for those sources. Your incident response plan should include a documented legal hold procedure that can be executed quickly after breach discovery. Do not delete any logs within the scope of the incident without explicit approval from legal counsel.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
