Throughput at regulated scale
Two decades of operational depth at 500K to 5M events per second. Programs that ingest at that volume find cloud SIEM pricing punishing.
OpenText • Security operations
Enterprise Security Manager is the on-prem ArcSight ESM flagship for high-throughput regulated SIEM where cloud is not an option. Two decades of operational depth in financial services, government, defense, and healthcare make it the platform of record for regulated SOC environments.
Through Merito, ESM runs as the on-prem flagship for regulated SOCs that cannot adopt cloud SIEM, with infrastructure design, ArcSight content modernization, scale-out planning, and OpenText SecOps line integration handled as long-term operational work rather than one-time deployment.
What it is
OpenText Enterprise Security Manager is ArcSight ESM rebranded. ESM has been the on-prem flagship SIEM for high-throughput regulated environments for two decades, with deployments in financial services, government, defense, and healthcare that handle log volumes other SIEMs cannot economically ingest. Merito's pitch is honest: programs that can run cloud SIEM should evaluate Core Threat Detection and Response or Splunk Cloud; programs that cannot, because of regulatory, sovereignty, or volume constraints, run ESM as the right answer for as long as those constraints hold.
Throughput at scale is the historical strength. Programs that ingest 500,000 to 5,000,000 events per second find that cloud-SIEM pricing models become punishing while ESM stays linear. Combined with the regulated content library and the on-prem operational shape required by some sovereign-cloud and air-gapped programs, ESM remains the operational fit. The 2024-2025 rebrand from ArcSight ESM to OpenText Enterprise Security Manager is cosmetic at the engine level.
Cross-product integration with the OpenText SecOps line is the platform claim. ESM integrates with Network Detection and Response, Core Behavioral Signals (Interset UEBA), Core Adversary Signals (MITRE), Threat Intelligence, and Security Log Analytics. Programs running ESM with the rest of the line get unified SOC operations on-prem the way Core TDR delivers them in SaaS.
What breaks ESM adoption is operational scope creep. ESM is operationally substantial: content tuning, parser maintenance, scale-out architecture, and SOC operating-model design all require discipline. Programs that adopt ESM without operational headcount or partner support find the platform underused. Merito's engagement designs the operating model alongside the deployment, and Managed Services run ESM long-term for programs that want OpenText engineering without internal headcount.
Ideal use cases
What it is best at
Air-gapped, sovereign-cloud, and regulated workloads where SaaS SIEM is not an option. ESM is the platform of record.
Two decades of regulated SOC content covering insider threat, account compromise, lateral movement, data exfiltration, and credential misuse.
Native correlation with NDR, Core Behavioral Signals (UEBA), Core Adversary Signals (MITRE), Threat Intelligence, and Security Log Analytics on-prem.
Programs ready to leave on-prem migrate to Core Threat Detection and Response in SaaS. Same content lineage; different deployment shape.
Core capabilities
Where ESM does the work cloud SIEM cannot economically do.
High-volume log ingestion
500K to 5M+ events per second on production deployments. Linear pricing at scale.
ArcSight detection content
Two decades of regulated SOC content covering insider threat, account compromise, lateral movement, data exfiltration, and credential misuse.
Custom rule and correlation authoring
Custom detection rules, correlation logic, and content modernization workflows.
Long-retention SIEM analytics
Hot SIEM with handoff to Security Log Analytics for long-retention forensic analytics.
Beyond detection into actual SOC operations.
Investigation workflow
Case management, evidence linking, and analyst assignment workflow.
Response automation
SOAR-shaped response with playbooks and integration into operational systems.
Cross-product enrichment
NDR signal, UEBA scoring, threat intel, and forensic context attached to investigations.
Regulated and sovereign environments where SaaS is ruled out.
Air-gapped deployment
Fully on-prem deployment without external dependencies for sovereign-cloud and air-gapped programs.
FIPS-compliant cryptography
FIPS 140-2/3 cryptographic modules for federal and regulated programs.
Compliance reporting
Audit-ready evidence for SOC 2, FedRAMP, HIPAA, PCI DSS, and ISO 27001.
Modernization path
Path to Core Threat Detection and Response in SaaS when regulatory constraints relax.
Licensing and packaging
Enterprise Security Manager
On-prem flagship SIEM for high-throughput regulated environments.
Best for: Programs that cannot adopt cloud SIEM due to regulatory, sovereignty, or volume constraints.
Enterprise Security Manager government and federal editions
Hardened editions for federal and sovereign-cloud deployments with FIPS-compliant cryptography.
Best for: Federal and government programs requiring air-gapped or sovereign-cloud SIEM.
Merito services
Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.
Infrastructure design, deployment, content modernization, scale-out planning, operating-model design.
ArcSight ESM version upgrades and content modernization.
SOC program scoping for ESM alongside Core Threat Detection and Response, Splunk Enterprise, and IBM QRadar.
Content engineering, response automation, and cross-product on-prem SecOps integration.
Named engineer, priority SLAs, and release-time coverage for ESM.
Long-term partner-managed run for programs that want OpenText engineering without internal headcount.
Role-based training for SOC analysts, content engineers, and SecOps architects.
Merito-placed SOC engineers and OpenText specialists embedded on long-running programs.
OpenText Enterprise Security Manager licensing
ESM pricing arrives with infrastructure design, deployment, content modernization, scale-out planning, and operating-model design that keep high-throughput regulated SIEM running as a sustained SOC capability rather than a one-time install.
Merito point of view
Merito has scoped SOC programs where Enterprise Security Manager is exactly the right answer (high-throughput regulated environments where cloud is not an option, sovereign-cloud and air-gapped programs, regulated programs with volume constraints that make cloud SIEM economically punishing) and others where the program is ready to modernize to Core Threat Detection and Response. Both decisions are valid; the right one depends on the regulatory and volume constraints actually in effect.
Merito recommends ESM specifically when constraints rule out SaaS SIEM. For programs without those constraints, the modernization path to Core TDR is usually the right move. For programs picking specialist on-prem SIEM, Splunk Enterprise and IBM QRadar are competitive depending on the program shape. Merito surfaces those alternatives honestly during scoping.
Operational discipline is the binding constraint on ESM. The platform is technically deep and operationally substantial: content engineering, parser maintenance, scale-out architecture, and SOC operating-model design all require sustained investment. Programs that adopt ESM without operational headcount or partner support find the platform underused. Merito designs the operating model alongside the deployment.
Consultation request
Share your regulated SOC posture, log volume, and operating-model preferences. A Merito OpenText specialist follows up within one business day.
Throughput at scale
500K to 5M events per second on production deployments. Linear pricing where cloud SIEM becomes punishing.
Regulated and sovereign
Air-gapped, sovereign-cloud, and regulated workloads. ESM is the platform of record where cloud is ruled out.
Next step
A Merito ESM engagement scopes the on-prem operating model alongside the deployment. Programs that adopt ESM without sustained operational discipline find the platform underused.