Independent reference. Not affiliated with any zero trust vendor. Updated Q1 2026.

Zero Trust Cost Calculator 2026

Estimate the full implementation budget for your organisation. Adjust workforce, maturity target, cloud environment, and timeline. The model produces year-one total cost, ongoing annual cost, per-user-per-month, and a pillar-by-pillar licensing breakdown.

Inputs

500 users

Estimates apply a 1.5-2.5x implementation multiplier to licensing for professional services, integration, training, and the security architect FTE. Base pricing is normalised across vendor mid-tiers and varies in any specific procurement.

Year 1 total: $337K
Ongoing per year: $230K
Per user per month: $56

Year 1 cost composition
Licensing: $195K
Services: $142K

Annual licensing by pillar
Identity: 27% - $52,020
Network: 22% - $43,350
Device: 18% - $34,680
Data: 20% - $39,015
Workload: 13% - $26,010

Cost composition

What is in year 1 vs. ongoing

Year 1 carries the heavy professional services load. By year 2 the cost composition shifts dramatically toward steady-state licensing plus operational tuning.

| Cost component | Year 1 | Year 2+ | Notes |
|---|---|---|---|
| Licensing | 100% | 100% | Annual subscription. Negotiable on enterprise multi-year deals. |
| Professional services | 25-50% of licensing | 5-10% of licensing | Heavy during deployment. Optimisation and platform upgrades only after. |
| Integration | 15-30% of licensing | 2-5% of licensing | One-time IdP, SIEM, HR, ticketing connectors plus annual maintenance. |
| Training and change management | $300-$800 / employee | $80-$150 / employee / yr | FIDO2 rollout, conditional access UX, ZTNA client. Refresh annually. |
| Security architect FTE | $130K-$180K / yr | $130K-$180K / yr | Dedicated, ongoing. Scales with org size beyond 2,000 users. |
| Operational tuning | 10-15% of licensing | 15-20% of licensing | Policy drift, alert tuning, access reviews, conditional access exceptions. |

Per-pillar pricing

Component pricing reference

Mid-tier per-user-per-month pricing across the five pillars. Use this as a sanity check on calculator output and as a lookup when sizing individual pillar projects.

| Pillar component | Per-user / month | What it includes |
|---|---|---|
| SSO + basic MFA | $3 - $7 | Conditional access, group-based provisioning |
| Identity P2 / advanced | $6 - $12 | Risk-based MFA, PIM, identity protection |
| PAM | $15 - $40 | Privileged session recording, just-in-time admin, vault |
| Identity governance | $7 - $20 | Access reviews, entitlement management, certifications |
| MDM / UEM | $4 - $9 | Device enrolment, configuration, compliance policies |
| EDR | $3 - $15 | Endpoint detection and response, behavioural analytics |
| ZTNA | $5 - $20 | Identity-based application access, replaces VPN |
| Microsegmentation | $20K-$60K / yr flat | East-west traffic policy, agent or fabric-based |
| CSPM | $5 - $15 / workload | Cloud configuration scanning, compliance posture |
| CASB / DLP | $8 - $18 | SaaS visibility, data classification, leak prevention |

Sanity check

Where the calculator may understate

Three scenarios where the calculator output is the floor, not the ceiling.

  • Heavy regulated data estates. Healthcare, finance, and government estates with strict DLP, classification, and audit requirements typically run 25-40% above calculator output because data-pillar tooling is more comprehensive and audit overhead is significant.
  • Acquisitive growth. Organisations integrating recent acquisitions face duplicate vendor sprawl during the rollout. Each parallel identity store, EDR deployment, or SIEM pipeline adds 8-15% to year-one cost until consolidation completes.
  • Operational technology (OT) environments. Manufacturing, logistics, and energy estates with industrial control systems require specialised microsegmentation and asset visibility tools (Claroty, Nozomi, Dragos). These can add $200K-$2M depending on plant footprint, none of which is captured in the workforce-based model above.
Frequently asked

Calculator questions

How does this zero trust calculator work?
The model takes four inputs (workforce size, maturity target, cloud environment, timeline) and produces a year-one cost, an ongoing annual cost, and a per-user-per-month figure. It starts from per-user-per-month base licensing across the five pillars at intermediate CISA maturity, applies multipliers for the maturity tier, the cloud estate, and timeline aggression, then adds a 1.5-2.5x implementation multiplier for professional services, integration, training, and the security architect FTE. Outputs are framework ranges, not vendor quotes.
How much does zero trust cost per user?
Per-user year-one cost ranges from $800-$1,200 at the basic tier (typical SMB on Microsoft Business Premium plus a ZTNA overlay), $1,500-$2,500 at the intermediate-to-advanced tier (mid-market, mature identity, phased ZTNA, EDR), and $2,500-$4,000+ at the optimal tier (enterprise, full microsegmentation, advanced telemetry, FIDO2 keys, comprehensive DLP). Steady-state ongoing cost typically settles 35-40% below year one once initial professional services taper.
What does the implementation multiplier cover?
Licensing alone is 40-60% of zero trust spend. The implementation multiplier covers everything else: scoping and architecture professional services ($50K-$500K), integration with existing identity, SIEM, and HR systems ($20K-$200K), pilot and parallel-running costs during the migration phase ($20K-$80K), end-user training and change management ($300-$800/employee), policy documentation and governance setup ($15K-$50K), and the dedicated security architect FTE for the duration of the rollout ($130K-$180K/year fully loaded).
Why does the cost change so much by cloud environment?
Microsoft 365 estates trend ~15% lower because Microsoft bundles substantial zero trust functionality into M365 E3/E5 (Entra ID, Intune, Defender, Sentinel) at a single subscription price, removing the need for separate identity, MDM, EDR, and SIEM purchases. Multi-cloud and on-premise estates trend higher because you pay for separate vendor stacks per pillar and integration work multiplies. Google Workspace sits in the middle: BeyondCorp Enterprise Essentials covers basic zero trust for Workspace users, but the broader zero trust ecosystem assumes Microsoft as the default identity provider.
What if our calculator output looks too high?
Three honest reasons it might overstate: (1) you already own significant pieces (M365 E3 already deployed, Defender for Endpoint already licensed, an existing IdP in production), so much of the licensing cost is sunk; (2) you have a competent internal architect, removing $100K-$300K of professional services; (3) you intend to defer Phase 2 microsegmentation and Phase 3 advanced telemetry, which can cut total scope by 30-40%. Use the maturity slider to model a basic-tier deployment if any of those apply.
Should we model timeline as aggressive or phased?
Aggressive timelines (under 18 months to optimal maturity) cost more because they require parallel rather than sequential vendor implementations, larger professional services engagements, and overtime-rate consultancy work. Phased timelines (4+ years) cost less but defer benefit. Standard 3-year phased rollouts are the most common pattern and represent the lowest risk-adjusted total cost. Compliance-driven programmes (CMMC, OMB M-22-09) are often forced into aggressive timelines because the regulatory deadline overrides commercial preference.